-p <port ranges>: Only scan specified ports; -p- scans the full range 1-65535
-sV: Probe open ports to determine service/version info
-T[0-6]: Set timing template (higher is faster); this controls scan speed
-A: Enables OS detection and version detection
-oN/-oX/-oS/-oG <file>: Output scan results in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename; -oX writes XML output and is followed by the file name
-Pn: Skip host discovery (no ping) and scan directly, so that hosts which block ping are not missed
root@kali:~# nmap -p- -sV -T4 -A -oX Kioptrix_level_1.xml 192.168.199.230
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-13 03:46 EDT
Nmap scan report for 192.168.199.230
Host is up (0.0011s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2019-10-13T07:49:52+00:00; +1m50s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|_    SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
1024/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:7C:3A:16 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   1.09 ms 192.168.199.230

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 133.02 seconds
root@kali:~#
root@kali:~# nikto -host 192.168.199.230 -port 80
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.199.230
+ Target Hostname:    192.168.199.230
+ Target Port:        80
+ Start Time:         2019-10-13 05:30:31 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server may leak inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Wed Sep 5 23:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.1.1). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS).
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
+ /wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /assets/mobirise/css/meta.php?filesrc=: A PHP backdoor file manager was found.
+ /login.cgi?cli=aa%20aa%27cat%20/etc/hosts: Some D-Link router remote command execution.
+ /shell?cat+/etc/hosts: A backdoor was identified.
+ 8724 requests: 0 error(s) and 30 item(s) reported on remote host
+ End Time:           2019-10-13 05:30:56 (GMT-4) (25 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Vulnerability identified:
mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
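The reason to keep the -oX XML file from the scan above is that it is machine-readable: the same version thresholds Nikto reports (mod_ssl 2.8.7 and lower, Apache 1.3 below 1.3.27 and 1.3.29) and the two protocol findings Nmap flags (SSHv1 supported, SSLv2 supported) can be re-checked over the XML and turned into a triage list for the asset owner. The Python below is an added example and is not part of this write-up or of Nmap or Nikto; the XML it parses is a hand-constructed excerpt that mirrors the scan results on this page, and the rule labels and version thresholds are taken only from the Nikto and Nmap lines above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output, trimmed to the elements this script reads.
# Values mirror the lab scan above; the XML itself was written by hand for this example.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.80">
  <host>
    <address addr="192.168.199.230" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="2.9p2" extrainfo="protocol 1.99"/>
        <script id="sshv1" output="Server supports SSHv1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="1.3.20"
                 extrainfo="(Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="https" product="Apache httpd" version="1.3.20"
                 extrainfo="(Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b"/>
        <script id="sslv2" output="SSLv2 supported"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="open"/>
        <service name="netbios-ssn" product="Samba smbd"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def version_tuple(text):
    """Turn '2.8.4' or '0.9.6b' into a comparable tuple of ints; a non-numeric tail is dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


# Version-based rules, each (component name, predicate on the parsed version, finding label).
# Thresholds are the ones quoted in the Nikto output above.
RULES = [
    ("mod_ssl", lambda v: v <= (2, 8, 7),
     "mod_ssl <= 2.8.7: remote buffer overflow (CVE-2002-0082)"),
    ("Apache httpd", lambda v: (1, 3) <= v < (1, 3, 27),
     "Apache 1.3 < 1.3.27: local buffer overflow (CAN-2002-0839)"),
    ("Apache httpd", lambda v: (1, 3) <= v < (1, 3, 29),
     "Apache 1.3 < 1.3.29: mod_rewrite/mod_cgi overflows (CAN-2003-0542)"),
]

# NSE script ids whose presence in the XML is itself a finding.
SCRIPT_RULES = {
    "sshv1": "SSH protocol 1 still enabled (Nmap: Server supports SSHv1)",
    "sslv2": "SSLv2 still accepted on the TLS listener",
}

# Matches 'name/version' tokens in extrainfo, e.g. mod_ssl/2.8.4, but not (Red-Hat/Linux).
COMPONENT_RE = re.compile(r"([A-Za-z_][\w-]*)/(\d[\w.]*)")


def triage(xml_text):
    """Return a list of (address, port, finding) tuples for every open port that trips a rule."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            portid = int(port.get("portid"))
            # Collect component -> version from the product/version attributes and extrainfo.
            components = {}
            service = port.find("service")
            if service is not None:
                if service.get("product") and service.get("version"):
                    components[service.get("product")] = service.get("version")
                for name, ver in COMPONENT_RE.findall(service.get("extrainfo", "")):
                    components[name] = ver
            for component, predicate, label in RULES:
                if component in components and predicate(version_tuple(components[component])):
                    findings.append((addr, portid, label))
            for script in port.findall("script"):
                label = SCRIPT_RULES.get(script.get("id"))
                if label:
                    findings.append((addr, portid, label))
    return findings


if __name__ == "__main__":
    for addr, portid, label in triage(SAMPLE_NMAP_XML):
        print(f"{addr}:{portid}  {label}")
```

Pointing `ET.parse()` at the real Kioptrix_level_1.xml instead of the embedded sample gives the same table for the live scan; the rule list is the part to maintain as the scope of an assessment grows.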
root@kali:~# nbtscan 192.168.199.230
Doing NBT name scan for addresses from 192.168.199.230

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
192.168.199.230  KIOPTRIX         <server>  KIOPTRIX         00:00:00:00:00:00
root@kali:~#
root@kali:~# rpcclient -U "" 192.168.199.230
root@kali:~# smbclient -L="192.168.199.230"
Server does not support EXTENDED_SECURITY but 'client use spnego = yes' and 'client ntlmv2 auth = yes' is set
Anonymous login successful
Enter WORKGROUP\root's password:

	Sharename       Type      Comment
	---------       ----      -------
	IPC$            IPC       IPC Service (Samba Server)
	ADMIN$          IPC       IPC Service (Samba Server)
Reconnecting with SMB1 for workgroup listing.
Server does not support EXTENDED_SECURITY but 'client use spnego = yes' and 'client ntlmv2 auth = yes' is set
Anonymous login successful

	Server               Comment
	---------            -------
	KIOPTRIX             Samba Server
root@kali:~# enum4linux 192.168.199.230
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Oct 13 04:23:40 2019

 ==========================
|    Target Information    |
 ==========================
Target ........... 192.168.199.230
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ===============================================
|    Nbtstat Information for 192.168.199.230    |
 ===============================================
Looking up status of 192.168.199.230
	KIOPTRIX        <00> -         B <ACTIVE>  Workstation Service
	KIOPTRIX        <03> -         B <ACTIVE>  Messenger Service
	KIOPTRIX        <20> -         B <ACTIVE>  File Server Service
	..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
	MYGROUP         <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
	MYGROUP         <1d> -         B <ACTIVE>  Master Browser
	MYGROUP         <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

	MAC Address = 00-00-00-00-00-00

 ========================================
|    Session Check on 192.168.199.230    |
 ========================================
[+] Server 192.168.199.230 allows sessions using username '', password ''

 ==============================================
|    Getting domain SID for 192.168.199.230    |
 ==============================================
Domain Name: MYGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 =========================================
|    OS information on 192.168.199.230    |
 =========================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.199.230 from smbclient:
[+] Got OS info for 192.168.199.230 from srvinfo:
	KIOPTRIX       Wk Sv PrQ Unx NT SNT Samba Server
	platform_id     :	500
	os version      :	4.5
	server type     :	0x9a03

 ================================
|    Users on 192.168.199.230    |
 ================================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

 ============================================
|    Share Enumeration on 192.168.199.230    |
 ============================================

	Sharename       Type      Comment
	---------       ----      -------
	IPC$            IPC       IPC Service (Samba Server)
	ADMIN$          IPC       IPC Service (Samba Server)
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------
	KIOPTRIX             Samba Server

[+] Attempting to map shares on 192.168.199.230
//192.168.199.230/IPC$	[E] Can't understand response:
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//192.168.199.230/ADMIN$	[E] Can't understand response:
tree connect failed: NT_STATUS_WRONG_PASSWORD

 =======================================================
|    Password Policy Information for 192.168.199.230    |
 =======================================================
[E] Unexpected error from polenum:

[+] Attaching to 192.168.199.230 using a NULL share

[+] Getting builtin group memberships:
Group 'Administrators' (RID: 544) has member: Couldn't find group Administrators
Group 'System Operators' (RID: 549) has member: Couldn't find group System Operators
Group 'Backup Operators' (RID: 551) has member: Couldn't find group Backup Operators
Group 'Account Operators' (RID: 548) has member: Couldn't find group Account Operators
Group 'Power Users' (RID: 547) has member: Couldn't find group Power Users
Group 'Guests' (RID: 546) has member: Couldn't find group Guests
Group 'Users' (RID: 545) has member: Couldn't find group Users
Group 'Print Operators' (RID: 550) has member: Couldn't find group Print Operators
Group 'Replicator' (RID: 552) has member: Couldn't find group Replicator

[+] Getting domain group memberships:
Group 'Domain Users' (RID: 513) has member: Couldn't find group Domain Users
Group 'Domain Admins' (RID: 512) has member: Couldn't find group Domain Admins

 ================================================
|    Getting printer info for 192.168.199.230    |
 ================================================
No printers returned.