
Pentesting the FourAndSix Target VM

Author: 萍水间人 | Published 2019-02-08 16:29, read 38 times

    I'm a bit of a beginner. My major is network security, but I've only just started getting into it. I feel anxious about it: I want to learn, but I'm afraid of failing, so I'll just keep writing blog posts to gradually improve.

    The FourAndSix VM

    I found it via Baidu Cloud.

    Then I imported the OVA file into VMware.


    Start the VM

    You can see that the network address range is 192.168.41.132 to 192.168.41.254.

    nmap

    The legendary tool of the scanning world, which I still don't use fluently.

    nmap options

    -F scan only the 100 most commonly open ports
    -v verbose output of what the scan finds
    -sT TCP connect scan
    -p specify the ports to scan
    -sV service version detection
    -Pn treat all hosts as online, skipping host discovery
    -n never do DNS resolution
    -R always do reverse DNS resolution
    --dns-servers use custom DNS servers
    --system-dns use the operating system's DNS resolver
    --traceroute trace the hop path to each host

    nmap scans

    Since I'm not familiar with nmap, I tried all sorts of commands.

    The simplest command:

    nmap 192.168.41.132

    PS C:\WINDOWS\system32> nmap 192.168.41.132
    Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-08 15:56 中国标准时间
    Nmap scan report for bogon (192.168.41.132)
    Host is up (0.0000050s latency).
    Not shown: 997 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    111/tcp  open  rpcbind
    2049/tcp open  nfs
    MAC Address: 00:0C:29:81:23:53 (VMware)
    
    Nmap done: 1 IP address (1 host up) scanned in 22.66 seconds
    
    

    Adding the -v and -F options makes it faster.

    PS C:\WINDOWS\system32> nmap -v -F 192.168.41.132
    Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-08 15:59 中国标准时间
    Initiating ARP Ping Scan at 15:59
    Scanning 192.168.41.132 [1 port]
    Completed ARP Ping Scan at 15:59, 1.33s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 15:59
    Completed Parallel DNS resolution of 1 host. at 15:59, 0.01s elapsed
    Initiating SYN Stealth Scan at 15:59
    Scanning bogon (192.168.41.132) [100 ports]
    Discovered open port 22/tcp on 192.168.41.132
    Discovered open port 111/tcp on 192.168.41.132
    Discovered open port 2049/tcp on 192.168.41.132
    Completed SYN Stealth Scan at 15:59, 0.01s elapsed (100 total ports)
    Nmap scan report for bogon (192.168.41.132)
    Host is up (0.0010s latency).
    Not shown: 97 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    111/tcp  open  rpcbind
    2049/tcp open  nfs
    MAC Address: 00:0C:29:81:23:53 (VMware)
    
    Read data files from: E:\ProgramFiles\Nmap
    Nmap done: 1 IP address (1 host up) scanned in 8.07 seconds
               Raw packets sent: 101 (4.428KB) | Rcvd: 101 (4.040KB)
    

    Scanning a specified range of IP addresses

    PS C:\WINDOWS\system32> nmap -v -F 192.168.41.132-254
    Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-08 16:01 中国标准时间
    Initiating ARP Ping Scan at 16:01
    Scanning 123 hosts [1 port/host]
    Completed ARP Ping Scan at 16:01, 6.19s elapsed (123 total hosts)
    Initiating Parallel DNS resolution of 123 hosts. at 16:01
    Completed Parallel DNS resolution of 123 hosts. at 16:01, 0.01s elapsed
    Nmap scan report for 192.168.41.133 [host down]
    Nmap scan report for 192.168.41.134 [host down]
    Nmap scan report for 192.168.41.135 [host down]
    Nmap scan report for 192.168.41.136 [host down]
    ...
    Nmap scan report for 192.168.41.156 [host down]
    Nmap scan report for 192.168.41.157 [host down]
    Nmap scan report for 192.168.41.251 [host down]
    Nmap scan report for 192.168.41.252 [host down]
    Nmap scan report for 192.168.41.253 [host down]
    Initiating SYN Stealth Scan at 16:01
    Scanning 2 hosts [100 ports/host]
    Discovered open port 22/tcp on 192.168.41.132
    Discovered open port 111/tcp on 192.168.41.132
    Discovered open port 2049/tcp on 192.168.41.132
    Completed SYN Stealth Scan against 192.168.41.132 in 1.14s (1 host left)
    Completed SYN Stealth Scan at 16:01, 2.13s elapsed (200 total ports)
    Nmap scan report for bogon (192.168.41.132)
    Host is up (0.00087s latency).
    Not shown: 97 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    111/tcp  open  rpcbind
    2049/tcp open  nfs
    MAC Address: 00:0C:29:81:23:53 (VMware)
    
    Nmap scan report for bogon (192.168.41.254)
    Host is up (0.00s latency).
    All 100 scanned ports on bogon (192.168.41.254) are filtered
    MAC Address: 00:50:56:F7:B4:93 (VMware)
    
    Read data files from: E:\ProgramFiles\Nmap
    Nmap done: 123 IP addresses (2 hosts up) scanned in 15.43 seconds
               Raw packets sent: 561 (20.780KB) | Rcvd: 132 (5.268KB)
    

    NFS service

    Port 22 is running SSH,
    port 111 is running rpcbind,
    and port 2049 is running NFS.

    NFS is the Network File System; you can think of it simply as a file server.
    The key point is this:
    NFS has a rich set of features, but the ports its supporting services listen on are not fixed,
    so it relies on Remote Procedure Call (RPC).
    The client asks the RPC service (rpcbind, on port 111) where the NFS-related services are and connects to them through it,
    which is why the RPC service must be running before NFS is started.

    Script for discovering which NFS exports can be mounted

    nmap -sV --script=nfs-showmount 192.168.41.132

    PS C:\WINDOWS\system32> nmap -sV --script=nfs-showmount 192.168.41.132
    Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-08 16:11 中国标准时间
    Nmap scan report for bogon (192.168.41.132)
    Host is up (0.0000040s latency).
    Not shown: 997 closed ports
    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     OpenSSH 7.9 (protocol 2.0)
    111/tcp  open  rpcbind 2 (RPC #100000)
    | nfs-showmount:
    |_  /home/user/storage
    | rpcinfo:
    |   program version   port/proto  service
    |   100000  2            111/tcp  rpcbind
    |   100000  2            111/udp  rpcbind
    |   100003  2,3         2049/tcp  nfs
    |   100003  2,3         2049/udp  nfs
    |   100005  1,3          606/tcp  mountd
    |_  100005  1,3          812/udp  mountd
    2049/tcp open  nfs     2-3 (RPC #100003)
    MAC Address: 00:0C:29:81:23:53 (VMware)
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 28.26 seconds
    
    

    The script option --script=nfs-showmount was used here.
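    The rpcinfo table above is the answer to a portmapper query: a client asks rpcbind (program 100000, version 2) on port 111 which port a program such as mountd (100005) is listening on, which is exactly why the mountd/nfs ports need not be fixed. The Python below is an added example, not code from the original post; it encodes a PMAPPROC_GETPORT call and decodes the reply according to RFC 5531, round-trips a constructed reply (mountd v3 on 606/tcp, as in the output above) so it runs offline, and includes a live query helper that asks a real rpcbind the same question.

```python
import socket
import struct

# Sun RPC / portmapper constants (RFC 5531; the portmapper is program 100000, version 2)
PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
IPPROTO_TCP, IPPROTO_UDP = 6, 17
MSG_CALL, MSG_REPLY, AUTH_NONE = 0, 1, 0
MOUNTD_PROG, NFS_PROG = 100005, 100003  # program numbers seen in the rpcinfo table

def build_getport_request(xid, prog, vers, proto):
    """Encode a GETPORT call: 'on which port is program prog/vers reachable over proto?'"""
    header = struct.pack(">IIIIII", xid, MSG_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    cred_verf = struct.pack(">IIII", AUTH_NONE, 0, AUTH_NONE, 0)  # no credentials, no verifier
    args = struct.pack(">IIII", prog, vers, proto, 0)  # trailing port field is ignored by GETPORT
    return header + cred_verf + args

def parse_getport_reply(data, expected_xid):
    """Decode the reply. Returns the port, or 0 when the program is not registered."""
    if len(data) < 28:
        raise ValueError("reply too short")
    xid, msg_type, reply_stat, _flavor, vlen = struct.unpack(">IIIII", data[:20])
    if xid != expected_xid or msg_type != MSG_REPLY or reply_stat != 0:
        raise ValueError("unexpected or rejected reply")
    off = 20 + ((vlen + 3) & ~3)  # skip the verifier body, which XDR pads to 4 bytes
    accept_stat, port = struct.unpack(">II", data[off:off + 8])
    if accept_stat != 0:
        raise ValueError(f"call not accepted: accept_stat={accept_stat}")
    return port

def build_getport_reply(xid, port):
    """Constructed rpcbind reply (what the server would send), used only for the offline demo."""
    return struct.pack(">IIIIIII", xid, MSG_REPLY, 0, AUTH_NONE, 0, 0, port)

def query_portmapper(host, prog, vers, proto=IPPROTO_TCP, timeout=2.0):
    """Live lookup against rpcbind on host:111/udp, the same question `rpcinfo -p` asks."""
    xid = 0x4E46532E  # arbitrary transaction id; the reply must echo it back
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_getport_request(xid, prog, vers, proto), (host, 111))
        data, _ = s.recvfrom(1024)
    return parse_getport_reply(data, xid)

def demo():
    """Offline round trip mirroring the page's rpcinfo table: mountd v3 on 606/tcp."""
    xid = 0x12345678
    request = build_getport_request(xid, MOUNTD_PROG, 3, IPPROTO_TCP)
    reply = build_getport_reply(xid, 606)  # constructed, not captured from the VM
    return len(request), parse_getport_reply(reply, xid)

if __name__ == "__main__":
    print(demo())  # (56, 606)
```

    A reply of port 0 means the program is not registered with rpcbind, so on a hardened host a defender expects mountd and nfs lookups to return 0 from any network they are not meant to serve.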


    nfs-showmount

    We found a mountable directory: /home/user/storage
    The next step is to mount that directory and see whether it contains any files that can be used.


    I can't get any further with the rest for now; I'll put it on hold for a while.

