-p <port ranges>: Only scan specified ports. -p- scans the full range 1-65535.
-sV: Probe open ports to determine service/version info.
-T[0-6]: Set timing template (higher is faster); this controls the scan speed and related timing.
-A: Enables OS detection and version detection.
-oN/-oX/-oS/-oG <file>: Output scan results in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename. -oX writes XML output to the filename that follows it.
-Pn: Skip the host-discovery ping and scan directly, so hosts that block ping are not missed.
TRACEROUTE HOP RTT ADDRESS 1 1.09 ms 192.168.199.230
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 133.02 seconds root@kali:~#
root@kali:~# nikto -host 192.168.199.230 -port 80
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.199.230
+ Target Hostname:    192.168.199.230
+ Target Port:        80
+ Start Time:         2019-10-13 05:30:31 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server may leak inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Wed Sep 5 23:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.1.1). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS).
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
+ /wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /assets/mobirise/css/meta.php?filesrc=: A PHP backdoor file manager was found.
+ /login.cgi?cli=aa%20aa%27cat%20/etc/hosts: Some D-Link router remote command execution.
+ /shell?cat+/etc/hosts: A backdoor was identified.
+ 8724 requests: 0 error(s) and 30 item(s) reported on remote host
+ End Time:           2019-10-13 05:30:56 (GMT-4) (25 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
The finding that narrows down the vulnerability:
mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
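Picking that line out of thirty Nikto findings by eye is error-prone, so here is an added example (not part of the original writeup) that parses Nikto's plain-text report and triages it: findings that cite a CVE/CAN identifier come first, "appears to be outdated" component notes second, everything else last. The sample text is constructed from the output shown on this page, trimmed to a subset of lines; the regular expressions are my own and assume Nikto's `+ ` line prefix and its `OSVDB-nnnn` and `CVE-/CAN-` reference style.

```python
"""Parse a Nikto text report and rank findings for vulnerability triage."""
import re

# Constructed sample built from the Nikto output on this page (subset of lines).
SAMPLE_NIKTO_OUTPUT = """\
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.199.230
+ Target Hostname:    192.168.199.230
+ Target Port:        80
+ Start Time:         2019-10-13 05:30:31 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server may leak inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Wed Sep 5 23:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.1.1). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ 8724 requests: 0 error(s) and 30 item(s) reported on remote host
+ End Time:           2019-10-13 05:30:56 (GMT-4) (25 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
"""

# Header/footer lines that Nikto also prefixes with "+ " but that are not findings.
META_RE = re.compile(r"^\+ (?:Target |Start Time|End Time|\d+ requests:|\d+ host\(s\))")
SERVER_RE = re.compile(r"^\+ Server: (.+)$")
CVE_RE = re.compile(r"\b(?:CVE|CAN)-\d{4}-\d{4,}\b")      # CAN- is the pre-2005 CVE prefix
OSVDB_RE = re.compile(r"\bOSVDB-(\d+)\b")
COMPONENT_RE = re.compile(r"([A-Za-z_][\w]*)/(\d[\w.]*)")  # name/version tokens in a banner


def parse_nikto(text):
    """Return {'server': banner, 'findings': [dict, ...]} from a Nikto text report."""
    report = {"server": None, "findings": []}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith("+ ") or META_RE.match(line):
            continue
        m = SERVER_RE.match(line)
        if m:
            report["server"] = m.group(1).strip()
            continue
        msg = line[2:]
        report["findings"].append({
            "message": msg,
            "cves": CVE_RE.findall(msg),
            "osvdb": [int(x) for x in OSVDB_RE.findall(msg)],
            "outdated": "appears to be outdated" in msg,
        })
    return report


def server_components(banner):
    """Split 'Apache/1.3.20 ... mod_ssl/2.8.4 OpenSSL/0.9.6b' into (name, version) pairs."""
    return COMPONENT_RE.findall(banner or "")


def triage(report):
    """CVE-referenced findings first, then outdated-component notes, then the rest (stable order)."""
    def rank(f):
        return 0 if f["cves"] else (1 if f["outdated"] else 2)
    return sorted(report["findings"], key=rank)


if __name__ == "__main__":
    rep = parse_nikto(SAMPLE_NIKTO_OUTPUT)
    print("components:", server_components(rep["server"]))
    for f in triage(rep):
        tag = ",".join(f["cves"]) or ("outdated" if f["outdated"] else "info")
        print(f"[{tag}] {f['message'][:90]}")
```

The ranking is deliberately coarse: a CVE reference is a pointer to a tracked weakness with a known fix, which is what a patch-management queue needs first, while "outdated" lines tell you the component is past end of life even when no single CVE is named.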
root@kali:~# nbtscan 192.168.199.230
Doing NBT name scan for addresses from 192.168.199.230

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
192.168.199.230  KIOPTRIX         <server>  KIOPTRIX         00:00:00:00:00:00
root@kali:~#
root@kali:~# rpcclient -U "" 192.168.199.230
root@kali:~# smbclient -L="192.168.199.230"
Server does not support EXTENDED_SECURITY but 'client use spnego = yes' and 'client ntlmv2 auth = yes' is set
Anonymous login successful
Enter WORKGROUP\root's password:

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba Server)
        ADMIN$          IPC       IPC Service (Samba Server)
Reconnecting with SMB1 for workgroup listing.
Server does not support EXTENDED_SECURITY but 'client use spnego = yes' and 'client ntlmv2 auth = yes' is set
Anonymous login successful

        Server               Comment
        ---------            -------
        KIOPTRIX             Samba Server
root@kali:~# enum4linux 192.168.199.230
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Oct 13 04:23:40 2019

 ==========================
|    Target Information    |
 ==========================
Target ........... 192.168.199.230
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ===============================================
|    Nbtstat Information for 192.168.199.230    |
 ===============================================
Looking up status of 192.168.199.230
        KIOPTRIX        <00> -         B <ACTIVE>  Workstation Service
        KIOPTRIX        <03> -         B <ACTIVE>  Messenger Service
        KIOPTRIX        <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        MYGROUP         <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        MYGROUP         <1d> -         B <ACTIVE>  Master Browser
        MYGROUP         <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00

 ========================================
|    Session Check on 192.168.199.230    |
 ========================================
[+] Server 192.168.199.230 allows sessions using username '', password ''

 ==============================================
|    Getting domain SID for 192.168.199.230    |
 ==============================================
Domain Name: MYGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 =========================================
|    OS information on 192.168.199.230    |
 =========================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.199.230 from smbclient:
[+] Got OS info for 192.168.199.230 from srvinfo:
        KIOPTRIX       Wk Sv PrQ Unx NT SNT Samba Server
        platform_id     :       500
        os version      :       4.5
        server type     :       0x9a03

 ================================
|    Users on 192.168.199.230    |
 ================================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

 ============================================
|    Share Enumeration on 192.168.199.230    |
 ============================================

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba Server)
        ADMIN$          IPC       IPC Service (Samba Server)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------
        KIOPTRIX             Samba Server

[+] Attempting to map shares on 192.168.199.230
//192.168.199.230/IPC$  [E] Can't understand response:
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//192.168.199.230/ADMIN$        [E] Can't understand response:
tree connect failed: NT_STATUS_WRONG_PASSWORD

 =======================================================
|    Password Policy Information for 192.168.199.230    |
 =======================================================
[E] Unexpected error from polenum:

[+] Attaching to 192.168.199.230 using a NULL share

[+] Getting builtin group memberships:
Group 'Administrators' (RID: 544) has member: Couldn't find group Administrators
Group 'System Operators' (RID: 549) has member: Couldn't find group System Operators
Group 'Backup Operators' (RID: 551) has member: Couldn't find group Backup Operators
Group 'Account Operators' (RID: 548) has member: Couldn't find group Account Operators
Group 'Power Users' (RID: 547) has member: Couldn't find group Power Users
Group 'Guests' (RID: 546) has member: Couldn't find group Guests
Group 'Users' (RID: 545) has member: Couldn't find group Users
Group 'Print Operators' (RID: 550) has member: Couldn't find group Print Operators
Group 'Replicator' (RID: 552) has member: Couldn't find group Replicator

[+] Getting domain group memberships:
Group 'Domain Users' (RID: 513) has member: Couldn't find group Domain Users
Group 'Domain Admins' (RID: 512) has member: Couldn't find group Domain Admins

 ================================================
|    Getting printer info for 192.168.199.230    |
 ================================================
No printers returned.

enum4linux complete on Sun Oct 13 04:23:51 2019

root@kali:~#
Looking at other people's writeups, they normally get the Samba version number here, but mine could not retrieve it, and it also printed an error:
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.