p85 Using nmap to probe the target host's operating system version: there is a problem here, I can't fingerprint the NAT server!
msf > nmap -sT 10.10.10.254
[*] exec: nmap -sT 10.10.10.254

Starting Nmap 7.01 ( https://nmap.org ) at 2016-02-21 02:13 EST
Nmap scan report for gate.dvssc.com (10.10.10.254)
Host is up (0.00020s latency).
All 1000 scanned ports on gate.dvssc.com (10.10.10.254) are filtered
MAC Address: 00:50:56:E6:00:CC (VMware)

Nmap done: 1 IP address (1 host up) scanned in 21.24 seconds
But the Windows XP system behind this NAT server can be fingerprinted through it:
root@kali:~# nmap -O 192.168.10.128

Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-17 14:28 CST
Nmap scan report for 192.168.10.128
Host is up (0.34s latency).
Not shown: 988 closed ports
PORT     STATE    SERVICE
25/tcp   open     smtp
80/tcp   open     http
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
443/tcp  open     https
445/tcp  open     microsoft-ds
514/tcp  filtered shell
777/tcp  open     multiling-http
1025/tcp open     NFS-or-IIS
6002/tcp open     X11:2
7001/tcp open     afs3-callback
7002/tcp open     afs3-prserver
Device type: general purpose
Running: Microsoft Windows 7|2012|XP
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 7 or Windows Server 2012, Microsoft Windows XP SP3

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.13 seconds
p95 Open proxy detection auxiliary module
This has to reach Google, so Lantern is no help here; better to just edit the hosts file the honest way.
msf auxiliary(ssh_version) > use auxiliary/scanner/http/open_proxy
msf auxiliary(open_proxy) > set SITE www.google.com
SITE => www.google.com
msf auxiliary(open_proxy) > set RHOSTS 24.25.24.1-24.25.26.254
RHOSTS => 24.25.24.1-24.25.26.254
msf auxiliary(open_proxy) > set MULTIPORTS true
MULTIPORTS => true
msf auxiliary(open_proxy) > set VERIFY_CONNECT true
VERIFY_CONNECT => true
msf auxiliary(open_proxy) > set THREADS 100
THREADS => 100
msf auxiliary(open_proxy) > run

[*] Scanned 93 of 766 hosts (12% complete)
[*] Scanned 186 of 766 hosts (24% complete)
[*] Scanned 238 of 766 hosts (31% complete)
[*] Scanned 307 of 766 hosts (40% complete)
[*] Scanned 400 of 766 hosts (52% complete)
[*] Scanned 471 of 766 hosts (61% complete)
[*] Scanned 538 of 766 hosts (70% complete)
[*] Scanned 616 of 766 hosts (80% complete)
[*] Scanned 698 of 766 hosts (91% complete)
[*] Scanned 766 of 766 hosts (100% complete)
[*] Auxiliary module execution completed
It seems not a single one was found!
p96 SSH password sniffing
First write a dictionary file:
# vim /root/words.txt (one password per line)
root
123456
linux
ubuntu
Then:
msf auxiliary(ssh_login) > set PASS_FILE /root/words.txt
PASS_FILE => /root/words.txt
msf auxiliary(ssh_login) > run

[*] 10.10.10.254:22 SSH - Starting bruteforce
[-] 10.10.10.254:22 SSH - Failed: 'root:'
[!] No active DB -- Credential data will not be saved!
[-] 10.10.10.254:22 SSH - Failed: 'root:root'
[-] 10.10.10.254:22 SSH - Failed: 'root:123456'
[-] 10.10.10.254:22 SSH - Failed: 'root:linux'
[+] 10.10.10.254:22 SSH - Success: 'root:ubuntu' 'uid=0(root) gid=0(root) groups=0(root) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 1 opened (10.10.10.128:35006 -> 10.10.10.254:22) at 2016-02-21 04:08:00 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Password obtained!
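The defender's view of the ssh_login run above, added here as an example (it is not code from the book or from this blog): a small check over sshd auth-log lines that flags a source address which piles up password failures and then gets a password login accepted, which is the trace a word-list attack like the one above leaves on the target. The log lines are constructed to mirror that session; the threshold value is an assumption.

```python
import re
from collections import defaultdict

# Constructed sshd log lines modelled on the ssh_login run above
# (four failures for root from 10.10.10.128, then a success). Not real data.
SAMPLE_AUTH_LOG = """\
Feb 21 04:07:58 metasploitable sshd[2301]: Failed password for root from 10.10.10.128 port 35002 ssh2
Feb 21 04:07:58 metasploitable sshd[2303]: Failed password for root from 10.10.10.128 port 35003 ssh2
Feb 21 04:07:59 metasploitable sshd[2305]: Failed password for root from 10.10.10.128 port 35004 ssh2
Feb 21 04:07:59 metasploitable sshd[2307]: Failed password for root from 10.10.10.128 port 35005 ssh2
Feb 21 04:08:00 metasploitable sshd[2309]: Accepted password for root from 10.10.10.128 port 35006 ssh2
Feb 21 04:09:12 metasploitable sshd[2320]: Accepted publickey for admin from 10.10.10.5 port 50122 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user bob from ..." forms of the sshd message.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def detect_bruteforce(log_text, threshold=3):
    """Return [(src_ip, failure_count, users_logged_in_after_failures), ...]
    for every source that reached `threshold` password failures (assumed
    default of 3). Public-key logins are ignored: the attack above only
    ever tries passwords."""
    failures = defaultdict(int)
    success_after_failures = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["method"] != "password":
            continue
        src = m["src"]
        if m["result"] == "Failed":
            failures[src] += 1
        elif failures[src] >= threshold:
            # A success only matters once the same source has already failed enough
            success_after_failures[src].add(m["user"])
    return [
        (src, count, sorted(success_after_failures[src]))
        for src, count in sorted(failures.items())
        if count >= threshold
    ]


if __name__ == "__main__":
    for src, count, users in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(f"{src}: {count} password failures, then logged in as {users or 'nobody'}")
```

A source with many failures and an empty user list is a guess that did not land; a non-empty list is the case that should page someone.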
p97 psnuffle password sniffing
On kali:
msf > use auxiliary/sniffer/psnuffle
msf auxiliary(psnuffle) > run
On owaspbwa:
# ftp 10.10.10.254
Enter the username and password in turn: msfadmin\msfadmin
Successfully captured on kali:
[*] Successful FTP Login: 10.10.10.129:54041-10.10.10.254:21 >> msfadmin / msfadmin
p100 OpenVAS vulnerability scanner
I was originally doing this on kali 2.0, but it only ships the Metasploit modules preinstalled; there seems to be no way to create a user, so openvas_connect can't be run either.
To install openvas I followed https://www.kali.org/penetration-testing/openvas-vulnerability-scanning/
But the openvas_setup step always ran into one problem or another, for example:
ERROR: The number of NVTs in the OpenVAS Manager database is too low.
FIX: Make sure OpenVAS Scanner is running with an up-to-date NVT collection and run 'openvasmd --rebuild'.
Following the suggested fix did nothing, it still errored out, and Google didn't help either. So in the end I switched over to BT5 to play with it.
Creating the account was a bit odd: typing it exactly as in the book failed, but dropping the quotes made it succeed:
root@bt:~# openvasad -c 'add_user' -n admin -r 'Adimin'
Enter password:
ad   main:MESSAGE:2357:2016-02-22 01h06.08 EST: No rules file provided, the new user will have no restrictions.
ad   main:WARNING:2357:2016-02-22 01h06.08 EST: Failed to create user admin!
root@bt:~# test -e /var/lib/openvas/users/admin || openvasad -c add_user -n admin -r Admin
Enter password:
ad   main:MESSAGE:2364:2016-02-22 01h09.06 EST: No rules file provided, the new user will have no restrictions.
ad   main:MESSAGE:2364:2016-02-22 01h09.06 EST: User admin has been successfully created.
To make starting it convenient, you can write a script start_openvas.sh:
#!/bin/sh
# Pull the latest NVT feed before starting anything
openvas-nvt-sync
# Scanner daemon, spoken to by the manager on 9391
openvassd --listen=127.0.0.1 --port=9391
# Administrator daemon (the one the admin account above was created with); gsad reaches it via --aport=9393
openvasad --listen=127.0.0.1 --port=9393
# Manager: talks to the scanner on 9391, serves OMP on 9390
openvasmd --database=/usr/local/var/lib/openvas/mgr/tasks.db \
    --slisten=127.0.0.1 --sport=9391 --listen=0.0.0.0 --port=9390
# Greenbone Security Assistant web UI on 9392, wired to the administrator and manager ports
gsad --listen=0.0.0.0 --port=9392 --alisten=127.0.0.1 --aport=9393 \
    --mlisten=127.0.0.1 --mport=9390 --http-only
Let's give it a try..
Result: not a single vulnerability found, what's going on???
Director, this isn't the script we agreed on!!
p118 Chapter 3 practice assignment
1. Pick 163.com and gather intelligence on it!
# whois 163.com
Addendum: running whois 163.com on bt5 turns up far more complete information, everything laid bare!
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2015-11-30T21:31:22-0800
Creation Date: 1997-09-14T21:00:00-0700
Registrar Registration Expiration Date: 2018-09-13T21:00:00-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)
Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)
Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)
Registry Registrant ID:
Registrant Name: Domain Admin
Registrant Organization: Guangzhou NetEase Computer System Co., Ltd
Registrant Street: No. 16, Keyun Road, Tianhe District,
Registrant City: Guangzhou
Registrant State/Province: Guangdong
Registrant Postal Code: 510665
Registrant Country: CN
Registrant Phone: +86.2085106370
Registrant Phone Ext:
Registrant Fax: +86.2085106370
Registrant Fax Ext:
Registrant Email: nsadmin@corp.netease.com
Registry Admin ID:
Admin Name: Domain Admin
Admin Organization: Guangzhou NetEase Computer System Co., Ltd
Admin Street: No. 16, Keyun Road, Tianhe District,
Admin City: Guangzhou
Admin State/Province: Guangdong
Admin Postal Code: 510665
Admin Country: CN
Admin Phone: +86.2085106370
Admin Phone Ext:
Admin Fax: +86.2085106370
Admin Fax Ext:
Admin Email: nsadmin@corp.netease.com
Registry Tech ID:
Tech Name: Domain Admin
Tech Organization: Guangzhou NetEase Computer System Co., Ltd
Tech Street: No. 16, Keyun Road, Tianhe District,
Tech City: Guangzhou
Tech State/Province: Guangdong
Tech Postal Code: 510665
Tech Country: CN
Tech Phone: +86.2085106370
Tech Phone Ext:
Tech Fax: +86.2085106370
Tech Fax Ext:
Tech Email: nsadmin@corp.netease.com
So they're on Keyun Road in Tianhe District, haha!
Continuing:
# nslookup
> set type=A
> 163.com
Non-authoritative answer:
Name:    163.com
Address: 123.58.180.7
Name:    163.com
Address: 123.58.180.8
Querying with the dig command against the 114 DNS resolver:
root@kali:~# dig @114.114.114.114 163.com
; <<>> DiG 9.9.5-12.1-Debian <<>> @114.114.114.114 163.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16208
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;163.com.                       IN      A

;; ANSWER SECTION:
163.com.                371     IN      A       123.58.180.7
163.com.                371     IN      A       123.58.180.8

;; Query time: 37 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: Sun Feb 21 20:48:18 EST 2016
;; MSG SIZE  rcvd: 68
Looking this IP address up in the Chunzhen (纯真) IP database gives:
Hangzhou, Zhejiang Province: NetEase Computer System BGP node
GeoIP, however, places it in Guangzhou, which ought to be the correct one!
Next, look up the sub-site information on netcraft:
It shows a lot of detail, such as the server's operating system (linux) and some site technology.
Next we use ip2Domain for a reverse lookup from IP to domain.
Only a single host came back.
Then I tried the one from the book, and it likewise found only one host, unlike the 4 hosts the book found! No idea why!