2021-10-07 Lab No. 4, reposted from y神's study notes (net pentesting, sockcap, MSF multi-subnet penetration, os-shell, captcha replay, C# decryption, wfuzz subdomain brute-forcing)

Everyone is welcome to join the Hacking水友攻防实验室 to learn together: penetration testing, code auditing, AV evasion and reverse engineering, real-world case sharing, and lab target machines. Please follow.

  1. masscan scan

kali@kali:~$ sudo masscan -p 1-65535 192.168.0.134 --rate=1000

[sudo] kali 的密码:

Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-04-22 05:28:53 GMT

 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth

Initiating SYN Stealth Scan

Scanning 1 hosts [65535 ports/host]

Discovered open port 49154/tcp on 192.168.0.134                                

Discovered open port 21/tcp on 192.168.0.134                                  

Discovered open port 6588/tcp on 192.168.0.134                                

Discovered open port 135/tcp on 192.168.0.134                                 

Discovered open port 80/tcp on 192.168.0.134                                  

Discovered open port 3389/tcp on 192.168.0.134                                

Discovered open port 53/tcp on 192.168.0.134                                  

Discovered open port 999/tcp on 192.168.0.134                                 

Discovered open port 49155/tcp on 192.168.0.134         

  2. Probing port information with nmap

kali@kali:~$ nmap -sC -A -p 49151,21,6588,13,80,3389,53,999,49122 192.168.0.134 -oA cc123-port

Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-22 01:32 EDT

Nmap scan report for 192.168.0.134

Host is up (0.00094s latency).

PORT      STATE    SERVICE            VERSION

13/tcp    filtered daytime

21/tcp    open     ftp                Microsoft ftpd

| ftp-syst:

|_  SYST: Windows_NT

53/tcp    open     domain             Microsoft DNS 6.1.7601 (1DB1446A) (Windows Server 2008 R2 SP1)

| dns-nsid:

|_  bind.version: Microsoft DNS 6.1.7601 (1DB1446A)

80/tcp    open     http               Microsoft IIS httpd 7.5

| http-methods:

|_  Potentially risky methods: TRACE

|_http-server-header: Microsoft-IIS/7.5

|_http-title: IIS7

999/tcp   open     http               Microsoft IIS httpd 7.5

| http-methods:

|_  Potentially risky methods: TRACE

| http-robots.txt: 1 disallowed entry

|_/

|_http-server-header: Microsoft-IIS/7.5

|_http-title: phpMyAdmin

3389/tcp  open     ssl/ms-wbt-server?

|_ssl-date: 2020-04-22T05:32:53+00:00; 0s from scanner time.

6588/tcp  open     http               Microsoft IIS httpd 7.5

| http-cookie-flags:

|   /:

|     ASPSESSIONIDAATDDDCD:

|_      httponly flag not set

| http-methods:

|_  Potentially risky methods: TRACE

|_http-server-header: Microsoft-IIS/7.5

|_http-title: \xBB\xA4\xCE\xC0\xC9\xF1\xA1\xA4\xD6\xF7\xBB\xFA\xB4\xF3\xCA\xA6 V3.5.1 - \xC7\xB0\xCC\xA8\xB5\xC7\xC2\xBC

49122/tcp filtered unknown

49151/tcp filtered unknown

Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2:sp1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 90.75 seconds

kali@kali:~$ nmap -sC -A -p 49151,21,6588,135,80,3389,53,999,49122 192.168.0.134 -oA cc123-port

Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-22 01:34 EDT

Nmap scan report for 192.168.0.134

Host is up (0.00072s latency).

PORT      STATE    SERVICE            VERSION

21/tcp    open     ftp                Microsoft ftpd

| ftp-syst:

|_  SYST: Windows_NT

53/tcp    open     domain             Microsoft DNS 6.1.7601 (1DB1446A) (Windows Server 2008 R2 SP1)

| dns-nsid:

|_  bind.version: Microsoft DNS 6.1.7601 (1DB1446A)

80/tcp    open     http               Microsoft IIS httpd 7.5

| http-methods:

|_  Potentially risky methods: TRACE

|_http-server-header: Microsoft-IIS/7.5

|_http-title: IIS7

135/tcp   open     msrpc              Microsoft Windows RPC

999/tcp   open     http               Microsoft IIS httpd 7.5

| http-methods:

|_  Potentially risky methods: TRACE

| http-robots.txt: 1 disallowed entry

|_/

|_http-server-header: Microsoft-IIS/7.5

|_http-title: phpMyAdmin

3389/tcp  open     ssl/ms-wbt-server?

|_ssl-date: 2020-04-22T05:35:26+00:00; 0s from scanner time.

6588/tcp  open     http               Microsoft IIS httpd 7.5

| http-cookie-flags:

|   /:

|     ASPSESSIONIDAATDDDCD:

|_      httponly flag not set

| http-methods:

|_  Potentially risky methods: TRACE

|_http-server-header: Microsoft-IIS/7.5

|_http-title: \xBB\xA4\xCE\xC0\xC9\xF1\xA1\xA4\xD6\xF7\xBB\xFA\xB4\xF3\xCA\xA6 V3.5.1 - \xC7\xB0\xCC\xA8\xB5\xC7\xC2\xBC

49122/tcp filtered unknown

49151/tcp filtered unknown

Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2:sp1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 90.23 seconds
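The first nmap command above was typed by hand, and its port list does not match what masscan reported (13 instead of 135, 49151 instead of 49154, 49122 instead of 49155), which is why a second run was needed. The script below is an added example and not part of the original post: it parses masscan's "Discovered open port" lines, builds the nmap service-detection command from them, and diffs a hand-typed list against the scan so that transcription slips are visible before any time is spent on the wrong ports. The embedded masscan output is a constructed sample matching the scan above; the output base name and the UDP handling (adding -sU when masscan reported udp ports) are my assumptions.

```python
import re
import shlex

# Constructed sample: masscan stdout in the same format as the scan above
# (the port set matches what masscan reported for 192.168.0.134).
MASSCAN_OUTPUT = """\
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-04-22 05:28:53 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 49154/tcp on 192.168.0.134
Discovered open port 21/tcp on 192.168.0.134
Discovered open port 6588/tcp on 192.168.0.134
Discovered open port 135/tcp on 192.168.0.134
Discovered open port 80/tcp on 192.168.0.134
Discovered open port 3389/tcp on 192.168.0.134
Discovered open port 53/tcp on 192.168.0.134
Discovered open port 999/tcp on 192.168.0.134
Discovered open port 49155/tcp on 192.168.0.134
"""

# The hand-typed port list from the first nmap command in the post
HAND_TYPED = "49151,21,6588,13,80,3389,53,999,49122"

DISCOVERED_RE = re.compile(
    r"^Discovered open port (?P<port>\d{1,5})/(?P<proto>tcp|udp) on (?P<host>\S+)$"
)


def parse_masscan(text):
    """Return {host: {proto: sorted port list}} from masscan's stdout."""
    found = {}
    for raw in text.splitlines():
        m = DISCOVERED_RE.match(raw.strip())
        if not m:
            continue  # banner and progress lines are ignored
        port = int(m.group("port"))
        if not 1 <= port <= 65535:
            continue  # malformed line: skip it rather than feed nmap garbage
        found.setdefault(m.group("host"), {}).setdefault(m.group("proto"), set()).add(port)
    return {h: {p: sorted(s) for p, s in protos.items()} for h, protos in found.items()}


def nmap_command(host, ports, outbase=None):
    """Build the service-detection command for one host, mirroring the post's nmap flags."""
    tcp = ports.get("tcp", [])
    udp = ports.get("udp", [])
    if not tcp and not udp:
        return None
    if udp:
        # Assumption: when masscan reported udp ports, scan both protocols in one run;
        # nmap then needs -sU alongside a T:/U: port spec.
        spec = ",".join(
            (["T:" + ",".join(map(str, tcp))] if tcp else [])
            + (["U:" + ",".join(map(str, udp))] if udp else [])
        )
        extra = " -sS -sU"
    else:
        spec = ",".join(map(str, tcp))
        extra = ""
    outbase = outbase or host.replace(".", "_") + "-port"  # assumed naming scheme
    return f"nmap -sC -A{extra} -p {spec} {shlex.quote(host)} -oA {shlex.quote(outbase)}"


def compare_port_lists(hand_typed, found_ports):
    """Diff a manually typed port list against the parsed masscan result.

    Returns (typed_but_not_found, found_but_not_typed) so transcription errors stand out.
    """
    typed = {int(p) for p in hand_typed.split(",") if p.strip()}
    scanned = set(found_ports)
    return sorted(typed - scanned), sorted(scanned - typed)


if __name__ == "__main__":
    for host, ports in parse_masscan(MASSCAN_OUTPUT).items():
        print(nmap_command(host, ports))
        wrong, missed = compare_port_lists(HAND_TYPED, ports.get("tcp", []))
        print("typed but never seen open:", wrong)
        print("open but left out of the nmap run:", missed)
```

Run against the sample, the diff reports 13, 49122 and 49151 as typed but never open, and 135, 49154 and 49155 as open but omitted, exactly the three slips in the first nmap run.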

  3. Some information about the ports

  4. Hosts file binding

C:\Windows\System32\drivers\etc

192.168.0.134 www.cc123.com

Note: this does not seem to work from the host machine; it only works inside the virtual machine.

  5. Setting the gateway

kali@kali:~$ wfuzz -w /usr/share/amass/wordlists/subdomains-top1mil-5000.txt -u cc123.com -H "Host:FUZZ.cc123.com"  --hw 53

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************

* Wfuzz 2.4 - The Web Fuzzer                           *

********************************************************

Target: http://cc123.com/

Total requests: 5000

===================================================================

ID           Response   Lines    Word     Chars       Payload                                                                                             

===================================================================

000000030:   200        461 L    1272 W   22640 Ch    "new"                                                                                              

000000001:   200        969 L    2160 W   43741 Ch    "www"                                                                                              

000001176:   200        969 L    2160 W   43741 Ch    "WWW"                                                                                               

000002700:   400        6 L      26 W     334 Ch      "m."                                                                                               

000002795:   400        6 L      26 W     334 Ch      "ns2.cl.bellsouth.net."                                                                             

000002883:   400        6 L      26 W     334 Ch      "ns1.viviotech.net."                                                                                

000002885:   400        6 L      26 W     334 Ch      "ns2.viviotech.net."                                                                               

000003050:   400        6 L      26 W     334 Ch      "ns3.cl.bellsouth.net."                                                                             

000004081:   400        6 L      26 W     334 Ch      "ferrari.fortwayne.com."                                                                            

000004082:   400        6 L      26 W     334 Ch      "jordan.fortwayne.com."                                                                            

000004083:   400        6 L      26 W     334 Ch      "quatro.oweb.com."                                                                                  

000000267:   200        931 L    1878 W   30822 Ch    "ww2"
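In the wfuzz run above, `--hw 53` hides every response whose word count is 53, which is how the default catch-all response is filtered out, and the remaining rows only become meaningful once they are grouped: "www" and "WWW" share one content signature, the 400 rows are all payloads ending in a dot (a Host header such as m..cc123.com is malformed and IIS rejects it), and "new" and "ww2" are separately served content. The script below is an added example, not part of the original post: it parses wfuzz's result table, re-applies the hide filters, groups payloads by response signature and lists the distinct candidate virtual hosts. The embedded table is a constructed sample mirroring the run above; the "ftp" row with 53 words is a constructed stand-in for the baseline response that `--hw 53` would have hidden, added so the filter has something to act on.

```python
import re
from collections import defaultdict

# Constructed sample in wfuzz's table format. Rows mirror the run above; the "ftp" row
# is a constructed 53-word baseline of the kind `--hw 53` was hiding.
WFUZZ_OUTPUT = """\
Target: http://cc123.com/
Total requests: 5000
===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================
000000030:   200        461 L    1272 W   22640 Ch    "new"
000000001:   200        969 L    2160 W   43741 Ch    "www"
000000002:   200        9 L      53 W     412 Ch      "ftp"
000001176:   200        969 L    2160 W   43741 Ch    "WWW"
000002700:   400        6 L      26 W     334 Ch      "m."
000002795:   400        6 L      26 W     334 Ch      "ns2.cl.bellsouth.net."
000000267:   200        931 L    1878 W   30822 Ch    "ww2"
"""

ROW_RE = re.compile(
    r'^(?P<id>\d+):\s+(?P<status>\d{3})\s+(?P<lines>\d+) L\s+(?P<words>\d+) W\s+'
    r'(?P<chars>\d+) Ch\s+"(?P<payload>[^"]*)"$'
)


def parse_wfuzz(text):
    """Parse the result rows of a wfuzz table; banner and header lines are skipped."""
    rows = []
    for raw in text.splitlines():
        m = ROW_RE.match(raw.strip())
        if not m:
            continue
        rows.append({
            "id": int(m["id"]), "status": int(m["status"]), "lines": int(m["lines"]),
            "words": int(m["words"]), "chars": int(m["chars"]), "payload": m["payload"],
        })
    return rows


def apply_filters(rows, hide_words=(), hide_codes=()):
    """Re-apply wfuzz-style hide filters (--hw for word counts, --hc for status codes)."""
    hw, hc = set(hide_words), set(hide_codes)
    return [r for r in rows if r["words"] not in hw and r["status"] not in hc]


def group_by_signature(rows):
    """Group payloads by (status, lines, words, chars): same signature, same served content."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["status"], r["lines"], r["words"], r["chars"])].append(r["payload"])
    return dict(groups)


def candidate_vhosts(rows):
    """One representative name per distinct 2xx content signature, case-folded.

    Payloads ending in '.' are dropped: 'm.' yields Host: m..cc123.com, which the server
    rejects with 400, so those rows say nothing about virtual hosts.
    """
    seen = {}
    for r in rows:
        if not 200 <= r["status"] < 300 or r["payload"].endswith("."):
            continue
        seen.setdefault((r["lines"], r["words"], r["chars"]), r["payload"].lower())
    return sorted(seen.values())


if __name__ == "__main__":
    rows = apply_filters(parse_wfuzz(WFUZZ_OUTPUT), hide_words=[53])
    for sig, payloads in group_by_signature(rows).items():
        print(sig, payloads)
    print("candidate vhosts:", candidate_vhosts(rows))
```

With the 53-word baseline hidden, the candidate list comes out as new, ww2 and www, which is the set of distinct virtual hosts the run above actually found.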
