nmap
C:\root\Desktop> nmap -A 10.10.10.17
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-18 09:13 EDT
Nmap scan report for 10.10.10.17
Host is up (0.33s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)
| 256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)
|_ 256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: TOP SASL(PLAIN) CAPA RESP-CODES UIDL AUTH-RESP-CODE USER PIPELINING
143/tcp open imap Dovecot imapd
|_imap-capabilities: AUTH=PLAINA0001 SASL-IR LOGIN-REFERRALS more IMAP4rev1 ENABLE LITERAL+ Pre-login listed IDLE post-login OK ID have capabilities
443/tcp open ssl/http nginx 1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: Welcome to nginx!
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Not valid before: 2017-04-13T11:19:29
|_Not valid after: 2027-04-11T11:19:29
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
| tls-nextprotoneg:
|_ http/1.1
The scan shows SMTP mail service is open, and POP3 on port 110 is a mail service as well.
Scan it with this:
C:\root\exp\smtp-user-enum-1.2> perl smtp-user-enum.pl -M VRFY -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 10.10.10.17
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
-----------------------------------------------------
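The same nmap output that tells an attacker VRFY is enabled also tells a defender what to fix. The following is an added example (not part of the original writeup and not from nmap or pentestmonkey) that parses nmap's normal output, pulls out the mail-service script results, and flags the settings the enumeration above relies on: VRFY/EXPN on SMTP, and PLAIN authentication offered without STLS/STARTTLS on POP3 and IMAP. The embedded sample is a constructed copy of the mail-relevant lines from the scan above; the parsing rules and finding texts are my own, while the remediation keys (`disable_vrfy_command`, `disable_plaintext_auth`, `ssl`) are real Postfix and Dovecot parameters.

```python
import re

# Constructed sample: the mail-relevant lines copied from the nmap -A scan above.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
25/tcp open smtp Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: TOP SASL(PLAIN) CAPA RESP-CODES UIDL AUTH-RESP-CODE USER PIPELINING
143/tcp open imap Dovecot imapd
|_imap-capabilities: AUTH=PLAINA0001 SASL-IR LOGIN-REFERRALS more IMAP4rev1 ENABLE LITERAL+ Pre-login listed IDLE post-login OK ID have capabilities
443/tcp open ssl/http nginx 1.10.0 (Ubuntu)
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
"""

# "25/tcp open smtp Postfix smtpd"  ->  port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
# "|_smtp-commands: ..." / "| ssl-cert: ..."  ->  NSE script name, first line of result
SCRIPT_RE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")


def parse_nmap(text):
    """Parse nmap 'normal' output into {port: {service, version, scripts}}.

    NSE script results are attached to the port line that precedes them;
    continuation lines ("| Subject Alternative Name: ...") are folded into
    the text of the most recent script.
    """
    ports, current, last_script = {}, None, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {"service": m.group(4), "version": m.group(5).strip(), "scripts": {}}
            ports[int(m.group(1))] = current
            last_script = None
            continue
        if current is None or not line.startswith("|"):
            continue
        m = SCRIPT_RE.match(line)
        if m:
            last_script = m.group(1)
            current["scripts"][last_script] = m.group(2)
        elif last_script:
            current["scripts"][last_script] += " " + line.lstrip("|_ ").strip()
    return ports


def san_names(ports):
    """Hostnames from the TLS certificate's Subject Alternative Name (asset inventory)."""
    names = []
    for info in ports.values():
        names += re.findall(r"DNS:([\w.-]+)", info["scripts"].get("ssl-cert", ""))
    return names


def audit_mail_services(ports):
    """Return (port, issue, remediation) for mail settings the scan exposes."""
    findings = []
    for port, info in sorted(ports.items()):
        scripts = info["scripts"]
        smtp = [t.strip() for t in scripts.get("smtp-commands", "").split(",")]
        if "VRFY" in smtp or "EXPN" in smtp:
            findings.append((port, "SMTP advertises VRFY/EXPN: valid usernames can be enumerated",
                             "postfix main.cf: disable_vrfy_command = yes"))
        pop3 = scripts.get("pop3-capabilities", "").split()
        if "SASL(PLAIN)" in pop3 and "STLS" not in pop3:
            findings.append((port, "POP3 offers PLAIN auth without STLS: credentials cross the wire in cleartext",
                             "dovecot: disable_plaintext_auth = yes, ssl = required"))
        imap = scripts.get("imap-capabilities", "").split()
        if any(t.startswith("AUTH=PLAIN") for t in imap) and "STARTTLS" not in imap:
            findings.append((port, "IMAP offers PLAIN auth without STARTTLS: credentials cross the wire in cleartext",
                             "dovecot: disable_plaintext_auth = yes, ssl = required"))
    return findings


if __name__ == "__main__":
    parsed = parse_nmap(NMAP_OUTPUT)
    print("TLS SAN hostnames to add to the asset inventory:", san_names(parsed))
    for port, issue, fix in audit_mail_services(parsed):
        print(f"{port}/tcp  {issue}\n          fix: {fix}")
```

Run against the sample it reports three findings (ports 25, 110 and 143) and the two SAN hostnames. Feed it real `nmap -A` output of your own mail hosts to get the same list; the VRFY finding is exactly what makes the smtp-user-enum run above productive, and `disable_vrfy_command = yes` makes Postfix answer every VRFY with a 252 so the wordlist yields nothing.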