# **Target Practice**
## **Step 1: find the target's IP address**
**Run a discovery scan before bringing up the target**
## **ifconfig (check your own subnet)**
`nmap -p- 192.168.162.0/24` scans every port across the subnet, or simply run `nmap -sn 192.168.162.0/24` (host discovery for the whole subnet).
Run the same scan again after bringing up the target; the IP that appears only in the second run is the target.
The target's IP address is confirmed as 192.168.151.134.
A simpler alternative:
Run `nmap -p- 192.168.162.0/24` directly (all ports on every live host in the subnet).
This gives the port information:
```
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
1024/tcp open kdm
```
Next, fingerprint the ports. Without version detection, nmap only reports the default service registered for each port number, which is not necessarily the service actually listening there.
## Fingerprinting
`nmap 192.168.151.134 -p 22,80,111,139,443,1024 -sV -sC -O --version-all`
```
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 1024/tcp status
|_ 100024 1 1026/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after: 2010-09-26T09:32:06
|_ssl-date: 2024-12-04T11:25:41+00:00; -13h33m39s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
|_ SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_http-title: 400 Bad Request
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:57:48:96 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_clock-skew: -13h33m39s
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.55 seconds
```
* `nmap`: the network scanner itself.
* `192.168.151.134`: the target host to scan.
* `-p 22,80,111,139,443,1024`: scan only these ports, which cover the services found above (SSH, HTTP, and so on).
* `-sV`: probe each open port for the exact service and version.
* `-sC`: run the default NSE script set, which reports protocol details and common security issues.
* `-O`: fingerprint the target's operating system.
* `--version-all`: try every version-detection probe for a more thorough match.
In short, this command performs a comprehensive scan of the specified ports on the given host: port state, service versions, the operating system, and security-related script checks.
## Vulnerability probing with nmap
`nmap 192.168.151.134 -p 22,80,111,139,443,1024 --script=vuln -oA <output-basename>`
Note that `-oA` takes a base filename for its three output files (normal, grepable and XML), so it must be followed by a name; replace the placeholder with your own.
## Sensitive directories
* `http://192.168.151.134/~operator (CODE:403|SIZE:273)`
* `http://192.168.151.134/~root (CODE:403|SIZE:269)`
* `http://192.168.151.134/cgi-bin/ (CODE:403|SIZE:272)`
* `http://192.168.151.134/index.html (CODE:200|SIZE:2890)`
* `http://192.168.151.134/mrtg/index.html (CODE:200|SIZE:17318)`
* `http://192.168.151.134/usage/index.html (CODE:200|SIZE:3704)`
**The web pages themselves hold little useful information, but a file in one subdirectory indirectly points to the mod_ssl vulnerability.**
Reviewing the nmap vulnerability-scan output shows Apache 1.3.20.
Use `searchsploit Apache 1.3.20` to look up related vulnerabilities and exploit information.
This turns up an exploit script:
`searchsploit mod_ssl`
Next, try Samba for root privileges.
nmap did not identify the Samba version, so use Metasploit's smb_version scanner instead:
`use auxiliary/scanner/smb/smb_version`
`set RHOSTS 192.168.151.134`
Set the IP address and run it; the version reported is Samba 2.2.1a.
Then search for vulnerabilities: two are found, one written in Ruby, but the .c one is the better choice to look at.