# Team solution for the final project in information security fundamentals

```
sudo nmap -O -v 10.10.122.1
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
5357/tcp open  wsdapi
5432/tcp open  postgresql
MAC Address: 00:50:56:9E:4D:81 (VMware)

Nmap scan report for 10.10.122.2
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
5357/tcp open  wsdapi
8080/tcp open  http-proxy
MAC Address: 00:50:56:9E:73:93 (VMware)

Nmap scan report for 10.10.122.3
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 00:50:56:9E:9B:5E (VMware)

Nmap scan report for 10.10.122.4
Host is up (0.011s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1433/tcp open  ms-sql-s
5357/tcp open  wsdapi
MAC Address: 00:50:56:9E:65:96 (VMware)

Nmap scan report for 10.10.122.5
PORT    STATE SERVICE
139/tcp open  netbios-ssn
MAC Address: 00:50:56:9E:01:28 (VMware)

Nmap scan report for 10.10.122.6
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:50:56:9E:D7:E4 (VMware)

Nmap scan report for 10.10.122.7
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49158/tcp open  unknown
MAC Address: 00:50:56:9E:88:94 (VMware)
```

---

![](https://i.imgur.com/DATh7bV.jpg)

Take a screenshot from the machine.

![](https://i.imgur.com/aeSsGsU.jpg)

Look at the files.

![](https://i.imgur.com/72AJjpu.jpg)

Scan the network.

- 10.10.122.7 - worker PC - Windows 7 Pro (vulnerable to EternalBlue) - all our machines are connected here
- 10.10.122.3 - worker PC - Windows 7 Pro
- 10.10.122.2 - computer (Apache Tomcat)
- 10.10.122.4 - computer - Windows 10
- 10.10.122.1 - computer (default)
- 10.10.122.5 - hm2
- 10.10.122.6 - hm3 - Windows 10
- domain.local - domain name
- 10.10.122.240 - server - Apache Tomcat

Attack: port scan with the command

```
sudo masscan -v -sS -p80,443,53,389 10.10.0.0/16 --source-ip 10.10.122.12 --source-mac 96:7c:12:ea:25:ea --router-ip 10.10.122.254 --interface tap0
```

Replace the IP and MAC in it with your own. Reference: https://nmap.org/book/man-port-scanning-techniques.html

![](https://i.imgur.com/LLEwvr1.jpg)

Scanning the hosts.

![](https://i.imgur.com/xHmAvrz.png)

10 subnets:

- 10.10.21
- 10.10.122
- 10.10.113
- 10.10.121
- 10.10.54
- 10.10.20
- 10.10.50
- 10.10.112
- 10.10.51
- 10.10.53

![](https://i.imgur.com/NgQqVr9.jpg)

After filtering, 29 addresses:

- 10.10.112.250
- 10.10.112.254
- 10.10.113.254
- 10.10.120.254
- 10.10.121.10
- 10.10.121.254
- 10.10.20.208
- 10.10.20.240
- 10.10.20.248
- 10.10.20.251
- 10.10.20.254
- 10.10.21.1
- 10.10.21.10
- 10.10.21.11
- 10.10.21.2
- 10.10.21.200
- 10.10.21.254
- 10.10.21.3
- 10.10.21.4
- 10.10.21.5
- 10.10.21.6
- 10.10.21.7
- 10.10.21.8
- 10.10.21.9
- 10.10.50.254
- 10.10.51.254
- 10.10.52.254
- 10.10.53.254
- 10.10.54.254

![](https://i.imgur.com/kidD0Ar.jpg)

*DBeaver* - database browser

![](https://i.imgur.com/j0JmVoC.jpg)

# **Findings**

**10.10.122.1** - has a default login and password.
Login: postgres
Password:

**10.10.122.2** - Apache Tomcat 10.0.12, High level - CVE-2021-42340.
Log into the system: Login: tomcat, password: tomcat

![](https://i.imgur.com/k2dPbHR.jpg)

**10.10.122.3** - MS17-010 EternalBlue DoS. *Connected via RDP.* Vivaldi - mimikatz

![](https://i.imgur.com/VQaMHdS.jpg)

**10.10.122.4** - port 1433, SQL Server 2019, httpd 2.0

NETBIOS - nbtscan

Logged into EVE at 10.10.122.240 with admin / eve

![](https://i.imgur.com/OLg8MLF.jpg)

![](https://i.imgur.com/gSaaXfX.jpg)

**Armitage**
![](https://i.imgur.com/VGC5YIG.jpg)

**Netdiscover**

![](https://i.imgur.com/Yti9z3R.jpg)

**NMAP**

`nmap -sV -A 10.10.122.1-7,239,240`

*Nmap scan report for 10.10.122.1*

```
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
5357/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
5432/tcp open  postgresql?
MAC Address: 00:50:56:9E:4D:81 (VMware)
```

*Nmap scan report for 10.10.122.2*

```
Host is up (0.031s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
5357/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
8080/tcp open  http         Apache Tomcat 10.0.12
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat/10.0.12
|_http-favicon: Apache Tomcat
MAC Address: 00:50:56:9E:73:93 (VMware)
```

*Nmap scan report for 10.10.122.3*

```
Host is up (0.031s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 00:50:56:9E:9B:5E (VMware)

Host script results:
| smb2-security-mode:
|   2.1:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: nil, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:9e:9b:5e (VMware)
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: worker-PC
|   NetBIOS computer name: WORKER-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-12-22T01:40:49-08:00
```

*Nmap scan report for 10.10.122.4*

```
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s     Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| ms-sql-ntlm-info:
|   Target_Name: COMPUTER
|   NetBIOS_Domain_Name: COMPUTER
|   NetBIOS_Computer_Name: COMPUTER
|   DNS_Domain_Name: Computer
|   DNS_Computer_Name: Computer
|_  Product_Version: 10.0.17763
5357/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
MAC Address: 00:50:56:9E:65:96 (VMware)

Host script results:
| smb2-security-mode:
|   3.1.1:
NetBIOS MAC: 00:50:56:9e:65:96 (VMware)
| ms-sql-info:
|   10.10.122.4:1433:
|     Version:
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
```

*Nmap scan report for 10.10.122.5*

```
Host is up (0.031s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
MAC Address: 00:50:56:9E:01:28 (VMware)

Host script results:
|_nbstat: NetBIOS name: HM2, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:9e:01:28 (VMware)
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
```

*Nmap scan report for 10.10.122.6*

```
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
MAC Address: 00:50:56:9E:D7:E4 (VMware)

Host script results:
|_clock-skew: 6h56m58s
|_nbstat: NetBIOS name: HM3, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:9e:d7:e4 (VMware)
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
```

*Nmap scan report for 10.10.122.7*

```
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 00:50:56:9E:88:94 (VMware)

Host script results:
| smb2-security-mode:
|   2.1:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: worker-PC
|   NetBIOS computer name: WORKER-PC\x00
|_  Workgroup: WORKGROUP\x00
```

*Nmap scan report for 10.10.122.239*

```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
MAC Address: 00:50:56:9E:46:5F (VMware)
```

*Nmap scan report for 10.10.122.240*

```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 00:50:56:9E:95:39 (VMware)
```

Connected via browser to 10.10.122.240:80. Logged into EVE: Login: admin, password: eve. Gained access to the labs.

![](https://i.imgur.com/15y539g.jpg)

![](https://i.imgur.com/G0szY9v.png)
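The scan reports above carry the remediation signal of this lab in a form that is tedious to read by hand: SMB signing state, end-of-life Windows 7 hosts, an unpatched SQL Server at RTM, and an exposed Tomcat. The Python script below is an added example (not part of the original write-up or of any tool used in it) that parses nmap normal-output text into per-host reports and turns those observations into a prioritised findings list. The embedded `SAMPLE_NMAP_OUTPUT` is a constructed, abbreviated copy of the page's own `nmap -sV -A` reports; the severity labels, rule names and the `HostReport`/`Finding` types are this example's own choices.

```python
"""Defender-side triage of nmap normal output (added example, not the lab's tooling).

Parses per-host scan reports and maps weak SMB, EOL OS, unpatched SQL Server and
exposed Tomcat/PostgreSQL into Finding objects sorted by an assumed severity scale.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: an abbreviated copy of the page's `nmap -sV -A` output.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.122.2
PORT     STATE SERVICE      VERSION
445/tcp  open  microsoft-ds?
8080/tcp open  http         Apache Tomcat 10.0.12
|_http-title: Apache Tomcat/10.0.12

Nmap scan report for 10.10.122.3
PORT      STATE SERVICE      VERSION
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)

Host script results:
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|_  OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)

Nmap scan report for 10.10.122.4
PORT     STATE SERVICE      VERSION
1433/tcp open  ms-sql-s     Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
|       Post-SP patches applied: false
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)", re.M)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}  # assumed scale for this example


@dataclass
class HostReport:
    host: str
    ports: list = field(default_factory=list)         # (port, proto, state, service, version)
    script_lines: list = field(default_factory=list)  # NSE lines with the "|"/"|_" prefix stripped


@dataclass
class Finding:
    host: str
    severity: str
    title: str
    evidence: str


def parse_nmap_normal(text):
    """Split normal nmap output into per-host reports (port table + NSE script lines)."""
    reports = []
    chunks = HOST_RE.split(text)  # ['', host1, body1, host2, body2, ...]
    for i in range(1, len(chunks), 2):
        report = HostReport(host=chunks[i])
        for line in chunks[i + 1].splitlines():
            m = PORT_RE.match(line)
            if m:
                port, proto, state, service, version = m.groups()
                report.ports.append((int(port), proto, state, service, version.strip()))
            elif line.startswith("|"):
                report.script_lines.append(line.lstrip("|_ ").strip())
        reports.append(report)
    return reports


def triage(text):
    """Apply defender-oriented rules to every host report and return Finding objects."""
    findings = []
    for rep in parse_nmap_normal(text):
        script = "\n".join(rep.script_lines)
        versions = " ".join(v for _, _, _, _, v in rep.ports)
        # SMB1 with signing off permits tampering/relay; the Windows 7 hosts on the page show this.
        if "message_signing: disabled" in script:
            findings.append(Finding(rep.host, "HIGH", "SMB1 message signing disabled",
                                    "smb-security-mode: message_signing: disabled"))
        if "Message signing enabled but not required" in script:
            findings.append(Finding(rep.host, "MEDIUM", "SMB2/3 signing not required",
                                    "smb2-security-mode: enabled but not required"))
        if "account_used: guest" in script:
            findings.append(Finding(rep.host, "MEDIUM", "SMB guest session accepted",
                                    "smb-security-mode: account_used: guest"))
        # Windows 7 is end-of-life; the write-up flags these hosts for MS17-010.
        if "Windows 7" in script or "Windows 7" in versions:
            findings.append(Finding(rep.host, "HIGH", "End-of-life Windows 7; verify MS17-010 patch state",
                                    "smb-os-discovery / 445 banner: Windows 7 Professional"))
        if "Post-SP patches applied: false" in script:
            findings.append(Finding(rep.host, "MEDIUM", "SQL Server at RTM with no post-release patches",
                                    "ms-sql-info: Post-SP patches applied: false"))
        for port, proto, _state, service, version in rep.ports:
            tomcat = re.search(r"Apache Tomcat ([\d.]+)", version)
            if tomcat:
                findings.append(Finding(rep.host, "MEDIUM",
                                        f"Apache Tomcat {tomcat.group(1)} exposed on {port}/{proto}; check vendor advisories",
                                        version))
            if service.startswith("postgresql"):
                findings.append(Finding(rep.host, "MEDIUM",
                                        f"PostgreSQL exposed on {port}/{proto}; confirm non-default credentials",
                                        service))
    return findings


def prioritized(findings):
    """Highest severity first, then by host, so the list reads as a remediation order."""
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.host))


if __name__ == "__main__":
    for f in prioritized(triage(SAMPLE_NMAP_OUTPUT)):
        print(f"{f.severity:6} {f.host:14} {f.title}  [{f.evidence}]")
```

Run it against a file produced with `nmap -sV -A ... -oN scan.txt` by reading that file into `triage()` instead of the constructed sample; the rule set is deliberately string-based so that each rule can be traced back to the exact NSE line it keys on.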