新手打靶教学全程

# **打靶**

## **第一步探测靶机IP地址**

**搭建靶机前做一个探测**

## **ifconfig (查看自己网段)**

nmap -p- 192.168.162.0/24 扫描全网段或者直接 nmap -sn 192.168.162.0/24(探测全网段ip)

搭建靶机后再做一遍探测，多出来的ip就是靶机

确认靶机ip地址为 192.168.151.134

或者更简单的方法

直接 nmap -p- 192.168.162.0/24 （探测网段存活IP的所有端口）

得到端口信息

22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
1024/tcp open kdm

对端口进行指纹探测，我们nmap探测的都是端口的默认服务（不一定它的端口就是使用的默认服务）

## 指纹探测

`nmap 192.168.151.134 -p 22,80,111,139,443,1024 -sV -sC -O --version-all`

`PORT STATE SERVICE VERSION`
`22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)`
`| ssh-hostkey:`
`| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)`
`| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)`
`|_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)`
`|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_http-title: Test Page for the Apache Web Server on Red Hat Linux`
`| http-methods:`
`|_ Potentially risky methods: TRACE`
`|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 1024/tcp status
|_ 100024 1 1026/udp status`
`139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)`
`443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b`
`|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after: 2010-09-26T09:32:06`
`|_ssl-date: 2024-12-04T11:25:41+00:00; -13h33m39s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
|_ SSL2_RC2_128_CBC_EXPORT40_WITH_MD5`
`|_http-title: 400 Bad Request`
`1024/tcp open status 1 (RPC #100024)`
`MAC Address: 00:0C:29:57:48:96 (VMware)`
`Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port`
`Device type: general purpose`
`Running: Linux 2.4.X`
`OS CPE: cpe:/o:linux:linux_kernel:2.4`
`OS details: Linux 2.4.9 - 2.4.18 (likely embedded)`
`Network Distance: 1 hop`

`Host script results:`
`|_clock-skew: -13h33m39s
|_smb2-time: Protocol negotiation failed (SMB2)`
`|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)`

`OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .`
`Nmap done: 1 IP address (1 host up) scanned in 24.55 seconds`

nmap：网络扫描工具命令。

192.168.151.134：要扫描的目标主机 IP 地址。

-p 22,80,111,139,443,1024：指定扫描这些端口，涵盖常见服务对应的端口，像 SSH、HTTP 等服务端口。
-sV：探测端口上服务的具体版本。
-sC：运行默认脚本扫描，检测相关安全情况等。
-O：探测目标主机运行的操作系统类型。
--version-all：更全面深入地探测服务版本信息。

总之，这条命令是对指定 IP 主机的特定端口做全面扫描，查端口情况、服务版本、操作系统以及安全相关问题。

## 利用nmap进行漏洞探测

`nmap 192.168.151.134 -p 22,80,111,139,443,1024 -oA`
`--script=vuln`

## `敏感目录`

* `http://192.168.151.134/~operator (CODE:403|SIZE:273)`

+ `http://192.168.151.134/~root (CODE:403|SIZE:269)`
+ `http://192.168.151.134/cgi-bin/ (CODE:403|SIZE:272)`
+ `http://192.168.151.134/index.html(CODE:200|SIZE:2890)`

+ `http://192.168.151.134/mrtg/index.html(CODE:200|SIZE:17318)`

+ `http://192.168.151.134/usage/index.html(CODE:200|SIZE:3704)`

**网页中没有什么有效信息可以收集，但是有一个子目录中的文件变相提示注意mod_ssl漏洞**

查看nmap漏洞扫描信息发现Apache 1.3.20

利用工具 searchsploit Apache 1.3.20 （查找相关漏洞与exp信息）

发现利用脚本

searchsploit mod_ssl

尝试samba，root权限

nmap没有扫描出来版本，我们使用msf的smb_version扫描一下

`use auxiliary/scanner/smb/smb_version`

`set RHOSTS 192.168.151.134`

设置ip地址直接run，发现版本为Samba 2.2.1a