God.org Single-Domain Environment - Information Gathering
Preface
This lab set originally consists of six machines, but because the server hosting the virtual machines ran out of space, only the domain controller, the in-domain SQL server, the in-domain web server and the in-domain file server were deployed; the two domain workstations were not.
Assume we are already connected to the domain's internal network but do not know the network layout inside the domain. (In practice the network used is 192.168.233.80/28, with Kali at 192.168.233.85/28.)
Discovering hosts in the domain
First, use nmap to run an ICMP and ARP sweep of the subnet.
root@kali:~/Desktop# nmap -sn -PR 192.168.233.80/28
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-09 16:05 CST
Nmap scan report for 192.168.233.90
Host is up (0.0037s latency).
MAC Address: CE:5D:BA:08:08:71 (Unknown)
Nmap scan report for 192.168.233.91
Host is up (0.0036s latency).
MAC Address: F6:8F:9F:D8:B7:E7 (Unknown)
Nmap scan report for 192.168.233.92
Host is up (0.0020s latency).
MAC Address: 6E:EF:48:30:B1:63 (Unknown)
Nmap scan report for 192.168.233.93
Host is up (0.00012s latency).
MAC Address: 00:0C:29:B1:39:0E (VMware)
Nmap scan report for 192.168.233.85
Host is up.
Nmap done: 16 IP addresses (5 hosts up) scanned in 1.41 seconds
The first pass finds 5 live IPs, one of which is our own.
Next, probe for ports and service information; the -Pn option disables the ping probe so that hosts which do not respond to ICMP are not missed.
root@kali:~/Desktop# nmap -sV -Pn 192.168.233.80/28
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-09 16:18 CST
Nmap scan report for 192.168.233.90
Host is up (0.0032s latency).
Not shown: 972 closed ports
PORT STATE SERVICE VERSION
25/tcp open smtp Microsoft Exchange smtpd
53/tcp open domain Microsoft DNS 6.1.7601 (1DB1446A) (Windows Server 2008 R2 SP1)
80/tcp open http Microsoft IIS httpd 7.5
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-12-09 08:18:38Z)
110/tcp open pop3 Microsoft Exchange 2007-2010 pop3d
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
143/tcp open imap Microsoft Exchange 2007-2010 imapd
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: god.org, Site: Default-First-Site-Name)
443/tcp open ssl/https?
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: GOD)
464/tcp open kpasswd5?
587/tcp open smtp Microsoft Exchange smtpd
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
808/tcp open ccproxy-http?
993/tcp open ssl/imaps?
995/tcp open ssl/pop3s?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: god.org, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server?
5060/tcp open sip?
6001/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6002/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6004/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6005/tcp open msrpc Microsoft Windows RPC
6006/tcp open msrpc Microsoft Windows RPC
6007/tcp open msrpc Microsoft Windows RPC
MAC Address: CE:5D:BA:08:08:71 (Unknown)
Service Info: Hosts: OWA2010CN-God.god.org, OWA2010CN-GOD; OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2:sp1
Nmap scan report for 192.168.233.91
Host is up (0.0031s latency).
Not shown: 987 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2012 11.00.2100; RTM
2383/tcp open ms-olap4?
3389/tcp open ms-wbt-server?
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
MAC Address: F6:8F:9F:D8:B7:E7 (Unknown)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Nmap scan report for 192.168.233.92
Host is up (0.0024s latency).
Not shown: 985 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000
2383/tcp open ms-olap4?
3389/tcp open ssl/ms-wbt-server?
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
MAC Address: 6E:EF:48:30:B1:63 (Unknown)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Nmap scan report for 192.168.233.93
Host is up (0.00094s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
1052/tcp open msrpc Microsoft Windows RPC
1433/tcp open ms-sql-s Microsoft SQL Server 2005 9.00.1399; RTM
2383/tcp open ms-olap4?
3389/tcp open ms-wbt-server Microsoft Terminal Service
MAC Address: 00:0C:29:B1:39:0E (VMware)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 16 IP addresses (5 hosts up) scanned in 150.93 seconds
On 192.168.233.90, port 389 is open with an LDAP service and the domain name was identified as god.org, so this host is tentatively judged to be the domain controller.
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: god.org, Site: Default-First-Site-Name)
Next, try an nbstat probe against port 139 to obtain host names.
root@kali:~/Desktop# nmap -sS -p 135 --script nbstat 192.168.233.80/28
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-09 16:34 CST
Nmap scan report for 192.168.233.90
Host is up (0.0032s latency).
PORT STATE SERVICE
135/tcp open msrpc
MAC Address: CE:5D:BA:08:08:71 (Unknown)
Host script results:
| nbstat: NetBIOS name: OWA2010CN-GOD, NetBIOS user: <unknown>, NetBIOS MAC: ce:5d:ba:08:08:71 (unknown)
| Names:
| OWA2010CN-GOD<00> Flags: <unique><active>
| GOD<00> Flags: <group><active>
| GOD<1c> Flags: <group><active>
| OWA2010CN-GOD<20> Flags: <unique><active>
| GOD<1e> Flags: <group><active>
| GOD<1d> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
|_ GOD<1b> Flags: <unique><active>
Nmap scan report for 192.168.233.91
Host is up (0.0055s latency).
PORT STATE SERVICE
135/tcp open msrpc
MAC Address: F6:8F:9F:D8:B7:E7 (Unknown)
Host script results:
| nbstat: NetBIOS name: WEBSERVER, NetBIOS user: <unknown>, NetBIOS MAC: f6:8f:9f:d8:b7:e7 (unknown)
| Names:
| WEBSERVER<00> Flags: <unique><active>
| GOD<00> Flags: <group><active>
| WEBSERVER<20> Flags: <unique><active>
|_ GOD<1e> Flags: <group><active>
Nmap scan report for 192.168.233.92
Host is up (0.0023s latency).
PORT STATE SERVICE
135/tcp open msrpc
MAC Address: 6E:EF:48:30:B1:63 (Unknown)
Host script results:
| nbstat: NetBIOS name: SQLSERVER, NetBIOS user: <unknown>, NetBIOS MAC: 6e:ef:48:30:b1:63 (unknown)
| Names:
| SQLSERVER<00> Flags: <unique><active>
| SQLSERVER<20> Flags: <unique><active>
|_ GOD<00> Flags: <group><active>
Nmap scan report for 192.168.233.93
Host is up (0.00067s latency).
PORT STATE SERVICE
135/tcp open msrpc
MAC Address: 00:0C:29:B1:39:0E (VMware)
Host script results:
| nbstat: NetBIOS name: FILESERV, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:b1:39:0e (VMware)
| Names:
| FILESERV<00> Flags: <unique><active>
| FILESERV<20> Flags: <unique><active>
| GOD<00> Flags: <group><active>
|_ GOD<1e> Flags: <group><active>
Nmap done: 16 IP addresses (5 hosts up) scanned in 1.78 seconds
The NetBIOS names give a rough picture of which machines exist in the domain, in preparation for attacking their services later.
Summary
At this point we have a rough picture of the domain; next, each machine will be attacked in turn.
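As an added example (not code from the original write-up), the following Python script parses nmap's normal output into an inventory, applies the same port-based reasoning used above to flag the likely domain controller and extract the AD domain, and decodes the NetBIOS name suffixes shown by the nbstat script. The embedded scan text is a constructed, trimmed sample in the shape of the output above, and the port-to-role mapping is this example's own assumption.

```python
import re
# Constructed sample in the shape of the post's "nmap -sV" normal output,
# cut down to two hosts and a few ports each (not the post's full output).
SAMPLE_NMAP = """\
Nmap scan report for 192.168.233.90
88/tcp open kerberos-sec Microsoft Windows Kerberos
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: god.org, Site: Default-First-Site-Name)
Nmap scan report for 192.168.233.92
80/tcp open http Microsoft IIS httpd 8.5
1433/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000
"""
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+(\S+)\s*(.*)$")
def parse_nmap(text):
    """Return {ip: {port: (service, version)}} from nmap normal output."""
    hosts, cur = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            cur = hosts.setdefault(m.group(1), {})
        elif (m := PORT_RE.match(line)) and cur is not None:
            cur[int(m.group(1))] = (m.group(2), m.group(3).strip())
    return hosts
def ad_domain(ports):
    """Pull the AD domain out of an LDAP version string, as seen on .90."""
    for _svc, ver in ports.values():
        if m := re.search(r"Domain: ([^,)]+)", ver):
            return m.group(1)
    return None

# Port-based role hints (assumed mapping): Kerberos (88) plus LDAP (389) marks
# a domain controller, which is the reasoning the post applies to .90.
ROLE_HINTS = [({88, 389}, "domain-controller"), ({1433}, "mssql"),
              ({80}, "web"), ({445}, "smb")]

def infer_roles(ports):
    """Return the roles whose required ports are all open on the host."""
    return [role for need, role in ROLE_HINTS if need.issubset(ports)]
# NetBIOS name suffixes reported by the nbstat script (standard nbtstat table).
NB_SUFFIX = {0x00: "workstation/domain name", 0x1b: "domain master browser (PDC)",
             0x1c: "domain controllers group", 0x1d: "master browser",
             0x1e: "browser elections", 0x20: "file/server service"}

def decode_nbstat(name_lines):
    """Map 'GOD<1c> Flags: ...' lines from nbstat output to (name, meaning)."""
    out = []
    for ln in name_lines:
        if m := re.search(r"(\S+)<([0-9a-f]{2})>", ln):
            out.append((m.group(1), NB_SUFFIX.get(int(m.group(2), 16), "other")))
    return out
```

Run against the full output of a real scan, the GOD<1c> and GOD<1b> entries on .90 corroborate the LDAP-based guess that it is the domain controller.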
_(:3 」∠)_