Teníamos del post anterior, la siguiente salida de nmap Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-01 11:43 CEST NSE: Loaded 132 scripts for scanning. NSE: Script Pre-scanning. Initiating NSE at 11:43 Completed NSE at 11:43, 0.00s elapsed Initiating NSE at 11:43 Completed NSE at 11:43, 0.00s elapsed Initiating ARP Ping Scan at 11:43 Scanning 192.168.1.131 [1 port] Completed ARP Ping Scan at 11:43, 0.00s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 11:43 Completed Parallel DNS resolution of 1 host. at 11:43, 0.15s elapsed Initiating SYN Stealth Scan at 11:43 Scanning 192.168.1.131 [1000 ports] Discovered open port 21/tcp on 192.168.1.131 Discovered open port 139/tcp on 192.168.1.131 Discovered open port 111/tcp on 192.168.1.131 Discovered open port 5900/tcp on 192.168.1.131 Discovered open port 22/tcp on 192.168.1.131 Discovered open port 445/tcp on 192.168.1.131 Discovered open port 80/tcp on 192.168.1.131 Discovered open port 25/tcp on 192.168.1.131 Discovered open port 23/tcp on 192.168.1.131 Discovered open port 53/tcp on 192.168.1.131 Discovered open port 3306/tcp on 192.168.1.131 Discovered open port 8009/tcp on 192.168.1.131 Discovered open port 2049/tcp on 192.168.1.131 Discovered open port 1524/tcp on 192.168.1.131 Discovered open port 512/tcp on 192.168.1.131 Discovered open port 6667/tcp on 192.168.1.131 Discovered open port 6000/tcp on 192.168.1.131 Discovered open port 513/tcp on 192.168.1.131 Discovered open port 8180/tcp on 192.168.1.131 Discovered open port 2121/tcp on 192.168.1.131 Discovered open port 514/tcp on 192.168.1.131 Discovered open port 5432/tcp on 192.168.1.131 Discovered open port 1099/tcp on 192.168.1.131 Completed SYN Stealth Scan at 11:43, 0.15s elapsed (1000 total ports) Initiating Service scan at 11:43 Scanning 23 services on 192.168.1.131 Completed Service scan at 11:43, 11.31s elapsed (23 services on 1 host) Initiating OS detection (try #1) against 192.168.1.131 NSE: Script scanning 192.168.1.131. Initiating NSE at 11:43 Completed NSE at 11:44, 14.52s elapsed Initiating NSE at 11:44 Completed NSE at 11:44, 0.00s elapsed Nmap scan report for 192.168.1.131 Host is up (0.00059s latency). Not shown: 977 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 2.3.4 |_ftp-anon: Anonymous FTP login allowed (FTP code 230) 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) | ssh-hostkey: | 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA) |_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA) 23/tcp open telnet Linux telnetd 25/tcp open smtp Postfix smtpd |_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, | ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX | Issuer: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX | Public Key type: rsa | Public Key bits: 1024 | Signature Algorithm: sha1WithRSAEncryption | Not valid before: 2010-03-17T14:07:45 | Not valid after: 2010-04-16T14:07:45 | MD5: dcd9 ad90 6c8f 2f73 74af 383b 2540 8828 |_SHA-1: ed09 3088 7066 03bf d5dc 2373 99b4 98da 2d4d 31c6 |_ssl-date: 2016-07-01T09:43:21+00:00; -35s from scanner time. 53/tcp open domain ISC BIND 9.4.2 | dns-nsid: |_ bind.version: 9.4.2 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2) | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2 |_http-title: Metasploitable2 - Linux 111/tcp open rpcbind 2 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2 111/tcp rpcbind | 100000 2 111/udp rpcbind | 100003 2,3,4 2049/tcp nfs | 100003 2,3,4 2049/udp nfs | 100005 1,2,3 41183/tcp mountd | 100005 1,2,3 49986/udp mountd | 100021 1,3,4 41855/udp nlockmgr | 100021 1,3,4 54128/tcp nlockmgr | 100024 1 42483/tcp status |_ 100024 1 49051/udp status 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP) 512/tcp open exec netkit-rsh rexecd 513/tcp open login? 514/tcp open tcpwrapped 1099/tcp open rmiregistry GNU Classpath grmiregistry |_rmi-dumpregistry: Registry listing failed (No return data received from server) 1524/tcp open shell Metasploitable root shell 2049/tcp open nfs 2-4 (RPC #100003) | rpcinfo: | program version port/proto service | 100000 2 111/tcp rpcbind | 100000 2 111/udp rpcbind | 100003 2,3,4 2049/tcp nfs | 100003 2,3,4 2049/udp nfs | 100005 1,2,3 41183/tcp mountd | 100005 1,2,3 49986/udp mountd | 100021 1,3,4 41855/udp nlockmgr | 100021 1,3,4 54128/tcp nlockmgr | 100024 1 42483/tcp status |_ 100024 1 49051/udp status 2121/tcp open ftp ProFTPD 1.3.1 3306/tcp open mysql MySQL 5.0.51a-3ubuntu5 | mysql-info: | Protocol: 53 | Version: .0.51a-3ubuntu5 | Thread ID: 8 | Capabilities flags: 43564 | Some Capabilities: SupportsTransactions, Support41Auth, SupportsCompression, SwitchToSSLAfterHandshake, LongColumnFlag, ConnectWithDatabase, Speaks41ProtocolNew | Status: Autocommit |_ Salt: 7HD[!-`|m0EJ$q2@-^sH 5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7 5900/tcp open vnc VNC (protocol 3.3) | vnc-info: | Protocol version: 3.3 | Security types: |_ Unknown security type (33554432) 6000/tcp open X11 (access denied) 6667/tcp open irc Unreal ircd | irc-info: | users: 1 | servers: 1 | lusers: 1 | lservers: 0 | server: irc.Metasploitable.LAN | version: Unreal3.2.8.1. irc.Metasploitable.LAN | uptime: 0 days, 0:04:04 | source ident: nmap | source host: 5AD5FCE2.78DED367.FFFA6D49.IP |_ error: Closing Link: gjtkunzrr[192.168.1.134] (Quit: gjtkunzrr) 8009/tcp open ajp13 Apache Jserv (Protocol v1.3) |_ajp-methods: Failed to get a valid response for the OPTION request 8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1 |_http-favicon: Apache Tomcat | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache-Coyote/1.1 |_http-title: Apache Tomcat/5.5 MAC Address: 08:00:27:67:3E:A2 (Oracle VirtualBox virtual NIC) Device type: general purpose Running: Linux 2.6.X OS CPE: cpe:/o:linux:linux_kernel:2.6 OS details: Linux 2.6.9 - 2.6.33 Uptime guess: 497.102 days (since Fri Feb 20 08:16:41 2015) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=202 (Good luck!) IP ID Sequence Generation: All zeros Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Host script results: | nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) | Names: | METASPLOITABLE<00> Flags: <unique><active> | METASPLOITABLE<03> Flags: <unique><active> | METASPLOITABLE<20> Flags: <unique><active> | WORKGROUP<00> Flags: <group><active> |_ WORKGROUP<1e> Flags: <group><active> | smb-os-discovery: | OS: Unix (Samba 3.0.20-Debian) | NetBIOS computer name: | Workgroup: WORKGROUP |_ System time: 2016-07-01T05:43:21-04:00 TRACEROUTE HOP RTT ADDRESS 1 0.59 ms 192.168.1.131 NSE: Script Post-scanning. Initiating NSE at 11:44 Completed NSE at 11:44, 0.00s elapsed Initiating NSE at 11:44 Completed NSE at 11:44, 0.00s elapsed Read data files from: /usr/bin/../share/nmap OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 31.64 seconds Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.430KB)
Nos encontramos estos puertos abiertos
39/tcp
open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP) Samba es un sistema para compartir archivos entre Windows y Linux. Si ponemos smbclient -L //192.168.1.131 nos dará un listado de todos los servicios Samba No hace falta meter contraseña, le dais a intro y se acabó. Si abrimos el navegador y ponemos smb://192.168.1.131 Si ponemos smbclient //192.168.1.131/CARPETA Accederemos a la carpeta tmp porque hemos visto una cosa muy rara escrita, ¿verdad? Si usamos el módulo samba_symlink_traversal Nos arroja el siguiente resultado
Si ahora nos conectamos a smbclient //192.168.1.131/tmp/ Y nos metemos en eldirectorio que nos ha dado (rootfs)
No hay comentarios:
Publicar un comentario
Nota: solo los miembros de este blog pueden publicar comentarios.