1 获取靶机相关信息
nmap -sV 192.168.222.131
***
Starting Nmap 7.80 ( https://nmap.org ) at 2021-10-20 03:09 EDT
Nmap scan report for localhost (192.168.222.131)
Host is up (0.000067s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 00:0C:29:97:47:75 (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.92 seconds
***
nmap -A -v -T4 192.168.222.131
***
Starting Nmap 7.80 ( https://nmap.org ) at 2021-10-20 03:11 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 03:11
Completed NSE at 03:11, 0.00s elapsed
Initiating NSE at 03:11
Completed NSE at 03:11, 0.00s elapsed
Initiating NSE at 03:11
Completed NSE at 03:11, 0.00s elapsed
Initiating ARP Ping Scan at 03:11
Scanning 192.168.222.131 [1 port]
Completed ARP Ping Scan at 03:11, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 03:11
Completed Parallel DNS resolution of 1 host. at 03:11, 0.00s elapsed
Initiating SYN Stealth Scan at 03:11
Scanning localhost (192.168.222.131) [1000 ports]
Discovered open port 80/tcp on 192.168.222.131
Discovered open port 21/tcp on 192.168.222.131
Discovered open port 22/tcp on 192.168.222.131
Completed SYN Stealth Scan at 03:11, 0.12s elapsed (1000 total ports)
Initiating Service scan at 03:11
Scanning 3 services on localhost (192.168.222.131)
Completed Service scan at 03:11, 6.01s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against localhost (192.168.222.131)
NSE: Script scanning 192.168.222.131.
Initiating NSE at 03:11
NSE: [ftp-bounce] PORT response: 500 Illegal PORT command.
Completed NSE at 03:11, 3.51s elapsed
Initiating NSE at 03:11
Completed NSE at 03:11, 0.00s elapsed
Initiating NSE at 03:11
Completed NSE at 03:11, 0.00s elapsed
Nmap scan report for localhost (192.168.222.131)
Host is up (0.00014s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.222.128
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 600
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
| 2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
| 256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
|_ 256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: BTRisk
MAC Address: 00:0C:29:97:47:75 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.249 days (since Tue Oct 19 21:13:36 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.14 ms localhost (192.168.222.131)
NSE: Script Post-scanning.
Initiating NSE at 03:11
Completed NSE at 03:11, 0.00s elapsed
Initiating NSE at 03:11
Completed NSE at 03:11, 0.00s elapsed
Initiating NSE at 03:11
Completed NSE at 03:11, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.41 seconds
Raw packets sent: 1023 (45.806KB) | Rcvd: 1015 (41.290KB)
***
2.发现存在80端口,扫描其网页目录
dirb http://192.168.222.131
***
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Oct 20 03:21:34 2021
URL_BASE: http://192.168.222.131/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.222.131/ ----
==> DIRECTORY: http://192.168.222.131/assets/
+ http://192.168.222.131/index.php (CODE:200|SIZE:758)
==> DIRECTORY: http://192.168.222.131/javascript/
+ http://192.168.222.131/server-status (CODE:403|SIZE:295)
==> DIRECTORY: http://192.168.222.131/uploads/
---- Entering directory: http://192.168.222.131/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.222.131/javascript/ ----
==> DIRECTORY: http://192.168.222.131/javascript/jquery/
---- Entering directory: http://192.168.222.131/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.222.131/javascript/jquery/ ----
+ http://192.168.222.131/javascript/jquery/jquery (CODE:200|SIZE:252879)
+ http://192.168.222.131/javascript/jquery/version (CODE:200|SIZE:5)
-----------------
END_TIME: Wed Oct 20 03:21:42 2021
DOWNLOADED: 13836 - FOUND: 4
***
nikto -host IP:PORT(如果是80端口,可以不加端口号)
nikto -host 192.168.222.131
***
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.222.131
+ Target Hostname: 192.168.222.131
+ Target Port: 80
+ Start Time: 2021-10-20 03:25:17 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.21
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /config.php: PHP Config file may contain database IDs and passwords.
#php的配置文件,会有sql的账户以及密码文件
+ OSVDB-3233: /
内容来源于网络如有侵权请私信删除
文章来源: 博客园
- 还没有人评论,欢迎说说您的想法!
客服
