Date: Mar 15, 2025
Tags: Nmap, Service Enumeration, User Enumeration
192.168.182.40
Nmap
nmap -sT -p- --min-rate 5000 192.168.182.40
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-15 01:47 EDT
Warning: 192.168.182.40 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.182.40
Host is up (0.064s latency).
Not shown: 65309 closed tcp ports (conn-refused), 213 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 22.17 seconds
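As an added example (not part of the original notes), a small Python script that parses Nmap's normal output in the format shown above and tags the open ports a defender would have to justify exposing; the port-to-reason table and the sample text are my own assumptions, not something the notes define.

```python
import re
# Constructed sample: the port table from the scan above (warning line omitted).
SAMPLE_SCAN = """\
Nmap scan report for 192.168.182.40
PORT STATE SERVICE
53/tcp open domain
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
49152/tcp open unknown
49157/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 22.17 seconds
"""
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# Assumed review policy (not from the page): ports a Windows host should not
# expose to untrusted networks, with the reason a reviewer would record.
EXPOSURE_POLICY = {
    135: "MS-RPC endpoint mapper; null-session enumeration surface (rpcclient)",
    139: "NetBIOS session service; legacy SMB transport",
    445: "SMB; verify null sessions are refused (smbclient -N, enum4linux)",
    3389: "RDP; require NLA and restrict to management networks",
    5357: "WSDAPI (Web Services on Devices); rarely needed off the local subnet",
}

def parse_nmap(text):
    """Return (host, [(port, proto, state, service), ...]) from Nmap normal output."""
    host, ports = None, []
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host = m.group(1)
        elif m := PORT_RE.match(line):
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return host, ports

def review_exposure(ports, dynamic_start=49152):
    """Sort open ports into policy findings, RPC dynamic-range ports and the rest."""
    findings, dynamic_rpc, other = [], [], []
    for port, _proto, state, service in ports:
        if state != "open":
            continue  # only open rows are listed in this output, but be safe
        if port in EXPOSURE_POLICY:
            findings.append((port, service, EXPOSURE_POLICY[port]))
        elif port >= dynamic_start:  # Windows RPC dynamic range, reached via port 135
            dynamic_rpc.append(port)
        else:
            other.append((port, service))
    return {"findings": findings, "dynamic_rpc": dynamic_rpc, "other": other}
```

The high-numbered "unknown" ports are the RPC dynamic range behind the endpoint mapper on 135, which is why the script groups them rather than reporting each one as a separate finding.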
None of the HTTP ports return anything, and querying port 53 gives no response either.
Let's use RPC (rpcclient) to check whether anonymous login is possible.
We are able to log in.

rpcclient $> ls
command not found: ls
rpcclient $>
Display all 227 possibilities? (y or n)
? dfsenum eventlog_reporteventsource lsacreateaccount querydominfo
adddriver dfsenumex exit lsadelpriv querygroup
addform dfsgetinfo fetch_attributes lsaenumacctrights querygroupmem
addpermachineconnection dfsremove fetch_properties lsaenumprivsaccount querymultiplevalues
addprinter dfsversion fss_create_expose lsaenumsid querymultiplevalues2
AsyncNotify dscracknames fss_delete lsalookupprivvalue querysecret
capabilities dsenumdomtrusts fss_get_mapping lsaquery queryuser
change_trust_pw dsgetdcinfo fss_get_sup_version lsaquerysecobj queryuseraliases
chgpasswd dsgetncchanges fss_has_shadow_copy lsaquerytrustdominfo queryusergroups
chgpasswd2 dsr_enumtrustdom fss_is_path_sup lsaquerytrustdominfobyname quit
chgpasswd3 dsr_getdcname fss_recovery_complete lsaquerytrustdominfobysid Register
chgpasswd4 dsr_getdcnameex getanydcname lsaremoveacctrights RegisterEx
clusapi_create_enum dsr_getdcnameex2 getcoreprinterdrivers lsasettrustdominfo retrieveprivatedata
clusapi_create_enumex dsr_getforesttrustinfo getdata netconnenum rffpcnex
clusapi_get_cluster_name dsr_getsitename getdataex netdiskenum samlogon
clusapi_get_cluster_version dsroledominfo getdcname netfileenum samlookupnames
clusapi_get_cluster_version2 dswriteaccountspn getdcsitecoverage netfilegetsec samlookuprids
clusapi_get_quorum_resource echoaddone getdispinfoidx netnamevalidate samquerysecobj
clusapi_get_resource_state echodata getdispname netremotetod setdriver
clusapi_offline_resource enumalsgroups getdompwinfo netrenumtrusteddomains setform
clusapi_online_resource enumdata getdriver netrenumtrusteddomainsex setjob
clusapi_open_cluster enumdataex getdriverdir netsessdel setprinter
clusapi_open_resource enumdomains getdriverpackagepath netsessenum setprinterdata
Let's look at whether any of these functions are useful to us.
We can try to enumerate the domain, but that is not available.

Enumerating the other ports
enum4linux 192.168.182.40

smbclient -N -L \\\\192.168.182.40\\
3389
Although we do not know a username or password, we can still use this port to try to obtain related information.

进
But it still does not give us much.
5357


Searching turned up a possible RCE for this port; let's first try whether it works.


Generate our own shell.

The script's internal code needs to be modified to be compatible with Python 3.
Then start the listener; note that we are using a Meterpreter shell, so the matching listener must be used.
It does not work; let's switch to another approach.

in