HTTP IIS
1
2
3
4
5
6
7
8
9
nmap 10.4.18.97
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
3389/tcp open ms-wbt-server
1
2
3
4
5
6
7
8
9
10
11
nmap 10.4.18.97 -sV -O
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3306/tcp open mysql MySQL (unauthorized)
3389/tcp open ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
在浏览器中访问,发现靶场WEBGOAT.
1
10.4.18.97
1
whatweb 10.4.18.97
1
http 10.4.18.97
1
dirb http://10.4.18.97
在终端中渲染Web页面:
1
browsh --startup-url http://10.4.18.97/Default.aspx
Windows侦察:IIS
概述
为您提供了一台 Kali GUI 机器和一台运行 IIS 服务的目标机器。目标机器的 IP 地址在 Kali 机器桌面 (/root/Desktop/target) 上名为 target 的文本文件中提供。
你的任务和目标是使用 Kali 机器上可用的工具(WhatWeb、Dirb、Browsh)对服务进行指纹识别并提取目标服务器信息。
指示:
- 你的 Kali 机器有一个 IP 地址为 10.10.XY 的接口运行“ip addr”以了解 X 和 Y 的值。
- 目标机器的 IP 地址在文件“/root/Desktop/target”中提到
- 不要攻击位于 IP 地址 192.VW1 和 10.10.X.1 的网关
我自己的思路
1
Target IP Address : 10.0.20.250
1
2
3
4
5
6
7
8
9
10
11
12
13
14
root@attackdefense:~# nmap 10.0.20.250
Starting Nmap 7.91 ( https://nmap.org ) at 2022-08-23 08:20 IST
Nmap scan report for 10.0.20.250
Host is up (0.0031s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
3389/tcp open ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 6.51 seconds
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
root@attackdefense:~# nmap 10.0.20.250 -p 80,135,139,445,3306,3389 -sV -O
Starting Nmap 7.91 ( https://nmap.org ) at 2022-08-23 08:23 IST
Nmap scan report for 10.0.20.250
Host is up (0.0031s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3306/tcp open mysql MySQL (unauthorized)
3389/tcp open ms-wbt-server Microsoft Terminal Services
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (92%), Microsoft Windows Vista SP1 (92%), Microsoft Windows 10 1709 - 1909 (92%), Microsoft Windows Longhorn (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 Update 1 (91%), Microsoft Windows Server 2016 build 10586 - 14393 (91%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (91%), Microsoft Windows Server 2016 (90%), Microsoft Windows 10 1703 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 3 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.21 seconds
1
http://10.0.20.250/Default.aspx
1
2
3
4
5
6
root@attackdefense:~# whatweb 10.0.20.250
Ignoring eventmachine-1.3.0.dev.1 because its extensions are not built. Try: gem pristine eventmachine --version 1.3.0.dev.1
Ignoring fxruby-1.6.29 because its extensions are not built. Try: gem pristine fxruby --version 1.6.29
http://10.0.20.250 [302 Found] ASP_NET[4.0.30319], Cookies[ASP.NET_SessionId,Server], Country[RESERVED][ZZ], HTTPServer[Microsoft-IIS/10.0], HttpOnly[ASP.NET_SessionId], IP[10.0.20.250], Microsoft-IIS[10.0], RedirectLocation[/Default.aspx], Title[Object moved], X-Powered-By[ASP.NET], X-XSS-Protection[0]
http://10.0.20.250/Default.aspx [302 Found] ASP_NET[4.0.30319], Cookies[ASP.NET_SessionId,Server], Country[RESERVED][ZZ], HTTPServer[Microsoft-IIS/10.0], HttpOnly[ASP.NET_SessionId], IP[10.0.20.250], Microsoft-IIS[10.0], RedirectLocation[/Default.aspx], Title[Object moved], X-Powered-By[ASP.NET], X-XSS-Protection[0]
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
root@attackdefense:~# http 10.0.20.250
HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 130
Content-Type: text/html; charset=utf-8
Date: Tue, 23 Aug 2022 03:01:45 GMT
Location: /Default.aspx
Server: Microsoft-IIS/10.0
Set-Cookie: ASP.NET_SessionId=ldrkga2ne5kcskmlpczrvt3i; path=/; HttpOnly; SameSite=Lax
Set-Cookie: Server=RE9UTkVUR09BVA==; path=/
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-XSS-Protection: 0
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/Default.aspx">here</a>.</h2>
</body></html>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
root@attackdefense:~# dirb http://10.0.20.250/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Aug 23 08:59:47 2022
URL_BASE: http://10.0.20.250/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.0.20.250/ ----
==> DIRECTORY: http://10.0.20.250/app_themes/
==> DIRECTORY: http://10.0.20.250/aspnet_client/
==> DIRECTORY: http://10.0.20.250/configuration/
==> DIRECTORY: http://10.0.20.250/content/
==> DIRECTORY: http://10.0.20.250/Content/
==> DIRECTORY: http://10.0.20.250/downloads/
==> DIRECTORY: http://10.0.20.250/Downloads/
==> DIRECTORY: http://10.0.20.250/resources/
==> DIRECTORY: http://10.0.20.250/Resources/
---- Entering directory: http://10.0.20.250/app_themes/ ----
==> DIRECTORY: http://10.0.20.250/app_themes/default/
==> DIRECTORY: http://10.0.20.250/app_themes/Default/
---- Entering directory: http://10.0.20.250/aspnet_client/ ----
==> DIRECTORY: http://10.0.20.250/aspnet_client/system_web/
---- Entering directory: http://10.0.20.250/configuration/ ----
---- Entering directory: http://10.0.20.250/content/ ----
---- Entering directory: http://10.0.20.250/Content/ ----
---- Entering directory: http://10.0.20.250/downloads/ ----
---- Entering directory: http://10.0.20.250/Downloads/ ----
---- Entering directory: http://10.0.20.250/resources/ ----
==> DIRECTORY: http://10.0.20.250/resources/images/
==> DIRECTORY: http://10.0.20.250/resources/Images/
---- Entering directory: http://10.0.20.250/Resources/ ----
==> DIRECTORY: http://10.0.20.250/Resources/images/
==> DIRECTORY: http://10.0.20.250/Resources/Images/
---- Entering directory: http://10.0.20.250/app_themes/default/ ----
==> DIRECTORY: http://10.0.20.250/app_themes/default/images/
==> DIRECTORY: http://10.0.20.250/app_themes/default/Images/
---- Entering directory: http://10.0.20.250/app_themes/Default/ ----
==> DIRECTORY: http://10.0.20.250/app_themes/Default/images/
==> DIRECTORY: http://10.0.20.250/app_themes/Default/Images/
---- Entering directory: http://10.0.20.250/aspnet_client/system_web/ ----
---- Entering directory: http://10.0.20.250/resources/images/ ----
---- Entering directory: http://10.0.20.250/resources/Images/ ----
---- Entering directory: http://10.0.20.250/Resources/images/ ----
---- Entering directory: http://10.0.20.250/Resources/Images/ ----
---- Entering directory: http://10.0.20.250/app_themes/default/images/ ----
==> DIRECTORY: http://10.0.20.250/app_themes/default/images/extras/
==> DIRECTORY: http://10.0.20.250/app_themes/default/images/listing/
---- Entering directory: http://10.0.20.250/app_themes/default/Images/ ----
==> DIRECTORY: http://10.0.20.250/app_themes/default/Images/extras/
==> DIRECTORY: http://10.0.20.250/app_themes/default/Images/listing/
---- Entering directory: http://10.0.20.250/app_themes/Default/images/ ----
==> DIRECTORY: http://10.0.20.250/app_themes/Default/images/extras/
==> DIRECTORY: http://10.0.20.250/app_themes/Default/images/listing/
---- Entering directory: http://10.0.20.250/app_themes/Default/Images/ ----
==> DIRECTORY: http://10.0.20.250/app_themes/Default/Images/extras/
==> DIRECTORY: http://10.0.20.250/app_themes/Default/Images/listing/
---- Entering directory: http://10.0.20.250/app_themes/default/images/extras/ ----
---- Entering directory: http://10.0.20.250/app_themes/default/images/listing/ ----
---- Entering directory: http://10.0.20.250/app_themes/default/Images/extras/ ----
---- Entering directory: http://10.0.20.250/app_themes/default/Images/listing/ ----
---- Entering directory: http://10.0.20.250/app_themes/Default/images/extras/ ----
---- Entering directory: http://10.0.20.250/app_themes/Default/images/listing/ ----
---- Entering directory: http://10.0.20.250/app_themes/Default/Images/extras/ ----
---- Entering directory: http://10.0.20.250/app_themes/Default/Images/listing/ ----
-----------------
END_TIME: Tue Aug 23 09:07:50 2022
DOWNLOADED: 133748 - FOUND: 0
1
root@attackdefense:~# browsh --startup-url http://10.0.20.250/Default.aspx
解决方案
此实验室的解决方案可在以下手册中找到:https://assets.ine.com/labs/ad-manuals/walkthrough-2311.pdf
