介绍 方针： 0.10.10.134 (Windows) Kali：10.10.16.65 总的来说，Bastion 其实并不是一个特别简略的机器。假如运用 windows 能够更方便地处理这台靶机。Command VM 关于这台靶机其实挺不错的，不过咱们也能够运用 kali 来完结这个靶机。 信息枚举 首要，勘探敞开端口 # Nmap 7.70 scan initiated Sun May 5 12:33:32 2019 as: nmap -sT -p- --min-rate 10000 -oN ports 10.10.10.134 Warning: 10.10.10.134 giving up on port because retransmission cap hit (10). Nmap scan report for 10.10.10.134 Host is up (0.33s latency). Not shown: 60653 closed ports, 4873 filtered ports PORT STATE SERVICE 22/tcp open ssh 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 49664/tcp open unknown 49665/tcp open unknown 49667/tcp open unknown 49668/tcp open unknown 49670/tcp open unknown 从上面敞开的端口，咱们能够推导出这是一台敞开了 ssh 服务的 windows 机器。接着测验获取这些敞开端口对应的服务： # Nmap 7.70 scan initiated Sun May 5 12:29:46 2019 as: nmap -A -oN services 10.10.10.134 Nmap scan report for 10.10.10.134 Host is up (0.53s latency). Not shown: 996 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH for_Windows7.9 (protocol 2.0) | ssh-hostkey: | 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA) | 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA) | 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Windows Server 2019 Standard 14393 microsoft-ds No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.70%E=4%D=5/5%OT=22%CT=1%CU=37821%PV=Y%DS=2%DC=T%G=Y%TM=5CCED772 OS:%P=x86_64-pc-linux-gnu)SEQ(SP=F4%GCD=1%ISR=10A%TI=I%CI=I%II=I%SS=S%TS=A) OS:SEQ(SP=F3%GCD=1%ISR=10A%TI=I%CI=I%TS=A)OPS(O1=M54BNW8ST11%O2=M54BNW8ST11 OS:%O3=M54BNW8NNT11%O4=M54BNW8ST11%O5=M54BNW8ST11%O6=M54BST11)WIN(W1=2000%W OS:2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M54BNW OS:8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0 OS:%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4 OS:(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+% OS:F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y% OS:T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%R OS:ID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z) Network Distance: 2 hops Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows Host script results: |clock-skew: mean: -43m13s, deviation: 1h09m14s, median: -3m15s | smb-os-discovery: | OS: Windows Server 2019 Standard 14393 (Windows Server 2019 Standard 6.3) | Computer name: Bastion | NetBIOS computer name: BASTIONx00 | Workgroup: WORKGROUPx00 | System time: 2019-05-05T14:27:12+02:00 | smb-security-mode: | account_used: guest | authenticationlevel: user | challengeresponse: supported | messagesigning: disabled (dangerous, but default) | smb2-security-mode: | 2.02: | Message signing enabled but not required | smb2-time: | date: 2019-05-05 12:27:09 | start_date: 2019-05-05 12:10:06 TRACEROUTE (using port 143/tcp) HOP RTT ADDRESS 1 693.81 ms 10.10.16.1 2 694.08 ms 10.10.10.134 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done at Sun May 5 12:30:42 2019 -- 1 IP address (1 host up) scanned in 56.60 seconds 运用 上面的信息看起来并没有什么特别的。一般的靶机，http 服务往往都是突破口。关于这个靶机，咱们应该注意到敞开在 445 端口的 smb 服务（445 端口往往也是 windows 机器的突破口）。在 kali 上进行 smb 服务的勘探，咱们能够挑选运用 smbmap, smbclient, enum4linux 等。咱们先来试一下 smbclient： smbclient -L 10.10.10.134 [1][2]黑客接单网