1. Experimental environment description
To carry out the exploitation steps of this experiment, the previous article introduced the installation of the Kioptrix target machine and its network configuration. Two systems are needed in the virtual machine environment: the Kioptrix virtual machine and the Kali Linux virtual machine. The former is the target machine, the latter is used as the attacking machine. The network topology is as follows:
2. Listing Services
First we use Nmap to scan the machines in the network. Enter the following command to scan all IP addresses and TCP ports on the 192.168.50.0/24 network segment:
nmap -f -n -P0 -T4 192.168.50.0/24
The scan results are as follows:
Now we know which machines are online, and we can see that the target machine has TCP ports 22, 80, 139 and 445 open. From here there are several ways to proceed; you can use Netcat or a similar program to probe these ports manually for more information.
3. Full scan with Nmap
Now that we have identified the target system with IP address 192.168.50.102, we run a targeted Nmap scan against it and examine the information returned:
nmap -n -sTUV -pT:22,80,139,443,U:111,137,53 192.168.50.102
-sTUV: scan both TCP (-sT) and UDP (-sU) ports, determine the state of each port, and report version information for the software detected on it (-sV);
-p: specifies the ports to scan;
U: marks the ports that follow as UDP ports (T: marks TCP ports);
The following is the scan result:
From the results, some valuable information can be found, such as Host: kioptrix4, the OS guess, and the open ports with their version information. This prepares for the next step, exploitation.
Note that the OS field is a probabilistic guess and is not necessarily correct. OS: Linux, Windows means that the host could be Linux or Windows; the judgment should be reviewed against all of the output.
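The two scans above produce a list of hosts, open ports and versions that has to be read by hand. The following added example (not part of the original article) parses Nmap's greppable output format (-oG), which carries the same port, state, service and version fields as the normal output, and compares what it finds against an assumed baseline of services the host is expected to expose, so that unexpected exposure such as SMB on a web host stands out. The sample input is a constructed -oG fragment modelled on the services reported in this walkthrough, and the EXPECTED baseline is a hypothetical administrator's list, not something taken from the target.

```python
from collections import defaultdict

# Constructed sample of nmap -oG output modelled on this walkthrough's target;
# not real scan output. Fields in each port entry are separated by "/" and a
# literal slash inside a version string is escaped by nmap as "\/".
SAMPLE_GNMAP = """# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.50.102 ()\tStatus: Up
Host: 192.168.50.102 ()\tPorts: 22/open/tcp//ssh//OpenSSH 4.7p1/, 80/open/tcp//http//Apache httpd 2.2.8 ((Ubuntu) PHP\\/5.2.4-2)/, 139/open/tcp//netbios-ssn//Samba smbd 3.0.28a/, 445/open/tcp//netbios-ssn//Samba smbd 3.0.28a/, 111/open/udp//rpcbind///, 137/open|filtered/udp//netbios-ns///\tIgnored State: closed (994)
# Nmap done (constructed sample)
"""

# Field order of one port entry in -oG output.
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")
_ESC = "\x00"  # stand-in for an escaped slash while splitting on "/"


def parse_gnmap(text):
    """Return {host: [port_record, ...]} for every 'Ports:' line in -oG output."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")          # tab-separated sections
        host = fields[0].split()[1]         # "Host: <ip> (<name>)"
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().replace("\\/", _ESC).split("/")
                rec = dict(zip(PORT_FIELDS, parts))
                rec["port"] = int(rec["port"])
                rec["version"] = rec.get("version", "").replace(_ESC, "/")
                hosts[host].append(rec)
    return dict(hosts)


def open_services(hosts):
    """Flatten to (host, port, proto, service, version) for ports in state 'open'."""
    out = []
    for host, recs in hosts.items():
        for r in recs:
            if r["state"] == "open":
                out.append((host, r["port"], r["proto"], r["service"], r["version"]))
    return out


# Hypothetical baseline: (port, proto) pairs an administrator expects this
# host to expose. Anything else in the scan is worth a closer look.
EXPECTED = {(22, "tcp"), (80, "tcp")}


def unexpected_exposure(hosts, expected=EXPECTED):
    """Return open services that are not in the expected baseline."""
    return [s for s in open_services(hosts) if (s[1], s[2]) not in expected]


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    for svc in open_services(parsed):
        print("%s %d/%s %s %s" % svc)
    print("unexpected:", unexpected_exposure(parsed))
```

The baseline comparison is the defender's counterpart of the enumeration step: the same scan that tells an attacker Samba 3.0.28a is listening tells the owner that a file-sharing service is reachable from a segment where only SSH and HTTP were meant to be.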
4. Use Netcat and Ncat to get the banner
Netcat is a powerful tool that can be used in both the information-gathering and exploitation phases; beyond that it can be used to create backdoors and transfer files.
4.1 Getting the banner with netcat
Use the following command to connect to port 80 of 192.168.50.102:
nc 192.168.50.102 80
This connects to the Kioptrix web service; we then need to send a request to get a response back. Enter: HEAD / HTTP/1.1
then press Enter twice to see the output:
The output is the content of the HTTP response header. It shows that the target machine runs Apache/2.2.8 on Ubuntu, with PHP version PHP/5.2.4-2.
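The nc session above is a raw HTTP HEAD request whose value lies entirely in the Server and X-Powered-By headers of the response. The following added example (not from the original article) performs the same exchange from Python, adding the Host header that HTTP/1.1 requires, and parses the response so that the version-disclosing headers can be checked programmatically, for instance from a script that verifies your own servers do not advertise versions. The SAMPLE_RESPONSE is a constructed response modelled on the versions reported above, and the host and port used in the main block are placeholders.

```python
import socket

# Constructed sample HEAD response modelled on the versions reported in 4.1;
# not captured from the target.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2\r\n"
    b"X-Powered-By: PHP/5.2.4-2\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

# Headers that disclose software and version information.
DISCLOSING = ("server", "x-powered-by")


def head_request(host, port=80, timeout=5.0):
    """Send the same HEAD request as the nc session and return the raw response bytes."""
    req = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def parse_head_response(raw):
    """Split a raw response into its status line and a dict of lower-cased headers."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "headers": headers}


def disclosed_versions(parsed):
    """Return only the headers that leak software/version details."""
    return {h: parsed["headers"][h] for h in DISCLOSING if h in parsed["headers"]}


if __name__ == "__main__":
    # Placeholder target; replace with a host you are authorised to test.
    raw = head_request("192.168.50.102", 80)
    print(disclosed_versions(parse_head_response(raw)))
```

On the Apache and PHP side, the headers this script reports are controlled by the ServerTokens directive (ServerTokens Prod reduces the Server header to "Apache") and by expose_php = Off in php.ini, which removes the X-Powered-By header; a check like disclosed_versions returning an empty dict is the expected state after hardening.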
4.2 Getting the banner with Ncat
The process is the same as with nc; refer to section 4.1.
4.3 Getting the banner with smbclient
TCP port 139 is a very interesting port; the smbclient tool can be used to get the banner of this service. Enter the following command:
smbclient -L 192.168.50.102 -N
smbclient connects to 192.168.50.102 and then lists the shared services. The -N option means no password is supplied, so no target password is needed for the listing.
The output results are as follows:
The result shows that the Samba version is 3.0.28a; this information can be used to search for known vulnerabilities affecting this server.
Manual exploitation in penetration testing