Recon
┌──(kali㉿kali-[~/Labs/Joy/80]
└─$ sudo nmap -sS -sV -p- 192.168.80.136
Starting Nmap 7.93 ( https://nmap.org at 2023-04-10 22:42 EDT
Nmap scan report for 192.168.80.136
Host is up (0.00064s latency.
Not shown: 65523 closed tcp ports (reset
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
22/tcp open ssh Dropbear sshd 0.34 (protocol 2.0
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.4.25
110/tcp open pop3 Dovecot pop3d
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP
143/tcp open imap Dovecot imapd
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP
465/tcp open smtp Postfix smtpd
587/tcp open smtp Postfix smtpd
993/tcp open ssl/imap Dovecot imapd
995/tcp open ssl/pop3 Dovecot pop3d
MAC Address: 00:0C:29:31:8C:D0 (VMware
Service Info: Hosts: The, JOY.localdomain, 127.0.1.1, JOY; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up scanned in 13.69 seconds
Process
通过上面的信息,我们发现部分版本号,例如SSH为Dropbear sshd 0.34,还有ProFTPD,但我们不知道FTP服务的版本号,我们首先尝试FTP能否匿名登录。
但是我们现在无法得到该文件,我们再将眼光放回SSH服务,尝试搜寻SSH的漏洞进行利用(虽然我们能从searchsploit找到漏洞,但是无法成功利用)。
使用如下命令sudo nmap -sU -Pn -A --top-ports 20 --reason 192.168.80.136进行扫描。