2.1. Port scan
┌──(root㉿kali)-[~]
└─# nmap 192.168.56.13 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-21 05:01 EST
Nmap scan report for 192.168.56.13
Host is up (0.0031s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
MAC Address: 08:00:27:B8:67:CA (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 28.73 seconds
Port 25 is reported as filtered rather than closed: the other 65532 ports answered with a RST, while 25 gave no answer at all, so a firewall is dropping packets to it. On a box like this that almost certainly means port knocking is needed to open it.
2.2. Directory scan
┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.56.13
dirsearch v0.4.3
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/reports/http_192.168.56.13/_24-12-21_05-06-58.txt
Target: http://192.168.56.13/
[05:06:58] Starting:
[05:06:59] 403 - 278B - /.ht_wsr.txt
[05:06:59] 403 - 278B - /.htaccess.orig
[05:06:59] 403 - 278B - /.htaccess.bak1
[05:06:59] 403 - 278B - /.htaccess.save
[05:06:59] 403 - 278B - /.htaccess.sample
[05:06:59] 403 - 278B - /.htaccess_extra
[05:06:59] 403 - 278B - /.htaccess_orig
[05:06:59] 403 - 278B - /.htaccess_sc
[05:06:59] 403 - 278B - /.htaccessOLD
[05:06:59] 403 - 278B - /.htaccessBAK
[05:06:59] 403 - 278B - /.htaccessOLD2
[05:06:59] 403 - 278B - /.htm
[05:06:59] 403 - 278B - /.htpasswd_test
[05:06:59] 403 - 278B - /.html
[05:06:59] 403 - 278B - /.htpasswds
[05:06:59] 403 - 278B - /.httr-oauth
[05:06:59] 403 - 278B - /.php
[05:07:05] 301 - 313B - /blog -> http://192.168.56.13/blog/
[05:07:09] 200 - 3KB - /blog/wp-login.php
[05:07:09] 200 - 5KB - /blog/
[05:07:15] 403 - 278B - /server-status
[05:07:15] 403 - 278B - /server-status/
Task Completed
┌──(root㉿kali)-[~/Desktop/hmv/Diophanate]
└─# gobuster dir -u http://192.168.56.13 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,zip
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.13
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: zip,php,html,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 278]
/.php (Status: 403) [Size: 278]
/index.html (Status: 200) [Size: 10701]
/blog (Status: 301) [Size: 313] [--> http://192.168.56.13/blog/]
/note.txt (Status: 200) [Size: 36]
2.3. knock
/note.txt
┌──(root㉿kali)-[~/Desktop/hmv/Diophanate]
└─# curl http://192.168.56.13/note.txt
Don't forget: 7000 8000 9000
admin
These should be the ports to knock on, in that order. The second line, admin, looks like a username and is worth keeping for later.
┌──(root㉿kali)-[~/Desktop/hmv/Diophanate]
└─# knock 192.168.56.13 7000 8000 9000 -v
hitting tcp 192.168.56.13:7000
hitting tcp 192.168.56.13:8000
hitting tcp 192.168.56.13:9000
┌──(root㉿kali)-[~/Desktop/hmv/Diophanate]
└─# nmap 192.168.56.13
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-21 05:18 EST
Nmap scan report for 192.168.56.13
Host is up (0.022s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
MAC Address: 08:00:27:B8:67:CA (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 1.90 seconds
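The writeup uses the `knock` client and then re-runs nmap to confirm. The script below is an added example, not part of the original writeup, that does the same two steps by hand: it parses the hint from note.txt, sends one TCP SYN to each port in order, and then classifies port 25 the way nmap does (open / closed / filtered). The note text is a constructed copy of what curl returned, the target address is the lab IP from above, and the `send` parameter is an assumption added so the knock order can be tested without a network. knockd watches raw packets with pcap, so the connect attempts do not need to succeed; a refused or timed-out connect has still delivered the SYN that counts as a knock.

```python
"""Manual port knock and re-check for the Diophanate box (added example)."""
import errno
import re
import socket
import time
from typing import Callable, List, Optional

TARGET = "192.168.56.13"                         # lab IP from the scans above
HIDDEN_PORT = 25                                 # the port nmap reported as filtered
NOTE_TEXT = "Don't forget: 7000 8000 9000\nadmin\n"  # constructed copy of /note.txt


def parse_knock_note(text: str) -> List[int]:
    """Return the knock sequence from the hint line, in the order written.

    Only the line containing the hint is parsed; later lines (here the
    username 'admin') are ignored so they are not mistaken for ports.
    """
    for line in text.splitlines():
        if "forget" in line.lower():
            return [int(p) for p in re.findall(r"\b\d{1,5}\b", line)]
    return []


def tcp_syn(host: str, port: int, timeout: float = 0.5) -> None:
    """Fire one connect attempt and discard the result; only the SYN matters."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect_ex((host, port))   # return code intentionally ignored


def knock(host: str, ports: List[int], delay: float = 0.2,
          send: Optional[Callable[[str, int], None]] = None) -> List[int]:
    """Knock each port in sequence and return the ports hit, in order.

    The short delay keeps the whole sequence inside knockd's sequence
    timeout (the example knockd.conf uses a few seconds) while guaranteeing
    the packets arrive in the order the daemon expects.  `send` is injectable
    (assumption for testing) and defaults to a real TCP connect attempt.
    """
    send = send or tcp_syn
    hit: List[int] = []
    for port in ports:
        send(host, port)
        hit.append(port)
        time.sleep(delay)
    return hit


def classify_connect_result(rc: int) -> str:
    """Map a connect_ex() return code to nmap's vocabulary.

    0 means the SYN got a SYN/ACK (open); ECONNREFUSED means a RST came back
    (closed); anything else (EAGAIN/EWOULDBLOCK on timeout, ETIMEDOUT,
    EHOSTUNREACH) means nothing useful came back, which is what nmap
    prints as filtered.
    """
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:
        return "closed"
    return "filtered"


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Connect-scan a single port and classify the outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return classify_connect_result(s.connect_ex((host, port)))


if __name__ == "__main__":
    ports = parse_knock_note(NOTE_TEXT)
    print(f"before knock: {HIDDEN_PORT}/tcp {probe(TARGET, HIDDEN_PORT)}")
    print("knocking:", knock(TARGET, ports))
    time.sleep(1)  # give knockd a moment to insert its firewall rule
    print(f"after knock:  {HIDDEN_PORT}/tcp {probe(TARGET, HIDDEN_PORT)}")
```

If the port stays filtered after the knock, the usual causes are the sequence being sent out of order or too slowly for the daemon's timeout, or knockd being configured for UDP rather than the TCP default the `knock` client (and this script) uses.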