I'm not writing this to brag.
A Penetrate Skauk Guide for those without experience or practice (RU)
--[ 1 ]-- Introduction
The work is divided into two stages: gathering information and then putting it to use.
--[ 2 ]-- Information gathering
2.1 First, find the server's IP address: ping the site (ping example.com)
'''
root@kali:~# ping sneakerhead.ru
PING sneakerhead.ru (79.174.76.30) 56(84) bytes of data.
64 bytes from 9755.ovz-ssd1.hc.ru (79.174.76.30): icmp_seq=1 ttl=51 time=378 ms
64 bytes from 9755.ovz-ssd1.hc.ru (79.174.76.30): icmp_seq=2 ttl=51 time=536 ms
64 bytes from 9755.ovz-ssd1.hc.ru (79.174.76.30): icmp_seq=3 ttl=51 time=420 ms
64 bytes from 9755.ovz-ssd1.hc.ru (79.174.76.30): icmp_seq=4 ttl=51 time=427 ms
^C
--- sneakerhead.ru ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 378.326/440.948/536.862/58.521 ms
root@kali:~#
'''
OK, now we know sneakerhead.ru ---> 79.174.76.30
2.2 We will use the IP address as the input to the nmap utility.
'''
root@kali:~# nmap -sV -sC 79.174.76.30
Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-19 21:59 UTC
Nmap scan report for 9755.ovz-ssd1.hc.ru (79.174.76.30)
Host is up (0.42s latency).
Not shown: 985 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD or KnFTPD
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey:
| 1024 0f:26:2a:34:e5:2a:4b:c2:35:15:53:fc:28:27:c9:eb (DSA)
|_ 2048 f2:34:49:de:a7:e9:16:e5:7e:a3:8f:43:1b:c1:05:e1 (RSA)
25/tcp filtered smtp
53/tcp open domain ISC BIND 9.8.2rc1
| dns-nsid:
|_ bind.version: 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3
80/tcp open http nginx 1.10.2
|_http-server-header: nginx/1.10.2
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: TOP RESP-CODES USER CAPA STLS SASL(PLAIN LOGIN DIGEST-MD5 CRAM-MD5) PIPELINING UIDL
| ssl-cert: Subject: commonName=imap.example.com
| Not valid before: 2015-02-11T15:04:35
|_Not valid after: 2016-02-11T15:04:35
|_ssl-date: 2018-02-19T22:00:08+00:00; 0s from scanner time.
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
143/tcp open imap Dovecot imapd
|_imap-capabilities: LITERAL+ LOGIN-REFERRALS completed AUTH=LOGIN IMAP4rev1 OK SASL-IR AUTH=CRAM-MD5A0001 STARTTLS AUTH=PLAIN IDLE ENABLE AUTH=DIGEST-MD5 Capability ID
| ssl-cert: Subject: commonName=imap.example.com
| Not valid before: 2015-02-11T15:04:35
|_Not valid after: 2016-02-11T15:04:35
|_ssl-date: 2018-02-19T22:00:09+00:00; 0s from scanner time.
443/tcp open ssl/http nginx 1.10.2
|_http-server-header: nginx/1.10.2
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=sneakerhead.ru
| Subject Alternative Name: DNS:sneakerhead.ru, DNS:www.sneakerhead.ru
| Not valid before: 2017-08-05T00:00:00
|_Not valid after: 2020-08-04T23:59:59
|_ssl-date: 2018-02-19T22:00:04+00:00; 0s from scanner time.
| tls-nextprotoneg:
|_ http/1.1
445/tcp filtered microsoft-ds
587/tcp open smtp Exim smtpd 4.84_2
| smtp-commands: 9755.ovz-ssd1.hc.ru Hello 9755.ovz-ssd1.hc.ru [184.17.205.32], SIZE 52428800, 8BITMIME, PIPELINING, AUTH PLAIN LOGIN CRAM-MD5, STARTTLS, HELP,
|_ Commands supported: AUTH STARTTLS HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP
| ssl-cert: Subject: commonName=9126.ovz-n6.hc.ru/organizationName=XX/stateOrProvinceName=XX/countryName=XX
| Not valid before: 2015-02-11T15:06:02
|_Not valid after: 2025-02-08T15:06:02
|_ssl-date: 2018-02-19T22:00:07+00:00; 0s from scanner time.
993/tcp open ssl/imap Dovecot imapd
|_imap-capabilities: LITERAL+ LOGIN-REFERRALS completed AUTH=LOGIN OK SASL-IR AUTH=CRAM-MD5A0001 IMAP4rev1 AUTH=PLAIN IDLE ENABLE AUTH=DIGEST-MD5 Capability ID
| ssl-cert: Subject: commonName=imap.example.com
| Not valid before: 2015-02-11T15:04:35
|_Not valid after: 2016-02-11T15:04:35
|_ssl-date: 2018-02-19T22:00:04+00:00; 0s from scanner time.
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: TOP RESP-CODES USER CAPA SASL(PLAIN LOGIN DIGEST-MD5 CRAM-MD5) PIPELINING UIDL
| ssl-cert: Subject: commonName=imap.example.com
| Not valid before: 2015-02-11T15:04:35
|_Not valid after: 2016-02-11T15:04:35
|_ssl-date: 2018-02-19T22:00:01+00:00; 0s from scanner time.
3306/tcp open mysql MySQL (unauthorized)
Service Info: OSs: Unix, Red Hat Enterprise Linux 6; CPE: cpe:/o:redhat:enterprise_linux:6
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.24 seconds
root@kali:~#
'''
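As an added defender-side example (not part of the original paste), the following Python parses nmap's normal-format output like the scan above and turns it into a list of things the server owner should fix: certificates that have expired or still carry a placeholder name, and a database port reachable from the internet. The scan text inside the block is a constructed excerpt that mirrors the output above, not a live scan.

```python
import re
from datetime import datetime

# Constructed excerpt mirroring the nmap -sV -sC output shown on this page.
SCAN = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
25/tcp filtered smtp
110/tcp open pop3 Dovecot pop3d
| ssl-cert: Subject: commonName=imap.example.com
| Not valid before: 2015-02-11T15:04:35
|_Not valid after: 2016-02-11T15:04:35
443/tcp open ssl/http nginx 1.10.2
| ssl-cert: Subject: commonName=sneakerhead.ru
| Not valid before: 2017-08-05T00:00:00
|_Not valid after: 2020-08-04T23:59:59
3306/tcp open mysql MySQL (unauthorized)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
CN_RE = re.compile(r"^\|_?\s*ssl-cert: Subject: commonName=([^/\s]+)")
EXPIRY_RE = re.compile(r"^\|_?\s*Not valid after:\s+(\S+)")


def parse_ports(text):
    """One dict per PORT line; ssl-cert script lines attach to the preceding port."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "state": m.group(3),
                          "service": m.group(4), "version": m.group(5),
                          "cert_cn": None, "cert_expiry": None})
            continue
        m = CN_RE.match(line)
        if m and ports:
            ports[-1]["cert_cn"] = m.group(1)
        m = EXPIRY_RE.match(line)
        if m and ports:
            ports[-1]["cert_expiry"] = datetime.fromisoformat(m.group(1))
    return ports


def findings(ports, hostname, scan_time):
    # Only open ports matter; filtered ones are already blocked upstream.
    out = []
    for p in ports:
        if p["state"] != "open":
            continue
        if p["cert_expiry"] and p["cert_expiry"] < scan_time:
            out.append((p["port"], "expired certificate"))
        if p["cert_cn"] and p["cert_cn"] != hostname:
            out.append((p["port"], "certificate name does not match host"))
        if p["service"] == "mysql":
            out.append((p["port"], "database port reachable from outside"))
    return out
```

Run against the page's scan, the report points at the Dovecot placeholder certificate (expired in 2016 and issued for imap.example.com) and at MySQL answering on 3306 even though its host ACL rejects the client.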
msfconsole
=[ metasploit v4.16.15-dev ]
+ -- --=[ 1699 exploits - 968 auxiliary - 299 post ]
+ -- --=[ 503 payloads - 40 encoders - 10 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > nmap -p 3306 79.174.76.30 --script mysql-dump-hashes –script args='username=root,password=secret'
[*] exec: nmap -p 3306 79.174.76.30 --script mysql-dump-hashes –script args='username=root,password=secret'
Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-19 23:16 UTC
Failed to resolve "–script".
Failed to resolve "args=username=root,password=secret".
Nmap scan report for 9755.ovz-ssd1.hc.ru (79.174.76.30)
Host is up (0.62s latency).
PORT STATE SERVICE
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 2.23 seconds
msf > nmap -sV --script mysql-databases 79.174.76.30
[*] exec: nmap -sV --script mysql-databases 79.174.76.30
Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-19 23:17 UTC
Nmap scan report for 9755.ovz-ssd1.hc.ru (79.174.76.30)
Host is up (0.40s latency).
Not shown: 983 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD or KnFTPD
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
25/tcp filtered smtp
53/tcp open tcpwrapped
80/tcp open tcpwrapped
|_http-server-header: nginx/1.10.2
110/tcp open pop3 Dovecot pop3d
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
143/tcp open imap Dovecot imapd
443/tcp open tcpwrapped
|_http-server-header: nginx/1.10.2
445/tcp filtered microsoft-ds
465/tcp open tcpwrapped
587/tcp open smtp Exim smtpd 4.84_2
993/tcp open tcpwrapped
995/tcp open tcpwrapped
1500/tcp open tcpwrapped
3306/tcp open mysql MySQL (unauthorized)
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 84.51 seconds
msf > use auxiliary/scanner/mysql/mysql_version
msf auxiliary(mysql_version) > set RHOSTS 79.174.76.30
RHOSTS => 79.174.76.30
msf auxiliary(mysql_version) > info
Name: MySQL Server Version Enumeration
Module: auxiliary/scanner/mysql/mysql_version
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
kris katterjohn <katterjohn@gmail.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 79.174.76.30 yes The target address range or CIDR identifier
RPORT 3306 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads
Description:
Enumerates the version of MySQL servers.
msf auxiliary(mysql_version) > run
[*] 79.174.76.30:3306 - 79.174.76.30:3306 is running MySQL, but responds with an error: \x04Host '184.17.205.32' is not allowed to connect to this MySQL server
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mysql_version) > show options
Module options (auxiliary/scanner/mysql/mysql_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 79.174.76.30 yes The target address range or CIDR identifier
RPORT 3306 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads
msf auxiliary(mysql_version) > set RHOSTS 79.174.76.30-254
RHOSTS => 79.174.76.30-254
msf auxiliary(mysql_version) > set THREADS 20
THREADS => 20
msf auxiliary(mysql_version) > run
^C[*] Caught interrupt from the console...
[*] Auxiliary module execution completed
//
root@kali:~# nmap -sV --script mysql-users 79.174.76.30
Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-19 23:18 UTC
Nmap scan report for 9755.ovz-ssd1.hc.ru (79.174.76.30)
Host is up (0.47s latency).
Not shown: 983 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD or KnFTPD
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
25/tcp filtered smtp
53/tcp open domain ISC BIND 9.8.2rc1
80/tcp open http nginx 1.10.2
|_http-server-header: nginx/1.10.2
110/tcp open pop3 Dovecot pop3d
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
143/tcp open imap Dovecot imapd
443/tcp open ssl/http nginx 1.10.2
|_http-server-header: nginx/1.10.2
445/tcp filtered microsoft-ds
465/tcp open ssl/smtp Exim smtpd 4.84_2
587/tcp open smtp Exim smtpd 4.84_2
993/tcp open ssl/imap Dovecot imapd
995/tcp open ssl/pop3 Dovecot pop3d
1500/tcp open ssl/http ISPManager billing system httpd 5 (lang: en; time zone: MSK)
3306/tcp open mysql MySQL (unauthorized)
Service Info: OSs: Unix, Red Hat Enterprise Linux 6; CPE: cpe:/o:redhat:enterprise_linux:6
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.24 seconds
root@kali:~# ssh 79.174.76.30
root@79.174.76.30's password:
Permission denied, please try again.
root@79.174.76.30's password:
Permission denied, please try again.
root@79.174.76.30's password:
root@79.174.76.30: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
root@kali:~#