11-SSH Enumeration
Information gathering: collect the host's port information.
# Probe templates (nmap version detection)
--version-intensity <level>: Set from 0 (light) to 9 (try all probes) (version scan)
--version-all: same strength as level 9 above
Once the scan returns relevant information, e.g. an SSH version, search for matching exploits with
searchsploit
└─$ ssh 192.168.86.132
ssh: connect to host 192.168.86.132 port 22: Connection refused
# Running ssh <ip> -c without an argument prints the usage text
┌──(kali㉿kali)-[~]
└─$ ssh 192.168.86.132 -c
option requires an argument -- c
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
[-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
[-E log_file] [-e escape_char] [-F configfile] [-I pkcs11]
[-i identity_file] [-J [user@]host[:port]] [-L address]
[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
[-Q query_option] [-R address] [-S ctl_path] [-W host:port]
[-w local_tun[:remote_tun]] destination [command]
#
└─$ ssh 192.168.86.135
The authenticity of host '192.168.86.135 (192.168.86.135)' can't be established.
RSA key fingerprint is SHA256:BQHm5EoHX9GCiOLuVscegPXLQOsuPs+E9d/rrJB84rk.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.86.135' (RSA) to the list of known hosts.
kali@192.168.86.135's password:
SSH brute-force enumeration should not be the first method to try, because it will be noticed by the administrator. Normally you log in directly with credentials obtained from the information gathered.
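As an added example (not from the original notes), the following Python script shows what the administrator sees on the defending side: it parses sshd log lines, counts password failures per source address, lists the usernames tried, and notes whether a login succeeded after the failures. The log lines and IP addresses are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample sshd lines in classic syslog format (not real log data).
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 host sshd[1201]: Failed password for invalid user admin from 192.168.86.132 port 51234 ssh2
Mar 10 12:00:02 host sshd[1203]: Failed password for invalid user test from 192.168.86.132 port 51236 ssh2
Mar 10 12:00:03 host sshd[1205]: Failed password for root from 192.168.86.132 port 51238 ssh2
Mar 10 12:00:04 host sshd[1207]: Failed password for root from 192.168.86.132 port 51240 ssh2
Mar 10 12:00:05 host sshd[1209]: Failed password for kali from 192.168.86.132 port 51242 ssh2
Mar 10 12:00:09 host sshd[1211]: Accepted password for kali from 192.168.86.132 port 51244 ssh2
Mar 10 12:05:00 host sshd[1300]: Failed password for kali from 10.0.0.7 port 40000 ssh2
Mar 10 12:05:30 host sshd[1302]: Accepted publickey for kali from 10.0.0.7 port 40002 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def summarize(log_text):
    """Per source IP: failure count, usernames tried, and accepted logins
    (each recorded with the number of failures seen from that IP before it)."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": []})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            s = stats[m["ip"]]
            s["failed"] += 1
            s["users"].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            s = stats[m["ip"]]
            s["accepted"].append((m["user"], m["method"], s["failed"]))
    return stats


def flag_bruteforce(stats, threshold=5):
    """Sources with at least `threshold` failures; success_after marks a
    login accepted once the threshold had already been reached (a guessed password)."""
    alerts = []
    for ip, s in sorted(stats.items()):
        if s["failed"] >= threshold:
            hit = any(n >= threshold for _, _, n in s["accepted"])
            alerts.append({"ip": ip, "failed": s["failed"],
                           "users": sorted(s["users"]), "success_after": hit})
    return alerts


if __name__ == "__main__":
    for alert in flag_bruteforce(summarize(SAMPLE_AUTH_LOG)):
        print(alert)
```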
searchsploit
Get the port information with nmap, then look for vulnerabilities matching the detected version through searchsploit and similar sources, and exploit them.
Notes on using SearchSploit against a practice target machine - Xianzhi Community (aliyun.com)
Using the collected port information, look up the vulnerability characteristics and then verify them.
12-HTTPS Enumeration
When a service port is found open, the first step is usually to visit it and gather information.
Information gathering notes
1. Port scanning also reveals open web services. In a CTF you will usually need to analyze the page source.
When the web directory is an admin panel, analyzing the page source is especially important.
2. Information gathering with tools
Tool: dirbuster (directory brute-forcing)
https://blog.youkuaiyun.com/weixin_41489908/article/details/115434107
Blind brute-force enumeration is not recommended; scanning with a wordlist is more efficient.
nikto: directory discovery and information gathering
https://blog.youkuaiyun.com/weixin_54055099/article/details/126436562
nikto -h
Option host requires an argument
-config+ Use this config file
-Display+ Turn on/off display outputs
-dbcheck check database and other key files for syntax errors
-Format+ save file (-o) format
-Help Extended help information
-host+ target host/URL
-id+ Host authentication to use, format is id:pass or id:pass:realm
-list-plugins List all available plugins
-output+ Write output to this file
-nossl Disables using SSL
-no404 Disables 404 checks
-Plugins+ List of plugins to run (default: ALL)
-port+ Port to use (default 80)
-root+ Prepend root value to all requests, format is /directory
-ssl Force ssl mode on port
-Tuning+ Scan tuning
-timeout+ Timeout for requests (default 10 seconds)
-update Update databases and plugins from CIRT.net
-Version Print plugin and database versions
-vhost+ Virtual host (for Host header)
+ requires a value
Note: This is the short help output. Use -H for full help text.
# Keyword to look for: Directory indexing found
Remember to run directory discovery against each of the different ports found by the scan.