4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.874 seconds (136.61 hosts/sec). 4 responded
192.168.205.129 is our target IP, so information gathering starts there.
┌──(root㉿kali)-[/home/kali]
└─# nmap -sS -sV -A -T4 -p- 192.168.205.129
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-16 04:26 EST
Nmap scan report for 192.168.205.129
Host is up (0.00043s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
|   1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
|   2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_  256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp    open  http    Apache httpd 2.2.22 ((Debian))
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
|_http-generator: Drupal 7 (http://drupal.org)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          44174/udp6  status
|   100024  1          46616/tcp   status
|   100024  1          46812/udp   status
|_  100024  1          46918/tcp6  status
46616/tcp open  status  1 (RPC #100024)
MAC Address: 00:0C:29:04:0C:DE (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.43 ms 192.168.205.129

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.30 seconds
Four TCP ports are open: 22, 80, 111, plus 46616, which is the rpc.statd (status) service on a dynamic port registered with rpcbind.
22 is SSH (OpenSSH 6.0p1, a Debian 7 "wheezy" build, as the deb7 suffix shows) and 80 is HTTP (Apache 2.2.22 serving Drupal 7). Everything here is end-of-life software, which is worth noting before we start looking for an entry point.
First, open the web page in a browser and see what is there.
It is a login page. Next, grab the site's basic fingerprint with whatweb.
┌──(root㉿kali)-[/home/kali]
└─# whatweb -v 192.168.205.129
WhatWeb report for http://192.168.205.129
Status    : 200 OK
Title     : Welcome to Drupal Site | Drupal Site
IP        : 192.168.205.129
Country   : RESERVED, ZZ

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.

        Version      : 2.2.22 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ Content-Language ]
        Detect the content-language setting from the HTTP header.

        String       : en

[ Drupal ]
        Drupal is an opensource CMS written in PHP.
        Aggressive function available (check plugin file or details).

        Google Dorks: (1)
        Website     : http://www.drupal.org

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to identify the operating system from the server header.

        OS           : Debian Linux
        String       : Apache/2.2.22 (Debian) (from server string)

[ JQuery ]
        A fast, concise, JavaScript that simplifies how to traverse HTML documents, handle events, perform animations, and add AJAX.

        Website     : http://jquery.com/

[ MetaGenerator ]
        This plugin identifies meta generator tags and extracts its value.

        String       : Drupal 7 (http://drupal.org)

[ PHP ]
        PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. This plugin identifies PHP errors, modules and versions and extracts the local file path and username if present.

        Version      : 5.4.45-0+deb7u14
        Google Dorks: (2)
        Website     : http://www.php.net/

[ PasswordField ]
        find password fields

        String       : pass (from field name)

[ Script ]
        This plugin detects instances of script HTML elements and returns the script language/type.

        String       : text/javascript

[ UncommonHeaders ]
        Uncommon HTTP server headers. The blacklist includes all the standard headers and many non standard but common ones. Interesting but fairly common headers should have their own plugins, eg. x-powered-by, server and x-aspnet-version. Info about headers can be found at www.http-stats.com
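Both nmap's http-generator script and whatweb's MetaGenerator plugin only read the generator tag, which says "Drupal 7" and nothing more precise. The robots.txt listing above, however, advertises /CHANGELOG.txt, and a stock Drupal 7 CHANGELOG.txt names the installed point release on its first line. The Python script below is an added example (not code from the original writeup) that pulls the exact release out of that file and cross-checks it against the generator header. The CHANGELOG, robots.txt and header samples embedded in it are constructed stand-ins, not the target's real responses; `fetch_release` is a hypothetical live helper and is the only function that touches the network.

```python
"""Pin down the exact Drupal 7 release from static files and headers.

Added example for this writeup; the sample data below is constructed and is
not what the target 192.168.205.129 actually returned.
"""
import re
import urllib.request
from urllib.parse import urljoin

# A Drupal 7 CHANGELOG.txt lists releases newest-first, each headed by a line
# of the form "Drupal 7.xx, YYYY-MM-DD" followed by a dashed underline.
_RELEASE_RE = re.compile(r"^Drupal (\d+\.\d+(?:\.\d+)?), (\d{4}-\d{2}-\d{2})\s*$", re.M)

# Constructed sample inputs (NOT the target's files).
SAMPLE_CHANGELOG = (
    "\n"
    "Drupal 7.31, 2014-08-06\n"
    "-----------------------\n"
    "- Fixed security issues. See the corresponding SA-CORE advisory.\n"
    "\n"
    "Drupal 7.30, 2014-07-24\n"
    "-----------------------\n"
    "- Fixed a regression in the previous release.\n"
)
SAMPLE_ROBOTS = (
    "User-agent: *\n"
    "Crawl-delay: 10\n"
    "# Directories\n"
    "Disallow: /includes/\n"
    "Disallow: /misc/\n"
    "# Files\n"
    "Disallow: /CHANGELOG.txt\n"
    "Disallow: /cron.php\n"
    "Disallow: /install.php\n"
)
# Header values mirror what whatweb reported above; the dict itself is constructed.
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.22 (Debian)",
    "X-Generator": "Drupal 7 (http://drupal.org)",
    "X-Powered-By": "PHP/5.4.45-0+deb7u14",
}


def releases_from_changelog(text):
    """All (version, date) pairs in a CHANGELOG.txt body, newest first."""
    return _RELEASE_RE.findall(text)


def current_release(text):
    """The installed release is the first entry; None if the body is not a Drupal changelog
    (for example a 200 OK that actually carries the front page HTML)."""
    found = releases_from_changelog(text)
    return found[0][0] if found else None


def major_from_generator(headers):
    """X-Generator / the meta generator tag only carry the major version."""
    m = re.match(r"Drupal (\d+)", headers.get("X-Generator", ""))
    return int(m.group(1)) if m else None


def disallowed_paths(robots_txt):
    """robots.txt Disallow entries double as a list of files the CMS ships and worth fetching."""
    return [
        line.split(":", 1)[1].strip()
        for line in robots_txt.splitlines()
        if line.lower().startswith("disallow:")
    ]


def consistent(headers, changelog_text):
    """True when the changelog's major version agrees with the generator header,
    a cheap guard against a decoy or stale CHANGELOG.txt."""
    release = current_release(changelog_text)
    major = major_from_generator(headers)
    return release is not None and major is not None and int(release.split(".")[0]) == major


def fetch_release(base_url, timeout=5):
    """Hypothetical live helper: GET /CHANGELOG.txt from a lab host and parse it."""
    req = urllib.request.Request(urljoin(base_url, "/CHANGELOG.txt"),
                                 headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return current_release(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    print("generator major :", major_from_generator(SAMPLE_HEADERS))
    print("changelog release:", current_release(SAMPLE_CHANGELOG))
    print("consistent      :", consistent(SAMPLE_HEADERS, SAMPLE_CHANGELOG))
    print("paths to fetch  :", disallowed_paths(SAMPLE_ROBOTS))
```

Against a real host you would call `fetch_release("http://192.168.205.129")`. Hardened Drupal installs often delete CHANGELOG.txt or rewrite the request to the front page, which still answers 200 OK; that is why `current_release` keys off the regex match rather than the status code and returns None instead of a bogus version. The rest of the disallowed list (INSTALL.txt, MAINTAINERS.txt, install.php, cron.php) is the same trick applied more broadly: robots.txt is a map of what a default install leaves readable.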