有点小白，专业是网络安全，但是目前刚刚接触，心里诚惶诚恐，想学，但是害怕失败，聊寄于写博客来不断地提升自己好了。

FourAndSix靶机

这个是通过百度云找到的。

之后通过Vmware 导入 OVA文件。

启动靶机

可以看到网络地址的范围是 192.168.41.132到 192.168.41.254

nmap

这个扫描界的神奇，然而我还是用的不熟练

nmap 参数

-F 扫描100个最有可能开放的端口
-v 获取扫描到的信息
-sT 采用TCP扫描
-p 指定端口
-sV 版本检测
-Pn 将所有主机都默认为在线，跳过主机发现
-n 不做DNS解析
-R 总是做DNS反向解析
--dns-servers指定自定义的DNS服务器
--system-dns 使用操作系统的DNS
--traceroute 追踪每台主机的跳转路径

nmap 扫描

由于不熟悉nmap，各种命令都试一下

最简单的命令：

nmap 192.168.41.132

PS C:\WINDOWS\system32> nmap 192.168.41.132
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-08 15:56 ?D1ú±ê×?ê±??
Nmap scan report for bogon (192.168.41.132)
Host is up (0.0000050s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
2049/tcp open  nfs
MAC Address: 00:0C:29:81:23:53 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 22.66 seconds

加入-v 和 -F选项，速度加快了

PS C:\WINDOWS\system32> nmap -v -F 192.168.41.132
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-08 15:59 ?D1ú±ê×?ê±??
Initiating ARP Ping Scan at 15:59
Scanning 192.168.41.132 [1 port]
Completed ARP Ping Scan at 15:59, 1.33s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:59
Completed Parallel DNS resolution of 1 host. at 15:59, 0.01s elapsed
Initiating SYN Stealth Scan at 15:59
Scanning bogon (192.168.41.132) [100 ports]
Discovered open port 22/tcp on 192.168.41.132
Discovered open port 111/tcp on 192.168.41.132
Discovered open port 2049/tcp on 192.168.41.132
Completed SYN Stealth Scan at 15:59, 0.01s elapsed (100 total ports)
Nmap scan report for bogon (192.168.41.132)
Host is up (0.0010s latency).
Not shown: 97 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
2049/tcp open  nfs
MAC Address: 00:0C:29:81:23:53 (VMware)

Read data files from: E:\ProgramFiles\Nmap
Nmap done: 1 IP address (1 host up) scanned in 8.07 seconds
           Raw packets sent: 101 (4.428KB) | Rcvd: 101 (4.040KB)

指定一个ip地址范围进行扫描

PS C:\WINDOWS\system32> nmap -v -F 192.168.41.132-254
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-08 16:01 ?D1ú±ê×?ê±??
Initiating ARP Ping Scan at 16:01
Scanning 123 hosts [1 port/host]
Completed ARP Ping Scan at 16:01, 6.19s elapsed (123 total hosts)
Initiating Parallel DNS resolution of 123 hosts. at 16:01
Completed Parallel DNS resolution of 123 hosts. at 16:01, 0.01s elapsed
Nmap scan report for 192.168.41.133 [host down]
Nmap scan report for 192.168.41.134 [host down]
Nmap scan report for 192.168.41.135 [host down]
Nmap scan report for 192.168.41.136 [host down]
...
Nmap scan report for 192.168.41.156 [host down]
Nmap scan report for 192.168.41.157 [host down]
Nmap scan report for 192.168.41.251 [host down]
Nmap scan report for 192.168.41.252 [host down]
Nmap scan report for 192.168.41.253 [host down]
Initiating SYN Stealth Scan at 16:01
Scanning 2 hosts [100 ports/host]
Discovered open port 22/tcp on 192.168.41.132
Discovered open port 111/tcp on 192.168.41.132
Discovered open port 2049/tcp on 192.168.41.132
Completed SYN Stealth Scan against 192.168.41.132 in 1.14s (1 host left)
Completed SYN Stealth Scan at 16:01, 2.13s elapsed (200 total ports)
Nmap scan report for bogon (192.168.41.132)
Host is up (0.00087s latency).
Not shown: 97 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
2049/tcp open  nfs
MAC Address: 00:0C:29:81:23:53 (VMware)

Nmap scan report for bogon (192.168.41.254)
Host is up (0.00s latency).
All 100 scanned ports on bogon (192.168.41.254) are filtered
MAC Address: 00:50:56:F7:B4:93 (VMware)

Read data files from: E:\ProgramFiles\Nmap
Nmap done: 123 IP addresses (2 hosts up) scanned in 15.43 seconds
           Raw packets sent: 561 (20.780KB) | Rcvd: 132 (5.268KB)

NFS服务

22端口开放了ssh服务，
111端口开放了 rpcbind服务
2049端口开放了 nfs服务

NFS就是网络文件系统
可以简单地看作一个文件服务器
重点是：
NFS的功能比较丰富，但是端口不固定
所以需要远程过程调用RPC。
客户机通过RPC服务去连接对应的NFS服务
所以在启动NFS之前， RPC服务要在这之前先启动。

探测nfs可以挂载的脚本

nmap -sV --script=nfs-showmount 192.168.41.132

PS C:\WINDOWS\system32> nmap -sV --script=nfs-showmount 192.168.41.132
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-08 16:11 ?D1ú±ê×?ê±??
Nmap scan report for bogon (192.168.41.132)
Host is up (0.0000040s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9 (protocol 2.0)
111/tcp  open  rpcbind 2 (RPC #100000)
| nfs-showmount:
|_  /home/user/storage
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3         2049/tcp  nfs
|   100003  2,3         2049/udp  nfs
|   100005  1,3          606/tcp  mountd
|_  100005  1,3          812/udp  mountd
2049/tcp open  nfs     2-3 (RPC #100003)
MAC Address: 00:0C:29:81:23:53 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.26 seconds

这里使用了脚本参数 --script=nfs-showmount

nfs-showmount

我们发现了一个可供挂载的目录： /home/usr/storage
接下来的想法就是要挂载到那个目录下，然后看看有没有什么文件可供利用的

后面的内容暂时有点无法继续，鸽一会儿

参考资料

nmap所有参数
nmap命令的实用29个例子
FourAndSix2渗透实战
Linux下NFS服务器搭建
渗透测试之Jarbas和FourandSix靶机实战

FourAndSix靶机渗透