192.168.0.79
# finger @numen
[numen]
Login Name TTY Idle When Where
root Super-User console 7 Fri 10:03 :0
root Super-User pts/6 11 Fri 12:56 192.168.0.116
root Super-User pts/7 Fri 10:11 zw
root Super-User pts/11 3:21 Fri 09:53 192.16 nu
men:
ts/10 May 7 13:08 18 (192.168.0.116)
(samsa: if finger is not available, you have to fall back on rusers)
4) showmount
# showmount -ae numen
export table of numen:
/space/users/lpf sun9
samsa:/space/users/lpf
sun9:/space/users/lpf
(samsa: which directories this host exports, and who is sharing them [/etc/dfs/dfstab])
5) rpcinfo
# rpcinfo -p numen
program vers proto port service
100000 4 tcp 111 rpcbind
100000 4 udp 111 rpcbind
100024 1 udp 32772 status
100024 1 tcp 32771 status
100021 4 udp 4045 nlockmgr
100001 2 udp 32778 rstatd
100083 1 tcp 32773 ttdbserver
100235 1 tcp 32775
100021 2 tcp 4045 nlockmgr
100005 1 udp 32781 mountd
100005 1 tcp 32776 mountd
100003 2 udp 2049 nfs
100011 1 udp 32822 rquotad
100002 2 udp 32823 rusersd
100002 3 tcp 33180 rusersd
100012 1 udp 32824 sprayd
100008 1 udp 32825 walld
100068 2 udp 32829 cmsd
(samsa: [/etc/rpc] too bad rexd is not running; they say that with rexd enabled it is as good as having no password!
Still, there are rstat, rusers, mount and nfs :-)
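An added example, not part of samsa's original notes: a defender-side audit that parses the `rpcinfo -p` listing above and reports every RPC program outside an allowlist. The allowlist (a policy for an NFS server), the function names and the note texts are assumptions made for illustration.

```python
# Constructed input: the rpcinfo listing from the page, embedded to run offline.
SAMPLE = """\
program vers proto port service
100000 4 tcp 111 rpcbind
100000 4 udp 111 rpcbind
100024 1 udp 32772 status
100024 1 tcp 32771 status
100021 4 udp 4045 nlockmgr
100001 2 udp 32778 rstatd
100083 1 tcp 32773 ttdbserver
100235 1 tcp 32775
100021 2 tcp 4045 nlockmgr
100005 1 udp 32781 mountd
100005 1 tcp 32776 mountd
100003 2 udp 2049 nfs
100011 1 udp 32822 rquotad
100002 2 udp 32823 rusersd
100002 3 tcp 33180 rusersd
100012 1 udp 32824 sprayd
100008 1 udp 32825 walld
100068 2 udp 32829 cmsd
"""
# Assumed policy (hypothetical NFS server), keyed by program number, not by name.
ALLOWED = {100000, 100003, 100005, 100011, 100021, 100024}
NOTES = {100017: "rexd: the page likens this to having no password",
         100002: "rusersd: discloses logged-in users and their source hosts"}

def parse_rpcinfo(text):
    """Return (program, version, proto, port, service); service is None if absent."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].isdigit():  # skips the header and blank lines
            rows.append((int(f[0]), int(f[1]), f[2], int(f[3]), f[4] if len(f) > 4 else None))
    return rows

def audit(rows, allowed=ALLOWED):
    """Map each non-allowlisted program to its name, endpoints and a note."""
    findings = {}
    for prog, _vers, proto, port, service in rows:
        if prog not in allowed:
            e = findings.setdefault(prog, {"service": service or "unnamed", "endpoints": set(),
                                           "note": NOTES.get(prog, "not in allowlist; disable if unused")})
            e["endpoints"].add((proto, port))
    return findings

if __name__ == "__main__":
    for prog, e in sorted(audit(parse_rpcinfo(SAMPLE)).items()):
        print(prog, e["service"], sorted(e["endpoints"]), e["note"])
```

Keying on the program number means a registration with no name in the service column, such as 100235 in the listing, is still reported.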
6) x-windows
# DISPLAY=victim.com:0.0
# export DISPLAY
# xhost
access control disabled, clients can connect from any host
(samsa:great!!!)
# xwininfo -root
xwininfo: Window id: 0x25 (the root window) (has no name)
Absolute upper-left X: 0
Absolute upper-left Y: 0
Relative upper-left X: 0
Relative upper-left Y: 0
Width: 1152
Height: 900
Depth: 24
Visual Class: TrueColor
Border width: 0
Class: InputOutput
Colormap: 0x21 (installed)
Bit Gravity State: ForgetGravity
Window Gravity State: NorthWestGravity
Backing Store State: NotUseful
Save Under State: no
Map State: IsViewable
Override Redirect State: no
Corners: +0+0 -0+0 -0-0 +0-0
-geometry 1152x900+0+0
(samsa: can't be greater!!!!!!!!!!!)
7) smtp
# telnet numen smtp
Trying 192.168.0.198...
Connected to numen.
Escape character is ^].
220 numen.ac.cn ESMTP Sendmail 8.9.1b+Sun/8.9.1; Fri, 7 May 1999 14:01:39 +0800 (CST)
expn root
250 Super-User <[email protected]>
vrfy ylx
250 <[email protected]>
expn ftp
250 <[email protected]>
(samsa: the ftp account means there is anonymous ftp)
(samsa: without finger and rusers, the only option is to guess usernames one by one this way)
debug
500 Command unrecognized: "debug"
wiz
500 Command unrecognized: "wiz"
(samsa: where would you still find these famous holes nowadays? :-(( )
8) Using a scanner (***)
# satan victim.com
...
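(samsa: satan has a graphical interface, so its output cannot be shown here!! It lists victim.com's system type (e.g. SunOS 5.7), the services it offers (e.g. WWW) and the vulnerabilities present)
Posted by: netbull  Source: sinbad Network Security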