# Misconfigured Network Services


Exploiting web vulnerabilities and social engineering are the main ways of breaching the perimeter, and enterprises expose network services such as FTP to the Internet less and less, but that does not mean breaching the perimeter through a misconfigured network service is impossible. Note that what we discuss here is the misconfiguration of network services, not vulnerability exploitation; a service may even have an exploitable vulnerability (a denial of service, say) that gives us no extra advantage. As with vulnerability exploitation, we sometimes need to combine several clues. Below are some common network services and their common misconfigurations (weak passwords and CVEs are not covered). Although these services appear more often on internal networks, exposing them to the Internet is itself unnecessary and should not be done.

| Service | Default port | Weak configuration |
|---|---|---|
| FTP | 21 | Anonymous access |
| SMTP | 25 | Open relay |
| MSRPC | 135 | Process and system information disclosure |
| NBT-SSN | 139 | Null session access |
| SMB | 445 | Null session access; default readable/writable shares |
| VNC | 5900/5901 | No authentication |
| WinRM | 5985/5986 | System and domain information disclosure |
| X11 | 6000 | No authentication |
| MSSQL | 1433 | System and domain information disclosure |
| RDP | 3389 | System and domain information disclosure |
| Redis | 6379 | No authentication; arbitrary file write |
| Rsync | 873 | No authentication |
| MongoDB | 27017 | No authentication |

After scanning raven-medicine.org with Nmap, we find that port 21 is open, which is normally the FTP port. We run a more detailed service scan against that port:

```bash
└─# nmap -p21 -sV -vv raven-medicine.org
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-26 12:54 PST
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 12:54
Scanning raven-medicine.org (185.2.101.114) [4 ports]
Completed Ping Scan at 12:54, 0.15s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:54
Completed Parallel DNS resolution of 1 host. at 12:54, 0.22s elapsed
Initiating SYN Stealth Scan at 12:54
Scanning raven-medicine.org (185.2.101.114) [1 port]
Discovered open port 21/tcp on 185.2.101.114
Completed SYN Stealth Scan at 12:54, 0.15s elapsed (1 total ports)
Initiating Service scan at 12:54
Scanning 1 service on raven-medicine.org (185.2.101.114)
Completed Service scan at 12:54, 1.45s elapsed (1 service on 1 host)
NSE: Script scanning 185.2.101.114.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 12:54
Completed NSE at 12:54, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 12:54
Completed NSE at 12:54, 0.00s elapsed
Nmap scan report for raven-medicine.org (185.2.101.114)
Host is up, received reset ttl 110 (0.11s latency).
rDNS record for 185.2.101.114: m2314.contaboserver.net
Scanned at 2023-02-26 12:54:55 PST for 2s

PORT   STATE SERVICE REASON          VERSION
21/tcp open  ftp     syn-ack ttl 110 vsftpd 3.0.3
Service Info: OS: Unix

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.43 seconds
           Raw packets sent: 5 (196B) | Rcvd: 2 (84B)
```

[![image.png](https://raven-medicine.com/uploads/images/gallery/2023-02/scaled-1680-/c8SS3wTK947kgp5v-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-02/c8SS3wTK947kgp5v-image.png)

The service is indeed FTP, and the software and version are **vsftpd 3.0.3**. This is a recent version of the FTP server and has no serious known vulnerabilities.

[![image.png](https://raven-medicine.com/uploads/images/gallery/2023-02/scaled-1680-/g3xp9t5nFEBIl8WY-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-02/g3xp9t5nFEBIl8WY-image.png)

Let's check whether the service allows anonymous access. To test for anonymous access, one normally tries the users anonymous or ftp. This target does allow anonymous access, and there are files stored on the server.
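The check above is the defender's question as much as the tester's: does this server accept anonymous logins, and if so, can anonymous users write? The script below is an added example (not part of this page or of vsftpd) that audits a vsftpd.conf for the options that grant anonymous access and write rights, and can also probe a live server with the standard library's ftplib the same way we did here, trying the users anonymous and ftp. The two configuration texts are constructed for the demo; the option names are real vsftpd options.

```python
"""Audit vsftpd for anonymous exposure (added example, not the page's own code)."""
import ftplib


def parse_vsftpd_conf(text):
    """Parse vsftpd.conf text into a dict of lowercased option -> value."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        opts[key.strip().lower()] = value.strip()
    return opts


def _yes(opts, key, default="NO"):
    return opts.get(key, default).upper() == "YES"


def audit_vsftpd_conf(text):
    """Return (severity, option, message) findings about anonymous access.

    Upstream vsftpd defaults anonymous_enable to YES when the option is absent
    (distribution packages usually ship it as NO), so an unset value is reported.
    The anon_* write options only take effect when write_enable=YES.
    """
    opts = parse_vsftpd_conf(text)
    findings = []
    if "anonymous_enable" not in opts:
        findings.append(("medium", "anonymous_enable",
                         "not set; upstream default is YES, set it explicitly to NO"))
    elif _yes(opts, "anonymous_enable"):
        findings.append(("high", "anonymous_enable", "anonymous logins accepted"))
    else:
        return findings  # anonymous access is off, the write flags are moot
    if _yes(opts, "write_enable"):
        for key in ("anon_upload_enable", "anon_mkdir_write_enable",
                    "anon_other_write_enable"):
            if _yes(opts, key):
                findings.append(("critical", key, "anonymous users can modify the share"))
    if _yes(opts, "no_anon_password"):
        findings.append(("low", "no_anon_password",
                         "anonymous password prompt disabled, nothing recorded in logs"))
    return findings


def check_anonymous_login(host, port=21, users=("anonymous", "ftp"), timeout=5):
    """Probe a live server for anonymous login; returns (user, listing) or None.

    Needs network access, so the stand-alone demo below does not call it.
    """
    for user in users:
        ftp = ftplib.FTP()
        try:
            ftp.connect(host, port, timeout=timeout)
            ftp.login(user, "anonymous@example.com")  # conventional anonymous password
            listing = ftp.nlst()
            ftp.quit()
            return user, listing
        except ftplib.all_errors:
            continue
        finally:
            ftp.close()
    return None


# Constructed sample: a permissive configuration like the one this target exhibits.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
"""

# Constructed sample: anonymous access off, local accounts forced over TLS.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_vsftpd_conf(conf) or "no findings")
```

Run it against the real file with `audit_vsftpd_conf(open("/etc/vsftpd.conf").read())`; the live probe `check_anonymous_login("host")` confirms from the outside what the config audit predicts from the inside.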

[![image.png](https://raven-medicine.com/uploads/images/gallery/2023-02/scaled-1680-/rO5swzHUKTgb5Cke-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-02/rO5swzHUKTgb5Cke-image.png)

We can use wget to mirror all downloadable files locally and analyse them at leisure:

```shell
└─# wget -m ftp://anonymous:admin@raven-medicine.org
--2023-02-26 13:00:38--  ftp://anonymous:*password*@raven-medicine.org/
           => ‘raven-medicine.org/.listing’
Resolving raven-medicine.org (raven-medicine.org)... 185.2.101.114
Connecting to raven-medicine.org (raven-medicine.org)|185.2.101.114|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD not needed.
==> PASV ... done.    ==> LIST ... done.

raven-medicine.org/.listing              [ <=>                                                                  ]     246  --.-KB/s    in 0s      

2023-02-26 13:00:41 (38.8 MB/s) - ‘raven-medicine.org/.listing’ saved [246]

--2023-02-26 13:00:41--  ftp://anonymous:*password*@raven-medicine.org/note.txt
```

[![image.png](https://raven-medicine.com/uploads/images/gallery/2023-02/scaled-1680-/kOwSlqTKeZ8IpotG-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-02/kOwSlqTKeZ8IpotG-image.png)

Among these files we find a txt file that looks like a sticky note but appears to record a set of plaintext GitHub credentials. The folder appears to contain the source code of an application called chat.js.
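A note with plaintext credentials sitting on an anonymous share is exactly what a secret scan over the mirrored tree is meant to catch before the share is exposed. The script below is an added example (not part of this page): it walks a mirrored directory, skips binaries, and reports lines that look like credentials (a GitHub personal access token prefix, user/password assignments, URLs with embedded credentials), masking the matched value so the report itself does not re-leak it. The sample mirror, the file names chat.js and note.txt, and all values in it are constructed for the demo.

```python
"""Scan a mirrored FTP tree for plaintext credentials (added example)."""
import re
import tempfile
from pathlib import Path

# Patterns for the kinds of secrets a sticky note or config file tends to leak.
# The ghp_ prefix is GitHub's classic personal access token format; the rest are generic.
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "password_assignment": re.compile(r"(?i)\b(pass(word)?|pwd)\s*[:=]\s*\S+"),
    "user_assignment": re.compile(r"(?i)\b(user(name)?|login)\s*[:=]\s*\S+"),
    "url_with_credentials": re.compile(r"\b[a-z]+://[^/\s:@]+:[^/\s@]+@\S+"),
}
SKIP_SUFFIXES = {".png", ".jpg", ".gif", ".zip", ".gz"}
MAX_BYTES = 1_000_000


def mask(value):
    """Keep only the first four and last two characters of a matched value."""
    return value if len(value) <= 8 else value[:4] + "***" + value[-2:]


def scan_tree(root):
    """Walk a mirrored directory and return one finding dict per matching line."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if (not path.is_file() or path.suffix.lower() in SKIP_SUFFIXES
                or path.stat().st_size > MAX_BYTES):
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, rx in PATTERNS.items():
                m = rx.search(line)
                if m:
                    findings.append({"file": path.relative_to(root).as_posix(),
                                     "line": lineno, "kind": kind,
                                     "match": mask(m.group(0))})
    return findings


def build_sample_mirror(root):
    """Construct a miniature copy of what an anonymous FTP mirror might contain."""
    root = Path(root)
    (root / "chat.js").mkdir(parents=True)
    (root / "chat.js" / "server.js").write_text("const express = require('express');\n")
    (root / "chat.js" / "config.js").write_text(
        "module.exports = { db: 'mongodb://chatuser:Chat2023!@db.internal:27017/chat' };\n")
    (root / "note.txt").write_text(
        "reminder for myself\n"
        "username: rvn-dev\n"
        "password: PLACEHOLDER_PASS\n"
        "token ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE1\n")
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")  # binary, skipped


def run_demo():
    """Build the constructed mirror in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_mirror(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['file']}:{f['line']} {f['kind']} {f['match']}")
```

For a real mirror, call `scan_tree("raven-medicine.org")` on the directory wget created; on the constructed sample it reports the database URL in config.js and the three credential lines in note.txt, and nothing from server.js or the PNG.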

[![image.png](https://raven-medicine.com/uploads/images/gallery/2023-02/scaled-1680-/NbAtPMdVRntRxITX-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-02/NbAtPMdVRntRxITX-image.png)

We use this account to try to log in to GitHub, and the login succeeds.

[![image.png](https://raven-medicine.com/uploads/images/gallery/2023-02/scaled-1680-/TRzlAS5FnWdcolLw-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-02/TRzlAS5FnWdcolLw-image.png)

The account has a public repository containing a script. Although we don't yet know how this information will be useful to us, we can come back to it later in the engagement to open new avenues.

[![image.png](https://raven-medicine.com/uploads/images/gallery/2023-02/scaled-1680-/ovXsr6D7ZCyfUuyz-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-02/ovXsr6D7ZCyfUuyz-image.png)