其实吧这篇文件也是一个大概的了解和思路篇...没什么技术含量,但是你可以你可以从思路中来获得;
其他的技术都是靠自己去摸索,我说了半天还是别人的,不如自己直接试试,这样效果比我直接告诉你的更加的深刻...
好了别的废话不多说,我现在直接给大家说说C段:
首先什么是C段
这里我告诉大家..比如在:127.127.127.4 这个IP上面有一个网站 127.4 这个服务器上面有网站我们可以想想..他是一个非常大的站几乎没什么漏洞!但是在他同C段 127.127.127.1~127.127.127.255 这 1~255 上面也有服务器而且也有网站并且存在漏洞,那么我们就可以来渗透 1~255任何一个站 之后提权来嗅探得到127.4 这台服务器的密码 甚至3389连接的密码后台登录的密码 如果运气好会得到很多的密码...(这里大家又看见了提权这个两个字眼这下大家知道了提权的重要性了吧!)
C段没什么技术含量简单的配置一下Cain这款工具就OK了..现在版本是4.9功能是非常的强大但是 是在window下面用的..
如果是Linux Unix 系统大家可以百度一下!Unix下的嗅探、
在UNIX环境下如Sniffit,Snoop,Tcpdump,Dsniff 等都是比较常见的! 如果window2003提权不到 Unix 也别想了..
其实大家可以把C段想像成 远程键盘记录器...而且C段嗅探是防不胜防 很多大的站就是这么被和谐的..
大家都知道 很多大的黑客站被大牛们盯上,之后被渗透 其中很多是嗅探拿下的...
大家如果自己提权不好。可以搭建虚拟机来测试嗅探看看
拿C段
<ignore_js_op>
![](http://www.hack80.com/data/attachment/forum/201307/28/151730ahl6lbf6beq22yia.jpg)
看见了个很接近的C段 并且是一个公司 一般的企业的都挺好日的
218.x.241.134的第一个企业站点习惯性的在后面加了个admin
<ignore_js_op>![](http://www.hack80.com/data/attachment/forum/201307/28/151745z60jketzbtej56t1.jpg)
![](http://www.hack80.com/data/attachment/forum/201307/28/151745z60jketzbtej56t1.jpg)
找到后台登陆进去
<ignore_js_op>![](http://www.hack80.com/data/attachment/forum/201307/28/151751n3yicjf94yty0thy.jpg)
![](http://www.hack80.com/data/attachment/forum/201307/28/151751n3yicjf94yty0thy.jpg)
这个分店选择 看见了系统管理组
<ignore_js_op>![](http://www.hack80.com/data/attachment/forum/201307/28/151800cue8iuw66twe6c8o.jpg)
![](http://www.hack80.com/data/attachment/forum/201307/28/151800cue8iuw66twe6c8o.jpg)
登陆进去 后台是这个样的
<ignore_js_op>![](http://www.hack80.com/data/attachment/forum/201307/28/151804sixltmiatnigxd9t.jpg)
![](http://www.hack80.com/data/attachment/forum/201307/28/151804sixltmiatnigxd9t.jpg)
果断manager 点击登陆 竟然不需要密码 就进去了 找到后台上传地方
<ignore_js_op>![](http://www.hack80.com/data/attachment/forum/201307/28/151809uvpt1i1vp665518q.jpg)
![](http://www.hack80.com/data/attachment/forum/201307/28/151809uvpt1i1vp665518q.jpg)
<ignore_js_op>![](http://www.hack80.com/data/attachment/forum/201307/28/151816y3z9psutc5xnpp41.png)
![](http://www.hack80.com/data/attachment/forum/201307/28/151816y3z9psutc5xnpp41.png)
果断xx.asp;1.jpg
<ignore_js_op>
进入上传成功人品真不是盖的!
![](http://www.hack80.com/data/attachment/forum/201307/28/151819yobntz0hthm5pnm0.png)
<ignore_js_op>![](http://www.hack80.com/data/attachment/forum/201307/28/151822izelyq5ylzzua5d3.png)
![](http://www.hack80.com/data/attachment/forum/201307/28/151822izelyq5ylzzua5d3.png)
复制图片地址
果断进去webshell
<ignore_js_op>![](http://www.hack80.com/data/attachment/forum/201307/28/151836boww95n0b75jfpj6.png)
![](http://www.hack80.com/data/attachment/forum/201307/28/151836boww95n0b75jfpj6.png)
习惯性的看下组建
<ignore_js_op>
支持ws
![](http://www.hack80.com/data/attachment/forum/201307/28/151839ptjkx1msizmj6nkv.png)
果断找可写目录
<ignore_js_op>![](http://www.hack80.com/data/attachment/forum/201307/28/151845iretk6uiekq6qk1t.png)
![](http://www.hack80.com/data/attachment/forum/201307/28/151845iretk6uiekq6qk1t.png)
发现可写目录 用菜刀吧cmd.exe和pr.exe上传到这个可写可读目录
<ignore_js_op>![](http://www.hack80.com/data/attachment/forum/201307/28/151848uomeotfi6xto866h.png)
![](http://www.hack80.com/data/attachment/forum/201307/28/151848uomeotfi6xto866h.png)
执行命令
<ignore_js_op>![](http://www.hack80.com/data/attachment/forum/201307/28/151851txzpeyqzqyiiys1f.png)
![](http://www.hack80.com/data/attachment/forum/201307/28/151851txzpeyqzqyiiys1f.png)
Pr可以提权溢出返回的是system权限 添加个账户
<ignore_js_op>![](http://www.hack80.com/data/attachment/forum/201307/28/151853bmmnnn6onlcs0z9t.png)
![](http://www.hack80.com/data/attachment/forum/201307/28/151853bmmnnn6onlcs0z9t.png)
C:wmpubwmiislogpr.exe "net userxxoo ooxx /add & net localgroup administrators xxoo /add"执行命令添加用户显示成功 因为已经添加好了 我就不在添加了
<ignore_js_op>
读取一些注册表 3389的端口 显示3366
![](http://www.hack80.com/data/attachment/forum/201307/28/151856rbs8esc8ehbcxzht.png)
<ignore_js_op>
果断登陆
![](http://www.hack80.com/data/attachment/forum/201307/28/151901iomjmawma7iamxkz.png)
输入账户和密码 成功登陆进去
<ignore_js_op>
登陆进去 看见服务器有麦咖啡
![](http://www.hack80.com/data/attachment/forum/201307/28/151906fzn75vtezz48tj34.png)
<ignore_js_op>
服务关掉不然我下载啥玩意都得被杀掉
![](http://www.hack80.com/data/attachment/forum/201307/28/151911afh048bh7fj44m0z.png)
吧Cain下载好 打开
<ignore_js_op>![](http://www.hack80.com/data/attachment/forum/201307/28/151916zjs3jbk7ksd4tjk3.png)
![](http://www.hack80.com/data/attachment/forum/201307/28/151916zjs3jbk7ksd4tjk3.png)
<ignore_js_op>
配置选网卡
![](http://www.hack80.com/data/attachment/forum/201307/28/151921oqy3y4agqpqavqga.png)
<ignore_js_op>
端口选择
![](http://www.hack80.com/data/attachment/forum/201307/28/151925zemjppnhrkzemksi.png)
激活嗅探器然后扫描一下Mac地址
<ignore_js_op>![](http://www.hack80.com/data/attachment/forum/201307/28/151930vo9n1klmn6fnk1ff.png)
![](http://www.hack80.com/data/attachment/forum/201307/28/151930vo9n1klmn6fnk1ff.png)
然后点击确定
<ignore_js_op>![](http://www.hack80.com/data/attachment/forum/201307/28/151937tzyo24bdk4wwstoz.png)
![](http://www.hack80.com/data/attachment/forum/201307/28/151937tzyo24bdk4wwstoz.png)
添加一下
<ignore_js_op>![](http://www.hack80.com/data/attachment/forum/201307/28/151940gz5n5bjfdy5jn5rn.png)
![](http://www.hack80.com/data/attachment/forum/201307/28/151940gz5n5bjfdy5jn5rn.png)
选择一下要嗅探的主机
<ignore_js_op>
点击开始
![](http://www.hack80.com/data/attachment/forum/201307/28/151945jxgvtlx3hfl0egzv.png)
<ignore_js_op>
坐等数据吧!
![](http://www.hack80.com/data/attachment/forum/201307/28/151948ctkgh8ghhy03yy38.jpg)