Summary of Linux privilege-escalation and penetration techniques

I. LDAP penetration techniques

1. cat /etc/nsswitch.conf
   Check the password login policy. Here we can see that "files ldap" mode is in use.

2. less /etc/ldap.conf
       base ou=People,dc=unix-center,dc=net
   Find the ou, dc, dc settings.

3. Look up administrator information
   Anonymous:
       ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
   With a password:
       ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

4. Return 10 user records (-p specifies the port)
       ldapsearch -h 192.168.2.2 -x -z 10 -p <port>

Penetration in practice:

1. Return all attributes
       ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s sub "objectclass=*"
       version: 1
       dn: dc=ruc,dc=edu,dc=cn
       dc: ruc
       objectClass: domain

       dn: uid=manager,dc=ruc,dc=edu,dc=cn
       uid: manager
       objectClass: inetOrgPerson
       objectClass: organizationalPerson
       objectClass: person
       objectClass: top
       sn: manager
       cn: manager

       dn: uid=superadmin,dc=ruc,dc=edu,dc=cn
       uid: superadmin
       objectClass: inetOrgPerson
       objectClass: organizationalPerson
       objectClass: person
       objectClass: top
       sn: superadmin
       cn: superadmin

       dn: uid=admin,dc=ruc,dc=edu,dc=cn
       uid: admin
       objectClass: inetOrgPerson
       objectClass: organizationalPerson
       objectClass: person
       objectClass: top
       sn: admin
       cn: admin

       dn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn
       uid: dcp_anonymous
       objectClass: top
       objectClass: person
       objectClass: organizationalPerson
       objectClass: inetOrgPerson
       sn: dcp_anonymous
       cn: dcp_anonymous

2. View the base entry
       bash-3.00# ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s base "objectclass=*" | more
       version: 1
       dn: dc=ruc,dc=edu,dc=cn
       dc: ruc
       objectClass: domain

3. Search (empty base DN)
       bash-3.00# ldapsearch -h 192.168.7.33 -b "" -s base "objectclass=*"
       version: 1
       dn:
       objectClass: top
       namingContexts: dc=ruc,dc=edu,dc=cn
       supportedExtension: 2.16.840.1.113730.3.5.7
       supportedExtension: 2.16.840.1.113730.3.5.8
       supportedSASLMechanisms: EXTERNAL
       supportedSASLMechanisms: DIGEST-MD5
       supportedLDAPVersion: 2
       supportedLDAPVersion: 3
       vendorName: Sun Microsystems, Inc.
       vendorVersion: Sun-Java(tm)-System-Directory/6.2
       dataversion: 020090516011411
       netscapemdsuffix: cn=ldap://dc=webA:389
       supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
       supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
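
What these unauthenticated queries give away can be checked from the directory owner's side by parsing the same ldapsearch output. The following is an added example, not part of the original page: parse_ldif and audit_anonymous_exposure are hypothetical names, the sample input is trimmed from the output above, and the three checks are an assumed, non-exhaustive set.

```python
import base64
import re

def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of {attr: [values]} dicts."""
    entries = []
    unfolded = re.sub(r"\r?\n ", "", text)   # join RFC 2849 folded lines
    for line in unfolded.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":                     # every dn: line opens a new entry
            entries.append({"dn": [value]})
        elif entries:                        # skips the leading "version: 1"
            entries[-1].setdefault(attr, []).append(value)
    return entries

def audit_anonymous_exposure(ldif_text):
    """List what LDIF captured from an unauthenticated query gives away."""
    entries, findings = parse_ldif(ldif_text), []
    accounts = [e["uid"][0] for e in entries if "uid" in e]
    if accounts:
        findings.append("anonymous read exposes accounts: " + ", ".join(accounts))
    for e in (e for e in entries if e["dn"] == [""]):   # root DSE has an empty DN
        if "2" in e.get("supportedldapversion", []):
            findings.append("LDAPv2 still enabled")
        if "DIGEST-MD5" in e.get("supportedsaslmechanisms", []):
            findings.append("DIGEST-MD5 SASL offered (historic per RFC 6331)")
        for v in e.get("vendorversion", []):
            findings.append("version disclosed to anonymous clients: " + v)
    return findings

# Sample input: trimmed from the ldapsearch output shown on this page.
SAMPLE = """version: 1
dn: uid=admin,dc=ruc,dc=edu,dc=cn
uid: admin

dn:
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorVersion: Sun-Java(tm)-System-Directory/6.2
"""

if __name__ == "__main__":
    print("\n".join(audit_anonymous_exposure(SAMPLE)))
```

An empty result for output captured without credentials means none of these three checks fired; it does not show that anonymous access is disabled.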