Elektroda.pl

Hacked, now I need help with Windows Server 2012 configuration

dr.pawlica 31 Jul 2017 09:06 789 8
  • #1 31 Jul 2017 09:06
    dr.pawlica
    Level 6

    Hello, I am the happy owner of a Win 8.1 + Win Server 2012 system (a sort of hybrid). The person who controls my home computer, using Windows Server 2012 features, has built a sizeable virtual network containing virtual disks, virtual network adapters, mail servers and HTTP servers; I am even joined to some domain, I think. The system sees only half of the RAM; I suspect it has been allocated to stand up a virtual system through which my "buddy" connects. There are plenty more symptoms pointing to an attack.

    I am starting this thread because I would like to somehow recover that mapped RAM, copy the virtual disks, and track down all the network locations that are in any way used to run this network, and above all understand why this person is doing it and on what scale.
    Besides, no formatting or zeroing of disks helps, so maybe once I learn something more about this network I will come up with some solution.

    Spoiler:

    Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-30 21:12 Środkowoeuropejski czas letni

    NSE: Loaded 275 scripts for scanning.

    NSE: Script Pre-scanning.

    Initiating NSE at 21:12

    NSE: [shodan-api] Error: Please specify your ShodanAPI key with the shodan-api.apikey argument

    NSE: [mtrace] A source IP must be provided through fromip argument.

    Completed NSE at 21:12, 10.23s elapsed

    Initiating NSE at 21:12

    Completed NSE at 21:12, 0.00s elapsed

    Initiating NSE at 21:12

    Completed NSE at 21:12, 0.00s elapsed

    Pre-scan script results:

    | knx-gateway-discover:

    |_ ERROR: Couldn't get interface for 224.0.23.12

    | targets-asn:

    |_ targets-asn.asn is a mandatory parameter

    Initiating Parallel DNS resolution of 1 host. at 21:12

    Completed Parallel DNS resolution of 1 host. at 21:12, 6.50s elapsed

    Initiating SYN Stealth Scan at 21:12

    Scanning 192.168.0.102 [1000 ports]

    Discovered open port 554/tcp on 192.168.0.102

    Discovered open port 139/tcp on 192.168.0.102

    Discovered open port 135/tcp on 192.168.0.102

    Discovered open port 445/tcp on 192.168.0.102

    Discovered open port 49154/tcp on 192.168.0.102

    Discovered open port 10243/tcp on 192.168.0.102

    Discovered open port 49159/tcp on 192.168.0.102

    Discovered open port 49155/tcp on 192.168.0.102

    Discovered open port 49152/tcp on 192.168.0.102

    Discovered open port 49153/tcp on 192.168.0.102

    Discovered open port 49158/tcp on 192.168.0.102

    Discovered open port 2869/tcp on 192.168.0.102

    Discovered open port 5357/tcp on 192.168.0.102

    Completed SYN Stealth Scan at 21:12, 0.11s elapsed (1000 total ports)

    Initiating UDP Scan at 21:12

    Scanning 192.168.0.102 [1000 ports]

    Discovered open port 5353/udp on 192.168.0.102

    Discovered open port 53/udp on 192.168.0.102

    Discovered open port 137/udp on 192.168.0.102

    Completed UDP Scan at 21:12, 4.31s elapsed (1000 total ports)

    Initiating Service scan at 21:12

    Scanning 1013 services on 192.168.0.102

    Service scan Timing: About 0.89% done

    Service scan Timing: About 9.08% done; ETC: 21:27 (0:13:51 remaining)

    Service scan Timing: About 20.53% done; ETC: 21:21 (0:07:17 remaining)

    Service scan Timing: About 32.28% done; ETC: 21:19 (0:05:00 remaining)

    Service scan Timing: About 45.11% done; ETC: 21:18 (0:03:30 remaining)

    Service scan Timing: About 59.13% done; ETC: 21:18 (0:02:20 remaining)

    Service scan Timing: About 79.66% done; ETC: 21:17 (0:00:59 remaining)

    Completed Service scan at 21:16, 265.48s elapsed (1013 services on 1 host)

    Initiating OS detection (try #1) against 192.168.0.102

    Retrying OS detection (try #2) against 192.168.0.102

    Retrying OS detection (try #3) against 192.168.0.102

    Retrying OS detection (try #4) against 192.168.0.102

    Retrying OS detection (try #5) against 192.168.0.102

    NSE: Script scanning 192.168.0.102.

    Initiating NSE at 21:17

    Discovered open port 500/udp on 192.168.0.102

    Discovered open port 47808/udp on 192.168.0.102

    Discovered open port 1900/udp on 192.168.0.102

    Completed NSE at 21:23, 391.94s elapsed

    Initiating NSE at 21:23

    Completed NSE at 21:23, 8.95s elapsed

    Initiating NSE at 21:23

    Completed NSE at 21:23, 0.23s elapsed

    Nmap scan report for 192.168.0.102

    Host is up (0.00s latency).

    Not shown: 994 open|filtered ports, 987 closed ports

    PORT STATE SERVICE VERSION

    135/tcp open msrpc Microsoft Windows RPC

    139/tcp open netbios-ssn Microsoft Windows netbios-ssn

    445/tcp open microsoft-ds Windows 8.1 Pro 9600 microsoft-ds (workgroup: WORKGROUP)

    554/tcp open rtsp?

    2869/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

    |_http-comments-displayer: Couldn't find any comments.

    | http-headers:

    |_ (Request type: GET)

    |_http-mobileversion-checker: No mobile version detected.

    |_http-referer-checker: Couldn't find any cross-domain scripts.

    |_http-security-headers:

    |_http-traceroute: ERROR: Script execution failed (use -d to debug)

    | http-useragent-tester:

    |

    | Allowed User Agents:

    | Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)

    | libwww

    | lwp-trivial

    | libcurl-agent/1.0

    | PHP/

    | Python-urllib/2.5

    | GT::WWW

    | Snoopy

    | MFC_Tear_Sample

    | HTTP::Lite

    | PHPCrawl

    | URI::Fetch

    | Zend_Http_Client

    | http client

    | PECL::HTTP

    | Wget/1.13.4 (linux-gnu)

    | WWW-Mechanize/1.34

    |_

    |_http-xssed: No previously reported XSS vuln.

    5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

    |_http-comments-displayer: Couldn't find any comments.

    |_http-date: Sun, 30 Jul 2017 19:17:17 GMT; -1s from local time.

    | http-headers:

    | Content-Type: text/html; charset=us-ascii

    | Server: Microsoft-HTTPAPI/2.0

    | Date: Sun, 30 Jul 2017 19:17:21 GMT

    | Connection: close

    | Content-Length: 326

    |

    |_ (Request type: GET)

    |_http-mobileversion-checker: No mobile version detected.

    |_http-referer-checker: Couldn't find any cross-domain scripts.

    |_http-security-headers:

    |_http-server-header: Microsoft-HTTPAPI/2.0

    |_http-title: Service Unavailable

    | http-traceroute:

    |_ Possible reverse proxy detected.

    | http-useragent-tester:

    |

    | Allowed User Agents:

    | Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)

    | libwww

    | lwp-trivial

    | libcurl-agent/1.0

    | PHP/

    | Python-urllib/2.5

    | GT::WWW

    | Snoopy

    | MFC_Tear_Sample

    | HTTP::Lite

    | PHPCrawl

    | URI::Fetch

    | Zend_Http_Client

    | http client

    | PECL::HTTP

    | Wget/1.13.4 (linux-gnu)

    | WWW-Mechanize/1.34

    |_

    |_http-xssed: No previously reported XSS vuln.

    10243/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

    |_http-comments-displayer: Couldn't find any comments.

    |_http-date: Sun, 30 Jul 2017 19:17:38 GMT; -1s from local time.

    | http-headers:

    | Content-Type: text/html; charset=us-ascii

    | Server: Microsoft-HTTPAPI/2.0

    | Date: Sun, 30 Jul 2017 19:17:38 GMT

    | Connection: close

    | Content-Length: 315

    |

    |_ (Request type: GET)

    |_http-mobileversion-checker: No mobile version detected.

    |_http-referer-checker: Couldn't find any cross-domain scripts.

    |_http-security-headers:

    |_http-server-header: Microsoft-HTTPAPI/2.0

    |_http-title: Not Found

    | http-traceroute:

    |_ Possible reverse proxy detected.

    | http-useragent-tester:

    |

    | Allowed User Agents:

    | Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)

    | libwww

    | lwp-trivial

    | libcurl-agent/1.0

    | PHP/

    | Python-urllib/2.5

    | GT::WWW

    | Snoopy

    | MFC_Tear_Sample

    | HTTP::Lite

    | PHPCrawl

    | URI::Fetch

    | Zend_Http_Client

    | http client

    | PECL::HTTP

    | Wget/1.13.4 (linux-gnu)

    | WWW-Mechanize/1.34

    |_

    |_http-xssed: No previously reported XSS vuln.

    49152/tcp open msrpc Microsoft Windows RPC

    49153/tcp open msrpc Microsoft Windows RPC

    49154/tcp open msrpc Microsoft Windows RPC

    49155/tcp open msrpc Microsoft Windows RPC

    49158/tcp open msrpc Microsoft Windows RPC

    49159/tcp open msrpc Microsoft Windows RPC

    53/udp open domain?

    137/udp open netbios-ns Microsoft Windows 10 netbios-ns (workgroup: WORKGROUP)

    500/udp open isakmp?

    |_ike-version: ERROR: Script execution failed (use -d to debug)

    1900/udp open upnp?

    | upnp-info:

    | 192.168.0.102

    | Server: Microsoft-Windows/6.3 UPnP/1.0 UPnP-Device-Host/1.0

    |_ Location: http://192.168.0.102:2869/upnphost/udhisapi.d...ent=uuid:3c3d31bd-b1bf-409b-8834-c731ff86b5f4

    5353/udp open mdns DNS-based service discovery

    | dns-service-discovery:

    | 47989/tcp nvstream_dbd

    |_ Address=192.168.0.102 fe80:0:0:0:2562:172e:c9e6:6fe8

    47808/udp open bacnet

    |_bacnet-info: ERROR: Script execution failed (use -d to debug)

    No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

    TCP/IP fingerprint:

    OS:SCAN(V=7.50%E=4%D=7/30%OT=135%CT=1%CU=33742%PV=Y%DS=0%DC=L%G=Y%TM=597E32

    OS:46%P=i686-pc-windows-windows)SEQ(SP=F0%GCD=1%ISR=10F%TI=I%CI=I%II=I%SS=S

    OS:%TS=7)OPS(O1=M5B4NW8ST11%O2=M5B4NW8ST11%O3=M5B4NW8NNT11%O4=M5B4NW8ST11%O

    OS:5=M5B4NW8ST11%O6=M5B4ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6

    OS:=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M5B4NW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O

    OS:%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%D

    OS:F=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=

    OS:%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%

    OS:W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=

    OS:)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=Z%RUCK=G%RUD=G)IE(R=Y%

    OS:DFI=N%T=80%CD=Z)

    Uptime guess: 0.065 days (since Sun Jul 30 19:50:01 2017)

    Network Distance: 0 hops

    TCP Sequence Prediction: Difficulty=239 (Good luck!)

    IP ID Sequence Generation: Incremental

    Service Info: Host: KOM_PAW; OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_10

    Host script results:

    |_clock-skew: mean: -1s, deviation: 0s, median: -1s

    |_fcrdns: FAIL (No PTR record)

    |_ipidseq: ERROR: Script execution failed (use -d to debug)

    |_msrpc-enum: NT_STATUS_ACCESS_DENIED

    | nbstat: NetBIOS name: KOM_PAW, NetBIOS user: <unknown>, NetBIOS MAC: 10:bf:48:e2:fd:1b (Asustek Computer)

    | Names:

    | KOM_PAW<20> Flags: <unique><active>

    | WORKGROUP<00> Flags: <group><active>

    | KOM_PAW<00> Flags: <unique><active>

    | WORKGROUP<1e> Flags: <group><active>

    | WORKGROUP<1d> Flags: <unique><active>

    |_ \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>

    |_path-mtu: ERROR: Script execution failed (use -d to debug)

    |_qscan: ERROR: Script execution failed (use -d to debug)

    | smb-mbenum:

    | Master Browser

    | KOM_PAW 6.3 PAWE\x9D

    | Potential Browser

    | KOM_PAW 6.3 PAWE\x9D

    | Server service

    | KOM_PAW 6.3 PAWE\x9D

    | Windows NT/2000/XP/2003 server

    | KOM_PAW 6.3 PAWE\x9D

    | Workstation

    |_ KOM_PAW 6.3 PAWE\x9D

    | smb-os-discovery:

    | OS: Windows 8.1 Pro 9600 (Windows 8.1 Pro 6.3)

    | OS CPE: cpe:/o:microsoft:windows_8.1::-

    | Computer name: KOM_PAW

    | NetBIOS computer name: KOM_PAW\x00

    | Workgroup: WORKGROUP\x00

    |_ System time: 2017-07-30T21:17:10+02:00

    | smb-security-mode:

    | account_used: guest

    | authentication_level: user

    | challenge_response: supported

    |_ message_signing: disabled (dangerous, but default)

    |_smbv2-enabled: Server supports SMBv2 protocol

    NSE: Script Post-scanning.

    Initiating NSE at 21:23

    Completed NSE at 21:23, 0.00s elapsed

    Initiating NSE at 21:23

    Completed NSE at 21:23, 0.00s elapsed

    Initiating NSE at 21:23

    Completed NSE at 21:23, 0.00s elapsed

    Read data files from: D:\Różne\Nmap

    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

    Nmap done: 1 IP address (1 host up) scanned in 701.36 seconds

    Raw packets sent: 3079 (108.826KB) | Rcvd: 4207 (156.290KB)

    Spoiler:

    Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-30 21:11 Środkowoeuropejski czas letni

    NSE: Loaded 275 scripts for scanning.

    NSE: Script Pre-scanning.

    Initiating NSE at 21:12

    NSE: [mtrace] A source IP must be provided through fromip argument.

    NSE: [shodan-api] Error: Please specify your ShodanAPI key with the shodan-api.apikey argument

    Completed NSE at 21:12, 10.21s elapsed

    Initiating NSE at 21:12

    Completed NSE at 21:12, 0.00s elapsed

    Initiating NSE at 21:12

    Completed NSE at 21:12, 0.00s elapsed

    Pre-scan script results:

    | knx-gateway-discover:

    |_ ERROR: Couldn't get interface for 224.0.23.12

    | lltd-discovery:

    | 192.168.0.1

    | Hostname: TL-WR841N

    | Mac: 1c:1b:0d:0b:bc:da (Giga-byte Technology)

    |_ Use the newtargets script-arg to add the results as targets

    | targets-asn:

    |_ targets-asn.asn is a mandatory parameter

    Initiating ARP Ping Scan at 21:12

    Scanning 192.168.0.1 [1 port]

    Completed ARP Ping Scan at 21:12, 0.02s elapsed (1 total hosts)

    Initiating Parallel DNS resolution of 1 host. at 21:12

    Completed Parallel DNS resolution of 1 host. at 21:12, 6.52s elapsed

    Initiating SYN Stealth Scan at 21:12

    Scanning 192.168.0.1 [1000 ports]

    Discovered open port 80/tcp on 192.168.0.1

    Discovered open port 22/tcp on 192.168.0.1

    Discovered open port 1900/tcp on 192.168.0.1

    Discovered open port 49152/tcp on 192.168.0.1

    Completed SYN Stealth Scan at 21:12, 0.36s elapsed (1000 total ports)

    Initiating UDP Scan at 21:12

    Scanning 192.168.0.1 [1000 ports]

    Increasing send delay for 192.168.0.1 from 0 to 50 due to max_successful_tryno increase to 5

    Increasing send delay for 192.168.0.1 from 50 to 100 due to max_successful_tryno increase to 6

    Warning: 192.168.0.1 giving up on port because retransmission cap hit (6).

    Increasing send delay for 192.168.0.1 from 100 to 200 due to 11 out of 11 dropped probes since last increase.

    Increasing send delay for 192.168.0.1 from 200 to 400 due to 11 out of 11 dropped probes since last increase.

    UDP Scan Timing: About 6.20% done; ETC: 21:20 (0:07:49 remaining)

    Increasing send delay for 192.168.0.1 from 400 to 800 due to 11 out of 11 dropped probes since last increase.

    UDP Scan Timing: About 9.43% done; ETC: 21:23 (0:09:46 remaining)

    UDP Scan Timing: About 12.49% done; ETC: 21:24 (0:10:38 remaining)

    UDP Scan Timing: About 30.87% done; ETC: 21:26 (0:10:00 remaining)

    UDP Scan Timing: About 37.30% done; ETC: 21:27 (0:09:16 remaining)

    UDP Scan Timing: About 40.57% done; ETC: 21:29 (0:10:03 remaining)

    UDP Scan Timing: About 41.39% done; ETC: 21:30 (0:10:56 remaining)

    UDP Scan Timing: About 42.34% done; ETC: 21:32 (0:11:52 remaining)

    UDP Scan Timing: About 43.54% done; ETC: 21:35 (0:12:55 remaining)

    UDP Scan Timing: About 45.09% done; ETC: 21:37 (0:14:05 remaining)

    UDP Scan Timing: About 47.14% done; ETC: 21:41 (0:15:23 remaining)

    UDP Scan Timing: About 50.40% done; ETC: 21:46 (0:16:51 remaining)

    Increasing send delay for 192.168.0.1 from 800 to 1000 due to 202 out of 504 dropped probes since last increase.

    UDP Scan Timing: About 65.87% done; ETC: 22:03 (0:17:36 remaining)

    UDP Scan Timing: About 75.34% done; ETC: 22:13 (0:15:00 remaining)

    UDP Scan Timing: About 81.71% done; ETC: 22:17 (0:11:57 remaining)

    UDP Scan Timing: About 87.37% done; ETC: 22:21 (0:08:41 remaining)

    UDP Scan Timing: About 92.70% done; ETC: 22:23 (0:05:13 remaining)

    UDP Scan Timing: About 97.14% done; ETC: 22:26 (0:02:06 remaining)

    UDP Scan Timing: About 98.93% done; ETC: 22:26 (0:00:48 remaining)

    Completed UDP Scan at 22:29, 4649.20s elapsed (1000 total ports)

    Initiating Service scan at 22:29

    Scanning 642 services on 192.168.0.1

    Discovered open port 53/udp on 192.168.0.1

    Discovered open|filtered port 53/udp on 192.168.0.1 is actually open

    Service scan Timing: About 0.78% done

    Service scan Timing: About 5.30% done; ETC: 23:04 (0:32:29 remaining)

    Service scan Timing: About 5.45% done; ETC: 23:23 (0:50:52 remaining)

    Service scan Timing: About 9.97% done; ETC: 23:04 (0:31:00 remaining)

    Service scan Timing: About 10.12% done; ETC: 23:14 (0:40:32 remaining)

    Service scan Timing: About 14.64% done; ETC: 23:04 (0:29:32 remaining)

    Service scan Timing: About 14.80% done; ETC: 23:11 (0:35:36 remaining)

    Service scan Timing: About 19.31% done; ETC: 23:04 (0:27:55 remaining)

    Service scan Timing: About 19.47% done; ETC: 23:09 (0:32:20 remaining)

    Service scan Timing: About 23.99% done; ETC: 23:04 (0:26:21 remaining)

    Service scan Timing: About 24.14% done; ETC: 23:08 (0:29:41 remaining)

    Service scan Timing: About 28.66% done; ETC: 23:04 (0:24:46 remaining)

    Service scan Timing: About 28.82% done; ETC: 23:08 (0:27:20 remaining)

    Service scan Timing: About 33.33% done; ETC: 23:04 (0:23:08 remaining)

    Service scan Timing: About 33.49% done; ETC: 23:07 (0:25:13 remaining)

    Service scan Timing: About 38.01% done; ETC: 23:04 (0:21:32 remaining)

    Service scan Timing: About 38.32% done; ETC: 23:07 (0:23:33 remaining)

    Service scan Timing: About 42.83% done; ETC: 23:07 (0:21:17 remaining)

    Service scan Timing: About 47.35% done; ETC: 23:04 (0:18:17 remaining)

    Service scan Timing: About 56.23% done; ETC: 23:04 (0:15:15 remaining)

    Service scan Timing: About 61.37% done; ETC: 23:04 (0:13:26 remaining)

    Service scan Timing: About 70.09% done; ETC: 23:04 (0:10:27 remaining)

    Service scan Timing: About 75.39% done; ETC: 23:04 (0:08:34 remaining)

    Service scan Timing: About 84.11% done; ETC: 23:04 (0:05:33 remaining)

    Service scan Timing: About 89.41% done; ETC: 23:04 (0:03:41 remaining)

    Service scan Timing: About 97.35% done; ETC: 23:04 (0:00:56 remaining)

    Completed Service scan at 23:05, 2146.66s elapsed (642 services on 1 host)

    Initiating OS detection (try #1) against 192.168.0.1

    Retrying OS detection (try #2) against 192.168.0.1

    Retrying OS detection (try #3) against 192.168.0.1

    Retrying OS detection (try #4) against 192.168.0.1

    Retrying OS detection (try #5) against 192.168.0.1

    NSE: Script scanning 192.168.0.1.

    Initiating NSE at 23:05

    Discovered open port 67/udp on 192.168.0.1

    Completed NSE at 23:06, 53.03s elapsed

    Initiating NSE at 23:06

    Completed NSE at 23:07, 31.19s elapsed

    Initiating NSE at 23:07

    Completed NSE at 23:07, 3.11s elapsed

    Nmap scan report for 192.168.0.1

    Host is up (0.00s latency).

    Not shown: 1358 closed ports, 636 open|filtered ports

    PORT STATE SERVICE VERSION

    22/tcp open ssh Dropbear sshd 2012.55 (protocol 2.0)

    |_banner: SSH-2.0-dropbear_2012.55

    | ssh-hostkey:

    | 1024 37:41:9d:fe:38:42:62:d2:ca:6a:28:37:39:8f:5f:9b (DSA)

    |_ 1040 18:a7:17:8e:19:d4:cb:47:b3:df:c5:e0:fa:03:6f:e0 (RSA)

    | ssh2-enum-algos:

    | kex_algorithms: (2)

    | diffie-hellman-group1-sha1

    | diffie-hellman-group14-sha1

    | server_host_key_algorithms: (2)

    | ssh-rsa

    | ssh-dss

    | encryption_algorithms: (9)

    | aes128-ctr

    | 3des-ctr

    | aes256-ctr

    | aes128-cbc

    | 3des-cbc

    | aes256-cbc

    | twofish256-cbc

    | twofish-cbc

    | twofish128-cbc

    | mac_algorithms: (3)

    | hmac-sha1-96

    | hmac-sha1

    | hmac-md5

    | compression_algorithms: (1)

    |_ none

    80/tcp open http TP-LINK WR841N WAP http config

    | http-auth-finder:

    | Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.0.1

    | url method

    | http://192.168.0.1:80/ FORM

    | http://192.168.0.1/userRpm/LoginRpm.htm?Save=Save FORM

    | http://192.168.0.1/userRpm/LoginRpm.htm FORM

    | http://192.168.0.1 FORM

    | http://192.168.0.1/ "http://192.168.0.1"; FORM

    | http://192.168.0.1/ "http://httpAutErrorArray[2]; FORM

    | http://192.168.0.1/userRpm/ "http://192.168.0.1"; FORM

    |_ http://192.168.0.1/userRpm/ "http://httpAutErrorArray[2]; FORM

    | http-comments-displayer:

    | Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.0.1

    |

    | Path: http://192.168.0.1/userRpm/ "http://httpAutErrorArray[2];

    | Line number: 7

    | Comment:

    |

    | //--></SCRIPT>

    |

    | Path: http://192.168.0.1/userRpm/ "http://httpAutErrorArray[2];

    | Line number: 6

    | Comment:

    | <!--

    |_ //-->

    | http-headers:

    | Server: Router Webserver

    | Connection: close

    | Content-Type: text/html

    | WWW-Authenticate: Basic realm="TP-LINK Wireless N Router WR841N"

    |

    |_ (Request type: GET)

    | http-methods:

    |_ Supported Methods: GET POST

    |_http-mobileversion-checker: No mobile version detected.

    |_http-referer-checker: Couldn't find any cross-domain scripts.

    |_http-security-headers:

    |_http-server-header: Router Webserver

    |_http-title: TL-WR841N

    | http-traceroute:

    |_ Possible reverse proxy detected.

    | http-useragent-tester:

    |

    | Allowed User Agents:

    | Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)

    | libwww

    | lwp-trivial

    | libcurl-agent/1.0

    | PHP/

    | Python-urllib/2.5

    | GT::WWW

    | Snoopy

    | MFC_Tear_Sample

    | HTTP::Lite

    | PHPCrawl

    | URI::Fetch

    | Zend_Http_Client

    | http client

    | PECL::HTTP

    | Wget/1.13.4 (linux-gnu)

    | WWW-Mechanize/1.34

    |_

    |_http-xssed: No previously reported XSS vuln.

    1900/tcp open upnp ipOS upnpd (TP-LINK TL-WR841N WAP 11.0; UPnP 1.0)

    49152/tcp open http Huawei HG8245T modem http config

    |_http-comments-displayer: Couldn't find any comments.

    |_http-date: Sun, 30 Jul 2017 22:06:08 GMT; +1h00m10s from local time.

    | http-headers:

    | Connection: close

    | Date: Sun, 30 Jul 2017 22:06:14 GMT

    |

    |_ (Request type: GET)

    | http-methods:

    |_ Supported Methods: GET POST

    |_http-mobileversion-checker: No mobile version detected.

    |_http-referer-checker: Couldn't find any cross-domain scripts.

    |_http-security-headers:

    |_http-title: Site doesn't have a title.

    |_http-traceroute: ERROR: Script execution failed (use -d to debug)

    | http-useragent-tester:

    |

    | Allowed User Agents:

    | Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)

    | libwww

    | lwp-trivial

    | libcurl-agent/1.0

    | PHP/

    | Python-urllib/2.5

    | GT::WWW

    | Snoopy

    | MFC_Tear_Sample

    | HTTP::Lite

    | PHPCrawl

    | URI::Fetch

    | Zend_Http_Client

    | http client

    | PECL::HTTP

    | Wget/1.13.4 (linux-gnu)

    | WWW-Mechanize/1.34

    |_

    |_http-xssed: No previously reported XSS vuln.

    53/udp open domain ISC BIND 9.10.3-P4-Ubuntu

    | dns-nsid:

    |_ bind.version: 9.10.3-P4-Ubuntu

    |_dns-recursion: Recursion appears to be enabled

    67/udp open dhcps?

    | dhcp-discover:

    | DHCP Message Type: DHCPACK

    | Server Identifier: 192.168.0.1

    | Subnet Mask: 255.255.255.0

    | Router: 192.168.0.1

    |_ Domain Name Server: 192.168.0.1

    MAC Address: EC:08:6B:9E:4C:82 (Tp-link Technologies)

    No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

    TCP/IP fingerprint:

    OS:SCAN(V=7.50%E=4%D=7/30%OT=22%CT=1%CU=3%PV=Y%DS=1%DC=D%G=Y%M=EC086B%TM=59

    OS:7E4A8A%P=i686-pc-windows-windows)ECN(R=N)T1(R=N)T2(R=N)T3(R=N)T4(R=N)T5(

    OS:R=N)T6(R=N)T7(R=N)U1(R=N)IE(R=N)

    Network Distance: 1 hop

    Service Info: OSs: Linux, ipOS 7.0; Devices: WAP, broadband router; CPE: cpe:/o:linux:linux_kernel, cpe:/h:tp-link:wr841n, cpe:/h:tp-link:tl-wr841n, cpe:/o:ubicom:ipos:7.0, cpe:/h:huawei:hg8245t

    Host script results:

    |_clock-skew: mean: 1h00m10s, deviation: 0s, median: 1h00m10s

    |_fcrdns: FAIL (No PTR record)

    |_firewalk: ERROR: Script execution failed (use -d to debug)

    |_ipidseq: ERROR: Script execution failed (use -d to debug)

    |_path-mtu: ERROR: Script execution failed (use -d to debug)

    |_qscan: ERROR: Script execution failed (use -d to debug)

    | traceroute-geolocation:

    | HOP RTT ADDRESS GEOLOCATION

    |_ 1 0.00 192.168.0.1 - ,-

    TRACEROUTE

    HOP RTT ADDRESS

    1 0.00 ms 192.168.0.1

    NSE: Script Post-scanning.

    Initiating NSE at 23:07

    Completed NSE at 23:07, 0.00s elapsed

    Initiating NSE at 23:07

    Completed NSE at 23:07, 0.00s elapsed

    Initiating NSE at 23:07

    Completed NSE at 23:07, 0.00s elapsed

    Read data files from: D:\Różne\Nmap

    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

    Nmap done: 1 IP address (1 host up) scanned in 6924.19 seconds

    Raw packets sent: 6598 (229.492KB) | Rcvd: 77157 (3.860MB)

    To start with, I am posting the nmap logs; none of the entries you can see there were set up by me.
    Let me know which scans to run to shed more light on the situation, if anyone takes an interest in the topic, of course.

    Thanks, and after work I will update my post if needed.

    0 8
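As an added example (not code from the original post or from any participant in the thread), here is a small Python triage that parses the two nmap reports above and separates listeners that are stock for a Windows 8.1 workstation or a TP-LINK home router from the settings a defender would actually act on: SMB signing off, a guest SMB session being accepted, weak SSH algorithms on the router, and open DNS recursion. The EXPECTED_* tables, the hyphen-versus-underscore heuristic used to tell NSE script names from the keys inside a block, and the trimmed sample excerpts are all assumptions made here, not anything the thread states.

```python
"""Triage for nmap normal output: which listeners are stock for the device and
which NSE findings deserve a defender's attention. Added example, not code from
the original post; the EXPECTED_* tables are an assumption from general
Windows/home-router knowledge, not something the thread states."""
import re

# Excerpts constructed from the two scans posted above (values copied, trimmed).
SAMPLE_HOST = """\
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Windows 8.1 Pro 9600 microsoft-ds (workgroup: WORKGROUP)
2869/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open msrpc Microsoft Windows RPC
53/udp open domain?
137/udp open netbios-ns Microsoft Windows 10 netbios-ns (workgroup: WORKGROUP)
1900/udp open upnp?
47808/udp open bacnet
Host script results:
| smb-security-mode:
| account_used: guest
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
"""
SAMPLE_ROUTER = """\
22/tcp open ssh Dropbear sshd 2012.55 (protocol 2.0)
| ssh2-enum-algos:
| kex_algorithms: (2)
| diffie-hellman-group1-sha1
| diffie-hellman-group14-sha1
| server_host_key_algorithms: (2)
| ssh-dss
| encryption_algorithms: (9)
| aes128-ctr
| 3des-cbc
| mac_algorithms: (3)
|_ hmac-md5
80/tcp open http TP-LINK WR841N WAP http config
1900/tcp open upnp ipOS upnpd (TP-LINK TL-WR841N WAP 11.0; UPnP 1.0)
53/udp open domain ISC BIND 9.10.3-P4-Ubuntu
|_dns-recursion: Recursion appears to be enabled
67/udp open dhcps?
"""
# Stock listeners on a Windows 8.1 workstation and on a TP-LINK home router (assumption).
EXPECTED_WINDOWS = {(135, "tcp"): "RPC mapper", (139, "tcp"): "NetBIOS session",
                    (445, "tcp"): "SMB", (2869, "tcp"): "UPnP device host",
                    (5357, "tcp"): "WSD", (137, "udp"): "NetBIOS names",
                    (1900, "udp"): "SSDP", (5353, "udp"): "mDNS"}
EXPECTED_ROUTER = {(22, "tcp"): "SSH admin", (80, "tcp"): "web admin", (1900, "tcp"): "UPnP",
                   (53, "udp"): "DNS forwarder", (67, "udp"): "DHCP"}

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# Script names carry hyphens ("smb-security-mode:"); keys inside a block carry
# underscores ("message_signing:"). That difference is how blocks are delimited.
SCRIPT_RE = re.compile(r"^([a-z0-9]+(?:-[a-z0-9]+)+):\s*(.*)$")
WEAK_SSH = {"diffie-hellman-group1-sha1": "1024-bit DH group", "ssh-dss": "DSA host key",
            "hmac-md5": "MD5 MAC", "hmac-sha1-96": "truncated SHA-1 MAC"}


def parse_report(text):
    """Return {'ports': [dicts], 'scripts': {script_name: [output lines]}}."""
    ports, scripts, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                          "service": m.group(4), "version": m.group(5).strip()})
        elif line.startswith("|"):
            body = line.lstrip("|_").strip()
            head = SCRIPT_RE.match(body)
            if head:
                current = head.group(1)
                scripts[current] = [head.group(2)] if head.group(2) else []
            elif current is not None and body:
                scripts[current].append(body)
    return {"ports": ports, "scripts": scripts}


def triage(report, expected):
    """(severity, message) pairs: 'review' = listener outside the expected table,
    'config'/'crypto' = weak setting exposed by an NSE script."""
    out, scripts = [], report["scripts"]
    for p in report["ports"]:
        # RPC dynamic range (49152+) is normal on Windows and is skipped as well.
        if (p["port"], p["proto"]) in expected or (p["service"] == "msrpc" and p["port"] >= 49152):
            continue
        out.append(("review", f"{p['port']}/{p['proto']} {p['service']}: not a stock listener, "
                    "find the owning process before drawing conclusions"))
    smb = scripts.get("smb-security-mode", [])
    if any(l.startswith("message_signing: disabled") for l in smb):
        out.append(("config", "SMB signing disabled: sessions can be relayed; require signing"))
    if any(l.startswith("account_used: guest") for l in smb):
        out.append(("config", "SMB accepted a guest session: disable guest access to shares"))
    for algo in scripts.get("ssh2-enum-algos", []):
        if algo in WEAK_SSH:
            out.append(("crypto", f"SSH offers {algo} ({WEAK_SSH[algo]})"))
        elif algo.startswith("3des") or algo.endswith("-cbc"):
            out.append(("crypto", f"SSH offers {algo} (64-bit block or CBC mode cipher)"))
    if any("enabled" in l for l in scripts.get("dns-recursion", [])):
        out.append(("config", "DNS recursion enabled: fine for LAN clients, confirm not reachable from WAN"))
    return out


if __name__ == "__main__":
    for host, text, table in (("192.168.0.102", SAMPLE_HOST, EXPECTED_WINDOWS),
                              ("192.168.0.1", SAMPLE_ROUTER, EXPECTED_ROUTER)):
        for sev, msg in triage(parse_report(text), table):
            print(f"{host} [{sev}] {msg}")
```

Run as a script it prints both triage lists. On the posted scan every TCP listener on 192.168.0.102 corresponds to a standard Windows component (RPC endpoint mapper, SMB, HTTPAPI-based UPnP and WSD, Windows Media Player sharing on 554 and 10243, and the 4915x RPC dynamic range), so what the output points at is configuration weakness (SMB signing off, guest session accepted) rather than the virtual network the poster describes; the two listeners it cannot classify (53/udp and 47808/udp) are the ones worth tying to a process on the machine. On the router side the findings are the 1024-bit DH group, the DSA host key, the CBC/3DES cipher and the MD5 MAC offered by the 2012 Dropbear build, plus recursion being enabled on the DNS forwarder.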
  • #2 31 Jul 2017 09:18
    bogiebog
    Specialist: Networks, Internet

    dr.pawlica wrote:
    besides, no formatting or zeroing of disks helps

    I don't believe that formatting the disk and installing the system from scratch doesn't help.
    There are no such miracles, unless you have cracked copies instead of original systems.

    0
  • #3 31 Jul 2017 09:27
    dr.pawlica
    Level 6

    Are you suggesting I made this up to add drama to the situation? ;p As I wrote earlier, the RAM is mapped and I cannot unmap it.

    0
  • #4 31 Jul 2017 10:17
    bogiebog
    Specialist: Networks, Internet

    If your BIOS isn't hacked, formatting the disk and reinstalling the system will restore a working system.

    Added after 2 [minutes]:

    Boot a Linux live CD/USB and, on every physical disk /dev/xxx, run

    dd if=/dev/zero of=/dev/xxx bs=1M

    this will unconditionally wipe the contents of the hard disks

    then set up the system from scratch.

    0
  • #5 31 Jul 2017 11:16
    dr.pawlica
    Level 6

    bogiebog wrote:

    dd if=/dev/zero of=/dev/xxx bs=1M

    this will unconditionally wipe the contents of the hard disks

    That will do nothing; admittedly I didn't zero this disk, but I put in a different, healthy disk, installed the system from scratch, and it did nothing.
    Honestly, I don't care about fixing this situation; I want to track down the rest of these servers and connections, recover the disk images and find out why. From what I have managed to notice, everything is configured with commands available in Windows Server 2012R from CMD or some other shell, so I assumed that someone fluent in this system and its commands would help me get a handle on it somehow.

    0
  • #6 31 Jul 2017 12:08
    bogiebog
    Specialist: Networks, Internet

    dr.pawlica wrote:
    system sees only half of the RAM,

    How much does the BIOS see?

    32-bit OS? The system will see at most 4 GB.

    Post screenshots of the RAM from the BIOS and from the system.

    0
  • #8 31 Jul 2017 12:57
    dr.pawlica
    Level 6

    bogiebog wrote:

    32-bit OS? The system will see at most 4 GB.
    Post screenshots of the RAM from the BIOS and from the system.

    64-bit; when I get home I'll post them. In the BIOS you can see two modules, but as far as I remember one of them has some strange settings.

    Edit: I'm adding the screenshots; however, it sees both modules the same way, I was wrong.

    https://ibb.co/fNPS25
    https://ibb.co/dHLpFQ
    https://ibb.co/nz5OaQ
    https://ibb.co/f6HrUk

    leonov wrote:
    Don't you by any chance have a "hacked" router? Flash new firmware onto it and see what happens.

    As it happens, I definitely do have a hacked router, but if I disconnect the router completely and plug the modem directly into the network card on the motherboard, the network still exists and the problem doesn't go away.
    I'm not asking how to get rid of the intruder, only how to recover the RAM and how to find the virtual disks on the network and dump them; let's stay on topic, please.

    0
  • #9 01 Aug 2017 19:52
    willyvmm
    Level 26

    dr.pawlica wrote:
    Hello, I am the happy owner of a Win 8.1 + Win Server 2012 system (a sort of hybrid).

    Can you explain that?

    It seems to me that you have some virtual machines there, or this whole thread is one big provocation.

    0