Active Information Gathering: SMB Scanning
I. The SMB protocol
SMB (Server Message Block) is a communication protocol defined by Microsoft and Intel in 1987, used mainly as the communication protocol of Microsoft networks. SMB sits at the session layer and the presentation layer, with a small part in the application layer. It uses the NetBIOS application program interface (API) and normally runs on ports 139 and 445. It is also an open protocol that allows extensions, which has made it larger and more complex: there are roughly 65 top-level operations, each with more than 120 functions, and even Windows NT did not support all of them. Microsoft later renamed SMB to CIFS (Common Internet File System) and added many new features.
II. SMB scanning (finding vulnerabilities)
1. nmap
Example:
┌──(root💀kali)-[/home/kali/Desktop/Tools]
└─# nmap -v -p139,445 10.10.10.129
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-04 04:08 EST
Initiating ARP Ping Scan at 04:08
Scanning 10.10.10.129 [1 port]
Completed ARP Ping Scan at 04:08, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 04:08
Completed Parallel DNS resolution of 1 host. at 04:08, 0.02s elapsed
Initiating SYN Stealth Scan at 04:08
Scanning 10.10.10.129 [2 ports]
Discovered open port 139/tcp on 10.10.10.129
Discovered open port 445/tcp on 10.10.10.129
Completed SYN Stealth Scan at 04:08, 0.04s elapsed (2 total ports)
Nmap scan report for 10.10.10.129
Host is up (0.00026s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:DE:5D:BA (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

┌──(root💀kali)-[/home/kali/Desktop/Tools]
└─# nmap -v -p139,445 10.10.10.131
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-04 04:09 EST
Initiating ARP Ping Scan at 04:09
Scanning 10.10.10.131 [1 port]
Completed ARP Ping Scan at 04:09, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 04:09
Completed Parallel DNS resolution of 1 host. at 04:09, 0.01s elapsed
Initiating SYN Stealth Scan at 04:09
Scanning 10.10.10.131 [2 ports]
Discovered open port 139/tcp on 10.10.10.131
Discovered open port 445/tcp on 10.10.10.131
Completed SYN Stealth Scan at 04:09, 0.04s elapsed (2 total ports)
Nmap scan report for 10.10.10.131
Host is up (0.00038s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:76:04:88 (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
Advanced scan: identify the operating system from the service
┌──(root💀kali)-[/home/kali/Desktop/Tools]
└─# nmap 10.10.10.131 -p 139,445 --script=smb-os-discovery.nse
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-04 04:11 EST
Nmap scan report for 10.10.10.131
Host is up (0.00032s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:76:04:88 (VMware)

Host script results:
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: xpsp3
|   NetBIOS computer name: XPSP3\x00
|   Domain name: ujs.com
|   Forest name: ujs.com
|   FQDN: xpsp3.ujs.com
|_  System time: 2021-12-04T17:11:24+08:00

Nmap done: 1 IP address (1 host up) scanned in 1.04 seconds
Check for known vulnerabilities
┌──(root💀kali)-[/home/kali/Desktop/Tools]
└─# nmap -v -p139,445 10.10.10.131 --script=smb-check-vulns --script-args=unsafe=1
The script argument unsafe=1 enables destructive checks, i.e. the script may send packets that can damage the target (for example crash it); safe=1 is the opposite. If the result is "Host is down", the target is probably running a firewall; retry with the -Pn option. Note that current Nmap releases no longer ship smb-check-vulns: its checks were split into the individual smb-vuln-* scripts, like the one used next.
Or test whether one specific vulnerability is present:
┌──(root💀kali)-[/usr/share/nmap/scripts]
└─# nmap -v -p139,445 --script=smb-vuln-ms08-067.nse 10.10.10.131
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-04 04:24 EST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 04:24
Completed NSE at 04:24, 0.00s elapsed
Initiating ARP Ping Scan at 04:24
Scanning 10.10.10.131 [1 port]
Completed ARP Ping Scan at 04:24, 0.12s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 04:24
Completed Parallel DNS resolution of 1 host. at 04:24, 4.01s elapsed
Initiating SYN Stealth Scan at 04:24
Scanning 10.10.10.131 [2 ports]
Discovered open port 445/tcp on 10.10.10.131
Discovered open port 139/tcp on 10.10.10.131
Completed SYN Stealth Scan at 04:24, 0.05s elapsed (2 total ports)
NSE: Script scanning 10.10.10.131.
Initiating NSE at 04:24
Completed NSE at 04:25, 17.03s elapsed
Nmap scan report for 10.10.10.131
Host is up (0.00036s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:76:04:88 (VMware)

Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx

NSE: Script Post-scanning.
Initiating NSE at 04:25
Completed NSE at 04:25, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 21.56 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
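The host script results above are what a defender has to turn into a patch list. As an added example (not part of the original post and not Nmap's own code), the Python below parses the normal-output format shown above into one record per host and applies a triage rule; the fixture is constructed from the output above, and the NOT VULNERABLE block for 10.10.10.129 is made up to show the one pitfall, that the string "NOT VULNERABLE" also contains the word VULNERABLE.

```python
import re

# Constructed fixture in nmap normal-output format, taken from the scan output above; the NOT VULNERABLE block is made up.
SAMPLE = """\
Nmap scan report for 10.10.10.131
445/tcp open  microsoft-ds
Host script results:
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|_  OS CPE: cpe:/o:microsoft:windows_xp::-
| smb-vuln-ms08-067:
|   VULNERABLE:
|     State: LIKELY VULNERABLE
|_    IDs:  CVE:CVE-2008-4250
Nmap scan report for 10.10.10.129
445/tcp open  microsoft-ds
Host script results:
| smb-vuln-ms08-067:
|_    State: NOT VULNERABLE
"""

def parse_nmap_smb(text: str) -> list:
    """Turn nmap normal output into one record per host: open ports, OS/CPE, and vuln-script states."""
    hosts, cur, script = [], None, None
    for line in text.splitlines():
        if m := re.match(r"Nmap scan report for (\S+)", line):
            cur, script = {"ip": m.group(1), "ports": [], "os": None, "cpe": None, "vulns": []}, None
            hosts.append(cur)
        elif cur is None:
            continue                                   # preamble before the first host report
        elif m := re.match(r"(\d+)/tcp\s+open", line):
            cur["ports"].append(int(m.group(1)))
        elif m := re.match(r"\|\s*(smb-[\w-]+):\s*$", line):   # start of an NSE script block
            script = m.group(1)
        else:
            body = line.lstrip("|_ ")                  # strip the "|", "|_" tree prefix
            if script == "smb-os-discovery":
                if body.startswith("OS: "):
                    cur["os"] = body[4:]
                elif body.startswith("OS CPE: "):
                    cur["cpe"] = body[8:]
            elif script and script.startswith("smb-vuln-"):
                if body.startswith("State: "):
                    cur["vulns"].append({"script": script, "state": body[7:], "cve": None})
                elif (m := re.search(r"CVE:(CVE-\d{4}-\d+)", body)) and cur["vulns"]:
                    cur["vulns"][-1]["cve"] = m.group(1)
    return hosts

def needs_patching(host: dict) -> bool:
    """True only for VULNERABLE / LIKELY VULNERABLE; a substring test would also match NOT VULNERABLE."""
    return any(v["state"] in ("VULNERABLE", "LIKELY VULNERABLE") for v in host["vulns"])
```

For a real pipeline use nmap's -oX XML output instead of scraping text; this parser only shows what the lines above carry.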
2. nbtscan
Help output:
┌──(root💀kali)-[/usr/share/nmap/scripts]
└─# nbtscan -h
"Human-readable service names" (-h) option cannot be used without verbose (-v) option.
Usage:
nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename)|(<scan_range>)
    -v              verbose output. Print all names received
                    from each host
    -d              dump packets. Print whole packet contents.
    -e              Format output in /etc/hosts format.
    -l              Format output in lmhosts format.
                    Cannot be used with -v, -s or -h options.
    -t timeout      wait timeout milliseconds for response.
                    Default 1000.
    -b bandwidth    Output throttling. Slow down output
                    so that it uses no more that bandwidth bps.
                    Useful on slow links, so that ougoing queries
                    don't get dropped.
    -r              use local port 137 for scans. Win95 boxes
                    respond to this only.
                    You need to be root to use this option on Unix.
    -q              Suppress banners and error messages,
    -s separator    Script-friendly output. Don't print
                    column and record headers, separate
                    fields with separator.
    -h              Print human-readable names for services.
                    Can only be used with -v option.
    -m retransmits  Number of retransmits. Default 0.
    -f filename     Take IP addresses to scan from file
                    filename.
                    -f - makes nbtscan take IP addresses from stdin.
    <scan_range>    what to scan. Can either be single IP
                    like 192.168.1.1 or
                    range of addresses in one of two forms:
                    xxx.xxx.xxx.xxx/xx or xxx.xxx.xxx.xxx-xxx.
Examples:
    nbtscan -r 192.168.1.0/24
        Scans the whole C-class network.
    nbtscan 192.168.1.25-137
        Scans a range from 192.168.1.25 to 192.168.1.137
    nbtscan -v -s : 192.168.1.0/24
        Scans C-class network. Prints results in script-friendly
        format using colon as field separator.
        Produces output like that:
        192.168.0.1:NT_SERVER:00U
        192.168.0.1:MY_DOMAIN:00G
        192.168.0.1:ADMINISTRATOR:03U
        192.168.0.2:OTHER_BOX:00U
        ...
    nbtscan -f iplist
        Scans IP addresses specified in file iplist.
Example:
┌──(root💀kali)-[/usr/share/nmap/scripts]
└─# nbtscan -r 10.10.10.131
Doing NBT name scan for addresses from 10.10.10.131

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
10.10.10.131     XPSP3            <server>  <unknown>        00:0c:29:76:04:88

┌──(root💀kali)-[/usr/share/nmap/scripts]
└─# nbtscan -r 10.10.10.129
Doing NBT name scan for addresses from 10.10.10.129

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
10.10.10.129     OWASPBWA         <server>  OWASPBWA         00:00:00:00:00:00

┌──(root💀kali)-[/usr/share/nmap/scripts]
└─# nbtscan -r 10.10.10.0/24
Doing NBT name scan for addresses from 10.10.10.0/24

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
10.10.10.0       Sendto failed: Permission denied
10.10.10.1       LAPTOP-L73NVBKU            <unknown>        00:50:56:c0:00:08
10.10.10.131     XPSP3            <server>  <unknown>        00:0c:29:76:04:88
10.10.10.135     <unknown>                  <unknown>
10.10.10.129     OWASPBWA         <server>  OWASPBWA         00:00:00:00:00:00
10.10.10.255     Sendto failed: Permission denied
- Option -r: scan from local port 137, which gives the widest compatibility
- nbtscan also supports collecting MAC addresses across subnets
3. enum4linux
It does not support scanning a whole subnet, but its results are very detailed.
Help output:
┌──(root💀kali)-[/usr/share/nmap/scripts]
└─# enum4linux -h
enum4linux v0.8.9 (http://labs.portcullis.co.uk/application/enum4linux/)
Copyright (C) 2011 Mark Lowe (mrl@portcullis-security.com)

Simple wrapper around the tools in the samba package to provide similar
functionality to enum.exe (formerly from www.bindview.com).  Some additional
features such as RID cycling have also been added for convenience.

Usage: ./enum4linux.pl [options] ip

Options are (like "enum"):
    -U        get userlist
    -M        get machine list*
    -S        get sharelist
    -P        get password policy information
    -G        get group and member list
    -d        be detailed, applies to -U and -S
    -u user   specify username to use (default "")
    -p pass   specify password to use (default "")

The following options from enum.exe aren't implemented: -L, -N, -D, -f

Additional options:
    -a        Do all simple enumeration (-U -S -G -P -r -o -n -i).
              This opion is enabled if you don't provide any other options.
    -h        Display this help message and exit
    -r        enumerate users via RID cycling
    -R range  RID ranges to enumerate (default: 500-550,1000-1050, implies -r)
    -K n      Keep searching RIDs until n consective RIDs don't correspond to
              a username.  Impies RID range ends at 999999. Useful
              against DCs.
    -l        Get some (limited) info via LDAP 389/TCP (for DCs only)
    -s file   brute force guessing for share names
    -k user   User(s) that exists on remote system (default: administrator,guest,krbtgt,domain admins,root,bin,none)
              Used to get sid with "lookupsid known_username"
              Use commas to try several users: "-k admin,user1,user2"
    -o        Get OS information
    -i        Get printer information
    -w wrkg   Specify workgroup manually (usually found automatically)
    -n        Do an nmblookup (similar to nbtstat)
    -v        Verbose.  Shows full commands being run (net, rpcclient, etc.)

RID cycling should extract a list of users from Windows (or Samba) hosts
which have RestrictAnonymous set to 1 (Windows NT and 2000), or "Network
access: Allow anonymous SID/Name translation" enabled (XP, 2003).

NB: Samba servers often seem to have RIDs in the range 3000-3050.

Dependancy info: You will need to have the samba package installed as this
script is basically just a wrapper around rpcclient, net, nmblookup and
smbclient.  Polenum from http://labs.portcullis.co.uk/application/polenum/
is required to get Password Policy info.
Example:
┌──(root💀kali)-[/usr/share/nmap/scripts]
└─# enum4linux -a 10.10.10.129
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Dec  4 04:42:51 2021

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.10.129
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ====================================================
|    Enumerating Workgroup/Domain on 10.10.10.129    |
 ====================================================
[+] Got domain/workgroup name: WORKGROUP

 ============================================
|    Nbtstat Information for 10.10.10.129    |   # the services that were found
 ============================================
Looking up status of 10.10.10.129
    OWASPBWA        <00> -         B <ACTIVE>  Workstation Service
    OWASPBWA        <03> -         B <ACTIVE>  Messenger Service
    OWASPBWA        <20> -         B <ACTIVE>  File Server Service
    ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
    WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
    WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
    WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name

    MAC Address = 00-00-00-00-00-00

 =====================================
|    Session Check on 10.10.10.129    |
 =====================================
[E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests.

┌──(root💀kali)-[/usr/share/nmap/scripts]
└─# enum4linux -a 10.10.10.131   # note the scan results
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Dec  4 04:42:59 2021

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.10.131
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ====================================================
|    Enumerating Workgroup/Domain on 10.10.10.131    |
 ====================================================
[+] Got domain/workgroup name: UJS

 ============================================
|    Nbtstat Information for 10.10.10.131    |
 ============================================
Looking up status of 10.10.10.131
    XPSP3           <00> -         M <ACTIVE>  Workstation Service
    XPSP3           <20> -         M <ACTIVE>  File Server Service
    UJS             <00> - <GROUP> M <ACTIVE>  Domain/Workgroup Name
    UJS             <1e> - <GROUP> M <ACTIVE>  Browser Service Elections
    UJS             <1d> -         M <ACTIVE>  Master Browser
    ..__MSBROWSE__. <01> - <GROUP> M <ACTIVE>  Master Browser

    MAC Address = 00-0C-29-76-04-88

 =====================================
|    Session Check on 10.10.10.131    |
 =====================================
[E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests.
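Both nbtscan and the Nbtstat section of enum4linux (which runs nmblookup) obtain the name tables above by sending a NetBIOS node status (NBSTAT) query to UDP/137 and decoding the reply, which is why a host answers even without an SMB session. The Python below is an added example, not code from either tool: it builds that query, decodes a reply into the name, suffix, group flag, node type and ACTIVE flag plus the MAC shown above, and uses a constructed reply modelled on the XPSP3 host as its fixture.

```python
import struct
SUFFIX = {  # name suffix -> service, as nmblookup/enum4linux print it above
    0x00: "Workstation Service", 0x03: "Messenger Service", 0x20: "File Server Service",
    0x1d: "Master Browser", 0x1e: "Browser Service Elections", 0x01: "Master Browser"}
NODE = {0: "B", 1: "P", 2: "M", 3: "H"}

def encode_name(raw16: bytes) -> bytes:
    """RFC 1001 first-level encoding: each nibble of the 16-byte name becomes a letter 'A'..'P'."""
    return b"".join(bytes([(b >> 4) + 0x41, (b & 0xF) + 0x41]) for b in raw16)

def build_nbstat_query(txid: int = 0x1234) -> bytes:
    """Node status request for the wildcard name '*', as nbtscan and nmblookup -A send to UDP/137."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)      # one question, no recursion
    qname = b"\x20" + encode_name(b"*" + b"\x00" * 15) + b"\x00"   # '*' is NUL-padded, not space-padded
    return header + qname + struct.pack(">HH", 0x0021, 0x0001)     # QTYPE NBSTAT, QCLASS IN

def parse_nbstat_response(pkt: bytes) -> dict:
    """Decode the reply: a name table (18 bytes per entry) followed by the unit ID, i.e. the MAC."""
    off = 12
    while pkt[off]:                                  # skip the answer RR's name labels
        off += pkt[off] + 1
    off += 1
    rtype, _rclass, _ttl, _rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
    off += 10
    if rtype != 0x0021:
        raise ValueError("not an NBSTAT answer")
    count, off, names = pkt[off], off + 1, []
    for _ in range(count):
        raw, suffix = pkt[off:off + 15], pkt[off + 15]
        nf = struct.unpack(">H", pkt[off + 16:off + 18])[0]   # NAME_FLAGS: G | ONT(2) | DRG | CNF | ACT | PRM
        shown = "".join(chr(b) if 32 <= b < 127 else "." for b in raw).rstrip()
        names.append({"name": shown, "suffix": suffix, "group": bool(nf & 0x8000),
                      "node": NODE[(nf >> 13) & 3], "active": bool(nf & 0x0400),
                      "service": "Domain/Workgroup Name" if nf & 0x8000 and suffix == 0
                                 else SUFFIX.get(suffix, "unknown")})
        off += 18
    mac = ":".join("%02x" % b for b in pkt[off:off + 6])   # statistics block starts with the unit ID
    return {"names": names, "mac": mac}

def build_nbstat_response(txid: int, entries, mac: bytes) -> bytes:
    """Constructed reply used as a fixture below (not captured from a real host)."""
    body = bytes([len(entries)])
    for name, suffix, nf in entries:
        body += name.encode().ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", nf)
    body += mac + b"\x00" * 40                               # unit ID followed by zeroed counters
    rr = b"\x20" + encode_name(b"*" + b"\x00" * 15) + b"\x00" + struct.pack(">HHIH", 0x0021, 1, 0, len(body))
    return struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0) + rr + body   # response flag set, 1 answer

SAMPLE = build_nbstat_response(0x1234, [("XPSP3", 0x00, 0x4400), ("XPSP3", 0x20, 0x4400),   # constructed
    ("UJS", 0x00, 0xC400), ("UJS", 0x1e, 0xC400), ("UJS", 0x1d, 0x4400)], bytes.fromhex("000c29760488"))
```

Flag value 0x4400 is an active unique M-node name and 0xC400 the same with the group bit set, which is exactly the "M <ACTIVE>" / "<GROUP> M <ACTIVE>" distinction in the enum4linux output.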
Stay true to your original aspiration and you will reach your goal.
Category:
kali penetration testing study notes