Newbie Diary 12: Kali penetration testing, service scanning (2): SMB scanning
Source: Internet | Editor: 程序博客网 | Time: 2024/05/03 13:15
SMB scanning
SMB is the Server Message Block protocol. Unlike the other standard TCP/IP protocols it is a sprawling one: as Windows grew, more and more functionality was folded into it, to the point where it is hard to say which concepts and features belong to the Windows operating system itself and which belong to SMB. That complexity is why SMB has historically been the Microsoft protocol with the worst security record, and why 139/tcp (NetBIOS session service) and 445/tcp (SMB directly over TCP) are the first ports to look at on any Windows-looking host.
1. Nmap
The simplest method is to scan the two ports SMB always listens on, 139 and 445. Finding them open does not by itself prove the host runs Windows: Samba on Linux answers on the same ports (192.168.1.107 in the scan below is in fact a Metasploitable Linux VM, as the nbtscan listing further down shows).
root@kali:~# nmap -v -p139,445 192.168.1.0/24
# -v: verbose, shows scan progress and per-host details

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-12 15:35 CST
Initiating ARP Ping Scan at 15:35
Scanning 255 hosts [1 port/host]
Completed ARP Ping Scan at 15:35, 1.70s elapsed (255 total hosts)
Initiating Parallel DNS resolution of 255 hosts. at 15:35
Completed Parallel DNS resolution of 255 hosts. at 15:35, 0.01s elapsed
Nmap scan report for 192.168.1.0 [host down]
Nmap scan report for 192.168.1.2 [host down]
Nmap scan report for 192.168.1.3 [host down]
Nmap scan report for 192.168.1.4 [host down]
…………………………………………
Nmap scan report for 192.168.1.255 [host down]
Initiating Parallel DNS resolution of 1 host. at 15:35
Completed Parallel DNS resolution of 1 host. at 15:35, 0.00s elapsed
Initiating SYN Stealth Scan at 15:35
Scanning 4 hosts [2 ports/host]
Discovered open port 445/tcp on 192.168.1.141
Discovered open port 139/tcp on 192.168.1.141
Discovered open port 445/tcp on 192.168.1.107
Discovered open port 139/tcp on 192.168.1.107
Completed SYN Stealth Scan at 15:35, 0.05s elapsed (8 total ports)
Nmap scan report for DD-WRT (192.168.1.1)
Host is up (0.0088s latency).
PORT    STATE  SERVICE
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds
MAC Address: 1C:BD:B9:27:D5:32 (D-Link International)
Nmap scan report for 192.168.1.107
Host is up (0.0011s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:EB:1D:BC (Oracle VirtualBox virtual NIC)
Nmap scan report for DESKTOP-TA5DCRJ (192.168.1.141)
Host is up (0.0027s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 2C:6E:85:C4:0D:5B (Intel Corporate)
Nmap scan report for kali (192.168.1.143)
Host is up (0.0032s latency).
PORT    STATE  SERVICE
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds
MAC Address: 08:00:27:CA:63:99 (Oracle VirtualBox virtual NIC)
Initiating SYN Stealth Scan at 15:35
Scanning 192.168.1.127 [2 ports]
Completed SYN Stealth Scan at 15:35, 0.06s elapsed (2 total ports)
Nmap scan report for 192.168.1.127
Host is up (0.00015s latency).
PORT    STATE  SERVICE
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds
Read data files from: /usr/bin/../share/nmap
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.03 seconds
           Raw packets sent: 516 (14.608KB) | Rcvd: 16 (616B)

Two hosts (192.168.1.107 and 192.168.1.141) have both SMB ports open. Note that the MAC addresses in this listing come from ARP, so nmap can only show them for hosts on the local segment.

Advanced scanning
1. Discovering Windows systems that speak SMB
root@kali:~# nmap 192.168.1.141 -p139,445 --script=smb-os-discovery.nse
# --script=smb-os-discovery.nse: NSE script that reads the OS, NetBIOS name and workgroup from the SMB session setup

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-12 15:43 CST
Nmap scan report for DESKTOP-TA5DCRJ (192.168.1.141)
Host is up (0.00030s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 2C:6E:85:C4:0D:5B (Intel Corporate)

Host script results:
| smb-os-discovery: 
|   OS: Windows 10 Home China 10586 (Windows 10 Home China 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   NetBIOS computer name: DESKTOP-TA5DCRJ
|   Workgroup: WORKGROUP
|_  System time: 2016-09-12T15:43:52+08:00

Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds

The OS string, NetBIOS name and workgroup are handed back in the SMB session-setup response to an anonymous (null) session, which is why this works without any credentials; the same script against a Samba host returns the Samba version string instead, which settles the Windows-or-not question the plain port scan could not.

2. Checking whether the Windows SMB implementation has known vulnerabilities
Since Nmap 6.49beta6 the old smb-check-vulns.nse script is gone; it was split into per-issue scripts: smb-vuln-conficker, smb-vuln-cve2009-3103, smb-vuln-ms06-025, smb-vuln-ms07-029, smb-vuln-regsvc-dos and smb-vuln-ms08-067 (the family has kept growing since; the 7.01 run below also loads smb-vuln-ms10-054 and smb-vuln-ms10-061). Pick the script for the issue you are testing, or, if you are not sure, run the whole family with --script=smb-vuln-*.nse. Quote the pattern if your shell might expand the asterisk against files in the current directory; Nmap does its own wildcard matching.

root@kali:~# nmap -v -p139,445 --script=smb-vuln-*.nse --script-args=unsafe=1 192.168.1.115 -Pn
# --script-args=unsafe=1: also run the intrusive checks that can crash the target (the denial-of-service tests); leave it out, or set unsafe=0, for a safe scan
# -Pn: skip host discovery and treat the target as up, so a firewall that drops the ping probes does not abort the scan

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-12 19:59 CST
NSE: Loaded 8 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:59
Completed NSE at 19:59, 0.00s elapsed
Initiating ARP Ping Scan at 19:59
Scanning 192.168.1.115 [1 port]
Completed ARP Ping Scan at 19:59, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:59
Completed Parallel DNS resolution of 1 host. at 19:59, 0.01s elapsed
Initiating SYN Stealth Scan at 19:59
Scanning PC (192.168.1.115) [2 ports]
Discovered open port 139/tcp on 192.168.1.115
Discovered open port 445/tcp on 192.168.1.115
Completed SYN Stealth Scan at 19:59, 0.04s elapsed (2 total ports)
NSE: Script scanning 192.168.1.115.
Initiating NSE at 19:59
Completed NSE at 19:59, 5.00s elapsed
Nmap scan report for PC (192.168.1.115)
Host is up (0.00028s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:2B:32:0F (Oracle VirtualBox virtual NIC)

Host script results:
| smb-vuln-cve2009-3103: 
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
|           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
|           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
|           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
|           aka "SMBv2 Negotiation Vulnerability."
|           
|     Disclosure date: 2009-09-08
|     References:
|       http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_smb-vuln-ms10-054: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
NSE: Script Post-scanning.
Initiating NSE at 19:59
Completed NSE at 19:59, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 5.47 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Read the last two lines carefully: an ERROR or NT_STATUS_ACCESS_DENIED result means the check could not run (ms10-061 needs access to the print spooler share, which this host refused anonymously), not that the host is patched. Only scripts that report a State are conclusive either way, and scripts that stay silent usually did not find the issue.
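To turn the three scans above (the port sweep, smb-os-discovery and the smb-vuln-* family) into something an analyst can act on, save the scan with -oX and post-process the XML rather than reading the terminal. The script below is an added example written for this page, not part of the original article or of Nmap. The XML it parses is constructed inline, modelled on the hosts seen above, and the element layout it relies on (address, ports/port/state, hostscript/script, and the vulns-library tables carrying a state element) is Nmap's documented XML output; the sample data itself is not real scan output.

```python
"""Triage an nmap SMB scan saved with -oX: open ports, OS, confirmed vulns.

Added example for this page, not the article's or Nmap's code. SAMPLE_XML is
constructed by hand, modelled on the article's hosts; a real file comes from
    nmap -p139,445 --script=smb-os-discovery,'smb-vuln-*' -oX smb.xml <net>
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.01">
 <host><status state="up"/><address addr="192.168.1.141" addrtype="ipv4"/>
  <hostnames><hostname name="DESKTOP-TA5DCRJ"/></hostnames>
  <ports><port protocol="tcp" portid="139"><state state="open"/></port>
         <port protocol="tcp" portid="445"><state state="open"/></port></ports>
  <hostscript>
   <script id="smb-os-discovery" output="OS: Windows 10 Home China 10586">
    <elem key="os">Windows 10 Home China 10586</elem>
    <elem key="workgroup">WORKGROUP</elem></script>
   <script id="smb-vuln-ms08-067" output="NOT VULNERABLE">
    <table key="MS08-067"><elem key="state">NOT VULNERABLE</elem></table></script>
  </hostscript></host>
 <host><status state="up"/><address addr="192.168.1.115" addrtype="ipv4"/>
  <hostnames><hostname name="PC"/></hostnames>
  <ports><port protocol="tcp" portid="139"><state state="open"/></port>
         <port protocol="tcp" portid="445"><state state="open"/></port></ports>
  <hostscript>
   <script id="smb-vuln-cve2009-3103" output="VULNERABLE">
    <table key="CVE-2009-3103">
     <elem key="title">SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)</elem>
     <elem key="state">VULNERABLE</elem>
     <table key="ids"><elem>CVE:CVE-2009-3103</elem></table></table></script>
   <script id="smb-vuln-ms10-054" output="ERROR: Script execution failed (use -d to debug)"/>
   <script id="smb-vuln-ms10-061" output="NT_STATUS_ACCESS_DENIED"/>
  </hostscript></host>
 <host><status state="up"/><address addr="192.168.1.107" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="139"><state state="open"/></port>
         <port protocol="tcp" portid="445"><state state="open"/></port></ports></host>
 <host><status state="down"/><address addr="192.168.1.2" addrtype="ipv4"/></host>
</nmaprun>
"""


def _is_vulnerable(state: str) -> bool:
    """vulns-library states: VULNERABLE, VULNERABLE (Exploitable), VULNERABLE (DoS),
    LIKELY VULNERABLE, NOT VULNERABLE, UNKNOWN (unable to test)."""
    s = state.strip().upper()
    return "VULNERABLE" in s and not s.startswith("NOT")


def parse_smb_scan(xml_text: str) -> list:
    """One dict per live host: ip, name, open ports, OS, confirmed vulns and
    checks that did not complete (errors / access denied)."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        hn = host.find("hostnames/hostname")
        info = {"ip": addr.get("addr") if addr is not None else None,
                "name": hn.get("name") if hn is not None else None,
                "open_ports": sorted(int(p.get("portid")) for p in host.iter("port")
                                     if p.find("state").get("state") == "open"),
                "os": None, "vulns": [], "inconclusive": []}
        for script in host.iter("script"):
            sid = script.get("id", "")
            if sid == "smb-os-discovery":
                os_elem = script.find("elem[@key='os']")
                info["os"] = os_elem.text if os_elem is not None else None
            elif sid.startswith("smb-vuln-"):
                tables = script.findall("table")
                if not tables:
                    # No structured result: the check errored out or was denied.
                    # That is not evidence the host is patched; flag it for follow-up.
                    info["inconclusive"].append((sid, script.get("output", "")))
                for table in tables:
                    state = table.find("elem[@key='state']")
                    if state is not None and _is_vulnerable(state.text or ""):
                        info["vulns"].append((sid, table.get("key"), state.text))
        hosts.append(info)
    return hosts


def render(hosts: list) -> str:
    """Plain-text report: one line per host, then confirmed and inconclusive checks."""
    lines = []
    for h in hosts:
        label = f"{h['ip']} ({h['name']})" if h["name"] else h["ip"]
        lines.append(f"{label}: ports {h['open_ports']}, OS {h['os'] or 'unknown'}")
        lines += [f"  [!] {vid} via {sid}: {state}" for sid, vid, state in h["vulns"]]
        lines += [f"  [?] {sid} inconclusive: {out}" for sid, out in h["inconclusive"]]
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    print(render(parse_smb_scan(xml_text)))
```

Run it with the path to a real -oX file as the only argument, or with no argument to see the constructed sample. The inconclusive bucket is the part most people skip: a script that returned an error or NT_STATUS_ACCESS_DENIED has to be re-run with credentials (or with -d to see why it failed) before the host can be marked clean.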
2. Nbtscan
nbtscan sends a NetBIOS node-status query over UDP/137 to every address in a range and prints the names each host registered, its role (<server> marks a host that registered the <20> File Server name), the <03> user/messenger name, and the MAC address the host itself reports. The command that produced the listing below is not shown in the original; from the options described it was nbtscan -r 192.168.1.0/24.
# -r: send from local UDP port 137 (needs root). Best compatibility: very old systems (Windows 95 era) only answer queries from that port, so the results are the most complete
# takes a whole network range, not just single hosts
Advantage: it can obtain MAC addresses even across subnets, as long as the firewall in between lets UDP/137 through, because the MAC is carried inside the node-status reply itself rather than learned from ARP.

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
192.168.1.0     Sendto failed: Permission denied
192.168.1.127    <unknown>                  <unknown>
192.168.1.107    METASPLOITABLE   <server>  METASPLOITABLE   00:00:00:00:00:00
192.168.1.141    DESKTOP-TA5DCRJ  <server>  <unknown>        2c:6e:85:c4:0d:5b
192.168.1.115    PC               <server>  <unknown>        08:00:27:2b:32:0f
192.168.1.255   Sendto failed: Permission denied

The two "Sendto failed: Permission denied" lines are the network and broadcast addresses of the /24, which the kernel refuses to send to as unicast without SO_BROADCAST; ignore them. The all-zero MAC for METASPLOITABLE is typical of Samba, which does not fill in the unit-ID field of its node-status reply, so a zero MAC in an otherwise valid answer is itself a hint that the host is Linux/Samba rather than Windows.
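Here is what nbtscan actually puts on the wire and how it reads the answer, as an added example written for this page (not nbtscan's own code): the NetBIOS node-status request for the wildcard name "*", and a parser for the reply that lists the registered names with their suffix and group flag, then pulls the MAC address out of the unit-ID field at the start of the statistics block. The two replies it decodes are constructed inline, modelled on the Windows 10 and Metasploitable hosts in the listing above; the all-zero-MAC heuristic for Samba is an observation consistent with that listing, not a guarantee.

```python
"""NetBIOS Node Status (NBSTAT) request/response, the probe behind nbtscan.

Added example for this page, not nbtscan's code. The two replies at the
bottom are constructed, modelled on the Windows 10 and Samba (Metasploitable)
hosts in the article; nothing touches the network unless nbstat_query() runs.
"""
import socket
import struct

NBSTAT = 0x0021                  # RR type: node status
CLASS_IN = 0x0001
WILDCARD = b"*" + b"\x00" * 15   # the '*' name every NetBIOS host answers for
NAME_FLAG_GROUP = 0x8000         # RFC 1002 NODE_NAME flags
NAME_FLAG_ACTIVE = 0x0400
SUFFIXES = {0x00: "Workstation Service / Workgroup", 0x03: "Messenger Service",
            0x1B: "Domain Master Browser", 0x1C: "Domain Controllers",
            0x1D: "Master Browser", 0x1E: "Browser Service Elections",
            0x20: "File Server Service"}

def encode_name(raw16: bytes) -> bytes:
    """RFC 1001 first-level encoding: each byte -> two nibbles, each + 'A'."""
    assert len(raw16) == 16
    enc = bytes(n + 0x41 for b in raw16 for n in (b >> 4, b & 0x0F))
    return b"\x20" + enc + b"\x00"            # label length 32, then root label

def build_nbstat_request(txid: int = 0x1234) -> bytes:
    """Node Status Request for '*': DNS-style header with one question."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(WILDCARD) + struct.pack(">HH", NBSTAT, CLASS_IN)

def parse_nbstat_response(data: bytes) -> dict:
    """Decode the answer RR: the name table, then the MAC from STATISTICS."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a node status response")
    off = 12
    off += 1 + data[off] + 1                   # skip the encoded RR_NAME
    rtype, _rclass, _ttl, _rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rtype != NBSTAT:
        raise ValueError("unexpected RR type 0x%04x" % rtype)
    num_names, off = data[off], off + 1
    names = []
    for _ in range(num_names):
        raw, suffix = data[off:off + 15], data[off + 15]
        nflags = struct.unpack_from(">H", data, off + 16)[0]
        off += 18
        names.append({"name": raw.decode("ascii", "replace").rstrip(),
                      "suffix": suffix, "service": SUFFIXES.get(suffix, "other"),
                      "group": bool(nflags & NAME_FLAG_GROUP),
                      "active": bool(nflags & NAME_FLAG_ACTIVE)})
    mac = data[off:off + 6]                    # unit ID = first STATISTICS field
    return {"txid": txid, "names": names, "mac": ":".join("%02x" % b for b in mac)}

def looks_like_samba(result: dict) -> bool:
    """Samba's nmbd leaves the unit ID zeroed; an all-zero MAC in a valid reply
    therefore points at Samba rather than Windows (cf. METASPLOITABLE above)."""
    return result["mac"] == "00:00:00:00:00:00"

def nbstat_query(ip: str, timeout: float = 1.0, from_port_137: bool = False) -> dict:
    """Live query over UDP/137; from_port_137 mimics nbtscan -r (needs root)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        if from_port_137:
            s.bind(("", 137))
        s.settimeout(timeout)
        s.sendto(build_nbstat_request(), (ip, 137))
        data, _ = s.recvfrom(4096)
    return parse_nbstat_response(data)

def build_nbstat_response(txid: int, names, mac: bytes) -> bytes:
    """Construct a reply (only so the example runs offline)."""
    rdata = bytes([len(names)])
    for name, suffix, group in names:
        nflags = NAME_FLAG_ACTIVE | (NAME_FLAG_GROUP if group else 0)
        rdata += name.ljust(15).encode("ascii")[:15] + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += mac + b"\x00" * 40                # unit ID, then zeroed statistics
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rr = encode_name(WILDCARD) + struct.pack(">HHIH", NBSTAT, CLASS_IN, 0, len(rdata))
    return header + rr + rdata

# Constructed replies modelled on the article's hosts (not real captures)
WINDOWS_REPLY = build_nbstat_response(0x1234, [("DESKTOP-TA5DCRJ", 0x00, False),
    ("DESKTOP-TA5DCRJ", 0x20, False), ("WORKGROUP", 0x00, True)], bytes.fromhex("2c6e85c40d5b"))
SAMBA_REPLY = build_nbstat_response(0x1234, [("METASPLOITABLE", 0x00, False),
    ("METASPLOITABLE", 0x20, False), ("WORKGROUP", 0x00, True)], bytes(6))

if __name__ == "__main__":
    for reply in (WINDOWS_REPLY, SAMBA_REPLY):
        r = parse_nbstat_response(reply)
        print("MAC", r["mac"], "samba?", looks_like_samba(r))
        for n in r["names"]:
            print("  %-15s <%02x> %-7s %s" % (n["name"], n["suffix"],
                  "<GROUP>" if n["group"] else "", n["service"]))
```

Because the MAC travels inside the UDP payload, it survives routing, which is why nbtscan can report MACs for hosts on other subnets while nmap's MAC column (learned from ARP) only works on the local segment. Calling nbstat_query(ip, from_port_137=True) reproduces the -r behaviour and, like nbtscan, needs root to bind port 137.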
3. enum4linux
Enumerates a Windows (or Samba) host from Linux. It takes a single target rather than a range, but the output is very detailed: -a runs every check (workgroup, nbtstat, null session, domain SID, OS, users, shares, password policy, groups, RID cycling, printers).

root@kali:~# enum4linux -a 192.168.1.141
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Sep 12 20:22:19 2016

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.1.141
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ===================================================== 
|    Enumerating Workgroup/Domain on 192.168.1.141    |
 ===================================================== 
[+] Got domain/workgroup name: WORKGROUP

 ============================================= 
|    Nbtstat Information for 192.168.1.141    |
 ============================================= 
Looking up status of 192.168.1.141
	DESKTOP-TA5DCRJ <00> -         B <ACTIVE>  Workstation Service
	DESKTOP-TA5DCRJ <20> -         B <ACTIVE>  File Server Service
	WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name

	MAC Address = 2C-6E-85-C4-0D-5B

 ====================================== 
|    Session Check on 192.168.1.141    |
 ====================================== 
[+] Server 192.168.1.141 allows sessions using username '', password ''    # null session attempt

 ============================================ 
|    Getting domain SID for 192.168.1.141    |
 ============================================ 
could not initialise lsa pipe. Error was NT_STATUS_ACCESS_DENIED
could not obtain sid for domain WORKGROUP
error: NT_STATUS_ACCESS_DENIED
[+] Can't determine if host is part of domain or part of a workgroup

 ======================================= 
|    OS information on 192.168.1.141    |
 ======================================= 
[+] Got OS info for 192.168.1.141 from smbclient: Domain=[DESKTOP-TA5DCRJ] OS=[Windows 10 Home China 10586] Server=[Windows 10 Home China 6.3]
[E] Can't get OS info with srvinfo: NT_STATUS_ACCESS_DENIED

 ============================== 
|    Users on 192.168.1.141    |
 ============================== 
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED

 ========================================== 
|    Share Enumeration on 192.168.1.141    |
 ========================================== 
[E] Can't list shares: NT_STATUS_ACCESS_DENIED
[+] Attempting to map shares on 192.168.1.141

 ===================================================== 
|    Password Policy Information for 192.168.1.141    |
 ===================================================== 
[E] Unexpected error from polenum:
[+] Attaching to 192.168.1.141 using a NULL share
[+] Trying protocol 445/SMB...
[!] Protocol failed: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
[+] Trying protocol 139/SMB...
[!] Protocol failed: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
[E] Failed to get password policy with rpcclient

 =============================== 
|    Groups on 192.168.1.141    |
 =============================== 
[+] Getting builtin groups:
[E] Can't get builtin groups: NT_STATUS_ACCESS_DENIED
[+] Getting builtin group memberships:
[+] Getting local groups:
[E] Can't get local groups: NT_STATUS_ACCESS_DENIED
[+] Getting local group memberships:
[+] Getting domain groups:
[E] Can't get domain groups: NT_STATUS_ACCESS_DENIED
[+] Getting domain group memberships:

 ======================================================================== 
|    Users on 192.168.1.141 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================== 
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.

 ============================================== 
|    Getting printer info for 192.168.1.141    |
 ============================================== 
could not initialise lsa pipe. Error was NT_STATUS_ACCESS_DENIED
could not obtain sid for domain WORKGROUP
error: NT_STATUS_ACCESS_DENIED

enum4linux complete on Mon Sep 12 20:22:20 2016

Reading this result: the null session is accepted at the SMB level ("allows sessions using username '', password ''"), but every RPC call that would actually leak something (LSA for the SID, SAMR for users and groups, srvsvc for shares) comes back NT_STATUS_ACCESS_DENIED, which is the default on Windows 10, where anonymous enumeration of accounts and shares is restricted. The only things obtained without credentials are the OS banner from the SMB session setup and the NetBIOS names. Against older Windows or a permissively configured Samba server the same command typically also returns users, shares, the password policy and RID-cycled account names; with a valid account (-u user -p pass) it does so on Windows 10 as well.
Newbie Diary, to be continued……