SMB扫描

Server Message Block 协议。与其他标准的TCP/IP协议不同,SMB协议是一种复杂的协议,因为随着Windows计算机的开发,越来越多的功能被加入到协议中去了,很难区分哪些概念和功能应该属于Windows操作系统本身,哪些概念应该属于SMB 协议。因为该协议很复杂,所以是微软历史上出现安全问题最多的协议。

1、Nmap

最简单的方法:扫描其固定开放的端口139,445,但是无法准确判断其为windows系统

root@kali:~# <strong>nmap -v -p139,445 192.168.1.0/24          #-v显示更详细的信息</strong>

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-12 15:35 CST

Initiating ARP Ping Scan at 15:35

Scanning 255 hosts [1 port/host]

Completed ARP Ping Scan at 15:35, 1.70s elapsed (255 total hosts)

Initiating Parallel DNS resolution of 255 hosts. at 15:35

Completed Parallel DNS resolution of 255 hosts. at 15:35, 0.01s elapsed

Nmap scan report for 192.168.1.0 [host down]

Nmap scan report for 192.168.1.2 [host down]

Nmap scan report for 192.168.1.3 [host down]

Nmap scan report for 192.168.1.4 [host down]

…………………………………………

Nmap scan report for 192.168.1.255 [host down]

Initiating Parallel DNS resolution of 1 host. at 15:35

Completed Parallel DNS resolution of 1 host. at 15:35, 0.00s elapsed

Initiating SYN Stealth Scan at 15:35

Scanning 4 hosts [2 ports/host]

Discovered open port 445/tcp on 192.168.1.141

Discovered open port 139/tcp on 192.168.1.141

Discovered open port 445/tcp on 192.168.1.107

Discovered open port 139/tcp on 192.168.1.107

Completed SYN Stealth Scan at 15:35, 0.05s elapsed (8 total ports)

Nmap scan report for DD-WRT (192.168.1.1)

Host is up (0.0088s latency).

PORT    STATE  SERVICE

139/tcp closed netbios-ssn

445/tcp closed microsoft-ds

MAC Address: 1C:BD:B9:27:D5:32 (D-Link International)

Nmap scan report for 192.168.1.107

Host is up (0.0011s latency).

PORT    STATE SERVICE

139/tcp open  netbios-ssn

445/tcp open  microsoft-ds

MAC Address: 08:00:27:EB:1D:BC (Oracle VirtualBox virtual NIC)

Nmap scan report for DESKTOP-TA5DCRJ (192.168.1.141)

Host is up (0.0027s latency).

PORT    STATE SERVICE

139/tcp open  netbios-ssn

445/tcp open  microsoft-ds

MAC Address: 2C:6E:85:C4:0D:5B (Intel Corporate)

Nmap scan report for kali (192.168.1.143)

Host is up (0.0032s latency).

PORT    STATE  SERVICE

139/tcp closed netbios-ssn

445/tcp closed microsoft-ds

MAC Address: 08:00:27:CA:63:99 (Oracle VirtualBox virtual NIC)

Initiating SYN Stealth Scan at 15:35

Scanning 192.168.1.127 [2 ports]

Completed SYN Stealth Scan at 15:35, 0.06s elapsed (2 total ports)

Nmap scan report for 192.168.1.127

Host is up (0.00015s latency).

PORT    STATE  SERVICE

139/tcp closed netbios-ssn

445/tcp closed microsoft-ds

Read data files from: /usr/bin/../share/nmap

Nmap done: 256 IP addresses (5 hosts up) scanned in 2.03 seconds

           Raw packets sent: 516 (14.608KB) | Rcvd: 16 (616B)

高级扫描

1.发现开放smb协议的windows系统

root@kali:~# nmap 192.168.1.141 -p139,445 <strong>--script=smb-os-discovery.nse  #用于发现smb协议的脚本</strong>

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-12 15:43 CST

Nmap scan report for DESKTOP-TA5DCRJ (192.168.1.141)

Host is up (0.00030s latency).

PORT    STATE SERVICE

139/tcp open  netbios-ssn

445/tcp open  microsoft-ds

MAC Address: 2C:6E:85:C4:0D:5B (Intel Corporate)

Host script results:

| smb-os-discovery:

|   OS: Windows 10 Home China 10586 (Windows 10 Home China 6.3)

|   OS CPE: cpe:/o:microsoft:windows_10::-

|   NetBIOS computer name: DESKTOP-TA5DCRJ

|   Workgroup: WORKGROUP

|_  System time: 2016-09-12T15:43:52+08:00

Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds

2.扫描windows系统smb协议是否有漏洞
由于从NMAP 6.49beta6开始,smb-check-vulns.nse脚本被取消了。它被分为smb-vuln-conficker、•smb-vuln-cve2009-3103、smb-vuln-ms06-025、smb-vuln-ms07-029、smb-vuln-regsvc-dos、smb-vuln-ms08-067这六个脚本。用户根据需要选择对应的脚本。如果不确定执行哪一个,可以使用smb-vuln-*.nse来指定所有的脚本文件,进行全扫描。

root@kali:~# nmap -v -p139,445 --script=smb-vuln-*.nse --script-args=unsafe=1 192.168.1.115 -Pn

               <strong>#unsafe=1:高强度扫描,可能造成宕机,可选为0(安全扫描) #-Pn:有防火墙过滤包,也继续进行扫描</strong>

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-12 19:59 CST

NSE: Loaded 8 scripts for scanning.

NSE: Script Pre-scanning.

Initiating NSE at 19:59

Completed NSE at 19:59, 0.00s elapsed

Initiating ARP Ping Scan at 19:59

Scanning 192.168.1.115 [1 port]

Completed ARP Ping Scan at 19:59, 0.09s elapsed (1 total hosts)

Initiating Parallel DNS resolution of 1 host. at 19:59

Completed Parallel DNS resolution of 1 host. at 19:59, 0.01s elapsed

Initiating SYN Stealth Scan at 19:59

Scanning PC (192.168.1.115) [2 ports]

Discovered open port 139/tcp on 192.168.1.115

Discovered open port 445/tcp on 192.168.1.115

Completed SYN Stealth Scan at 19:59, 0.04s elapsed (2 total ports)

NSE: Script scanning 192.168.1.115.

Initiating NSE at 19:59

Completed NSE at 19:59, 5.00s elapsed

Nmap scan report for PC (192.168.1.115)

Host is up (0.00028s latency).

PORT    STATE SERVICE

139/tcp open  netbios-ssn

445/tcp open  microsoft-ds

MAC Address: 08:00:27:2B:32:0F (Oracle VirtualBox virtual NIC)

Host script results:

| smb-vuln-cve2009-3103:

|   VULNERABLE:

|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)

|     State: VULNERABLE

|     IDs:  CVE:CVE-2009-3103

|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,

|           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a

|           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE

|           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,

|           aka "SMBv2 Negotiation Vulnerability."

|

|     Disclosure date: 2009-09-08

|     References:

|       http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103

|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103

|_smb-vuln-ms10-054: ERROR: Script execution failed (use -d to debug)

|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED

NSE: Script Post-scanning.

Initiating NSE at 19:59

Completed NSE at 19:59, 0.00s elapsed

Read data files from: /usr/bin/../share/nmap

Nmap done: 1 IP address (1 host up) scanned in 5.47 seconds

           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

2、Nbtscan

#-R:使用本地端口137,兼容性好,可发现老版本的系统,扫描结果最全

#支持网段扫描

优点:可跨网段扫描mac地址,如果防火墙过滤不够好的话

IP address       NetBIOS Name     Server    User             MAC address

------------------------------------------------------------------------------

192.168.1.0	Sendto failed: Permission denied

192.168.1.127    <unknown>                  <unknown>

192.168.1.107    METASPLOITABLE   <server>  METASPLOITABLE   00:00:00:00:00:00

192.168.1.141    DESKTOP-TA5DCRJ  <server>  <unknown>        2c:6e:85:c4:0d:5b

192.168.1.115    PC               <server>  <unknown>        08:00:27:2b:32:0f

192.168.1.255	Sendto failed: Permission denied

3、enum4linux

在linux系统下枚举出windows系统,不支持网段扫描,但结果非常详细

root@kali:~# enum4linux -a 192.168.1.141

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Sep 12 20:22:19 2016

 ==========================

|    Target Information    |

 ==========================

Target ........... 192.168.1.141

RID Range ........ 500-550,1000-1050

Username ......... ''

Password ......... ''

Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 =====================================================

|    Enumerating Workgroup/Domain on 192.168.1.141    |

 =====================================================

[+] Got domain/workgroup name: WORKGROUP

 =============================================

|    Nbtstat Information for 192.168.1.141    |

 =============================================

Looking up status of 192.168.1.141

	DESKTOP-TA5DCRJ <00> -         B <ACTIVE>  Workstation Service

	DESKTOP-TA5DCRJ <20> -         B <ACTIVE>  File Server Service

	WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name

	MAC Address = 2C-6E-85-C4-0D-5B

 ======================================

|    Session Check on 192.168.1.141    |

 ======================================

[+] Server 192.168.1.141 allows sessions using username '', password ''  <strong>#尝试建立空连接

</strong>

 ============================================

|    Getting domain SID for 192.168.1.141    |

 ============================================

could not initialise lsa pipe. Error was NT_STATUS_ACCESS_DENIED

could not obtain sid for domain WORKGROUP

error: NT_STATUS_ACCESS_DENIED

[+] Can't determine if host is part of domain or part of a workgroup

 =======================================

|    OS information on 192.168.1.141    |

 =======================================

[+] Got OS info for 192.168.1.141 from smbclient: Domain=[DESKTOP-TA5DCRJ] OS=[Windows 10 Home China 10586] Server=[Windows 10 Home China 6.3]

[E] Can't get OS info with srvinfo: NT_STATUS_ACCESS_DENIED

 ==============================

|    Users on 192.168.1.141    |

 ==============================

[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED

[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED

 ==========================================

|    Share Enumeration on 192.168.1.141    |

 ==========================================

[E] Can't list shares: NT_STATUS_ACCESS_DENIED

[+] Attempting to map shares on 192.168.1.141

 =====================================================

|    Password Policy Information for 192.168.1.141    |

 =====================================================

[E] Unexpected error from polenum:

[+] Attaching to 192.168.1.141 using a NULL share

	[+] Trying protocol 445/SMB...

	[!] Protocol failed: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

	[+] Trying protocol 139/SMB...

	[!] Protocol failed: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

[E] Failed to get password policy with rpcclient

 ===============================

|    Groups on 192.168.1.141    |

 =============================== 

[+] Getting builtin groups:

[E] Can't get builtin groups: NT_STATUS_ACCESS_DENIED

[+] Getting builtin group memberships:

[+] Getting local groups:

[E] Can't get local groups: NT_STATUS_ACCESS_DENIED

[+] Getting local group memberships:

[+] Getting domain groups:

[E] Can't get domain groups: NT_STATUS_ACCESS_DENIED

[+] Getting domain group memberships:

 ========================================================================

|    Users on 192.168.1.141 via RID cycling (RIDS: 500-550,1000-1050)    |

 ========================================================================

[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.

 ==============================================

|    Getting printer info for 192.168.1.141    |

 ==============================================

could not initialise lsa pipe. Error was NT_STATUS_ACCESS_DENIED

could not obtain sid for domain WORKGROUP

error: NT_STATUS_ACCESS_DENIED

enum4linux complete on Mon Sep 12 20:22:20 2016<strong>

</strong>

小白日记,未完待续……

小白日记12:kali渗透测试之服务扫描(二)-SMB扫描的更多相关文章

  1. 小白日记13:kali渗透测试之服务扫描(三)-SMTB扫描、防火墙识别、负载均衡识别、WAF识别

    SMTP扫描 SMTP(Simple Mail Transfer Protocol)即简单邮件传输协议,它是一组用于由源地址到目的地址传送邮件的规则,由它来控制信件的中转方式.SMTP协议属于TCP/ ...

  2. 小白日记11:kali渗透测试之服务扫描-banner、dmitry、nmap特征库、操作系统识别、SNMP

    服务扫描 不能单纯的以端口辨别服务.很多网络服务是漏洞频发的高危对象,对网络上的特定服务进行扫描,往往能让我们少走弯路,增加渗透成功的几率.确定开放端口后,通常会对相应端口上所运行服务的信息进行更深入 ...

  3. kali渗透测试之缓冲区溢出实例-windows,POP3,SLmail

    kali渗透测试之缓冲区溢出实例-windows,POP3,SLmail 相关链接:https://www.bbsmax.com/A/xl569l20Jr/ http://4hou.win/wordp ...

  4. kali渗透综合靶机(十二)--SickOs1.2靶机

    kali渗透综合靶机(十二)--SickOs1.2靶机 靶机下载地址:https://www.vulnhub.com/entry/sickos-12,144/ 一.主机发现 1.netdiscover ...

  5. 小白日记10:kali渗透测试之端口扫描-UDP、TCP、僵尸扫描、隐蔽扫描

    端口扫描 二三四层发现的目的只是为了准确发现所有活着主机IP,确定攻击面,端口扫描即发现攻击点,发现开放端口.端口对应网络服务及应用端程序,服务端程序的漏洞通过端口攻入.[所有的扫描结果,都不要完全相 ...

  6. 小白日记15:kali渗透测试之弱点扫描-漏扫三招、漏洞管理、CVE、CVSS、NVD

    发现漏洞 弱点发现方法: 1.基于端口服务扫描结果版本信息,比对其是否为最新版本,若不是则去其 官网查看其补丁列表,然后去逐个尝试,但是此法弊端很大,因为各种端口应用比较多,造成耗时大. 2.搜索已公 ...

  7. 小白日记32:kali渗透测试之Web渗透-扫描工具-QWASP_ZAP

    扫描工具-QWASP_ZAP 十大安全工具之一,集成性工具,功能完善,而且强大.既可做主动扫描,也可做截断代理.开源免费跨平台,简单易用,体验相对混乱,但在主动扫描方面,相对占优.[kali集成] # ...

  8. 小白日记34:kali渗透测试之Web渗透-扫描工具-Burpsuite(二)

    扫描工具-Burpsuite 公共模块 0.Spider 爬网 手动爬网 先禁用截断功能 手动将页面中点击所有连接,对提交数据的地方,都进行提交[无论内容] 自动爬网[参数设置] 指定爬网路径,否则其 ...

  9. 小白日记16:kali渗透测试之弱点扫描-openvas、nessus

    漏洞扫描工具 1.openvas OpenVAS是开放式漏洞评估系统,也可以说它是一个包含着相关工具的网络扫描器.在kali上默认集成openvas.在kali上,配置相对简单[几乎每天都在更新] 实 ...

随机推荐

  1. CentOS搭建LAMP环境

    最近准备安装roundcube,需要先搭建一个 LAMP 运行环境,从网上搜索了一下,有不少资料.自己也按部就班安装了一遍,把过程整理了下来. LAMP 是Linux, Apache, MySQL, ...

  2. Apache Rewrite常用设置说明

    例子: RewriteEngine on 打开引擎 RewriteRule test.html /test.php [L] RewriteRule test.html?$ /tianqi.php?s1 ...

  3. 虚拟桌面基础架构(VDI)与终端服务和传统PC对比

    VDI(Virtual Desktop Infrastructure),即虚拟桌面基础架构,正迅速成为一个热门词汇,它将颠覆企业向终端用户交付应用的游戏规则.这篇专题就是想通过VDI与两种传统技术的对 ...

  4. 转】Maven学习总结(五)——聚合与继承

    原博文出自于: http://www.cnblogs.com/xdp-gacl/p/4058008.html 感谢! 一.聚合 如果我们想一次构建多个项目模块,那我们就需要对多个项目模块进行聚合 1. ...

  5. 转】Maven学习总结(二)——Maven项目构建过程练习

    原博文出自于:http://www.cnblogs.com/xdp-gacl/p/4051690.html 感谢! 上一篇只是简单介绍了一下maven入门的一些相关知识,这一篇主要是体验一下Maven ...

  6. Mysql数据库插入的中文字段值显示问号的问题解决

    最近我使用myeclipse连接mysql数据库查询表中的数据,表中字段值为中文的字段显示问号,查了很多资料将解决方法总结如下: 步骤一:修改mysql数据库的配置文件my.ini或者my-defau ...

  7. PID参数整定快速入门(调节器参数整定方法)

    PID调节器参数整定方法很多,常见的工程整定方法有临界比例度法.衰减曲线法和经验法.云润仪表以图文形式分别介绍调节器参数整定方法. 临界比例度法一个调节系统,在阶跃干扰作用下,出现既不发散也不衰减的等 ...

  8. Mybatis中实体类中的字段跟对应表的字段不一致时解决办法

    解决字段名与实体类属性名不相同的冲突 实体类字段: public class Order { private int id; private String orderNo; private float ...

  9. poj 1517 u Calculate e

    u Calculate e Time Limit: 1000MS   Memory Limit: 10000K Total Submissions: 19465   Accepted: 11362   ...

  10. Codeforces Round #352 (Div. 2) D. Robin Hood (二分答案)

    题目链接:http://codeforces.com/contest/672/problem/D 有n个人,k个操作,每个人有a[i]个物品,每次操作把最富的人那里拿一个物品给最穷的人,问你最后贫富差 ...