SNMP, SMTP and SMB scanning
I. SNMP scanning
SNMP (Simple Network Management Protocol) is a plaintext protocol.
SNMP is used to monitor network devices such as switches, firewalls and servers; internal system information such as CPU load is generally all visible through it.
It is a gold mine of information and is frequently misconfigured by administrators. The community string acts as the login credential; its default value is public, and administrators often forget to change it. There are two default community strings: public (read-only) and private (read-write). Server side: UDP port 161; client side: UDP port 162.
MIB tree:
SNMP Management Information Base (MIB): a tree-structured database of the management data exposed by a network device.
Install the SNMP service on the target host and check the service status, community settings and so on.
Control Panel -> Add or Remove Programs opens the dialog shown in the screenshot:
1. onesixtyone
root@kali:~
Scanning 1 hosts, 1 communities
192.168.247.129 [public] Hardware: x86 Family 6 Model 142 Stepping 9 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Uniprocessor Free)
If the scan returns no result, the target host may have changed its default community string; in that case we can scan it with a dictionary.
root@kali:~
/.
/usr
/usr/bin
/usr/bin/onesixtyone
/usr/share
/usr/share/doc
/usr/share/doc/onesixtyone
/usr/share/doc/onesixtyone/README
/usr/share/doc/onesixtyone/changelog.Debian.amd64.gz
/usr/share/doc/onesixtyone/changelog.Debian.gz
/usr/share/doc/onesixtyone/changelog.gz
/usr/share/doc/onesixtyone/copyright
/usr/share/doc/onesixtyone/dict.txt    // default dictionary
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/onesixtyone.1.gz
root@kali:~
Logging to file my.log
Scanning 1 hosts, 49 communities
2. snmpwalk
snmpwalk retrieves far more information: -c specifies the community string and -v the SNMP version. Version 2c is the most widely used; the output, however, is not very readable.
root@kali:~
Created directory: /var/lib/snmp/mib_indexes
iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: x86 Family 6 Model 142 Stepping 9 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Uniprocessor Free)"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.311.1.1.3.1.2
iso.3.6.1.2.1.1.3.0 = Timeticks: (176845) 0:29:28.45
iso.3.6.1.2.1.1.4.0 = ""
iso.3.6.1.2.1.1.5.0 = STRING: "CHENGQIA-852040"
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 76
iso.3.6.1.2.1.2.1.0 = INTEGER: 2
iso.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.1.327683 = INTEGER: 327683
iso.3.6.1.2.1.2.2.1.2.1 = Hex-STRING: 4D 53 20 54 43 50 20 4C 6F 6F 70 62 61 63 6B 20 69 6E 74 65 72 66 61 63 65 00
......
iso.3.6.1.2.1.25.6.3.1.4.3 = INTEGER: 4
iso.3.6.1.2.1.25.6.3.1.5.1 = Hex-STRING: 07 E2 0B 19 11 32 2A 00
iso.3.6.1.2.1.25.6.3.1.5.2 = Hex-STRING: 07 E3 04 18 17 1A 16 00
iso.3.6.1.2.1.25.6.3.1.5.3 = Hex-STRING: 07 E2 0B 19 11 34 2E 00
root@kali:~
iso.3.6.1.2.1.1.5.0 = STRING: "CHENGQIA-852040"
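The version and community string that -c and -v select travel in clear text at the front of every v1/v2c datagram. As an added example (not code from the original post), here is a small BER decoder that reads those two fields from a captured UDP/161 packet so a network monitor can flag requests still using the default public/private communities discussed in the SNMP section; the packet bytes are constructed for the example.

```python
# Added example, not from the original post: decode the header of an SNMPv1/v2c
# datagram and flag the well-known default community strings. Packets are constructed.

DEFAULT_COMMUNITIES = {"public", "private"}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one BER TLV; handles short and long lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(packet):
    """Return {'version': ..., 'community': str or None} for a raw SNMP message."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:                         # an SNMP message is an outer SEQUENCE
        raise ValueError("not an SNMP message")
    tag, version, pos = _read_tlv(body, 0)
    if tag != 0x02:                         # version INTEGER: 0 = v1, 1 = v2c, 3 = v3
        raise ValueError("missing version field")
    name = {0: "v1", 1: "v2c", 3: "v3"}.get(int.from_bytes(version, "big"), "unknown")
    if name == "v3":                        # v3 carries msgGlobalData here, not a community
        return {"version": name, "community": None}
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:                         # community OCTET STRING
        raise ValueError("missing community field")
    return {"version": name, "community": community.decode("latin-1")}

def uses_default_community(packet):
    """True when a v1/v2c message authenticates with 'public' or 'private'."""
    hdr = parse_snmp_header(packet)
    return hdr["version"] in ("v1", "v2c") and hdr["community"].lower() in DEFAULT_COMMUNITIES

# Constructed SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0), community "public".
SAMPLE_V1_PUBLIC = bytes.fromhex(
    "3026020100" "04067075626c6963"
    "a019020101020100020100300e300c06082b060102010101000500")
# The same request as SNMPv2c with a non-default community "s3cr3t-ro".
SAMPLE_V2C_CUSTOM = bytes.fromhex(
    "3029020101" "04097333637233742d726f"
    "a019020101020100020100300e300c06082b060102010101000500")

if __name__ == "__main__":
    for pkt in (SAMPLE_V1_PUBLIC, SAMPLE_V2C_CUSTOM):
        print(parse_snmp_header(pkt), "default community:", uses_default_community(pkt))
```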
3. snmp-check
Compared with snmpwalk, its output is much more readable.
snmp-check 192.168.247.129
snmp-check 192.168.247.129 -w    // check whether the community is writable
root@kali:~
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 192.168.247.129:161 using SNMPv1 and community 'public'

[*] System information:

  Host IP address               : 192.168.247.129
  Hostname                      : CHENGQIA-852040
  Description                   : Hardware: x86 Family 6 Model 142 Stepping 9 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Uniprocessor Free)
  Contact                       : -
  Location                      : -
  Uptime snmp                   : 4 days, 16:23:42.81
  Uptime system                 : 03:39:26.46
  System date                   : 2019-5-4 14:40:46.9
  Domain                        : WORKGROUP

[*] User accounts:    // user accounts

  cqq
  Guest
  test
  $
  Administrator
  SUPPORT_388945a0
  IUSR_CHENGQIA-852040
  IWAM_CHENGQIA-852040

[*] Network information:

  IP forwarding enabled         : no
  Default TTL                   : 128
  TCP segments received         : 149505
  TCP segments sent             : 73696
  TCP segments retrans          : 36
  Input datagrams               : 151617
  Delivered datagrams           : 151592
  Output datagrams              : 76693

[*] Network interfaces:

  Interface                     : [ up ] MS TCP Loopback interface
  Id                            : 1
  Mac Address                   : :::::
  Type                          : softwareLoopback
  Speed                         : 10 Mbps
  MTU                           : 1520
  In octets                     : 61841
  Out octets                    : 61841

  Interface                     : [ up ] Intel(R) PRO/1000 MT Network Connection
  Id                            : 327683
  Mac Address                   : 00:0c:29:8f:74:74
  Type                          : ethernet-csmacd
  Speed                         : 10 Mbps
  MTU                           : 1500
  In octets                     : 11941081
  Out octets                    : 6663859

[*] Network IP:

  Id                    IP Address            Netmask               Broadcast
  1                     127.0.0.1             255.0.0.0             1
  327683                192.168.247.129       255.255.255.0         1

[*] Routing information:    // routing information

  Destination           Next hop              Mask                  Metric
  0.0.0.0               192.168.247.2         0.0.0.0               30
  127.0.0.0             127.0.0.1             255.0.0.0             1
  192.168.247.0         192.168.247.129       255.255.255.0         30
  192.168.247.129       127.0.0.1             255.255.255.255       30
  192.168.247.255       192.168.247.129       255.255.255.255       30
  224.0.0.0             192.168.247.129       240.0.0.0             30
  255.255.255.255       192.168.247.129       255.255.255.255       1
......
root@kali:~
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 192.168.247.129:161 using SNMPv1 and community 'public'
[+] Write access check enabled

[!] 192.168.247.129:161 SNMP request timeout
II. SMB scanning
SMB (Server Message Block) protocol
Historically the Microsoft protocol with the most security problems: its implementation is complex, it is enabled by default on Windows, and it is one of the most widely used protocols, providing file sharing.
Null-session (unauthenticated) access (SMB1): Windows 2000 / XP / Windows 2003
Without establishing an authenticated connection, one can obtain passwords, user names, group names, machine names, and user and group IDs.
1. nmap
nmap -v -p139,445 192.168.247.129-131
    // scan three hosts for ports 139 and 445, which Windows opens by default; this cannot identify the OS precisely, but these ports usually indicate Windows.
nmap 192.168.247.129 -p139,445 --script=smb-os-discovery.nse
    // use nmap's bundled script to identify the operating system.
nmap -v -p139,445 --script=smb-vuln-*.nse --script-args=safe=1 192.168.247.129
    // check whether the target's SMB service has known vulnerabilities; smb-vuln-*.nse selects every smb-vuln script for a full check; safe runs only checks that are safe for the target, whereas unsafe checks can easily crash it.
root@kali:~
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-04 14:46 CST
Initiating ARP Ping Scan at 14:46
Scanning 3 hosts [1 port/host]
Completed ARP Ping Scan at 14:46, 0.22s elapsed (3 total hosts)
Initiating Parallel DNS resolution of 3 hosts. at 14:46
Completed Parallel DNS resolution of 3 hosts. at 14:46, 0.09s elapsed
Nmap scan report for 192.168.247.130 [host down]
Nmap scan report for 192.168.247.131 [host down]
Initiating SYN Stealth Scan at 14:46
Scanning bogon (192.168.247.129) [2 ports]
Discovered open port 445/tcp on 192.168.247.129
Discovered open port 139/tcp on 192.168.247.129
Completed SYN Stealth Scan at 14:46, 0.00s elapsed (2 total ports)
Nmap scan report for bogon (192.168.247.129)
Host is up (0.00045s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:8F:74:74 (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 3 IP addresses (1 host up) scanned in 0.43 seconds
           Raw packets sent: 7 (228B) | Rcvd: 3 (116B)
root@kali:~
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-04 14:47 CST
Nmap scan report for bogon (192.168.247.129)
Host is up (0.00024s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:8F:74:74 (VMware)

Host script results:    // target OS information
| smb-os-discovery:
|   OS: Windows Server 2003 3790 Service Pack 2 (Windows Server 2003 5.2)
|   OS CPE: cpe:/o:microsoft:windows_server_2003::sp2
|   Computer name: chengqia-852040
|   NetBIOS computer name: CHENGQIA-852040\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-05-04T14:47:50+08:00

Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds
root@kali:~
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-04 14:50 CST
NSE: Loaded 10 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:50
Completed NSE at 14:50, 0.00s elapsed
Initiating ARP Ping Scan at 14:50
Scanning 192.168.247.129 [1 port]
Completed ARP Ping Scan at 14:50, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:50
Completed Parallel DNS resolution of 1 host. at 14:50, 0.01s elapsed
Initiating SYN Stealth Scan at 14:50
Scanning bogon (192.168.247.129) [2 ports]
Discovered open port 445/tcp on 192.168.247.129
Discovered open port 139/tcp on 192.168.247.129
Completed SYN Stealth Scan at 14:50, 0.00s elapsed (2 total ports)
NSE: Script scanning 192.168.247.129.
Initiating NSE at 14:50
Completed NSE at 14:50, 5.00s elapsed
Nmap scan report for bogon (192.168.247.129)
Host is up (0.00044s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:8F:74:74 (VMware)

Host script results:    // vulnerabilities present on the target
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

NSE: Script Post-scanning.
Initiating NSE at 14:50
Completed NSE at 14:50, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 5.41 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
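A scan like the one above is only useful if its findings reach whoever patches the host. As an added example (not code from the original post), the following parses nmap's smb-vuln-* host-script output in the layout shown above into a per-script verdict with the CVE IDs it cites; the excerpt it runs on is constructed for the example.

```python
import re

# Added example, not from the original post: triage nmap's smb-vuln-* host script output
# (the format shown above) into a per-script verdict plus CVE IDs for patch tracking.
# The excerpt below is constructed in that layout.
SAMPLE_OUTPUT = """\
Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
Nmap done: 1 IP address (1 host up) scanned in 5.41 seconds
"""

SCRIPT_RE = re.compile(r"^\|[ _](smb-vuln-[\w-]+):\s*(.*)$")   # "| name:" or "|_name: value"
STATE_RE = re.compile(r"^\|\s+State:\s*(\S+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def triage_smb_vuln(output):
    """Map each smb-vuln script to {'state': ..., 'cves': [...]} from nmap's normal output."""
    results, current = {}, None
    for line in output.splitlines():
        if not line.startswith("|"):        # left the script-results block
            current = None
            continue
        m = SCRIPT_RE.match(line)
        if m:
            current, inline = m.group(1), m.group(2).strip()
            # one-line results: "false" = check ran, not vulnerable; anything else is a script status
            state = "NOT VULNERABLE" if inline == "false" else (inline or "UNKNOWN")
            results[current] = {"state": state, "cves": []}
        elif current is not None:           # continuation lines of a multi-line result
            s = STATE_RE.match(line)
            if s:
                results[current]["state"] = s.group(1)
            for cve in CVE_RE.findall(line):
                if cve not in results[current]["cves"]:
                    results[current]["cves"].append(cve)
    return results

def vulnerable_scripts(output):
    """Names of scripts that reported State: VULNERABLE, sorted for stable reporting."""
    return sorted(n for n, r in triage_smb_vuln(output).items() if r["state"] == "VULNERABLE")
```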
2. nbtscan
-r: use local port 137 for the scan; this has better compatibility and gives more complete results. nbtscan can scan across subnets.
root@kali:~
Doing NBT name scan for addresses from 192.168.247.0/24

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
192.168.247.0    Sendto failed: Permission denied
192.168.247.1    LAPTOP-PCL3G0V7  <server>  <unknown>        00:50:56:c0:00:08
192.168.247.129  CHENGQIA-852040  <server>  <unknown>        00:0c:29:8f:74:74
192.168.247.177  <unknown>                  <unknown>
192.168.247.255  Sendto failed: Permission denied
3. enum4linux
root@kali:~
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat May  4 14:54:15 2019

 ==========================
|    Target Information    |
 ==========================
Target ........... 192.168.247.129
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 =======================================================
|    Enumerating Workgroup/Domain on 192.168.247.129    |
 =======================================================
[+] Got domain/workgroup name: WORKGROUP

 ========================================
|    Session Check on 192.168.247.129    |
 ========================================
[+] Server 192.168.247.129 allows sessions using username '', password ''    // null session allowed

 ==============================================
|    Getting domain SID for 192.168.247.129    |
 ==============================================
Cannot connect to server.  Error was NT_STATUS_INVALID_PARAMETER
[+] Can't determine if host is part of domain or part of a workgroup

 ================================
|    Users on 192.168.247.129    |
 ================================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.
Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

enum4linux complete on Sat May  4 14:54:16 2019
III. SMTP scanning
SMTP: Simple Mail Transfer Protocol.
1. nc
root@kali:~
(UNKNOWN) [192.168.247.129] 25 (smtp) open
220 chengqia-852040 Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at Sat, 4 May 2019 14:55:24 +0800
^C
2. nmap
First port-scan the target to determine whether port 25 is open.
nmap smtp.163.com -p25 --script=smtp-enum-users.nse --script-args=smtp-enum-users.methods={VRFY}
    // enumerate accounts using the VRFY method.
nmap smtp.163.com -p25 --script=smtp-open-relay.nse
    // check whether relaying is enabled; an open relay is easily abused to send spam.
root@kali:~
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-04 14:57 CST
Nmap scan report for smtp.163.com (123.125.50.134)
Host is up (0.00032s latency).
Other addresses for smtp.163.com (not scanned): 123.125.50.133 123.125.50.138 123.125.50.132 123.125.50.135
rDNS record for 123.125.50.134: m50-134.163.com

PORT   STATE    SERVICE
25/tcp filtered smtp

Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds
root@kali:~
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-04 14:59 CST
Nmap scan report for smtp.163.com (123.125.50.135)
Host is up (0.0072s latency).
Other addresses for smtp.163.com (not scanned): 123.125.50.132 123.125.50.138 123.125.50.133 123.125.50.134
rDNS record for 123.125.50.135: m50-135.163.com

PORT   STATE SERVICE
25/tcp open  smtp
|_smtp-open-relay: Server doesn't seem to be an open relay, all tests failed

Nmap done: 1 IP address (1 host up) scanned in 2.60 seconds
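The two nmap checks above come back clean only when the server enforces the right policy. As an added example (not code from the original post or from any mail server), here is that policy on the server side: a RCPT TO decision that refuses to relay for unauthenticated, untrusted clients regardless of the sender address, a VRFY handler that gives every query the same answer, and a self-check that replays relay probes in the spirit of smtp-open-relay. The local domain, trusted network and probe addresses are assumed values.

```python
import ipaddress

# Added example, not from the original post: the relay and VRFY policy an MTA should
# enforce so that smtp-open-relay and smtp-enum-users find nothing. Assumed values below.
LOCAL_DOMAINS = {"example.com"}                              # assumed: domains we deliver for
TRUSTED_NETS = [ipaddress.ip_network("192.168.247.0/24")]    # assumed: internal network

def _domain(addr):
    """Domain part of 'user@host' or '<user@host>', lower-cased; '' if there is none."""
    addr = addr.strip().strip("<>")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def on_rcpt(client_ip, authenticated, mail_from, rcpt_to):
    """Reply to RCPT TO. Local delivery is open to everyone; relaying to any other
    domain needs SMTP AUTH or a client inside a trusted network. The sender address
    (mail_from) deliberately plays no part: it is unauthenticated, attacker-chosen data."""
    if _domain(rcpt_to) in LOCAL_DOMAINS or authenticated:
        return "250 2.1.5 Recipient OK"
    if any(ipaddress.ip_address(client_ip) in net for net in TRUSTED_NETS):
        return "250 2.1.5 Recipient OK"
    return "554 5.7.1 Relay access denied"

def on_vrfy(_argument):
    """Same answer for every VRFY argument, so replies cannot distinguish real accounts."""
    return "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery"

# Constructed probes in the spirit of smtp-open-relay: an unauthenticated client on a
# documentation address (TEST-NET-3) asks to relay to a foreign domain with assorted senders.
RELAY_PROBES = [
    ("<>", "<relaytest@other.test>"),
    ("<postmaster@example.com>", "<relaytest@other.test>"),
    ("<relaytest@other.test>", "<relaytest@other.test>"),
    ("<relaytest@example.com>", "<relaytest@other.test>"),
]

def is_open_relay(policy=on_rcpt, client_ip="203.0.113.7"):
    """True if the policy accepts any relay probe without authentication or trust."""
    return any(policy(client_ip, False, f, t).startswith("250") for f, t in RELAY_PROBES)

if __name__ == "__main__":
    print("open relay:", is_open_relay(), "| VRFY:", on_vrfy("Administrator"))
```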