1. SNMP扫描
SNMP:简单网络管理协议
- 基于SNMP,进行网络设备监控,如:交换机、防火墙、服务器,CPU等其系统内部信息。基本都可以监控到。
- community:登录证书,容易被管理员遗忘修改其特征字符 #可用字典破解community(public/private/manager);
- 信息的金矿,经常被错误配置;
MIB Tree:
- SNMP Management Information;
- 树型的网络设备管理功能数据库;
前期准备
在目标机上安装SNMP服务,并查看服务的状态,团体信息等;
(1)SNMP扫描——onesixtyone
- 能扫出硬件信息;
root@root:~# onesixtyone 192.168.37.130 public
Scanning 1 hosts, 1 communities
192.168.37.130 [public] Hardware: x86 Family 6 Model 78 Stepping 3 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.1 (Build 2600 Uniprocessor Free)
(2) SNMP扫描——snmpwalk
- 能查出更多的信息, -v指定版本,2c使用比较广泛,但可读性不是很好;
root@root:~# snmpwalk 192.168.37.130 -c public -v 2c
iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: x86 Family 6 Model 78 Stepping 3 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.1 (Build 2600 Uniprocessor Free)"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.311.1.1.3.1.1
iso.3.6.1.2.1.1.3.0 = Timeticks: (43123182) 4 days, 23:47:11.82
iso.3.6.1.2.1.1.4.0 = ""
iso.3.6.1.2.1.1.5.0 = STRING: "UPWARD"
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 76
iso.3.6.1.2.1.2.1.0 = INTEGER: 3
iso.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.1.2 = INTEGER: 2
iso.3.6.1.2.1.2.2.1.1.196612 = INTEGER: 196612
iso.3.6.1.2.1.2.2.1.2.1 = Hex-STRING: 4D 53 20 54 43 50 20 4C 6F 6F 70 62 61 63 6B 20
69 6E 74 65 72 66 61 63 65 00
iso.3.6.1.2.1.2.2.1.2.2 = Hex-STRING: 41 4D 44 20 50 43 4E 45 54 20 46 61 6D 69 6C 79
20 50 43 49 20 45 74 68 65 72 6E 65 74 20 41 64
61 70 74 65 72 20 2D 20 CA FD BE DD B0 FC BC C6
BB AE B3 CC D0 F2 CE A2 D0 CD B6 CB BF DA 00
iso.3.6.1.2.1.2.2.1.2.196612 = Hex-STRING: 42 6C 75 65 74 6F 6F 74 68 20 C9 E8 B1 B8 28 B8
F6 C8 CB C7 F8 D3 F2 CD F8 29 00
......
iso.3.6.1.2.1.25.6.3.1.2.2 = STRING: "WebFldrs XP"
iso.3.6.1.2.1.25.6.3.1.2.3 = STRING: "VMware Tools"
iso.3.6.1.2.1.25.6.3.1.3.1 = OID: ccitt.0
iso.3.6.1.2.1.25.6.3.1.3.2 = OID: ccitt.0
iso.3.6.1.2.1.25.6.3.1.3.3 = OID: ccitt.0
iso.3.6.1.2.1.25.6.3.1.4.1 = INTEGER: 4
iso.3.6.1.2.1.25.6.3.1.4.2 = INTEGER: 4
iso.3.6.1.2.1.25.6.3.1.4.3 = INTEGER: 4
iso.3.6.1.2.1.25.6.3.1.5.1 = Hex-STRING: 07 E2 0B 11 15 33 36 00
iso.3.6.1.2.1.25.6.3.1.5.2 = Hex-STRING: 07 E3 04 07 0B 39 34 00
iso.3.6.1.2.1.25.6.3.1.5.3 = Hex-STRING: 07 E2 0B 11 15 35 08 00
root@root:~# snmpwalk 192.168.37.130 -c public -v 2c iso.3.6.1.2.1.25.6.3.1.2.2
iso.3.6.1.2.1.25.6.3.1.2.2 = STRING: "WebFldrs XP"
(3)SNMP扫描——snmp-check
- 相比snmpwalk,增强了可读性;
- snmp-check 192.168.37.130;
- snmp-check 192.168.37.130 -w; #是否可写
root@root:~# snmp-check 192.168.37.130
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)[+] Try to connect to 192.168.37.130:161 using SNMPv1 and community 'public'[*] System information:Host IP address : 192.168.37.130Hostname : UPWARDDescription : Hardware: x86 Family 6 Model 78 Stepping 3 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.1 (Build 2600 Uniprocessor Free)Contact : -Location : -Uptime snmp : 4 days, 13:40:38.12Uptime system : 4 days, 23:54:43.71System date : 2019-4-14 19:03:54.4Domain : WORKGROUP[*] User accounts:x y z abc$ Guest yaoxingzhi IUSR_UPWARD IWAM_UPWARD Administrator HelpAssistant SUPPORT_388945a0 [*] Network information:IP forwarding enabled : noDefault TTL : 128TCP segments received : 11471TCP segments sent : 4045TCP segments retrans : 0Input datagrams : 13960Delivered datagrams : 13859Output datagrams : 9959[*] Network interfaces:Interface : [ up ] MS TCP Loopback interfaceId : 1Mac Address : :::::Type : softwareLoopbackSpeed : 10 MbpsMTU : 1520In octets : 8291Out octets : 8291......
[*] Network IP:Id IP Address Netmask Broadcast 196612 0.0.0.0 0.0.0.0 1 1 127.0.0.1 255.0.0.0 1 2 192.168.37.130 255.255.255.0 1 [*] Routing information:Destination Next hop Mask Metric 0.0.0.0 192.168.37.2 0.0.0.0 10 127.0.0.0 127.0.0.1 255.0.0.0 1 192.168.37.0 192.168.37.130 255.255.255.0 10 192.168.37.130 127.0.0.1 255.255.255.255 10 192.168.37.255 192.168.37.130 255.255.255.255 10 224.0.0.0 192.168.37.130 240.0.0.0 10 255.255.255.255 192.168.37.130 255.255.255.255 1 [*] TCP connections and listening ports:Local address Local port Remote address Remote port State 0.0.0.0 25 0.0.0.0 47132 listen 0.0.0.0 80 0.0.0.0 20587 listen 0.0.0.0 135 0.0.0.0 39150 Others : 0CGIRequests : 0BGIRequests : 0NotFoundErrors : 0
......root@root:~# snmp-check 192.168.37.130 -w
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)[+] Try to connect to 192.168.37.130:161 using SNMPv1 and community 'public'
[+] Write access check enabled[!] 192.168.37.130:161 SNMP request timeout
2. SMB扫描
SMB协议:
- Server Message Block协议;
- 微软历史上出现问题最多的协议;
- 实现复杂,默认在Windows上是开放的,也是最常用的协议,用于实现文件的共享;
(1)Nmap
- 可以使用nmap扫描默认开放的端口139,445,但是不能准确判断操作系统的类型,一般情况下是Windows系统;
- nmap 192.168.37.130 -p139,445 --script=smb-os-discovery.nse #使用nmap自带的脚本进行操作系统的判断;
- nmap -v -p139,445 --script=smb-vuln-*.nse --script-args=safe=1 192.168.37.130 #扫描Windows系统中的SMB协议是否有漏洞;可以使用smb-vuln-*.nse来指定所有的脚本文件,进行全扫描;
root@root:~# nmap -v -p139,445 192.168.37.130-132 #扫描3个主机,查看是否开启139,445端口
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 19:47 CST
Initiating ARP Ping Scan at 19:47
Scanning 2 hosts [1 port/host]
Completed ARP Ping Scan at 19:47, 0.21s elapsed (2 total hosts)
Initiating Parallel DNS resolution of 2 hosts. at 19:47
Completed Parallel DNS resolution of 2 hosts. at 19:47, 0.01s elapsed
Nmap scan report for 192.168.37.132 [host down]
Initiating Parallel DNS resolution of 1 host. at 19:47
Completed Parallel DNS resolution of 1 host. at 19:47, 0.01s elapsed
Initiating SYN Stealth Scan at 19:47
Scanning bogon (192.168.37.130) [2 ports]
Discovered open port 139/tcp on 192.168.37.130
Discovered open port 445/tcp on 192.168.37.130
Completed SYN Stealth Scan at 19:47, 0.01s elapsed (2 total ports)
Nmap scan report for bogon (192.168.37.130)
Host is up (0.00043s latency).PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:B6:06:CC (VMware)Initiating SYN Stealth Scan at 19:47
Scanning bogon (192.168.37.131) [2 ports]
Completed SYN Stealth Scan at 19:47, 0.00s elapsed (2 total ports)
Nmap scan report for bogon (192.168.37.131)
Host is up (0.000035s latency).PORT STATE SERVICE
139/tcp closed netbios-ssn
445/tcp closed microsoft-dsRead data files from: /usr/bin/../share/nmap
Nmap done: 3 IP addresses (2 hosts up) scanned in 0.46 secondsRaw packets sent: 7 (260B) | Rcvd: 7 (284B)
root@root:~# nmap 192.168.37.130 -p139,445 --script=smb-os-discovery.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 19:53 CST
Nmap scan report for bogon (192.168.37.130)
Host is up (0.00032s latency).PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:B6:06:CC (VMware)Host script results:
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: upward
| NetBIOS computer name: UPWARD\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2019-04-14T19:53:27+08:00Nmap done: 1 IP address (1 host up) scanned in 0.82 seconds- 可以使用smb-vuln-*.nse来指定所有的脚本文件,进行全扫描。
root@root:~# nmap -v -p139,445 --script=smb-vuln-*.nse --script-args=safe=1 192.168.37.130
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 19:58 CST
NSE: Loaded 10 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:58
Completed NSE at 19:58, 0.00s elapsed
Initiating ARP Ping Scan at 19:58
Scanning 192.168.37.130 [1 port]
Completed ARP Ping Scan at 19:58, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:58
Completed Parallel DNS resolution of 1 host. at 19:58, 0.30s elapsed
Initiating SYN Stealth Scan at 19:58
Scanning bogon (192.168.37.130) [2 ports]
Discovered open port 139/tcp on 192.168.37.130
Discovered open port 445/tcp on 192.168.37.130
Completed SYN Stealth Scan at 19:58, 0.00s elapsed (2 total ports)
NSE: Script scanning 192.168.37.130.
Initiating NSE at 19:58
Completed NSE at 19:58, 5.01s elapsed
Nmap scan report for bogon (192.168.37.130)
Host is up (0.00041s latency).PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:B6:06:CC (VMware)Host script results:
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143NSE: Script Post-scanning.
Initiating NSE at 19:58
Completed NSE at 19:58, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.03 secondsRaw packets sent: 3 (116B) | Rcvd: 3 (116B)
(2)Nbtscan
- -r 选项:使用本地端口137,兼容性好,扫描结果全;
- 可以跨网段扫描;
root@root:~# nbtscan -r 192.168.37.0/24
Doing NBT name scan for addresses from 192.168.37.0/24IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
192.168.37.0 Sendto failed: Permission denied
192.168.37.130 UPWARD <server> <unknown> 00:0c:29:b6:06:cc
192.168.37.131 <unknown> <unknown>
192.168.37.255 Sendto failed: Permission denied
(3) enum4linux
root@root:~# enum4linux -U 192.168.37.130
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Apr 14 20:18:06 2019==========================
| Target Information |==========================
Target ........... 192.168.37.130
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none======================================================
| Enumerating Workgroup/Domain on 192.168.37.130 |======================================================
[+] Got domain/workgroup name: WORKGROUP=======================================
| Session Check on 192.168.37.130 |=======================================
[+] Server 192.168.37.130 allows sessions using username '', password ''=============================================
| Getting domain SID for 192.168.37.130 |=============================================
Cannot connect to server. Error was NT_STATUS_INVALID_PARAMETER
[+] Can't determine if host is part of domain or part of a workgroup===============================
| Users on 192.168.37.130 |===============================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.
enum4linux complete on Sun Apr 14 20:18:08 2019root@root:~# enum4linux -a 192.168.37.130
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Apr 14 20:19:56 2019==========================
| Target Information |==========================
Target ........... 192.168.37.130
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none======================================================
| Enumerating Workgroup/Domain on 192.168.37.130 |======================================================
[+] Got domain/workgroup name: WORKGROUP==============================================
| Nbtstat Information for 192.168.37.130 |==============================================
Looking up status of 192.168.37.130UPWARD <00> - M <ACTIVE> Workstation ServiceUPWARD <20> - M <ACTIVE> File Server ServiceWORKGROUP <00> - <GROUP> M <ACTIVE> Domain/Workgroup NameWORKGROUP <1e> - <GROUP> M <ACTIVE> Browser Service ElectionsWORKGROUP <1d> - M <ACTIVE> Master Browser..__MSBROWSE__. <01> - <GROUP> M <ACTIVE> Master BrowserMAC Address = 00-0C-29-B6-06-CC=======================================
| Session Check on 192.168.37.130 |=======================================
[+] Server 192.168.37.130 allows sessions using username '', password ''=============================================
| Getting domain SID for 192.168.37.130 |=============================================
Cannot connect to server. Error was NT_STATUS_INVALID_PARAMETER
[+] Can't determine if host is part of domain or part of a workgroup========================================
| OS information on 192.168.37.130 |========================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.37.130 from smbclient:
[+] Got OS info for 192.168.37.130 from srvinfo:
Cannot connect to server. Error was NT_STATUS_INVALID_PARAMETER===============================
| Users on 192.168.37.130 |===============================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.===========================================
| Share Enumeration on 192.168.37.130 |===========================================
[E] Can't list shares: NT_STATUS_ACCESS_DENIED[+] Attempting to map shares on 192.168.37.130======================================================
| Password Policy Information for 192.168.37.130 |======================================================
[E] Unexpected error from polenum:[+] Attaching to 192.168.37.130 using a NULL share[+] Trying protocol 445/SMB...[!] Protocol failed: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)[+] Trying protocol 139/SMB...[!] Protocol failed: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)[+] Retieved partial password policy with rpcclient:================================
| Groups on 192.168.37.130 |================================ [+] Getting builtin groups:[+] Getting builtin group memberships:[+] Getting local groups:[+] Getting local group memberships:[+] Getting domain groups:[+] Getting domain group memberships:=========================================================================
| Users on 192.168.37.130 via RID cycling (RIDS: 500-550,1000-1050) |========================================================================= ===============================================
| Getting printer info for 192.168.37.130 |===============================================
Cannot connect to server. Error was NT_STATUS_INVALID_PARAMETERenum4linux complete on Sun Apr 14 20:20:00 2019
3. SMTP扫描
- SMTP(Simple Mail Transfer Protocol):简单邮件传输协议;
(1) nc
root@root:~# nc -nv 192.168.37.130 25 #连接25号端口
(UNKNOWN) [192.168.37.130] 25 (smtp) open
220 upward Microsoft ESMTP MAIL Service, Version: 6.0.2600.5512 ready at Sun, 14 Apr 2019 20:26:36 +0800
^C(2) nmap
- 前提:使用端口扫描,判断出目标主机开放25号端口;
- nmap smtp.163.com -p25 --script=smtp-enum-users.nse --script-args=smtp-enum-users.methods={VRFY} ##扫描用户账户,指定方式为{VRFY}
- nmap smtp.163.com -p25 --script=smtp-open-relay.nse #扫描是否开启中继(如果开启邮件中继的话,所有人都可以使用邮件中继,甚至做一些非法的事情)
#前提:使用端口扫描,判断出目标主机开放25号端口;
root@root:~# nmap smtp.163.com -p25 --script=smtp-enum-users.nse --script-args=smtp-enum-users.methods={VRFY}
#扫描用户账户,指定方式为{VRFY}
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 20:27 CST
Nmap scan report for smtp.163.com (123.125.50.132)
Host is up (0.0092s latency).
Other addresses for smtp.163.com (not scanned): 123.125.50.133 123.125.50.138 123.125.50.134 123.125.50.135
rDNS record for 123.125.50.132: m50-132.163.comPORT STATE SERVICE
25/tcp open smtp
| smtp-enum-users:
|_ Couldn't find any accountsNmap done: 1 IP address (1 host up) scanned in 9.25 seconds
root@root:~# nmap smtp.163.com -p25 --script=smtp-open-relay.nse #是否开启中继
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 20:29 CST
Nmap scan report for smtp.163.com (123.125.50.135)
Host is up (0.013s latency).
Other addresses for smtp.163.com (not scanned): 123.125.50.134 123.125.50.138 123.125.50.133 123.125.50.132
rDNS record for 123.125.50.135: m50-135.163.comPORT STATE SERVICE
25/tcp open smtp
|_smtp-open-relay: Server doesn't seem to be an open relay, all tests failedNmap done: 1 IP address (1 host up) scanned in 7.93 seconds