Newbie Diary 12: Kali Penetration Testing, Service Scanning (2): SMB Scanning


    SMB Scanning

    The Server Message Block protocol. Unlike the other standard TCP/IP protocols, SMB is a complex protocol: as Windows evolved, more and more functionality was added to it, so it is hard to tell which concepts and features belong to the Windows operating system itself and which belong to the SMB protocol. Because the protocol is so complex, it is the protocol with the most security problems in Microsoft's history.

    1、Nmap

    The simplest method is to scan for the ports SMB always listens on, 139 and 445. Open ports alone, however, cannot reliably tell you that the host is a Windows system.

    root@kali:~# nmap -v -p139,445 192.168.1.0/24          # -v: print more detailed output
    
    Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-12 15:35 CST
    Initiating ARP Ping Scan at 15:35
    Scanning 255 hosts [1 port/host]
    Completed ARP Ping Scan at 15:35, 1.70s elapsed (255 total hosts)
    Initiating Parallel DNS resolution of 255 hosts. at 15:35
    Completed Parallel DNS resolution of 255 hosts. at 15:35, 0.01s elapsed
    Nmap scan report for 192.168.1.0 [host down]
    Nmap scan report for 192.168.1.2 [host down]
    Nmap scan report for 192.168.1.3 [host down]
    Nmap scan report for 192.168.1.4 [host down]                                                                               
    …………………………………………
    Nmap scan report for 192.168.1.255 [host down]
    Initiating Parallel DNS resolution of 1 host. at 15:35
    Completed Parallel DNS resolution of 1 host. at 15:35, 0.00s elapsed
    Initiating SYN Stealth Scan at 15:35
    Scanning 4 hosts [2 ports/host]
    Discovered open port 445/tcp on 192.168.1.141
    Discovered open port 139/tcp on 192.168.1.141
    Discovered open port 445/tcp on 192.168.1.107
    Discovered open port 139/tcp on 192.168.1.107
    Completed SYN Stealth Scan at 15:35, 0.05s elapsed (8 total ports)
    Nmap scan report for DD-WRT (192.168.1.1)
    Host is up (0.0088s latency).
    PORT    STATE  SERVICE
    139/tcp closed netbios-ssn
    445/tcp closed microsoft-ds
    MAC Address: 1C:BD:B9:27:D5:32 (D-Link International)
    
    Nmap scan report for 192.168.1.107
    Host is up (0.0011s latency).
    PORT    STATE SERVICE
    139/tcp open  netbios-ssn
    445/tcp open  microsoft-ds
    MAC Address: 08:00:27:EB:1D:BC (Oracle VirtualBox virtual NIC)
    
    Nmap scan report for DESKTOP-TA5DCRJ (192.168.1.141)
    Host is up (0.0027s latency).
    PORT    STATE SERVICE
    139/tcp open  netbios-ssn
    445/tcp open  microsoft-ds
    MAC Address: 2C:6E:85:C4:0D:5B (Intel Corporate)
    
    Nmap scan report for kali (192.168.1.143)
    Host is up (0.0032s latency).
    PORT    STATE  SERVICE
    139/tcp closed netbios-ssn
    445/tcp closed microsoft-ds
    MAC Address: 08:00:27:CA:63:99 (Oracle VirtualBox virtual NIC)
    
    Initiating SYN Stealth Scan at 15:35
    Scanning 192.168.1.127 [2 ports]
    Completed SYN Stealth Scan at 15:35, 0.06s elapsed (2 total ports)
    Nmap scan report for 192.168.1.127
    Host is up (0.00015s latency).
    PORT    STATE  SERVICE
    139/tcp closed netbios-ssn
    445/tcp closed microsoft-ds
    
    Read data files from: /usr/bin/../share/nmap
    Nmap done: 256 IP addresses (5 hosts up) scanned in 2.03 seconds
               Raw packets sent: 516 (14.608KB) | Rcvd: 16 (616B)
    

    Advanced scanning

    1. Discover Windows systems that expose SMB

    root@kali:~# nmap 192.168.1.141 -p139,445 --script=smb-os-discovery.nse  # NSE script that fingerprints the OS over SMB
    
    Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-12 15:43 CST
    Nmap scan report for DESKTOP-TA5DCRJ (192.168.1.141)
    Host is up (0.00030s latency).
    PORT    STATE SERVICE
    139/tcp open  netbios-ssn
    445/tcp open  microsoft-ds
    MAC Address: 2C:6E:85:C4:0D:5B (Intel Corporate)
    
    Host script results:
    | smb-os-discovery: 
    |   OS: Windows 10 Home China 10586 (Windows 10 Home China 6.3)
    |   OS CPE: cpe:/o:microsoft:windows_10::-
    |   NetBIOS computer name: DESKTOP-TA5DCRJ
    |   Workgroup: WORKGROUP
    |_  System time: 2016-09-12T15:43:52+08:00
    
    Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds
    
    2. Check whether the Windows system's SMB implementation has known vulnerabilities
    Since Nmap 6.49beta6 the smb-check-vulns.nse script has been removed. It was split into six scripts: smb-vuln-conficker, smb-vuln-cve2009-3103, smb-vuln-ms06-025, smb-vuln-ms07-029, smb-vuln-regsvc-dos and smb-vuln-ms08-067, and you pick the one that fits your target. If you are not sure which one to run, smb-vuln-*.nse selects all of them for a full scan.
    root@kali:~# nmap -v -p139,445 --script=smb-vuln-*.nse --script-args=unsafe=1 192.168.1.115 -Pn
                   # unsafe=1: aggressive checks that may crash the target; unsafe=0 runs only the safe checks  # -Pn: skip host discovery, so a host behind a firewall that filters the probes is still scanned
    Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-12 19:59 CST
    NSE: Loaded 8 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating NSE at 19:59
    Completed NSE at 19:59, 0.00s elapsed
    Initiating ARP Ping Scan at 19:59
    Scanning 192.168.1.115 [1 port]
    Completed ARP Ping Scan at 19:59, 0.09s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 19:59
    Completed Parallel DNS resolution of 1 host. at 19:59, 0.01s elapsed
    Initiating SYN Stealth Scan at 19:59
    Scanning PC (192.168.1.115) [2 ports]
    Discovered open port 139/tcp on 192.168.1.115
    Discovered open port 445/tcp on 192.168.1.115
    Completed SYN Stealth Scan at 19:59, 0.04s elapsed (2 total ports)
    NSE: Script scanning 192.168.1.115.
    Initiating NSE at 19:59
    Completed NSE at 19:59, 5.00s elapsed
    Nmap scan report for PC (192.168.1.115)
    Host is up (0.00028s latency).
    PORT    STATE SERVICE
    139/tcp open  netbios-ssn
    445/tcp open  microsoft-ds
    MAC Address: 08:00:27:2B:32:0F (Oracle VirtualBox virtual NIC)
    
    Host script results:
    | smb-vuln-cve2009-3103: 
    |   VULNERABLE:
    |   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
    |     State: VULNERABLE
    |     IDs:  CVE:CVE-2009-3103
    |           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2, 
    |           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a 
    |           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE 
    |           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location, 
    |           aka "SMBv2 Negotiation Vulnerability." 
    |           
    |     Disclosure date: 2009-09-08
    |     References:
    |       http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
    |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
    |_smb-vuln-ms10-054: ERROR: Script execution failed (use -d to debug)
    |_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
    
    NSE: Script Post-scanning.
    Initiating NSE at 19:59
    Completed NSE at 19:59, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    Nmap done: 1 IP address (1 host up) scanned in 5.47 seconds
               Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
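    The two nmap stages above (port sweep, then NSE scripts per host) chained into one script, as an added example that is not from the original post. It assumes the sweep was saved in grepable form with `nmap -p139,445 -oG sweep.gnmap 192.168.1.0/24`; the sweep and report samples are constructed inline to mirror the post's hosts, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: chain the port sweep and the
# per-host NSE stage, then reduce the report to one line per finding.
# Assumes the sweep was saved with: nmap -p139,445 -oG sweep.gnmap 192.168.1.0/24
# Both samples below are constructed (they mirror the post's hosts).

# Constructed grepable (-oG) sweep output; only 445/open hosts matter here.
SWEEP_SAMPLE='Host: 192.168.1.1 (DD-WRT)  Ports: 139/closed/tcp//netbios-ssn///, 445/closed/tcp//microsoft-ds///
Host: 192.168.1.107 ()  Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 192.168.1.141 (DESKTOP-TA5DCRJ)  Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 192.168.1.143 (kali)  Ports: 139/closed/tcp//netbios-ssn///, 445/closed/tcp//microsoft-ds///'

# Constructed normal (-oN) output of the follow-up scripts, trimmed to the
# lines that matter: report header, OS line, and one vuln script result.
REPORT_SAMPLE='Nmap scan report for DESKTOP-TA5DCRJ (192.168.1.141)
| smb-os-discovery:
|   OS: Windows 10 Home China 10586 (Windows 10 Home China 6.3)
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
Nmap scan report for PC (192.168.1.115)
| smb-vuln-cve2009-3103:
|   VULNERABLE:
|     State: VULNERABLE'

# smb_hosts: IPs whose 445/tcp was open in the sweep, one per line.
smb_hosts() {
    printf '%s\n' "$SWEEP_SAMPLE" | awk '/445\/open\/tcp/ { print $2 }'
}

# followup_cmd IP: the second stage for one host, OS discovery plus the vuln
# scripts kept in safe mode (unsafe=0) so a fragile host is not crashed.
followup_cmd() {
    printf 'nmap -p139,445 --script=smb-os-discovery.nse,smb-vuln-*.nse --script-args=unsafe=0 %s\n' "$1"
}

# summarize_report: read -oN output on stdin; print "<ip> OS=<os>" for each
# fingerprinted host and "<ip> VULN=<script>" for each VULNERABLE result.
summarize_report() {
    awk '
      /^Nmap scan report for/   { ip = $NF; gsub(/[()]/, "", ip) }
      /^\| +OS: /               { sub(/^\| +OS: /, ""); print ip " OS=" $0 }
      /^\| smb-vuln-[^:]*: *$/  { script = $2; sub(/:$/, "", script) }
      /State: VULNERABLE/       { print ip " VULN=" script }
    '
}

# Stand-alone run: list SMB hosts, show each follow-up command, summarize.
smb_hosts | while read -r ip; do followup_cmd "$ip"; done
printf '%s\n' "$REPORT_SAMPLE" | summarize_report
```

    With real files, replace the samples by `awk ... sweep.gnmap` and `summarize_report < report.nmap`; the summary is what goes into the inventory of SMB-exposed hosts that need patching or firewalling.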
    


    2、Nbtscan

    # -R: use local port 137; best compatibility, finds older systems, gives the most complete results

    # supports scanning a whole subnet

    Advantage: it can collect MAC addresses across subnets, provided firewall filtering is not strict enough to block it

    IP address       NetBIOS Name     Server    User             MAC address      
    ------------------------------------------------------------------------------
    192.168.1.0	Sendto failed: Permission denied
    192.168.1.127    <unknown>                  <unknown>        
    192.168.1.107    METASPLOITABLE   <server>  METASPLOITABLE   00:00:00:00:00:00
    192.168.1.141    DESKTOP-TA5DCRJ  <server>  <unknown>        2c:6e:85:c4:0d:5b
    192.168.1.115    PC               <server>  <unknown>        08:00:27:2b:32:0f
    192.168.1.255	Sendto failed: Permission denied
    

    3、enum4linux

    Enumerates a Windows system from Linux. It does not support scanning a subnet, but its results are very detailed.

    root@kali:~# enum4linux -a 192.168.1.141
    Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Sep 12 20:22:19 2016
    
     ========================== 
    |    Target Information    |
     ========================== 
    Target ........... 192.168.1.141
    RID Range ........ 500-550,1000-1050
    Username ......... ''
    Password ......... ''
    Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
    
    
     ===================================================== 
    |    Enumerating Workgroup/Domain on 192.168.1.141    |
     ===================================================== 
    [+] Got domain/workgroup name: WORKGROUP
    
     ============================================= 
    |    Nbtstat Information for 192.168.1.141    |
     ============================================= 
    Looking up status of 192.168.1.141
    	DESKTOP-TA5DCRJ <00> -         B <ACTIVE>  Workstation Service
    	DESKTOP-TA5DCRJ <20> -         B <ACTIVE>  File Server Service
    	WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
    
    	MAC Address = 2C-6E-85-C4-0D-5B
    
     ====================================== 
    |    Session Check on 192.168.1.141    |
     ====================================== 
    [+] Server 192.168.1.141 allows sessions using username '', password ''  # attempts a null session
    
     ============================================ 
    |    Getting domain SID for 192.168.1.141    |
     ============================================ 
    could not initialise lsa pipe. Error was NT_STATUS_ACCESS_DENIED
    could not obtain sid for domain WORKGROUP
    error: NT_STATUS_ACCESS_DENIED
    [+] Can't determine if host is part of domain or part of a workgroup
    
     ======================================= 
    |    OS information on 192.168.1.141    |
     ======================================= 
    [+] Got OS info for 192.168.1.141 from smbclient: Domain=[DESKTOP-TA5DCRJ] OS=[Windows 10 Home China 10586] Server=[Windows 10 Home China 6.3]
    [E] Can't get OS info with srvinfo: NT_STATUS_ACCESS_DENIED
    
     ============================== 
    |    Users on 192.168.1.141    |
     ============================== 
    [E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
    
    [E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED
    
     ========================================== 
    |    Share Enumeration on 192.168.1.141    |
     ========================================== 
    [E] Can't list shares: NT_STATUS_ACCESS_DENIED
    
    [+] Attempting to map shares on 192.168.1.141
    
     ===================================================== 
    |    Password Policy Information for 192.168.1.141    |
     ===================================================== 
    [E] Unexpected error from polenum:
    
    [+] Attaching to 192.168.1.141 using a NULL share
    
    	[+] Trying protocol 445/SMB...
    
    	[!] Protocol failed: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
    
    	[+] Trying protocol 139/SMB...
    
    	[!] Protocol failed: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
    
    [E] Failed to get password policy with rpcclient
    
    
     =============================== 
    |    Groups on 192.168.1.141    |
     =============================== 
    
    [+] Getting builtin groups:
    [E] Can't get builtin groups: NT_STATUS_ACCESS_DENIED
    
    [+] Getting builtin group memberships:
    
    [+] Getting local groups:
    [E] Can't get local groups: NT_STATUS_ACCESS_DENIED
    
    [+] Getting local group memberships:
    
    [+] Getting domain groups:
    [E] Can't get domain groups: NT_STATUS_ACCESS_DENIED
    
    [+] Getting domain group memberships:
    
     ======================================================================== 
    |    Users on 192.168.1.141 via RID cycling (RIDS: 500-550,1000-1050)    |
     ======================================================================== 
    [E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.
    
     ============================================== 
    |    Getting printer info for 192.168.1.141    |
     ============================================== 
    could not initialise lsa pipe. Error was NT_STATUS_ACCESS_DENIED
    could not obtain sid for domain WORKGROUP
    error: NT_STATUS_ACCESS_DENIED
    
    
    enum4linux complete on Mon Sep 12 20:22:20 2016
    


    Newbie Diary, to be continued...

    Original URL: https://www.cnblogs.com/zixuanfy/p/5988677.html