I. SNMP scanning
SNMP (Simple Network Management Protocol) is a plaintext protocol (in versions 1 and 2c; only SNMPv3 adds authentication and encryption).
- Network devices are monitored over SNMP: switches, firewalls, servers, CPU load and most other internal system state can be read through it.
- It is a gold mine of information and is frequently misconfigured by administrators.
- The community string is the "credential". Its default value is public, and administrators often forget to change it. There are two default community strings: public (read-only) and private (read-write).
- The agent listens on UDP port 161; traps are sent from the agent to the manager on UDP port 162.
MIB tree:
- SNMP Management Information Base (MIB)
- A tree-structured database of the device's management objects, each addressed by an OID
Install the SNMP service on the target host and check the service status and the community configuration.
Control Panel, Add or Remove Programs, opens the screen shown in the figure below (screenshot not included in this copy):
1. onesixtyone
- Queries the target's system description (sysDescr), which reveals hardware and OS version:

root@kali:~# onesixtyone 192.168.247.129 public
Scanning 1 hosts, 1 communities
192.168.247.129 [public] Hardware: x86 Family 6 Model 142 Stepping 9 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Uniprocessor Free)

- If the scan returns nothing, the target may have changed its default community string; in that case scan with a dictionary of community strings.
root@kali:~# dpkg -L onesixtyone
/.
/usr
/usr/bin
/usr/bin/onesixtyone
/usr/share
/usr/share/doc
/usr/share/doc/onesixtyone
/usr/share/doc/onesixtyone/README
/usr/share/doc/onesixtyone/changelog.Debian.amd64.gz
/usr/share/doc/onesixtyone/changelog.Debian.gz
/usr/share/doc/onesixtyone/changelog.gz
/usr/share/doc/onesixtyone/copyright
/usr/share/doc/onesixtyone/dict.txt    // the default community-string dictionary
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/onesixtyone.1.gz

root@kali:~# onesixtyone -c /usr/share/doc/onesixtyone/dict.txt 192.168.247.129 -o my.log -w 100
Logging to file my.log
Scanning 1 hosts, 49 communities

Here -c names the dictionary, -o writes the results to a log file and -w is the delay in milliseconds between packets (raise it against devices that drop bursts). The rest of this run's output is garbled in the source.
2. snmpwalk
- Walks the whole MIB and returns far more information. -c sets the community string and -v the SNMP version; version 2c is the most widely used, but the raw OID output is not very readable.

root@kali:~# snmpwalk 192.168.247.129 -c public -v 2c
Created directory: /var/lib/snmp/mib_indexes
iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: x86 Family 6 Model 142 Stepping 9 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Uniprocessor Free)"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.311.1.1.3.1.2
iso.3.6.1.2.1.1.3.0 = Timeticks: (176845) 0:29:28.45
iso.3.6.1.2.1.1.4.0 = ""
iso.3.6.1.2.1.1.5.0 = STRING: "CHENGQIA-852040"
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 76
iso.3.6.1.2.1.2.1.0 = INTEGER: 2
iso.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.1.327683 = INTEGER: 327683
iso.3.6.1.2.1.2.2.1.2.1 = Hex-STRING: 4D 53 20 54 43 50 20 4C 6F 6F 70 62 61 63 6B 20 69 6E 74 65 72 66 61 63 65 00
......
iso.3.6.1.2.1.25.6.3.1.4.3 = INTEGER: 4
iso.3.6.1.2.1.25.6.3.1.5.1 = Hex-STRING: 07 E2 0B 19 11 32 2A 00
iso.3.6.1.2.1.25.6.3.1.5.2 = Hex-STRING: 07 E3 04 18 17 1A 16 00
iso.3.6.1.2.1.25.6.3.1.5.3 = Hex-STRING: 07 E2 0B 19 11 34 2E 00

The first entries are the system group (1.3.6.1.2.1.1): sysDescr, sysObjectID (1.3.6.1.4.1.311 is Microsoft's enterprise arc), sysUpTime, sysContact, sysName, sysLocation and sysServices. The Hex-STRING under 1.3.6.1.2.1.2.2.1.2 decodes to "MS TCP Loopback interface", and the 1.3.6.1.2.1.25.6.3.1.5 entries are hrSWInstalledDate values, the install timestamps of the software inventory.
- Querying a specific OID:

root@kali:~# snmpwalk 192.168.247.129 -c public -v 2c iso.3.6.1.2.1.1.5
iso.3.6.1.2.1.1.5.0 = STRING: "CHENGQIA-852040"
3. snmp-check
More readable output than snmpwalk: it groups the walked MIB into labelled sections.
- snmp-check 192.168.247.129
- snmp-check 192.168.247.129 -w    // also test whether the community allows writes

root@kali:~# snmp-check 192.168.247.129
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 192.168.247.129:161 using SNMPv1 and community 'public'

[*] System information:

  Host IP address               : 192.168.247.129
  Hostname                      : CHENGQIA-852040
  Description                   : Hardware: x86 Family 6 Model 142 Stepping 9 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Uniprocessor Free)
  Contact                       : -
  Location                      : -
  Uptime snmp                   : 4 days, 16:23:42.81
  Uptime system                 : 03:39:26.46
  System date                   : 2019-5-4 14:40:46.9
  Domain                        : WORKGROUP

[*] User accounts:    // local user accounts

  cqq
  Guest
  test$
  Administrator
  SUPPORT_388945a0
  IUSR_CHENGQIA-852040
  IWAM_CHENGQIA-852040

[*] Network information:

  IP forwarding enabled         : no
  Default TTL                   : 128
  TCP segments received         : 149505
  TCP segments sent             : 73696
  TCP segments retrans          : 36
  Input datagrams               : 151617
  Delivered datagrams           : 151592
  Output datagrams              : 76693

[*] Network interfaces:

  Interface                     : [ up ] MS TCP Loopback interface
  Id                            : 1
  Mac Address                   : :::::
  Type                          : softwareLoopback
  Speed                         : 10 Mbps
  MTU                           : 1520
  In octets                     : 61841
  Out octets                    : 61841

  Interface                     : [ up ] Intel(R) PRO/1000 MT Network Connection
  Id                            : 327683
  Mac Address                   : 00:0c:29:8f:74:74
  Type                          : ethernet-csmacd
  Speed                         : 10 Mbps
  MTU                           : 1500
  In octets                     : 11941081
  Out octets                    : 6663859

[*] Network IP:

  Id                    IP Address              Netmask                 Broadcast
  1                     127.0.0.1               255.0.0.0               1
  327683                192.168.247.129         255.255.255.0           1

[*] Routing information:    // routing table

  Destination           Next hop                Mask                    Metric
  0.0.0.0               192.168.247.2           0.0.0.0                 30
  127.0.0.0             127.0.0.1               255.0.0.0               1
  192.168.247.0         192.168.247.129         255.255.255.0           30
  192.168.247.129       127.0.0.1               255.255.255.255         30
  192.168.247.255       192.168.247.129         255.255.255.255         30
  224.0.0.0             192.168.247.129         240.0.0.0               30
  255.255.255.255       192.168.247.129         255.255.255.255         1

......

root@kali:~# snmp-check 192.168.247.129 -w
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 192.168.247.129:161 using SNMPv1 and community 'public'
[+] Write access check enabled

[!] 192.168.247.129:161 SNMP request timeout

The write check sends an SNMP SET with the same community string; the agent never answered it, so no write access was demonstrated with 'public'. The user-account list above, which Windows exposes through the LAN Manager MIB, was obtained without any Windows credentials: that is the real value of a leaked community string.
II. SMB scanning
SMB (Server Message Block)
- Historically the Microsoft protocol with the most security problems;
- A complex implementation, enabled by default on Windows and one of the most commonly used protocols, used for file sharing.
Null-session unauthenticated access (SMB1): Windows 2000 / XP / Windows Server 2003
- Without any credentials, a null session can enumerate usernames, group names, machine names, user and group IDs (RIDs) and the password policy (not the passwords themselves).
1. nmap
- nmap -v -p139,445 192.168.247.129-131    // scan three hosts for ports 139 and 445, which Windows opens by default; open ports alone do not identify the OS reliably, but usually indicate Windows.
- nmap 192.168.247.129 -p139,445 --script=smb-os-discovery.nse    // use nmap's bundled script to identify the operating system over SMB.
- nmap -v -p139,445 --script=smb-vuln-*.nse --script-args=safe=1 192.168.247.129    // check the target's SMB service for known vulnerabilities; smb-vuln-*.nse selects every smb-vuln script; safe=1 keeps the scripts to their non-intrusive checks, because the unsafe checks can crash the target.
root@kali:~# nmap -v -p139,445 192.168.247.129-131
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-04 14:46 CST
Initiating ARP Ping Scan at 14:46
Scanning 3 hosts [1 port/host]
Completed ARP Ping Scan at 14:46, 0.22s elapsed (3 total hosts)
Initiating Parallel DNS resolution of 3 hosts. at 14:46
Completed Parallel DNS resolution of 3 hosts. at 14:46, 0.09s elapsed
Nmap scan report for 192.168.247.130 [host down]
Nmap scan report for 192.168.247.131 [host down]
Initiating SYN Stealth Scan at 14:46
Scanning bogon (192.168.247.129) [2 ports]
Discovered open port 445/tcp on 192.168.247.129
Discovered open port 139/tcp on 192.168.247.129
Completed SYN Stealth Scan at 14:46, 0.00s elapsed (2 total ports)
Nmap scan report for bogon (192.168.247.129)
Host is up (0.00045s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:8F:74:74 (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 3 IP addresses (1 host up) scanned in 0.43 seconds
           Raw packets sent: 7 (228B) | Rcvd: 3 (116B)

root@kali:~# nmap 192.168.247.129 -p139,445 --script=smb-os-discovery.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-04 14:47 CST
Nmap scan report for bogon (192.168.247.129)
Host is up (0.00024s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:8F:74:74 (VMware)

Host script results:    // operating system of the target host
| smb-os-discovery:
|   OS: Windows Server 2003 3790 Service Pack 2 (Windows Server 2003 5.2)
|   OS CPE: cpe:/o:microsoft:windows_server_2003::sp2
|   Computer name: chengqia-852040
|   NetBIOS computer name: CHENGQIA-852040\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-05-04T14:47:50+08:00

Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds

root@kali:~# nmap -v -p139,445 --script=smb-vuln-*.nse --script-args=safe=1 192.168.247.129
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-04 14:50 CST
NSE: Loaded 10 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:50
Completed NSE at 14:50, 0.00s elapsed
Initiating ARP Ping Scan at 14:50
Scanning 192.168.247.129 [1 port]
Completed ARP Ping Scan at 14:50, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:50
Completed Parallel DNS resolution of 1 host. at 14:50, 0.01s elapsed
Initiating SYN Stealth Scan at 14:50
Scanning bogon (192.168.247.129) [2 ports]
Discovered open port 445/tcp on 192.168.247.129
Discovered open port 139/tcp on 192.168.247.129
Completed SYN Stealth Scan at 14:50, 0.00s elapsed (2 total ports)
NSE: Script scanning 192.168.247.129.
Initiating NSE at 14:50
Completed NSE at 14:50, 5.00s elapsed
Nmap scan report for bogon (192.168.247.129)
Host is up (0.00044s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:8F:74:74 (VMware)

Host script results:    // vulnerabilities present on the target host
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

NSE: Script Post-scanning.
Initiating NSE at 14:50
Completed NSE at 14:50, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 5.41 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Both findings are consistent with the OS fingerprint: an unpatched Windows Server 2003 SP2 is affected by MS08-067 and by MS17-010, the SMBv1 flaw WannaCry used. "false" on the ms10-054 line means not vulnerable, and the ms10-061 check did not complete: it reported NT_STATUS_OBJECT_NAME_NOT_FOUND because it probes a shared printer, which this host does not expose.
2. nbtscan
- -r: send the queries from local UDP port 137; better compatibility (some older Windows hosts only answer name queries that come from port 137) and more complete results;
- Can scan across subnets, because it sends unicast NetBIOS name queries rather than relying on broadcast.

root@kali:~# nbtscan -r 192.168.247.0/24
Doing NBT name scan for addresses from 192.168.247.0/24

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
192.168.247.0    Sendto failed: Permission denied
192.168.247.1    LAPTOP-PCL3G0V7  <server>  <unknown>        00:50:56:c0:00:08
192.168.247.129  CHENGQIA-852040  <server>  <unknown>        00:0c:29:8f:74:74
192.168.247.177  <unknown>                  <unknown>
192.168.247.255  Sendto failed: Permission denied

The two "Sendto failed" lines are the network and broadcast addresses of the /24; the kernel refuses to send a unicast datagram to a broadcast address, so they are not hosts. <server> means the host registered the file-server service name (suffix <20>), and the MAC column comes from the host's own reply, so it is accurate even across a router.
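The -r switch, the <server> column and the MAC column all come from a single UDP exchange: a NetBIOS node-status (NBSTAT) query for the wildcard name "*" sent to port 137, answered with the target's name table. The following is an added example in Python, not nbtscan's code; it builds that query (from local port 137 like -r, or from an ephemeral port), and parses the reply into the same columns. The names and MAC used in the constructed reply are the ones the page shows for 192.168.247.129; the server-side builder exists only so the parser can be exercised offline.

```python
"""NetBIOS node-status query, the packet nbtscan sends to UDP/137, and a parser
for the reply. Added example in plain Python; not nbtscan's code."""
import socket
import struct

NBSTAT = 0x0021     # question type: node status
IN_CLASS = 0x0001


def first_level_encode(name):
    """RFC 1001 first-level encoding: 16 name bytes -> 32 letters, one per nibble."""
    name = name.ljust(16, b"\x00")[:16]
    return bytes(c for b in name for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))


def build_node_status_query(txid=0x1234):
    """Header (12 bytes) + question for the wildcard name '*' + NBSTAT/IN."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"\x20" + first_level_encode(b"*") + b"\x00"
    return header + qname + struct.pack(">HH", NBSTAT, IN_CLASS)


def build_node_status_response(txid, names, mac):
    """Server side, only so the parser can be exercised offline.
    names: [(name, suffix, is_group)], mac: 6 raw bytes."""
    rdata = bytes([len(names)])
    for name, suffix, is_group in names:
        flags = (0x8000 if is_group else 0) | 0x0400          # G bit, ACT bit
        rdata += name.encode().ljust(15)[:15] + bytes([suffix]) + struct.pack(">H", flags)
    rdata += mac + b"\x00" * 40                                # statistics: unit id, then zeros
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)  # response, authoritative
    rr = (b"\x20" + first_level_encode(b"*") + b"\x00"
          + struct.pack(">HHIH", NBSTAT, IN_CLASS, 0, len(rdata)))
    return header + rr + rdata


def parse_node_status(resp):
    """Return {'txid', 'names': [(name, suffix, is_group)], 'mac'} from a reply."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a node-status response")
    pos = 12
    while resp[pos]:                       # skip the RR name (length-prefixed labels)
        pos += resp[pos] + 1
    pos += 1
    rtype, _rclass, _ttl, _rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
    pos += 10
    if rtype != NBSTAT:
        raise ValueError("unexpected RR type 0x%04x" % rtype)
    count, pos = resp[pos], pos + 1
    names = []
    for _ in range(count):
        entry, pos = resp[pos:pos + 18], pos + 18
        nflags = struct.unpack(">H", entry[16:18])[0]
        names.append((entry[:15].rstrip(b" \x00").decode("ascii", "replace"),
                      entry[15], bool(nflags & 0x8000)))
    mac = ":".join("%02x" % b for b in resp[pos:pos + 6])
    return {"txid": txid, "names": names, "mac": mac}


def summarise(info):
    """The columns nbtscan prints: name (<00> unique), workgroup (<00> group),
    <server> if the file-server service name <20> is registered, and MAC."""
    host = next((n for n, s, g in info["names"] if s == 0x00 and not g), "<unknown>")
    workgroup = next((n for n, s, g in info["names"] if s == 0x00 and g), "<unknown>")
    server = any(s == 0x20 and not g for n, s, g in info["names"])
    return host, workgroup, server, info["mac"]


def nbstat(host, timeout=1.0, src_port=137):
    """Query one host. src_port=137 mirrors nbtscan -r (needs root to bind);
    pass 0 to let the kernel pick a port. None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind(("", src_port))
        s.sendto(build_node_status_query(), (host, 137))
        try:
            data, _ = s.recvfrom(2048)
        except socket.timeout:
            return None
    return summarise(parse_node_status(data))


if __name__ == "__main__":
    print(nbstat("192.168.247.129", src_port=0))   # the page's target; needs the lab network
```

The query is 50 bytes and carries no authentication of any kind, which is why NetBIOS name service is normally blocked at the perimeter: one datagram per host returns the machine name, workgroup or domain, which services it runs and its MAC address.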
3. enum4linux
root@kali:~# enum4linux -U 192.168.247.129    // -U: enumerate users
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat May  4 14:54:15 2019

==========================
|  Target Information  |
==========================
Target ........... 192.168.247.129
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

=======================================================
|  Enumerating Workgroup/Domain on 192.168.247.129  |
=======================================================
[+] Got domain/workgroup name: WORKGROUP

========================================
|  Session Check on 192.168.247.129  |
========================================
[+] Server 192.168.247.129 allows sessions using username '', password ''    // a null session is allowed

==============================================
|  Getting domain SID for 192.168.247.129  |
==============================================
Cannot connect to server. Error was NT_STATUS_INVALID_PARAMETER
[+] Can't determine if host is part of domain or part of a workgroup

================================
|  Users on 192.168.247.129  |
================================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.
enum4linux complete on Sat May  4 14:54:16 2019

The session check is the key line: the host accepts a null session with an empty username and password. The user listing itself came back empty (the Perl warnings are enum4linux 0.8.9 tripping over an empty result from the underlying Samba client), so on this target the account names were obtained through SNMP instead, as the snmp-check output above shows.
III. SMTP scanning
SMTP: Simple Mail Transfer Protocol.
1. nc
root@kali:~# nc -nv 192.168.247.129 25    // connect to port 25 and grab the banner
(UNKNOWN) [192.168.247.129] 25 (smtp) open
220 chengqia-852040 Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at Sat, 4 May 2019 14:55:24 +0800
^C
2. nmap
- Port-scan first to confirm that the target has port 25 open;
- nmap smtp.163.com -p25 --script=smtp-enum-users.nse --script-args=smtp-enum-users.methods={VRFY}    // enumerate accounts with the VRFY command (the script also supports the EXPN and RCPT methods).
- nmap smtp.163.com -p25 --script=smtp-open-relay.nse    // test whether the server is an open relay; an open relay is easily abused to send spam.

root@kali:~# nmap smtp.163.com -p25 --script=smtp-enum-users.nse --script-args=smtp-enum-users.methods={VRFY}
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-04 14:57 CST
Nmap scan report for smtp.163.com (123.125.50.134)
Host is up (0.00032s latency).
Other addresses for smtp.163.com (not scanned): 123.125.50.133 123.125.50.138 123.125.50.132 123.125.50.135
rDNS record for 123.125.50.134: m50-134.163.com

PORT   STATE    SERVICE
25/tcp filtered smtp

Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds

root@kali:~# nmap smtp.163.com -p25 --script=smtp-open-relay.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-04 14:59 CST
Nmap scan report for smtp.163.com (123.125.50.135)
Host is up (0.0072s latency).
Other addresses for smtp.163.com (not scanned): 123.125.50.132 123.125.50.138 123.125.50.133 123.125.50.134
rDNS record for 123.125.50.135: m50-135.163.com

PORT   STATE SERVICE
25/tcp open  smtp
|_smtp-open-relay: Server doesn't seem to be an open relay, all tests failed

Nmap done: 1 IP address (1 host up) scanned in 2.60 seconds

Note that the first run resolved smtp.163.com to 123.125.50.134, where port 25 was filtered, so smtp-enum-users produced no output at all: NSE port scripts only run against open ports. The second run landed on a different address of the same name, 123.125.50.135, where the port was open and the relay test came back negative. When a name round-robins over several addresses, scan the specific IP rather than the hostname so that both checks hit the same server.
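smtp-enum-users' VRFY method is a plain command loop, and the scan above never got to run it because port 25 was filtered. The following added example (not nmap's script and not any real MTA's code) implements that loop as a client and pairs it with a constructed in-process SMTP server so the whole exchange runs offline: in one mode the server leaks accounts with 250/550, in the other it answers 252 the way a hardened server does, which is the case the client has to recognise and stop on rather than burn through a wordlist. The account names, banner text and hostname in the fake server are constructed for the demo.

```python
"""SMTP VRFY user enumeration, the method smtp-enum-users.nse was asked to use.
Added example: client plus a constructed in-process server so it runs offline.
It is neither nmap's script nor a real MTA; users and banner are made up."""
import socket
import socketserver
import threading

KNOWN_USERS = {"administrator", "cqq"}     # constructed account list for the fake server


def _readline(sock):
    """Read one CRLF-terminated SMTP line; '' if the peer closed."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode(errors="replace").rstrip("\r\n")


def _reply(sock, line):
    sock.sendall((line + "\r\n").encode())


class FakeSMTP(socketserver.BaseRequestHandler):
    """mode 'leak': 250 for known users, 550 otherwise (an enumerable server).
    mode 'hardened': always 252, so VRFY reveals nothing."""
    mode = "leak"

    def handle(self):
        _reply(self.request, "220 chengqia-852040 ESMTP ready")
        while True:
            line = _readline(self.request)
            if not line:
                return
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "HELO":
                _reply(self.request, "250 Hello " + arg)
            elif verb == "VRFY":
                if self.mode == "hardened":
                    _reply(self.request, "252 Cannot VRFY user, but will accept message")
                elif arg.lower() in KNOWN_USERS:
                    _reply(self.request, "250 <%s>" % arg)
                else:
                    _reply(self.request, "550 5.1.1 User unknown")
            elif verb == "QUIT":
                _reply(self.request, "221 Bye")
                return
            else:
                _reply(self.request, "502 Command not implemented")


def vrfy_enum(host, port, candidates, timeout=3.0):
    """One session, one VRFY per candidate. Returns (valid_users, outcome);
    outcome says whether VRFY was usable at all, which is the first thing to
    check before burning a wordlist against a server that answers 252."""
    valid = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        if not _readline(s).startswith("220"):
            return valid, "no SMTP banner"
        _reply(s, "HELO scanner.local")
        _readline(s)
        for user in candidates:
            _reply(s, "VRFY " + user)
            code = _readline(s)[:3]
            if code == "252":
                return valid, "VRFY gives no answer (252)"
            if code in ("500", "502"):
                return valid, "VRFY disabled"
            if code == "250":
                valid.append(user)
        _reply(s, "QUIT")
    return valid, "ok"


def run_demo(mode="leak"):
    """Start the fake server on a random loopback port and enumerate against it."""
    handler = type("FakeSMTP_" + mode, (FakeSMTP,), {"mode": mode})
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return vrfy_enum("127.0.0.1", srv.server_address[1],
                         ["administrator", "guest", "cqq", "test"])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(run_demo("leak"))
    print(run_demo("hardened"))
```

Against a real target replace run_demo with vrfy_enum(host, 25, wordlist). The 252 branch is the defensive configuration to look for: a server that answers 252 to every VRFY (or 502 because VRFY is disabled) cannot be enumerated this way, and the script falls back to EXPN or RCPT TO, which the mail server should restrict in the same way.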