9. Active information gathering: SNMP scanning, SMB scanning, SMTP scanning

SNMP scanning

SNMP: Simple Network Management Protocol

SNMP is used to monitor network devices such as switches, firewalls and servers, including internal system information such as CPU load. Server-side port: 161; all data is transmitted in cleartext.

It is usually managed by the monitoring team within the enterprise operations department.

  • community: the login credential; administrators often forget to change its well-known default value # the community string can be cracked with a wordlist (public/private/manager);

  • A goldmine of information: it exposes very detailed device data, but it is frequently misconfigured. Administrators tend to configure it just far enough for the feature to work: as long as the network is up and the device can be monitored, they consider the job done.

MIB Tree:

  • SNMP Management Information Base (MIB);
    a tree-structured database of network device management data;
  • tree structure

When testing we normally check whether the target system has SNMP enabled and whether it uses a common community string. If it uses public, a few tools can send queries to the target and retrieve a large amount of information about the host.

SNMP scanning: onesixtyone

Run onesixtyone 192.168.1.11 public to find out whether the community string public is in use.

root@root:~# onesixtyone 192.168.1.11 public
Scanning 1 hosts, 1 communities
192.168.1.11 [public] Hardware: x86 Family 6 Model 78 Stepping 3 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.1 (Build 2600 Uniprocessor Free)

We can run
dpkg -L onesixtyone to see whether the package ships with a default wordlist.

snmpwalk retrieves much more information. -c specifies the community string and -v the protocol version (1, 2c or 3; 2c is the most widely used). The output is not very readable: snmpwalk 192.168.37.130 -c public -v 2c

Different OIDs correspond to different attributes.

root@root:~# snmpwalk 192.168.37.130 -c public -v 2c
iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: x86 Family 6 Model 78 Stepping 3 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.1 (Build 2600 Uniprocessor Free)"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.311.1.1.3.1.1
iso.3.6.1.2.1.1.3.0 = Timeticks: (43123182) 4 days, 23:47:11.82
iso.3.6.1.2.1.1.4.0 = ""
iso.3.6.1.2.1.1.5.0 = STRING: "UPWARD"
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 76
iso.3.6.1.2.1.2.1.0 = INTEGER: 3
iso.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.1.2 = INTEGER: 2
iso.3.6.1.2.1.2.2.1.1.196612 = INTEGER: 196612
iso.3.6.1.2.1.2.2.1.2.1 = Hex-STRING: 4D 53 20 54 43 50 20 4C 6F 6F 70 62 61 63 6B 20 
69 6E 74 65 72 66 61 63 65 00 
iso.3.6.1.2.1.2.2.1.2.2 = Hex-STRING: 41 4D 44 20 50 43 4E 45 54 20 46 61 6D 69 6C 79 
20 50 43 49 20 45 74 68 65 72 6E 65 74 20 41 64 
61 70 74 65 72 20 2D 20 CA FD BE DD B0 FC BC C6 
BB AE B3 CC D0 F2 CE A2 D0 CD B6 CB BF DA 00 
iso.3.6.1.2.1.2.2.1.2.196612 = Hex-STRING: 42 6C 75 65 74 6F 6F 74 68 20 C9 E8 B1 B8 28 B8 
F6 C8 CB C7 F8 D3 F2 CD F8 29 00 
......
iso.3.6.1.2.1.25.6.3.1.2.2 = STRING: "WebFldrs XP"
iso.3.6.1.2.1.25.6.3.1.2.3 = STRING: "VMware Tools"
iso.3.6.1.2.1.25.6.3.1.3.1 = OID: ccitt.0
iso.3.6.1.2.1.25.6.3.1.3.2 = OID: ccitt.0
iso.3.6.1.2.1.25.6.3.1.3.3 = OID: ccitt.0
iso.3.6.1.2.1.25.6.3.1.4.1 = INTEGER: 4
iso.3.6.1.2.1.25.6.3.1.4.2 = INTEGER: 4
iso.3.6.1.2.1.25.6.3.1.4.3 = INTEGER: 4
iso.3.6.1.2.1.25.6.3.1.5.1 = Hex-STRING: 07 E2 0B 11 15 33 36 00 
iso.3.6.1.2.1.25.6.3.1.5.2 = Hex-STRING: 07 E3 04 07 0B 39 34 00 
iso.3.6.1.2.1.25.6.3.1.5.3 = Hex-STRING: 07 E2 0B 11 15 35 08 00 
root@root:~# snmpwalk 192.168.37.130 -c public -v 2c iso.3.6.1.2.1.25.6.3.1.2.2
iso.3.6.1.2.1.25.6.3.1.2.2 = STRING: "WebFldrs XP"
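The snmpwalk output above is hard to read because every value arrives as an OID and a raw type, and Hex-STRING values wrap across several lines. The following parser is an added example written for this page (it is not code from the original post or from net-snmp): it turns snmpwalk lines into structured records, joins the wrapped Hex-STRING lines, decodes them to text, converts the SNMPv2 DateAndTime octets of hrSWInstalledDate into a readable timestamp, and summarizes what a read-only community string exposes. The OID labels come from the standard MIB-2 and HOST-RESOURCES-MIB definitions; the sample walk is constructed in the shape of the page's output, and the GBK fallback is an assumption based on the Chinese-locale Windows host shown above. A defender can run the same parser over an snmpwalk of their own devices to inventory exactly what the community string gives away.

```python
"""Turn raw snmpwalk output into structured records (added example, not from the page)."""
import re
from typing import List, NamedTuple, Union


class Record(NamedTuple):
    oid: str
    label: str              # MIB object name when known, else ""
    vtype: str              # STRING, INTEGER, Hex-STRING, Timeticks, OID, or ""
    value: Union[str, int]


# Exact OIDs, or table-column prefixes (trailing "."), mapped to MIB object names.
KNOWN_OIDS = {
    "iso.3.6.1.2.1.1.1.0": "sysDescr",
    "iso.3.6.1.2.1.1.3.0": "sysUpTime",
    "iso.3.6.1.2.1.1.5.0": "sysName",
    "iso.3.6.1.2.1.2.2.1.2.": "ifDescr",
    "iso.3.6.1.2.1.25.6.3.1.2.": "hrSWInstalledName",
    "iso.3.6.1.2.1.25.6.3.1.5.": "hrSWInstalledDate",
}

HEAD_RE = re.compile(r"^(?P<oid>[\w.]+) = (?:(?P<type>[\w-]+): ?)?(?P<value>.*)$")

# Constructed sample in the shape of the page's snmpwalk output (a subset of it).
SAMPLE_WALK = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: x86 Family 6 Model 78 - Software: Windows 2000 Version 5.1"
iso.3.6.1.2.1.1.3.0 = Timeticks: (43123182) 4 days, 23:47:11.82
iso.3.6.1.2.1.1.4.0 = ""
iso.3.6.1.2.1.1.5.0 = STRING: "UPWARD"
iso.3.6.1.2.1.1.7.0 = INTEGER: 76
iso.3.6.1.2.1.2.2.1.2.1 = Hex-STRING: 4D 53 20 54 43 50 20 4C 6F 6F 70 62 61 63 6B 20
69 6E 74 65 72 66 61 63 65 00
iso.3.6.1.2.1.2.2.1.2.2 = Hex-STRING: 41 4D 44 20 50 43 4E 45 54 20 46 61 6D 69 6C 79
20 50 43 49 20 45 74 68 65 72 6E 65 74 20 41 64
61 70 74 65 72 20 2D 20 CA FD BE DD B0 FC BC C6
BB AE B3 CC D0 F2 CE A2 D0 CD B6 CB BF DA 00
iso.3.6.1.2.1.25.6.3.1.2.2 = STRING: "WebFldrs XP"
iso.3.6.1.2.1.25.6.3.1.5.2 = Hex-STRING: 07 E3 04 07 0B 39 34 00
"""


def label_for(oid: str) -> str:
    for key, name in KNOWN_OIDS.items():
        if oid == key or (key.endswith(".") and oid.startswith(key)):
            return name
    return ""


def decode_hex_string(oid: str, hexdata: str) -> str:
    raw = bytes.fromhex("".join(hexdata.split()))
    # SNMPv2-TC DateAndTime: year(2 bytes) month day hour minute second decisecond [+/- hh mm]
    if label_for(oid) == "hrSWInstalledDate" and len(raw) in (8, 11):
        year = int.from_bytes(raw[0:2], "big")
        return "%04d-%02d-%02d %02d:%02d:%02d" % (year, raw[2], raw[3], raw[4], raw[5], raw[6])
    text = raw.rstrip(b"\x00")
    for codec in ("utf-8", "gbk"):    # gbk fallback: assumes a Chinese-locale Windows host
        try:
            return text.decode(codec)
        except UnicodeDecodeError:
            continue
    return text.decode("latin-1")


def parse_snmpwalk(text: str) -> List[Record]:
    entries = []                      # [oid, type, raw value], wrapped lines joined
    for line in text.splitlines():
        m = HEAD_RE.match(line)
        if m:
            entries.append([m["oid"], m["type"] or "", m["value"]])
        elif entries and entries[-1][1] == "Hex-STRING" and line.strip():
            entries[-1][2] += " " + line.strip()   # continuation of a wrapped Hex-STRING
    records = []
    for oid, vtype, raw in entries:
        raw = raw.strip()
        if vtype == "Hex-STRING":
            value: Union[str, int] = decode_hex_string(oid, raw)
        elif vtype == "INTEGER":
            value = int(raw)
        elif vtype == "Timeticks":
            value = int(raw[1:raw.index(")")])      # hundredths of a second
        elif vtype == "STRING" or raw.startswith('"'):
            value = raw.strip('"')
        else:
            value = raw
        records.append(Record(oid, label_for(oid), vtype, value))
    return records


def exposure_summary(records: List[Record]) -> dict:
    """What a read-only community reveals: host identity, interfaces, installed software."""
    by_label: dict = {}
    for r in records:
        by_label.setdefault(r.label, []).append(r)

    def first(name: str):
        return next((r.value for r in by_label.get(name, [])), None)

    names = {r.oid.rsplit(".", 1)[1]: r.value for r in by_label.get("hrSWInstalledName", [])}
    dates = {r.oid.rsplit(".", 1)[1]: r.value for r in by_label.get("hrSWInstalledDate", [])}
    return {
        "sysName": first("sysName"),
        "sysDescr": first("sysDescr"),
        "interfaces": [r.value for r in by_label.get("ifDescr", [])],
        "software": [(names[i], dates.get(i)) for i in sorted(names, key=int)],
    }


if __name__ == "__main__":
    for key, val in exposure_summary(parse_snmpwalk(SAMPLE_WALK)).items():
        print(f"{key}: {val}")
```

Feed it `snmpwalk -c public -v 2c <host>` output saved to a file and the summary lists the host name, every interface description and each installed package with its install date, which is the same view the snmp-check tool renders below; the difference is that you get the records as data and can diff them against an approved baseline.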

SNMP scanning: snmp-check

The default community string is public; use -c to specify a different one.

Compared with snmpwalk, the output is far more readable;

  • snmp-check 192.168.37.130
  • snmp-check 192.168.37.130 -w; # check whether the community allows writes
root@root:~# snmp-check 192.168.37.130
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
 
[+] Try to connect to 192.168.37.130:161 using SNMPv1 and community 'public'
 
[*] System information:
 
  Host IP address               : 192.168.37.130
  Hostname                      : UPWARD
  Description                   : Hardware: x86 Family 6 Model 78 Stepping 3 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.1 (Build 2600 Uniprocessor Free)
  Contact                       : -
  Location                      : -
  Uptime snmp                   : 4 days, 13:40:38.12
  Uptime system                 : 4 days, 23:54:43.71
  System date                   : 2019-4-14 19:03:54.4
  Domain                        : WORKGROUP
 
[*] User accounts:
 
  x                   
  y                   
  z                   
  abc$                
  Guest               
  yaoxingzhi          
  IUSR_UPWARD         
  IWAM_UPWARD         
  Administrator       
  HelpAssistant       
  SUPPORT_388945a0    
 
[*] Network information:
 
  IP forwarding enabled         : no
  Default TTL                   : 128
  TCP segments received         : 11471
  TCP segments sent             : 4045
  TCP segments retrans          : 0
  Input datagrams               : 13960
  Delivered datagrams           : 13859
  Output datagrams              : 9959
 
[*] Network interfaces:
 
  Interface                     : [ up ] MS TCP Loopback interface
  Id                            : 1
  Mac Address                   : :::::
  Type                          : softwareLoopback
  Speed                         : 10 Mbps
  MTU                           : 1520
  In octets                     : 8291
  Out octets                    : 8291
 
......
[*] Network IP:
 
  Id                    IP Address            Netmask               Broadcast           
  196612                0.0.0.0               0.0.0.0               1                   
  1                     127.0.0.1             255.0.0.0             1                   
  2                     192.168.37.130        255.255.255.0         1                   
 
[*] Routing information:
 
  Destination           Next hop              Mask                  Metric              
  0.0.0.0               192.168.37.2          0.0.0.0               10                  
  127.0.0.0             127.0.0.1             255.0.0.0             1                   
  192.168.37.0          192.168.37.130        255.255.255.0         10                  
  192.168.37.130        127.0.0.1             255.255.255.255       10                  
  192.168.37.255        192.168.37.130        255.255.255.255       10                  
  224.0.0.0             192.168.37.130        240.0.0.0             10                  
  255.255.255.255       192.168.37.130        255.255.255.255       1                   
 
[*] TCP connections and listening ports:
 
  Local address         Local port            Remote address        Remote port           State               
  0.0.0.0               25                    0.0.0.0               47132                 listen              
  0.0.0.0               80                    0.0.0.0               20587                 listen              
  0.0.0.0               135                   0.0.0.0               39150                 
  Others                        : 0
  CGIRequests                   : 0
  BGIRequests                   : 0
  NotFoundErrors                : 0
......

SMB scanning

SMB protocol:

Server Message Block protocol;
historically the Microsoft protocol with the most security problems;
complex to implement, enabled by default on Microsoft systems and the most commonly used protocol there; it provides file sharing and printer sharing and allows interoperability across operating systems.

If a scan shows SMB open on a host, we can try vulnerabilities in the SMB protocol.

Null session vulnerability

Without establishing a normal authenticated session, an SMB 1.0 weakness lets a client set up a null session and obtain the password policy, user names, group names, machine name, and user and group SIDs (the Administrator account's SID ends in 500).

1. Nmap scan

SMB normally listens on port 139 or 445; newer versions mostly use 445. The open port alone does not identify the operating system accurately, although it is usually Windows;

-v prints verbose output; scan ports 139 and 445 on 192.168.1.1-10:
nmap -v -p139,445 192.168.1.1-10

Several of the results show filtered, which usually means a firewall is dropping the probes. Here, however, that is not the cause; it is more likely an artifact of the VM's incomplete NAT mode, so bridged mode is preferable for this kind of scan.

root@kali:~# nmap -v -p139,445 192.168.1.1-10
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-02 06:54 EDT
Initiating Ping Scan at 06:54
Scanning 10 hosts [4 ports/host]
Completed Ping Scan at 06:54, 1.27s elapsed (10 total hosts)
Initiating Parallel DNS resolution of 10 hosts. at 06:54
Completed Parallel DNS resolution of 10 hosts. at 06:54, 0.00s elapsed
Initiating SYN Stealth Scan at 06:54
Scanning 10 hosts [2 ports/host]
Discovered open port 139/tcp on 192.168.1.5
Discovered open port 445/tcp on 192.168.1.5
Discovered open port 445/tcp on 192.168.1.1
Completed SYN Stealth Scan at 06:54, 2.15s elapsed (20 total ports)
Nmap scan report for 192.168.1.1 (192.168.1.1)
Host is up (0.0026s latency).

PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
445/tcp open     microsoft-ds

Nmap scan report for 192.168.1.2 (192.168.1.2)
Host is up (0.00016s latency).

PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Nmap scan report for 192.168.1.3 (192.168.1.3)
Host is up (0.000032s latency).

PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Nmap scan report for 192.168.1.4 (192.168.1.4)
Host is up (0.00015s latency).

PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Nmap scan report for pc-20190715ykdz (192.168.1.5)
Host is up (0.0011s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap scan report for 192.168.1.6 (192.168.1.6)
Host is up (0.00011s latency).

PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Nmap scan report for redminote7-wangjin (192.168.1.7)
Host is up (0.24s latency).

PORT    STATE  SERVICE
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds

Nmap scan report for 192.168.1.8 (192.168.1.8)
Host is up (0.000064s latency).

PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Nmap scan report for 192.168.1.9 (192.168.1.9)
Host is up (0.000044s latency).

PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Nmap scan report for 192.168.1.10 (192.168.1.10)
Host is up (0.000038s latency).

PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Discovery script: determines whether the target is a Windows system. A Linux host and a Windows host with the same ports open return different information.

  • nmap 192.168.37.130 -p139,445 --script=smb-os-discovery.nse # use Nmap's built-in script to identify the operating system;

SMB vulnerability scan (script removed)
nmap -v -p139,445 --script=smb-check-vulns.nse --script-args=unsafe=1 192.168.1.5

Since Nmap 6.49beta6 the smb-check-vulns.nse script has been removed. It was split into six scripts: smb-vuln-conficker, smb-vuln-cve2009-3103, smb-vuln-ms06-025, smb-vuln-ms07-029, smb-vuln-regsvc-dos and smb-vuln-ms08-067. Pick the ones you need; if you are not sure which to run, smb-vuln-*.nse selects all of them.

  • nmap -v -p139,445 --script=smb-vuln-*.nse --script-args=safe=1 192.168.1.1 -Pn
    // --script-args: script arguments; safe=1 skips tests that could damage the target, unsafe=1 allows them (more accurate, but potentially disruptive)
    # checks whether the SMB service on a Windows host is vulnerable; smb-vuln-*.nse selects all the scripts for a full scan; -Pn: scan even when host discovery is blocked by a firewall, otherwise Nmap treats the host as down once the firewall drops its probes
root@kali:~# nmap -v -p139,445 --script=smb-vuln-*.nse --script-args=safe=1 192.168.1.5
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-02 09:31 EDT
NSE: Loaded 11 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 09:31
Completed NSE at 09:31, 0.00s elapsed
Initiating ARP Ping Scan at 09:31
Scanning 192.168.1.5 [1 port]
Completed ARP Ping Scan at 09:31, 0.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:31
Completed Parallel DNS resolution of 1 host. at 09:31, 0.51s elapsed
Initiating SYN Stealth Scan at 09:31
Scanning pc-20190715ykdz (192.168.1.5) [2 ports]
Discovered open port 445/tcp on 192.168.1.5
Discovered open port 139/tcp on 192.168.1.5
Completed SYN Stealth Scan at 09:31, 0.09s elapsed (2 total ports)
NSE: Script scanning 192.168.1.5.
Initiating NSE at 09:31
Completed NSE at 09:31, 5.00s elapsed
Nmap scan report for pc-20190715ykdz (192.168.1.5)
Host is up (0.00027s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: E4:02:9B:3B:35:62 (Intel Corporate)

Host script results:
|_smb-vuln-cve-2017-7494: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: No accounts left to try

NSE: Script Post-scanning.
Initiating NSE at 09:31
Completed NSE at 09:31, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.48 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
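The two Nmap runs above (the 139/445 sweep and the smb-vuln-* script scan) produce a lot of text in which the interesting facts are a few port states and a few script result lines. The following triage script is an added example written for this page (not code from the original post or from Nmap): it parses Nmap's normal output format (host headers, port lines, the MAC line and the "Host script results" block), separates hosts with 139/445 open from hosts where both ports are only filtered (which, as the text notes, can be a VM NAT artifact rather than a firewall), and flags any script result containing "VULNERABLE" for follow-up. The scan text is constructed in the shape of the page's output; the host 192.168.1.20 with an MS08-067 result block is a made-up entry added only to exercise the flag.

```python
"""Triage Nmap SMB scan output (added example, not from the page or from Nmap)."""
import re
from typing import Dict, List, Tuple

HOST_RE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[\d.]+)\))?$")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")
MAC_RE = re.compile(r"^MAC Address: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")
# A script result header: "|_name: text" or "| name: text"; deeper-indented lines continue it.
SCRIPT_RE = re.compile(r"^\|_?\s?(?P<name>[\w-]+): ?(?P<text>.*)$")

SMB_PORTS = (139, 445)

# Constructed sample in the shape of the page's Nmap output; 192.168.1.20 is made up.
SAMPLE_SCAN = """\
Nmap scan report for 192.168.1.1 (192.168.1.1)
Host is up (0.0026s latency).

PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
445/tcp open     microsoft-ds

Nmap scan report for 192.168.1.2 (192.168.1.2)
Host is up (0.00016s latency).

PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Nmap scan report for pc-20190715ykdz (192.168.1.5)
Host is up (0.00027s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: E4:02:9B:3B:35:62 (Intel Corporate)

Host script results:
|_smb-vuln-cve-2017-7494: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: No accounts left to try

Nmap scan report for 192.168.1.20 (192.168.1.20)
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|_    State: VULNERABLE
"""


def parse_nmap(text: str) -> List[Dict]:
    """One dict per host: name, ip, ports {port: state}, mac, scripts {name: text}."""
    hosts: List[Dict] = []
    current = None
    script = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"name": m["name"], "ip": m["ip"] or m["name"],
                       "ports": {}, "mac": None, "scripts": {}}
            hosts.append(current)
            script = None
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            current["ports"][int(m["port"])] = m["state"]
            continue
        m = MAC_RE.match(line)
        if m:
            current["mac"] = m["mac"]
            continue
        if line.startswith("|"):
            m = SCRIPT_RE.match(line)
            if m:
                script = m["name"]
                current["scripts"][script] = m["text"].strip()
            elif script:
                current["scripts"][script] += "\n" + line.lstrip("|_ ").rstrip()
    return hosts


def smb_exposure(hosts: List[Dict]) -> Dict[str, List[str]]:
    """Split hosts by SMB reachability; 'filtered_only' deserves a re-scan from bridged mode."""
    result: Dict[str, List[str]] = {"open": [], "filtered_only": [], "closed": []}
    for h in hosts:
        states = [h["ports"].get(p) for p in SMB_PORTS]
        if "open" in states:
            result["open"].append(h["ip"])
        elif "filtered" in states:
            result["filtered_only"].append(h["ip"])
        else:
            result["closed"].append(h["ip"])
    return result


def flagged_script_results(hosts: List[Dict]) -> List[Tuple[str, str]]:
    """(ip, script) pairs whose smb-vuln-* output reports VULNERABLE."""
    return [(h["ip"], name) for h in hosts
            for name, text in h["scripts"].items() if "VULNERABLE" in text]


if __name__ == "__main__":
    parsed = parse_nmap(SAMPLE_SCAN)
    print(smb_exposure(parsed))
    print(flagged_script_results(parsed))
```

Results of "false", "ERROR" or "No accounts left to try" are deliberately not flagged: the first is a clean negative, the other two mean the check did not run and should be repeated (with -d for the error case) rather than recorded as a finding.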

Nbtscan

Nbtscan is a program for scanning NetBIOS name information on a Windows network. It sends a NetBIOS status query to every address in the given range and lists the replies in a readable table: for every responding host it shows the IP address, NetBIOS computer name, logged-in user name and MAC address. It only works on the local network, but because NBTSCAN obtains a PC's real IP and MAC address, it can be used to locate the PC running an ARP spoofing attack by its IP and MAC address.

  • -r option: use local port 137 as the source port; better compatibility and more complete results; can scan across subnets;
root@kali:~# nbtscan -r 192.168.1.0/24
Doing NBT name scan for addresses from 192.168.1.0/24

IP address       NetBIOS Name     Server    User             MAC address      
------------------------------------------------------------------------------
192.168.1.0     Sendto failed: Permission denied
192.168.1.2      <unknown>                  <unknown>        
192.168.1.5      PC-20190715YKDZ  <server>  <unknown>        e4:02:9b:3b:35:62
192.168.1.1      SMBSHARE         <server>  SMBSHARE         00:00:00:00:00:00
192.168.1.255   Sendto failed: Permission denied

Reference: Nbtscan introduction and usage

enum4linux

Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer functionality similar to enum.exe, formerly available from www.bindview.com.

It is written in Perl and is essentially a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup.

dnstracer obtains information about a given hostname from a given DNS server and follows the chain of DNS servers to the authoritative answer.

root@kali:~#  enum4linux -U 192.168.1.1
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Aug  2 10:16:48 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.1.1
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 =================================================== 
|    Enumerating Workgroup/Domain on 192.168.1.1    |
 =================================================== 
[+] Got domain/workgroup name: WORKGROUP

 ==================================== 
|    Session Check on 192.168.1.1    |
 ==================================== 
[E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests.
root@kali:~# 

Reference: Kali Linux information gathering: enum4linux

SMTP scanning

SMTP: Simple Mail Transfer Protocol;

Probing with nc

root@root:~# nc -nv 192.168.37.130 25   # connect to port 25
(UNKNOWN) [192.168.37.130] 25 (smtp) open
220 upward Microsoft ESMTP MAIL Service, Version: 6.0.2600.5512 ready at  Sun, 14 Apr 2019 20:26:36 +0800 
^C

Scanning with nmap

Prerequisite: a port scan has already shown that the target has port 25 open;
nmap smtp.163.com -p25 --script=smtp-enum-users.nse --script-args=smtp-enum-users.methods={VRFY} enumerates user accounts, using the VRFY method

nmap smtp.163.com -p25 --script=smtp-open-relay.nse checks whether mail relaying is enabled (with an open relay anyone can send mail through the server, including for illegal purposes)

# Prerequisite: a port scan has already shown that the target has port 25 open;
root@root:~# nmap smtp.163.com -p25 --script=smtp-enum-users.nse --script-args=smtp-enum-users.methods={VRFY}
# enumerate user accounts, using the VRFY method
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 20:27 CST
Nmap scan report for smtp.163.com (123.125.50.132)
Host is up (0.0092s latency).
Other addresses for smtp.163.com (not scanned): 123.125.50.133 123.125.50.138 123.125.50.134 123.125.50.135
rDNS record for 123.125.50.132: m50-132.163.com
 
PORT   STATE SERVICE
25/tcp open  smtp
| smtp-enum-users: 
|_  Couldn't find any accounts
 
Nmap done: 1 IP address (1 host up) scanned in 9.25 seconds
root@root:~# nmap smtp.163.com -p25 --script=smtp-open-relay.nse  # check whether relaying is enabled
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 20:29 CST
Nmap scan report for smtp.163.com (123.125.50.135)
Host is up (0.013s latency).
Other addresses for smtp.163.com (not scanned): 123.125.50.134 123.125.50.138 123.125.50.133 123.125.50.132
rDNS record for 123.125.50.135: m50-135.163.com
 
PORT   STATE SERVICE
25/tcp open  smtp
|_smtp-open-relay: Server doesn't seem to be an open relay, all tests failed
 
Nmap done: 1 IP address (1 host up) scanned in 7.93 seconds
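Both Nmap scripts above work by reading the server's reply codes: smtp-enum-users treats a 250 to VRFY as confirmation that the account exists, and smtp-open-relay treats a 250 to a RCPT TO for a foreign domain (sent without authentication) as an open relay. The responder below is an added example written for this page (not code from the original post, from Nmap, or from any real mail server): a small in-memory SMTP state machine that answers VRFY and RCPT TO the way a misconfigured ("leaky") server does and the way a hardened server should, so the difference the two probes measure is visible in the replies themselves. The domains, user names and reply texts are constructed for the demo; the reply codes follow RFC 5321 (252 for a VRFY that neither confirms nor denies, 554 5.7.1 for a refused relay).

```python
"""Server-side view of the VRFY and open-relay probes (added example, not from the page)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Policy:
    local_domain: str
    local_users: frozenset
    vrfy_reveals_users: bool   # leaky: 250/550 tell the client whether a user exists
    relay_for_anyone: bool     # leaky: RCPT TO any domain is accepted without auth


class SmtpResponder:
    """Minimal single-session SMTP state machine whose replies are chosen by Policy."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.authenticated = False
        self.transcript: List[Tuple[str, str]] = []   # (client line, server reply)

    def send(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        handler = getattr(self, "cmd_" + verb.upper(), None)
        reply = handler(arg.strip()) if handler else "502 5.5.2 Command not implemented"
        self.transcript.append((line, reply))
        return reply

    def cmd_EHLO(self, arg: str) -> str:
        return f"250 mail.{self.policy.local_domain}"

    cmd_HELO = cmd_EHLO

    def cmd_VRFY(self, arg: str) -> str:
        if not self.policy.vrfy_reveals_users:
            # Hardened: the same answer for every name, so a sweep learns nothing.
            return "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery"
        user = arg.strip("<>").split("@")[0].lower()
        if user in self.policy.local_users:
            return f"250 2.1.5 <{user}@{self.policy.local_domain}>"
        return "550 5.1.1 User unknown"        # leaky: existence of the account is confirmed

    def cmd_MAIL(self, arg: str) -> str:
        return "250 2.1.0 Ok"

    def cmd_RCPT(self, arg: str) -> str:
        addr = arg.split(":", 1)[-1].strip().strip("<>")   # "TO:<user@dom>" -> "user@dom"
        domain = addr.rpartition("@")[2].lower()
        if domain == self.policy.local_domain:
            return "250 2.1.5 Ok"                  # mail for our own domain is always accepted
        if self.policy.relay_for_anyone or self.authenticated:
            return "250 2.1.5 Ok"
        return "554 5.7.1 Relay access denied"     # hardened: no unauthenticated relaying

    def cmd_QUIT(self, arg: str) -> str:
        return "221 2.0.0 Bye"


def users_confirmed_by_vrfy(policy: Policy, candidates: List[str]) -> List[str]:
    """Names a VRFY sweep would confirm: only a 250 counts; a uniform 252 confirms nothing."""
    s = SmtpResponder(policy)
    s.send("EHLO scanner.test")
    return [name for name in candidates if s.send(f"VRFY {name}").startswith("250")]


def accepts_third_party_relay(policy: Policy) -> bool:
    """The open-relay test: outside sender to outside recipient, with no authentication."""
    s = SmtpResponder(policy)
    s.send("EHLO scanner.test")
    s.send("MAIL FROM:<probe@outside.test>")
    return s.send("RCPT TO:<someone@elsewhere.test>").startswith("250")


# Constructed policies: same local users, different server configuration.
LEAKY = Policy("example.test", frozenset({"admin", "postmaster"}), True, True)
HARDENED = Policy("example.test", frozenset({"admin", "postmaster"}), False, False)

if __name__ == "__main__":
    for label, pol in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, "VRFY confirms:", users_confirmed_by_vrfy(pol, ["admin", "nobody"]),
              "| open relay:", accepts_third_party_relay(pol))
```

The hardened policy still accepts RCPT TO for its own domain, so legitimate inbound mail is unaffected; what changes is that VRFY no longer distinguishes real accounts from guesses and relaying requires authentication, which is exactly what makes the two Nmap scripts report nothing useful.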

Reference: Kali Linux penetration testing, service scanning (2): SNMP, SMB and SMTP scanning
