Related link: https://blog.csdn.net/gengzhikui1992/article/details/89183302
nmap:
-v: show verbose output
root@kali:~# nmap -v 192.168.96.129 -p139,445
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-06 19:08 CST
Initiating ARP Ping Scan at 19:08
Scanning 192.168.96.129 [1 port]
Completed ARP Ping Scan at 19:08, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:08
Completed Parallel DNS resolution of 1 host. at 19:08, 0.00s elapsed
Initiating SYN Stealth Scan at 19:08
Scanning bogon (192.168.96.129) [2 ports]
Discovered open port 445/tcp on 192.168.96.129
Discovered open port 139/tcp on 192.168.96.129
Completed SYN Stealth Scan at 19:08, 0.00s elapsed (2 total ports)
Nmap scan report for bogon (192.168.96.129)
Host is up (0.00036s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:3F:17:B1 (VMware)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
Scan using the smb-os-discovery.nse script
root@kali:~# nmap 192.168.96.129 -p139,445 --script=smb-os-discovery.nse
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-06 19:01 CST
Nmap scan report for 192.168.96.129
Host is up (0.00042s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:3F:17:B1 (VMware)
Host script results:
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: windowxppro
| NetBIOS computer name: WINDOWXPPRO\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2019-12-06T19:01:18+08:00
Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
Scan with all of the smb-vuln-*.nse scripts; --script-args passes argument values to the scripts
root@kali:~# nmap -p139,445 --script=smb-vuln-*.nse --script-args=unsafe=1 192.168.96.129
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-06 20:35 CST
Nmap scan report for bogon (192.168.96.129)
Host is up (0.00049s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:3F:17:B1 (VMware)
Host script results:
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
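The "Host script results" block above is what a scan like this hands to whoever has to act on it, and reading it by eye does not scale past a handful of hosts. The following Python is an added example (not part of the blog post or of nmap) that parses nmap's normal-output script block into structured findings: one record per NSE script with its state, risk factor and CVE ids, plus a triage step that separates confirmed or likely hits from scripts that errored and need a re-run with -d. The sample input is the scan output from this page with nmap's nested indentation restored; the regexes tolerate leading whitespace, so the flattened copy above parses the same way. The Finding class and the triage rule are this example's own choices, not an nmap API.

```python
import re
from dataclasses import dataclass, field

# Sample input: the smb-vuln-* "Host script results" block from the scan above,
# with nmap's indentation restored (the blog post stripped it).
SAMPLE_OUTPUT = """\
Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|     Disclosure date: 2008-10-23
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|     Disclosure date: 2017-03-14
|     References:
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
"""

# A script line looks like "| smb-vuln-ms17-010:" or "|_smb-vuln-ms10-054: ERROR: ...".
# NSE script ids are lowercase hyphenated names, which separates them from the
# capitalised keys ("State:", "IDs:", "Risk factor:") printed inside a block.
SCRIPT_LINE = re.compile(r"^\|_?\s*([a-z][a-z0-9]*(?:-[a-z0-9]+)+):\s*(.*)$")
FIELD_LINE = re.compile(r"^\|_?\s*([A-Z][A-Za-z ]*?):\s*(.*)$")
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Finding:
    script: str
    state: str = "UNKNOWN"   # e.g. VULNERABLE, LIKELY VULNERABLE, NOT VULNERABLE, ERROR
    risk: str = ""
    cves: list = field(default_factory=list)


def parse_host_script_results(text: str) -> list:
    """Turn nmap's normal-output 'Host script results' block into Finding objects."""
    findings = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SCRIPT_LINE.match(line)
        if m:
            # New script block; an inline "ERROR:" means the script did not complete.
            current = Finding(script=m.group(1))
            findings.append(current)
            if m.group(2).startswith("ERROR:"):
                current.state = "ERROR"
            continue
        if current is None:
            continue
        m = FIELD_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "State":
            current.state = value
        elif key == "IDs":
            current.cves.extend(CVE_ID.findall(value))
        elif key == "Risk factor":
            current.risk = value
    return findings


def triage(findings: list) -> tuple:
    """Split findings into actionable hits and scripts that must be re-run."""
    hits = [f for f in findings
            if "VULNERABLE" in f.state and not f.state.startswith("NOT")]
    rerun = [f.script for f in findings if f.state == "ERROR"]
    return hits, rerun


if __name__ == "__main__":
    hits, rerun = triage(parse_host_script_results(SAMPLE_OUTPUT))
    for f in hits:
        print(f"{f.script}: {f.state} {' '.join(f.cves)} risk={f.risk or 'n/a'}")
    if rerun:
        print("re-run with -d:", ", ".join(rerun))
```

For an automated pipeline it is more robust to have nmap write XML with -oX and parse that, since the normal output is meant for humans and its layout can change between versions; this parser is for the pasted text form shown on the page.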
nbtscan:
root@kali:/usr/share/nmap/scripts# nbtscan -r 192.168.96.0/24
Doing NBT name scan for addresses from 192.168.96.0/24
IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
192.168.96.0 Sendto failed: Permission denied
192.168.96.128 <unknown> <unknown>
192.168.96.129 WINDOWXPPRO <unknown> 00:0c:29:3f:17:b1
192.168.96.130 METASPLOITABLE <server> METASPLOITABLE 00:00:00:00:00:00
192.168.96.255 Sendto failed: Permission denied
enum4linux:
root@kali# enum4linux -a 192.168.96.129
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Dec 6 21:24:01 2019
==========================
| Target Information |
==========================
Target ........... 192.168.96.129
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
======================================================
| Enumerating Workgroup/Domain on 192.168.96.129 |
======================================================
[+] Got domain/workgroup name: WORKGROUP
==============================================
| Nbtstat Information for 192.168.96.129 |
==============================================
Looking up status of 192.168.96.129
WINDOWXPPRO <00> - M <ACTIVE> Workstation Service
WORKGROUP <00> - <GROUP> M <ACTIVE> Domain/Workgroup Name
MAC Address = 00-0C-29-3F-17-B1
=======================================
| Session Check on 192.168.96.129 |
=======================================
[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.