Kali渗透测试之服务扫描2——SNMP、SMB、SMTP扫描

Kali渗透测试 专栏收录该内容
35 篇文章 13 订阅

一、SNMP扫描

SNMP(简单网络管理协议)明文

  • 基于SNMP,进行网络设备监控,如:交换机、防火墙、服务器,CPU等其系统内部信息,基本都可以监控到。
  • 信息的金矿,经常被管理员配置错误
  • community:登录证书,默认值为public。容易被管理员遗忘修改其特征字符。两个默认的community strings,一个是public(可读),另一个是private(可写)
  • 服务器:161端口,客户端:162端口(UDP)

MIB Tree:

  • SNMP Management Information Base(MIB)
  • 树形的网络设备管理功能数据库

在目标主机上安装SNMP服务,并查看服务的状态、团队信息等。

控制面板——添加或删除程序,出现下图所示界面:

1、onesixtyone

  • 扫描硬件信息
root@kali:~# onesixtyone 192.168.247.129 public
Scanning 1 hosts, 1 communities
192.168.247.129 [public] Hardware: x86 Family 6 Model 142 Stepping 9 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Uniprocessor Free)
  • 如果没有扫除查询结果,有可能目标主机已经改变了它的默认community,我们可以结合字典对其进行扫描。
root@kali:~# dpkg -L onesixtyone
/.
/usr
/usr/bin
/usr/bin/onesixtyone
/usr/share
/usr/share/doc
/usr/share/doc/onesixtyone
/usr/share/doc/onesixtyone/README
/usr/share/doc/onesixtyone/changelog.Debian.amd64.gz
/usr/share/doc/onesixtyone/changelog.Debian.gz
/usr/share/doc/onesixtyone/changelog.gz
/usr/share/doc/onesixtyone/copyright
/usr/share/doc/onesixtyone/dict.txt        //默认字典
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/onesixtyone.1.gz

root@kali:~# onesixtyone -c /usr/share/doc/onesixtyone/dict.txt 192.168.247.129 -o my.log -w 100
Logging to file my.log
Scanning 1 hosts, 49 communities
 [


] ,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~���������������������������������������

2、snmpwalk

  • 能查出更多的信息,-c 指定community, -v指定使用的SNMP版本,2c版本使用比较广泛,但可读性不是很好。
root@kali:~# snmpwalk 192.168.247.129 -c public -v 2c
Created directory: /var/lib/snmp/mib_indexes
iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: x86 Family 6 Model 142 Stepping 9 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Uniprocessor Free)"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.311.1.1.3.1.2
iso.3.6.1.2.1.1.3.0 = Timeticks: (176845) 0:29:28.45
iso.3.6.1.2.1.1.4.0 = ""
iso.3.6.1.2.1.1.5.0 = STRING: "CHENGQIA-852040"
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 76
iso.3.6.1.2.1.2.1.0 = INTEGER: 2
iso.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.1.327683 = INTEGER: 327683
iso.3.6.1.2.1.2.2.1.2.1 = Hex-STRING: 4D 53 20 54 43 50 20 4C 6F 6F 70 62 61 63 6B 20 
69 6E 74 65 72 66 61 63 65 00 
......
iso.3.6.1.2.1.25.6.3.1.4.3 = INTEGER: 4
iso.3.6.1.2.1.25.6.3.1.5.1 = Hex-STRING: 07 E2 0B 19 11 32 2A 00 
iso.3.6.1.2.1.25.6.3.1.5.2 = Hex-STRING: 07 E3 04 18 17 1A 16 00 
iso.3.6.1.2.1.25.6.3.1.5.3 = Hex-STRING: 07 E2 0B 19 11 34 2E 00 
  • 指定IOD进行查询
root@kali:~# snmpwalk 192.168.247.129 -c public -v 2c iso.3.6.1.2.1.1.5
iso.3.6.1.2.1.1.5.0 = STRING: "CHENGQIA-852040"

3、snmp-check

相比snmpwalk,增强了可读性

  • snmp-check 192.168.247.129
  • snmp-check 192.168.247.129 -w          //是否可写
root@kali:~# snmp-check 192.168.247.129
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 192.168.247.129:161 using SNMPv1 and community 'public'

[*] System information:

  Host IP address               : 192.168.247.129
  Hostname                      : CHENGQIA-852040
  Description                   : Hardware: x86 Family 6 Model 142 Stepping 9 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Uniprocessor Free)
  Contact                       : -
  Location                      : -
  Uptime snmp                   : 4 days, 16:23:42.81
  Uptime system                 : 03:39:26.46
  System date                   : 2019-5-4 14:40:46.9
  Domain                        : WORKGROUP

[*] User accounts:               //用户账户
             
  cqq                                 
  Guest               
  test$               
  Administrator       
  SUPPORT_388945a0    
  IUSR_CHENGQIA-852040
  IWAM_CHENGQIA-852040

[*] Network information:

  IP forwarding enabled         : no
  Default TTL                   : 128
  TCP segments received         : 149505
  TCP segments sent             : 73696
  TCP segments retrans          : 36
  Input datagrams               : 151617
  Delivered datagrams           : 151592
  Output datagrams              : 76693

[*] Network interfaces:

  Interface                     : [ up ] MS TCP Loopback interface
  Id                            : 1
  Mac Address                   : :::::
  Type                          : softwareLoopback
  Speed                         : 10 Mbps
  MTU                           : 1520
  In octets                     : 61841
  Out octets                    : 61841

  Interface                     : [ up ] Intel(R) PRO/1000 MT Network Connection
  Id                            : 327683
  Mac Address                   : 00:0c:29:8f:74:74
  Type                          : ethernet-csmacd
  Speed                         : 10 Mbps
  MTU                           : 1500
  In octets                     : 11941081
  Out octets                    : 6663859


[*] Network IP:

  Id                    IP Address            Netmask               Broadcast           
  1                     127.0.0.1             255.0.0.0             1                   
  327683                192.168.247.129       255.255.255.0         1                   

[*] Routing information:          //路由信息

  Destination           Next hop              Mask                  Metric              
  0.0.0.0               192.168.247.2         0.0.0.0               30                  
  127.0.0.0             127.0.0.1             255.0.0.0             1                   
  192.168.247.0         192.168.247.129       255.255.255.0         30                  
  192.168.247.129       127.0.0.1             255.255.255.255       30                  
  192.168.247.255       192.168.247.129       255.255.255.255       30                  
  224.0.0.0             192.168.247.129       240.0.0.0             30                  
  255.255.255.255       192.168.247.129       255.255.255.255       1                       
  ......       
root@kali:~# snmp-check 192.168.247.129 -w
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 192.168.247.129:161 using SNMPv1 and community 'public'
[+] Write access check enabled

[!] 192.168.247.129:161 SNMP request timeout

二、SMB扫描

SMB协议(Server Message Block)

  • 微软历史上出现问题最多的协议;
  • 实现复杂,默认在Windows上是开放的,也是最常用的协议,用于实现文件的共享。

空会话未身份认证访问(SMB1)——Windows 2000/XP/Windows 2003

  • 不用建立连接也可以获取密码,用户名,组名,机器名,用户、组ID

1、nmap

  •  nmap -v -p139,445 192.168.247.129-131          //nmap扫描3个主机默认开放的139、445端口,但是不能准确判断操作系统的类型,一般情况下是Windows系统。
  • nmap 192.168.247.129 -p139,445 --script=smb-os-discovery.nse                                  //使用nmap自带的脚本进行操作系统的判断。
  • nmap -v -p139,445 --script=smb-vuln-*.nse --script-args=safe=1 192.168.247.129       //扫描Windows系统中的SMB协议是否有漏洞;smb-vuln-*.nse  指定所有关于smb-vuln的脚本文件,进行全扫描;safe — 对目标主机安全地进行扫描,unsafe扫描容易使目标系统宕机。
root@kali:~# nmap -v -p139,445 192.168.247.129-131
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-04 14:46 CST
Initiating ARP Ping Scan at 14:46
Scanning 3 hosts [1 port/host]
Completed ARP Ping Scan at 14:46, 0.22s elapsed (3 total hosts)
Initiating Parallel DNS resolution of 3 hosts. at 14:46
Completed Parallel DNS resolution of 3 hosts. at 14:46, 0.09s elapsed
Nmap scan report for 192.168.247.130 [host down]
Nmap scan report for 192.168.247.131 [host down]
Initiating SYN Stealth Scan at 14:46
Scanning bogon (192.168.247.129) [2 ports]
Discovered open port 445/tcp on 192.168.247.129
Discovered open port 139/tcp on 192.168.247.129
Completed SYN Stealth Scan at 14:46, 0.00s elapsed (2 total ports)
Nmap scan report for bogon (192.168.247.129)
Host is up (0.00045s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:8F:74:74 (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 3 IP addresses (1 host up) scanned in 0.43 seconds
           Raw packets sent: 7 (228B) | Rcvd: 3 (116B)
root@kali:~# nmap 192.168.247.129 -p139,445 --script=smb-os-discovery.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-04 14:47 CST
Nmap scan report for bogon (192.168.247.129)
Host is up (0.00024s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:8F:74:74 (VMware)

Host script results:      //目标主机操作系统信息
| smb-os-discovery: 
|   OS: Windows Server 2003 3790 Service Pack 2 (Windows Server 2003 5.2)
|   OS CPE: cpe:/o:microsoft:windows_server_2003::sp2
|   Computer name: chengqia-852040
|   NetBIOS computer name: CHENGQIA-852040\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-05-04T14:47:50+08:00

Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds
root@kali:~# nmap -v -p139,445 --script=smb-vuln-*.nse --script-args=safe=1 192.168.247.129
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-04 14:50 CST
NSE: Loaded 10 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:50
Completed NSE at 14:50, 0.00s elapsed
Initiating ARP Ping Scan at 14:50
Scanning 192.168.247.129 [1 port]
Completed ARP Ping Scan at 14:50, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:50
Completed Parallel DNS resolution of 1 host. at 14:50, 0.01s elapsed
Initiating SYN Stealth Scan at 14:50
Scanning bogon (192.168.247.129) [2 ports]
Discovered open port 445/tcp on 192.168.247.129
Discovered open port 139/tcp on 192.168.247.129
Completed SYN Stealth Scan at 14:50, 0.00s elapsed (2 total ports)
NSE: Script scanning 192.168.247.129.
Initiating NSE at 14:50
Completed NSE at 14:50, 5.00s elapsed
Nmap scan report for bogon (192.168.247.129)
Host is up (0.00044s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:8F:74:74 (VMware)
 
Host script results:         //目标主机存在的漏洞
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|           
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

NSE: Script Post-scanning.
Initiating NSE at 14:50
Completed NSE at 14:50, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 5.41 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

2、nbtscan

  • -r :使用本地端口137,兼容性好,扫描结果全;
  • 可以跨网段扫描
root@kali:~# nbtscan -r 192.168.247.0/24
Doing NBT name scan for addresses from 192.168.247.0/24

IP address       NetBIOS Name     Server    User             MAC address      
------------------------------------------------------------------------------
192.168.247.0	Sendto failed: Permission denied
192.168.247.1    LAPTOP-PCL3G0V7  <server>  <unknown>        00:50:56:c0:00:08
192.168.247.129  CHENGQIA-852040  <server>  <unknown>        00:0c:29:8f:74:74
192.168.247.177  <unknown>                  <unknown>        
192.168.247.255	Sendto failed: Permission denied

3、enum4linux

root@kali:~# enum4linux -U 192.168.247.129
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat May  4 14:54:15 2019

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.247.129
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ======================================================= 
|    Enumerating Workgroup/Domain on 192.168.247.129    |
 ======================================================= 
[+] Got domain/workgroup name: WORKGROUP

 ======================================== 
|    Session Check on 192.168.247.129    |
 ======================================== 
[+] Server 192.168.247.129 allows sessions using username '', password ''     //允许建立空连接

 ============================================== 
|    Getting domain SID for 192.168.247.129    |
 ============================================== 
Cannot connect to server.  Error was NT_STATUS_INVALID_PARAMETER
[+] Can't determine if host is part of domain or part of a workgroup

 ================================ 
|    Users on 192.168.247.129    |
 ================================ 
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.
enum4linux complete on Sat May  4 14:54:16 2019

三、SMTP扫描

SMTP:Simple Mail Transfer Protocol,简单邮件传输协议。

1、nc

root@kali:~# nc -nv 192.168.247.129 25       //连接25端口
(UNKNOWN) [192.168.247.129] 25 (smtp) open
220 chengqia-852040 Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at  Sat, 4 May 2019 14:55:24 +0800 
^C

2、nmap

  • 需先进行端口扫描、判断目标主机是否开启25号端口;
  • nmap smtp.163.com -p25 --script=smtp-enum-users.nse --script-args=smtp-enum-users.methods={VRFY}      //使用VRFY方法进行账户枚举。
  • nmap smtp.163.com -p25 --script=smtp-open-relay.nse        #扫描是否开启中继,如果开启邮件中继的话,容易被黑客利用,发送垃圾邮件。
root@kali:~# nmap smtp.163.com -p25 --script=smtp-enum-users.nse --script-args=smtp-enum-users.methods={VRFY}
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-04 14:57 CST
Nmap scan report for smtp.163.com (123.125.50.134)
Host is up (0.00032s latency).
Other addresses for smtp.163.com (not scanned): 123.125.50.133 123.125.50.138 123.125.50.132 123.125.50.135
rDNS record for 123.125.50.134: m50-134.163.com

PORT   STATE    SERVICE
25/tcp filtered smtp

Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds
root@kali:~# nmap smtp.163.com -p25 --script=smtp-open-relay.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-04 14:59 CST
Nmap scan report for smtp.163.com (123.125.50.135)
Host is up (0.0072s latency).
Other addresses for smtp.163.com (not scanned): 123.125.50.132 123.125.50.138 123.125.50.133 123.125.50.134
rDNS record for 123.125.50.135: m50-135.163.com

PORT   STATE SERVICE
25/tcp open  smtp
|_smtp-open-relay: Server doesn't seem to be an open relay, all tests failed

Nmap done: 1 IP address (1 host up) scanned in 2.60 seconds

 

  • 1
    点赞
  • 0
    评论
  • 0
    收藏
  • 一键三连
    一键三连
  • 扫一扫,分享海报

├─第1章 课程介绍 │ 任务001:Kali Linux渗透测试介绍.mp4 │ ├─第2Kali安装 │ 任务002Kali Linux安装-硬盘安装、虚拟机安装.mp4 │ 任务003:Kali Linux 安装-持久加密USB安装、熟悉环境、熟悉BASH命令.mp4 │ 任务004:Kali Linux安装-熟悉环境.mp4 │ ├─第3章 工作环境优化 │ 任务005:网络配置、更新升级、安装软件包、浏览器插件.mp4 │ 任务006:安装Java、安装显卡驱动、安装网卡补丁、并发线程限制、电源优化.mp4 │ 任务007:.mp4 │ 任务008:.mp4 │ ├─第4章 实验环境 │ 任务009:实验环境.mp4 │ ├─章 基本工具 │ 任务010:基本工具-NETCAT(telnet-banner、传输文本信息).mp4 │ 任务011:基本工具-NETCAT(传输-目录、流媒体服务、端口扫描、远程克隆硬盘).mp4 │ 任务012:基本工具-远程控制、NCAT、WIRESHARK、WIRESHARK-筛选器、常见协议.mp4 │ 任务013:基本工具-常见协议包、WIRESHARK-TCP.mp4 │ 任务014:WIRESHARK-信息统计、实践.mp4 │ 任务015:TCPDUMP-抓包、筛选、高级筛选、过程文档记录.mp4 │ ├─章 信息收集 │ 任务016:被动信息收集:信息收集内容、信息用途、信息收集DNS、DNS信息收集-NSLOOKUP.mp4 │ 任务017:DNS信息收集-DIGmp4.mp4 │ 任务018:DNS区域传输、DNS字典爆破、DNS信息.mp4 │ 任务019:搜索引擎、SHODAN.mp4 │ 任务020:SHODAN.mp4 │ 任务021:google搜索:实例.mp4 │ 任务022:其他途径.mp4 │ 任务023:RECON-NG.mp4 │ ├─章 主动信息收集 │ 任务024:主动信息收集-发现.mp4 │ 任务025:主动信息收集-发现(二).mp4 │ 任务026:主动信息收集-发现(三).mp4 │ 任务027:主动信息收集-发现(四).mp4 │ 任务028:主动信息收集-发现(五).mp4 │ 任务029:端口扫描.mp4 │ 任务030:端口扫描(二).mp4 │ 任务031:服务扫描.mp4 │ 任务032:操作系统识别.mp4 │ 任务033:SMB扫描.mp4 │ 任务034:SMTP扫描.mp4 │ ├─章 弱点扫描 │ 任务035:弱点扫描.mp4 │ 任务036:NMAP.mp4 │ 任务037:NESSUS.mp4 │ 任务038:NEXPOSE.mp4 │ ├─章 缓冲区溢出 │ 任务039:缓冲区溢出.mp4 │ 任务040:POP3.mp4 │ 任务041:FUZZING.mp4 │ 任务042Linux缓冲区溢出.mp4 │ 任务043:选择和修改EXP.mp4 | ├─章 提权 │ 任务45: 抓包嗅探.mp4 │ 任务46: WCE.mp4 │ 任务47: 利用漏洞提权.mp │ 任务48: 利用配置不当提权.mp4 │ 任务49: 收集敏感数据、隐藏痕迹.mp4 │ ├─章 无线 │ 任务050:无线渗透.mp4 │ 任务051:无线网运行模式和无线网硬件设备及基本概念.mp4 │ 任务052:无线技术概念.mp4 │ 任务053:Linux 无线协议栈及配置命令.mp4 │ 任务054:RADIOTAP头部.mp4 │ 任务055:CONTROL FRAME.mp4 │ 任务056:MANAGEMENT FRAME 管理帧.mp4 │ 任务057:REASSOCIATION REQUEST FRAME.mp4 │ 任务058:WEP加密、RC4算法.mp4 │ 任务059:WPA安全系统.mp4 │ 任
©️2021 CSDN 皮肤主题: 技术黑板 设计师:CSDN官方博客 返回首页
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、C币套餐、付费专栏及课程。

余额充值