一、SNMP扫描
举例信息可以参考:https://blog.csdn.net/bbwangj/article/details/80981098
1、SNMP(Simple Network Management Protocol):简单网络管理协议
- Snmp系统的内部信息都是通过snmp进行监控的,snmp特定的服务有特定的编号,比如查CPU,内存等,每个设备都有自己的MIB库,如果你想查询思科的,那就先导入相应的厂商的客户端的MIB库发给服务器去请求。
- snmp服务默认使用UDP的161和162 端口;
- SNMP系统内部表数据可以通过snmp进行网络设备监控,如:交换机、防火墙、服务器,CPU等其系统内部信息。基本都可以监控到;
- snmp简单网络管理协议,是应用层协议;
- 信息的查询和匹配;
- 两个communitstring一个可读,一个可写;
- community:登录证书,容易被管理员遗忘修改其特征字符 #可用字典破解community(public/private/manager);
- 信息的金矿,经常被错误配置,防止被人窃取做坏事;
2、MIB Tree
- SNMP Management Information Base;
- 树型的网络设备管理功能数据库;
实验环境:
WindowsXP:192.168.85.147
kali:192.168.85.161
切记首先关闭WindowsXP的防火墙!!!!
前期准备——先安装XP
在WindowsXP上安装SNMP服务,并查看服务的状态、团体信息等等。
启动:services.msc
进行相关设置:
1、SNMP扫描——onesixtyone
- SNMP枚举工具;
- 可以批量获得目标主机的系统信息;
命令:onesixtyone 192.168.85.147 public
2、SNMP扫描——snmpwalk
- 能够查出更多信息,-v指定版本,2c使用比较广泛,但可读性不是很好;
可以了解到一些信息!!!
root@kali:~# snmpwalk 192.168.85.147 -c public -v 2c
Created directory: /var/lib/snmp/mib_indexes
iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: x86 Family 6 Model 142 Stepping 11 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.1 (Build 2600 Uniprocessor Free)"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.311.1.1.3.1.1
iso.3.6.1.2.1.1.3.0 = Timeticks: (183537) 0:30:35.37
iso.3.6.1.2.1.1.4.0 = ""
iso.3.6.1.2.1.1.5.0 = STRING: "ZHANGCHA-D607EB"
iso.3.6.1.2.1.1.6.0 = ""
... ...
iso.3.6.1.2.1.25.6.3.1.2.1 = STRING: "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148"
iso.3.6.1.2.1.25.6.3.1.2.2 = STRING: "WebFldrs XP"
iso.3.6.1.2.1.25.6.3.1.2.3 = STRING: "VMware Tools"
iso.3.6.1.2.1.25.6.3.1.3.1 = OID: ccitt.0
iso.3.6.1.2.1.25.6.3.1.3.2 = OID: ccitt.0
iso.3.6.1.2.1.25.6.3.1.3.3 = OID: ccitt.0
iso.3.6.1.2.1.25.6.3.1.4.1 = INTEGER: 4
iso.3.6.1.2.1.25.6.3.1.4.2 = INTEGER: 4
iso.3.6.1.2.1.25.6.3.1.4.3 = INTEGER: 4
iso.3.6.1.2.1.25.6.3.1.5.1 = Hex-STRING: 07 E3 08 10 15 01 34 00
iso.3.6.1.2.1.25.6.3.1.5.2 = Hex-STRING: 07 E3 06 12 14 01 06 00
iso.3.6.1.2.1.25.6.3.1.5.3 = Hex-STRING: 07 E3 08 10 15 02 36 00
3、SNMP扫描——snmp-check
- 相比于snmpwalk,增强了可读性;
- 命令:snmp-check 192.168.85.147;
- snmp-check 192.168.85.147 -w # -w查看可写的
- snmp-check -c public -v 2c 192.168.85.147
root@kali:~# snmp-check 192.168.85.147 -w # -w查看可写的
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
[+] Try to connect to 192.168.85.147:161 using SNMPv1 and community 'public'
[+] Write access check enabled
[!] 192.168.85.147:161 SNMP request timeout
oot@kali:~# snmp-check -c public -v 2c 192.168.85.147
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
[+] Try to connect to 192.168.85.147:161 using SNMPv2c and community 'public'
[*] System information:
Host IP address : 192.168.85.147
Hostname : ZHANGCHA-D607EB
Description : Hardware: x86 Family 6 Model 142 Stepping 11 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.1 (Build 2600 Uniprocessor Free)
Contact : -
Location : -
Uptime snmp : 10:38:07.03
Uptime system : 00:48:20.89
System date : 2019-8-16 22:07:20.1
Domain : WORKGROUP
[*] User accounts:
Guest
zhang
Administrator
HelpAssistant
SUPPORT_388945a0
[*] Network information:
... ...
2、SMB扫描
SMB协议:
- Server Message Block协议;
- 微软历史上出现问题最多的协议;
- 实现复杂,默认在Windows上是开放的,也是最常用的协议,用于实现文件的共享;
(1)nmap
- 可以使用nmap扫描默认开放的端口139,445,但是不能准确判断操作系统的类型,一般情况下是Windows系统;
- nmap 192.168.85.147 -p139,445 --script=smb-os-discovery.nse
#使用nmap自带的脚本进行操作系统的判断;- nmap -v -p139,445 --script=smb-vuln-.nse --script-args=safe=1 192.168.37.130
#扫描Windows系统中的SMB协议是否有漏洞;可以使用smb-vuln-.nse来指定所有的脚本文件,进行全扫描;
- nmap -v -p139,445 192.168.85.147-152
#扫描3个主机,查看是否开启139,445端口
root@kali:~# nmap -v -p139,445 192.168.85.147-152
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-16 22:26 CST
Initiating ARP Ping Scan at 22:26
Scanning 6 hosts [1 port/host]
Completed ARP Ping Scan at 22:26, 0.21s elapsed (6 total hosts)
Initiating Parallel DNS resolution of 6 hosts. at 22:26
Completed Parallel DNS resolution of 6 hosts. at 22:26, 0.01s elapsed
Nmap scan report for 192.168.85.148 [host down]
Nmap scan report for 192.168.85.149 [host down]
Nmap scan report for 192.168.85.150 [host down]
Nmap scan report for 192.168.85.151 [host down]
Initiating SYN Stealth Scan at 22:26
Scanning 2 hosts [2 ports/host]
Discovered open port 445/tcp on 192.168.85.147
Discovered open port 139/tcp on 192.168.85.147
Discovered open port 445/tcp on 192.168.85.152
Discovered open port 139/tcp on 192.168.85.152
Completed SYN Stealth Scan at 22:26, 0.00s elapsed (4 total ports)
Nmap scan report for 192.168.85.147 (192.168.85.147)
Host is up (0.00014s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:24:05:EA (VMware)
Nmap scan report for 192.168.85.152 (192.168.85.152)
Host is up (0.00023s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:32:2A:91 (VMware)
Read data files from: /usr/bin/../share/nmap
Nmap done: 6 IP addresses (2 hosts up) scanned in 0.42 seconds
Raw packets sent: 14 (456B) | Rcvd: 6 (232B)
- nmap 192.168.85.147 -p139,445 --script=smb-os-discovery.nse
#使用nmap自带的脚本进行操作系统的判断;
root@kali:~# nmap 192.168.85.147 -p139,445 --script=smb-os-discovery.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-16 22:30 CST
Nmap scan report for 192.168.85.147 (192.168.85.147)
Host is up (0.00029s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:24:05:EA (VMware)
Host script results:
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: zhangcha-d607eb
| NetBIOS computer name: ZHANGCHA-D607EB\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2019-08-16T22:30:37+08:00
Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds
nmap -v -p139,445 --script=smb-vuln-.nse --script-args=safe=1 192.168.85.147
#扫描Windows系统中的SMB协议是否有漏洞;可以使用smb-vuln-.nse来指定所有的脚本文件,进行全扫描;
root@kali:~# nmap -v -p139,445 --script=smb-vuln-*.nse --script-args=safe=1 192.168.85.147
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-16 22:35 CST
NSE: Loaded 10 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 22:35
Completed NSE at 22:35, 0.00s elapsed
Initiating ARP Ping Scan at 22:35
Scanning 192.168.85.147 [1 port]
Completed ARP Ping Scan at 22:35, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:35
Completed Parallel DNS resolution of 1 host. at 22:35, 0.00s elapsed
Initiating SYN Stealth Scan at 22:35
Scanning 192.168.85.147 (192.168.85.147) [2 ports]
Discovered open port 445/tcp on 192.168.85.147
Discovered open port 139/tcp on 192.168.85.147
Completed SYN Stealth Scan at 22:35, 0.00s elapsed (2 total ports)
NSE: Script scanning 192.168.85.147.
Initiating NSE at 22:35
Completed NSE at 22:35, 5.01s elapsed
Nmap scan report for 192.168.85.147 (192.168.85.147)
Host is up (0.00032s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:24:05:EA (VMware)
Host script results:
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
NSE: Script Post-scanning.
Initiating NSE at 22:35
Completed NSE at 22:35, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 5.28 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
(2)nbtscan
- -r 选项:使用本地端口137,兼容性好,扫描结果全;
- 可以跨网段扫描;
命令:nbtscan -r 192.168.85.0/24
root@kali:~# nbtscan -r 192.168.85.0/24
Doing NBT name scan for addresses from 192.168.85.0/24
IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
192.168.85.0 Sendto failed: Permission denied
192.168.85.255 Sendto failed: Permission denied
192.168.85.161 <unknown> <unknown>
192.168.85.147 ZHANGCHA-D607EB <server> <unknown> 00:0c:29:24:05:ea
192.168.85.152 WIN-3M1E6U1785H <server> <unknown> 00:0c:29:32:2a:91
(3)enum4linux
命令:enum4linux -U 192.168.85.147
#扫描共享服务
root@kali:~# enum4linux -U 192.168.85.147
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Aug 16 22:41:59 2019
==========================
| Target Information |
==========================
Target ........... 192.168.85.147
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
======================================================
| Enumerating Workgroup/Domain on 192.168.85.147 |
======================================================
[+] Got domain/workgroup name: WORKGROUP
=======================================
| Session Check on 192.168.85.147 |
=======================================
[+] Server 192.168.85.147 allows sessions using username '', password ''
=============================================
| Getting domain SID for 192.168.85.147 |
=============================================
Cannot connect to server. Error was NT_STATUS_INVALID_PARAMETER
[+] Can't determine if host is part of domain or part of a workgroup
===============================
| Users on 192.168.85.147 |
===============================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.
Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.
enum4linux complete on Fri Aug 16 22:42:00 2019
3、SMTP扫描
SMTP(Simple Mail Transfer Protocol):简单邮件传输协议;
3.1> nc
- netcat的简写;
- 机器之间传输文件协议;
- 机器之间网络测速;
- 端口扫描;
- 实现TCP/UDP任意端口的监听;
命令:nc -nv 192.168.85.164 53
- -n 直接使用IP地址,而不通过域名服务器 ;
- -v 显示详细输出;
root@kali:~# nc -nv 192.168.85.164 53
(UNKNOWN) [192.168.85.164] 53 (domain) open
^C
在Windows R 2008中安装DNS服务,并将防火墙关闭!!!
3.2> nmap
- 前提:使用端口扫描,判断出目标主机开放53号端口;
- nmap smtp.163.com -p25 --script=smtp-enum-users.nse --script-args=smtp-enum-users.methods={VRFY} ##扫描用户账户,指定方式为{VRFY}
- nmap smtp.163.com -p53 --script=smtp-open-relay.nse #扫描是否开启中继(如果开启邮件中继的话,所有人都可以使用邮件中继,甚至做一些非法的事情)
3.2.1> 开启目标主机25号端口的SMTP服务;
查看服务已经启动;
3.2.2> 查看WindowsXP目标主机开放的端口;
3.2.3> 扫描用户账户,指定方式为{VRFY};
命令:nmap smtp.163.com -p25 --script=smtp-enum-users.nse --script-args=smtp-enum-users.methods={VRFY}
3.2.3> 扫描是否开启中继;
nmap smtp.163.com -p53 --script=smtp-open-relay.nse
#扫描是否开启中继(如果开启邮件中继的话,所有人都可以使用邮件中继,甚至做一些非法的事情)
3.2.4>
命令:smtp-user-enum -M VRFY -U users.txt -t 192.168.85.147
# 查询目标主机的smtp中是否有users.txt文件中所含的用户名
users.txt文档
扫描结果为;