當前位置：首頁 > 编程资源 > 编程问答 >内容正文

编程问答

snmp-smtp=smb扫描

發(fā)布時間：2024/6/3 编程问答 32 豆豆

生活随笔收集整理的這篇文章主要介紹了 snmp-smtp=smb扫描小編覺得挺不錯的,現(xiàn)在分享給大家,幫大家做個參考.

一、SNMP掃描

SNMP（簡單網(wǎng)絡管理協(xié)議）明文

基于SNMP，進行網(wǎng)絡設備監(jiān)控，如：交換機、防火墻、服務器，CPU等其系統(tǒng)內部信息，基本都可以監(jiān)控到。

信息的金礦，經(jīng)常被管理員配置錯誤
community：登錄證書，默認值為public。容易被管理員遺忘修改其特征字符。兩個默認的community strings，一個是public（可讀），另一個是private（可寫）
服務器：161端口，客戶端：162端口（UDP）

MIB Tree：

SNMP Management Information Base（MIB）
樹形的網(wǎng)絡設備管理功能數(shù)據(jù)庫

在目標主機上安裝SNMP服務，并查看服務的狀態(tài)、團隊信息等。

控制面板——添加或刪除程序，出現(xiàn)下圖所示界面：

1、onesixtyone

掃描硬件信息

root@kali:~# onesixtyone 192.168.247.129 public

Scanning 1 hosts, 1 communities

192.168.247.129 [public] Hardware: x86 Family 6 Model 142 Stepping 9 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Uniprocessor Free)

如果沒有掃除查詢結果，有可能目標主機已經(jīng)改變了它的默認community，我們可以結合字典對其進行掃描。

root@kali:~# dpkg -L onesixtyone

/usr

/usr/bin

/usr/bin/onesixtyone

/usr/share

/usr/share/doc

/usr/share/doc/onesixtyone

/usr/share/doc/onesixtyone/README

/usr/share/doc/onesixtyone/changelog.Debian.amd64.gz

/usr/share/doc/onesixtyone/changelog.Debian.gz

/usr/share/doc/onesixtyone/changelog.gz

/usr/share/doc/onesixtyone/copyright

/usr/share/doc/onesixtyone/dict.txt //默認字典

/usr/share/man

/usr/share/man/man1

/usr/share/man/man1/onesixtyone.1.gz

root@kali:~# onesixtyone -c /usr/share/doc/onesixtyone/dict.txt 192.168.247.129 -o my.log -w 100

Logging to file my.log

Scanning 1 hosts, 49 communities

[

] ,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~��

2、snmpwalk

能查出更多的信息，-c 指定community， -v指定使用的SNMP版本，2c版本使用比較廣泛，但可讀性不是很好。

root@kali:~# snmpwalk 192.168.247.129 -c public -v 2c

Created directory: /var/lib/snmp/mib_indexes

iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: x86 Family 6 Model 142 Stepping 9 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Uniprocessor Free)"

iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.311.1.1.3.1.2

iso.3.6.1.2.1.1.3.0 = Timeticks: (176845) 0:29:28.45

iso.3.6.1.2.1.1.4.0 = ""

iso.3.6.1.2.1.1.5.0 = STRING: "CHENGQIA-852040"

iso.3.6.1.2.1.1.6.0 = ""

iso.3.6.1.2.1.1.7.0 = INTEGER: 76

iso.3.6.1.2.1.2.1.0 = INTEGER: 2

iso.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1

iso.3.6.1.2.1.2.2.1.1.327683 = INTEGER: 327683

iso.3.6.1.2.1.2.2.1.2.1 = Hex-STRING: 4D 53 20 54 43 50 20 4C 6F 6F 70 62 61 63 6B 20

69 6E 74 65 72 66 61 63 65 00

......

iso.3.6.1.2.1.25.6.3.1.4.3 = INTEGER: 4

iso.3.6.1.2.1.25.6.3.1.5.1 = Hex-STRING: 07 E2 0B 19 11 32 2A 00

iso.3.6.1.2.1.25.6.3.1.5.2 = Hex-STRING: 07 E3 04 18 17 1A 16 00

iso.3.6.1.2.1.25.6.3.1.5.3 = Hex-STRING: 07 E2 0B 19 11 34 2E 00

指定IOD進行查詢

root@kali:~# snmpwalk 192.168.247.129 -c public -v 2c iso.3.6.1.2.1.1.5

iso.3.6.1.2.1.1.5.0 = STRING: "CHENGQIA-852040"

3、snmp-check

相比snmpwalk，增強了可讀性

snmp-check 192.168.247.129
snmp-check 192.168.247.129 -w????????? //是否可寫

root@kali:~# snmp-check 192.168.247.129

snmp-check v1.9 - SNMP enumerator

[+] Try to connect to 192.168.247.129:161 using SNMPv1 and community 'public'

[*] System information:

Host IP address : 192.168.247.129

Hostname : CHENGQIA-852040

Description : Hardware: x86 Family 6 Model 142 Stepping 9 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Uniprocessor Free)

Contact : -

Location : -

Uptime snmp : 4 days, 16:23:42.81

Uptime system : 03:39:26.46

System date : 2019-5-4 14:40:46.9

Domain : WORKGROUP

[*] User accounts: //用戶賬戶

cqq

Guest

test$

Administrator

SUPPORT_388945a0

IUSR_CHENGQIA-852040

IWAM_CHENGQIA-852040

[*] Network information:

IP forwarding enabled : no

Default TTL : 128

TCP segments received : 149505

TCP segments sent : 73696

TCP segments retrans : 36

Input datagrams : 151617

Delivered datagrams : 151592

Output datagrams : 76693

[*] Network interfaces:

Interface : [ up ] MS TCP Loopback interface

Id : 1

Mac Address : :::::

Type : softwareLoopback

Speed : 10 Mbps

MTU : 1520

In octets : 61841

Out octets : 61841

Interface : [ up ] Intel(R) PRO/1000 MT Network Connection

Id : 327683

Mac Address : 00:0c:29:8f:74:74

Type : ethernet-csmacd

Speed : 10 Mbps

MTU : 1500

In octets : 11941081

Out octets : 6663859

[*] Network IP:

Id IP Address Netmask Broadcast

1 127.0.0.1 255.0.0.0 1

327683 192.168.247.129 255.255.255.0 1

[*] Routing information: //路由信息

Destination Next hop Mask Metric

0.0.0.0 192.168.247.2 0.0.0.0 30

127.0.0.0 127.0.0.1 255.0.0.0 1

192.168.247.0 192.168.247.129 255.255.255.0 30

192.168.247.129 127.0.0.1 255.255.255.255 30

192.168.247.255 192.168.247.129 255.255.255.255 30

224.0.0.0 192.168.247.129 240.0.0.0 30

255.255.255.255 192.168.247.129 255.255.255.255 1

......

root@kali:~# snmp-check 192.168.247.129 -w

snmp-check v1.9 - SNMP enumerator

[+] Try to connect to 192.168.247.129:161 using SNMPv1 and community 'public'

[+] Write access check enabled

[!] 192.168.247.129:161 SNMP request timeout

二、SMB掃描

SMB協(xié)議（Server Message Block）

微軟歷史上出現(xiàn)問題最多的協(xié)議；
實現(xiàn)復雜，默認在Windows上是開放的，也是最常用的協(xié)議，用于實現(xiàn)文件的共享。

空會話未身份認證訪問（SMB1）——Windows 2000/XP/Windows 2003

不用建立連接也可以獲取密碼，用戶名，組名，機器名，用戶、組ID

1、nmap

?nmap -v -p139,445 192.168.247.129-131????????? //nmap掃描3個主機默認開放的139、445端口，但是不能準確判斷操作系統(tǒng)的類型，一般情況下是Windows系統(tǒng)。
nmap 192.168.247.129 -p139,445 --script=smb-os-discovery.nse????????????????????????????????? //使用nmap自帶的腳本進行操作系統(tǒng)的判斷。
nmap -v -p139,445 --script=smb-vuln-*.nse --script-args=safe=1 192.168.247.129?????? //掃描Windows系統(tǒng)中的SMB協(xié)議是否有漏洞；smb-vuln-*.nse? 指定所有關于smb-vuln的腳本文件，進行全掃描；safe — 對目標主機安全地進行掃描，unsafe掃描容易使目標系統(tǒng)宕機。

root@kali:~# nmap -v -p139,445 192.168.247.129-131

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-04 14:46 CST

Initiating ARP Ping Scan at 14:46

Scanning 3 hosts [1 port/host]

Completed ARP Ping Scan at 14:46, 0.22s elapsed (3 total hosts)

Initiating Parallel DNS resolution of 3 hosts. at 14:46

Completed Parallel DNS resolution of 3 hosts. at 14:46, 0.09s elapsed

Nmap scan report for 192.168.247.130 [host down]

Nmap scan report for 192.168.247.131 [host down]

Initiating SYN Stealth Scan at 14:46

Scanning bogon (192.168.247.129) [2 ports]

Discovered open port 445/tcp on 192.168.247.129

Discovered open port 139/tcp on 192.168.247.129

Completed SYN Stealth Scan at 14:46, 0.00s elapsed (2 total ports)

Nmap scan report for bogon (192.168.247.129)

Host is up (0.00045s latency).

PORT STATE SERVICE

139/tcp open netbios-ssn

445/tcp open microsoft-ds

MAC Address: 00:0C:29:8F:74:74 (VMware)

Read data files from: /usr/bin/../share/nmap

Nmap done: 3 IP addresses (1 host up) scanned in 0.43 seconds

Raw packets sent: 7 (228B) | Rcvd: 3 (116B)

root@kali:~# nmap 192.168.247.129 -p139,445 --script=smb-os-discovery.nse

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-04 14:47 CST

Nmap scan report for bogon (192.168.247.129)

Host is up (0.00024s latency).

PORT STATE SERVICE

139/tcp open netbios-ssn

445/tcp open microsoft-ds

MAC Address: 00:0C:29:8F:74:74 (VMware)

Host script results: //目標主機操作系統(tǒng)信息

| smb-os-discovery:

| OS: Windows Server 2003 3790 Service Pack 2 (Windows Server 2003 5.2)

| OS CPE: cpe:/o:microsoft:windows_server_2003::sp2

| Computer name: chengqia-852040

| NetBIOS computer name: CHENGQIA-852040\x00

| Workgroup: WORKGROUP\x00

|_ System time: 2019-05-04T14:47:50+08:00

Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds

root@kali:~# nmap -v -p139,445 --script=smb-vuln-*.nse --script-args=safe=1 192.168.247.129

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-04 14:50 CST

NSE: Loaded 10 scripts for scanning.

NSE: Script Pre-scanning.

Initiating NSE at 14:50

Completed NSE at 14:50, 0.00s elapsed

Initiating ARP Ping Scan at 14:50

Scanning 192.168.247.129 [1 port]

Completed ARP Ping Scan at 14:50, 0.00s elapsed (1 total hosts)

Initiating Parallel DNS resolution of 1 host. at 14:50

Completed Parallel DNS resolution of 1 host. at 14:50, 0.01s elapsed

Initiating SYN Stealth Scan at 14:50

Scanning bogon (192.168.247.129) [2 ports]

Discovered open port 445/tcp on 192.168.247.129

Discovered open port 139/tcp on 192.168.247.129

Completed SYN Stealth Scan at 14:50, 0.00s elapsed (2 total ports)

NSE: Script scanning 192.168.247.129.

Initiating NSE at 14:50

Completed NSE at 14:50, 5.00s elapsed

Nmap scan report for bogon (192.168.247.129)

Host is up (0.00044s latency).

PORT STATE SERVICE

139/tcp open netbios-ssn

445/tcp open microsoft-ds

MAC Address: 00:0C:29:8F:74:74 (VMware)

Host script results: //目標主機存在的漏洞

| smb-vuln-ms08-067:

| VULNERABLE:

| Microsoft Windows system vulnerable to remote code execution (MS08-067)

| State: VULNERABLE

| IDs: CVE:CVE-2008-4250

| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,

| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary

| code via a crafted RPC request that triggers the overflow during path canonicalization.

| Disclosure date: 2008-10-23

| References:

| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250

|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx

|_smb-vuln-ms10-054: false

|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND

| smb-vuln-ms17-010:

| VULNERABLE:

| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)

| State: VULNERABLE

| IDs: CVE:CVE-2017-0143

| Risk factor: HIGH

| A critical remote code execution vulnerability exists in Microsoft SMBv1

| servers (ms17-010).

| Disclosure date: 2017-03-14

| References:

| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

NSE: Script Post-scanning.

Initiating NSE at 14:50

Completed NSE at 14:50, 0.00s elapsed

Read data files from: /usr/bin/../share/nmap

Nmap done: 1 IP address (1 host up) scanned in 5.41 seconds

Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

2、nbtscan

-r ：使用本地端口137，兼容性好，掃描結果全；
可以跨網(wǎng)段掃描

root@kali:~# nbtscan -r 192.168.247.0/24

Doing NBT name scan for addresses from 192.168.247.0/24

IP address NetBIOS Name Server User MAC address

------------------------------------------------------------------------------

192.168.247.0 Sendto failed: Permission denied

192.168.247.1 LAPTOP-PCL3G0V7 <server> <unknown> 00:50:56:c0:00:08

192.168.247.129 CHENGQIA-852040 <server> <unknown> 00:0c:29:8f:74:74

192.168.247.177 <unknown> <unknown>

192.168.247.255 Sendto failed: Permission denied

3、enum4linux

root@kali:~# enum4linux -U 192.168.247.129

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat May 4 14:54:15 2019

==========================

| Target Information |

==========================

Target ........... 192.168.247.129

RID Range ........ 500-550,1000-1050

Username ......... ''

Password ......... ''

Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

=======================================================

| Enumerating Workgroup/Domain on 192.168.247.129 |

=======================================================

[+] Got domain/workgroup name: WORKGROUP

========================================

| Session Check on 192.168.247.129 |

========================================

[+] Server 192.168.247.129 allows sessions using username '', password '' //允許建立空連接

==============================================

| Getting domain SID for 192.168.247.129 |

==============================================

Cannot connect to server. Error was NT_STATUS_INVALID_PARAMETER

[+] Can't determine if host is part of domain or part of a workgroup

================================

| Users on 192.168.247.129 |

================================

Use of uninitialized value $users in print at ./enum4linux.pl line 874.

Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.

Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

enum4linux complete on Sat May 4 14:54:16 2019

三、SMTP掃描

SMTP：Simple Mail Transfer Protocol，簡單郵件傳輸協(xié)議。

1、nc

root@kali:~# nc -nv 192.168.247.129 25 //連接25端口

(UNKNOWN) [192.168.247.129] 25 (smtp) open

220 chengqia-852040 Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at Sat, 4 May 2019 14:55:24 +0800

2、nmap

需先進行端口掃描、判斷目標主機是否開啟25號端口；
nmap smtp.163.com -p25 --script=smtp-enum-users.nse --script-args=smtp-enum-users.methods={VRFY}????? //使用VRFY方法進行賬戶枚舉。
nmap smtp.163.com -p25 --script=smtp-open-relay.nse??????? #掃描是否開啟中繼，如果開啟郵件中繼的話，容易被黑客利用，發(fā)送垃圾郵件。

root@kali:~# nmap smtp.163.com -p25 --script=smtp-enum-users.nse --script-args=smtp-enum-users.methods={VRFY}

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-04 14:57 CST

Nmap scan report for smtp.163.com (123.125.50.134)

Host is up (0.00032s latency).

Other addresses for smtp.163.com (not scanned): 123.125.50.133 123.125.50.138 123.125.50.132 123.125.50.135

rDNS record for 123.125.50.134: m50-134.163.com

PORT STATE SERVICE

25/tcp filtered smtp

Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds

root@kali:~# nmap smtp.163.com -p25 --script=smtp-open-relay.nse

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-04 14:59 CST

Nmap scan report for smtp.163.com (123.125.50.135)

Host is up (0.0072s latency).

Other addresses for smtp.163.com (not scanned): 123.125.50.132 123.125.50.138 123.125.50.133 123.125.50.134

rDNS record for 123.125.50.135: m50-135.163.com

PORT STATE SERVICE

25/tcp open smtp

|_smtp-open-relay: Server doesn't seem to be an open relay, all tests failed

Nmap done: 1 IP address (1 host up) scanned in 2.60 seconds

總結

以上是生活随笔為你收集整理的snmp-smtp=smb扫描的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內容還不錯，歡迎將生活随笔推薦給好友。

上一篇： Swaks-smtp瑞士军刀(smtp邮
下一篇： Web服务器漏洞和安全