Kali Penetration Testing, Service Scanning Part 2: SNMP, SMB and SMTP Scanning

I. SNMP Scanning

SNMP (Simple Network Management Protocol): everything travels in cleartext

  • SNMP is used to monitor network devices such as switches, firewalls and servers; nearly all of their internal system information, CPU included, can be read through it.
  • A gold mine of information, and one that administrators frequently misconfigure.
  • community: the login credential, with a default value of public. Administrators easily forget to change this well-known string. There are two default community strings: public (read-only) and private (read-write).
  • Server side: port 161; client side: port 162 (both UDP).

MIB tree:

  • SNMP Management Information Base (MIB)
  • A tree-structured database of the device's management data
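The two points above, the cleartext community string and the OID as a path down the MIB tree, as an added example that is not part of the original post: a hand-rolled BER encoder for an SNMPv2c GetRequest for sysName.0 and a decoder that pulls the version and community back out of the datagram. Standard library only; the OID, community values and the uses_default_community check are constructed here, not taken from any tool on the page.

```python
"""
Added example: minimal SNMPv2c GetRequest encoder/decoder. Shows that the community
string is a plain octet string in every v1/v2c message (anyone seeing UDP/161 traffic
can read it) and that 1.3.6.1.2.1.1.5.0 is literally iso.org.dod.internet.mgmt.mib-2.system.sysName.0.
"""

DEFAULT_COMMUNITIES = {"public", "private"}   # the two defaults named in the notes above


def ber_len(n: int) -> bytes:
    """BER length: one byte below 128, otherwise 0x80|count followed by the length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def encode_int(v: int) -> bytes:
    """ASN.1 INTEGER with the minimal two's-complement length."""
    length = 1
    while not -(1 << (8 * length - 1)) <= v < (1 << (8 * length - 1)):
        length += 1
    return tlv(0x02, v.to_bytes(length, "big", signed=True))


def encode_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, remaining arcs base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv2c message: SEQUENCE { version 1 (= v2c), community, GetRequest-PDU }."""
    varbind = tlv(0x30, encode_oid(oid) + b"\x05\x00")           # value is NULL in a request
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(0x30, varbind))                                 # 0xA0 = GetRequest
    return tlv(0x30, encode_int(1) + tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(payload: bytes) -> str:
    arcs, val = [payload[0] // 40, payload[0] % 40], 0
    for b in payload[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_snmp_header(datagram: bytes) -> dict:
    """Version, community, PDU type and requested OIDs of a v1/v2c message, read without any key."""
    _, msg, _ = _read_tlv(datagram, 0)
    _, ver, pos = _read_tlv(msg, 0)
    version_num = int.from_bytes(ver, "big", signed=True)
    if version_num == 3:                 # v3 has no community and a different layout
        return {"version": "v3", "community": None, "pdu_tag": None, "oids": []}
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    p = 0
    for _ in range(3):                   # request-id, error-status, error-index
        _, _, p = _read_tlv(pdu, p)
    _, varbinds, _ = _read_tlv(pdu, p)
    oids, q = [], 0
    while q < len(varbinds):
        _, vb, q = _read_tlv(varbinds, q)
        _, oid_bytes, _ = _read_tlv(vb, 0)
        oids.append(decode_oid(oid_bytes))
    return {"version": {0: "v1", 1: "v2c"}.get(version_num, "unknown"),
            "community": community.decode(errors="replace"), "pdu_tag": pdu_tag, "oids": oids}


def uses_default_community(datagram: bytes) -> bool:
    """Detection check a network sensor could apply to UDP/161 traffic."""
    hdr = parse_snmp_header(datagram)
    return hdr["version"] in ("v1", "v2c") and hdr["community"] in DEFAULT_COMMUNITIES


if __name__ == "__main__":
    pkt = build_get_request("public", "1.3.6.1.2.1.1.5.0")
    print(pkt.hex(" "))                  # the bytes of 'public' are visible in the clear
    print(parse_snmp_header(pkt), uses_default_community(pkt))
```

The only thing protecting a v1/v2c agent is the secrecy of a string that every request repeats in the clear, which is why the defensive options are SNMPv3 with authentication and privacy, or at least a non-default read-only community, no write community, and source-address restrictions on UDP/161.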

Install the SNMP service on the target host, then check the service status, the community settings and so on.

Control Panel, Add or Remove Programs, which brings up the screen shown in the figure below:

1. onesixtyone

  • Scans for hardware information
root@kali:~# onesixtyone 192.168.247.129 public
Scanning 1 hosts, 1 communities
192.168.247.129 [public] Hardware: x86 Family 6 Model 142 Stepping 9 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Uniprocessor Free)
  • If the scan returns nothing, the target may have changed its default community string; in that case run the scan with a dictionary.
root@kali:~# dpkg -L onesixtyone
/.
/usr
/usr/bin
/usr/bin/onesixtyone
/usr/share
/usr/share/doc
/usr/share/doc/onesixtyone
/usr/share/doc/onesixtyone/README
/usr/share/doc/onesixtyone/changelog.Debian.amd64.gz
/usr/share/doc/onesixtyone/changelog.Debian.gz
/usr/share/doc/onesixtyone/changelog.gz
/usr/share/doc/onesixtyone/copyright
/usr/share/doc/onesixtyone/dict.txt        // default dictionary
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/onesixtyone.1.gz

root@kali:~# onesixtyone -c /usr/share/doc/onesixtyone/dict.txt 192.168.247.129 -o my.log -w 100
Logging to file my.log
Scanning 1 hosts, 49 communities

2. snmpwalk

  • Retrieves far more information. -c specifies the community and -v the SNMP version; version 2c is the most widely used, but the output is not very readable.
root@kali:~# snmpwalk 192.168.247.129 -c public -v 2c
Created directory: /var/lib/snmp/mib_indexes
iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: x86 Family 6 Model 142 Stepping 9 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Uniprocessor Free)"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.311.1.1.3.1.2
iso.3.6.1.2.1.1.3.0 = Timeticks: (176845) 0:29:28.45
iso.3.6.1.2.1.1.4.0 = ""
iso.3.6.1.2.1.1.5.0 = STRING: "CHENGQIA-852040"
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 76
iso.3.6.1.2.1.2.1.0 = INTEGER: 2
iso.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.1.327683 = INTEGER: 327683
iso.3.6.1.2.1.2.2.1.2.1 = Hex-STRING: 4D 53 20 54 43 50 20 4C 6F 6F 70 62 61 63 6B 20 
69 6E 74 65 72 66 61 63 65 00 
......
iso.3.6.1.2.1.25.6.3.1.4.3 = INTEGER: 4
iso.3.6.1.2.1.25.6.3.1.5.1 = Hex-STRING: 07 E2 0B 19 11 32 2A 00 
iso.3.6.1.2.1.25.6.3.1.5.2 = Hex-STRING: 07 E3 04 18 17 1A 16 00 
iso.3.6.1.2.1.25.6.3.1.5.3 = Hex-STRING: 07 E2 0B 19 11 34 2E 00 
  • Query a specific OID
root@kali:~# snmpwalk 192.168.247.129 -c public -v 2c iso.3.6.1.2.1.1.5
iso.3.6.1.2.1.1.5.0 = STRING: "CHENGQIA-852040"
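The walk output above is hard to read because the OIDs are numeric and several values are raw Hex-STRINGs. As an added example (not part of the original post), here is a parser for snmpwalk's default output: it renumbers iso.* OIDs, labels the MIB-II and Host-Resources objects that appear in the walk, joins wrapped Hex-STRING lines, and decodes them either as text (ifDescr) or as the SNMPv2-TC DateAndTime encoding used by hrSWInstalledDate (2-byte year, then month, day, hour, minute, second, deciseconds). The sample is constructed in the shape of the output shown above; the WELL_KNOWN map is a hand-picked subset, not a MIB loader.

```python
"""Added example: parse snmpwalk output and decode the Hex-STRING values seen above."""
import re

# Constructed sample in the shape of the walk output above, including one wrapped Hex-STRING.
SAMPLE = """\
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.311.1.1.3.1.2
iso.3.6.1.2.1.1.3.0 = Timeticks: (176845) 0:29:28.45
iso.3.6.1.2.1.1.4.0 = ""
iso.3.6.1.2.1.1.5.0 = STRING: "CHENGQIA-852040"
iso.3.6.1.2.1.1.7.0 = INTEGER: 76
iso.3.6.1.2.1.2.2.1.2.1 = Hex-STRING: 4D 53 20 54 43 50 20 4C 6F 6F 70 62 61 63 6B 20
69 6E 74 65 72 66 61 63 65 00
iso.3.6.1.2.1.25.6.3.1.5.1 = Hex-STRING: 07 E2 0B 19 11 32 2A 00
"""

WELL_KNOWN = {  # object names for the OID prefixes seen in the walk (MIB-II, Host Resources)
    "1.3.6.1.2.1.1.1": "sysDescr", "1.3.6.1.2.1.1.2": "sysObjectID",
    "1.3.6.1.2.1.1.3": "sysUpTime", "1.3.6.1.2.1.1.4": "sysContact",
    "1.3.6.1.2.1.1.5": "sysName", "1.3.6.1.2.1.1.6": "sysLocation",
    "1.3.6.1.2.1.1.7": "sysServices", "1.3.6.1.2.1.2.2.1.2": "ifDescr",
    "1.3.6.1.2.1.25.6.3.1.5": "hrSWInstalledDate",
}
HR_SW_INSTALLED_DATE = "1.3.6.1.2.1.25.6.3.1.5."
LINE_RE = re.compile(r'^(iso\S*|\.?\d[\d.]*) = (?:(\S+): ?)?(.*)$')


def to_numeric(oid: str) -> str:
    """snmpwalk prints 'iso.3.6...' when no MIBs are loaded; iso is arc 1."""
    return "1" + oid[3:] if oid.startswith("iso") else oid.strip(".")


def name_for(oid: str) -> str:
    """'objectName.index' for prefixes in WELL_KNOWN, else the numeric OID unchanged."""
    for prefix, name in WELL_KNOWN.items():
        if oid.startswith(prefix + "."):
            return f"{name}.{oid[len(prefix) + 1:]}"
    return oid


def decode_date_and_time(raw: bytes) -> str:
    """SNMPv2-TC DateAndTime: 07 E2 0B 19 11 32 2A 00 -> 2018-11-25 17:50:42.0"""
    year = int.from_bytes(raw[0:2], "big")
    month, day, hour, minute, second, decisec = raw[2:8]
    return f"{year:04d}-{month:02d}-{day:02d} {hour:02d}:{minute:02d}:{second:02d}.{decisec}"


def decode_hex_string(oid: str, hex_text: str) -> str:
    raw = bytes.fromhex(hex_text)
    if oid.startswith(HR_SW_INSTALLED_DATE) and len(raw) in (8, 11):
        return decode_date_and_time(raw)
    text = raw.rstrip(b"\x00")            # the Windows agent appends a NUL to ifDescr
    if text and all(32 <= b < 127 for b in text):
        return text.decode("ascii")
    return raw.hex(" ")


def sys_services_layers(value: int) -> list:
    """sysServices: bit (L-1) set means the node offers services at OSI layer L."""
    return [layer for layer in range(1, 8) if value & (1 << (layer - 1))]


def parse_snmpwalk(output: str) -> dict:
    """Return {numeric OID: (type, decoded value)}; lines without ' = ' extend a Hex-STRING."""
    records = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append([to_numeric(m.group(1)), m.group(2) or "STRING", m.group(3).strip()])
        elif records and records[-1][1] == "Hex-STRING":
            records[-1][2] += " " + line.strip()
    result = {}
    for oid, typ, value in records:
        if typ == "STRING":
            value = value.strip('"')
        elif typ == "INTEGER":
            value = int(value)
        elif typ == "Timeticks":          # "(176845) 0:29:28.45": hundredths of a second
            value = int(value[1:value.index(")")]) / 100
        elif typ == "OID":
            value = to_numeric(value)
        elif typ == "Hex-STRING":
            value = decode_hex_string(oid, value)
        result[oid] = (typ, value)
    return result


if __name__ == "__main__":
    for oid, (typ, value) in parse_snmpwalk(SAMPLE).items():
        print(f"{name_for(oid):28} {typ:10} {value}")
```

Decoded this way, the walk above says the host is named CHENGQIA-852040, reports a Microsoft sysObjectID (enterprise 311 is Microsoft), offers services at OSI layers 3, 4 and 7 (sysServices 76), and has software installed on 2018-11-25 and 2019-04-24: exactly the inventory data that makes a read-only default community worth protecting.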

3. snmp-check

Compared with snmpwalk, the output is much more readable.

  • snmp-check 192.168.247.129
  • snmp-check 192.168.247.129 -w          // also test whether the community allows writes
root@kali:~# snmp-check 192.168.247.129
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 192.168.247.129:161 using SNMPv1 and community 'public'

[*] System information:

  Host IP address               : 192.168.247.129
  Hostname                      : CHENGQIA-852040
  Description                   : Hardware: x86 Family 6 Model 142 Stepping 9 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Uniprocessor Free)
  Contact                       : -
  Location                      : -
  Uptime snmp                   : 4 days, 16:23:42.81
  Uptime system                 : 03:39:26.46
  System date                   : 2019-5-4 14:40:46.9
  Domain                        : WORKGROUP

[*] User accounts:
             
  cqq                                 
  Guest               
  test$               
  Administrator       
  SUPPORT_388945a0    
  IUSR_CHENGQIA-852040
  IWAM_CHENGQIA-852040

[*] Network information:

  IP forwarding enabled         : no
  Default TTL                   : 128
  TCP segments received         : 149505
  TCP segments sent             : 73696
  TCP segments retrans          : 36
  Input datagrams               : 151617
  Delivered datagrams           : 151592
  Output datagrams              : 76693

[*] Network interfaces:

  Interface                     : [ up ] MS TCP Loopback interface
  Id                            : 1
  Mac Address                   : :::::
  Type                          : softwareLoopback
  Speed                         : 10 Mbps
  MTU                           : 1520
  In octets                     : 61841
  Out octets                    : 61841

  Interface                     : [ up ] Intel(R) PRO/1000 MT Network Connection
  Id                            : 327683
  Mac Address                   : 00:0c:29:8f:74:74
  Type                          : ethernet-csmacd
  Speed                         : 10 Mbps
  MTU                           : 1500
  In octets                     : 11941081
  Out octets                    : 6663859


[*] Network IP:

  Id                    IP Address            Netmask               Broadcast           
  1                     127.0.0.1             255.0.0.0             1                   
  327683                192.168.247.129       255.255.255.0         1                   

[*] Routing information:

  Destination           Next hop              Mask                  Metric              
  0.0.0.0               192.168.247.2         0.0.0.0               30                  
  127.0.0.0             127.0.0.1             255.0.0.0             1                   
  192.168.247.0         192.168.247.129       255.255.255.0         30                  
  192.168.247.129       127.0.0.1             255.255.255.255       30                  
  192.168.247.255       192.168.247.129       255.255.255.255       30                  
  224.0.0.0             192.168.247.129       240.0.0.0             30                  
  255.255.255.255       192.168.247.129       255.255.255.255       1                       
  ......       
root@kali:~# snmp-check 192.168.247.129 -w
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 192.168.247.129:161 using SNMPv1 and community 'public'
[+] Write access check enabled

[!] 192.168.247.129:161 SNMP request timeout

II. SMB Scanning

SMB (Server Message Block) protocol

  • Historically the protocol with the most security problems on Microsoft platforms;
  • Complex to implement, enabled by default on Windows, and the most widely used protocol there, since it provides file sharing.

Null session, i.e. unauthenticated access (SMB1): Windows 2000/XP/Windows 2003

  • Without establishing an authenticated connection, passwords, usernames, group names, machine names, and user and group IDs can all be obtained.

1. nmap

  • nmap -v -p139,445 192.168.247.129-131          // scan ports 139 and 445, which are open by default, on three hosts; this alone cannot identify the OS reliably, though such hosts are usually Windows.
  • nmap 192.168.247.129 -p139,445 --script=smb-os-discovery.nse                                  // use nmap's bundled script to identify the operating system.
  • nmap -v -p139,445 --script=smb-vuln-*.nse --script-args=safe=1 192.168.247.129       // check whether the SMB implementation on the Windows target has known vulnerabilities; smb-vuln-*.nse selects every smb-vuln script for a full scan; safe means the target is scanned safely, while unsafe checks can easily crash the target system.
root@kali:~# nmap -v -p139,445 192.168.247.129-131
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-04 14:46 CST
Initiating ARP Ping Scan at 14:46
Scanning 3 hosts [1 port/host]
Completed ARP Ping Scan at 14:46, 0.22s elapsed (3 total hosts)
Initiating Parallel DNS resolution of 3 hosts. at 14:46
Completed Parallel DNS resolution of 3 hosts. at 14:46, 0.09s elapsed
Nmap scan report for 192.168.247.130 [host down]
Nmap scan report for 192.168.247.131 [host down]
Initiating SYN Stealth Scan at 14:46
Scanning bogon (192.168.247.129) [2 ports]
Discovered open port 445/tcp on 192.168.247.129
Discovered open port 139/tcp on 192.168.247.129
Completed SYN Stealth Scan at 14:46, 0.00s elapsed (2 total ports)
Nmap scan report for bogon (192.168.247.129)
Host is up (0.00045s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:8F:74:74 (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 3 IP addresses (1 host up) scanned in 0.43 seconds
           Raw packets sent: 7 (228B) | Rcvd: 3 (116B)
root@kali:~# nmap 192.168.247.129 -p139,445 --script=smb-os-discovery.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-04 14:47 CST
Nmap scan report for bogon (192.168.247.129)
Host is up (0.00024s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:8F:74:74 (VMware)

Host script results:      // target host operating system information
| smb-os-discovery: 
|   OS: Windows Server 2003 3790 Service Pack 2 (Windows Server 2003 5.2)
|   OS CPE: cpe:/o:microsoft:windows_server_2003::sp2
|   Computer name: chengqia-852040
|   NetBIOS computer name: CHENGQIA-852040\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-05-04T14:47:50+08:00

Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds
root@kali:~# nmap -v -p139,445 --script=smb-vuln-*.nse --script-args=safe=1 192.168.247.129
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-04 14:50 CST
NSE: Loaded 10 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:50
Completed NSE at 14:50, 0.00s elapsed
Initiating ARP Ping Scan at 14:50
Scanning 192.168.247.129 [1 port]
Completed ARP Ping Scan at 14:50, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:50
Completed Parallel DNS resolution of 1 host. at 14:50, 0.01s elapsed
Initiating SYN Stealth Scan at 14:50
Scanning bogon (192.168.247.129) [2 ports]
Discovered open port 445/tcp on 192.168.247.129
Discovered open port 139/tcp on 192.168.247.129
Completed SYN Stealth Scan at 14:50, 0.00s elapsed (2 total ports)
NSE: Script scanning 192.168.247.129.
Initiating NSE at 14:50
Completed NSE at 14:50, 5.00s elapsed
Nmap scan report for bogon (192.168.247.129)
Host is up (0.00044s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:8F:74:74 (VMware)
 
Host script results:         // vulnerabilities present on the target host
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|           
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

NSE: Script Post-scanning.
Initiating NSE at 14:50
Completed NSE at 14:50, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 5.41 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
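The vulnerability output above is what a scanner produces; what a defender needs from it is a triage list. As an added example (not part of the original post and not nmap's own code), here is a parser for the 'Host script results' block that NSE scripts print, flattening smb-vuln-* results into records with script name, state, CVE ids and risk factor, confirmed-vulnerable first. The sample is constructed in the shape of this page's output; the script names, CVE ids and OS string are the ones that appear in it.

```python
"""Added example: turn nmap's Host script results into a vulnerability triage list."""
import re

SAMPLE = """\
Host script results:
| smb-os-discovery:
|   OS: Windows Server 2003 3790 Service Pack 2 (Windows Server 2003 5.2)
|   OS CPE: cpe:/o:microsoft:windows_server_2003::sp2
|   Computer name: chengqia-852040
|_  System time: 2019-05-04T14:47:50+08:00
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|     Disclosure date: 2008-10-23
|     References:
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|     Disclosure date: 2017-03-14
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Nmap done: 1 IP address (1 host up) scanned in 5.41 seconds
"""

SCRIPT_LINE = re.compile(r"^([\w-]+):\s?(.*)$")
FIELD_LINE = re.compile(r"^(OS CPE|OS|Computer name|State|IDs|Risk factor|Disclosure date):\s*(.*)$")
STATE_ORDER = {"VULNERABLE": 0, "LIKELY VULNERABLE": 1, "UNKNOWN": 2, "NOT VULNERABLE": 3}


def parse_host_scripts(output: str) -> dict:
    """{script name: {'inline': one-line result, 'fields': {...}, 'lines': [...]}}."""
    scripts, current, in_block = {}, None, False
    for line in output.splitlines():
        if line.startswith("Host script results"):
            in_block = True
            continue
        if not in_block:
            continue
        if not line.startswith("|"):
            break                                   # first non-'|' line closes the block
        body = line[2:] if line.startswith("|_") else line[1:]
        indent = len(body) - len(body.lstrip(" "))
        m = SCRIPT_LINE.match(body.strip())
        if indent <= 1 and m:                       # '| name:' or '|_name: value' starts a script
            current = m.group(1)
            scripts[current] = {"inline": m.group(2).strip(), "fields": {}, "lines": []}
            continue
        if current is None:
            continue
        text = body.strip()
        scripts[current]["lines"].append(text)
        f = FIELD_LINE.match(text)
        if f:
            scripts[current]["fields"][f.group(1)] = f.group(2).strip()
    return scripts


def findings(scripts: dict) -> list:
    """Flatten smb-vuln-* results into triage records, confirmed VULNERABLE first."""
    out = []
    for name, info in scripts.items():
        if not name.startswith("smb-vuln-"):
            continue
        fields, lines = info["fields"], info["lines"]
        if "State" in fields:
            state = fields["State"]
        elif info["inline"] == "false":
            state = "NOT VULNERABLE"
        else:
            state = "UNKNOWN"                       # e.g. an NT_STATUS error: the check could not run
        title = lines[1] if len(lines) > 1 and lines[0] == "VULNERABLE:" else info["inline"]
        out.append({
            "script": name, "state": state, "title": title,
            "cves": sorted(set(re.findall(r"CVE-\d{4}-\d+", " ".join(lines)))),
            "risk": fields.get("Risk factor", "-"),
        })
    return sorted(out, key=lambda r: (STATE_ORDER.get(r["state"], 2), r["script"]))


if __name__ == "__main__":
    scripts = parse_host_scripts(SAMPLE)
    print("OS:", scripts["smb-os-discovery"]["fields"].get("OS"))
    for f in findings(scripts):
        print(f"{f['state']:15} {f['script']:20} {f['risk']:5} {','.join(f['cves']) or '-':15} {f['title']}")
```

Note that a one-line result such as NT_STATUS_OBJECT_NAME_NOT_FOUND is not a clean bill of health; the parser reports it as UNKNOWN so it is re-checked rather than closed. For the host on this page, both confirmed findings are fixed by the vendor updates for MS08-067 and MS17-010, and the second one disappears entirely wherever SMBv1 is disabled.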

2. nbtscan

  • -r: use local port 137 as the source port; better compatibility and more complete results;
  • Can scan across subnets.
root@kali:~# nbtscan -r 192.168.247.0/24
Doing NBT name scan for addresses from 192.168.247.0/24

IP address       NetBIOS Name     Server    User             MAC address      
------------------------------------------------------------------------------
192.168.247.0	Sendto failed: Permission denied
192.168.247.1    LAPTOP-PCL3G0V7  <server>  <unknown>        00:50:56:c0:00:08
192.168.247.129  CHENGQIA-852040  <server>  <unknown>        00:0c:29:8f:74:74
192.168.247.177  <unknown>                  <unknown>        
192.168.247.255	Sendto failed: Permission denied

3. enum4linux

root@kali:~# enum4linux -U 192.168.247.129
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat May  4 14:54:15 2019

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.247.129
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ======================================================= 
|    Enumerating Workgroup/Domain on 192.168.247.129    |
 ======================================================= 
[+] Got domain/workgroup name: WORKGROUP

 ======================================== 
|    Session Check on 192.168.247.129    |
 ======================================== 
[+] Server 192.168.247.129 allows sessions using username '', password ''     // null sessions are allowed

 ============================================== 
|    Getting domain SID for 192.168.247.129    |
 ============================================== 
Cannot connect to server.  Error was NT_STATUS_INVALID_PARAMETER
[+] Can't determine if host is part of domain or part of a workgroup

 ================================ 
|    Users on 192.168.247.129    |
 ================================ 
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.
enum4linux complete on Sat May  4 14:54:16 2019

III. SMTP Scanning

SMTP: Simple Mail Transfer Protocol.

1. nc

root@kali:~# nc -nv 192.168.247.129 25       // connect to port 25
(UNKNOWN) [192.168.247.129] 25 (smtp) open
220 chengqia-852040 Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at  Sat, 4 May 2019 14:55:24 +0800 
^C

2. nmap

  • Port-scan first to confirm that port 25 is open on the target;
  • nmap smtp.163.com -p25 --script=smtp-enum-users.nse --script-args=smtp-enum-users.methods={VRFY}      // enumerate accounts with the VRFY method.
  • nmap smtp.163.com -p25 --script=smtp-open-relay.nse        // check whether the server relays mail; an open relay is easily abused to send spam.
root@kali:~# nmap smtp.163.com -p25 --script=smtp-enum-users.nse --script-args=smtp-enum-users.methods={VRFY}
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-04 14:57 CST
Nmap scan report for smtp.163.com (123.125.50.134)
Host is up (0.00032s latency).
Other addresses for smtp.163.com (not scanned): 123.125.50.133 123.125.50.138 123.125.50.132 123.125.50.135
rDNS record for 123.125.50.134: m50-134.163.com

PORT   STATE    SERVICE
25/tcp filtered smtp

Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds
root@kali:~# nmap smtp.163.com -p25 --script=smtp-open-relay.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-04 14:59 CST
Nmap scan report for smtp.163.com (123.125.50.135)
Host is up (0.0072s latency).
Other addresses for smtp.163.com (not scanned): 123.125.50.132 123.125.50.138 123.125.50.133 123.125.50.134
rDNS record for 123.125.50.135: m50-135.163.com

PORT   STATE SERVICE
25/tcp open  smtp
|_smtp-open-relay: Server doesn't seem to be an open relay, all tests failed

Nmap done: 1 IP address (1 host up) scanned in 2.60 seconds
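The two scripts above probe two server-side decisions: whether VRFY answers differently for valid and invalid names, and whether RCPT TO is accepted for a recipient the server is not responsible for. As an added example (not part of the original post and not nmap's code), here is a small model of both decisions with the weak and the hardened behaviour side by side. LOCAL_DOMAINS, KNOWN_USERS, the addresses and the reply strings are constructed values.

```python
"""Added example: SMTP VRFY and relay policy, weak form beside hardened form."""
from dataclasses import dataclass, field

LOCAL_DOMAINS = {"example.com", "mail.example.com"}   # constructed: domains this server accepts mail for
KNOWN_USERS = {"alice", "bob", "postmaster"}         # constructed: mailboxes that exist


@dataclass
class Session:
    authenticated: bool = False
    mail_from: str = ""
    rcpts: list = field(default_factory=list)


def domain_of(addr: str) -> str:
    return addr.strip("<>").rpartition("@")[2].lower()


def is_local(addr: str) -> bool:
    return domain_of(addr) in LOCAL_DOMAINS


def vrfy(user: str, leak: bool = False) -> str:
    """
    leak=True is the behaviour smtp-enum-users relies on: a different reply for valid and
    invalid names. leak=False is the hardened form: 252 for everyone, so the reply says
    nothing about which accounts exist and delivery still works via RCPT.
    """
    if leak:
        return "250 OK" if user in KNOWN_USERS else "550 5.1.1 User unknown"
    return "252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery"


def rcpt_to(session: Session, rcpt: str, open_relay: bool = False) -> str:
    """
    Relay decision for one RCPT TO: accept when the recipient is local (inbound mail) or
    the session is authenticated (outbound mail from our own users). A local-looking
    MAIL FROM is never enough on its own, because the sender address is attacker-chosen.
    open_relay=True reproduces the misconfiguration smtp-open-relay looks for.
    """
    if open_relay or is_local(rcpt) or session.authenticated:
        session.rcpts.append(rcpt)
        return "250 2.1.5 OK"
    return "554 5.7.1 Relay access denied"


def relay_test_matrix(open_relay: bool = False) -> dict:
    """
    Drive the policy with sender/recipient pairs in the spirit of smtp-open-relay's tests
    (constructed pairs, not the script's own list); True means the recipient was accepted.
    """
    pairs = {
        "external->local": ("<someone@elsewhere.test>", "<alice@example.com>"),
        "external->external": ("<someone@elsewhere.test>", "<victim@elsewhere.test>"),
        "local->external (unauthenticated)": ("<alice@example.com>", "<victim@elsewhere.test>"),
        "empty sender->external": ("<>", "<victim@elsewhere.test>"),
    }
    return {label: rcpt_to(Session(mail_from=mf), rt, open_relay).startswith("250")
            for label, (mf, rt) in pairs.items()}


if __name__ == "__main__":
    print("VRFY alice  (leaky):", vrfy("alice", leak=True))
    print("VRFY mallory(leaky):", vrfy("mallory", leak=True))
    print("VRFY anyone (hard) :", vrfy("mallory"))
    print("closed relay:", relay_test_matrix())
    print("open relay  :", relay_test_matrix(open_relay=True))
```

Answering 252 closes only the VRFY method; smtp-enum-users can also try EXPN and RCPT, so the same principle (identical replies for existing and non-existing names) has to hold for those too. A closed relay accepts only the first row of the matrix, inbound mail to a local mailbox, unless the client has authenticated.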

Reposted from blog.csdn.net/weixin_43625577/article/details/89648112