Using nmap NSE scripts in internal network penetration testing (part 1)

Reprinted from: https://mp.weixin.qq.com/s/zEgHxJEOfaiYVZYmg7NnXA?

In most cases we treat nmap as no more than a scanning tool rather than as a penetration tool. nmap ships a large number of excellent NSE scripts that help during internal network penetration in fairly harsh environments, especially when the machine we control is a low-privilege *nix host and we have to work from there. nmap offers many effective scripts, so internal hosts can be tested without relying on third-party tools. Most earlier Linux distributions install nmap by default. Below I summarize some commonly used internal network penetration scripts, in the hope that they help.

Tip: scanning carries intrusion risk, so scan with caution.

smb-enum-domains.nse collects information from the domain controller: a scan can obtain host information, the users, and the password policy in force.
nmap --script smb-enum-domains.nse -p445 <host>
sudo nmap -sU -sS --script smb-enum-domains.nse -p U:137,T:139 <host>
Script Output

Host script results:
| smb-enum-domains:
|   WINDOWS2000
|     Groups: n/a
|     Users: Administrator, blah, Guest, testpass, ron, test, user
|     Creation time: 2009-10-17 12:45:47
|     Passwords: min length: n/a; min age: 5 days; max age: 100 days; history: 10 passwords
|     Properties: Complexity requirements exist
|     Account lockout: 5 attempts in 30 minutes will lock out the account for 30 minutes
|   Builtin
|     Groups: Administrators, Backup Operators, Guests, Power Users, Replicator, Users
|     Users: n/a
|     Creation time: 2009-10-17 12:45:46
|     Passwords: min length: n/a; min age: n/a days; max age: 42 days; history: n/a passwords
|_    Account lockout disabled
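The password policy this script returns is the same thing a defender wants to audit. The following is an added example, not code from the original post or from nmap: it parses the smb-enum-domains text above (embedded as a constructed copy) into a policy dictionary and compares each domain against a baseline. The BASELINE values are the auditor's own assumptions for this example, not anything the script reports.

```python
import re

# Constructed sample: a copy of the smb-enum-domains output shown above,
# as nmap prints it in the "Host script results" block.
SAMPLE_DOMAINS_OUTPUT = """\
| smb-enum-domains:
|   WINDOWS2000
|     Groups: n/a
|     Users: Administrator, blah, Guest, testpass, ron, test, user
|     Creation time: 2009-10-17 12:45:47
|     Passwords: min length: n/a; min age: 5 days; max age: 100 days; history: 10 passwords
|     Properties: Complexity requirements exist
|     Account lockout: 5 attempts in 30 minutes will lock out the account for 30 minutes
|   Builtin
|     Groups: Administrators, Backup Operators, Guests, Power Users, Replicator, Users
|     Users: n/a
|     Creation time: 2009-10-17 12:45:46
|     Passwords: min length: n/a; min age: n/a days; max age: 42 days; history: n/a passwords
|_    Account lockout disabled
"""

# Assumed audit baseline (hypothetical values chosen for this example).
BASELINE = {"min_length": 12, "history": 10, "max_age_days": 365, "lockout": True}

PASSWORD_FIELDS = {"min length": "min_length", "min age": "min_age_days",
                   "max age": "max_age_days", "history": "history"}


def _new_policy():
    return {"min_length": None, "min_age_days": None, "max_age_days": None,
            "history": None, "lockout_threshold": None, "lockout_window_min": None,
            "complexity": False}


def parse_domains(output):
    """Parse smb-enum-domains text output into {domain: policy dict}.

    Domain names sit two spaces in from the '|' column and their attributes
    four; an 'n/a' value becomes None.
    """
    domains, current = {}, None
    for raw in output.splitlines():
        m = re.match(r"^\|[ _](.*)$", raw)     # strip the '| ' / '|_' decoration
        if not m:
            continue
        body = m.group(1)
        indent = len(body) - len(body.lstrip(" "))
        text = body.strip()
        if indent == 2:                          # a domain name line
            current = text
            domains[current] = _new_policy()
        elif indent == 4 and current is not None:
            pol = domains[current]
            if text.startswith("Passwords: "):
                for field in text[len("Passwords: "):].split("; "):
                    key, val = field.split(": ", 1)
                    num = re.match(r"\d+", val)
                    if key in PASSWORD_FIELDS:
                        pol[PASSWORD_FIELDS[key]] = int(num.group()) if num else None
            elif text.startswith("Account lockout: "):
                lk = re.search(r"(\d+) attempts in (\d+) minutes", text)
                if lk:
                    pol["lockout_threshold"] = int(lk.group(1))
                    pol["lockout_window_min"] = int(lk.group(2))
            elif text.startswith("Properties: "):
                pol["complexity"] = "Complexity requirements exist" in text
    return domains


def audit_policy(policy, baseline=BASELINE):
    """List the ways an enumerated policy falls short of the baseline."""
    findings = []
    if policy["min_length"] is None or policy["min_length"] < baseline["min_length"]:
        findings.append("minimum password length below %d" % baseline["min_length"])
    if policy["history"] is None or policy["history"] < baseline["history"]:
        findings.append("password history shorter than %d" % baseline["history"])
    if policy["max_age_days"] is None or policy["max_age_days"] > baseline["max_age_days"]:
        findings.append("maximum password age not limited to %d days" % baseline["max_age_days"])
    if baseline["lockout"] and policy["lockout_threshold"] is None:
        findings.append("account lockout disabled")
    if not policy["complexity"]:
        findings.append("no complexity requirement")
    return findings


if __name__ == "__main__":
    for name, pol in parse_domains(SAMPLE_DOMAINS_OUTPUT).items():
        print(name, audit_policy(pol) or ["policy meets baseline"])
```

Run against the sample, WINDOWS2000 only fails the minimum-length check (nmap reports it as n/a), while Builtin has no lockout, no history and no complexity requirement; a real run would feed the script's output from `nmap -oN` into `parse_domains` instead of the embedded copy.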


smb-enum-users.nse: during domain penetration we may hold a host in the domain but with only limited rights and be unable to gather more; when we hold a domain user, this script can enumerate the users on the domain controller.
nmap --script smb-enum-users.nse -p445 <host>
sudo nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 <host>
Script Output

Host script results:
| smb-enum-users:
|_ |_ Domain: RON-WIN2K-TEST; Users: Administrator, Guest, IUSR_RON-WIN2K-TEST, IWAM_RON-WIN2K-TEST, test1234, TsInternetUser

Host Script Results:
| smb-enum-the Users:
|  |  RON-WIN2K-TEST\Administrator (RID: 500)
|  |  |  Description: Built-in account for administering the computer/domain
|  |  |_ Flags:       Password does not expire, Normal user account
|  |  RON-WIN2K-TEST\Guest (RID: 501)
|  |  |  Description: Built-in account for guest access to the computer/domain
|  |  |_ Flags:       Password not required, Password does not expire, Normal user account
|  |  RON-WIN2K-TEST\IUSR_RON-WIN2K-TEST (RID: 1001)
|  |  |  Full name:   Internet Guest Account
|  |  |  Description: Built-in account for anonymous access to Internet Information Services
|  |  |_ Flags:       Password not required, Password does not expire, Normal user account
|  |  RON-WIN2K-TEST\IWAM_RON-WIN2K-TEST (RID: 1002)
|  |  |  Full name:   Launch IIS Process Account
|  |  |  Description: Built-in account for Internet Information Services to start out of process applications
|  |  |_ Flags:       Password not required, Password does not expire, Normal user account
|  |  RON-WIN2K-TEST\test1234 (RID: 1005)
|  |  |_ Flags:       Normal user account
|  |  RON-WIN2K-TEST\TsInternetUser (RID: 1000)
|  |  |  Full name:   TsInternetUser
|  |  |  Description: This user account is used by Terminal Services.
|_ |_ |_ Flags:       Password not required, Password does not expire, Normal user account
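The detailed listing carries the account flags, and "Password not required" or "Password does not expire" on an account is exactly what an account review should surface. Here is an added example, not from the original post or from nmap, that parses the detailed smb-enum-users listing above (embedded as a constructed copy) into account records and flags the ones that deserve attention. The WELL_KNOWN_RIDS table and the choice of "weak" flags are the example's own assumptions.

```python
import re

# Constructed sample: a copy of the detailed smb-enum-users listing shown above.
SAMPLE_USERS_OUTPUT = r"""
| smb-enum-users:
|  |  RON-WIN2K-TEST\Administrator (RID: 500)
|  |  |  Description: Built-in account for administering the computer/domain
|  |  |_ Flags:       Password does not expire, Normal user account
|  |  RON-WIN2K-TEST\Guest (RID: 501)
|  |  |  Description: Built-in account for guest access to the computer/domain
|  |  |_ Flags:       Password not required, Password does not expire, Normal user account
|  |  RON-WIN2K-TEST\IUSR_RON-WIN2K-TEST (RID: 1001)
|  |  |  Full name:   Internet Guest Account
|  |  |  Description: Built-in account for anonymous access to Internet Information Services
|  |  |_ Flags:       Password not required, Password does not expire, Normal user account
|  |  RON-WIN2K-TEST\IWAM_RON-WIN2K-TEST (RID: 1002)
|  |  |  Full name:   Launch IIS Process Account
|  |  |  Description: Built-in account for Internet Information Services to start out of process applications
|  |  |_ Flags:       Password not required, Password does not expire, Normal user account
|  |  RON-WIN2K-TEST\test1234 (RID: 1005)
|  |  |_ Flags:       Normal user account
|  |  RON-WIN2K-TEST\TsInternetUser (RID: 1000)
|  |  |  Full name:   TsInternetUser
|  |  |  Description: This user account is used by Terminal Services.
|_ |_ |_ Flags:       Password not required, Password does not expire, Normal user account
"""

# An account line looks like DOMAIN\name (RID: n)
ACCOUNT_RE = re.compile(r"^(?P<domain>[^\\\s]+)\\(?P<name>\S+) \(RID: (?P<rid>\d+)\)$")

# Well-known RIDs that always exist and deserve a look regardless of flags (assumed table).
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest", 502: "krbtgt"}
# Flags treated as weak password posture in this example.
WEAK_FLAGS = ("Password not required", "Password does not expire")


def parse_users(output):
    """Parse the detailed smb-enum-users listing into a list of account dicts."""
    accounts = []
    for raw in output.splitlines():
        text = re.sub(r"^[|_ ]+", "", raw).rstrip()     # drop the tree decoration
        m = ACCOUNT_RE.match(text)
        if m:
            accounts.append({"domain": m["domain"], "name": m["name"],
                             "rid": int(m["rid"]), "full_name": "",
                             "description": "", "flags": []})
        elif accounts and ":" in text:                   # attribute of the current account
            key, val = (s.strip() for s in text.split(":", 1))
            if key == "Flags":
                accounts[-1]["flags"] = [f.strip() for f in val.split(",")]
            elif key == "Full name":
                accounts[-1]["full_name"] = val
            elif key == "Description":
                accounts[-1]["description"] = val
    return accounts


def review_accounts(accounts):
    """Pair each account name with the reasons it needs attention (empty = nothing notable)."""
    report = []
    for a in accounts:
        reasons = [f for f in WEAK_FLAGS if f in a["flags"]]
        if a["rid"] in WELL_KNOWN_RIDS:
            reasons.append(WELL_KNOWN_RIDS[a["rid"]])
        report.append((a["name"], reasons))
    return report


def accounts_without_password(accounts):
    """Names of accounts that the host reports as not requiring a password."""
    return [a["name"] for a in accounts if "Password not required" in a["flags"]]


if __name__ == "__main__":
    for name, reasons in review_accounts(parse_users(SAMPLE_USERS_OUTPUT)):
        print("%-22s %s" % (name, ", ".join(reasons) or "-"))
```

On the sample, four of the six accounts carry "Password not required"; in a review those are the first ones to reconcile against the host's actual role.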

smb-enum-shares.nse enumerates the shared directories of a remote host.
nmap --script smb-enum-shares.nse -p445 <host>
sudo nmap -sU -sS --script smb-enum-shares.nse -p U:137,T:139 <host>
Script Output 

Host script results:
| smb-enum-shares:
|  account_used: WORKGROUP\Administrator
|  ADMIN$
|    Type: STYPE_DISKTREE_HIDDEN
|    Comment: Remote Admin
|    Users: 0
|    Max Users: <unlimited>
|    Path: C:\WINNT
|    Anonymous access: <none>
|    Current user access: READ/WRITE
|  C$
|    Type: STYPE_DISKTREE_HIDDEN
|    Comment: Default share
|    Users: 0
|    Max Users: <unlimited>
|    Path: C:\
|    Anonymous access: <none>
|    Current user access: READ
|  IPC$
|    Type: STYPE_IPC_HIDDEN
|    Comment: Remote IPC
|    Users: 1
|    Max Users: <unlimited>
|    Path:
|    Anonymous access: READ
|_   Current user access: READ
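Two fields in this output matter most to a defender: "Anonymous access", which shows what an unauthenticated client gets, and "Current user access", which shows what the scanning account is allowed to do. The following is an added example, not from the original post or from nmap; it parses the smb-enum-shares output above (embedded as a constructed copy) and reports shares that allow anonymous access or that give the account used write access to an administrative share.

```python
import re

# Constructed sample: a copy of the smb-enum-shares output shown above.
SAMPLE_SHARES_OUTPUT = r"""
| smb-enum-shares:
|  account_used: WORKGROUP\Administrator
|  ADMIN$
|    Type: STYPE_DISKTREE_HIDDEN
|    Comment: Remote Admin
|    Users: 0
|    Max Users: <unlimited>
|    Path: C:\WINNT
|    Anonymous access: <none>
|    Current user access: READ/WRITE
|  C$
|    Type: STYPE_DISKTREE_HIDDEN
|    Comment: Default share
|    Users: 0
|    Max Users: <unlimited>
|    Path: C:\
|    Anonymous access: <none>
|    Current user access: READ
|  IPC$
|    Type: STYPE_IPC_HIDDEN
|    Comment: Remote IPC
|    Users: 1
|    Max Users: <unlimited>
|    Path:
|    Anonymous access: READ
|_   Current user access: READ
"""


def parse_shares(output):
    """Return (account_used, {share_name: {attribute: value}}).

    A share name is a line without a colon; every other line is 'key: value'
    belonging to the most recent share (account_used is the one top-level key).
    """
    shares, account_used, current = {}, None, None
    for raw in output.splitlines():
        m = re.match(r"^\|_?(.*)$", raw)       # strip the '|' / '|_' decoration
        if not m:
            continue
        text = m.group(1).strip()
        if not text or text == "smb-enum-shares:":
            continue
        if ":" not in text:
            current = text
            shares[current] = {}
        else:
            key, val = (s.strip() for s in text.split(":", 1))
            if key == "account_used":
                account_used = val
            elif current is not None:
                shares[current][key] = val
    return account_used, shares


def share_findings(shares):
    """Findings a share audit would raise, as (share, reason) pairs."""
    findings = []
    for name, attrs in shares.items():
        anon = attrs.get("Anonymous access", "<none>")
        if anon != "<none>":
            findings.append((name, "anonymous %s access" % anon))
        if name.endswith("$") and "WRITE" in attrs.get("Current user access", ""):
            findings.append((name, "account used has WRITE access (local administrator on this host)"))
    return findings


if __name__ == "__main__":
    account, shares = parse_shares(SAMPLE_SHARES_OUTPUT)
    print("scanned as", account)
    for share, reason in share_findings(shares):
        print("%-8s %s" % (share, reason))
```

In the sample, IPC$ is readable anonymously (the usual precondition for null-session enumeration) and the scanning account writes to ADMIN$, which tells you that credential is a local administrator on the host; both are worth recording per host when the scan covers a whole subnet.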

smb-enum-processes.nse enumerates the processes of a host over SMB. From this information you can learn what software is running on the target host and choose suitable vulnerabilities or work around firewalls and antivirus software.
nmap --script smb-enum-processes.nse -p445 <host>
sudo nmap -sU -sS --script smb-enum-processes.nse -p U:137,T:139 <host>

Script Output

Host script results:
| smb-enum-processes:
|_ |_ Idle, System, smss, csrss, winlogon, services, logon.scr, lsass, spoolsv, msdtc, VMwareService, svchost, alg, explorer, VMwareTray, VMwareUser, wmiprvse

-
Host Script Results:
| smb-enum-Processes:
|  `+-Idle
|   | `-System
|   |   `-smss
|   |     `+-csrss
|   |      `-winlogon
|   |        `+-services
|   |         | `+-spoolsv
|   |         |  +-msdtc
|   |         |  +-VMwareService
|   |         |  +-svchost
|   |         |  `-alg
|   |         +-logon.scr
|   |         `-lsass
|   +-explorer
|   | `+-VMwareTray
|   |  `-VMwareUser
|_  `-wmiprvse

--
Host script results:
|  smb-enum-processes:
|   PID  PPID  Priority Threads Handles
|  ----- ----- -------- ------- -------
|      0     0        0       1       0 `+-Idle
|      4     0        8      49     395  | `-System
|    252     4       11       3      19  |   `-smss
|    300   252       13      10     338  |     `+-csrss
|    324   252       13      18     513  |      `-winlogon
|    372   324        9      16     272  |        `+-services
|    872   372        8      12     121  |         | `+-spoolsv
|    896   372        8      13     151  |         |  +-msdtc
|   1172   372       13       3      53  |         |  +-VMwareService
|   1336   372        8      20     158  |         |  +-svchost
|   1476   372        8       6      90  |         |  `-alg
|    376   324        4       1      22  |         +-logon.scr
|    384   324        9      23     394  |         `-lsass
|   1720  1684        8       9     259  +-explorer
|   1796  1720        8       1      42  | `+-VMwareTray
|   1808  1720        8       1      44  |  `-VMwareUser
|_  1992   580        8       7     179  `-wmiprvse
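The tabular form carries PID and PPID, which is enough to rebuild the process tree yourself and to compare the host against a baseline. The following is an added example, not from the original post or from nmap: it parses the PID/PPID table above (embedded as a constructed copy), rebuilds the parent/child tree, lists processes whose parent is absent from the listing, and names processes outside a baseline set. The BASELINE_NAMES set is this example's assumption about what a stock Windows host of that era runs, not anything the script provides.

```python
import re

# Constructed sample: a copy of the PID/PPID table shown above.
SAMPLE_PROCESS_OUTPUT = r"""
| smb-enum-processes:
|   PID  PPID  Priority Threads Handles
|  ----- ----- -------- ------- -------
|      0     0        0       1       0 `+-Idle
|      4     0        8      49     395  | `-System
|    252     4       11       3      19  |   `-smss
|    300   252       13      10     338  |     `+-csrss
|    324   252       13      18     513  |      `-winlogon
|    372   324        9      16     272  |        `+-services
|    872   372        8      12     121  |         | `+-spoolsv
|    896   372        8      13     151  |         |  +-msdtc
|   1172   372       13       3      53  |         |  +-VMwareService
|   1336   372        8      20     158  |         |  +-svchost
|   1476   372        8       6      90  |         |  `-alg
|    376   324        4       1      22  |         +-logon.scr
|    384   324        9      23     394  |         `-lsass
|   1720  1684        8       9     259  +-explorer
|   1796  1720        8       1      42  | `+-VMwareTray
|   1808  1720        8       1      44  |  `-VMwareUser
|_  1992   580        8       7     179  `-wmiprvse
"""

# A data row: five integer columns followed by the tree drawing and the name.
ROW_RE = re.compile(r"^\|_?\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")

# Assumed baseline of expected process names (lower-case), for this example only.
BASELINE_NAMES = {"idle", "system", "smss", "csrss", "winlogon", "services", "lsass",
                  "svchost", "spoolsv", "msdtc", "alg", "explorer", "wmiprvse"}


def parse_processes(output):
    """Return {pid: {"ppid", "priority", "threads", "handles", "name"}}."""
    procs = {}
    for raw in output.splitlines():
        m = ROW_RE.match(raw)
        if not m:
            continue                      # header, separator or decoration line
        pid, ppid, prio, threads, handles = (int(x) for x in m.groups()[:5])
        name = re.sub(r"^[ |`+-]+", "", m.group(6)).strip()   # drop the tree drawing
        procs[pid] = {"ppid": ppid, "priority": prio, "threads": threads,
                      "handles": handles, "name": name}
    return procs


def children(procs, pid):
    """PIDs whose parent is pid (Idle lists itself as its own parent, so exclude that)."""
    return sorted(p for p, info in procs.items() if info["ppid"] == pid and p != pid)


def orphans(procs):
    """Processes whose parent PID is not in the listing: the parent has exited or is hidden."""
    return sorted(p for p, info in procs.items() if info["ppid"] not in procs and p != 0)


def render_tree(procs, pid=0, depth=0, lines=None):
    """Indented tree rooted at pid, one 'name (pid)' entry per line."""
    lines = [] if lines is None else lines
    lines.append("  " * depth + "%s (%d)" % (procs[pid]["name"], pid))
    for child in children(procs, pid):
        render_tree(procs, child, depth + 1, lines)
    return lines


def unexpected(procs, allowed=BASELINE_NAMES):
    """Process names not present in the baseline set."""
    return sorted({info["name"] for info in procs.values()
                   if info["name"].lower() not in allowed})


if __name__ == "__main__":
    procs = parse_processes(SAMPLE_PROCESS_OUTPUT)
    print("\n".join(render_tree(procs)))
    print("orphans:", [procs[p]["name"] for p in orphans(procs)])
    print("outside baseline:", unexpected(procs))
```

On the sample, explorer and wmiprvse have parents (1684 and 580) that do not appear in the listing, so the tree rooted at Idle reaches 13 of the 17 processes; the VMware tools and the logon.scr screensaver are the only names outside the assumed baseline.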

smb-enum-sessions.nse lists, over SMB, the users logged in to the host and the active SMB sessions. It shows whether a user is currently logged in, which matters both for grabbing the user's hash and for avoiding being noticed by the user while they are logged on.
nmap --script smb-enum-sessions.nse -p445 <host>
sudo nmap -sU -sS --script smb-enum-sessions.nse -p U:137,T:139 <host>
Script Output

Host script results:
| smb-enum-sessions:
|   Users logged in:
|   | TESTBOX\Administrator since 2008-10-21 08:17:14
|   |_ DOMAIN\rbowes since 2008-10-20 09:03:23
|   Active SMB sessions:
|_  |_ ADMINISTRATOR is connected from 10.100.254.138 for [just logged in, it's probably you], idle for [not idle]
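Read from the other side, the same output answers two monitoring questions: who is interactively logged on to a server, and where its SMB sessions come from. Here is an added example, not from the original post or from nmap, that parses the smb-enum-sessions output above (embedded as a constructed copy) and flags SMB sessions originating outside an allowed management network and interactive logons by privileged accounts. The allowed CIDR ranges and the privileged-account list are the example's own assumptions.

```python
import re
import ipaddress

# Constructed sample: a copy of the smb-enum-sessions output shown above.
SAMPLE_SESSIONS_OUTPUT = r"""
| smb-enum-sessions:
|   Users logged in:
|   | TESTBOX\Administrator since 2008-10-21 08:17:14
|   |_ DOMAIN\rbowes since 2008-10-20 09:03:23
|   Active SMB sessions:
|_  |_ ADMINISTRATOR is connected from 10.100.254.138 for [just logged in, it's probably you], idle for [not idle]
"""

LOGON_RE = re.compile(r"(\S+\\\S+) since (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")
SESSION_RE = re.compile(r"(\S+) is connected from (\d+(?:\.\d+){3}) for \[(.*?)\], idle for \[(.*?)\]")


def parse_sessions(output):
    """Return (logons, sessions): interactive logons and active SMB sessions as dicts."""
    logons, sessions = [], []
    for raw in output.splitlines():
        text = re.sub(r"^[|_ ]+", "", raw)      # drop the tree decoration
        m = LOGON_RE.search(text)
        if m:
            logons.append({"account": m.group(1), "since": m.group(2)})
            continue
        m = SESSION_RE.search(text)
        if m:
            sessions.append({"account": m.group(1), "source": m.group(2),
                             "duration": m.group(3), "idle": m.group(4)})
    return logons, sessions


def sessions_outside(sessions, allowed_cidrs):
    """SMB sessions whose source address is in none of the allowed networks."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return [s for s in sessions
            if not any(ipaddress.ip_address(s["source"]) in n for n in nets)]


def privileged_logons(logons, privileged=("administrator",)):
    """Interactive logons whose account name (after the DOMAIN\\) is in the privileged list."""
    return [l for l in logons if l["account"].split("\\", 1)[1].lower() in privileged]


if __name__ == "__main__":
    # Assumed management network for this example.
    logons, sessions = parse_sessions(SAMPLE_SESSIONS_OUTPUT)
    for s in sessions_outside(sessions, ["10.10.0.0/16"]):
        print("SMB session from outside management net:", s["account"], s["source"])
    for l in privileged_logons(logons):
        print("privileged interactive logon:", l["account"], "since", l["since"])
```

With the management network assumed to be 10.10.0.0/16, the session from 10.100.254.138 is reported; with 10.100.254.0/24 it is not. Repeated over a host list, this is a cheap way to spot administrator logons on hosts where no administrator should be working interactively.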

smb-os-discovery.nse collects, over the SMB protocol, the target host's operating system, computer name, domain name, FQDN, forest name, NetBIOS computer name, NetBIOS domain name, workgroup and system time.
nmap --script smb-os-discovery.nse -p445 127.0.0.1
sudo nmap -sU -sS --script smb-os-discovery.nse -p U:137,T:139 127.0.0.1
Script Output

Host script results:
| smb-os-discovery:
|   OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows Server (R) 2008 Standard 6.0)
|   OS CPE: cpe:/o:microsoft:windows_2008::sp1
|   Computer name: SQL2008
|   NetBIOS computer name: SQL2008
|   Domain name: lab.test.local
|   Forest name: test.local
|   FQDN: Sql2008.lab.test.local
|   NetBIOS domain name: LAB
|_  System time: 2011-04-20T13:34:06-05:00
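Two of these fields are useful beyond fingerprinting: the CPE string identifies the product precisely enough to check it against a support list, and the system time lets you measure clock skew against the scanner, which matters because Kerberos rejects tickets when clocks differ by more than its tolerance (five minutes by default). The following is an added example, not from the original post or from nmap: it parses the smb-os-discovery output above (embedded as a constructed copy), decodes the CPE, and computes the skew against a scanner timestamp that is passed in. The UNSUPPORTED_PRODUCTS set and the scanner timestamp are the example's own assumptions.

```python
import re
from datetime import datetime

# Constructed sample: a copy of the smb-os-discovery output shown above.
SAMPLE_OS_OUTPUT = """\
| smb-os-discovery:
|   OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows Server (R) 2008 Standard 6.0)
|   OS CPE: cpe:/o:microsoft:windows_2008::sp1
|   Computer name: SQL2008
|   NetBIOS computer name: SQL2008
|   Domain name: lab.test.local
|   Forest name: test.local
|   FQDN: Sql2008.lab.test.local
|   NetBIOS domain name: LAB
|_  System time: 2011-04-20T13:34:06-05:00
"""

# Assumed: CPE product names the auditor treats as out of vendor support (example list).
UNSUPPORTED_PRODUCTS = {"windows_2000", "windows_xp", "windows_2003", "windows_2008"}
KERBEROS_MAX_SKEW_SECONDS = 300      # default Kerberos clock tolerance, five minutes


def parse_os_discovery(output):
    """Return the 'key: value' fields of smb-os-discovery as a dict."""
    fields = {}
    for raw in output.splitlines():
        m = re.match(r"^\|_?\s+(.*?):\s*(.*)$", raw)    # first colon separates key from value
        if m and not m.group(1).startswith("smb-"):
            fields[m.group(1)] = m.group(2).strip()
    return fields


def parse_cpe(cpe):
    """Split a CPE 2.2 URI (cpe:/part:vendor:product:version:update) into its components."""
    parts = cpe.split(":")
    return {"part": parts[1].lstrip("/"), "vendor": parts[2], "product": parts[3],
            "version": parts[4] if len(parts) > 4 else "",
            "update": parts[5] if len(parts) > 5 else ""}


def clock_skew_seconds(fields, scanner_time_iso):
    """Host clock minus scanner clock, in seconds; both timestamps carry a UTC offset."""
    host = datetime.fromisoformat(fields["System time"])
    scanner = datetime.fromisoformat(scanner_time_iso)
    return (host - scanner).total_seconds()


def os_findings(fields, scanner_time_iso):
    """Findings about support status and clock skew for one host."""
    findings = []
    cpe = parse_cpe(fields["OS CPE"])
    if cpe["product"] in UNSUPPORTED_PRODUCTS:
        findings.append("%s is on the unsupported-OS list" % cpe["product"])
    skew = clock_skew_seconds(fields, scanner_time_iso)
    if abs(skew) > KERBEROS_MAX_SKEW_SECONDS:
        findings.append("clock skew of %+.0f s exceeds Kerberos tolerance" % skew)
    return findings


if __name__ == "__main__":
    # Assumed scanner clock at the moment of the scan (constructed value).
    f = parse_os_discovery(SAMPLE_OS_OUTPUT)
    print(f["FQDN"], parse_cpe(f["OS CPE"]))
    for finding in os_findings(f, "2011-04-20T18:40:06+00:00"):
        print("-", finding)
```

The sample host reports 13:34:06 at UTC-5, i.e. 18:34:06 UTC; against a scanner clock of 18:40:06 UTC that is a skew of -360 seconds, enough to break Kerberos authentication to that host, while with a scanner clock of 18:35:06 UTC only the support-status finding remains.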

Origin www.cnblogs.com/nul1/p/11225200.html