Checklist

  • Enumerate hostname - nmblookup -A [ip]
  • List shares
    • smbmap -H [ip/hostname]
    • echo exit | smbclient -L \\\\[ip]
    • nmap --script smb-enum-shares -p 139,445 [ip]
  • Check for null sessions
    • smbmap -H [ip/hostname]
    • rpcclient -U "" -N [ip]
    • smbclient \\\\[ip]\\[share name]
  • Check for vulnerabilities - nmap --script smb-vuln* -p 139,445 [ip]
  • Overall scan - enum4linux -a [ip]
  • Manual inspection
    • smbver.sh [IP] (port) [Samba]
    • Check the pcap

Tool list

  • nmblookup - NetBIOS over TCP/IP client, used to look up NetBIOS names and host information
  • smbclient - ftp-like client for accessing SMB shares
  • nmap - the general-purpose port scanner, used here for its SMB NSE scripts
  • rpcclient - tool to execute client-side MS-RPC functions
  • enum4linux - enumerates SMB information (shares, users, policy) in one run
  • wireshark - the well-known packet capture and analysis tool

Detailed tool usage

Enumerate hostname

nmblookup

nmblookup -A [IP]

  • -A - node status lookup by IP address (asks the host for its NetBIOS name table)

Usage:

root@xax007:~# nmblookup -A [ip]
Looking up status of [ip]
        [hostname]      <00> -         M <ACTIVE>
        [hostname]      <20> -         M <ACTIVE>
        WORKGROUP       <00> - <GROUP> M <ACTIVE>
        WORKGROUP       <1e> - <GROUP> M <ACTIVE>
                        <03> -         M <ACTIVE>
        INet~Services   <1c> - <GROUP> M <ACTIVE>
        IS~[hostname]   <00> -         M <ACTIVE>

        MAC Address = 00-50-56-XX-XX-XX

List shares

smbmap

smbmap -H [ip/hostname]

This command shows the shares on the host and your access to each of them: NO ACCESS means the share cannot be opened with the current (here: null) session, READ ONLY means it can be read but not written.

Usage:

root@xax007:/# smbmap -H [ip]
[+] Finding open SMB ports....
[+] User SMB session establishd on [ip]...
[+] IP: [ip]:445        Name: [ip]                                      
        Disk                                                    Permissions
        ----                                                    -----------
        ADMIN$                                                  NO ACCESS
        C$                                                      NO ACCESS
        IPC$                                                    NO ACCESS
        NETLOGON                                                NO ACCESS
        Replication                                             READ ONLY
        SYSVOL                                                  NO ACCESS

If you have credentials, rerun with them to see how much more access they grant:

root@xax007:/# smbmap -H [ip] -d [domain] -u [user] -p [password]
[+] Finding open SMB ports....
[+] User SMB session establishd on [ip]...
[+] IP: [ip]:445        Name: [ip]                                      
        Disk                                                    Permissions
        ----                                                    -----------
        ADMIN$                                                  NO ACCESS
        C$                                                      NO ACCESS
        IPC$                                                    NO ACCESS
        NETLOGON                                                READ ONLY
        Replication                                             READ ONLY
        SYSVOL                                                  READ ONLY
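Added example, not part of the original notes or of smbmap itself: a small shell helper that reduces `smbmap -H` output to the shares worth connecting to, so the null-session and credentialed runs above can be compared mechanically instead of by eye, and then emits the smbclient command for each hit. The sample output and the address 10.0.0.5 are constructed for the example; the column layout it parses is the smbmap 1.x format shown above.

```bash
#!/bin/sh
# Added example (not smbmap's own code): triage smbmap output.
# Reads the output of `smbmap -H <ip> [-d .. -u .. -p ..]` on stdin and prints
# "share<TAB>permission" for every share that is not NO ACCESS, so the hits can
# be fed straight into smbclient. Assumes the smbmap 1.x column layout shown above.
smbmap_accessible() {
    awk '
        # Share rows are the indented lines; skip the "[+] ..." banners,
        # the "Disk  Permissions" header and the "----" rule.
        /^[ \t]+[^ \t]/ && $1 != "Disk" && $1 !~ /^-+$/ {
            share = $1
            perm = $0
            sub(/^[ \t]+[^ \t]+[ \t]+/, "", perm)   # drop indent + share name
            sub(/[ \t]+$/, "", perm)
            if (perm != "NO ACCESS") printf "%s\t%s\n", share, perm
        }
    '
}

# Turn the triage output into the smbclient commands that visit each hit.
# -N sends a blank password (null session); use -U user%pass when you have creds.
smbclient_cmds() {   # usage: ... | smbclient_cmds <ip>
    while IFS="$(printf '\t')" read -r share perm; do
        printf "smbclient -N '//%s/%s' -c 'recurse; ls'\n" "$1" "$share"
    done
}

# Constructed sample: the null-session run from the notes above, target 10.0.0.5.
SAMPLE_NULL='[+] Finding open SMB ports....
[+] User SMB session establishd on 10.0.0.5...
[+] IP: 10.0.0.5:445        Name: 10.0.0.5
        Disk                                                    Permissions
        ----                                                    -----------
        ADMIN$                                                  NO ACCESS
        C$                                                      NO ACCESS
        IPC$                                                    NO ACCESS
        NETLOGON                                                NO ACCESS
        Replication                                             READ ONLY
        SYSVOL                                                  NO ACCESS'

printf '%s\n' "$SAMPLE_NULL" | smbmap_accessible
printf '%s\n' "$SAMPLE_NULL" | smbmap_accessible | smbclient_cmds 10.0.0.5

# Live use against a real host:
#   smbmap -H 10.0.0.5 | smbmap_accessible | smbclient_cmds 10.0.0.5 | sh
```

Running the credentialed output from above through the same filter yields NETLOGON, Replication and SYSVOL, which is exactly the delta the credentials bought you.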

smbclient

echo exit | smbclient -L \\\\[ip]

  • exit takes care of any password request that might pop up, since we’re checking for null login
  • -L - list the shares on the given host

Usage:

root@xax007:~# smbclient -L \\\\[ip]
Enter WORKGROUP\root's password:

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       Remote IPC
        share           Disk
        wwwroot         Disk
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

nmap

nmap --script smb-enum-shares -p 139,445 [ip]

  • --script smb-enum-shares - run the SMB share enumeration NSE script
  • -p 139,445 - the SMB ports

Usage:

root@xax007:~# nmap --script smb-enum-shares -p 139,445 [ip]
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-27 16:25 EDT
Nmap scan report for [ip]
Host is up (0.037s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:50:56:XX:XX:XX (VMware)

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\[ip]\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\[ip]\C$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\[ip]\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: READ
|     Current user access: READ/WRITE
|   \\[ip]\share:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: <none>
|     Current user access: READ/WRITE
|   \\[ip]\wwwroot:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: <none>
|_    Current user access: READ

Nmap done: 1 IP address (1 host up) scanned in 10.93 seconds

Check for null sessions

smbmap

smbmap -H [ip/hostname] will show what you can do with given credentials (or null session if no credentials). See examples in the previous section.

rpcclient

rpcclient -U "" -N [ip]

  • -U "" - null session
  • -N - no password

Usage:

root@xax007:~# rpcclient -U "" -N [ip]
rpcclient $>

Once the null (blank password) session is established you can run RPC commands at the prompt, e.g. srvinfo (server info), querydominfo (domain info), enumdomusers and enumdomgroups (user and group lists) and getdompwinfo (password policy).
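Added example, not part of the original notes or of rpcclient itself: the same null-session checks driven non-interactively with rpcclient's -c flag, plus a parser that turns the enumdomusers output into a name/RID table with the RIDs in decimal, which is what you need for lookupnames/queryuser and for RID cycling. The enumdomusers sample is constructed for the example, not captured from a real host.

```bash
#!/bin/sh
# Added example (not rpcclient's own code): script the null-session checks and
# parse the user list. rpcclient -c runs a ';'-separated command list and exits,
# so the interactive session above can be driven from a script.
rpc_null_enum() {   # usage: rpc_null_enum <ip>
    rpcclient -U "" -N "$1" -c 'srvinfo;querydominfo;getdompwinfo;enumdomusers;enumdomgroups'
}

# enumdomusers prints "user:[NAME] rid:[0xHEX]" per account. Print "NAME<TAB>RID"
# with the RID in decimal: 500/501/502 are Administrator/Guest/krbtgt, 1000 and
# up are ordinary accounts, which is also the range to sweep when RID cycling.
parse_enumdomusers() {
    while IFS= read -r line; do
        case $line in
            'user:['*'] rid:[0x'*']') ;;
            *) continue ;;          # ignore banners, errors, blank lines
        esac
        rest=${line#user:\[}        # NAME] rid:[0x1f4]
        name=${rest%\] rid:\[*}     # NAME  (may contain spaces)
        rid=${line##*rid:\[}        # 0x1f4]
        rid=${rid%\]}               # 0x1f4
        printf '%s\t%d\n' "$name" "$rid"
    done
}

# Constructed sample of enumdomusers output (not from a real host).
SAMPLE_USERS='user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[svc backup] rid:[0x44f]'

printf '%s\n' "$SAMPLE_USERS" | parse_enumdomusers

# Live use, only when a target is given on the command line:
if [ -n "${1:-}" ]; then
    rpc_null_enum "$1" | parse_enumdomusers
fi
```

If the null session is refused, rpcclient prints NT_STATUS_ACCESS_DENIED and the parser simply emits nothing; that is the signal to come back with credentials.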

smbclient

smbclient \\\\[ip]\\[share name]

This will attempt to connect to the share. Can try without a password (or sending a blank password) and still potentially connect.

Usage:

root@xax007:~/pwk/lab/public# smbclient \\\\[ip]\\share
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Sep 27 16:26:00 2018
  ..                                  D        0  Thu Sep 27 16:26:00 2018
  New Folder (9)                      D        0  Sun Dec 13 05:26:59 2015
  New Folder - 6                      D        0  Sun Dec 13 06:55:42 2015
  Shortcut to New Folder (2).lnk      A      420  Sun Dec 13 05:24:51 2015

                1690825 blocks of size 2048. 794699 blocks available

Check for SMB vulnerabilities

nmap

nmap --script smb-vuln* -p 139,445 [ip]

  • --script smb-vuln* - run every SMB vulnerability check script (quote it as 'smb-vuln*' so the shell cannot glob it against files in the current directory)
  • -p 139,445 - the SMB ports

Usage:

root@xax007:~# nmap --script smb-vuln* -p 139,445 [ip]
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-27 16:37 EDT
Nmap scan report for [ip]
Host is up (0.030s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:50:56:XX:XX:XX (VMware)

Host script results:
| smb-vuln-ms06-025:
|   VULNERABLE:
|   RRAS Memory Corruption vulnerability (MS06-025)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2006-2370
|           A buffer overflow vulnerability in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1
|           and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to
|           execute arbitrary code via certain crafted "RPC related requests" aka the "RRAS Memory Corruption Vulnerability."
|
|     Disclosure date: 2006-6-27
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2370
|_      https://technet.microsoft.com/en-us/library/security/ms06-025.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 5.58 seconds
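Added example, not part of the original notes or of nmap itself: a filter that reduces the smb-vuln* output above to the actual findings (script name and CVE) and drops the "false" and "ERROR" results, so a sweep over many hosts can be summarised in one line per finding. The sample is a trimmed, constructed copy of the host-script section shown above.

```bash
#!/bin/sh
# Added example (not nmap's own code): reduce `nmap --script 'smb-vuln*'` output
# to the findings. Prints "script<TAB>CVE" only for results whose State is
# VULNERABLE (or LIKELY VULNERABLE); "false" and "ERROR" results are dropped.
nmap_smb_vuln_hits() {
    awk '
        function flush() { if (vuln) printf "%s\t%s\n", script, cve; vuln = 0; cve = "-" }
        # "| smb-vuln-xxx:" or "|_smb-vuln-xxx: false" starts a new script result
        /^[|]_?[ ]*smb-vuln-[a-z0-9-]+:/ {
            flush()
            s = $0; sub(/^[|]_?[ ]*/, "", s); sub(/:.*$/, "", s); script = s
        }
        /State: (LIKELY )?VULNERABLE/ { vuln = 1 }
        # "|     IDs:  CVE:CVE-2017-0143"; the IDs line follows the State line
        /IDs:.*CVE:/ { c = $0; sub(/.*CVE:/, "", c); sub(/[ \t].*$/, "", c); cve = c }
        END { flush() }
    '
}

# Quote the script pattern: an unquoted smb-vuln* is globbed by the shell.
scan_smb_vulns() {   # usage: scan_smb_vulns <ip>
    nmap --script 'smb-vuln*' -p 139,445 "$1" | nmap_smb_vuln_hits
}

# Constructed sample: the host-script section of the scan shown above, trimmed.
SAMPLE_NMAP='Host script results:
| smb-vuln-ms06-025:
|   VULNERABLE:
|   RRAS Memory Corruption vulnerability (MS06-025)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2006-2370
|_      https://technet.microsoft.com/en-us/library/security/ms06-025.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)'

printf '%s\n' "$SAMPLE_NMAP" | nmap_smb_vuln_hits
```

Keep in mind that some smb-vuln scripts (smb-vuln-regsvc-dos, for one) are denial-of-service checks that can crash the target service; on a production engagement select scripts by name rather than with the wildcard.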

Overall scan

enum4linux

enum4linux -a [ip]

  • -a - all enumeration

The output of this tool is long, but it is made up of these main sections:

  • nmblookup-style output
  • whether a null session can be used on the shares
  • the share listing
  • domain information
  • the password policy
  • RID cycling output

Version identification

Samba

ngrep is a tool for viewing and filtering network data. In one terminal run the following (tap0 is the PWK VPN interface; substitute the interface that faces the target):

ngrep -i -d tap0 's.?a.?m.?b.?a.*[[:digit:]]' port 139

In another terminal run:

echo exit | smbclient -L [IP]

and the Samba version string shows up in the ngrep output. The version is only carried in the SMB1 (NT1) session setup response; a current smbclient negotiates SMB2/3 by default, so add -m NT1 -p 139 to the smbclient command if nothing is captured.

The following script (by rewardone) makes grabbing the Samba version convenient:

#!/bin/sh
#Author: rewardone
#Description:
# Requires root or enough permissions to use tcpdump
# Will listen for the first 7 packets of a null login
# and grab the SMB Version
#Notes:
# Will sometimes not capture or will print multiple
# lines. May need to run a second time for success.
# The version string only appears in the SMB1 (NT1) session setup response,
# so smbclient is forced to SMB1 with -m NT1 and pointed at the same port
# tcpdump listens on. tr -d '.' strips the unprintable-byte dots from the
# tcpdump -A output, which also strips the dots in the version (2.2.7a -> 227a).
# The capture interface is tap0 (the PWK VPN) unless overridden:
#   IFACE=eth0 ./smbver.sh RHOST
if [ -z "$1" ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit 1; else rhost="$1"; fi
if [ -n "$2" ]; then rport="$2"; else rport=139; fi
iface="${IFACE:-tap0}"
tcpdump -s0 -n -i "$iface" src "$rhost" and port "$rport" -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
echo "exit" | smbclient -L "$rhost" -p "$rport" -m NT1 1>/dev/null 2>/dev/null
sleep 0.5 && echo ""

Running the script gives output like this (the dots of the version are stripped, so a version such as 2.2.7a prints as 227a):

root@xax007:~/pwk/lab/public# ./smbver.sh [IP]
[IP]: UnixSamba 227a

When in doubt, check the SMB version in the pcap: the Native OS and Native LAN Manager fields of the SMB1 Session Setup response carry the strings, for example "Unix" and "Samba 2.2.3a".

Identifying the SMB version with Wireshark

Method 1:

Use the Metasploit module auxiliary/scanner/smb/smb_version.

Method 2:

Use smbclient to force an SMB1 (NT1) connection to the service while capturing the interface in Wireshark. -m NT1 caps the negotiated protocol at SMB1, which matters because SMB2/3 responses do not carry the version strings:

smbclient -U ""%"" -m NT1 -N -L //ip

Then filter the capture on smb.native_lanman (and smb.native_os for the OS string) to read the target's operating system and SMB server version.

This works for both Windows and Linux targets.

Reference: https://0xdf.gitlab.io/2018/12/02/pwk-notes-smb-enumeration-checklist-update1.html#smbclient