第二十二课:基于SMB发现内网存活主机

释放双眼,带上耳机,听听看~!

基于msf

模块: scanner/smb/smb_version

msf auxiliary(scanner/smb/smb_version) > show options
Module options (auxiliary/scanner/smb/smb_version): 
Name Current Setting Required Description‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐RHOSTS 192.168.1.0/24 yes The target address range or CIDR identifierSMBDomain . no The Windows domain to use for authenticationSMBPass no The password for the specified usernameSMBUser no The username to authenticate asTHREADS 1 yes The number of concurrent threads 
msf auxiliary(scanner/smb/smb_version) > set threads 20threads => 20msf auxiliary(scanner/smb/smb_version) > exploit 
[+] 192.168.1.4:445 ‐ Host is running Windows 7 Ultimate SP1 (build:7601) (name:XXXXXX) (workgroup:WORKGROUP )[*] Scanned 39 of 256 hosts (15% complete)[*] Scanned 61 of 256 hosts (23% complete)[*] Scanned 81 of 256 hosts (31% complete)[+] 192.168.1.99:445 ‐ Host is running Windows 7 Ultimate SP1 (build:7601) (name:XXXXXX) (workgroup:WORKGROUP )[+] 192.168.1.119:445 ‐ Host is running Windows 2003 R2 SP2 (build:3790) (name:XXXXXX)[*] Scanned 103 of 256 hosts (40% complete)[*] Scanned 130 of 256 hosts (50% complete)[*] Scanned 154 of 256 hosts (60% complete)[*] Scanned 181 of 256 hosts (70% complete)[*] Scanned 205 of 256 hosts (80% complete)[*] Scanned 232 of 256 hosts (90% complete)[*] Scanned 256 of 256 hosts (100% complete)[*] Auxiliary module execution completed

基于cme(参考第九十三课)

root@John:~# cme smb 192.168.1.0/24SMB 192.168.1.4 445 JOHN‐PC [*] Windows 7 Ultimate 7601 Service Pack 1x64 (name:JOHN‐PC) (domain:JOHN‐PC) (signing:False) (SMBv1:True)SMB 192.168.1.99 445 JOHN‐PC [*] Windows 7 Ultimate 7601 Service Packx64 (name:JOHN‐PC) (domain:JOHN‐PC) (signing:False) (SMBv1:True)SMB 192.168.1.119 445 WIN03X64 [*] Windows Server 2003 R2 3790 ServicePack 2 x32 (name:WIN03X64) (domain:WIN03X64) (signing:False) (SMBv1:True

基于nmap

root@John:~# nmap ‐sU ‐sS ‐‐script smb‐enum‐shares.nse ‐p 445 192.168.1.119Starting Nmap 7.70 ( https://nmap.org ) at 2019‐01‐29 08:45 ESTNmap scan report for 192.168.1.119Host is up (0.0029s latency). 
PORT STATE SERVICE445/tcp open microsoft‐ds445/udp open|filtered microsoft‐dsMAC Address: 00:0C:29:85:D6:7D (VMware) 
Host script results:| smb‐enum‐shares:| account_used: guest| \\192.168.1.119\ADMIN$:| Type: STYPE_DISKTREE_HIDDEN| Comment: \xE8\xBF\x9C\xE7\xA8\x8B\xE7\xAE\xA1\xE7\x90\x86| Anonymous access: <none>| Current user access: <none>| \\192.168.1.119\C$:| Type: STYPE_DISKTREE_HIDDEN| Comment: \xE9\xBB\x98\xE8\xAE\xA4\xE5\x85\xB1\xE4\xBA\xAB| Anonymous access: <none>| Current user access: <none>| \\192.168.1.119\E$:| Type: STYPE_DISKTREE_HIDDEN| Comment: \xE9\xBB\x98\xE8\xAE\xA4\xE5\x85\xB1\xE4\xBA\xAB| Anonymous access: <none>| Current user access: <none>| \\192.168.1.119\IPC$:| Type: STYPE_IPC_HIDDEN| Comment: \xE8\xBF\x9C\xE7\xA8\x8B IPC| Anonymous access: READ| Current user access: READ/WRITE| \\192.168.1.119\share:| Type: STYPE_DISKTREE| Comment:| Anonymous access: <none>|_ Current user access: READ/WRITE 
Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds

基于CMD:

for /l %a in (1,1,254) do start /min /low telnet 192.168.1.%a 445

基于powershell:

一句话扫描: 单IP:

445 | %{ echo ((new‐object Net.Sockets.TcpClient).Connect("192.168.1.119",$_)) "$_ is open"} 2>$null

多ip:

1..5 | % { $a = $_; 445 | % {echo ((new‐objectNet.Sockets.TcpClient).Connect("192.168.1.$a",$_)) "Port $_ is open"}2>$null}

多port,多IP:

118..119 | % { $a = $_; write‐host "‐‐‐‐‐‐"; write‐host"192.168.1.$a"; 80,445 | % {echo ((new‐object Net.Sockets.TcpClient).Connect("192.168.1.$a",$_)) "Port $_ is open"} 2>$null}

Micropoor

人已赞赏
安全工具安全教程

第二十一课:基于ICMP发现内网存活主机

2019-11-1 16:52:51

安全教程

thinkphp v5.x 远程代码执行漏洞-POC集合

2019-11-2 22:15:33

0 条回复 A文章作者 M管理员
    暂无讨论,说说你的看法吧
个人中心
购物车
优惠劵
今日签到
有新私信 私信列表
搜索