Small White Diary 12: Kali Penetration Testing Service Scan (II) - SMB Scan

Source: Internet
Author: User

SMB Scan

Server Message Block (SMB) protocol. Unlike the other standard TCP/IP protocols, SMB is a complex one: as Windows evolved, more and more features were bolted onto it, until it became hard to tell which concepts belong to the Windows operating system itself and which belong to the SMB protocol. That complexity is why SMB has been one of the most security-troubled protocols in Microsoft's history.

1. Nmap

Easiest way: scan the two fixed SMB ports, 139 and 445. Open ports alone do not prove that the host is Windows, though: Samba on Linux listens on the same two ports (192.168.1.107 below turns out to be metasploitable), so the SMB-level fingerprinting in the next section is needed to tell them apart.

root@kali:~# nmap -v -p139,445 192.168.1.0/24        # -v: show more detailed information

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-12 15:35 CST
Initiating ARP Ping Scan at 15:35
Scanning 255 hosts [1 port/host]
Completed ARP Ping Scan at 15:35, 1.70s elapsed (255 total hosts)
Initiating Parallel DNS resolution of 255 hosts. at 15:35
Completed Parallel DNS resolution of 255 hosts. at 15:35, 0.01s elapsed
Nmap scan report for 192.168.1.0 [host down]
Nmap scan report for 192.168.1.2 [host down]
Nmap scan report for 192.168.1.3 [host down]
Nmap scan report for 192.168.1.4 [host down]
...
Nmap scan report for 192.168.1.255 [host down]
Initiating Parallel DNS resolution of 1 host. at 15:35
Completed Parallel DNS resolution of 1 host. at 15:35, 0.00s elapsed
Initiating SYN Stealth Scan at 15:35
Scanning 4 hosts [2 ports/host]
Discovered open port 445/tcp on 192.168.1.141
Discovered open port 139/tcp on 192.168.1.141
Discovered open port 445/tcp on 192.168.1.107
Discovered open port 139/tcp on 192.168.1.107
Completed SYN Stealth Scan at 15:35, 0.05s elapsed (8 total ports)
Nmap scan report for DD-WRT (192.168.1.1)
Host is up (0.0088s latency).
PORT    STATE  SERVICE
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds
MAC Address: 1C:BD:B9:27:D5:32 (D-Link International)

Nmap scan report for 192.168.1.107
Host is up (0.0011s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:EB:1D:BC (Oracle VirtualBox virtual NIC)

Nmap scan report for DESKTOP-TA5DCRJ (192.168.1.141)
Host is up (0.0027s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 2C:6E:85:C4:0D:5B (Intel Corporate)

Nmap scan report for Kali (192.168.1.143)
Host is up (0.0032s latency).
PORT    STATE  SERVICE
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds
MAC Address: 08:00:27:CA:63:99 (Oracle VirtualBox virtual NIC)

Initiating SYN Stealth Scan at 15:35
Scanning 192.168.1.127 [2 ports]
Completed SYN Stealth Scan at 15:35, 0.06s elapsed (2 total ports)
Nmap scan report for 192.168.1.127
Host is up (0.00015s latency).
PORT    STATE  SERVICE
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds

Read data files from: /usr/bin/../share/nmap
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.03 seconds
           Raw packets sent: 516 (14.608KB) | Rcvd: 16 (616B)

Advanced Scanning

1. Discovering Windows systems with SMB open

smb-os-discovery sets up an SMB session with the target and reads the OS and LAN Manager strings, the NetBIOS computer name and the workgroup from the server's response. This is the check that actually separates a Windows host from a Samba server.

root@kali:~# nmap 192.168.1.141 -p139,445 --script=smb-os-discovery.nse        # script for fingerprinting the OS over SMB

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-12 15:43 CST
Nmap scan report for DESKTOP-TA5DCRJ (192.168.1.141)
Host is up (0.00030s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 2C:6E:85:C4:0D:5B (Intel Corporate)

Host script results:
| smb-os-discovery:
|   OS: Windows 10 Home China 10586 (Windows 10 Home China 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   NetBIOS computer name: DESKTOP-TA5DCRJ
|   Workgroup: WORKGROUP
|_  System time: 2016-09-12T15:43:52+08:00

Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds

2. Scanning Windows SMB for vulnerabilities

Since Nmap 6.49beta6 the smb-check-vulns.nse script has been removed. It was split into separate scripts: smb-vuln-conficker, smb-vuln-cve2009-3103, smb-vuln-ms06-025, smb-vuln-ms07-029, smb-vuln-regsvc-dos and smb-vuln-ms08-067. Nmap 7.01, used below, also ships smb-vuln-ms10-054 and smb-vuln-ms10-061, which is why the wildcard run loads 8 scripts. Pick the script that matches the target; if you are not sure which applies, use smb-vuln-* to run all of them (quote the pattern, --script='smb-vuln-*', so the shell does not try to expand it against files in the current directory).

root@kali:~# nmap -v -p139,445 --script=smb-vuln-*.nse --script-args=unsafe=1 192.168.1.115 -Pn
# unsafe=1: also run the intrusive checks. They can crash the target (the CVE-2009-3103 check in
#           particular detects the bug by triggering it), so use unsafe=0 (safe checks only) on hosts
#           that must stay up.
# -Pn: skip host discovery and scan even if a firewall drops the ping probes.

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-12 19:59 CST
NSE: Loaded 8 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:59
Completed NSE at 19:59, 0.00s elapsed
Initiating ARP Ping Scan at 19:59
Scanning 192.168.1.115 [1 port]
Completed ARP Ping Scan at 19:59, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:59
Completed Parallel DNS resolution of 1 host. at 19:59, 0.01s elapsed
Initiating SYN Stealth Scan at 19:59
Scanning PC (192.168.1.115) [2 ports]
Discovered open port 139/tcp on 192.168.1.115
Discovered open port 445/tcp on 192.168.1.115
Completed SYN Stealth Scan at 19:59, 0.04s elapsed (2 total ports)
NSE: Script scanning 192.168.1.115.
Initiating NSE at 19:59
Completed NSE at 19:59, 5.00s elapsed
Nmap scan report for PC (192.168.1.115)
Host is up (0.00028s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:2B:32:0F (Oracle VirtualBox virtual NIC)

Host script results:
| smb-vuln-cve2009-3103:
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
|           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
|           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
|           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
|           aka "SMBv2 Negotiation Vulnerability."
|
|     Disclosure date: 2009-09-08
|     References:
|       http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_smb-vuln-ms10-054: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED

NSE: Script Post-scanning.
Initiating NSE at 19:59
Completed NSE at 19:59, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 5.47 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Read the last two lines as carefully as the finding: a script error or an NT_STATUS_ACCESS_DENIED is "not checked", not "not vulnerable". Rerun failing scripts with -d, and rerun access-denied ones with credentials (--script-args=smbusername=...,smbpassword=...) before signing the host off.
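Acting on three nmap runs by eye does not scale to a /24. The script below is an added example, not code from the original post: it parses the XML that nmap writes with -oX for a sweep combining sections 1 and 2 (-p139,445 --script 'smb-os-discovery,smb-vuln-*'), keeps only hosts that actually have an SMB port open, uses the OS and LAN Manager strings from smb-os-discovery to separate Windows from Samba (the distinction a bare port scan cannot make), and collects smb-vuln-* findings while treating "NOT VULNERABLE" as clean and script errors such as the ms10-054 failure above as unchecked. SAMPLE_XML is constructed to mirror the hosts seen in this post's scans; the <table>/<elem> layout of the vulnerability results follows nmap's vulns library output as I know it and is an assumption, as is the Samba version string given to 192.168.1.107.

```python
#!/usr/bin/env python3
"""Turn an nmap SMB sweep saved with -oX into an actionable target list.

Added example, not from the original post.  Input is the XML from e.g.
    nmap -v -p139,445 --script 'smb-os-discovery,smb-vuln-*' \
         --script-args=unsafe=0 -oX smb.xml 192.168.1.0/24
SAMPLE_XML is a constructed stand-in so the script runs offline."""
import sys
import xml.etree.ElementTree as ET

SMB_PORTS = {"139", "445"}

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.01">
<host><status state="up"/><address addr="192.168.1.141" addrtype="ipv4"/>
 <address addr="2C:6E:85:C4:0D:5B" addrtype="mac"/>
 <ports><port protocol="tcp" portid="139"><state state="open"/></port>
        <port protocol="tcp" portid="445"><state state="open"/></port></ports>
 <hostscript>
  <script id="smb-os-discovery" output=""><elem key="os">Windows 10 Home China 10586</elem>
   <elem key="lanmanager">Windows 10 Home China 6.3</elem><elem key="server">DESKTOP-TA5DCRJ</elem>
   <elem key="workgroup">WORKGROUP</elem></script>
  <script id="smb-vuln-ms08-067" output=""><table key="MS08-067"><elem key="state">NOT VULNERABLE</elem></table></script>
  <script id="smb-vuln-ms10-054" output="ERROR: Script execution failed (use -d to debug)"/>
 </hostscript></host>
<host><status state="up"/><address addr="192.168.1.115" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="139"><state state="open"/></port>
        <port protocol="tcp" portid="445"><state state="open"/></port></ports>
 <hostscript><script id="smb-vuln-cve2009-3103" output=""><table key="CVE-2009-3103">
   <elem key="state">VULNERABLE</elem></table></script></hostscript></host>
<host><status state="up"/><address addr="192.168.1.107" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="139"><state state="open"/></port>
        <port protocol="tcp" portid="445"><state state="open"/></port></ports>
 <hostscript><script id="smb-os-discovery" output=""><elem key="os">Unix</elem>
   <elem key="lanmanager">Samba 3.0.20-Debian</elem><elem key="server">METASPLOITABLE</elem></script>
 </hostscript></host>
<host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="445"><state state="closed"/></port></ports></host>
</nmaprun>
"""


def classify(os_name, lanmanager):
    """Windows or Samba?  Ports 139/445 cannot tell (Samba listens on both);
    the OS and LAN Manager strings returned in the SMB session can."""
    text = f"{os_name} {lanmanager}".lower()
    if "samba" in text:
        return "samba"
    if "windows" in text:
        return "windows"
    return "unknown"


def parse_smb_sweep(xml_text):
    """Return one record per up host with 139 or 445 open, in file order."""
    targets = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        rec = {"ip": None, "mac": None, "ports": [], "os": None, "lanmanager": None,
               "server": None, "workgroup": None, "platform": "unknown",
               "vulnerable": [], "script_errors": []}
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                rec["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                rec["mac"] = addr.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if port.get("portid") in SMB_PORTS and state is not None and state.get("state") == "open":
                rec["ports"].append(int(port.get("portid")))
        if not rec["ports"]:
            continue                                  # nothing speaking SMB here
        for script in host.iter("script"):
            sid = script.get("id", "")
            if sid == "smb-os-discovery":
                for elem in script.findall("elem"):
                    if elem.get("key") in ("os", "lanmanager", "server", "workgroup"):
                        rec[elem.get("key")] = elem.text
                rec["platform"] = classify(rec["os"] or "", rec["lanmanager"] or "")
            elif sid.startswith("smb-vuln-"):
                if script.get("output", "").lstrip().startswith("ERROR"):
                    rec["script_errors"].append(sid)  # unchecked, not clean: rerun with -d
                    continue
                for table in script.findall("table"):
                    state = table.findtext("elem[@key='state']", default="")
                    # vulns-library states include VULNERABLE, LIKELY VULNERABLE,
                    # VULNERABLE (Exploitable), NOT VULNERABLE, UNKNOWN; a substring
                    # test for "VULNERABLE" would wrongly match NOT VULNERABLE
                    if state.startswith(("VULNERABLE", "LIKELY VULNERABLE")):
                        rec["vulnerable"].append(table.get("key", sid))
        rec["ports"].sort()
        targets.append(rec)
    return targets


def main(argv):
    xml_text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_XML
    for t in parse_smb_sweep(xml_text):
        print(f"{t['ip']:<15} {t['platform']:<8} {t['server'] or '?':<16} "
              f"{t['os'] or '?':<28} vuln={','.join(t['vulnerable']) or '-'} "
              f"errors={','.join(t['script_errors']) or '-'}")


if __name__ == "__main__":
    main(sys.argv)
```

Hosts classified as windows or unknown are the ones worth handing to enum4linux -a in section 3; samba hosts need Samba-specific checks instead, and anything in the errors column goes back to nmap with -d or with credentials rather than being marked clean.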


2. nbtscan

# -r: send the queries from local UDP port 137 (needs root). Best compatibility: older systems only answer queries that come from port 137, so this gives the most complete results.

# Supports scanning a whole network segment.

Advantage: it collects MAC addresses, and it works across network segments as long as the firewall does not filter the NetBIOS name service properly. Note the all-zero MAC reported for metasploitable below: Samba's name server returns a zeroed unit ID where Windows returns the real NIC address, so that value is itself a hint that the responder is Samba rather than Windows.

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
192.168.1.0      Sendto failed: Permission denied
192.168.1.127    <unknown>                  <unknown>
192.168.1.107    METASPLOITABLE   <server>  METASPLOITABLE   00:00:00:00:00:00
192.168.1.141    DESKTOP-TA5DCRJ  <server>  <unknown>        2c:6e:85:c4:0d:5b
192.168.1.115    PC               <server>  <unknown>        08:00:27:2b:32:0f
192.168.1.255    Sendto failed: Permission denied

3. enum4linux

Enumerates Windows (and Samba) hosts from Linux. It does not support scanning a whole network segment, one target at a time only, but the results are very detailed. Note in the run below that the null-session check succeeds while every subsequent RPC call returns NT_STATUS_ACCESS_DENIED: modern Windows accepts the anonymous SMB session but restricts what it may enumerate, so an "allows sessions using username '', password ''" line on its own is not a finding.

root@kali:~# enum4linux -a 192.168.1.141
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Sep 12 20:22:19 2016

 ==========================
|    Target Information    |
 ==========================
Target ........... 192.168.1.141
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 =====================================================
|    Enumerating Workgroup/Domain on 192.168.1.141    |
 =====================================================
[+] Got domain/workgroup name: WORKGROUP

 =============================================
|    Nbtstat Information for 192.168.1.141    |
 =============================================
Looking up status of 192.168.1.141
        DESKTOP-TA5DCRJ <00> -         B <ACTIVE>  Workstation Service
        DESKTOP-TA5DCRJ <20> -         B <ACTIVE>  File Server Service
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name

        MAC Address = 2C-6E-85-C4-0D-5B

 ======================================
|    Session Check on 192.168.1.141    |
 ======================================
[+] Server 192.168.1.141 allows sessions using username '', password ''        # null session attempt

 ============================================
|    Getting domain SID for 192.168.1.141    |
 ============================================
Could not initialise LSA pipe. Error is NT_STATUS_ACCESS_DENIED
Could not obtain SID for domain WORKGROUP error: NT_STATUS_ACCESS_DENIED
[+] Can't determine if host is part of domain or part of a workgroup

 =======================================
|    OS information on 192.168.1.141    |
 =======================================
[+] Got OS info for 192.168.1.141 from smbclient: Domain=[DESKTOP-TA5DCRJ] OS=[Windows 10 Home China 10586] Server=[Windows 10 Home China 6.3]
[E] Can't get OS info with srvinfo: NT_STATUS_ACCESS_DENIED

 ==============================
|    Users on 192.168.1.141    |
 ==============================
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED

 ==========================================
|    Share Enumeration on 192.168.1.141    |
 ==========================================
[E] Can't list shares: NT_STATUS_ACCESS_DENIED
[+] Attempting to map shares on 192.168.1.141

 =====================================================
|    Password Policy Information for 192.168.1.141    |
 =====================================================
[E] Unexpected error from polenum:
[+] Attaching to 192.168.1.141 using a NULL share
[+] Trying protocol 445/SMB...
        [!] Protocol failed: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
[+] Trying protocol 139/SMB...
        [!] Protocol failed: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
[E] Failed to get password policy with rpcclient

 ===============================
|    Groups on 192.168.1.141    |
 ===============================
[+] Getting builtin groups:
[E] Can't get builtin groups: NT_STATUS_ACCESS_DENIED
[+] Getting builtin group memberships:
[+] Getting local groups:
[E] Can't get local groups: NT_STATUS_ACCESS_DENIED
[+] Getting local group memberships:
[+] Getting domain groups:
[E] Can't get domain groups: NT_STATUS_ACCESS_DENIED
[+] Getting domain group memberships:

 ========================================================================
|    Users on 192.168.1.141 via RID cycling (RIDS: 500-550,1000-1050)    |
 ========================================================================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.

 ==============================================
|    Getting printer info for 192.168.1.141    |
 ==============================================
Could not initialise LSA pipe. Error is NT_STATUS_ACCESS_DENIED
Could not obtain SID for domain WORKGROUP error: NT_STATUS_ACCESS_DENIED

enum4linux complete on Mon Sep 12 20:22:20 2016
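The lookup behind the nbtscan table in section 2 and the "Nbtstat Information" block above is one UDP datagram to port 137. The script below is an added example, not code from the original post or from either tool: it builds the RFC 1002 node-status (NBSTAT) request for the wildcard name, parses the reply's name table (the <00>/<20> suffixes, the <GROUP> and <ACTIVE> flags and the B/P/M node type that enum4linux prints) and reads the MAC address out of the UNIT_ID field of the statistics block, which is also where nbtscan's 00:00:00:00:00:00 for metasploitable comes from. SAMPLE_RESPONSE is constructed from the names this page reports for DESKTOP-TA5DCRJ so it runs offline; query_host() does the live lookup, and its source_port option is my reading of what nbtscan -r does (bind to local port 137), not something verified against the page's hosts.

```python
#!/usr/bin/env python3
"""NetBIOS node-status (NBSTAT) query over UDP/137, as nbtscan and the
"Nbtstat Information" step of enum4linux perform it.  Added example, not
code from the original post or from either tool.  SAMPLE_RESPONSE is a
constructed reply carrying the names and MAC the post shows for
DESKTOP-TA5DCRJ, so the parser can be exercised offline."""
import socket
import struct
import sys

NBSTAT, CLASS_IN = 0x0021, 0x0001          # RFC 1002 question type / class
SUFFIX_LABELS = {                          # (suffix byte, is_group) -> meaning
    (0x00, False): "Workstation Service",
    (0x00, True): "Domain/Workgroup Name",
    (0x1B, False): "Domain Master Browser",
    (0x1C, True): "Domain Controllers",
    (0x1D, False): "Master Browser",
    (0x20, False): "File Server Service",
}


def encode_name(name, suffix=0x00):
    """RFC 1001 first-level encoding: 16 raw bytes -> 32 letters 'A'..'P'."""
    if name == "*":                        # wildcard used by status queries, NUL padded
        raw = b"*" + b"\x00" * 15
    else:                                  # ordinary names are space padded + suffix byte
        raw = name.upper().encode("ascii").ljust(15)[:15] + bytes([suffix])
    return bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))


def build_nbstat_request(txid=0x1234):
    """DNS-style header plus one NBSTAT question for '*': the packet nbtscan sends."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + bytes([32]) + encode_name("*") + b"\x00" + struct.pack(">HH", NBSTAT, CLASS_IN)


def parse_nbstat_response(data):
    """Decode the NODE STATUS RESPONSE: name table plus the MAC in UNIT_ID."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a NBNS response with an answer")
    off = 12
    while data[off]:                       # skip the length-prefixed encoded name
        off += 1 + data[off]
    off += 1
    rtype, _rclass, _ttl, _rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rtype != NBSTAT:
        raise ValueError(f"unexpected RR type {rtype:#06x}")
    names, count = [], data[off]
    off += 1
    for _ in range(count):
        raw, suffix, nflags = struct.unpack_from(">15sBH", data, off)
        off += 18
        names.append({"name": raw.rstrip(b" \x00").decode("ascii", "replace"),
                      "suffix": suffix,
                      "group": bool(nflags & 0x8000),           # G bit
                      "node_type": "BPM?"[(nflags >> 13) & 3],  # ONT bits
                      "active": bool(nflags & 0x0400)})         # ACT bit
    mac = data[off:off + 6]                # STATISTICS.UNIT_ID
    return {"txid": txid, "names": names,
            "mac": "-".join(f"{b:02X}" for b in mac),
            # Samba's nmbd fills UNIT_ID with zeros; Windows reports the real NIC address
            "zero_mac": mac == b"\x00" * 6}


def describe(entry):
    """One line in enum4linux's nbtstat layout."""
    label = SUFFIX_LABELS.get((entry["suffix"], entry["group"]), "Unknown")
    grp = "<GROUP>" if entry["group"] else "       "
    act = "<ACTIVE>" if entry["active"] else "        "
    return f"{entry['name']:<15} <{entry['suffix']:02x}> - {grp} {entry['node_type']} {act}  {label}"


def build_nbstat_response(txid, names, mac):
    """Constructed reply in the wire layout a Windows host returns (offline demo only)."""
    rdata = bytes([len(names)])
    for name, suffix, group, active in names:
        nflags = (0x8000 if group else 0) | (0x0400 if active else 0)   # B-node: ONT = 00
        rdata += name.upper().encode("ascii").ljust(15)[:15] + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += mac + b"\x00" * 40            # UNIT_ID followed by a zeroed remainder of STATISTICS
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    return (header + bytes([32]) + encode_name("*") + b"\x00"
            + struct.pack(">HHIH", NBSTAT, CLASS_IN, 0, len(rdata)) + rdata)


SAMPLE_RESPONSE = build_nbstat_response(0x1234, [
    ("DESKTOP-TA5DCRJ", 0x00, False, True), ("DESKTOP-TA5DCRJ", 0x20, False, True),
    ("WORKGROUP", 0x00, True, True)], bytes.fromhex("2c6e85c40d5b"))


def query_host(ip, source_port=None, timeout=2.0):
    """Live lookup; source_port=137 mimics nbtscan -r (needs root), which old hosts answer more reliably."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        if source_port:
            s.bind(("", source_port))
        s.settimeout(timeout)
        s.sendto(build_nbstat_request(), (ip, 137))
        data, _ = s.recvfrom(4096)
    return parse_nbstat_response(data)


if __name__ == "__main__":
    res = query_host(sys.argv[1]) if len(sys.argv) > 1 else parse_nbstat_response(SAMPLE_RESPONSE)
    for e in res["names"]:
        print(describe(e))
    print("MAC Address =", res["mac"], "(all zeros: probably Samba)" if res["zero_mac"] else "")
```

Run it without arguments to decode the constructed reply, or with an IP to query a live host. A reply with a zeroed UNIT_ID is the programmatic form of the 00:00:00:00:00:00 row in the nbtscan table and a cheap first signal that the SMB speaker is Samba, to be confirmed with smb-os-discovery.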


Small White Diary, to be continued ...

