SMB service vulnerability checklist for penetration testing
- October 8, 2019
- Notes

Source: https://0xdf.gitlab.io/2018/12/02/pwk-notes-smb-enumeration-checklist-update1.html#list-shares

I have been working through PWK/OSCP for the past month, and along the way I noticed that enumerating SMB is tricky: different tools fail or succeed on different hosts. Drawing on material published by NetSecFocus, I put together a checklist for scanning SMB for vulnerabilities during a penetration test. I include examples in each section, but where I use PWK lab hosts the data is redacted, as the rules require.
- Checklist
- Tools
- Details
- Enumerate hostname – nmblookup
- Scan for shares – smbmap – smbclient – NMAP
- Check null sessions – smbmap – rpcclient – smbclient
- Check for vulnerabilities – NMAP
- Overall scan – enum4linux
- Manual checks
- Samba – Windows
Checklist
- Enumerate hostname – nmblookup -A [ip]
- List shares
```
smbmap -H [ip/hostname]
echo exit | smbclient -L \\\\[ip]
nmap --script smb-enum-shares -p 139,445 [ip]
```
- Check null sessions
```
smbmap -H [ip/hostname]
rpcclient -U "" -N [ip]
smbclient \\\\[ip]\\[share name]
```
- Check for vulnerabilities
```
nmap --script 'smb-vuln*' -p 139,445 [ip]
```
- Overall scan
```
enum4linux -a [ip]
```
- Manual checks
```
smbver.sh [IP] (port)
```
[samba] – check the pcap
Tools
- nmblookup – collects NetBIOS information from a TCP/IP client, used to look up NetBIOS names
- smbclient – an ftp-like client for accessing SMB shares
- nmap – general-purpose scanner that ships with its own check scripts
- rpcclient – tool for executing client-side MS-RPC functions
- enum4linux – enumerates a wide range of SMB information
- wireshark
Details
Enumerate hostname
- nmblookup
```
nmblookup -A [IP]
```
-A – look up by IP address
Usage example:
```
root@kali:~# nmblookup -A [ip]
Looking up status of [ip]
        [hostname]      <00> -         M <ACTIVE>
        [hostname]      <20> -         M <ACTIVE>
        WORKGROUP       <00> - <GROUP> M <ACTIVE>
        WORKGROUP       <1e> - <GROUP> M <ACTIVE>
                        <03> -         M <ACTIVE>
        INet~Services   <1c> - <GROUP> M <ACTIVE>
        IS~[hostname]   <00> -         M <ACTIVE>

        MAC Address = 00-50-56-XX-XX-XX
```
Scan for shares
- smbmap
```
smbmap -H [ip/hostname]
```
This command shows the shares on the host and the access you have to each one. Usage example:
```
root@kali:/# smbmap -H [ip]
[+] Finding open SMB ports....
[+] User SMB session establishd on [ip]...
[+] IP: [ip]:445        Name: [ip]
        Disk                                                    Permissions
        ----                                                    -----------
        ADMIN$                                                  NO ACCESS
        C$                                                      NO ACCESS
        IPC$                                                    NO ACCESS
        NETLOGON                                                NO ACCESS
        Replication                                             READ ONLY
        SYSVOL                                                  NO ACCESS
```
If you obtain login credentials, rerun it with them to see the new access:
```
root@kali:/# smbmap -H [ip] -d [domain] -u [user] -p [password]
[+] Finding open SMB ports....
[+] User SMB session establishd on [ip]...
[+] IP: [ip]:445        Name: [ip]
        Disk                                                    Permissions
        ----                                                    -----------
        ADMIN$                                                  NO ACCESS
        C$                                                      NO ACCESS
        IPC$                                                    NO ACCESS
        NETLOGON                                                READ ONLY
        Replication                                             READ ONLY
        SYSVOL                                                  READ ONLY
```
- smbclient
```
echo exit | smbclient -L \\\\[ip]
```
The piped exit answers any password prompt that comes up, since we are checking for a null login.
-L – get the list of shares on the given host
Usage example:
```
root@kali:~# smbclient -L \\\\[ip]
Enter WORKGROUP\root's password:

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       Remote IPC
        share           Disk
        wwwroot         Disk
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
```
- NMAP
```
nmap --script smb-enum-shares -p 139,445 [ip]
```
--script smb-enum-shares – select the SMB share enumeration script
-p 139,445 – the SMB ports
Usage example:
```
root@kali:~# nmap --script smb-enum-shares -p 139,445 [ip]
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-27 16:25 EDT
Nmap scan report for [ip]
Host is up (0.037s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:50:56:XX:XX:XX (VMware)

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\[ip]\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\[ip]\C$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\[ip]\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: READ
|     Current user access: READ/WRITE
|   \\[ip]\share:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: <none>
|     Current user access: READ/WRITE
|   \\[ip]\wwwroot:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: <none>
|_    Current user access: READ

Nmap done: 1 IP address (1 host up) scanned in 10.93 seconds
```
Check null sessions
- smbmap
```
smbmap -H [ip/hostname]
```
Shows what you can do with the given credentials (or with a null session when no credentials are given). See the examples in the previous section.
- rpcclient
```
rpcclient -U "" -N [ip]
```
-U "" – null session
-N – no password
Usage example:
```
root@kali:~# rpcclient -U "" -N [ip]
rpcclient $>
```
From there you can run RPC commands.
- smbclient
```
smbclient \\\\[ip]\\[share name]
```
This command tries to connect to the share. It includes attempting a connection with no password (or an empty password), which can still succeed. Usage example:
```
root@kali:~/pwk/lab/public# smbclient \\\\[ip]\\share
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Sep 27 16:26:00 2018
  ..                                  D        0  Thu Sep 27 16:26:00 2018
  New Folder (9)                      D        0  Sun Dec 13 05:26:59 2015
  New Folder - 6                      D        0  Sun Dec 13 06:55:42 2015
  Shortcut to New Folder (2).lnk      A      420  Sun Dec 13 05:24:51 2015

                1690825 blocks of size 2048. 794699 blocks available
```
Check for vulnerabilities
- NMAP
```
nmap --script 'smb-vuln*' -p 139,445 [ip]
```
--script smb-vuln* – run every SMB vulnerability check script
-p 139,445 – the SMB ports
Usage example:
```
root@kali:~# nmap --script smb-vuln* -p 139,445 [ip]
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-27 16:37 EDT
Nmap scan report for [ip]
Host is up (0.030s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:50:56:XX:XX:XX (VMware)

Host script results:
| smb-vuln-ms06-025:
|   VULNERABLE:
|   RRAS Memory Corruption vulnerability (MS06-025)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2006-2370
|           A buffer overflow vulnerability in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1
|           and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to
|           execute arbitrary code via certain crafted "RPC related requests" aka the "RRAS Memory Corruption Vulnerability."
|
|     Disclosure date: 2006-6-27
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2370
|_      https://technet.microsoft.com/en-us/library/security/ms06-025.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 5.58 seconds
```
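The smbmap and nmap output above becomes useful once it is reduced to a short list of what needs attention. As an added example that is not part of the original post, here are two POSIX shell/awk filters: one lists the shares from `smbmap -H` that allow any access at all (the null-session and credentialed runs can be compared this way), the other lists the `smb-vuln*` scripts that reported `State: VULNERABLE` together with their CVE id. The host and share values in the embedded sample input are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): two triage filters for the
# tool output shown on this page. Host/share values below are constructed.

# Shares from `smbmap -H [ip]` output with anything other than NO ACCESS.
# Assumes the two-column Disk/Permissions layout shown on this page; newer
# smbmap releases add a Comment column, which would end up in the perm field.
smbmap_accessible() {
    awk '
        /^[ \t]*Disk[ \t]+Permissions/ { inshares = 1; next }
        inshares && /^[ \t]*-+[ \t]+-+/ { next }
        inshares && NF >= 2 && $0 !~ /NO ACCESS/ {
            perm = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", perm)
            print $1 ": " perm
        }'
}

# Scripts that reported "State: VULNERABLE" in `nmap --script smb-vuln*`
# output, followed by the first CVE id from the "IDs:" line when present.
nmap_vulnerable() {
    awk '
        /^[|]_?[ \t]*smb-vuln-/ {
            if (pending != "") print pending
            line = $0; sub(/^[|]_?[ \t]*/, "", line); split(line, a, ":")
            script = a[1]; pending = ""
        }
        /State: VULNERABLE/ { pending = script }
        pending != "" && /IDs:/ && match($0, /CVE-[0-9]+-[0-9]+/) {
            print pending " " substr($0, RSTART, RLENGTH); pending = ""
        }
        END { if (pending != "") print pending }'
}

# Constructed sample input in the formats shown earlier on this page.
SAMPLE_SMBMAP='[+] IP: 10.0.0.5:445 Name: 10.0.0.5
        Disk                     Permissions
        ----                     -----------
        ADMIN$                   NO ACCESS
        NETLOGON                 READ ONLY
        Replication              READ, WRITE
        SYSVOL                   NO ACCESS'
SAMPLE_NMAP='| smb-vuln-ms06-025:
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2006-2370
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)'

printf '%s\n' "$SAMPLE_SMBMAP" | smbmap_accessible
printf '%s\n' "$SAMPLE_NMAP" | nmap_vulnerable
```

On a live run, pipe the real tool output into the functions instead of the samples, e.g. `smbmap -H [ip] | smbmap_accessible`.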
Overall scan
- enum4linux
```
enum4linux -a [ip]
```
-a – enumerate everything
The output of a usage example is long, but the key things to look for are:
- output similar to nmblookup
- null session check
- shares
- password policy
- RID cycling output
- domain information
Manual checks
- Samba
ngrep is a handy tool for looking at network data. In one terminal run
```
ngrep -i -d tap0 's.?a.?m.?b.?a.*[[:digit:]]' port 139
```
then in another terminal run
```
echo exit | smbclient -L [IP]
```
which dumps a lot of information, including the version.
rewardone on the PWK forums posted a neat script to grab the Samba version easily:
```
#!/bin/sh
#Author: rewardone
#Description:
# Requires root or enough permissions to use tcpdump
# Will listen for the first 7 packets of a null login
# and grab the SMB Version
#Notes:
# Will sometimes not capture or will print multiple
# lines. May need to run a second time for success.
if [ -z "$1" ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost=$1; fi
if [ ! -z "$2" ]; then rport=$2; else rport=139; fi
tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null
sleep 0.5 && echo ""
```
When you run it against a box running Samba, you get a result like:
```
root@kali:~/pwk/lab/public# ./smbver.sh [IP]
[IP]: UnixSamba 227a
```
When in doubt, we can check the SMB version in the PCAP. Here is an example for Unix Samba 2.2.3a:

- Windows
Windows SMB versions are more complicated, but looking at the packets captured in Wireshark gives a lot of information about the connection. For example, we can filter on ntlmssp.ntlmv2_response to see the NTLMv2 traffic, which reveals a lot of system information about the target host.