SMB (short for [Server Message Block](https://baike.baidu.com/item/Server Message Block/1349786?fromModule=lemma_inlink)) is the name of a network protocol used for network connections and for exchanging information between clients and servers. SMB was originally developed at IBM by Barry Feigenbaum, with the goal of turning the DOS local file interface "interrupt 13" into a network file system.
#search
#1. Find the config file and change the client settings. Both options below only weaken the Kali client side (no SPNEGO, NTLMv1 responses instead of NTLMv2) so it can still talk to the old Samba 3.0.20 target; revert them after the lab.
# locate smb.conf
/etc/samba/smb.conf
vim /etc/samba/smb.conf
[global]
client use spnego = no
client ntlmv2 auth = no
1. Scan the target machine
enum4linux 192.168.86.135
2. Share enumeration results from the target's SMB server. The warnings at the top of the output show that "client use spnego" is deprecated in this Samba client version and that the second option was misspelled ("ayth") in the file actually loaded, so it was ignored.
===========================================
| Share Enumeration on 192.168.86.135 |
===========================================
lpcfg_do_global_parameter: WARNING: The "client use spnego" option is deprecated
Unknown parameter encountered: "client ntlmv2 ayth"
Ignoring unknown parameter "client ntlmv2 ayth"
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
https://www.freebuf.com/articles/system/256899.html
3. Attempt to map the target's shares
[+] Attempting to map shares on 192.168.86.135
//192.168.86.135/print$ Mapping: DENIED, Listing: N/A
//192.168.86.135/tmp Mapping: OK, Listing: OK
//192.168.86.135/opt Mapping: DENIED, Listing: N/A
//192.168.86.135/IPC$ [E] Can't understand response:
lpcfg_do_global_parameter: WARNING: The "client use spnego" option is deprecated
Unknown parameter encountered: "client ntlmv2 ayth"
Ignoring unknown parameter "client ntlmv2 ayth"
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//192.168.86.135/ADMIN$ Mapping: DENIED, Listing: N/A
4. Password policy information
======================================================
| Password Policy Information for 192.168.86.135 |
======================================================
[+] Attaching to 192.168.86.135 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
[+] METASPLOITABLE
[+] Builtin
[+] Password Info for Domain: METASPLOITABLE
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 0
From this, the password policy's minimum password length is reported as 0 (by rpcclient), with complexity disabled and no lockout threshold.
5. Group information
================================
| Groups on 192.168.86.135 |
================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
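A small defender-side parser for the share-mapping and password-policy sections above, added here as an example (it is not part of the original note or of enum4linux). It reads a constructed copy of the output quoted in this note and turns it into findings; the key names and thresholds are my own choices.

```python
import re

# Constructed sample: a trimmed copy of the enum4linux output quoted in this note
SAMPLE = """\
//192.168.86.135/print$ Mapping: DENIED, Listing: N/A
//192.168.86.135/tmp Mapping: OK, Listing: OK
//192.168.86.135/opt Mapping: DENIED, Listing: N/A
[+] Attaching to 192.168.86.135 using a NULL share
[+] Minimum password length: 5
[+] Password Complexity Flags: 000000
[+] Account Lockout Threshold: None
Password Complexity: Disabled
Minimum Password Length: 0
"""

SHARE_RE = re.compile(r"^//[^/]+/(?P<share>\S+)\s+Mapping:\s*(?P<map>\w+),\s*Listing:\s*(?P<list>\S+)")
POLICY_RE = re.compile(r"^(?:\[\+\]\s*)?(?P<key>[A-Za-z ]+?):\s*(?P<val>.+)$")

def parse_enum4linux(text):
    # Collect share mapping results, password policy values and null-session status
    shares, policy, null_session = {}, {}, False
    for line in text.splitlines():
        if m := SHARE_RE.match(line):
            shares[m["share"]] = (m["map"], m["list"])
        elif "using a NULL share" in line:
            null_session = True
        elif m := POLICY_RE.match(line):
            key, val = m["key"].strip().lower(), m["val"].strip()
            # enum4linux and rpcclient may both report a value; keep the weakest (lowest) number
            if key in policy and val.isdigit() and policy[key].isdigit():
                val = str(min(int(val), int(policy[key])))
            policy[key] = val
    return {"shares": shares, "policy": policy, "null_session": null_session}

def findings(parsed):
    # Turn the parsed output into findings a defender would want to fix
    out = []
    if parsed["null_session"]:
        out.append("null session accepted: anonymous RPC and share enumeration works")
    for share, (mapping, listing) in parsed["shares"].items():
        if mapping == "OK":
            out.append(f"share {share} mappable without credentials (listing: {listing})")
    pol = parsed["policy"]
    length = pol.get("minimum password length", "")
    if length.isdigit() and int(length) < 8:
        out.append(f"minimum password length {length} is below 8")
    if pol.get("password complexity") == "Disabled":
        out.append("password complexity disabled")
    if pol.get("account lockout threshold") == "None":
        out.append("no account lockout threshold: failed logons are unlimited")
    return out
```

Run `findings(parse_enum4linux(SAMPLE))` to get the five findings for this target; feed it the full enum4linux output to check a real host.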
6. Use msf to identify the SMB version and the operating system, for example:
msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > show options
#msf, through its smb scanner module, will
[*] 192.168.86.135:445 - SMB Detected (versions:1) (preferred dialect:) (signatures:optional)
#Note that the detected SMB version is printed here
[*] 192.168.86.135:445 - Host could not be identified: Unix (Samba 3.0.20-Debian)
[*] 192.168.86.135: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
└─# nbtscan 192.168.86.135
Doing NBT name scan for addresses from 192.168.86.135
IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
192.168.86.135 METASPLOITABLE <server> METASPLOITABLE 00:00:00:00:00:00
lpcfg_do_global_parameter: WARNING: The "client use spnego" option is deprecated
Unknown parameter encountered: "client ntlmv2 ayth"
Ignoring unknown parameter "client ntlmv2 ayth"
Enter WORKGROUP\kali's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
Server Comment
--------- -------
DESKTOP-1QCULEM
METASPLOITABLE metasploitable server (Samba 3.0.20-Debian)
Workgroup Master
--------- -------
WORKGROUP METASPLOITABLE
smbclient "\\\\192.168.86.135\IPC$"
#An interactive prompt appearing means the (anonymous) login succeeded
smb: \>