
OSCP Study (3)

轩辕庆
2023-12-01

13 - SMB Enumeration (Linux Enumeration)

Concept

SMB (short for [Server Message Block](https://baike.baidu.com/item/Server Message Block/1349786?fromModule=lemma_inlink)) is the name of a network protocol; it is used for network connections and for exchanging information between clients and servers. SMB was originally developed by Barry Feigenbaum at IBM, with the goal of turning the DOS operating system's local file interface, "Interrupt 13", into a network file system.

SMB configuration
# search
# 1. Locate the configuration file and change the settings
# locate smb.conf
/etc/samba/smb.conf

vim /etc/samba/smb.conf
[global]

client use spnego = no
client ntlmv2 auth = no

Note: the warnings in the output below (Unknown parameter encountered: "client ntlmv2 ayth") show that this option was mistyped as "ayth" in the file actually used, so Samba ignored it; "client use spnego" is also reported as deprecated.

1. Scan the target machine

enum4linux 192.168.86.135

2. Enumeration results for the shares on the SMB target

 =========================================== 
|    Share Enumeration on 192.168.86.135    |
 =========================================== 
lpcfg_do_global_parameter: WARNING: The "client use spnego" option is deprecated
Unknown parameter encountered: "client ntlmv2 ayth"
Ignoring unknown parameter "client ntlmv2 ayth"

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk      
        IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))

https://www.freebuf.com/articles/system/256899.html

3. Attempt to map (connect to) the target's shares

[+] Attempting to map shares on 192.168.86.135
//192.168.86.135/print$ Mapping: DENIED, Listing: N/A
//192.168.86.135/tmp    Mapping: OK, Listing: OK
//192.168.86.135/opt    Mapping: DENIED, Listing: N/A
//192.168.86.135/IPC$   [E] Can't understand response:
lpcfg_do_global_parameter: WARNING: The "client use spnego" option is deprecated
Unknown parameter encountered: "client ntlmv2 ayth"
Ignoring unknown parameter "client ntlmv2 ayth"
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//192.168.86.135/ADMIN$ Mapping: DENIED, Listing: N/A

4. Password policy information

 ====================================================== 
|    Password Policy Information for 192.168.86.135    |
 ====================================================== 


[+] Attaching to 192.168.86.135 using a NULL share

[+] Trying protocol 139/SMB...

[+] Found domain(s):

        [+] METASPLOITABLE
        [+] Builtin

[+] Password Info for Domain: METASPLOITABLE

        [+] Minimum password length: 5
        [+] Password history length: None
        [+] Maximum password age: Not Set
        [+] Password Complexity Flags: 000000

                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0

        [+] Minimum password age: None
        [+] Reset Account Lockout Counter: 30 minutes 
        [+] Locked Account Duration: 30 minutes 
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: Not Set


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 0

Looking at this, the minimum password length in the password policy is 0 (as reported by the partial policy retrieved with rpcclient).
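As an added example (not code from the original post), a small Python parser that turns the share table and mapping results of section 3 and the password-policy lines of section 4 into an audit summary a defender can act on. The sample text is constructed from the output shown on this page, and the 8-character minimum length is an assumed baseline.

```python
import re

# Constructed sample modelled on the enum4linux output shown above (not a live capture).
SAMPLE = """\
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk
//192.168.86.135/print$ Mapping: DENIED, Listing: N/A
//192.168.86.135/tmp    Mapping: OK, Listing: OK
//192.168.86.135/opt    Mapping: DENIED, Listing: N/A
        [+] Minimum password length: 5
Password Complexity: Disabled
Minimum Password Length: 0
"""

SHARE_RE = re.compile(r"^\s+(\S+)\s+(Disk|IPC|Printer)\b\s*(.*)$")
MAP_RE = re.compile(r"^//\S+/(\S+)\s+Mapping: (\w+), Listing: (\S+)")
POLICY_RE = re.compile(r"^\s*(?:\[\+\] )?([A-Za-z ]+?):\s*(\S.*?)\s*$")

def parse_enum4linux(text):
    # shares: name -> type; mapped: name -> (mapping, listing); policy: field -> value
    shares, mapped, policy = {}, {}, {}
    for line in text.splitlines():
        if m := SHARE_RE.match(line):
            shares[m.group(1)] = m.group(2)
        elif m := MAP_RE.match(line):
            mapped[m.group(1)] = (m.group(2), m.group(3))
        elif m := POLICY_RE.match(line):
            key, val = m.group(1).strip().lower(), m.group(2)
            # samr and rpcclient may both report a field; keep the weaker (lower) value
            if val.isdigit() and policy.get(key, "").isdigit():
                val = str(min(int(val), int(policy[key])))
            policy[key] = val
    return shares, mapped, policy

def audit(text, min_len=8):
    # Findings a defender would want to remediate, derived from the parsed output
    shares, mapped, policy = parse_enum4linux(text)
    findings = []
    for name, (status, listing) in mapped.items():
        if status == "OK":
            findings.append(f"null-session access to {name} ({shares.get(name, '?')}, listing {listing})")
    if policy.get("password complexity", "").lower() == "disabled":
        findings.append("password complexity disabled")
    length = policy.get("minimum password length", "")
    if length.isdigit() and int(length) < min_len:
        findings.append(f"minimum password length {length} < {min_len}")
    return findings
```

Running `audit(SAMPLE)` flags the anonymously mappable tmp share, the disabled complexity and the zero minimum length, which is exactly what the output above exposes.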

5. User group information

 ================================ 
|    Groups on 192.168.86.135    |
 ================================ 

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:


6. Use msf to identify the SMB version and the operating system, for example:

msf6 > use auxiliary/scanner/smb/smb_version   
msf6 auxiliary(scanner/smb/smb_version) > show options
# The msf SMB scanner module will
[*] 192.168.86.135:445    - SMB Detected (versions:1) (preferred dialect:) (signatures:optional)
# Note that the detected SMB version is printed here
[*] 192.168.86.135:445    -   Host could not be identified: Unix (Samba 3.0.20-Debian)
[*] 192.168.86.135:       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
nbtscan
└─# nbtscan  192.168.86.135
Doing NBT name scan for addresses from 192.168.86.135

IP address       NetBIOS Name     Server    User             MAC address      
------------------------------------------------------------------------------
192.168.86.135   METASPLOITABLE   <server>  METASPLOITABLE   00:00:00:00:00:00
smbclient -L
lpcfg_do_global_parameter: WARNING: The "client use spnego" option is deprecated
Unknown parameter encountered: "client ntlmv2 ayth"
Ignoring unknown parameter "client ntlmv2 ayth"
Enter WORKGROUP\kali's password: 
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk      
        IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

        Server               Comment
        ---------            -------
        DESKTOP-1QCULEM      
        METASPLOITABLE       metasploitable server (Samba 3.0.20-Debian)

        Workgroup            Master
        ---------            -------
        WORKGROUP            METASPLOITABLE

Try logging in
smbclient  "\\\\192.168.86.135\IPC$"
# Getting the interactive prompt means the login succeeded
smb: \>