Pentest Notes 2013-07-13: Scanning for the SMB version

For the SMB2 overflow, Metasploit actually ships two scanners that can be used here. Their results are much the same; one just gives a more detailed verdict, while the other only makes a rough determination.

Welcome to the Metasploit Web Console!
=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 566 exploits - 283 auxiliary
+ -- --=[ 210 payloads - 27 encoders - 8 nops
=[ svn r9834 updated 329 days ago (2010.07.14)
Warning: This copy of the Metasploit Framework was last updated 329 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
http://www.metasploit.com/redmine/projects/framework/wiki/Updating
>> search smb
[*] Searching loaded modules for pattern 'smb'...
Auxiliary
=========
Name Rank Description
---- ---- -----------
admin/oracle/ora_ntlm_stealer normal Oracle SMB Relay Code Execution
admin/smb/samba_symlink_traversal normal Samba Symlink Directory Traversal
dos/windows/smb/ms05_047_pnp normal Microsoft Plug and Play Service Registry Overflow
dos/windows/smb/ms06_035_mailslot normal Microsoft SRV.SYS Mailslot Write Corruption
dos/windows/smb/ms06_063_trans normal Microsoft SRV.SYS Pipe Transaction No Null
dos/windows/smb/ms09_001_write normal Microsoft SRV.SYS WriteAndX Invalid DataOffset
dos/windows/smb/ms09_050_smb2_negotiate_pidhigh normal Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
dos/windows/smb/ms09_050_smb2_session_logoff normal Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference
dos/windows/smb/ms10_006_negotiate_response_loop normal Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop
dos/windows/smb/rras_vls_null_deref normal Microsoft RRAS InterfaceAdjustVLSPointers NULL Dereference
dos/windows/smb/vista_negotiate_stop normal Microsoft Vista SP0 SMB Negotiate Protocol DoS
fuzzers/smb/smb2_negotiate_corrupt normal SMB Negotiate SMB2 Dialect Corruption
fuzzers/smb/smb_create_pipe normal SMB Create Pipe Request Fuzzer
fuzzers/smb/smb_create_pipe_corrupt normal SMB Create Pipe Request Corruption
fuzzers/smb/smb_negotiate_corrupt normal SMB Negotiate Dialect Corruption
fuzzers/smb/smb_ntlm1_login_corrupt normal SMB NTLMv1 Login Request Corruption
fuzzers/smb/smb_tree_connect normal SMB Tree Connect Request Fuzzer
fuzzers/smb/smb_tree_connect_corrupt normal SMB Tree Connect Request Corruption
scanner/smb/pipe_auditor normal SMB Session Pipe Auditor
scanner/smb/pipe_dcerpc_auditor normal SMB Session Pipe DCERPC Auditor
scanner/smb/smb2 normal SMB 2.0 Protocol Detection
scanner/smb/smb_enumshares normal SMB Share Enumeration
scanner/smb/smb_enumusers normal SMB User Enumeration (SAM EnumUsers)
scanner/smb/smb_login normal SMB Login Check Scanner
scanner/smb/smb_lookupsid normal SMB Local User Enumeration (LookupSid)
scanner/smb/smb_version normal SMB Version Detection
server/capture/smb normal Authentication Capture: SMB
Exploits
========
Name Rank Description
---- ---- -----------
netware/smb/lsass_cifs average Novell NetWare LSASS CIFS.NLM Driver Stack Buffer Overflow
windows/browser/java_ws_arginject_altjvm excellent Sun Java Web Start Plugin Command Line Argument Injection
windows/browser/ms10_022_ie_vbscript_winhlp32 great Internet Explorer Winhlp32.exe MsgBox Code Execution
windows/fileformat/ursoft_w32dasm good URSoft W32Dasm Disassembler Function Buffer Overflow
windows/fileformat/vlc_smb_uri great VideoLAN Client (VLC) Win32 smb:// URI Buffer Overflow
windows/smb/ms03_049_netapi good Microsoft Workstation Service NetAddAlternateComputerName Overflow
windows/smb/ms04_007_killbill low Microsoft ASN.1 Library Bitstring Heap Overflow
windows/smb/ms04_011_lsass good Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow
windows/smb/ms04_031_netdde good Microsoft NetDDE Service Overflow
windows/smb/ms05_039_pnp good Microsoft Plug and Play Service Overflow
windows/smb/ms06_025_rasmans_reg good Microsoft RRAS Service RASMAN Registry Overflow
windows/smb/ms06_025_rras average Microsoft RRAS Service Overflow
windows/smb/ms06_040_netapi great Microsoft Server Service NetpwPathCanonicalize Overflow
windows/smb/ms06_066_nwapi good Microsoft Services MS06-066 nwapi32.dll
windows/smb/ms06_066_nwwks good Microsoft Services MS06-066 nwwks.dll
windows/smb/ms06_070_wkssvc normal Microsoft Workstation Service NetpManageIPCConnect Overflow
windows/smb/ms08_067_netapi great Microsoft Server Service Relative Path Stack Corruption
windows/smb/ms09_050_smb2_negotiate_func_index good Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
windows/smb/msdns_zonename great Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)
windows/smb/netidentity_xtierrpcpipe great Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow.
windows/smb/psexec excellent Microsoft Windows Authenticated User Code Execution
windows/smb/smb_relay excellent Microsoft Windows SMB Relay Code Execution
windows/smb/timbuktu_plughntcommand_bof great Timbuktu <= 8.6.6 PlughNTCommand Named Pipe Buffer Overflow
>> use auxiliary/scanner/smb/smb2
>> info
Name: SMB 2.0 Protocol Detection
Version: 9550
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
hdm <hdm@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 445 yes The target port
THREADS 1 yes The number of concurrent threads
Description:
Detect systems that support the SMB 2.0 protocol
>> set RHOSTS 172.16.1.0/24
RHOSTS => 172.16.1.0/24
>> set THREADS 100
THREADS => 100
>> info
Name: SMB 2.0 Protocol Detection
Version: 9550
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
hdm <hdm@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 172.16.1.0/24 yes The target address range or CIDR identifier
RPORT 445 yes The target port
THREADS 100 yes The number of concurrent threads
Description:
Detect systems that support the SMB 2.0 protocol
>> run
[*] 172.16.1.102 supports SMB 2 [dialect 255.2] and has been online for 23 hours
[*] 172.16.1.107 supports SMB 2 [dialect 255.2] and has been online for 2 hours
[*] 172.16.1.110 supports SMB 2 [dialect 255.2] and has been online for 6 hours
[*] Scanned 042 of 256 hosts (016% complete)
[*] Scanned 055 of 256 hosts (021% complete)
[*] Scanned 084 of 256 hosts (032% complete)
[*] Scanned 104 of 256 hosts (040% complete)
[*] Scanned 128 of 256 hosts (050% complete)
[*] Scanned 155 of 256 hosts (060% complete)
[*] Scanned 184 of 256 hosts (071% complete)
[*] Scanned 205 of 256 hosts (080% complete)
[*] Scanned 235 of 256 hosts (091% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
>> back
>> use auxiliary/scanner/smb/smb_version
>> info
Name: SMB Version Detection
Version: 9827
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
hdm <hdm@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
THREADS 1 yes The number of concurrent threads
Description:
Display version information about each system
>> set RHOSTS 172.16.1.0/24
RHOSTS => 172.16.1.0/24
>> set THREADS 100
THREADS => 100
>> info
Name: SMB Version Detection
Version: 9827
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
hdm <hdm@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 172.16.1.0/24 yes The target address range or CIDR identifier
THREADS 100 yes The number of concurrent threads
Description:
Display version information about each system
>> run
[*] Scanned 026 of 256 hosts (010% complete)
[*] Scanned 061 of 256 hosts (023% complete)
[*] Scanned 087 of 256 hosts (033% complete)
[*] 172.16.1.107 is running Windows 7 Ultimate (Build 7600) (language: Unknown) (name:PC) (domain:WORKGROUP)
[*] 172.16.1.110 is running Windows 7 Ultimate (Build 7600) (language: Unknown) (name:YANG*-PC) (domain:WORKGROUP)
[*] 172.16.1.102 is running Windows 7 Ultimate (Build 7600) (language: Unknown) (name:WANG*) (domain:YANGYANGWO)
[*] 172.16.1.111 is running Windows XP Service Pack 3 (language: Chinese - Traditional) (name:WWW-95A235B5556) (domain:WORKGROUP)
[*] Scanned 112 of 256 hosts (043% complete)
[*] Scanned 133 of 256 hosts (051% complete)
[*] Scanned 168 of 256 hosts (065% complete)
[*] Scanned 181 of 256 hosts (070% complete)
[*] Scanned 208 of 256 hosts (081% complete)
[*] Scanned 232 of 256 hosts (090% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
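The "supports SMB 2 [dialect 255.2] and has been online for N hours" lines above are derived from three fields of the server's SMB2 NEGOTIATE response: DialectRevision, SystemTime and ServerStartTime (both FILETIME values). The parser below is an added example, not the scanner's own code; it follows the MS-SMB2 message layout, and the host addresses, the 2013 clock and the response bytes it feeds itself are constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

SMB2_MAGIC = b"\xfeSMB"
HDR_FMT = "<4sHHIHHIIQIIQ16s"   # 64-byte SMB2 header (MS-SMB2 2.2.1)
NEG_FMT = "<HHHH16sIIIIQQHHI"    # fixed 64 bytes of a NEGOTIATE response (MS-SMB2 2.2.4)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HUNDRED_NS_PER_HOUR = 10_000_000 * 3600

def datetime_to_filetime(dt):
    """FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def parse_smb2_negotiate(data):
    """Return (DialectRevision, uptime_hours) from an SMB2 NEGOTIATE response (no NetBIOS header), else None."""
    if len(data) < 128 or data[:4] != SMB2_MAGIC:
        return None
    hdr = struct.unpack_from(HDR_FMT, data, 0)
    command, flags = hdr[4], hdr[6]
    if command != 0 or not flags & 0x1:     # 0 = NEGOTIATE; bit 0 = server-to-client
        return None
    body = struct.unpack_from(NEG_FMT, data, 64)
    dialect, system_time, start_time = body[2], body[9], body[10]
    if system_time < start_time:            # garbage or tampered clocks: refuse to guess
        return None
    return dialect, (system_time - start_time) // HUNDRED_NS_PER_HOUR

def dialect_label(dialect):
    """Low byte then high byte, the way the scanner output above renders 0x02FF as 255.2."""
    return f"{dialect & 0xFF}.{dialect >> 8}"

def build_sample_response(dialect, uptime_hours):
    """Constructed test vector (not a real capture): one NEGOTIATE response as a server would send it."""
    now = datetime(2013, 7, 13, 12, 0, tzinfo=timezone.utc)
    header = struct.pack(HDR_FMT, SMB2_MAGIC, 64, 0, 0, 0, 1, 0x1, 0, 0, 0, 0, 0, b"\0" * 16)
    body = struct.pack(NEG_FMT, 65, 1, dialect, 0, b"\0" * 16, 0, 65536, 65536, 65536,
                       datetime_to_filetime(now),
                       datetime_to_filetime(now - timedelta(hours=uptime_hours)),
                       128, 0, 0)
    return header + body

if __name__ == "__main__":
    # "172.16.1.111" stands in for a host that only answers SMB1 (magic 0xFF 'SMB')
    for host, blob in [("172.16.1.102", build_sample_response(0x02FF, 23)),
                       ("172.16.1.111", b"\xffSMB" + b"\0" * 124)]:
        r = parse_smb2_negotiate(blob)
        print(f"[*] {host} " + ("does not speak SMB 2" if r is None else
              f"supports SMB 2 [dialect {dialect_label(r[0])}] and has been online for {r[1]} hours"))
```

The uptime figure is worth keeping in an inventory: a server whose ServerStartTime predates the last patch cycle has not been rebooted since, so its listed OS build tells only part of the patch story.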
Time: 2024-07-29 10:24:14
