我一直在尝试 kioptrix-level-1 练习https://www.vulnhub.com/entry/kioptrix-level-1-1,22/并想知道为什么smbclient无法识别 Samba 版本?
smbclient 版本 4.11.5-Debian
wolf@linux:~$ smbclient -V
Version 4.11.5-Debian
wolf@linux:~$
例如
wolf@linux:~$ smbclient -L 10.10.10.10
Server does not support EXTENDED_SECURITY but 'client use spnego = yes' and 'client ntlmv2 auth = yes' is set
Anonymous login successful
Enter WORKGROUP\wolf's password:
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server)
ADMIN$ IPC IPC Service (Samba Server)
Reconnecting with SMB1 for workgroup listing.
Server does not support EXTENDED_SECURITY but 'client use spnego = yes' and 'client ntlmv2 auth = yes' is set
Anonymous login successful
Server Comment
--------- -------
KIOPTRIX Samba Server
Workgroup Master
--------- -------
MYGROUP KIOPTRIX
wolf@linux:~$
enum4linux 尝试也没有透露 Samba 的版本号
wolf@linux:/etc/samba$ enum4linux 10.10.10.10
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu May 21 00:04:57 2020
==========================
| Target Information |
==========================
Target ........... 10.10.10.10
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
======================================================
| Enumerating Workgroup/Domain on 10.10.10.10 |
======================================================
[+] Got domain/workgroup name: MYGROUP
==============================================
| Nbtstat Information for 10.10.10.10 |
==============================================
Looking up status of 10.10.10.10
KIOPTRIX <00> - B <ACTIVE> Workstation Service
KIOPTRIX <03> - B <ACTIVE> Messenger Service
KIOPTRIX <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
MYGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
MYGROUP <1d> - B <ACTIVE> Master Browser
MYGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
=======================================
| Session Check on 10.10.10.10 |
=======================================
[+] Server 10.10.10.10 allows sessions using username '', password ''
=============================================
| Getting domain SID for 10.10.10.10 |
=============================================
Domain Name: MYGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
========================================
| OS information on 10.10.10.10 |
========================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.10.10 from smbclient:
[+] Got OS info for 10.10.10.10 from srvinfo:
KIOPTRIX Wk Sv PrQ Unx NT SNT Samba Server
platform_id : 500
os version : 4.5
server type : 0x9a03
===============================
| Users on 10.10.10.10 |
===============================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.
Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.
===========================================
| Share Enumeration on 10.10.10.10 |
===========================================
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server)
ADMIN$ IPC IPC Service (Samba Server)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
KIOPTRIX Samba Server
Workgroup Master
--------- -------
MYGROUP KIOPTRIX
[+] Attempting to map shares on 10.10.10.10
//10.10.10.10/IPC$ [E] Can't understand response:
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//10.10.10.10/ADMIN$ [E] Can't understand response:
tree connect failed: NT_STATUS_WRONG_PASSWORD
======================================================
| Password Policy Information for 10.10.10.10 |
======================================================
[E] Unexpected error from polenum:
[+] Attaching to 10.10.10.10 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: SMB SessionError: 0x5
[+] Trying protocol 445/SMB...
[!] Protocol failed: [Errno Connection error (10.10.10.10:445)] [Errno 111] Connection refused
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 0
================================
| Groups on 10.10.10.10 |
================================
[+] Getting builtin groups:
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Power Users] rid:[0x223]
group:[Account Operators] rid:[0x224]
group:[System Operators] rid:[0x225]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
[+] Getting builtin group memberships:
Group 'Users' (RID: 545) has member: Couldn't find group Users
Group 'Guests' (RID: 546) has member: Couldn't find group Guests
Group 'Replicator' (RID: 552) has member: Couldn't find group Replicator
Group 'Account Operators' (RID: 548) has member: Couldn't find group Account Operators
Group 'Print Operators' (RID: 550) has member: Couldn't find group Print Operators
Group 'Power Users' (RID: 547) has member: Couldn't find group Power Users
Group 'System Operators' (RID: 549) has member: Couldn't find group System Operators
Group 'Administrators' (RID: 544) has member: Couldn't find group Administrators
Group 'Backup Operators' (RID: 551) has member: Couldn't find group Backup Operators
[+] Getting local groups:
group:[sys] rid:[0x3ef]
group:[tty] rid:[0x3f3]
group:[disk] rid:[0x3f5]
group:[mem] rid:[0x3f9]
group:[kmem] rid:[0x3fb]
group:[wheel] rid:[0x3fd]
group:[man] rid:[0x407]
group:[dip] rid:[0x439]
group:[lock] rid:[0x455]
group:[users] rid:[0x4b1]
group:[slocate] rid:[0x413]
group:[floppy] rid:[0x40f]
group:[utmp] rid:[0x415]
[+] Getting local group memberships:
[+] Getting domain groups:
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
[+] Getting domain group memberships:
Group 'Domain Users' (RID: 513) has member: Couldn't find group Domain Users
Group 'Domain Admins' (RID: 512) has member: Couldn't find group Domain Admins
我一直在看其他写的这样的https://blog.roskyfrosky.com/vulnhub/2017/04/01/Kioptrix1.0-vulnhub.html并发现他们没有这样的问题。
或者https://blog.bladeism.com/kioptrix-level-1/
enum4linux 192.168.33.133
========================== | Target Information |
==========================
Target ……….. 192.168.33.133
RID Range …….. 500-550,1000-1050
Username ……… ”
Password ……… ”
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
======================================================
| Enumerating Workgroup/Domain on 192.168.33.133 |
======================================================
[+] Got domain/workgroup name: MYGROUP
==============================================
| Nbtstat Information for 192.168.33.133 |
==============================================
Looking up status of 192.168.33.133
KIOPTRIX <00> – B <ACTIVE> Workstation Service
KIOPTRIX <03> – B <ACTIVE> Messenger Service
KIOPTRIX <20> – B <ACTIVE> File Server Service
..__MSBROWSE__. <01> – <GROUP> B <ACTIVE> Master Browser
MYGROUP <00> – <GROUP> B <ACTIVE> Domain/Workgroup Name
MYGROUP <1d> – B <ACTIVE> Master Browser
MYGROUP <1e> – <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
=======================================
| Session Check on 192.168.33.133 |
=======================================
[+] Server 192.168.33.133 allows sessions using username ”, password ”
=============================================
| Getting domain SID for 192.168.33.133 |
=============================================
Domain Name: MYGROUP
Domain Sid: (NULL SID)
[+] Can’t determine if host is part of domain or part of a workgroup
========================================
| OS information on 192.168.33.133 |
========================================
[+] Got OS info for 192.168.33.133 from smbclient: Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
[+] Got OS info for 192.168.33.133 from srvinfo:
KIOPTRIX Wk Sv PrQ Unx NT SNT Samba Server
platform_id : 500
os version : 4.5
server type : 0x9a03
===============================
| Users on 192.168.33.133 |
===============================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.
Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.
===========================================
| Share Enumeration on 192.168.33.133 |
===========================================
WARNING: The “syslog” option is deprecated
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
Sharename Type Comment
——— —- ——-
IPC$ IPC IPC Service (Samba Server)
ADMIN$ IPC IPC Service (Samba Server)
Server Comment
——— ——-
KIOPTRIX Samba Server
Workgroup Master
——— ——-
MYGROUP KIOPTRIX
WORKGROUP BLADEISM
[+] Attempting to map shares on 192.168.33.133
//192.168.33.133/IPC$ [E] Can’t understand response:
WARNING: The “syslog” option is deprecated
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//192.168.33.133/ADMIN$ [E] Can’t understand response:
WARNING: The “syslog” option is deprecated
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
tree connect failed: NT_STATUS_WRONG_PASSWORD
答案1
关于什么:
nmap -p 445 --script=smb-enum-user.nse,smb-enum-shares.nse 10.10.10.10
答案2
我面临着同样的问题。看起来最新版本的 smbclient 中已经删除了一些内容,实际上 enum4linux 正在使用此模块来获取 smb 版本。我能够通过元漏洞获取 smb 版本
。
我希望这将帮助您解决挑战。
答案3
尝试使用脚本smbver.sh来自 GitHub 上的“OSCPRepo”项目,但将您的接口更改tap0为您的接口(通常tun0在 VPN 的情况下)。