Why can't smbclient and enum4linux identify the Samba version in Kioptrix level 1?

I have been working through the kioptrix-level-1 exercise https://www.vulnhub.com/entry/kioptrix-level-1-1,22/ and would like to know why smbclient cannot identify the Samba version.

smbclient version 4.11.5-Debian

wolf@linux:~$ smbclient -V
Version 4.11.5-Debian
wolf@linux:~$ 

For example:

wolf@linux:~$ smbclient -L 10.10.10.10
Server does not support EXTENDED_SECURITY  but 'client use spnego = yes' and 'client ntlmv2 auth = yes' is set
Anonymous login successful
Enter WORKGROUP\wolf's password: 

    Sharename       Type      Comment
    ---------       ----      -------
    IPC$            IPC       IPC Service (Samba Server)
    ADMIN$          IPC       IPC Service (Samba Server)
Reconnecting with SMB1 for workgroup listing.
Server does not support EXTENDED_SECURITY  but 'client use spnego = yes' and 'client ntlmv2 auth = yes' is set
Anonymous login successful

    Server               Comment
    ---------            -------
    KIOPTRIX             Samba Server

    Workgroup            Master
    ---------            -------
    MYGROUP              KIOPTRIX
wolf@linux:~$

An enum4linux attempt did not reveal the Samba version number either:

wolf@linux:/etc/samba$ enum4linux 10.10.10.10
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu May 21 00:04:57 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.10.10
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ====================================================== 
|    Enumerating Workgroup/Domain on 10.10.10.10    |
 ====================================================== 
[+] Got domain/workgroup name: MYGROUP

 ============================================== 
|    Nbtstat Information for 10.10.10.10    |
 ============================================== 
Looking up status of 10.10.10.10
    KIOPTRIX        <00> -         B <ACTIVE>  Workstation Service
    KIOPTRIX        <03> -         B <ACTIVE>  Messenger Service
    KIOPTRIX        <20> -         B <ACTIVE>  File Server Service
    ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
    MYGROUP         <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
    MYGROUP         <1d> -         B <ACTIVE>  Master Browser
    MYGROUP         <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

    MAC Address = 00-00-00-00-00-00

 ======================================= 
|    Session Check on 10.10.10.10    |
 ======================================= 
[+] Server 10.10.10.10 allows sessions using username '', password ''

 ============================================= 
|    Getting domain SID for 10.10.10.10    |
 ============================================= 
Domain Name: MYGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ======================================== 
|    OS information on 10.10.10.10    |
 ======================================== 
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.10.10 from smbclient: 
[+] Got OS info for 10.10.10.10 from srvinfo:
    KIOPTRIX       Wk Sv PrQ Unx NT SNT Samba Server
    platform_id     :   500
    os version      :   4.5
    server type     :   0x9a03

 =============================== 
|    Users on 10.10.10.10    |
 =============================== 
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

 =========================================== 
|    Share Enumeration on 10.10.10.10    |
 =========================================== 

    Sharename       Type      Comment
    ---------       ----      -------
    IPC$            IPC       IPC Service (Samba Server)
    ADMIN$          IPC       IPC Service (Samba Server)
Reconnecting with SMB1 for workgroup listing.

    Server               Comment
    ---------            -------
    KIOPTRIX             Samba Server

    Workgroup            Master
    ---------            -------
    MYGROUP              KIOPTRIX

[+] Attempting to map shares on 10.10.10.10
//10.10.10.10/IPC$  [E] Can't understand response:
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//10.10.10.10/ADMIN$    [E] Can't understand response:
tree connect failed: NT_STATUS_WRONG_PASSWORD

 ====================================================== 
|    Password Policy Information for 10.10.10.10    |
 ====================================================== 
[E] Unexpected error from polenum:


[+] Attaching to 10.10.10.10 using a NULL share

[+] Trying protocol 139/SMB...

    [!] Protocol failed: SMB SessionError: 0x5

[+] Trying protocol 445/SMB...

    [!] Protocol failed: [Errno Connection error (10.10.10.10:445)] [Errno 111] Connection refused


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 0


 ================================ 
|    Groups on 10.10.10.10    |
 ================================ 

[+] Getting builtin groups:
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Power Users] rid:[0x223]
group:[Account Operators] rid:[0x224]
group:[System Operators] rid:[0x225]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]

[+] Getting builtin group memberships:
Group 'Users' (RID: 545) has member: Couldn't find group Users
Group 'Guests' (RID: 546) has member: Couldn't find group Guests
Group 'Replicator' (RID: 552) has member: Couldn't find group Replicator
Group 'Account Operators' (RID: 548) has member: Couldn't find group Account Operators
Group 'Print Operators' (RID: 550) has member: Couldn't find group Print Operators
Group 'Power Users' (RID: 547) has member: Couldn't find group Power Users
Group 'System Operators' (RID: 549) has member: Couldn't find group System Operators
Group 'Administrators' (RID: 544) has member: Couldn't find group Administrators
Group 'Backup Operators' (RID: 551) has member: Couldn't find group Backup Operators

[+] Getting local groups:
group:[sys] rid:[0x3ef]
group:[tty] rid:[0x3f3]
group:[disk] rid:[0x3f5]
group:[mem] rid:[0x3f9]
group:[kmem] rid:[0x3fb]
group:[wheel] rid:[0x3fd]
group:[man] rid:[0x407]
group:[dip] rid:[0x439]
group:[lock] rid:[0x455]
group:[users] rid:[0x4b1]
group:[slocate] rid:[0x413]
group:[floppy] rid:[0x40f]
group:[utmp] rid:[0x415]

[+] Getting local group memberships:

[+] Getting domain groups:
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]

[+] Getting domain group memberships:
Group 'Domain Users' (RID: 513) has member: Couldn't find group Domain Users
Group 'Domain Admins' (RID: 512) has member: Couldn't find group Domain Admins

I have been looking at other write-ups such as https://blog.roskyfrosky.com/vulnhub/2017/04/01/Kioptrix1.0-vulnhub.html and found that they did not have this problem.


Or https://blog.bladeism.com/kioptrix-level-1/

enum4linux 192.168.33.133


==========================
| Target Information |
==========================
Target ……….. 192.168.33.133
RID Range …….. 500-550,1000-1050
Username ……… ”
Password ……… ”
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
======================================================
| Enumerating Workgroup/Domain on 192.168.33.133 |
======================================================
[+] Got domain/workgroup name: MYGROUP

==============================================
| Nbtstat Information for 192.168.33.133 |
==============================================
Looking up status of 192.168.33.133
KIOPTRIX <00> – B <ACTIVE> Workstation Service
KIOPTRIX <03> – B <ACTIVE> Messenger Service
KIOPTRIX <20> – B <ACTIVE> File Server Service
..__MSBROWSE__. <01> – <GROUP> B <ACTIVE> Master Browser
MYGROUP <00> – <GROUP> B <ACTIVE> Domain/Workgroup Name
MYGROUP <1d> – B <ACTIVE> Master Browser
MYGROUP <1e> – <GROUP> B <ACTIVE> Browser Service Elections

MAC Address = 00-00-00-00-00-00

=======================================
| Session Check on 192.168.33.133 |
=======================================
[+] Server 192.168.33.133 allows sessions using username ”, password ”

=============================================
| Getting domain SID for 192.168.33.133 |
=============================================
Domain Name: MYGROUP
Domain Sid: (NULL SID)
[+] Can’t determine if host is part of domain or part of a workgroup

========================================
| OS information on 192.168.33.133 |
========================================
[+] Got OS info for 192.168.33.133 from smbclient: Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
[+] Got OS info for 192.168.33.133 from srvinfo:
KIOPTRIX Wk Sv PrQ Unx NT SNT Samba Server
platform_id : 500
os version : 4.5
server type : 0x9a03

===============================
| Users on 192.168.33.133 |
===============================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

===========================================
| Share Enumeration on 192.168.33.133 |
===========================================
WARNING: The “syslog” option is deprecated
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]

Sharename Type Comment
——— —- ——-
IPC$ IPC IPC Service (Samba Server)
ADMIN$ IPC IPC Service (Samba Server)

Server Comment
——— ——-
KIOPTRIX Samba Server

Workgroup Master
——— ——-
MYGROUP KIOPTRIX
WORKGROUP BLADEISM

[+] Attempting to map shares on 192.168.33.133
//192.168.33.133/IPC$ [E] Can’t understand response:
WARNING: The “syslog” option is deprecated
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//192.168.33.133/ADMIN$ [E] Can’t understand response:
WARNING: The “syslog” option is deprecated
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
tree connect failed: NT_STATUS_WRONG_PASSWORD

Answer 1

What about:

nmap -p 445 --script=smb-enum-users.nse,smb-enum-shares.nse 10.10.10.10

Answer 2

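I faced the same problem. It looks like something has been removed in the latest version of smbclient, and enum4linux actually uses this module to get the SMB version. I was able to get the SMB version through Metasploit.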

I hope this helps you solve the challenge.

Answer 3

Try the script smbver.sh from the "OSCPRepo" project on GitHub, but change the interface tap0 to your own interface (usually tun0 in the case of a VPN).
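
Added example, not part of any answer above and not code from smbclient, enum4linux or smbver.sh: the `Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]` line in the older write-up is built from three strings the server sends in its SMB1 Session Setup AndX response, so they can be read from a captured response even when the client no longer prints them. The function names are hypothetical and the sample message is constructed from the values quoted on this page, not a real capture.

```python
import struct

FLAGS2_UNICODE = 0x8000      # strings are UTF-16LE when set, OEM bytes otherwise
HEADER_LEN = 32              # fixed SMB1 header size

def parse_session_setup(smb: bytes) -> dict:
    """Extract NativeOS / NativeLanMan / PrimaryDomain from an SMB1
    Session Setup AndX response (buffer starts at the 0xFF 'SMB' magic,
    i.e. after the 4-byte NetBIOS session header)."""
    if len(smb) < HEADER_LEN + 1 or smb[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    command, status, _flags, flags2 = struct.unpack_from("<BIBH", smb, 4)
    if command != 0x73:
        raise ValueError("not Session Setup AndX")
    if status != 0:
        raise ValueError(f"NT status 0x{status:08x}")
    word_count = smb[HEADER_LEN]
    if word_count != 3:      # 4 words = extended security (blob precedes strings)
        raise ValueError("unsupported response layout")
    bc_off = HEADER_LEN + 1 + 2 * word_count
    if len(smb) < bc_off + 2:
        raise ValueError("truncated message")
    (byte_count,) = struct.unpack_from("<H", smb, bc_off)
    start = bc_off + 2
    data = smb[start:start + byte_count]
    if len(data) < byte_count:
        raise ValueError("truncated message")
    if flags2 & FLAGS2_UNICODE:
        data = data[start % 2:]          # pad byte aligns strings to 2 bytes
        text = data.decode("utf-16-le", errors="replace")
    else:
        text = data.decode("latin-1")
    fields = (text.split("\x00") + ["", "", ""])[:3]
    return dict(zip(("native_os", "native_lanman", "primary_domain"), fields))

def banner(info: dict) -> str:
    """Format the fields the way the older smbclient output quoted above does."""
    return "Domain=[{primary_domain}] OS=[{native_os}] Server=[{native_lanman}]".format(**info)

def build_sample(unicode: bool = False) -> bytes:
    """Constructed response (not a real capture) carrying the page's values."""
    strings = "Unix\x00Samba 2.2.1a\x00MYGROUP\x00"
    data = b"\x00" + strings.encode("utf-16-le") if unicode else strings.encode("latin-1")
    flags2 = 0x0001 | (FLAGS2_UNICODE if unicode else 0)
    header = (b"\xffSMB" + struct.pack("<BIBH", 0x73, 0, 0x88, flags2)
              + bytes(12) + struct.pack("<HHHH", 0, 0, 100, 1))
    params = struct.pack("<BBBHH", 3, 0xFF, 0, 0, 0)  # WordCount, AndX fields, Action
    return header + params + struct.pack("<H", len(data)) + data

if __name__ == "__main__":
    print(banner(parse_session_setup(build_sample())))
```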
