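我们都知道,一般开共享的主机,默认都打开139和445端口, 也就是开启SMB服务,但是这两个端口经常被不法分子利用,比较经典的针对这两个端口的入侵就是IPC$管道,结合TFTP,利用任务计划完全控制远程主机,2004年那会,参加中日黑客大战的时候,日本的机器基本上全都是2000/NT的系统,远程扫描挂密码表,获取NT口令以后,远程开3389或者上灰鸽子,攻陷了好多日本的主机,当然这种方法很低级,高级的可以用Sqlhello ,远程堆栈缓冲区溢出,然后NC反向监听1433端口,就可以获得system32-shell ,今天演示139和445端口下,刺探远程主机基本信息,高手略过,修补方法就是打上微软 445 SSP 补丁。 C# 代码演示

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Net;
using System.Net.Sockets;

namespace SmbSniffer
{
    /// <summary>
    /// Console tool that talks SMB1 to a host on TCP 139/445: it sends a Negotiate request,
    /// then an anonymous Session Setup carrying an NTLMSSP NEGOTIATE message, and prints what
    /// the server volunteers in its reply before any credential is presented — the Native OS /
    /// Native LAN Manager strings and the NTLM CHALLENGE message (target name, OS version,
    /// NetBIOS and DNS names, timestamp). Everything printed is disclosed to an unauthenticated
    /// client, which is why these ports should not be reachable from untrusted networks.
    /// Compared with the original listing, every offset taken from the packet is range-checked
    /// against the number of bytes actually received, the socket is disposed, and a whole
    /// NetBIOS session message is read before parsing instead of trusting one Receive() call.
    /// </summary>
    class Program
    {
        // Session Setup AndX response layout as seen from the start of the receive buffer:
        // 4-byte NetBIOS session header, 32-byte SMB header, WordCount and the AndX words,
        // SecurityBlobLength at 43 (the offset the original code reads), ByteCount at 45,
        // then the security blob at 47.
        private const int SmbHeaderOffset = 4;
        private const int SecurityBlobLengthOffset = 43;
        private const int SecurityBlobOffset = 47;

        // NTLM CHALLENGE_MESSAGE (NTLMSSP type 2) field offsets relative to the "NTLMSSP"
        // signature (MS-NLMP 2.2.1.2). With the Version field present the fixed header is
        // 0x38 bytes and the payload (target name, target info) follows it.
        private const int TargetNameLenOffset = 0x0C;
        private const int TargetNameBufferOffset = 0x10;
        private const int TargetInfoLenOffset = 0x28;
        private const int TargetInfoBufferOffset = 0x2C;
        private const int VersionOffset = 0x30;
        private const int PayloadStart = 0x38;

        // Seven-byte signature the original code scanned for inside the security blob.
        private static readonly byte[] NtlmSignature = Encoding.ASCII.GetBytes("NTLMSSP");

        // SMB_COM_NEGOTIATE (command byte 0x72) request, sent verbatim. The 4-byte NetBIOS
        // session header (00 00 00 85) precedes the SMB header; the payload lists the dialects
        // "PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a", "LM1.2X002",
        // "LANMAN2.1" and "NT LM 0.12".
        private static readonly byte[] d1 =
        {
            0x00, 0x00, 0x00, 0x85, 0xFF, 0x53, 0x4D, 0x42, 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x53, 0xC8,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x62, 0x00, 0x02, 0x50, 0x43, 0x20, 0x4E, 0x45, 0x54, 0x57, 0x4F,
            0x52, 0x4B, 0x20, 0x50, 0x52, 0x4F, 0x47, 0x52, 0x41, 0x4D, 0x20, 0x31, 0x2E, 0x30, 0x00, 0x02,
            0x4C, 0x41, 0x4E, 0x4D, 0x41, 0x4E, 0x31, 0x2E, 0x30, 0x00, 0x02, 0x57, 0x69, 0x6E, 0x64, 0x6F,
            0x77, 0x73, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x57, 0x6F, 0x72, 0x6B, 0x67, 0x72, 0x6F, 0x75, 0x70,
            0x73, 0x20, 0x33, 0x2E, 0x31, 0x61, 0x00, 0x02, 0x4C, 0x4D, 0x31, 0x2E, 0x32, 0x58, 0x30, 0x30,
            0x32, 0x00, 0x02, 0x4C, 0x41, 0x4E, 0x4D, 0x41, 0x4E, 0x32, 0x2E, 0x31, 0x00, 0x02, 0x4E, 0x54,
            0x20, 0x4C, 0x4D, 0x20, 0x30, 0x2E, 0x31, 0x32, 0x00
        };

        // SMB_COM_SESSION_SETUP_ANDX (command byte 0x73) request, sent verbatim. Its security
        // blob (74 bytes) is SPNEGO wrapping an NTLMSSP NEGOTIATE (type 1) message with empty
        // domain/workstation fields — no credential is involved. After the blob comes one
        // alignment pad byte and the UTF-16LE strings "Windows Server 2003 3790 Service Pack 2"
        // and "Windows Server 2003 5.2" that identify the client to the server.
        private static readonly byte[] d2 =
        {
            0x00, 0x00, 0x01, 0x0A, 0xFF, 0x53, 0x4D, 0x42, 0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0xC8,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE,
            0x00, 0x00, 0x40, 0x00, 0x0C, 0xFF, 0x00, 0x0A, 0x01, 0x04, 0x41, 0x32, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x4A, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD4, 0x00, 0x00, 0xA0, 0xCF, 0x00, 0x60,
            0x48, 0x06, 0x06, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x02, 0xA0, 0x3E, 0x30, 0x3C, 0xA0, 0x0E, 0x30,
            0x0C, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x0A, 0xA2, 0x2A, 0x04,
            0x28, 0x4E, 0x54, 0x4C, 0x4D, 0x53, 0x53, 0x50, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x82, 0x08,
            0xA2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x05, 0x02, 0xCE, 0x0E, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6E, 0x00,
            0x64, 0x00, 0x6F, 0x00, 0x77, 0x00, 0x73, 0x00, 0x20, 0x00, 0x53, 0x00, 0x65, 0x00, 0x72, 0x00,
            0x76, 0x00, 0x65, 0x00, 0x72, 0x00, 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x33, 0x00,
            0x20, 0x00, 0x33, 0x00, 0x37, 0x00, 0x39, 0x00, 0x30, 0x00, 0x20, 0x00, 0x53, 0x00, 0x65, 0x00,
            0x72, 0x00, 0x76, 0x00, 0x69, 0x00, 0x63, 0x00, 0x65, 0x00, 0x20, 0x00, 0x50, 0x00, 0x61, 0x00,
            0x63, 0x00, 0x6B, 0x00, 0x20, 0x00, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x00, 0x69, 0x00,
            0x6E, 0x00, 0x64, 0x00, 0x6F, 0x00, 0x77, 0x00, 0x73, 0x00, 0x20, 0x00, 0x53, 0x00, 0x65, 0x00,
            0x72, 0x00, 0x76, 0x00, 0x65, 0x00, 0x72, 0x00, 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00,
            0x33, 0x00, 0x20, 0x00, 0x35, 0x00, 0x2E, 0x00, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00
        };

        /// <summary>
        /// Entry point: prompts for host and port, runs the two-message SMB exchange and prints
        /// the decoded response. Any socket or parsing failure is reported as "err: ..." rather
        /// than crashing; a bad host/port entry is rejected before a socket is opened.
        /// </summary>
        static void Main(string[] args)
        {
            Console.WriteLine("SMB Version Detection tool 0.1");
            Console.WriteLine("Part of GMH's fuck Tools, Code By zcgonvh.\r\n");
            Console.WriteLine("Ip:");
            string host = Console.ReadLine();
            Console.WriteLine("Port:");
            int port;
            // The original converted the port with Convert.ToInt32 outside the try block, so a
            // typo ended in an unhandled FormatException; validate both inputs up front instead.
            if (string.IsNullOrEmpty(host) || !int.TryParse(Console.ReadLine(), out port) || port < 1 || port > 65535)
            {
                Console.WriteLine("err: host must not be empty and port must be between 1 and 65535");
                return;
            }
            try
            {
                byte[] buf = new byte[1024];
                // Dispose the socket on every path; the original never closed it.
                using (Socket sock = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp))
                {
                    sock.Connect(host, port);
                    sock.Send(d1);
                    // The Negotiate response is not inspected (the original did not either); it
                    // only has to be consumed so the session setup that follows is in sequence.
                    ReceiveSmb(sock, buf);
                    sock.Send(d2);
                    int count = ReceiveSmb(sock, buf);
                    PrintSessionSetupResponse(buf, count);
                }
                Console.ReadKey();
            }
            catch (Exception ex)
            {
                Console.WriteLine("err: " + ex);
            }
        }

        /// <summary>
        /// Reads one complete NetBIOS session message into <paramref name="buf"/> and returns
        /// the number of bytes received. Bytes 1–3 of the 4-byte session header carry the
        /// big-endian length of the SMB message that follows (see the 00 00 00 85 and
        /// 00 00 01 0A prefixes of <see cref="d1"/> and <see cref="d2"/>); the original relied
        /// on a single Receive() returning the whole reply, which TCP does not guarantee.
        /// </summary>
        /// <exception cref="InvalidOperationException">
        /// The peer closed the connection early or the announced message does not fit the buffer.
        /// </exception>
        private static int ReceiveSmb(Socket sock, byte[] buf)
        {
            int total = 0;
            while (total < 4)
            {
                int n = sock.Receive(buf, total, buf.Length - total, SocketFlags.None);
                if (n <= 0)
                {
                    throw new InvalidOperationException("connection closed by peer before a session header arrived");
                }
                total += n;
            }
            // NOTE(review): byte 0 is the session message type; only type 0x00 (session
            // message) is expected here and it is not validated — confirm on a capture.
            int expected = 4 + ((buf[1] << 16) | (buf[2] << 8) | buf[3]);
            if (expected > buf.Length)
            {
                throw new InvalidOperationException("response of " + expected + " bytes exceeds the " + buf.Length + "-byte buffer");
            }
            while (total < expected)
            {
                int n = sock.Receive(buf, total, expected - total, SocketFlags.None);
                if (n <= 0)
                {
                    throw new InvalidOperationException("connection closed by peer after " + total + " of " + expected + " bytes");
                }
                total += n;
            }
            return total;
        }

        /// <summary>
        /// Decodes a Session Setup AndX response held in the first <paramref name="count"/>
        /// bytes of <paramref name="buf"/> and prints the host details it discloses. Every
        /// offset taken from the packet is range-checked against <paramref name="count"/>, so
        /// a short or malformed reply ends in a descriptive exception instead of an
        /// IndexOutOfRangeException from inside BitConverter.
        /// </summary>
        private static void PrintSessionSetupResponse(byte[] buf, int count)
        {
            int blobLen = ReadU16(buf, count, SecurityBlobLengthOffset);
            CheckRange(count, SecurityBlobOffset, blobLen);

            // NativeOS and NativeLanMan follow the blob as NUL-terminated UTF-16LE strings.
            // MS-CIFS aligns them on a 16-bit boundary relative to the SMB header (d2 carries
            // exactly such a pad byte after its blob). The original decoded straight after the
            // blob and evidently worked on the author's target, so the pad is skipped only when
            // the alignment calls for one and the byte really is zero.
            int stringsStart = SecurityBlobOffset + blobLen;
            if (((stringsStart - SmbHeaderOffset) & 1) != 0 && stringsStart < count && buf[stringsStart] == 0)
            {
                stringsStart++;
            }
            string[] ss = Encoding.Unicode.GetString(buf, stringsStart, count - stringsStart).Split('\0');
            Console.WriteLine("native os: " + ss[0]);
            Console.WriteLine("native lan manager: " + (ss.Length > 1 ? ss[1] : ""));

            // The blob is SPNEGO (DER) wrapping the NTLM message. Rather than parse ASN.1 the
            // tool locates the NTLMSSP signature inside the blob, as the original did, but the
            // search is now bounded by the blob itself (the original loop bound dropped the
            // 47-byte base) and a miss is reported instead of parsing from offset 0.
            int ntlmStart = IndexOf(buf, NtlmSignature, SecurityBlobOffset, blobLen);
            if (ntlmStart < 0)
            {
                Console.WriteLine("no NTLMSSP message found in the security blob");
                return;
            }
            int ntlmLen = SecurityBlobOffset + blobLen - ntlmStart;
            byte[] ntlm = new byte[ntlmLen];
            Array.Copy(buf, ntlmStart, ntlm, 0, ntlmLen);
            PrintNtlmChallenge(ntlm, ntlmLen);
        }

        /// <summary>
        /// Prints the fields of an NTLM CHALLENGE_MESSAGE: target name, the Version field
        /// (OS major/minor, build number, NTLM revision) and every AV_PAIR of the TargetInfo
        /// block. <paramref name="ntlm"/> starts at the "NTLMSSP" signature and
        /// <paramref name="count"/> bounds every read.
        /// </summary>
        private static void PrintNtlmChallenge(byte[] ntlm, int count)
        {
            int nameLen = ReadU16(ntlm, count, TargetNameLenOffset);
            int nameOff = ReadU16(ntlm, count, TargetNameBufferOffset);
            Console.WriteLine("negotiate target: " + ReadUtf16(ntlm, count, nameOff, nameLen));

            // The original read the version bytes at nameOff-8..nameOff-1, i.e. it assumed the
            // target name sits right after the 0x38-byte header. Reading the Version field at
            // its fixed offset yields the same bytes in that case and stays correct for other
            // payload layouts. A payload starting before 0x38 means the message has no
            // Version/TargetInfo fields, so nothing more can be decoded from it.
            if (nameOff < PayloadStart)
            {
                Console.WriteLine("challenge has no version / target info fields (payload starts at " + nameOff + ")");
                return;
            }
            Console.WriteLine("os major version: " + ntlm[VersionOffset]);
            Console.WriteLine("os minor version: " + ntlm[VersionOffset + 1]);
            Console.WriteLine("os build number: " + ReadU16(ntlm, count, VersionOffset + 2));
            Console.WriteLine("ntlm current revision: " + ntlm[VersionOffset + 7]);

            // TargetInfo is located through its own length/offset pair instead of assuming it
            // is contiguous with the target name (the original did `off += len`).
            int infoLen = ReadU16(ntlm, count, TargetInfoLenOffset);
            int off = ReadU16(ntlm, count, TargetInfoBufferOffset);
            CheckRange(count, off, infoLen);
            int end = off + infoLen;

            // AV_PAIR: AvId (2 bytes), AvLen (2 bytes), Value (AvLen bytes); the list ends with
            // MsvAvEOL (id 0). Ids 1–5 and 7 are the names the original printed.
            while (off + 4 <= end)
            {
                int type = ReadU16(ntlm, count, off);
                int len = ReadU16(ntlm, count, off + 2);
                off += 4;
                if (type == 0)
                {
                    break;
                }
                CheckRange(count, off, len);
                switch (type)
                {
                    case 1:
                    {
                        Console.WriteLine("NetBIOS computer name: " + Encoding.Unicode.GetString(ntlm, off, len));
                        break;
                    }
                    case 2:
                    {
                        Console.WriteLine("NetBIOS domain name: " + Encoding.Unicode.GetString(ntlm, off, len));
                        break;
                    }
                    case 3:
                    {
                        Console.WriteLine("DNS computer name: " + Encoding.Unicode.GetString(ntlm, off, len));
                        break;
                    }
                    case 4:
                    {
                        Console.WriteLine("DNS domain name: " + Encoding.Unicode.GetString(ntlm, off, len));
                        break;
                    }
                    case 5:
                    {
                        Console.WriteLine("DNS tree name: " + Encoding.Unicode.GetString(ntlm, off, len));
                        break;
                    }
                    case 7:
                    {
                        if (len < 8)
                        {
                            // Too short for a FILETIME; fall through to the raw hex dump.
                            goto default;
                        }
                        Console.WriteLine("time stamp: {0:o}", DateTime.FromFileTime(BitConverter.ToInt64(ntlm, off)));
                        break;
                    }
                    default:
                    {
                        Console.Write("Unknown type {0}, data: ", type);
                        for (int i = 0; i < len; i++)
                        {
                            Console.Write(ntlm[off + i].ToString("X2"));
                        }
                        Console.WriteLine();
                        break;
                    }
                }
                off += len;
            }
        }

        /// <summary>
        /// Returns the index of the first occurrence of <paramref name="pattern"/> inside
        /// <paramref name="data"/>[<paramref name="start"/> .. <paramref name="start"/>+<paramref name="length"/>),
        /// or -1. The window is additionally clipped to the array so a lying length cannot
        /// overrun it.
        /// </summary>
        private static int IndexOf(byte[] data, byte[] pattern, int start, int length)
        {
            int last = Math.Min(start + length, data.Length) - pattern.Length;
            for (int i = start; i <= last; i++)
            {
                int j = 0;
                while (j < pattern.Length && data[i + j] == pattern[j])
                {
                    j++;
                }
                if (j == pattern.Length)
                {
                    return i;
                }
            }
            return -1;
        }

        /// <summary>Reads a little-endian unsigned 16-bit value after checking it lies within the first <paramref name="count"/> bytes.</summary>
        private static int ReadU16(byte[] data, int count, int offset)
        {
            CheckRange(count, offset, 2);
            return BitConverter.ToUInt16(data, offset);
        }

        /// <summary>Decodes <paramref name="length"/> bytes of UTF-16LE at <paramref name="offset"/> after range-checking them.</summary>
        private static string ReadUtf16(byte[] data, int count, int offset, int length)
        {
            CheckRange(count, offset, length);
            return Encoding.Unicode.GetString(data, offset, length);
        }

        /// <summary>
        /// Throws when [<paramref name="offset"/>, <paramref name="offset"/>+<paramref name="length"/>)
        /// is not contained in the first <paramref name="count"/> bytes. Callers always pass a
        /// count that is at most the backing array's length, so a passing check also guarantees
        /// the array access is safe. Written as <c>offset &gt; count - length</c> to avoid overflow.
        /// </summary>
        /// <exception cref="InvalidOperationException">The range lies outside the received data.</exception>
        private static void CheckRange(int count, int offset, int length)
        {
            if (offset < 0 || length < 0 || offset > count - length)
            {
                throw new InvalidOperationException(
                    "malformed response: " + length + " byte(s) at offset " + offset + " exceed the " + count + " byte(s) received");
            }
        }
    }
}

运行输入目标主机IP和端口,端口这里输入445, 139端口的数据包有问题。 可以看出远程主机操作系统是,server 2008r2 操作系统内部版本号也显示了。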