枚举远程主机用户的 NASL 脚本
2005-4-29 7:58:44  作者:模板天下收集整理  来源:未知 网友评论 0 条 论坛
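  if(description)
{
 # Plugin registration block: Nessus evaluates the script once with
 # 'description' set to collect metadata, then exits before the check runs.
 script_id(10000);
 script_version ("$Revision: 1.23 $");
 name["english"] = "SMB username enumeration";
 name["francais"] = "Enumeration username";

 script_name(english:name["english"],
             francais:name["francais"]);

 desc["english"] = "
This script connects to the remote host
using a null session, and enumerates the
username

Risk factor : Medium";

 # script_description() is passed both languages, so both texts must exist;
 # the French entry was previously read without ever being assigned.
 desc["francais"] = "
Ce script se connecte a l'hote distant
avec une session nulle et enumere
les utilisateurs

Facteur de risque : Moyen";

  script_description(english:desc["english"],
                   francais:desc["francais"]);

 # The summary describes what this plugin actually does (user enumeration);
 # the old text was left over from a share-enumeration script.
 summary["english"] = "Enumerates the remote users through a null session";
 summary["francais"] = "Enumeration des utilisateurs distants via une session nulle";
 script_summary(english:summary["english"],
                francais:summary["francais"]);

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2000 Renaud Deraison");
 family["english"] = "Windows";
 script_family(english:family["english"]);

 # The dependencies populate the SMB/* knowledge-base keys read below;
 # requiring them keeps the check from running against hosts with no SMB.
 script_dependencies("netbios_name_get.nasl", "smb_login.nasl");
 script_require_keys("SMB/transport", "SMB/name", "SMB/login", "SMB/password");
 script_require_ports(139, 445);
 exit(0);
}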

include("smb_nt.inc");

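# Samba targets are skipped: this check is about the Windows SAM, and the
# key is filled in by the dependency scripts.
if ( get_kb_item("SMB/samba") ) exit(0);

# NetBIOS name of the target, falling back to the generic wildcard name.
name = kb_smb_name();
if(!name)
name = "*SMBSERVER";

# SMB transport port, defaulting to the NetBIOS session service.
_smb_port = kb_smb_transport();
if(!_smb_port)
_smb_port = 139;

if(!get_port_state(_smb_port))return(FALSE);

# Credentials from the knowledge base. An empty login and password give a
# null session, which is the anonymous access this check relies on; hosts
# that restrict anonymous SMB access are expected to refuse the steps below.
login = kb_smb_login();
pass  = kb_smb_password();
domain = kb_smb_domain();

if(!login)login = "";
if(!pass) pass = "";

soc = open_sock_tcp(_smb_port);
if(!soc)return(FALSE);

#
# Request the session
#
r = smb_session_request(soc:soc,  remote:name);
if(!r) { close(soc); return(FALSE); }

#
# Negotiate the protocol
#
prot = smb_neg_prot(soc:soc);
if(!prot){ close(soc); return(FALSE); }

#
# Set up our session
#
r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain, prot:prot);
if(!r){ close(soc); return(FALSE); }
# and extract our uid
UID = session_extract_uid(reply:r);

# Low/high bytes are inlined into the hand-built request later on.
UID_hi = UID/256;
UID_low = UID%256;

#
# Connect to the remote IPC$ share and extract the TID we are attributed.
# The tree-connect reply used to go unchecked (the guard was commented out
# and tested a misspelt variable), so a refused IPC$ connection silently
# continued with a bogus TID; fail closed like the earlier steps instead.
#
r = smb_tconx(soc:soc, name:name, uid:UID, share:"IPC$");
if(!r){ close(soc); return(FALSE); }
# and extract our tree id
TID = tconx_extract_tid(reply:r);
if(!TID){ close(soc); return(FALSE); }

TID_hi = TID/256;
TID_low = TID%256;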

# Open the SAMR named pipe over the IPC$ tree (NT Create AndX request).
# NOTE(review): FID, samrhdl, dom, sid and hdl below are never checked
# before use, so if any helper fails the hand-built request is still sent
# with zeroed fields -- confirm what the smb_nt.inc helpers return on
# failure before adding guards.
  FID = OpenPipeToSamr(soc:soc, uid:UID, tid:TID);
   

   # Low/high bytes of the file id, patched into the request below.
   FID_hi = FID/256;
   FID_low = FID%256;
   
   # Drains whatever reply is still pending on the socket before the SAMR
   # exchange starts -- presumably left over from OpenPipeToSamr; verify.
   recv(socket:soc, length:1024);

# Bind to SAMR. The server name here is the fixed "*SMBSERVER", not the
# 'name' negotiated for the session request earlier.
samrhdl = SamrConnect2(soc:soc, tid:TID, uid:UID, pipe:FID, name:"*SMBSERVER");

# SAMR EnumDomains: first domain -> its SID -> an open domain handle (hdl),
# which the display-information query below operates on.
   dom = _SamrEnumDomains(soc:soc, uid:UID, tid:TID, pipe:FID, samrhdl:samrhdl);
   
   sid = SamrDom2Sid(soc:soc, tid:TID, uid:UID, pipe:FID, samrhdl:samrhdl, dom:dom);

   hdl = SamrOpenDomain(soc:soc, tid:TID, uid:UID, pipe:FID, samrhdl:samrhdl, sid:sid);
   
   # SamrQueryDisplayInformation, built by hand: a NetBIOS session header
   # (length byte 0x90), an SMB_COM_TRANSACTION (0x25) on the \PIPE\ name,
   # then a DCERPC request (0x05 0x00 0x00 0x03) with opnum 0x28 and the
   # domain handle 'hdl' appended. TID, UID and FID are inlined little-endian
   # at fixed offsets. The length fields are constants, so the packet is only
   # well-formed if 'hdl' has the size the author assumed -- not checked here.
   # The trailing words after hdl look like display class 1, start index 0,
   # 1000 entries and a 0x1000-byte buffer; confirm against the SAMR spec.
  reqDisplay= raw_string(0x00, 0x00, 0x00, 0x90, 0xff, 0x53, 0x4d, 0x42,
0x25, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0xc8,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, TID_low, TID_hi, 0xd4, 0x05,
UID_low, UID_hi, 0xa0, 0x00, 0x10, 0x00, 0x00, 0x3c,
0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x54, 0x00, 0x3c, 0x00, 0x54, 0x00, 0x02,
0x00, 0x26, 0x00, FID_low, FID_hi, 0x4d, 0x00, 0x32,
0x5c, 0x00, 0x50, 0x00, 0x49, 0x00, 0x50, 0x00,
0x45, 0x00, 0x5c, 0x00, 0x00, 0x00, 0x00, 0x00,
0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
0x3c, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00) + hdl+ raw_string(0x01, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xe8, 0x03, 0x00, 0x00,
0x00, 0x10, 0x00, 0x00);

# Send the request and dump the raw reply.
# NOTE(review): the reply is only display()ed, never parsed into a plugin
# finding, and 'soc' is never closed -- the script ends without close(soc).
# The 4028 read length may be a typo for 4096, the buffer size requested above.
send(socket:soc, data:reqDisplay);
r = recv(socket:soc, length:4028);
display(r);