2022-11-19 17:04:13 +08:00
|
|
|
|
package Plugins
|
|
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
|
"fmt"
|
2024-12-18 22:00:18 +08:00
|
|
|
|
"github.com/shadow1ng/fscan/Common"
|
2022-11-19 17:04:13 +08:00
|
|
|
|
"net"
|
|
|
|
|
|
"os"
|
|
|
|
|
|
"strings"
|
|
|
|
|
|
"time"
|
|
|
|
|
|
|
|
|
|
|
|
"github.com/hirochachacha/go-smb2"
|
|
|
|
|
|
)
|
|
|
|
|
|
|
2024-12-18 15:19:47 +08:00
|
|
|
|
// SmbScan2 执行SMB2服务的认证扫描,支持密码和哈希两种认证方式
|
2024-12-19 16:15:53 +08:00
|
|
|
|
func SmbScan2(info *Common.HostInfo) (tmperr error) {
|
2024-12-20 03:46:09 +08:00
|
|
|
|
if Common.DisableBrute {
|
2022-11-19 17:04:13 +08:00
|
|
|
|
return nil
|
|
|
|
|
|
}
|
2024-12-18 15:19:47 +08:00
|
|
|
|
|
|
|
|
|
|
// 使用哈希认证模式
|
2024-12-18 22:00:18 +08:00
|
|
|
|
if len(Common.HashBytes) > 0 {
|
2024-12-31 20:25:54 +08:00
|
|
|
|
return smbHashScan(info)
|
2024-12-18 15:19:47 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 使用密码认证模式
|
2024-12-31 20:25:54 +08:00
|
|
|
|
return smbPasswordScan(info)
|
2024-12-18 15:19:47 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2025-01-01 05:24:49 +08:00
|
|
|
|
func smbPasswordScan(info *Common.HostInfo) error {
|
|
|
|
|
|
if Common.DisableBrute {
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
2024-12-31 20:25:54 +08:00
|
|
|
|
|
2025-01-01 05:24:49 +08:00
|
|
|
|
hasprint := false
|
2024-12-31 20:25:54 +08:00
|
|
|
|
|
2025-01-01 07:18:36 +08:00
|
|
|
|
// 遍历每个用户
|
2024-12-18 22:00:18 +08:00
|
|
|
|
for _, user := range Common.Userdict["smb"] {
|
2025-01-04 17:00:03 +08:00
|
|
|
|
accountLocked := false // 添加账户锁定标志
|
|
|
|
|
|
|
2025-01-01 07:18:36 +08:00
|
|
|
|
// 遍历该用户的所有密码
|
2025-01-01 05:24:49 +08:00
|
|
|
|
for _, pass := range Common.Passwords {
|
2025-01-04 17:00:03 +08:00
|
|
|
|
if accountLocked { // 如果账户被锁定,跳过剩余密码
|
|
|
|
|
|
break
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-01-01 05:24:49 +08:00
|
|
|
|
pass = strings.ReplaceAll(pass, "{user}", user)
|
2024-12-31 20:25:54 +08:00
|
|
|
|
|
2025-01-01 07:18:36 +08:00
|
|
|
|
// 重试循环
|
|
|
|
|
|
for retryCount := 0; retryCount < Common.MaxRetries; retryCount++ {
|
|
|
|
|
|
success, err, printed := Smb2Con(info, user, pass, []byte{}, hasprint)
|
|
|
|
|
|
|
|
|
|
|
|
if printed {
|
|
|
|
|
|
hasprint = true
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if success {
|
|
|
|
|
|
logSuccessfulAuth(info, user, pass, []byte{})
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
logFailedAuth(info, user, pass, []byte{}, err)
|
|
|
|
|
|
|
|
|
|
|
|
// 检查是否账户锁定
|
2025-01-04 17:00:03 +08:00
|
|
|
|
if strings.Contains(err.Error(), "account has been automatically locked") ||
|
|
|
|
|
|
strings.Contains(err.Error(), "account has been locked") {
|
|
|
|
|
|
accountLocked = true // 设置锁定标志
|
2025-01-01 05:24:49 +08:00
|
|
|
|
break
|
|
|
|
|
|
}
|
2024-12-31 20:25:54 +08:00
|
|
|
|
|
2025-01-01 07:18:36 +08:00
|
|
|
|
// 其他登录失败情况
|
|
|
|
|
|
if strings.Contains(err.Error(), "LOGIN_FAILED") ||
|
|
|
|
|
|
strings.Contains(err.Error(), "Authentication failed") ||
|
|
|
|
|
|
strings.Contains(err.Error(), "attempted logon is invalid") ||
|
|
|
|
|
|
strings.Contains(err.Error(), "bad username or authentication") {
|
|
|
|
|
|
break
|
|
|
|
|
|
}
|
2024-12-18 15:19:47 +08:00
|
|
|
|
|
2025-01-01 07:18:36 +08:00
|
|
|
|
if retryCount < Common.MaxRetries-1 {
|
|
|
|
|
|
time.Sleep(time.Second * time.Duration(retryCount+2))
|
|
|
|
|
|
continue
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
break
|
|
|
|
|
|
}
|
2024-08-29 09:50:32 +08:00
|
|
|
|
}
|
2024-12-18 15:19:47 +08:00
|
|
|
|
}
|
2024-12-31 20:25:54 +08:00
|
|
|
|
|
2024-12-18 15:19:47 +08:00
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-01-01 05:24:49 +08:00
|
|
|
|
func smbHashScan(info *Common.HostInfo) error {
|
|
|
|
|
|
if Common.DisableBrute {
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-12-31 20:25:54 +08:00
|
|
|
|
hasprint := false
|
|
|
|
|
|
|
2025-01-01 07:18:36 +08:00
|
|
|
|
// 遍历每个用户
|
2024-12-18 22:00:18 +08:00
|
|
|
|
for _, user := range Common.Userdict["smb"] {
|
2025-01-01 07:18:36 +08:00
|
|
|
|
// 遍历该用户的所有hash
|
2025-01-01 05:24:49 +08:00
|
|
|
|
for _, hash := range Common.HashBytes {
|
2025-01-01 07:18:36 +08:00
|
|
|
|
// 重试循环
|
|
|
|
|
|
for retryCount := 0; retryCount < Common.MaxRetries; retryCount++ {
|
|
|
|
|
|
success, err, printed := Smb2Con(info, user, "", hash, hasprint)
|
|
|
|
|
|
|
|
|
|
|
|
if printed {
|
|
|
|
|
|
hasprint = true
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if success {
|
|
|
|
|
|
logSuccessfulAuth(info, user, "", hash)
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
2024-12-31 20:25:54 +08:00
|
|
|
|
|
2025-01-01 07:18:36 +08:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
logFailedAuth(info, user, "", hash, err)
|
|
|
|
|
|
|
|
|
|
|
|
// 检查是否账户锁定
|
|
|
|
|
|
if strings.Contains(err.Error(), "user account has been automatically locked") {
|
|
|
|
|
|
// 账户锁定,跳过该用户的剩余hash
|
2025-01-01 05:24:49 +08:00
|
|
|
|
break
|
|
|
|
|
|
}
|
2024-12-31 20:25:54 +08:00
|
|
|
|
|
2025-01-01 07:18:36 +08:00
|
|
|
|
// 其他登录失败情况
|
|
|
|
|
|
if strings.Contains(err.Error(), "LOGIN_FAILED") ||
|
|
|
|
|
|
strings.Contains(err.Error(), "Authentication failed") ||
|
|
|
|
|
|
strings.Contains(err.Error(), "attempted logon is invalid") ||
|
|
|
|
|
|
strings.Contains(err.Error(), "bad username or authentication") {
|
|
|
|
|
|
break
|
|
|
|
|
|
}
|
2024-12-31 20:25:54 +08:00
|
|
|
|
|
2025-01-01 07:18:36 +08:00
|
|
|
|
if retryCount < Common.MaxRetries-1 {
|
|
|
|
|
|
time.Sleep(time.Second * time.Duration(retryCount+1))
|
|
|
|
|
|
continue
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
break
|
|
|
|
|
|
}
|
2022-11-19 17:04:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
}
|
2024-12-31 20:25:54 +08:00
|
|
|
|
|
2024-12-18 15:19:47 +08:00
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// logSuccessfulAuth 记录成功的认证
|
2024-12-19 16:15:53 +08:00
|
|
|
|
func logSuccessfulAuth(info *Common.HostInfo, user, pass string, hash []byte) {
|
2025-01-14 23:38:58 +08:00
|
|
|
|
credential := pass
|
|
|
|
|
|
if len(hash) > 0 {
|
|
|
|
|
|
credential = Common.HashValue
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 保存认证成功结果
|
|
|
|
|
|
result := &Common.ScanResult{
|
|
|
|
|
|
Time: time.Now(),
|
|
|
|
|
|
Type: Common.VULN,
|
|
|
|
|
|
Target: info.Host,
|
|
|
|
|
|
Status: "success",
|
|
|
|
|
|
Details: map[string]interface{}{
|
|
|
|
|
|
"port": info.Ports,
|
|
|
|
|
|
"service": "smb2",
|
|
|
|
|
|
"username": user,
|
|
|
|
|
|
"domain": Common.Domain,
|
|
|
|
|
|
"type": "weak-auth",
|
|
|
|
|
|
"credential": credential,
|
|
|
|
|
|
"auth_type": map[bool]string{true: "hash", false: "password"}[len(hash) > 0],
|
|
|
|
|
|
},
|
|
|
|
|
|
}
|
|
|
|
|
|
Common.SaveResult(result)
|
|
|
|
|
|
|
|
|
|
|
|
// 控制台输出
|
|
|
|
|
|
var msg string
|
2024-12-18 22:00:18 +08:00
|
|
|
|
if Common.Domain != "" {
|
2025-01-14 23:38:58 +08:00
|
|
|
|
msg = fmt.Sprintf("SMB2认证成功 %s:%s %s\\%s", info.Host, info.Ports, Common.Domain, user)
|
2024-12-18 15:19:47 +08:00
|
|
|
|
} else {
|
2025-01-14 23:38:58 +08:00
|
|
|
|
msg = fmt.Sprintf("SMB2认证成功 %s:%s %s", info.Host, info.Ports, user)
|
2024-12-18 15:19:47 +08:00
|
|
|
|
}
|
2024-08-29 09:50:32 +08:00
|
|
|
|
|
2024-12-18 15:19:47 +08:00
|
|
|
|
if len(hash) > 0 {
|
2025-01-14 23:38:58 +08:00
|
|
|
|
msg += fmt.Sprintf(" Hash:%s", Common.HashValue)
|
2024-12-18 15:19:47 +08:00
|
|
|
|
} else {
|
2025-01-14 23:38:58 +08:00
|
|
|
|
msg += fmt.Sprintf(" Pass:%s", pass)
|
2024-12-18 15:19:47 +08:00
|
|
|
|
}
|
2025-01-14 23:38:58 +08:00
|
|
|
|
Common.LogSuccess(msg)
|
2022-11-19 17:04:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2024-12-18 15:19:47 +08:00
|
|
|
|
// logFailedAuth 记录失败的认证
|
2024-12-19 16:15:53 +08:00
|
|
|
|
func logFailedAuth(info *Common.HostInfo, user, pass string, hash []byte, err error) {
|
2024-12-18 15:19:47 +08:00
|
|
|
|
var errlog string
|
|
|
|
|
|
if len(hash) > 0 {
|
2025-01-01 05:24:49 +08:00
|
|
|
|
errlog = fmt.Sprintf("SMB2认证失败 %s:%s %s Hash:%s %v",
|
2024-12-20 03:46:09 +08:00
|
|
|
|
info.Host, info.Ports, user, Common.HashValue, err)
|
2024-12-18 15:19:47 +08:00
|
|
|
|
} else {
|
2025-01-01 05:24:49 +08:00
|
|
|
|
errlog = fmt.Sprintf("SMB2认证失败 %s:%s %s:%s %v",
|
2024-12-18 15:19:47 +08:00
|
|
|
|
info.Host, info.Ports, user, pass, err)
|
|
|
|
|
|
}
|
|
|
|
|
|
errlog = strings.ReplaceAll(errlog, "\n", " ")
|
2024-12-18 22:00:18 +08:00
|
|
|
|
Common.LogError(errlog)
|
2024-12-18 15:19:47 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// Smb2Con 尝试SMB2连接并进行认证,检查共享访问权限
|
2024-12-19 16:15:53 +08:00
|
|
|
|
func Smb2Con(info *Common.HostInfo, user string, pass string, hash []byte, hasprint bool) (flag bool, err error, flag2 bool) {
|
2024-12-18 15:19:47 +08:00
|
|
|
|
// 建立TCP连接
|
|
|
|
|
|
conn, err := net.DialTimeout("tcp", fmt.Sprintf("%s:445", info.Host),
|
2024-12-18 22:00:18 +08:00
|
|
|
|
time.Duration(Common.Timeout)*time.Second)
|
2022-11-19 17:04:13 +08:00
|
|
|
|
if err != nil {
|
2024-12-18 15:19:47 +08:00
|
|
|
|
return false, fmt.Errorf("连接失败: %v", err), false
|
2022-11-19 17:04:13 +08:00
|
|
|
|
}
|
2023-11-13 16:23:19 +08:00
|
|
|
|
defer conn.Close()
|
2024-12-18 15:19:47 +08:00
|
|
|
|
|
|
|
|
|
|
// 配置NTLM认证
|
2022-11-19 17:04:13 +08:00
|
|
|
|
initiator := smb2.NTLMInitiator{
|
|
|
|
|
|
User: user,
|
2024-12-18 22:00:18 +08:00
|
|
|
|
Domain: Common.Domain,
|
2022-11-19 17:04:13 +08:00
|
|
|
|
}
|
2024-12-18 15:19:47 +08:00
|
|
|
|
|
|
|
|
|
|
// 设置认证方式(哈希或密码)
|
2022-11-19 17:04:13 +08:00
|
|
|
|
if len(hash) > 0 {
|
|
|
|
|
|
initiator.Hash = hash
|
|
|
|
|
|
} else {
|
|
|
|
|
|
initiator.Password = pass
|
|
|
|
|
|
}
|
2024-12-18 15:19:47 +08:00
|
|
|
|
|
|
|
|
|
|
// 创建SMB2会话
|
2022-11-19 17:04:13 +08:00
|
|
|
|
d := &smb2.Dialer{
|
|
|
|
|
|
Initiator: &initiator,
|
|
|
|
|
|
}
|
2024-12-18 15:19:47 +08:00
|
|
|
|
session, err := d.Dial(conn)
|
2022-11-19 17:04:13 +08:00
|
|
|
|
if err != nil {
|
2024-12-18 15:19:47 +08:00
|
|
|
|
return false, fmt.Errorf("SMB2会话建立失败: %v", err), false
|
2022-11-19 17:04:13 +08:00
|
|
|
|
}
|
2024-12-18 15:19:47 +08:00
|
|
|
|
defer session.Logoff()
|
|
|
|
|
|
|
|
|
|
|
|
// 获取共享列表
|
|
|
|
|
|
shares, err := session.ListSharenames()
|
2022-11-19 17:04:13 +08:00
|
|
|
|
if err != nil {
|
2024-12-18 15:19:47 +08:00
|
|
|
|
return false, fmt.Errorf("获取共享列表失败: %v", err), false
|
2022-11-19 17:04:13 +08:00
|
|
|
|
}
|
2024-12-18 15:19:47 +08:00
|
|
|
|
|
|
|
|
|
|
// 打印共享信息(如果未打印过)
|
2022-11-19 17:04:13 +08:00
|
|
|
|
if !hasprint {
|
2024-12-18 15:19:47 +08:00
|
|
|
|
logShareInfo(info, user, pass, hash, shares)
|
2022-11-19 17:04:13 +08:00
|
|
|
|
flag2 = true
|
|
|
|
|
|
}
|
2024-12-18 15:19:47 +08:00
|
|
|
|
|
|
|
|
|
|
// 尝试访问C$共享以验证管理员权限
|
|
|
|
|
|
fs, err := session.Mount("C$")
|
2022-11-19 17:04:13 +08:00
|
|
|
|
if err != nil {
|
2024-12-18 15:19:47 +08:00
|
|
|
|
return false, fmt.Errorf("挂载C$失败: %v", err), flag2
|
2022-11-19 17:04:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
defer fs.Umount()
|
2024-12-18 15:19:47 +08:00
|
|
|
|
|
|
|
|
|
|
// 尝试读取系统文件以验证权限
|
2022-11-19 17:04:13 +08:00
|
|
|
|
path := `Windows\win.ini`
|
|
|
|
|
|
f, err := fs.OpenFile(path, os.O_RDONLY, 0666)
|
|
|
|
|
|
if err != nil {
|
2024-12-18 15:19:47 +08:00
|
|
|
|
return false, fmt.Errorf("访问系统文件失败: %v", err), flag2
|
2022-11-19 17:04:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
defer f.Close()
|
|
|
|
|
|
|
2024-12-18 15:19:47 +08:00
|
|
|
|
return true, nil, flag2
|
2022-11-19 17:04:13 +08:00
|
|
|
|
}
|
2023-11-13 11:24:44 +08:00
|
|
|
|
|
2024-12-18 15:19:47 +08:00
|
|
|
|
// logShareInfo 记录SMB共享信息
|
2024-12-19 16:15:53 +08:00
|
|
|
|
func logShareInfo(info *Common.HostInfo, user string, pass string, hash []byte, shares []string) {
|
2025-01-14 23:38:58 +08:00
|
|
|
|
credential := pass
|
|
|
|
|
|
if len(hash) > 0 {
|
|
|
|
|
|
credential = Common.HashValue
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 保存共享信息结果
|
|
|
|
|
|
result := &Common.ScanResult{
|
|
|
|
|
|
Time: time.Now(),
|
|
|
|
|
|
Type: Common.VULN,
|
|
|
|
|
|
Target: info.Host,
|
|
|
|
|
|
Status: "shares-found",
|
|
|
|
|
|
Details: map[string]interface{}{
|
|
|
|
|
|
"port": info.Ports,
|
|
|
|
|
|
"service": "smb2",
|
|
|
|
|
|
"username": user,
|
|
|
|
|
|
"domain": Common.Domain,
|
|
|
|
|
|
"shares": shares,
|
|
|
|
|
|
"credential": credential,
|
|
|
|
|
|
"auth_type": map[bool]string{true: "hash", false: "password"}[len(hash) > 0],
|
|
|
|
|
|
},
|
|
|
|
|
|
}
|
|
|
|
|
|
Common.SaveResult(result)
|
|
|
|
|
|
|
|
|
|
|
|
// 控制台输出
|
|
|
|
|
|
var msg string
|
2024-12-18 22:00:18 +08:00
|
|
|
|
if Common.Domain != "" {
|
2025-01-14 23:38:58 +08:00
|
|
|
|
msg = fmt.Sprintf("SMB2共享信息 %s:%s %s\\%s", info.Host, info.Ports, Common.Domain, user)
|
2024-12-18 15:19:47 +08:00
|
|
|
|
} else {
|
2025-01-14 23:38:58 +08:00
|
|
|
|
msg = fmt.Sprintf("SMB2共享信息 %s:%s %s", info.Host, info.Ports, user)
|
2024-12-18 15:19:47 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if len(hash) > 0 {
|
2025-01-14 23:38:58 +08:00
|
|
|
|
msg += fmt.Sprintf(" Hash:%s", Common.HashValue)
|
2024-12-18 15:19:47 +08:00
|
|
|
|
} else {
|
2025-01-14 23:38:58 +08:00
|
|
|
|
msg += fmt.Sprintf(" Pass:%s", pass)
|
2024-12-18 15:19:47 +08:00
|
|
|
|
}
|
2025-01-14 23:38:58 +08:00
|
|
|
|
msg += fmt.Sprintf(" 共享:%v", shares)
|
|
|
|
|
|
Common.LogInfo(msg)
|
2024-12-18 15:19:47 +08:00
|
|
|
|
}
|
