枚举远程主机的用户的nasl 脚本
这里还有一篇:猜解默认数据库和conn.asp暴库的NASL脚本 html">http://www.zzzyk.com/kf/200702/16376.html
if(description)
{
script_id(10000);
script_version ("$Revision: 1.23 $");
name["english"] = "SMB username enumeration";
name["francais"] = "Enumeration username";script_name(english:name["english"],
francais:name["francais"]);desc["english"] = "
This script connects to the remote host
using a null session, and enumerates the
usernameRisk factor : Medium";
script_description(english:desc["english"],
francais:desc["francais"]);summary["english"] = "Gets the list of remote shares";
summary["francais"] = "Obtention de la liste des shares distantes";
script_summary(english:summary["english"],
francais:summary["francais"]);script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2000 Renaud Deraison");
family["english"] = "Windows";
script_family(english:family["english"]);script_dependencies("netbios_name_get.nasl", "smb_login.nasl");
script_require_keys("SMB/transport", "SMB/name", "SMB/login", "SMB/password");
script_require_ports(139, 445);
exit(0);
}include("smb_nt.inc");
if ( get_kb_item("SMB/samba") ) exit(0);
name = kb_smb_name();
if(!name)
name = "*SMBSERVER";_smb_port = kb_smb_transport();
if(!_smb_port)
_smb_port = 139;if(!get_port_state(_smb_port))return(FALSE);
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();if(!login)login = "";
if(!pass) pass = "";
soc = open_sock_tcp(_smb_port);
if(!soc)return(FALSE);#
# Request the session
#
r = smb_session_request(soc:soc, remote:name);
if(!r) { close(soc); return(FALSE); }#
# Negociate the protocol
#
prot = smb_neg_prot(soc:soc);
if(!prot){ close(soc); return(FALSE); }
#
# Set up our session
#
r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain, prot:prot);
if(!r){ close(soc); return(FALSE); }
# and extract our uid
UID = session_extract_uid(reply:r);UID_hi = UID/256;
UID_low = UID%256;#
# Connect to the remote IPC and extract the TID
# we are attributed
#
r = smb_tconx(soc:soc, name:name, uid:UID, share:"IPC$");
# and extract our tree id
TID = tconx_extract_tid(reply:r);TID_hi = TID/256;
TID_low = TID%256;#if(!tid){ close(soc); return(FALSE); }
#NT create AndX request
FID = OpenPipeToSamr(soc:soc, uid:UID, tid:TID);
FID_hi = FID/256;
FID_low = FID%256;
recv(socket:soc, length:1024);samrhdl = SamrConnect2(soc:soc, tid:TID, uid:UID, pipe:FID, name:"*SMBSERVER");
#SAMR EnumDomains
dom = _SamrEnumDomains(soc:soc, uid:UID, tid:TID, pipe:FID, samrhdl:samrhdl);
sid = SamrDom2Sid(soc:soc, tid:TID, uid:UID, pipe:FID, samrhdl:samrhdl, dom:dom);hdl = SamrOpenDomain(soc:soc, tid:TID, uid:UID, pipe:FID, samrhdl:samrhdl, sid:sid);
#samrQueryDisplayInformatio
reqDisplay= raw_string(0x00, 0x00, 0x00, 0x90, 0xff, 0x53, 0x4d, 0x42,
0x25, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0xc8,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, TID_low, TID_hi, 0xd4, 0x05,
UID_low, UID_hi, 0xa0, 0x00, 0x10, 0x00, 0x00, 0x3c,
0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x54, 0x00, 0x3c, 0x00, 0x54, 0x00, 0x02,
0x00, 0x26, 0x00, FID_low, FID_hi, 0x4d, 0x00, 0x32,
0x5c, 0x00, 0x50, 0x00, 0x49, 0x00, 0x50, 0x00,
0x45, 0x00, 0x5c, 0x00, 0x00, 0x00, 0x00, 0x00,
0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
0x3c, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00) + hdl+ raw_string(0x01, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xe8, 0x03, 0x00, 0x00,
0x00, 0x10, 0x00, 0x00);send(socket:soc, data:reqDisplay);
r = recv(socket:soc, length:4028);
display(r);
补充:综合编程 , 安全编程 ,
