Probing the NetBIOS Information of Windows Hosts
Author: TOo2y

Contents
I. NetBIOS information
II. Main functions and related data structures
III. How to prevent NetBIOS information disclosure
IV. Source code

Whenever the security of Windows 2000/XP comes up, the NULL session is the first thing people think of. It can fairly be called a back door that Microsoft left in place: a great many simple and easy attacks are built on top of the null session. This article does not discuss how to compromise a Windows 2000/XP host; it discusses which NetBIOS information about the remote host we can obtain once a null session has been established. (Because the article targets Windows 2000/XP, the code is built with UNICODE defined.)

I. NetBIOS information

Once we have established a null session with a remote Windows 2000/XP host, we are entitled to enumerate the various NetBIOS items the system exposes. Some items require higher privileges, but we only run the queries an anonymous user is allowed to make, and those still cover most of the system information.

Time: probes the current date and time of the remote host. The call returns a structure holding the year, month, day, weekday, hour, minute, second and so on. The values are in GMT, so for us they have to be converted to GMT+8:00. The same structure also carries the host's own offset from GMT in minutes (tod_timezone), and that field, not the fixed +8 conversion, is what actually tells you which time zone the host is configured for.

Operating system fingerprint: probes the operating system fingerprint of the remote host. There are three query levels (100, 101, 102); I use level 101, which returns a structure from which we can read the platform identifier, the server name, the major and minor operating system version (Windows 2000 is 5.0, Windows XP is 5.1, and the newest system at the time, Longhorn, later released as Windows Vista, is 6.0), the server type (one host may carry several type bits at once) and the comment.

Share list: probes the share list of the remote host. We get a pointer to a structure and enumerate every share on the host, hidden shares included. Each entry holds the share name, type and remark. The types are: disk drive, print queue, communication device, interprocess communication, and special device. Note that "special" (STYPE_SPECIAL) is a flag OR'ed onto the base type, so IPC$ and ADMIN$ carry both bits; when classifying a share, mask the type with STYPE_MASK first and test the special bit separately.

User list: probes the user list of the remote host. A pointer to a structure is returned and all user entries are enumerated. We get the user name, full name, user identifier, comment and flags. The flags describe the state of the account (disabled, locked out, and so on). The user identifier is the account's RID: 500 is the built-in Administrator whatever it has been renamed to, and 501 is Guest.

Local group list: probes the local groups of the remote host. All local groups are enumerated, with the local group name and comment.

Group list: probes the (global) groups of the remote host. All groups are enumerated, with group name, comment, group identifier and attributes. On that basis we can enumerate every user inside each group.

Group member list: probes the users inside a particular group. We obtain the names of all users in the group. Once we have the complete user list, the next step is obvious: run a dictionary attack against it.

Transport list: probes the transport protocols of the remote host and enumerates all of them. For each transport we get its name, its address, its network address and the number of users currently connected through it.

Session list: probes the current sessions on the remote host. For each session we get the client host name, the user name, the active time and the idle time. This helps us learn about the habits of the users of the remote host.

II. Main functions and related data structures

1. Establishing the null session
WNetAddConnection2(&nr, password, username, 0);
nr is a NETRESOURCE structure; username is the user name for the null session and password the logon password, and both are empty strings. (The original text says they are set to NULL, but in the source they are empty strings, which is what a null session requires: passing NULL makes WNetAddConnection2 use the credentials of the calling process instead. Note also that in this API the password parameter comes before the user name.)

2. Cancelling the connection
WNetCancelConnection2(ipc, 0, TRUE);
ipc is a TCHAR pointer that we can build with swprintf(ipc, _T("\\\\%s\\ipc$"), argv[1]); argv[1] is the host name or address.

3. Probing the host's time
nStatus = NetRemoteTOD(server, (PBYTE *)&pBuf);
server is the host name or address; pBuf is a pointer to TIME_OF_DAY_INFO; nStatus is a NET_API_STATUS.

4. Probing the operating system fingerprint
NetServerGetInfo(server, dwLevel, (PBYTE *)&pBuf);
dwLevel is 101; pBuf is a pointer to SERVER_INFO_101.

5. Probing the share list
NetShareEnum(server, dwLevel, (PBYTE *)&pBuf, MAX_PREFERRED_LENGTH, &er, &tr, &resume);
dwLevel is 1; pBuf is a pointer to SHARE_INFO_1; er receives the number of entries returned; MAX_PREFERRED_LENGTH tells the system to allocate as much memory as the data needs; tr receives the total number of entries; resume is the resume handle used to continue the share enumeration.

6. Probing the user list
NetQueryDisplayInformation(server, dwLevel, i, 100, 0xFFFFFFFF, &dwRec, (PVOID *)&pBuf);
dwLevel is 1; i is the index at which enumeration continues; 100 is the number of entries requested per call; dwRec receives the number of entries returned; pBuf is a pointer to NET_DISPLAY_USER.

7. Probing the local group list
NetLocalGroupEnum(server, dwLevel, (PBYTE *)&pBuf, -1, &er, &tr, &resume);
dwLevel is 1; pBuf is a pointer to LOCALGROUP_INFO_1.

8. Probing the group list
NetQueryDisplayInformation(server, dwLevel, i, 100, 0xFFFFFFFF, &dwRec, (PVOID *)&pGBuf);
dwLevel is 3; pGBuf is a pointer to NET_DISPLAY_GROUP.

9. Probing the users of a group
NetGroupGetUsers(server, pGBuffer->grpi3_name, 0, (PBYTE *)&pUBuf, MAX_PREFERRED_LENGTH, &er, &tr, &resume);
pGBuffer->grpi3_name is the group name; pUBuf is a pointer to GROUP_USERS_INFO_0.

10. Probing the transport list
NetServerTransportEnum(server, dwLevel, (PBYTE *)&pBuf, MAX_PREFERRED_LENGTH, &er, &tr, &resume);
dwLevel is 0; pBuf is a pointer to SERVER_TRANSPORT_INFO_0.

11. Probing the session list
NetSessionEnum(server, pszClient, pszUser, dwLevel, (PBYTE *)&pBuf, MAX_PREFERRED_LENGTH, &er, &tr, &resume);
pszClient selects sessions from one client (NULL for all); pszUser selects sessions of one user (NULL for all); dwLevel is 10; pBuf is a pointer to SESSION_INFO_10 (client name, user name, active time, idle time).

12. Freeing memory
NetApiBufferFree(pBuf);
Frees the buffer the system allocated for the call.

One detail applies to every Net* call above: the function returns the error code directly as its NET_API_STATUS result and does not set the thread's last-error value. Reading GetLastError() after a failed Net* call therefore returns whatever the previous Win32 call left behind (typically 997, ERROR_IO_PENDING, which is why the original program special-cases that number); the value to report is the returned status.

III. How to prevent NetBIOS information disclosure

We can install a firewall that stops the null session from being established, disable "NetBIOS over TCP/IP" in the properties of the network connection, or block port 445/tcp with an IP security policy. As long as the null session cannot be established, the information listed above is hard to obtain.

Two caveats for anyone applying this. Disabling NetBIOS over TCP/IP only closes the NetBT path on 139/tcp; Windows 2000/XP also accept SMB, and therefore null sessions, directly over 445/tcp, so both ports have to be blocked from untrusted networks. Independently of the transport, the enumeration itself can be denied to anonymous callers through the RestrictAnonymous value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa: 1 refuses anonymous enumeration of SAM accounts and shares, and on Windows 2000 the value 2 additionally removes anonymous callers from the Everyone token; Windows XP splits the same control into RestrictAnonymous, RestrictAnonymousSAM and EveryoneIncludesAnonymous. With that set, the user, group and share listings fail even where the IPC$ connection itself still succeeds.
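As an added example that is not part of the original article, the following Windows PowerShell 5.1 script (run elevated) first checks from a client whether a host still accepts the null session that section I relies on, and then applies on the host the measures listed above together with the RestrictAnonymous values. The NS_TARGET environment variable name, the firewall rule name and the idea of testing from a second machine are assumptions of this example; New-NetFirewallRule exists only on Windows 8 / Server 2012 and later, so on Windows 2000/XP the 445/tcp block is done with an IPSec policy as the article says.

```powershell
# Added example, not part of the original article. Windows PowerShell 5.1, run elevated.
# Test-NullSession is meant to run on a second machine against the host being hardened;
# the Set-/Disable-/Block- functions run on the host itself.

function Test-NullSession {
    param([Parameter(Mandatory)][string]$Server)   # host name or IP of the target (assumed argument)
    $env:NS_TARGET = $Server                       # NS_TARGET is an assumed variable name
    # --% hands the rest of the line to cmd.exe verbatim (only %NS_TARGET% is expanded), so the
    # empty "" user name and "" password, which are what make this a null session, survive
    # PowerShell's own argument quoting.
    $null = cmd /c --% net use \\%NS_TARGET%\ipc$ "" /user:"" 2>&1
    $accepted = ($LASTEXITCODE -eq 0)
    if ($accepted) {
        Write-Host "IPC`$ null session to $Server accepted; anonymous enumeration:"
        cmd /c --% net view \\%NS_TARGET% 2>&1     # share list, the same data NetShareEnum returns
        cmd /c --% net time \\%NS_TARGET% 2>&1     # remote clock, the same data NetRemoteTOD returns
        $null = cmd /c --% net use \\%NS_TARGET%\ipc$ /delete /y 2>&1
    } else {
        Write-Host "IPC`$ null session to $Server refused (exit code $LASTEXITCODE)"
    }
    return $accepted
}

function Set-AnonymousRestrictions {
    # Deny the enumeration itself, even where an IPC$ connection still succeeds.
    # RestrictAnonymous=1: no anonymous listing of SAM accounts and shares
    # (on Windows 2000 the value 2 also drops anonymous callers from the Everyone token).
    # RestrictAnonymousSAM=1 and EveryoneIncludesAnonymous=0 are the Windows XP and later split
    # of the same control. A reboot is needed before re-testing.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    Set-ItemProperty -Path $lsa -Name RestrictAnonymous         -Value 1 -Type DWord
    Set-ItemProperty -Path $lsa -Name RestrictAnonymousSAM      -Value 1 -Type DWord
    Set-ItemProperty -Path $lsa -Name EveryoneIncludesAnonymous -Value 0 -Type DWord
    Get-ItemProperty -Path $lsa |
        Select-Object RestrictAnonymous, RestrictAnonymousSAM, EveryoneIncludesAnonymous
}

function Disable-NetBiosOverTcpip {
    # Closes the NetBT path (137-139/udp+tcp). SetTcpipNetbios(2) = "Disable NetBIOS over TCP/IP",
    # applied to every IP-enabled adapter.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object { [void]$_.SetTcpipNetbios(2) }
}

function Block-Smb445 {
    # Direct-hosted SMB on 445/tcp carries null sessions even with NetBT off, so block it from
    # untrusted networks. New-NetFirewallRule needs Windows 8 / Server 2012 or later; on
    # Windows 2000/XP use an IPSec policy instead. The rule name is an assumption of this example.
    New-NetFirewallRule -DisplayName 'Block inbound SMB 445 (example rule)' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Public | Out-Null
}
```

On the host run Set-AnonymousRestrictions, Disable-NetBiosOverTcpip and Block-Smb445, then reboot. From another machine run Test-NullSession against the host before and after. After RestrictAnonymous is set, `net view` answers "System error 5 has occurred. Access is denied." even if the IPC$ connection itself is still accepted; once 139 and 445 are blocked the connection itself fails and Test-NullSession returns $false.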
IV. Source code

/*
 * T-SMB Scan, by TOo2y, 12-12-2002.
 * Reconstructed from the extracted page. Brackets, backslashes and quotes that
 * the extraction dropped are restored; defects in the original are corrected
 * and commented where they occur. The page's copy of the source ends inside
 * transport(); session() is declared by the original but its body is not on
 * the page, so the call to it is commented out in wmain().
 */
#define UNICODE
#define _UNICODE
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <tchar.h>
/* The original included private copies include\lmaccess.h, include\lmserver.h
   and include\lmshare.h; <lm.h> provides the same declarations, plus
   lmremutl.h (NetRemoteTOD) and lmapibuf.h (NetApiBufferFree). */
#include <lm.h>
#pragma comment(lib, "mpr")
#pragma comment(lib, "netapi32")

void start(void);
void usage(void);
int datetime(PTSTR server);
int fingerprint(PTSTR server);
int netbios(PTSTR server);
int users(PTSTR server);
int localgroup(PTSTR server);
int globalgroup(PTSTR server);
int transport(PTSTR server);
int session(PTSTR server);   /* declared by the original; body not on the page */

int wmain(int argc, TCHAR *argv[])
{
    NETRESOURCE nr;
    DWORD ret;
    /* Empty user name and empty password are what make the IPC$ connection a
       null session; NULL would mean "use the calling process's credentials". */
    TCHAR username[100] = _T("");
    TCHAR password[100] = _T("");
    TCHAR ipc[100] = _T("");

    system("cls");                       /* original called "cls.exe"; cls is a cmd.exe built-in */
    start();
    if (argc != 2) {
        usage();
        return -1;
    }
    /* \\host\ipc$ ; bounded write instead of the original unbounded swprintf */
    _sntprintf(ipc, sizeof(ipc) / sizeof(ipc[0]) - 1, _T("\\\\%s\\ipc$"), argv[1]);
    nr.lpLocalName  = NULL;
    nr.lpProvider   = NULL;
    nr.dwType       = RESOURCETYPE_ANY;
    nr.lpRemoteName = ipc;
    /* WNetAddConnection2 takes the password BEFORE the user name; the original
       passed them the other way round (harmless only because both are empty). */
    ret = WNetAddConnection2(&nr, password, username, 0);
    if (ret != ERROR_SUCCESS) {
        _tprintf(_T("\nIPC$ Connect Failed. (error %lu)\n"), ret);
        return -1;
    }
    datetime(argv[1]);
    fingerprint(argv[1]);
    netbios(argv[1]);
    users(argv[1]);
    localgroup(argv[1]);
    globalgroup(argv[1]);
    transport(argv[1]);
    /* session(argv[1]);  -- the original calls it here; its body is not on the page */
    ret = WNetCancelConnection2(ipc, 0, TRUE);
    if (ret != ERROR_SUCCESS) {
        _tprintf(_T("IPC$ Disconnect Failed.\n"));
        return -1;
    }
    return 0;
}

void start(void)
{
    _tprintf(_T("========== T-SMB Scan, by TOo2y ==========\n"));
    _tprintf(_T("= E-mail: TOo2y =\n"));    /* address as it survives on the page */
    _tprintf(_T("= HomePage: =\n"));        /* URL as it survives on the page */
    _tprintf(_T("= Date: 12-12-2002 =\n"));
}

void usage(void)
{
    _tprintf(_T("\nUsage:\t T-SMB RemoteIP\n"));
    _tprintf(_T("\nRequest: Remote host must be opening port 445/tcp of Microsoft-DS.\n"));
}

/* Remote date and time (NetRemoteTOD, TIME_OF_DAY_INFO). */
int datetime(PTSTR server)
{
    PTIME_OF_DAY_INFO pBuf = NULL;
    NET_API_STATUS nStatus;

    _tprintf(_T("\n*** Date and Time ***\n"));
    nStatus = NetRemoteTOD(server, (PBYTE *)&pBuf);
    if (nStatus == NERR_Success && pBuf != NULL) {
        _tprintf(_T("\nCurrent date:\t%.2lu-%.2lu-%lu"),
                 pBuf->tod_month, pBuf->tod_day, pBuf->tod_year);
        _tprintf(_T("\nCurrent time:\t%.2lu:%.2lu:%.2lu.%.2lu (GMT)"),
                 pBuf->tod_hours, pBuf->tod_mins, pBuf->tod_secs, pBuf->tod_hunds);
        /* The original hard-codes GMT+8 for the author's location; the host's own
           offset is available in pBuf->tod_timezone (minutes, west of GMT positive). */
        pBuf->tod_hours = (pBuf->tod_hours + 8) % 24;
        _tprintf(_T("\nCurrent time:\t%.2lu:%.2lu:%.2lu.%.2lu (GMT+08:00)\n"),
                 pBuf->tod_hours, pBuf->tod_mins, pBuf->tod_secs, pBuf->tod_hunds);
    } else {
        /* Net* functions return the error code and do not set GetLastError();
           the original read GetLastError() here and special-cased 997
           (ERROR_IO_PENDING), which was only a stale value from an earlier call. */
        _tprintf(_T("\nDatetime Error:\t%lu\n"), nStatus);
    }
    if (pBuf != NULL)
        NetApiBufferFree(pBuf);
    return 0;
}

/* Operating system fingerprint (NetServerGetInfo level 101, SERVER_INFO_101). */
int fingerprint(PTSTR server)
{
    static const struct { DWORD bit; const TCHAR *text; } sv_types[] = {
        { SV_TYPE_NOVELL,            _T("Novell server.") },
        { SV_TYPE_XENIX_SERVER,      _T("Xenix server.") },
        { SV_TYPE_DOMAIN_ENUM,       _T("Primary domain.") },
        { SV_TYPE_TERMINALSERVER,    _T("Terminal Server.") },
        { SV_TYPE_WINDOWS,           _T("Windows 95 or later.") },
        { SV_TYPE_SERVER,            _T("A LAN Manager server.") },
        { SV_TYPE_WORKSTATION,       _T("A LAN Manager workstation.") },
        { SV_TYPE_PRINTQ_SERVER,     _T("Server sharing print queue.") },
        { SV_TYPE_DOMAIN_CTRL,       _T("Primary domain controller.") },
        { SV_TYPE_DOMAIN_BAKCTRL,    _T("Backup domain controller.") },
        { SV_TYPE_AFP,               _T("Apple File Protocol server.") },
        { SV_TYPE_DOMAIN_MEMBER,     _T("LAN Manager 2.x domain member.") },
        { SV_TYPE_LOCAL_LIST_ONLY,   _T("Servers maintained by the browser.") },
        { SV_TYPE_DIALIN_SERVER,     _T("Server running dial-in service.") },
        { SV_TYPE_TIME_SOURCE,       _T("Server running the Timesource service.") },
        { SV_TYPE_SERVER_MFPN,       _T("Microsoft File and Print for NetWare.") },
        { SV_TYPE_NT,                _T("Windows NT/2000/XP workstation or server.") },
        { SV_TYPE_WFW,               _T("Server running Windows for Workgroups.") },
        { SV_TYPE_POTENTIAL_BROWSER, _T("Server that can run the browser service.") },
        { SV_TYPE_BACKUP_BROWSER,    _T("Server running a browser service as backup.") },
        { SV_TYPE_MASTER_BROWSER,    _T("Server running the master browser service.") },
        { SV_TYPE_DOMAIN_MASTER,     _T("Server running the domain master browser.") },
        { SV_TYPE_CLUSTER_NT,        _T("Server clusters available in the domain.") },
        { SV_TYPE_SQLSERVER,         _T("Any server running with Microsoft SQL Server.") },
        { SV_TYPE_SERVER_NT,         _T("Windows NT/2000 server that is not a domain controller.") },
    };
    NET_API_STATUS nStatus;
    PSERVER_INFO_101 pBuf = NULL;
    DWORD dwLevel = 101;
    size_t k;

    _tprintf(_T("\n*** Fingerprint ***\n"));
    nStatus = NetServerGetInfo(server, dwLevel, (PBYTE *)&pBuf);
    if (nStatus == NERR_Success) {
        _tprintf(_T("\nComputer name:\t%s"), pBuf->sv101_name);
        _tprintf(_T("\nComment:\t%s"), pBuf->sv101_comment);
        _tprintf(_T("\nPlatform:\t%lu"), pBuf->sv101_platform_id);
        _tprintf(_T("\nVersion:\t%lu.%lu"), pBuf->sv101_version_major, pBuf->sv101_version_minor);
        _tprintf(_T("\nType:\n"));
        /* sv101_type is a bit mask; a host usually carries several of these at once */
        for (k = 0; k < sizeof sv_types / sizeof sv_types[0]; k++)
            if (pBuf->sv101_type & sv_types[k].bit)
                _tprintf(_T("\t\t%s\n"), sv_types[k].text);
    } else {
        _tprintf(_T("\nFingerprint Error:\t%lu\n"), nStatus);
    }
    if (pBuf != NULL)
        NetApiBufferFree(pBuf);
    return 0;
}

/* Share list, hidden shares included (NetShareEnum level 1, SHARE_INFO_1). */
int netbios(PTSTR server)
{
    NET_API_STATUS nStatus;
    PSHARE_INFO_1 pBuf = NULL, pBuffer;
    DWORD er, tr, i;
    DWORD resume = 0;          /* resume handle must start at 0; the original set it to 1 */
    DWORD dwLevel = 1;

    _tprintf(_T("\n*** Netbios ***\n"));
    do {
        nStatus = NetShareEnum(server, dwLevel, (PBYTE *)&pBuf, MAX_PREFERRED_LENGTH,
                               &er, &tr, &resume);
        if (nStatus == ERROR_SUCCESS || nStatus == ERROR_MORE_DATA) {
            pBuffer = pBuf;
            for (i = 0; i < er; i++, pBuffer++) {
                _tprintf(_T("\nName:\t\t%s"), pBuffer->shi1_netname);
                _tprintf(_T("\nRemark:\t\t%s"), pBuffer->shi1_remark);
                _tprintf(_T("\nType:\t\t"));
                /* STYPE_SPECIAL (0x80000000) is a flag OR'ed onto the base type, so
                   IPC$ is STYPE_IPC|STYPE_SPECIAL and ADMIN$/C$ are
                   STYPE_DISKTREE|STYPE_SPECIAL. The original compared shi1_type
                   for equality and so never recognised the hidden shares. */
                switch (pBuffer->shi1_type & STYPE_MASK) {
                case STYPE_DISKTREE: _tprintf(_T("Disk drive.")); break;
                case STYPE_PRINTQ:   _tprintf(_T("Print queue.")); break;
                case STYPE_DEVICE:   _tprintf(_T("Communication device.")); break;
                case STYPE_IPC:      _tprintf(_T("Interprocess communication (IPC).")); break;
                default:             _tprintf(_T("Unknown type %lu."), pBuffer->shi1_type); break;
                }
                if (pBuffer->shi1_type & STYPE_SPECIAL)
                    _tprintf(_T(" Special share reserved for interprocess communication (IPC$) "
                                "or remote administration of the server (ADMIN$)."));
                _tprintf(_T("\n"));
            }
        } else {
            _tprintf(_T("\nNetbios Error:\t%lu\n"), nStatus);
        }
        if (pBuf != NULL) {
            NetApiBufferFree(pBuf);
            pBuf = NULL;
        }
    } while (nStatus == ERROR_MORE_DATA);
    return 0;
}

/* User list with account flags (NetQueryDisplayInformation level 1, NET_DISPLAY_USER). */
int users(PTSTR server)
{
    static const struct { DWORD bit; const TCHAR *text; } uf_flags[] = {
        { UF_ACCOUNTDISABLE,                 _T("The user's account is disabled.") },
        { UF_TRUSTED_FOR_DELEGATION,         _T("The account is enabled for delegation.") },
        { UF_LOCKOUT,                        _T("The account is currently locked out (blocked).") },
        { UF_SMARTCARD_REQUIRED,             _T("Requires the user to log on to the user account with a smart card.") },
        { UF_DONT_REQUIRE_PREAUTH,           _T("This account does not require Kerberos preauthentication for logon.") },
        { UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED, _T("The user's password is stored under reversible encryption in the Active Directory.") },
        { UF_NOT_DELEGATED,                  _T("Marks the account as \"sensitive\"; other users cannot act as delegates of this user account.") },
        { UF_USE_DES_KEY_ONLY,               _T("Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.") },
        { UF_HOMEDIR_REQUIRED,               _T("The home directory is required. Windows NT/Windows 2000/Windows XP ignores this value.") },
        { UF_SCRIPT,                         _T("The logon script executed. This value must be set for LAN Manager 2.0 and Windows NT/2000/XP.") },
    };
    NET_API_STATUS nStatus;
    PNET_DISPLAY_USER pBuf = NULL, pBuffer;
    DWORD dwRec, i = 0, dwLevel = 1;
    size_t k;

    _tprintf(_T("\n*** Users ***\n"));
    do {
        /* i is the index to continue from, 100 entries are requested per call */
        nStatus = NetQueryDisplayInformation(server, dwLevel, i, 100, 0xFFFFFFFF,
                                             &dwRec, (PVOID *)&pBuf);
        if (nStatus == ERROR_SUCCESS || nStatus == ERROR_MORE_DATA) {
            pBuffer = pBuf;
            for (; dwRec > 0; dwRec--, pBuffer++) {
                _tprintf(_T("\nName:\t\t%s"), pBuffer->usri1_name);
                _tprintf(_T("\nFull Name:\t%s"), pBuffer->usri1_full_name);
                /* usri1_user_id is the RID: 500 is the built-in Administrator whatever
                   it has been renamed to, 501 is Guest */
                _tprintf(_T("\nUser ID:\t%lu"), pBuffer->usri1_user_id);
                _tprintf(_T("\nComment:\t%s"), pBuffer->usri1_comment);
                _tprintf(_T("\nFlag:\n"));
                for (k = 0; k < sizeof uf_flags / sizeof uf_flags[0]; k++)
                    if (pBuffer->usri1_flags & uf_flags[k].bit)
                        _tprintf(_T("\t\t%s\n"), uf_flags[k].text);
                i = pBuffer->usri1_next_index;
            }
        } else {
            _tprintf(_T("\nUsers Error:\t%lu\n"), nStatus);
        }
        if (pBuf != NULL) {
            NetApiBufferFree(pBuf);
            pBuf = NULL;
        }
    } while (nStatus == ERROR_MORE_DATA);
    return 0;
}

/* Local groups (NetLocalGroupEnum level 1, LOCALGROUP_INFO_1). */
int localgroup(PTSTR server)
{
    NET_API_STATUS nStatus;
    PLOCALGROUP_INFO_1 pBuf = NULL, pBuffer;
    DWORD er, tr, i, dwLevel = 1;
    DWORD_PTR resume = 0;      /* NetLocalGroupEnum takes a DWORD_PTR resume handle */

    _tprintf(_T("\n*** Local Group ***\n"));
    do {
        nStatus = NetLocalGroupEnum(server, dwLevel, (PBYTE *)&pBuf, MAX_PREFERRED_LENGTH,
                                    &er, &tr, &resume);
        if (nStatus == NERR_Success || nStatus == ERROR_MORE_DATA) {
            pBuffer = pBuf;
            for (i = 0; i < er; i++, pBuffer++) {
                _tprintf(_T("\nName:\t\t%s"), pBuffer->lgrpi1_name);
                _tprintf(_T("\nComment:\t%s\n"), pBuffer->lgrpi1_comment);
            }
        } else {
            _tprintf(_T("\nLocal Group Error:\t%lu\n"), nStatus);
        }
        if (pBuf != NULL) {
            NetApiBufferFree(pBuf);
            pBuf = NULL;
        }
    } while (nStatus == ERROR_MORE_DATA);
    return 0;
}

/* Global groups and their members (NetQueryDisplayInformation level 3,
   NET_DISPLAY_GROUP, then NetGroupGetUsers level 0, GROUP_USERS_INFO_0). */
int globalgroup(PTSTR server)
{
    NET_API_STATUS nGStatus, nUStatus;
    PNET_DISPLAY_GROUP pGBuf = NULL, pGBuffer;
    PGROUP_USERS_INFO_0 pUBuf = NULL, pUBuffer;
    DWORD i = 0, dwLevel = 3, dwRec, k;
    DWORD er, tr;
    DWORD_PTR resume;

    _tprintf(_T("\n*** Global group ***\n"));
    do {
        nGStatus = NetQueryDisplayInformation(server, dwLevel, i, 100, 0xFFFFFFFF,
                                              &dwRec, (PVOID *)&pGBuf);
        if (nGStatus == ERROR_SUCCESS || nGStatus == ERROR_MORE_DATA) {
            pGBuffer = pGBuf;
            for (; dwRec > 0; dwRec--, pGBuffer++) {
                _tprintf(_T("\nName:\t\t%s"), pGBuffer->grpi3_name);
                _tprintf(_T("\nComment:\t%s"), pGBuffer->grpi3_comment);
                _tprintf(_T("\nGroup ID:\t%lu"), pGBuffer->grpi3_group_id);
                _tprintf(_T("\nAttributes:\t%lu"), pGBuffer->grpi3_attributes);
                _tprintf(_T("\nMembers:\t"));
                resume = 0;    /* fresh enumeration for every group; the original never reset it */
                nUStatus = NetGroupGetUsers(server, pGBuffer->grpi3_name, 0, (PBYTE *)&pUBuf,
                                            MAX_PREFERRED_LENGTH, &er, &tr, &resume);
                if (nUStatus == NERR_Success) {
                    pUBuffer = pUBuf;
                    for (k = 0; k < er; k++, pUBuffer++)
                        _tprintf(_T("%s "), pUBuffer->grui0_name);
                }
                if (pUBuf != NULL) {
                    NetApiBufferFree(pUBuf);
                    pUBuf = NULL;
                }
                _tprintf(_T("\n"));
                i = pGBuffer->grpi3_next_index;
            }
        } else {
            _tprintf(_T("\nGlobal Group Error:\t%lu\n"), nGStatus);
        }
        if (pGBuf != NULL) {
            NetApiBufferFree(pGBuf);
            pGBuf = NULL;
        }
    } while (nGStatus == ERROR_MORE_DATA);
    return 0;
}

/* Transports (NetServerTransportEnum level 0, SERVER_TRANSPORT_INFO_0). */
int transport(PTSTR server)
{
    NET_API_STATUS nStatus;
    PSERVER_TRANSPORT_INFO_0 pBuf = NULL, pBuffer;
    DWORD er, tr, i, dwLevel = 0;
    DWORD resume = 0;

    _tprintf(_T("\n*** Transport ***\n"));
    do {
        nStatus = NetServerTransportEnum(server, dwLevel, (PBYTE *)&pBuf, MAX_PREFERRED_LENGTH,
                                         &er, &tr, &resume);
        if (nStatus == NERR_Success || nStatus == ERROR_MORE_DATA) {
            pBuffer = pBuf;
            for (i = 0; i < er; i++, pBuffer++) {
                _tprintf(_T("\nTransport:\t%s"), pBuffer->svti0_transportname);
                /* The page's copy of the source breaks off here, inside this loop;
                   the address, network address and connection count that section II
                   describes are not printed by what survives. */
            }
        } else {
            _tprintf(_T("\nTransport Error:\t%lu\n"), nStatus);
        }
        if (pBuf != NULL) {
            NetApiBufferFree(pBuf);
            pBuf = NULL;
        }
    } while (nStatus == ERROR_MORE_DATA);
    return 0;
}