
Why can't smbclient and enum4linux identify the Samba version in Kioptrix 1?

Unix & Linux user
Asked on 2020-05-21 05:34:25
3 answers, 3.9K views, 0 followers, 1 vote

I have been trying the Kioptrix Level 1 exercise at https://www.vulnhub.com/entry/kioptrix-level-1-1,22/ and I am wondering why smbclient can't identify the Samba version?

smbclient version 4.11.5-Debian

wolf@linux:~$ smbclient -V
Version 4.11.5-Debian
wolf@linux:~$ 

For example:

wolf@linux:~$ smbclient -L 10.10.10.10
Server does not support EXTENDED_SECURITY  but 'client use spnego = yes' and 'client ntlmv2 auth = yes' is set
Anonymous login successful
Enter WORKGROUP\wolf's password: 

    Sharename       Type      Comment
    ---------       ----      -------
    IPC$            IPC       IPC Service (Samba Server)
    ADMIN$          IPC       IPC Service (Samba Server)
Reconnecting with SMB1 for workgroup listing.
Server does not support EXTENDED_SECURITY  but 'client use spnego = yes' and 'client ntlmv2 auth = yes' is set
Anonymous login successful

    Server               Comment
    ---------            -------
    KIOPTRIX             Samba Server

    Workgroup            Master
    ---------            -------
    MYGROUP              KIOPTRIX
wolf@linux:~$

Trying enum4linux does not show the Samba version number either.

wolf@linux:/etc/samba$ enum4linux 10.10.10.10
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu May 21 00:04:57 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.10.10
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ====================================================== 
|    Enumerating Workgroup/Domain on 10.10.10.10    |
 ====================================================== 
[+] Got domain/workgroup name: MYGROUP

 ============================================== 
|    Nbtstat Information for 10.10.10.10    |
 ============================================== 
Looking up status of 10.10.10.10
    KIOPTRIX        <00> -         B   Workstation Service
    KIOPTRIX        <03> -         B   Messenger Service
    KIOPTRIX        <20> -         B   File Server Service
    ..__MSBROWSE__. <01> -  B   Master Browser
    MYGROUP         <00> -  B   Domain/Workgroup Name
    MYGROUP         <1d> -         B   Master Browser
    MYGROUP         <1e> -  B   Browser Service Elections

    MAC Address = 00-00-00-00-00-00

 ======================================= 
|    Session Check on 10.10.10.10    |
 ======================================= 
[+] Server 10.10.10.10 allows sessions using username '', password ''

 ============================================= 
|    Getting domain SID for 10.10.10.10    |
 ============================================= 
Domain Name: MYGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ======================================== 
|    OS information on 10.10.10.10    |
 ======================================== 
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.10.10 from smbclient: 
[+] Got OS info for 10.10.10.10 from srvinfo:
    KIOPTRIX       Wk Sv PrQ Unx NT SNT Samba Server
    platform_id     :   500
    os version      :   4.5
    server type     :   0x9a03

 =============================== 
|    Users on 10.10.10.10    |
 =============================== 
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

 =========================================== 
|    Share Enumeration on 10.10.10.10    |
 =========================================== 

    Sharename       Type      Comment
    ---------       ----      -------
    IPC$            IPC       IPC Service (Samba Server)
    ADMIN$          IPC       IPC Service (Samba Server)
Reconnecting with SMB1 for workgroup listing.

    Server               Comment
    ---------            -------
    KIOPTRIX             Samba Server

    Workgroup            Master
    ---------            -------
    MYGROUP              KIOPTRIX

[+] Attempting to map shares on 10.10.10.10
//10.10.10.10/IPC$  [E] Can't understand response:
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//10.10.10.10/ADMIN$    [E] Can't understand response:
tree connect failed: NT_STATUS_WRONG_PASSWORD

 ====================================================== 
|    Password Policy Information for 10.10.10.10    |
 ====================================================== 
[E] Unexpected error from polenum:


[+] Attaching to 10.10.10.10 using a NULL share

[+] Trying protocol 139/SMB...

    [!] Protocol failed: SMB SessionError: 0x5

[+] Trying protocol 445/SMB...

    [!] Protocol failed: [Errno Connection error (10.10.10.10:445)] [Errno 111] Connection refused


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 0


 ================================ 
|    Groups on 10.10.10.10    |
 ================================ 

[+] Getting builtin groups:
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Power Users] rid:[0x223]
group:[Account Operators] rid:[0x224]
group:[System Operators] rid:[0x225]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]

[+] Getting builtin group memberships:
Group 'Users' (RID: 545) has member: Couldn't find group Users
Group 'Guests' (RID: 546) has member: Couldn't find group Guests
Group 'Replicator' (RID: 552) has member: Couldn't find group Replicator
Group 'Account Operators' (RID: 548) has member: Couldn't find group Account Operators
Group 'Print Operators' (RID: 550) has member: Couldn't find group Print Operators
Group 'Power Users' (RID: 547) has member: Couldn't find group Power Users
Group 'System Operators' (RID: 549) has member: Couldn't find group System Operators
Group 'Administrators' (RID: 544) has member: Couldn't find group Administrators
Group 'Backup Operators' (RID: 551) has member: Couldn't find group Backup Operators

[+] Getting local groups:
group:[sys] rid:[0x3ef]
group:[tty] rid:[0x3f3]
group:[disk] rid:[0x3f5]
group:[mem] rid:[0x3f9]
group:[kmem] rid:[0x3fb]
group:[wheel] rid:[0x3fd]
group:[man] rid:[0x407]
group:[dip] rid:[0x439]
group:[lock] rid:[0x455]
group:[users] rid:[0x4b1]
group:[slocate] rid:[0x413]
group:[floppy] rid:[0x40f]
group:[utmp] rid:[0x415]

[+] Getting local group memberships:

[+] Getting domain groups:
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]

[+] Getting domain group memberships:
Group 'Domain Users' (RID: 513) has member: Couldn't find group Domain Users
Group 'Domain Admins' (RID: 512) has member: Couldn't find group Domain Admins

I have been looking at other people's write-ups, such as https://blog.roskyfrosky.com/vulnhub/2017/04/01/Kioptrix1.0-vulnhub.html, and found that they did not have this problem.

https://blog.bladeism.com/kioptrix-level-1/

enum4linux 192.168.33.133


==========================
| Target Information |
==========================
Target ……….. 192.168.33.133
RID Range …….. 500-550,1000-1050
Username ……… ”
Password ……… ”
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
======================================================
| Enumerating Workgroup/Domain on 192.168.33.133 |
======================================================
[+] Got domain/workgroup name: MYGROUP

==============================================
| Nbtstat Information for 192.168.33.133 |
==============================================
Looking up status of 192.168.33.133
KIOPTRIX <00> – B  Workstation Service
KIOPTRIX <03> – B  Messenger Service
KIOPTRIX <20> – B  File Server Service
..__MSBROWSE__. <01> –  B  Master Browser
MYGROUP <00> –  B  Domain/Workgroup Name
MYGROUP <1d> – B  Master Browser
MYGROUP <1e> –  B  Browser Service Elections

MAC Address = 00-00-00-00-00-00

=======================================
| Session Check on 192.168.33.133 |
=======================================
[+] Server 192.168.33.133 allows sessions using username ”, password ”

=============================================
| Getting domain SID for 192.168.33.133 |
=============================================
Domain Name: MYGROUP
Domain Sid: (NULL SID)
[+] Can’t determine if host is part of domain or part of a workgroup

========================================
| OS information on 192.168.33.133 |
========================================
[+] Got OS info for 192.168.33.133 from smbclient: Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
[+] Got OS info for 192.168.33.133 from srvinfo:
KIOPTRIX Wk Sv PrQ Unx NT SNT Samba Server
platform_id : 500
os version : 4.5
server type : 0x9a03

===============================
| Users on 192.168.33.133 |
===============================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

===========================================
| Share Enumeration on 192.168.33.133 |
===========================================
WARNING: The “syslog” option is deprecated
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]

Sharename Type Comment
——— —- ——-
IPC$ IPC IPC Service (Samba Server)
ADMIN$ IPC IPC Service (Samba Server)

Server Comment
——— ——-
KIOPTRIX Samba Server

Workgroup Master
——— ——-
MYGROUP KIOPTRIX
WORKGROUP BLADEISM

[+] Attempting to map shares on 192.168.33.133
//192.168.33.133/IPC$ [E] Can’t understand response:
WARNING: The “syslog” option is deprecated
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//192.168.33.133/ADMIN$ [E] Can’t understand response:
WARNING: The “syslog” option is deprecated
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
tree connect failed: NT_STATUS_WRONG_PASSWORD

3 Answers

Unix & Linux user

Posted on 2020-07-19 05:17:27

What about:

nmap -p 445 --script=smb-enum-users.nse,smb-enum-shares.nse 10.10.10.10
Votes: 0

Unix & Linux user

Posted on 2022-06-11 01:20:40

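I am facing the same problem too. It looks like something has been removed in the latest versions of smbclient, and enum4linux actually uses this module to get the SMB version. I was able to get the SMB version using Metasploit.

I hope this helps you solve this challenge.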

Votes: 0

Unix & Linux user

Posted on 2023-03-01 09:07:23

Try using the script smbver.sh from the "OSCPRepo" project on GitHub, but change tap0 to your interface (usually tun0 in the VPN case).

Votes: 0
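
The `Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]` line in the older output quoted in the question is built from three strings (NativeOS, NativeLanMan, PrimaryDomain) that an SMB1 server returns in its Session Setup AndX response; a client that does not print them leaves the version blank even though the server still sends it. The following is an added example, not part of any post above: a Python parser for that response, run on a constructed packet (`build_sample` and its byte values are assumptions for illustration, not a capture from the lab).

```python
import struct

FLAGS2_UNICODE = 0x8000  # strings are UTF-16LE when set, OEM/ASCII otherwise

def _read_strings(data, offset, wide, count=3):
    """Read `count` NUL-terminated strings starting at `offset`."""
    width, out = (2 if wide else 1), []
    for _ in range(count):
        end = offset
        while end + width <= len(data) and any(data[end:end + width]):
            end += width
        out.append(data[offset:end].decode("utf-16-le" if wide else "latin-1", "replace"))
        offset = end + width
    return out

def parse_session_setup_response(packet):
    """Extract NativeOS, NativeLanMan and PrimaryDomain from an SMB1 reply."""
    smb = packet[4:]  # skip the 4-byte NetBIOS session header
    if len(smb) < 35 or smb[:4] != b"\xffSMB" or smb[4] != 0x73:
        raise ValueError("not an SMB1 Session Setup AndX message")
    wide = bool(struct.unpack_from("<H", smb, 10)[0] & FLAGS2_UNICODE)
    word_count = smb[32]
    if word_count not in (3, 4):
        raise ValueError("unexpected WordCount %d" % word_count)
    params_end = 33 + 2 * word_count
    # WordCount 4 means extended security: a security blob precedes the strings.
    blob_len = struct.unpack_from("<H", smb, 39)[0] if word_count == 4 else 0
    byte_count = struct.unpack_from("<H", smb, params_end)[0]
    start = params_end + 2 + blob_len
    if wide and start % 2:  # pad byte aligns UTF-16 strings to an even offset
        start += 1
    data = smb[:params_end + 2 + byte_count]
    native_os, lanman, domain = _read_strings(data, start, wide)
    return {"os": native_os, "server": lanman, "domain": domain}

def build_sample(wide=False):
    """Constructed reply (not a capture) carrying the banner values quoted above."""
    text = "Unix\x00Samba 2.2.1a\x00MYGROUP\x00"
    strings = b"\x00" + text.encode("utf-16-le") if wide else text.encode("ascii")
    flags2 = FLAGS2_UNICODE if wide else 0
    header = b"\xffSMB\x73" + b"\x00" * 4 + b"\x88" + struct.pack("<H", flags2) + b"\x00" * 20
    params = b"\x03\xff\x00" + struct.pack("<HH", 0, 1)  # WordCount 3, no AndX, guest
    smb = header + params + struct.pack("<H", len(strings)) + strings
    return struct.pack(">I", len(smb)) + smb  # NetBIOS header: type 0 + length

if __name__ == "__main__":
    info = parse_session_setup_response(build_sample())
    print("Domain=[%(domain)s] OS=[%(os)s] Server=[%(server)s]" % info)
```

On the defensive side, the same fields show what a legacy SMB1 service discloses to an unauthenticated client before any share is accessed.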
Original page content provided by Unix & Linux.
Original link:

https://unix.stackexchange.com/questions/588046
