mirrors/fscan
1
0
Fork 0
mirror of https://github.com/shadow1ng/fscan.git synced 2025-07-14 13:22:35 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

refactor: SMB2模块重构

Browse Source
This commit is contained in:
ZacharyZcR 2024-12-18 15:19:47 +08:00
parent 42908d3319
commit e15f8e8cc0
1 changed files with 166 additions and 162 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

328
Plugins/smb2.go
View File

@ -11,208 +11,212 @@ import (
"github.com/hirochachacha/go-smb2" "github.com/hirochachacha/go-smb2"
) )
// SmbScan2 执行SMB2服务的认证扫描支持密码和哈希两种认证方式
func SmbScan2(info *common.HostInfo) (tmperr error) { func SmbScan2(info *common.HostInfo) (tmperr error) {
// 如果未启用暴力破解则直接返回
if common.IsBrute { if common.IsBrute {
return nil return nil
} }
hasprint := false hasprint := false
starttime := time.Now().Unix() startTime := time.Now().Unix()
// 使用哈希认证模式
if len(common.HashBytes) > 0 { if len(common.HashBytes) > 0 {
for _, user := range common.Userdict["smb"] { return smbHashScan(info, hasprint, startTime)
for _, hash := range common.HashBytes {
pass := ""
flag, err, flag2 := Smb2Con(info, user, pass, hash, hasprint)
if flag2 {
hasprint = true
}
if flag == true {
var result string
if common.Domain != "" {
result = fmt.Sprintf("[+] SMB2 %v:%v:%v\\%v ", info.Host, info.Ports, common.Domain, user)
} else {
result = fmt.Sprintf("[+] SMB2 %v:%v:%v ", info.Host, info.Ports, user)
}
if len(hash) > 0 {
result += "hash: " + common.Hash
} else {
result += pass
}
common.LogSuccess(result)
return err
} else {
var errlog string
if len(common.Hash) > 0 {
errlog = fmt.Sprintf("[-] smb2 %v:%v %v %v %v", info.Host, 445, user, common.Hash, err)
} else {
errlog = fmt.Sprintf("[-] smb2 %v:%v %v %v %v", info.Host, 445, user, pass, err)
}
errlog = strings.Replace(errlog, "\n", " ", -1)
common.LogError(errlog)
tmperr = err
if common.CheckErrs(err) {
return err
}
if time.Now().Unix()-starttime > (int64(len(common.Userdict["smb"])*len(common.HashBytes)) * common.Timeout) {
return err
}
}
if len(common.Hash) > 0 {
break
}
}
}
} else {
for _, user := range common.Userdict["smb"] {
for _, pass := range common.Passwords {
pass = strings.Replace(pass, "{user}", user, -1)
hash := []byte{}
flag, err, flag2 := Smb2Con(info, user, pass, hash, hasprint)
if flag2 {
hasprint = true
}
if flag == true {
var result string
if common.Domain != "" {
result = fmt.Sprintf("[+] SMB2 %v:%v:%v\\%v ", info.Host, info.Ports, common.Domain, user)
} else {
result = fmt.Sprintf("[+] SMB2 %v:%v:%v ", info.Host, info.Ports, user)
}
if len(hash) > 0 {
result += "hash: " + common.Hash
} else {
result += pass
}
common.LogSuccess(result)
return err
} else {
var errlog string
if len(common.Hash) > 0 {
errlog = fmt.Sprintf("[-] smb2 %v:%v %v %v %v", info.Host, 445, user, common.Hash, err)
} else {
errlog = fmt.Sprintf("[-] smb2 %v:%v %v %v %v", info.Host, 445, user, pass, err)
}
errlog = strings.Replace(errlog, "\n", " ", -1)
common.LogError(errlog)
tmperr = err
if common.CheckErrs(err) {
return err
}
if time.Now().Unix()-starttime > (int64(len(common.Userdict["smb"])*len(common.Passwords)) * common.Timeout) {
return err
}
}
if len(common.Hash) > 0 {
break
}
}
}
} }
return tmperr // 使用密码认证模式
return smbPasswordScan(info, hasprint, startTime)
} }
// smbHashScan 使用哈希进行认证扫描
func smbHashScan(info *common.HostInfo, hasprint bool, startTime int64) error {
for _, user := range common.Userdict["smb"] {
for _, hash := range common.HashBytes {
success, err, printed := Smb2Con(info, user, "", hash, hasprint)
if printed {
hasprint = true
}
if success {
logSuccessfulAuth(info, user, "", hash)
return err
}
logFailedAuth(info, user, "", hash, err)
if shouldStopScan(err, startTime, len(common.Userdict["smb"])*len(common.HashBytes)) {
return err
}
if len(common.Hash) > 0 {
break
}
}
}
return nil
}
// smbPasswordScan 使用密码进行认证扫描
func smbPasswordScan(info *common.HostInfo, hasprint bool, startTime int64) error {
for _, user := range common.Userdict["smb"] {
for _, pass := range common.Passwords {
pass = strings.ReplaceAll(pass, "{user}", user)
success, err, printed := Smb2Con(info, user, pass, []byte{}, hasprint)
if printed {
hasprint = true
}
if success {
logSuccessfulAuth(info, user, pass, []byte{})
return err
}
logFailedAuth(info, user, pass, []byte{}, err)
if shouldStopScan(err, startTime, len(common.Userdict["smb"])*len(common.Passwords)) {
return err
}
if len(common.Hash) > 0 {
break
}
}
}
return nil
}
// logSuccessfulAuth 记录成功的认证
func logSuccessfulAuth(info *common.HostInfo, user, pass string, hash []byte) {
var result string
if common.Domain != "" {
result = fmt.Sprintf("[✓] SMB2认证成功 %v:%v Domain:%v\\%v ",
info.Host, info.Ports, common.Domain, user)
} else {
result = fmt.Sprintf("[✓] SMB2认证成功 %v:%v User:%v ",
info.Host, info.Ports, user)
}
if len(hash) > 0 {
result += fmt.Sprintf("Hash:%v", common.Hash)
} else {
result += fmt.Sprintf("Pass:%v", pass)
}
common.LogSuccess(result)
}
// logFailedAuth 记录失败的认证
func logFailedAuth(info *common.HostInfo, user, pass string, hash []byte, err error) {
var errlog string
if len(hash) > 0 {
errlog = fmt.Sprintf("[x] SMB2认证失败 %v:%v User:%v Hash:%v Err:%v",
info.Host, info.Ports, user, common.Hash, err)
} else {
errlog = fmt.Sprintf("[x] SMB2认证失败 %v:%v User:%v Pass:%v Err:%v",
info.Host, info.Ports, user, pass, err)
}
errlog = strings.ReplaceAll(errlog, "\n", " ")
common.LogError(errlog)
}
// shouldStopScan 检查是否应该停止扫描
func shouldStopScan(err error, startTime int64, totalAttempts int) bool {
if common.CheckErrs(err) {
return true
}
if time.Now().Unix()-startTime > (int64(totalAttempts) * common.Timeout) {
return true
}
return false
}
// Smb2Con 尝试SMB2连接并进行认证检查共享访问权限
func Smb2Con(info *common.HostInfo, user string, pass string, hash []byte, hasprint bool) (flag bool, err error, flag2 bool) { func Smb2Con(info *common.HostInfo, user string, pass string, hash []byte, hasprint bool) (flag bool, err error, flag2 bool) {
conn, err := net.DialTimeout("tcp", info.Host+":445", time.Duration(common.Timeout)*time.Second) // 建立TCP连接
conn, err := net.DialTimeout("tcp", fmt.Sprintf("%s:445", info.Host),
time.Duration(common.Timeout)*time.Second)
if err != nil { if err != nil {
return return false, fmt.Errorf("连接失败: %v", err), false
} }
defer conn.Close() defer conn.Close()
// 配置NTLM认证
initiator := smb2.NTLMInitiator{ initiator := smb2.NTLMInitiator{
User: user, User: user,
Domain: common.Domain, Domain: common.Domain,
} }
// 设置认证方式(哈希或密码)
if len(hash) > 0 { if len(hash) > 0 {
initiator.Hash = hash initiator.Hash = hash
} else { } else {
initiator.Password = pass initiator.Password = pass
} }
// 创建SMB2会话
d := &smb2.Dialer{ d := &smb2.Dialer{
Initiator: &initiator, Initiator: &initiator,
} }
session, err := d.Dial(conn)
if err != nil {
return false, fmt.Errorf("SMB2会话建立失败: %v", err), false
}
defer session.Logoff()
s, err := d.Dial(conn) // 获取共享列表
shares, err := session.ListSharenames()
if err != nil { if err != nil {
return return false, fmt.Errorf("获取共享列表失败: %v", err), false
}
defer s.Logoff()
names, err := s.ListSharenames()
if err != nil {
return
} }
// 打印共享信息(如果未打印过)
if !hasprint { if !hasprint {
var result string logShareInfo(info, user, pass, hash, shares)
if common.Domain != "" {
result = fmt.Sprintf("[*] SMB2-shares %v:%v:%v\\%v ", info.Host, info.Ports, common.Domain, user)
} else {
result = fmt.Sprintf("[*] SMB2-shares %v:%v:%v ", info.Host, info.Ports, user)
}
if len(hash) > 0 {
result += "hash: " + common.Hash
} else {
result += pass
}
result = fmt.Sprintf("%v shares: %v", result, names)
common.LogSuccess(result)
flag2 = true flag2 = true
} }
fs, err := s.Mount("C$")
// 尝试访问C$共享以验证管理员权限
fs, err := session.Mount("C$")
if err != nil { if err != nil {
return return false, fmt.Errorf("挂载C$失败: %v", err), flag2
} }
defer fs.Umount() defer fs.Umount()
// 尝试读取系统文件以验证权限
path := `Windows\win.ini` path := `Windows\win.ini`
f, err := fs.OpenFile(path, os.O_RDONLY, 0666) f, err := fs.OpenFile(path, os.O_RDONLY, 0666)
if err != nil { if err != nil {
return return false, fmt.Errorf("访问系统文件失败: %v", err), flag2
} }
defer f.Close() defer f.Close()
flag = true
return
//bs, err := ioutil.ReadAll(f)
//if err != nil {
// return
//}
//fmt.Println(string(bs))
//return
return true, nil, flag2
} }
//if info.Path == ""{ // logShareInfo 记录SMB共享信息
//} func logShareInfo(info *common.HostInfo, user string, pass string, hash []byte, shares []string) {
//path = info.Path var result string
//f, err := fs.OpenFile(path, os.O_RDONLY, 0666)
//if err != nil { // 构建基础信息
// return if common.Domain != "" {
//} result = fmt.Sprintf("[*] SMB2共享信息 %v:%v Domain:%v\\%v ",
//flag = true info.Host, info.Ports, common.Domain, user)
//_, err = f.Seek(0, io.SeekStart) } else {
//if err != nil { result = fmt.Sprintf("[*] SMB2共享信息 %v:%v User:%v ",
// return info.Host, info.Ports, user)
//} }
//bs, err := ioutil.ReadAll(f)
//if err != nil { // 添加认证信息
// return if len(hash) > 0 {
//} result += fmt.Sprintf("Hash:%v ", common.Hash)
//fmt.Println(string(bs)) } else {
//return result += fmt.Sprintf("Pass:%v ", pass)
//f, err := fs.Create(`Users\Public\Videos\hello.txt`) }
//if err != nil {
// return // 添加共享列表
//} result += fmt.Sprintf("可用共享: %v", shares)
//flag = true common.LogSuccess(result)
// }
//_, err = f.Write([]byte("Hello world!"))
//if err != nil {
// return
//}
//
//_, err = f.Seek(0, io.SeekStart)
//if err != nil {
// return
//}
//bs, err := ioutil.ReadAll(f)
//if err != nil {
// return
//}
//fmt.Println(string(bs))
//return