{"id":1113,"date":"2022-10-04T19:59:07","date_gmt":"2022-10-04T11:59:07","guid":{"rendered":"https:\/\/byy3.com\/?p=1113"},"modified":"2022-10-04T22:24:30","modified_gmt":"2022-10-04T14:24:30","slug":"%e6%8a%8anmap%e6%89%ab%e6%8f%8f%e7%bb%93%e6%9e%9c%e5%8f%91%e9%80%81%e5%88%b0%e9%82%ae%e7%ae%b1","status":"publish","type":"post","link":"https:\/\/byy3.com\/?p=1113","title":{"rendered":"\u628anmap\u626b\u63cf\u7ed3\u679c\u53d1\u9001\u5230\u90ae\u7bb1"},"content":{"rendered":"

VPS\u4e0a\u7684Nmap\u8fd8\u5728\u626b\u63cf\u5de5\u4f5c\u7740\uff0c\u800c\u4f60\u5df2\u7ecf\u628a\u5b83\u5fd8\u4e86\u5fd9\u7740\u5176\u4ed6\u4e8b\u60c5\u3002\u7a81\u7136\uff0c\u4e00\u5c01\u90ae\u4ef6\u53d1\u6765\uff0c\u5411\u4f60\u6c47\u62a5\u672c\u6b21\u626b\u63cf\u5b8c\u6bd5\uff0c\u548c\u5177\u4f53\u7684\u626b\u63cf\u62a5\u544a\u3002\u662f\u4e0d\u662f\u89c9\u5f97\u5f88\u65b9\u4fbf\uff1f\u501f\u52a9Nmap\u7684\u5e93\u6587\u4ef6\u548cNSE\u5f15\u64ce\uff0c\u8fd9\u4ef6\u4e8b\u60c5\u5c06\u53d8\u5f97\u7b80\u5355\u3002<\/p>\n

0x01 \u4eceSMTP\u534f\u8bae\u8bf4\u8d77<\/h2>\n
\u4f18\u79c0\u7684\u626b\u63cf\u5668\u90fd\u6709\u90ae\u4ef6\u901a\u77e5\u7684\u529f\u80fd\uff0cNmap\u4e5f\u4e00\u6837\uff0c\u5728Nmap\u7684\u5e93\u6587\u4ef6\u4e2d\u5df2\u7ecf\u4e3a\u6211\u4eec\u63d0\u4f9b\u4e86\u7528\u6765\u64cd\u4f5cSMTP\u534f\u8bae\u7684\u5e93\u6587\u4ef6`smtp.lua<\/code>\u3002<\/p>\n`
\u90ae\u4ef6\u7684\u53d1\u9001\u4f9d\u9760\u7684\u662fSMTP\u534f\u8bae\uff0c\u5728smtp.lua<\/code>\u8fd9\u4e2a\u5e93\u6587\u4ef6\uff0c\u517114\u4e2a\u51fd\u6570\u6709\u5173SMTP\u90ae\u4ef6\u7684\u53d1\u9001\uff0c\u4e14\u8be5\u5e93\u652f\u6301SMTP\u6307\u4ee4EHLO<\/code>\uff0cHELP<\/code>\uff0cAUTH<\/code>\uff0cMAIL<\/code>\uff0cRCPT<\/code>\uff0cDATA<\/code>\uff0cSTARTTLS<\/code>\uff0cRSET<\/code>\uff0cVREY<\/code>\uff0cEXPN<\/code>10\u4e2a\u6307\u4ee4\uff0c\u501f\u52a9socket\u6211\u4eec\u5176\u5b9e\u53ef\u4ee5\u53d1\u9001\u4efb\u4f55\u7684SMTP\u6307\u4ee4\u3002<\/p>\n
`\u4e3a\u4e86\u4fbf\u4e8e\u6211\u4eec\u6765\u7406\u89e3SMTP\u6307\u4ee4\u7684\u4f7f\u7528\uff0c\u4e0b\u9762\u6211\u7b80\u5355\u4ecb\u7ecd\u4e0b\uff0c\u5728CMD\u4e0b\uff0c\u5982\u4f55\u7528telnet\u53d1\u9001SMTP\u6307\u4ee4\u7684\u65b9\u5f0f\u53d1\u51fa\u4e00\u5c01\u90ae\u4ef6\u3002<\/p>\n`
`telnet smtp.163.com 25<\/code><\/p>\n`
`\n<\/code><\/p>\n`
`\u00a0<\/code><\/p>\n`
`\u6253\u5f00163\u90ae\u7bb1\uff0c\u6536\u5230\u53d1\u51fa\u7684\u90ae\u4ef6\u3002<\/p>\n`
`<\/p>\n`
`\u719f\u6089\u4e86\u4ee5\u4e0a\u8fc7\u7a0b\uff0c\u5c31\u80fd\u591f\u660e\u767dsmtp.lua<\/code>\u8fd9\u4e2a\u5e93\u7684\u6bcf\u4e2a\u51fd\u6570\u90fd\u662f\u5728\u5e72\u4e9b\u4ec0\u4e48\u4e86\uff0c\u4e5f\u65b9\u4fbf\u6211\u4eec\u53bb\u6269\u5145\u548c\u4fee\u6539\u3002<\/p>\n`

0x02 smtp\u5e93\u6587\u4ef6\u00a0 cd \/usr\/share\/nmap\/scripts\/smtp.nse<\/h2>\n\u6839\u636e\u4e0a\u8ff0\u8fc7\u7a0b\uff0c\u6211\u4eec\u6765\u8ba4\u8bc6\u4e0bsmtp.lua<\/code>\u6211\u4eec\u9700\u8981\u7528\u5230\u7684\u51e0\u4e2a\u51fd\u6570\u3002<\/p>\n
\nconnect\u51fd\u6570<\/strong>\u53d1\u8d77SMTP\u8fde\u63a5\uff0c\u5e76\u786e\u8ba4\u5bf9\u65b9\u662f\u5426\u9700\u8981ssl<\/code>\u7684\u652f\u6301\u3002<\/li>\n
ehlo\u51fd\u6570<\/strong>ehlo<\/code>\u51fd\u6570\uff0c\u5176\u5b9e\u5c31\u662f\u53d1\u9001ehlo<\/code>\u7684\u6307\u4ee4\uff0c\u662f\u6269\u5c55\u7684helo<\/code>\u6307\u4ee4\uff0c\u670d\u52a1\u5668\u4f1a\u5728\u54cd\u5e94\u4e2d\u8868\u660e\u81ea\u5df1\u652f\u6301\u7684\u8ba4\u8bc1\u65b9\u5f0f\u3002<\/li>\n
login\u51fd\u6570<\/strong>login = function(socket, username, password, mech)<\/code>mech<\/code>\uff1a\u6307\u5f97\u662f\u8ba4\u8bc1\u65b9\u5f0f\uff0c\u8be5\u51fd\u6570\u652f\u6301LOGIN<\/code>,\u00a0PLAIN<\/code>,\u00a0CRAM-MD5<\/code>,\u00a0DIGEST-MD5<\/code>\u548cNTLM<\/code>\u8fd95\u79cd\u65b9\u5f0f\uff0c\u4e00\u822c\u6211\u4eec\u4f7f\u7528LOGIN<\/code>\u3002<\/li>\n
mail\u51fd\u6570<\/strong>mail = function(socket, address, esmtp_opts)<\/code>\uff1a\u53d1\u9001mail<\/code>\u6307\u4ee4\u3002address<\/code>\uff1a\u53c2\u6570\u7528\u6765\u6307\u5b9a\u53d1\u4ef6\u4eba\u5730\u5740\u3002esmtp_opts<\/code>\uff1a \u7528\u6765\u8bbe\u5b9a\u90ae\u4ef6\u5927\u5c0f\uff0cenvid\uff0ctransid\u7b49\uff0c\u4e0d\u8bbe\u5b9a\u53ef\u4ee5\u8bbe\u4e3anil<\/li>\n
recipient\u51fd\u6570<\/strong>recipient = function(socket, address)<\/code>address<\/code>\uff1a\u53c2\u6570\u7528\u6765\u6307\u5b9a\u6536\u4ef6\u4eba\u5730\u5740\u3002<\/li>\n
datasend\u51fd\u6570<\/strong>datasend = function(socket, data)<\/code>\u53d1\u9001\u90ae\u4ef6\u5185\u5bb9\u3002<\/li>\n
query\u51fd\u6570<\/strong>query = function(socket, cmd, data, lines)<\/code>\u53d1\u9001\u90ae\u4ef6\u8bf7\u6c42\u3002cmd<\/code>\uff1a\u662fSMTP\u7684\u6307\u4ee4\u53c2\u6570\u3002data<\/code>\uff1a\u662f\u6307\u4ee4\u7684\u5185\u5bb9\u3002<\/li>\n<\/ul>\n0x03 \u7f16\u5199NSE\u811a\u672c\u53d1\u9001\u626b\u63cf\u62a5\u544a<\/h2>\n\u7f16\u5199\u811a\u672c\u9047\u5230\u7684\u4e24\u4e2a\u95ee\u9898\uff0c\u4e00\u4e2a\u662f\u5982\u4f55\u83b7\u53d6\u626b\u63cf\u7ed3\u679c\uff0c\u53e6\u5916\u4e00\u4e2a\u662f\u5982\u4f55\u53d1\u9001\u90ae\u4ef6\u6b63\u6587\u3002<\/p>\n
\u867d\u7136\u6211\u4eec\u6709API\u53ef\u4ee5\u8c03\u7528\uff0c\u4f46\u662f\u4e00\u76f4\u6ca1\u6709\u627e\u5230\u8c03\u7528\u6240\u6709\u7ed3\u679c\u7684\u90a3\u4e2aAPI\uff0c\u6240\u4ee5\u5c31\u51b3\u5b9a\u5148\u628a\u626b\u63cf\u7ed3\u679c\u5199\u5728\u4e00\u4e2a\u6587\u4ef6\u91cc\uff0c\u7136\u540e\u8bfb\u53d6\u8be5\u6587\u4ef6\u3002nmap <TARGET> --script smtp -oG 1.txt<\/code>\u8fd9\u4e2a\u65b9\u6cd5\u6709\u70b9\u7b80\u5355\u7c97\u66b4\u54c8\uff0c\u6709\u66f4\u597d\u65b9\u6848\u7684\u5c0f\u4f19\u4f34\u5417\uff1f<\/p>\n
\u6ce8\u610f\uff0c\u56e0\u4e3a\u53d1\u9001\u90ae\u4ef6\u5934\u548c\u90ae\u4ef6\u6b63\u6587\u662f\u6709\u4e00\u4e2a\u56de\u8f66\u6362\u884c\u7684\uff0c\u4f46\u662f\u5b9e\u9645\u4ee3\u7801\uff0c\u6211\u786e\u662f\u62fc\u63a5\u4e862\u4e2a\\r\\n<\/code>\u624d\u533a\u5206\u5f00\u6b63\u6587\u548c\u90ae\u4ef6\u5934\u3002<\/p>\n
\u5b8c\u6574\u7684NSE\u811a\u672c\uff1a<\/p>\n
local shortport = require \"shortport\"\r\nlocal smtp = require \"smtp\"\r\n\r\ndescription = [[send the scan result use smtp]]\r\nauthor = \"reborn\"\r\nlicense = \"Same as Nmap--See http:\/\/nmap.org\/book\/man-legal.html\"\r\ncategories = {\"default\"}\r\n\r\n--[[\r\n example:nmap <TARGET> --script smtp -oG 1.txt\r\n 1.txt is the smtp.nse use ,if you want replace or rename , modify the code.\r\n]]\r\n\r\npostrule = function () return true end\r\naction = function(host, port)\r\n local socket,resp = smtp.connect(\"smtp.163.com\",25,{ssl = false,recv_before = true})\r\n\r\n if ( not(socket) ) then return fail(\"Failed to connect to SMTP server\") end\r\n\r\n local st, resp =smtp.ehlo(socket,\"smtp.163.com\") -- \u53d1\u9001ehlo\uff0c\u83b7\u53d6\u90ae\u4ef6\u670d\u52a1\u5668\u652f\u6301\u7684\u767b\u9646\u65b9\u5f0f\r\n local status, err =smtp.login(socket,\"rebornxxx@163.com\",\"xxxxxx\",\"LOGIN\") -- \u767b\u9646 \u5bc6\u7801xxx\u4e3a\u4f60\u7684\u90ae\u7bb1\u6388\u6743\u7801\r\n\r\n if(status) then\r\n local mail_st,mail_response = smtp.mail(socket,\"rebornxxx@163.com\",nil) --\u8bbe\u7f6e\u53d1\u4ef6\u4eba\r\n\r\n local recipient_st,recipient_response = smtp.recipient(socket,\"rebornxxx@163.com\") --\u8bbe\u7f6e\u6536\u4ef6\u4eba \r\n\r\n -- \u8bfb\u53d6\u626b\u63cf\u7ed3\u679c\uff0c\u8bbe\u7f6e\u90ae\u4ef6\u5934\u548c\u6b63\u6587\r\n local result = ''\r\n for line in io.lines(\"\/root\/1.txt\") do\r\n line = string.gsub(line,\"\/\",\" \")\r\n line = string.gsub(line,\",\",\"\\r\\n\")\r\n result = result .. line .. \"\\r\\n\"\r\n end \r\n senddata=\"subject:The scan result\\r\\n\" .. \"from:reborn\\r\\n\" ..\"\\r\\n\".. result\r\n -- \u90ae\u4ef6\u53d1\u9001\r\n local st2 ,resp2 = smtp.datasend(socket,senddata) \r\n print(st2,resp2)\r\n smtp.quit(socket)\r\n socket:close()\r\n end\r\n return \"send mail test....\"\r\nend\r\n<\/pre>\n<\/p>\n
\u6536\u53d6\u5230Nmap\u626b\u63cf\u7ed3\u679c\u7684\u90ae\u4ef6\uff1a<\/strong><\/p>\n

\n<\/strong><\/p>\n
<\/p>\n
0x04 \u5173\u4e8e\u5199\u4e0a\u8ff0\u811a\u672c\u7684\u4e00\u4e9b\u5176\u4ed6\u601d\u8def<\/h2>\n\n\u6709\u7684\u5c0f\u4f19\u4f34\u8bf4python\u73a9\u5f97\u6e9c\uff0c\u4e3a\u5565\u8981\u7528lua\u3002<\/li>\n<\/ul>\n\u6ca1\u9519\uff0c\u7528python\u53d1\u90ae\u4ef6\u66f4\u52a0\u5bb9\u6613\uff0c\u800c\u4e14\u6211\u4eec\u53ef\u4ee5\u5728lua\u4e2d\u6765\u6267\u884cpython\u811a\u672c\uff0c\u7b80\u5355\u7c97\u66b4\u7684\u65b9\u5f0f\u5982\u4e0b\uff1a\u76f4\u63a5\u7528lua\u7684os.execute<\/code>\u547d\u4ee4\u6267\u884c\u7cfb\u7edf\u547d\u4ee4\uff0c\u800csendmail.py<\/code>\u5219\u5199\u597d\u4e86\u5982\u4f55\u53d1\u9001\u90ae\u4ef6\u3002os.execute('python \"C:\\\\Program Files (x86)\\\\Nmap\\\\nselib\\\\sendmail.py\"')<\/code><\/p>\n
\n\u5173\u4e8e\u6269\u5c55smtp.lua<\/code>\u5e93\u5176\u5b9esmtp\u5e93\u7684\u5404\u79cd\u8fde\u63a5\uff0c\u767b\u9646\uff0c\u53d1\u9001\u6570\u636e\uff0c\u5b8c\u5168\u53ef\u4ee5\u7528socket<\/code>\u6765\u76f4\u63a5\u5b8c\u6210\u4e86\uff0c\u4e4b\u524d\u4e00\u76f4\u4e0d\u4f1a\u7528datasend<\/code>\u8fd9\u4e2a\u51fd\u6570\u7684\u7528\u6cd5\uff0c\u662f\u91c7\u7528\u5982\u4e0b\u65b9\u5f0f\u66ff\u4ee3\uff1a\nlocal st, ret, response\r\nst,response =smtp.query(socket, \"DATA\")\r\nst,ret = socket:send(\"subject:test message\\r\\n\")\r\nst,ret = socket:send(\"from:reborn\\r\\n\")\r\nst,ret = socket:send(\"to:rebornxxx@163.com\\r\\n\")\r\nst,ret = socket:send(\"\\r\\n\")\r\nst,ret = socket:send(\"content\\r\\n\")\r\nst, response =smtp.query(socket, \"\\r\\n.\")\r\n<\/pre>\n<\/li>\n<\/ul>\n0x05 \u5c0f\u7ed3<\/h2>\n\u90ae\u4ef6\u53d1\u9001\u626b\u63cf\u62a5\u544a\u89e3\u51b3\u4e86\u5e73\u65f6\u4e0d\u77e5\u4f55\u65f6\u626b\u63cf\u7ed3\u675f\u7684\u4e00\u4e2a\u75db\u70b9\uff0c\u7ecf\u5e38\u505a\u626b\u63cf\u4efb\u52a1\u7684\u7ae5\u978b\u53ef\u4ee5\u8bd5\u8bd5\u54c8\u3002\u672c\u671f\u5185\u5bb9\u5c31\u5230\u8fd9\u91cc\uff0c\u6211\u4eec\u4e0b\u671f\u89c1\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
VPS\u4e0a\u7684Nmap\u8fd8\u5728\u626b\u63cf\u5de5\u4f5c\u7740\uff0c\u800c\u4f60\u5df2\u7ecf\u628a\u5b83\u5fd8\u4e86\u5fd9\u7740\u5176\u4ed6\u4e8b\u60c5\u3002\u7a81\u7136\uff0c\u4e00\u5c01\u90ae\u4ef6\u53d1\u6765\uff0c\u5411\u4f60\u6c47\u62a5\u672c\u6b21\u626b\u63cf\u5b8c\u6bd5\uff0c\u548c\u5177 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14,20,1,21],"tags":[27,731,733,732,734,735],"class_list":["post-1113","post","type-post","status-publish","format-standard","hentry","category-linux","category-python","category-net-security","category-script","tag-nmap","tag-nmap-vps","tag-735"],"_links":{"self":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts\/1113","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1113"}],"version-history":[{"count":0,"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts\/1113\/revisions"}],"wp:attachment":[{"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1113"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1113"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1113"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}