```
root@KaliLinux:~# cat /usr/share/nmap/scripts/smb-check-vulns.nse | more
local msrpc = require "msrpc"
local nmap = require "nmap"
local smb = require "smb"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"

description = [[
Checks for vulnerabilities:
* MS08-067, a Windows RPC vulnerability
* Conficker, an infection by the Conficker worm
* Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally found in Windows 2000
* SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
* MS06-025, a Windows Ras RPC service vulnerability
* MS07-029, a Windows Dns Server RPC service vulnerability

WARNING: These checks are dangerous, and are very likely to bring down a server.
These should not be run in a production environment unless you (and, more importantly,
the business) understand the risks!
```
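Before running an NSE script that carries a warning like the one above, it is worth inventorying what it checks without executing it. The following is an added Python example, not from the book or from nmap, that parses the `description` long string and the `categories` table of a script; the sample text is constructed from the header shown above, and the set of categories treated as unsafe is an assumption.

```python
import re

# Constructed sample modelled on the header of smb-check-vulns.nse shown above;
# not the full script, only the metadata a pre-run inventory needs.
SAMPLE_NSE = r'''
local msrpc = require "msrpc"
local smb = require "smb"
description = [[
Checks for vulnerabilities:
* MS08-067, a Windows RPC vulnerability
* Conficker, an infection by the Conficker worm
* SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
* MS06-025, a Windows Ras RPC service vulnerability
WARNING: These checks are dangerous, and are very likely to bring down a server.
]]
categories = {"intrusive", "exploit", "dos", "vuln"}
'''

# Assumption: these nmap categories should be flagged before a script is
# pointed at production hosts.
UNSAFE_CATEGORIES = {"intrusive", "dos", "exploit"}
REF_RE = re.compile(r"\b(?:MS\d{2}-\d{3}|CVE-\d{4}-\d{4,})\b")


def parse_nse_metadata(text):
    """Return what an NSE script claims to check, from its Lua metadata only;
    nothing in the script is executed."""
    m = re.search(r"description\s*=\s*\[\[(.*?)\]\]", text, re.S)
    desc = m.group(1).strip() if m else ""
    # Bullet lines in the description list the individual checks.
    checks = [ln.lstrip()[1:].strip() for ln in desc.splitlines()
              if ln.lstrip().startswith("*")]
    refs = sorted(set(REF_RE.findall(desc)))      # MS bulletins and CVE ids
    c = re.search(r"categories\s*=\s*\{(.*?)\}", text, re.S)
    cats = re.findall(r'"([^"]+)"', c.group(1)) if c else []
    return {
        "checks": checks,
        "references": refs,
        "categories": cats,
        "unsafe": bool(UNSAFE_CATEGORIES & set(cats)) or "WARNING" in desc,
    }


if __name__ == "__main__":
    info = parse_nse_metadata(SAMPLE_NSE)
    print("\n".join("- " + chk for chk in info["checks"]))
    print("references:", ", ".join(info["references"]), "| unsafe:", info["unsafe"])
```

Point `parse_nse_metadata` at the text of any file under `/usr/share/nmap/scripts` to get the same inventory for a real script.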
In the example provided, we can see that the `smb-check-vulns.nse` script checks for a number of denial-of-service and remote-code-execution vulnerabilities associated with the SMB service. Here, a description of each vulnerability assessed can be found, along with references to the Microsoft patch and CVE numbers and other information that can be looked up online. By reading further, we can learn more about the script, like this:
This module exploits a password bypass vulnerability in MySQL in order to extract the usernames and encrypted password hashes from a MySQL server. These hashes are stored as loot for later cracking.
```
msf auxiliary(ms12_020_check) > set RHOSTS 172.16.36.225
RHOSTS => 172.16.36.225
msf auxiliary(ms12_020_check) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

In this particular case, the system was not found to be vulnerable. However, in the case that a vulnerable system is identified, there is a corresponding exploitation module that can be used to actually cause a denial of service on the vulnerable system. This can be seen in the example provided:
```
msf auxiliary(ms12_020_check) > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf auxiliary(ms12_020_maxchannelids) > info

       Name: MS12-020 Microsoft Remote Desktop Use-After-Free DoS
     Module: auxiliary/dos/windows/rdp/ms12_020_maxchannelids
    Version: 0
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Luigi Auriemma
  Daniel Godas-Lopez
  Alex Ionescu
  jduck <jduck@metasploit.com>
  #ms12-020

Basic options:
  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  RHOST                   yes       The target address
  RPORT  3389             yes       The target port

Description:
  This module exploits the MS12-020 RDP vulnerability originally
  discovered and reported by Luigi Auriemma. The flaw can be found in
  the way the T.125 ConnectMCSPDU packet is handled in the maxChannelIDs
  field, which will result an invalid pointer being used, therefore
  causing a denial-of-service condition.
```