执行smbmap
smbmap -H {target_ip}
显示
[*] Detected 0 hosts serving SMB [*] Closed 0 connections
vps连目标机时正常,vps距离目标时延较低
抓包显示本机直接syn, syn+ack, 第三个包直接rst
怀疑是timeout设置问题
查看帮助man smbmap
发现可以设置--timeout, 默认0.5s
于是设置为10,发现还是老样子
smbmap -H {target_ip} --timeout 10
于是查看smbmap.py关于timeout的代码,如下:
if args.scan_timeout:
if args.scan_timeout > 0 and args.scan_timeout < 10:
PORT_SCAN_TIMEOUT = args.scan_timeout
执行连接时的代码如下:
def find_open_ports(address):
result = 1
address = address.strip()
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(PORT_SCAN_TIMEOUT)
result = sock.connect_ex((address, 445))
if result == 0:
sock.close()
return address
else:
return False
except Exception as e:
return False
终于发现问题了
PORT_SCAN_TIMEOUT默认值0.5
问题一,PORT_SCAN_TIMEOUT在设置该值的函数中没有声明global,导致该设置是无效的,find_open_ports在调用PORT_SCAN_TIMEOUT恒为0.5
问题二,scan_timeout只接受0 ~ 10之间的值,超出这个范围就是0.5,但是帮助里没给提示
上面问题,导致时延大于500MS的环境,就会扫描失败,看提示还看不出来,设置timeout也不管用
解决方法:
在设置PORT_SCAN_TIMEOUT的代码前加global,并且--timeout只能用0~10之间的数
global PORT_SCAN_TIMEOUT
if args.scan_timeout:
if args.scan_timeout > 0 and args.scan_timeout < 10:
PORT_SCAN_TIMEOUT = args.scan_timeout
还有个问题,Authenticating认证时如果因为超时报Connection error on {target_ip}
是因为认证连接时的代码也有设置timeout,这个timeout默认3秒,执行脚本时不提供修改该值的参数,只能直接修改代码
def login(host):
smbconn = None
try:
if host['port'] == 445:
smbconn = SMBConnection(host['ip'], host['ip'], sess_port=host['port'], timeout=3)
else:
smbconn = SMBConnection('*SMBSERVER', host['host'], sess_port=host['port'], timeout=3)
直接改为timeout=10即可
标签:serving,SCAN,scan,args,host,hosts,timeout,smbmap,PORT From: https://www.cnblogs.com/guxh/p/18352673