This article was last modified 198 days ago; some of its content may have changed since. If in doubt, ask the author.

Host discovery


# Port scan with service/version detection
nmap -sV 10.129.7.254
# -Pn skips the host-discovery ping and treats the target as up (needed when ICMP is blocked)
nmap -sV -Pn 10.129.7.254

Web directory scan


dirb http://10.129.7.254/

dirsearch -u "10.129.7.254"

Questions

1. What does the 3-letter acronym SMB stand for?

Server Message Block

2. What port does SMB use to operate at?

445

3. What is the service name for port 445 that came up in our Nmap scan?

microsoft-ds

4. What is the 'flag' or 'switch' that we can use with the smbclient utility to 'list' the available shares on Dancing?

-L

5. How many shares are there on Dancing?

4

6. What is the name of the share we are able to access in the end with a blank password?

WorkShares

7. What is the command we can use within the SMB shell to download the files we find?

get

Flag


# List the shares (press Enter at the password prompt for a blank password, or add -N)
smbclient -L 10.129.7.254

# Anonymous access to the WorkShares share
smbclient //10.129.7.254/WorkShares

# Commands available inside the anonymous SMB shell

ls

cd

get

# flag.txt is eventually found; download it
get flag.txt
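The two tool outputs used above (the nmap port table and the smbclient share list) are easy to check programmatically, which is how a defender would audit a host for shares reachable without credentials. The following is an added example, not code from the original post: the function names are mine, and the nmap and smbclient outputs are constructed samples modelled on what those tools print, so the script runs offline. It reports the service nmap saw on port 445, counts the shares, and separates the default administrative shares (names ending in `$`) from the ones whose access controls deserve review.

```shell
#!/bin/sh
# Added example, not from the original post: checks over constructed nmap -sV
# and smbclient -L output. Function names and sample data are assumptions.

# Constructed: trimmed nmap -sV output for the SMB-related ports.
SAMPLE_NMAP='PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds'

# Constructed: the share table smbclient -L prints (indented rows).
SAMPLE_SHARES='	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	WorkShares      Disk      
Reconnecting with SMB1 for workgroup listing.'

# service_for_port NMAP_OUTPUT PORT -> service nmap reported for PORT/tcp (open only)
service_for_port() {
    printf '%s\n' "$1" | awk -v p="$2/tcp" '$1 == p && $2 == "open" { print $3 }'
}

# list_shares SMBCLIENT_OUTPUT -> one share name per line, taken from the rows
# between the dashed rule and the first blank or unindented line.
list_shares() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]+-+[[:space:]]+-+/ { in_table = 1; next }
        in_table && (NF == 0 || $0 !~ /^[[:space:]]/) { in_table = 0 }
        in_table { print $1 }'
}

# count_shares SMBCLIENT_OUTPUT -> number of shares in the table
count_shares() {
    list_shares "$1" | wc -l | tr -d ' '
}

# non_admin_shares SMBCLIENT_OUTPUT -> shares whose name does not end in "$",
# i.e. not the default administrative shares; these are the ones to review
# for anonymous (blank-password) access.
non_admin_shares() {
    list_shares "$1" | grep -v '\$$'
}

# Stand-alone run: show what each check finds on the constructed samples.
echo "port 445 service: $(service_for_port "$SAMPLE_NMAP" 445)"
echo "share count:      $(count_shares "$SAMPLE_SHARES")"
echo "non-admin shares: $(non_admin_shares "$SAMPLE_SHARES" | tr '\n' ' ')"
```

To use it against a live host you would replace the two sample variables with `nmap -sV -Pn <host>` and `smbclient -N -L <host>` output; the parsing does not depend on the sample values.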