139, 445 - SMB
Version of SMB
SMB1 version susceptible to known attacks (Eternal blue , wanna cry), Disabled by default in newer Windows version
SMB2 reduced “chattiness” of SMB1. Guest access disabled by default
SMB3 guest access disabled, uses encryption. Most secure.
Nmap Scanning
nmap -n -v -Pn -p139,445 -sV 192.168.0.101
# Getting version information
nmap 192.168.0.101 --script=smb-enum*
nmap 192.168.0.101 --script=smb-vuln*
nmap 192.168.0.101 --script=smb-os*
nmap 192.168.0.101 --script smb-enum-shares -p 139,445
List Available Shares
smbclient
smbclient -L \\\\192.168.1.101\\
# Will list all shares
smbclient -L \\$ip --option='client min protocol=NT1'
# if getting error "protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED"
smbclient //HOST/PATH -c 'recurse;ls'
# List all files recursly
smbmap
smbmap -H $ip
# Will list all shares with available permissions
smbmap -H $ip -R $sharename
# Recursively list dirs, and files
smbmap -u '' -p '' -H $ip
smbmap -u guest -p '' -H $ip
smbmap -u jsmith -p password1 -d workgroup -H 192.168.0.1
# With credentials
Connecting To Shares
smbclient \\\\192.168.1.101\\C$
smbclient \\\\192.168.1.101\\C$ --option='client min protocol=NT1'
smbclient \\\\192.168.1.101\\admin$ -U t-skid
# Connect with valid username and password
# Specify username with -U
Downloading multi files
smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *
# With smbclient
smbmap -R $sharename -H $ip -A $fileyouwanttodownload -q
# Downloads a file in quiet mode
smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -s wwwroot -R -A '.*'
# download everything recursively in the wwwroot share to /usr/share/smbmap. great when smbclient doesnt work
Enum4Linux
enum4linux -a $ip
enum4linux -u 'guest' -p '' -a $ip
RPCclient
A null session is a connection with a samba or SMB server that does not require authentication with a password.
Kar0n@htb[/htb]$ rpcclient -U "" 10.129.14.128
RPCclient Commands
| Command | Description |
|---|---|
srvinfo |
Get general server information. |
enumdomains |
Enumerate all domains in the network. |
querydominfo |
Retrieve domain, server, and user details of deployed domains. |
netshareenumall |
List all available network shares. |
netsharegetinfo <share> |
Get detailed information about a specific share. |
enumdomusers |
Enumerate all domain users. |
queryuser <RID> |
Get information about a specific user by RID. |
getdompwinfo |
Retrieve domain password policy settings. |
Enumerating users with IPC$
if IPC$ share is enabled , and have anonymous access we can enumerate users through lookupsid.py
lookupsid.py anonymous@10.10.215.206
Google to see if version is vulnerable
SAMBA 3.5.11 exploit
Scripts
smbver.sh - SMB version
#!/bin/sh
#Author: rewardone
#Description:
# Requires root or enough permissions to use tcpdump
# Will listen for the first 7 packets of a null login
# and grab the SMB Version
#Notes:
# Will sometimes not capture or will print multiple
# lines. May need to run a second time for success.
if [ -z $1 ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost=$1; fi
if [ ! -z $2 ]; then rport=$2; else rport=139; fi
tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null
sleep 0.5 && echo ""
smbenum.sh - SMB Enumeration
#!/bin/bash
# smbenum 0.2 - This script will enumerate SMB using every tool in the arsenal
# SECFORCE - Antonio Quina
# All credits to Bernardo Damele A. G. <bernardo.damele@gmail.com> for the ms08-067_check.py script
IFACE="eth0"
if [ $# -eq 0 ]
then
echo "Usage: $0 <IP>"
echo "eg: $0 10.10.10.10"
exit
else
IP="$1"
fi
echo -e "\n########## Getting Netbios name ##########"
nbtscan -v -h $IP
echo -e "\n########## Checking for NULL sessions ##########"
output=`bash -c "echo 'srvinfo' | rpcclient $IP -U%"`
echo $output
echo -e "\n########## Enumerating domains ##########"
bash -c "echo 'enumdomains' | rpcclient $IP -U%"
echo -e "\n########## Enumerating password and lockout policies ##########"
polenum $IP
echo -e "\n########## Enumerating users ##########"
nmap -Pn -T4 -sS -p139,445 --script=smb-enum-users $IP
bash -c "echo 'enumdomusers' | rpcclient $IP -U%"
bash -c "echo 'enumdomusers' | rpcclient $IP -U%" | cut -d[ -f2 | cut -d] -f1 > /tmp/$IP-users.txt
echo -e "\n########## Enumerating Administrators ##########"
net rpc group members "Administrators" -I $IP -U%
echo -e "\n########## Enumerating Domain Admins ##########"
net rpc group members "Domain Admins" -I $IP -U%
echo -e "\n########## Enumerating groups ##########"
nmap -Pn -T4 -sS -p139,445 --script=smb-enum-groups $IP
echo -e "\n########## Enumerating shares ##########"
nmap -Pn -T4 -sS -p139,445 --script=smb-enum-shares $IP
echo -e "\n########## Bruteforcing all users with 'password', blank and username as password"
hydra -e ns -L /tmp/$IP-users.txt -p password $IP smb -t 1
rm /tmp/$IP-users.txt