Checklist
On seeing TCP 445 on a Windows host:
- Enumerate Host
- netexec smb [ip]
- List Shares
- netexec smb [host/ip] -u [user] -p [pass] --shares
- netexec smb [host/ip] -u guest -p '' --shares
- smbclient -N -L //[ip]
- Enumerate Files
- smbclient //[ip]/[share] -N
- smbclient //[ip]/[share] -U [username] [password]
- netexec smb [ip] -u [user] -p [pass] -M spider_plus
- smbclient.py '[domain]/[user]:[pass]@[ip/host]' -k -no-pass - Kerberos auth
- RID Cycling - User enumeration
- lookupsid.py guest@[ip] -no-pass
- netexec smb [ip] -u guest -p '' --rid-brute
- Check for Vulnerabilities - nmap --script "smb-vuln*" -p 139,445 [ip]
Tools
Recommended
- netexec
- General network service enumeration / exploitation tool, great SMB support.
- Install with pipx: pipx install git+[repo URL]
- Formerly crackmapexec.
- smbclient
- Linux SMB client
- Install with apt install smbclient.
- Impacket Example Scripts
- Impacket is a collection of Python classes for working with network protocols. The Example Scripts contain some really great tools for pentesters / hackers, including SMB scripts like smbclient.py and lookupsid.py.
- Install with pipx: pipx install impacket.
- nmap
- General port scanner.
- Useful to identify open TCP 445, as well as scripts to identify vulnerabilities.
- Install with apt install nmap.
Other Tools
There are a bunch of other tools out there that can be useful in different scenarios, some of which showed up in older versions of this post, for example smbmap and enum4linux. There's nothing wrong with these tools; I just find myself not using them much anymore.
Background
SMB, or Server Message Block, is a very complicated protocol designed to handle file sharing, printer sharing, serial ports, and other communications between nodes in a network. It is primarily a Windows protocol, but Linux implementations like Samba do exist.
Today, the SMB server listens on TCP port 445, and it would be very strange to see it on another port. Before Windows 2000, SMB ran over NetBIOS, using UDP 137 and 138 and TCP 139. Hosts that only speak NetBIOS are rare today, though TCP 139 is still frequently open alongside 445.
In general, when enumerating SMB, the primary goal is the file system: finding interesting files to read, or writable locations. It's also worth trying to enumerate users (see RID Cycling), and keep in mind to look for serious vulnerabilities in older or unpatched networks.
Details
Enumerate Host
The most basic run of netexec will give a wealth of information about the host, including the hostname, the domain, the OS version, and details about SMB version and if signing is enabled.
Code:
oxdf@hacky$ netexec smb 10.10.11.236
SMB 10.10.11.236 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
List Shares
netexec
netexec with the --shares flag provides a nice list of the shares on the host. With valid creds, I’ll use the -u [username] and -p [password] flags:
Code:
oxdf@hacky$ crackmapexec smb flight.htb -u svc_apache -p 'S@Ss!K@*t13' --shares
SMB flight.htb 445 G0 [*] Windows 10.0 Build 17763 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB flight.htb 445 G0 [+] flight.htb\svc_apache:S@Ss!K@*t13
SMB flight.htb 445 G0 [+] Enumerated shares
SMB flight.htb 445 G0 Share Permissions Remark
SMB flight.htb 445 G0 ----- ----------- ------
SMB flight.htb 445 G0 ADMIN$ Remote Admin
SMB flight.htb 445 G0 C$ Default share
SMB flight.htb 445 G0 IPC$ READ Remote IPC
SMB flight.htb 445 G0 NETLOGON READ Logon server share
SMB flight.htb 445 G0 Shared READ
SMB flight.htb 445 G0 SYSVOL READ Logon server share
SMB flight.htb 445 G0 Users READ
SMB flight.htb 445 G0 Web READ
Without creds, it’s worth trying a couple different ways:
- Without providing creds.
- Bad username and/or guest account with blank password.
- Bad username and/or guest account and bad password.
Code:
oxdf@hacky$ netexec smb 10.10.11.236 --shares
SMB 10.10.11.236 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.236 445 DC01 [-] Error getting user: list index out of range
SMB 10.10.11.236 445 DC01 [-] Error enumerating shares: STATUS_USER_SESSION_DELETED
oxdf@hacky$ netexec smb 10.10.11.236 --shares -u '0xdf' -p '0xdf'
SMB 10.10.11.236 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.236 445 DC01 [+] manager.htb\0xdf:0xdf
SMB 10.10.11.236 445 DC01 [-] Error enumerating shares: STATUS_ACCESS_DENIED
oxdf@hacky$ netexec smb 10.10.11.236 --shares -u 'guest' -p ''
SMB 10.10.11.236 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.236 445 DC01 [+] manager.htb\guest:
SMB 10.10.11.236 445 DC01 [*] Enumerated shares
SMB 10.10.11.236 445 DC01 Share Permissions Remark
SMB 10.10.11.236 445 DC01 ----- ----------- ------
SMB 10.10.11.236 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.236 445 DC01 C$ Default share
SMB 10.10.11.236 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.236 445 DC01 NETLOGON Logon server share
SMB 10.10.11.236 445 DC01 SYSVOL Logon server share
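The three outcomes above (null session rejected, bad creds accepted but share listing denied, guest listing that works) are worth handling programmatically when sweeping a subnet rather than one host. The following Python is an added example, not part of the original post and not netexec code: it parses netexec smb --shares output into a per-host result with readable and writable shares, keeps the error state for hosts that gave nothing, and flags hosts whose banner shows signing:False, since those are NTLM relay targets as well as share targets. The sample lines are constructed in the whitespace-collapsed shape shown above; the signing:False host and the READ,WRITE share are invented for the demonstration, and share names containing spaces are not handled by this tokenizer.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the same (whitespace-collapsed) shape as the netexec
# --shares output above: one host rejecting the null session, one accepting
# bad creds but denying the listing, and one guest listing. 10.10.11.237 with
# signing:False is invented to show the relay check.
SAMPLE = """\
SMB 10.10.11.236 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.236 445 DC01 [-] Error enumerating shares: STATUS_USER_SESSION_DELETED
SMB 10.10.11.237 445 FS01 [*] Windows 10.0 Build 17763 (name:FS01) (domain:manager.htb) (signing:False) (SMBv1:False)
SMB 10.10.11.237 445 FS01 [+] manager.htb\\0xdf:0xdf
SMB 10.10.11.237 445 FS01 [-] Error enumerating shares: STATUS_ACCESS_DENIED
SMB 10.10.11.238 445 DC02 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC02) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.238 445 DC02 [+] manager.htb\\guest:
SMB 10.10.11.238 445 DC02 [*] Enumerated shares
SMB 10.10.11.238 445 DC02 Share Permissions Remark
SMB 10.10.11.238 445 DC02 ----- ----------- ------
SMB 10.10.11.238 445 DC02 ADMIN$ Remote Admin
SMB 10.10.11.238 445 DC02 C$ Default share
SMB 10.10.11.238 445 DC02 IPC$ READ Remote IPC
SMB 10.10.11.238 445 DC02 NETLOGON Logon server share
SMB 10.10.11.238 445 DC02 Shared READ,WRITE
SMB 10.10.11.238 445 DC02 SYSVOL READ Logon server share
"""

# "SMB <ip> <port> <hostname> <rest of line>"
LINE_RE = re.compile(r"^SMB\s+(?P<ip>\S+)\s+\d+\s+(?P<host>\S+)\s+(?P<rest>.*)$")
PERM_TOKENS = {"READ", "WRITE", "READ,WRITE"}


@dataclass
class HostResult:
    ip: str
    host: str
    domain: Optional[str] = None
    signing: Optional[bool] = None      # None until a banner line is seen
    auth_ok: bool = False
    error: Optional[str] = None
    shares: Dict[str, str] = field(default_factory=dict)  # name -> "READ" / "WRITE" / "READ,WRITE" / ""

    def readable(self) -> List[str]:
        return sorted(n for n, p in self.shares.items() if "READ" in p)

    def writable(self) -> List[str]:
        return sorted(n for n, p in self.shares.items() if "WRITE" in p)


def parse_netexec_shares(text: str) -> Dict[str, HostResult]:
    """Group netexec smb --shares lines by target IP and classify each line."""
    results: Dict[str, HostResult] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, host, rest = m.group("ip"), m.group("host"), m.group("rest").strip()
        r = results.setdefault(ip, HostResult(ip=ip, host=host))
        if rest.startswith("[*]"):
            # Banner / status line: pull the domain and whether signing is required.
            dom = re.search(r"\(domain:([^)]+)\)", rest)
            sig = re.search(r"\(signing:(True|False)\)", rest)
            if dom:
                r.domain = dom.group(1)
            if sig:
                r.signing = sig.group(1) == "True"
            continue
        if rest.startswith("[+]"):
            r.auth_ok = True          # the creds (or guest / null) were accepted
            continue
        if rest.startswith("[-]"):
            r.error = rest[3:].strip()  # e.g. STATUS_ACCESS_DENIED
            continue
        if rest.startswith("Share Permissions") or rest.startswith("-----"):
            continue                  # table header
        # Share row: first token is the name; second is the permission column if present.
        tokens = rest.split()
        name = tokens[0]
        perms = tokens[1] if len(tokens) > 1 and tokens[1] in PERM_TOKENS else ""
        r.shares[name] = perms
    return results


def relay_candidates(results: Dict[str, HostResult]) -> List[str]:
    """Hosts that do not require SMB signing are NTLM relay targets, whatever their shares say."""
    return sorted(ip for ip, r in results.items() if r.signing is False)


if __name__ == "__main__":
    parsed = parse_netexec_shares(SAMPLE)
    for ip, r in parsed.items():
        print(f"{ip} ({r.host}) auth_ok={r.auth_ok} error={r.error!r}")
        print(f"  readable={r.readable()} writable={r.writable()}")
    print("relay candidates:", relay_candidates(parsed))
```

Feed it the combined output of a run against a list of targets (netexec accepts a file of hosts) and the writable shares and signing:False hosts fall out directly.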
smbclient
Different Windows configurations can be a bit finicky when enumerating shares, so I like to always try a couple different tools if the first fails. smbclient has a nice way to specify null auth, with the -N flag. To list shares:
Code:
oxdf@hacky$ smbclient -N -L //10.10.11.236
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
The downside to this output is that it doesn't show permissions. An alternative way to run this, which also gets past the password prompt, is to pipe "exit" into it: echo exit | smbclient -L //[ip].
Other Tools
smbmap will also provide similar output, and there are nmap enumeration scripts that will try to list shares as well. I've found myself not using these lately in favor of netexec and smbclient.
Enumerate Files
smbclient
To connect to an SMB share, smbclient takes the following format:
- smbclient //[ip]/[share name] -U [username] [password] - With creds
- smbclient //[ip]/[share name] -N - Null authentication
Code:
oxdf@hacky$ smbclient //10.10.11.202/Public -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Nov 19 06:51:25 2022
.. D 0 Sat Nov 19 06:51:25 2022
SQL Server Procedures.pdf A 49551 Fri Nov 18 08:39:43 2022
5184255 blocks of size 4096. 1450035 blocks available
Code:
oxdf@hacky$ smbclient //flight.htb/users -U svc_apache 'S@Ss!K@*t13'
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Thu Sep 22 20:16:56 2022
.. DR 0 Thu Sep 22 20:16:56 2022
.NET v4.5 D 0 Thu Sep 22 19:28:03 2022
.NET v4.5 Classic D 0 Thu Sep 22 19:28:02 2022
Administrator D 0 Fri Oct 21 18:49:50 2022
All Users DHSrn 0 Sat Sep 15 07:28:48 2018
C.Bum D 0 Thu Sep 22 20:08:23 2022
Default DHR 0 Tue Jul 20 19:20:24 2021
Default User DHSrn 0 Sat Sep 15 07:28:48 2018
desktop.ini AHS 174 Sat Sep 15 07:16:48 2018
Public DR 0 Tue Jul 20 19:23:25 2021
svc_apache D 0 Fri Sep 23 07:10:00 2022
7706623 blocks of size 4096. 3749019 blocks available
netexec
netexec has a module spider_plus that will run through all the shares and collect data about all the files:
Code:
oxdf@hacky$ netexec smb 10.10.11.222 -u oxdf -p '' -M spider_plus
SMB 10.10.11.222 445 AUTHORITY [*] Windows 10 / Server 2019 Build 17763 x64 (name:AUTHORITY) (domain:authority.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.222 445 AUTHORITY [+] authority.htb\oxdf:
SPIDER_P... 10.10.11.222 445 AUTHORITY [*] Started module spidering_plus with the following options:
SPIDER_P... 10.10.11.222 445 AUTHORITY [*] DOWNLOAD_FLAG: False
SPIDER_P... 10.10.11.222 445 AUTHORITY [*] STATS_FLAG: True
SPIDER_P... 10.10.11.222 445 AUTHORITY [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_P... 10.10.11.222 445 AUTHORITY [*] EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_P... 10.10.11.222 445 AUTHORITY [*] MAX_FILE_SIZE: 50 KB
SPIDER_P... 10.10.11.222 445 AUTHORITY [*] OUTPUT_FOLDER: /tmp/nxc_spider_plus
SMB 10.10.11.222 445 AUTHORITY [*] Enumerated shares
SMB 10.10.11.222 445 AUTHORITY Share Permissions Remark
SMB 10.10.11.222 445 AUTHORITY ----- ----------- ------
SMB 10.10.11.222 445 AUTHORITY ADMIN$ Remote Admin
SMB 10.10.11.222 445 AUTHORITY C$ Default share
SMB 10.10.11.222 445 AUTHORITY Department Shares
SMB 10.10.11.222 445 AUTHORITY Development READ
SMB 10.10.11.222 445 AUTHORITY IPC$ READ Remote IPC
SMB 10.10.11.222 445 AUTHORITY NETLOGON Logon server share
SMB 10.10.11.222 445 AUTHORITY SYSVOL Logon server share
SPIDER_P... 10.10.11.222 445 AUTHORITY [+] Saved share-file metadata to "/tmp/nxc_spider_plus/10.10.11.222.json".
SPIDER_P... 10.10.11.222 445 AUTHORITY [*] SMB Shares: 7 (ADMIN$, C$, Department Shares, Development, IPC$, NETLOGON, SYSVOL)
SPIDER_P... 10.10.11.222 445 AUTHORITY [*] SMB Readable Shares: 2 (Development, IPC$)
SPIDER_P... 10.10.11.222 445 AUTHORITY [*] SMB Filtered Shares: 1
SPIDER_P... 10.10.11.222 445 AUTHORITY [*] Total folders found: 27
SPIDER_P... 10.10.11.222 445 AUTHORITY [*] Total files found: 52
SPIDER_P... 10.10.11.222 445 AUTHORITY [*] File size average: 1.5 KB
SPIDER_P... 10.10.11.222 445 AUTHORITY [*] File size min: 4 B
SPIDER_P... 10.10.11.222 445 AUTHORITY [*] File size max: 11.1 KB
From that output, it shows that these creds can read two of seven shares. It finds 27 folders and 52 files, and stored data about all of them in /tmp/nxc_spider_plus/10.10.11.222.json. That data looks like:
Code:
oxdf@hacky$ cat /tmp/nxc_spider_plus/10.10.11.222.json
{
"Development": {
"Automation/Ansible/ADCS/.ansible-lint": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "259 B"
},
"Automation/Ansible/ADCS/.yamllint": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "205 B"
},
"Automation/Ansible/ADCS/LICENSE": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "11.1 KB"
},
"Automation/Ansible/ADCS/README.md": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "7.11 KB"
},
"Automation/Ansible/ADCS/SECURITY.md": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "924 B"
},
"Automation/Ansible/ADCS/defaults/main.yml": {
"atime_epoch": "2023-04-23 18:50:28",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-04-23 18:50:28",
"size": "1.54 KB"
},
"Automation/Ansible/ADCS/meta/main.yml": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-04-23 18:50:36",
"size": "549 B"
},
"Automation/Ansible/ADCS/meta/preferences.yml": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-04-23 18:50:33",
"size": "22 B"
},
"Automation/Ansible/ADCS/molecule/default/converge.yml": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "106 B"
},
"Automation/Ansible/ADCS/molecule/default/molecule.yml": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "526 B"
},
"Automation/Ansible/ADCS/molecule/default/prepare.yml": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "371 B"
},
"Automation/Ansible/ADCS/requirements.txt": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "466 B"
},
"Automation/Ansible/ADCS/requirements.yml": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "264 B"
},
"Automation/Ansible/ADCS/tasks/assert.yml": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "2.87 KB"
},
"Automation/Ansible/ADCS/tasks/generate_ca_certs.yml": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-04-23 18:50:56",
"size": "2.21 KB"
},
"Automation/Ansible/ADCS/tasks/init_ca.yml": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "1.21 KB"
},
"Automation/Ansible/ADCS/tasks/main.yml": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-04-23 18:50:44",
"size": "1.33 KB"
},
"Automation/Ansible/ADCS/tasks/requests.yml": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "4.12 KB"
},
"Automation/Ansible/ADCS/templates/extensions.cnf.j2": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "1.62 KB"
},
"Automation/Ansible/ADCS/templates/openssl.cnf.j2": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "11.03 KB"
},
"Automation/Ansible/ADCS/tox.ini": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "419 B"
},
"Automation/Ansible/ADCS/vars/main.yml": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "2.1 KB"
},
"Automation/Ansible/LDAP/.bin/clean_vault": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "677 B"
},
"Automation/Ansible/LDAP/.bin/diff_vault": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "357 B"
},
"Automation/Ansible/LDAP/.bin/smudge_vault": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "768 B"
},
"Automation/Ansible/LDAP/.travis.yml": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "1.38 KB"
},
"Automation/Ansible/LDAP/README.md": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "5.63 KB"
},
"Automation/Ansible/LDAP/TODO.md": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "119 B"
},
"Automation/Ansible/LDAP/Vagrantfile": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "640 B"
},
"Automation/Ansible/LDAP/defaults/main.yml": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-04-23 18:51:08",
"size": "1.02 KB"
},
"Automation/Ansible/LDAP/files/pam_mkhomedir": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "170 B"
},
"Automation/Ansible/LDAP/handlers/main.yml": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "277 B"
},
"Automation/Ansible/LDAP/meta/main.yml": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "416 B"
},
"Automation/Ansible/LDAP/tasks/main.yml": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "5.11 KB"
},
"Automation/Ansible/LDAP/templates/ldap_sudo_groups.j2": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "131 B"
},
"Automation/Ansible/LDAP/templates/ldap_sudo_users.j2": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "106 B"
},
"Automation/Ansible/LDAP/templates/sssd.conf.j2": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "2.5 KB"
},
"Automation/Ansible/LDAP/templates/sudo_group.j2": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "30 B"
},
"Automation/Ansible/LDAP/vars/debian.yml": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "174 B"
},
"Automation/Ansible/LDAP/vars/main.yml": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "75 B"
},
"Automation/Ansible/LDAP/vars/redhat.yml": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "222 B"
},
"Automation/Ansible/LDAP/vars/ubuntu-14.04.yml": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "203 B"
},
"Automation/Ansible/PWM/README.md": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "1.26 KB"
},
"Automation/Ansible/PWM/ansible.cfg": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "491 B"
},
"Automation/Ansible/PWM/ansible_inventory": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "174 B"
},
"Automation/Ansible/PWM/defaults/main.yml": {
"atime_epoch": "2023-04-23 18:51:38",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-04-23 18:51:38",
"size": "1.55 KB"
},
"Automation/Ansible/PWM/handlers/main.yml": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "4 B"
},
"Automation/Ansible/PWM/meta/main.yml": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "199 B"
},
"Automation/Ansible/PWM/tasks/main.yml": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "1.79 KB"
},
"Automation/Ansible/PWM/templates/context.xml.j2": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "422 B"
},
"Automation/Ansible/PWM/templates/tomcat-users.xml.j2": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "388 B"
},
"Automation/Ansible/SHARE/tasks/main.yml": {
"atime_epoch": "2023-03-17 09:20:48",
"ctime_epoch": "2023-03-17 09:20:48",
"mtime_epoch": "2023-03-17 09:37:52",
"size": "1.83 KB"
}
}
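With fifty-odd files, the JSON is easier to triage than to read. The following Python is an added example, not part of the original post and not netexec code: it loads the spider_plus metadata, converts the human-readable sizes back to bytes, and orders the files so that names that usually hold credentials or keys (vault, inventory, users.xml, id_rsa and the like) come first, config and automation types second, and everything else last, each group smallest-first so the quick reads come before large binaries. The sample JSON is constructed in the schema above (the "Shared" entries are invented), the name and extension heuristics are my own, and the size parser assumes 1024-based units.

```python
import json
import re
from typing import Any, Dict, List

# Constructed sample in the schema spider_plus writes (share -> relative path -> metadata).
# The Development entries mirror the real listing above; the Shared entries are invented.
SAMPLE_JSON = """{
  "Development": {
    "Automation/Ansible/ADCS/README.md":
      {"atime_epoch": "2023-03-17 09:20:48", "ctime_epoch": "2023-03-17 09:20:48", "mtime_epoch": "2023-03-17 09:37:52", "size": "7.11 KB"},
    "Automation/Ansible/ADCS/defaults/main.yml":
      {"atime_epoch": "2023-04-23 18:50:28", "ctime_epoch": "2023-03-17 09:20:48", "mtime_epoch": "2023-04-23 18:50:28", "size": "1.54 KB"},
    "Automation/Ansible/PWM/templates/tomcat-users.xml.j2":
      {"atime_epoch": "2023-03-17 09:20:48", "ctime_epoch": "2023-03-17 09:20:48", "mtime_epoch": "2023-03-17 09:37:52", "size": "388 B"},
    "Automation/Ansible/PWM/ansible_inventory":
      {"atime_epoch": "2023-03-17 09:20:48", "ctime_epoch": "2023-03-17 09:20:48", "mtime_epoch": "2023-03-17 09:37:52", "size": "174 B"},
    "Automation/Ansible/LDAP/.bin/smudge_vault":
      {"atime_epoch": "2023-03-17 09:20:48", "ctime_epoch": "2023-03-17 09:20:48", "mtime_epoch": "2023-03-17 09:37:52", "size": "768 B"}
  },
  "Shared": {
    "IT/backup.zip":
      {"atime_epoch": "2023-03-17 09:20:48", "ctime_epoch": "2023-03-17 09:20:48", "mtime_epoch": "2023-03-17 09:37:52", "size": "11.1 KB"},
    "IT/id_rsa":
      {"atime_epoch": "2023-03-17 09:20:48", "ctime_epoch": "2023-03-17 09:20:48", "mtime_epoch": "2023-03-17 09:37:52", "size": "2.5 KB"}
  }
}"""

# Heuristics (my own, not netexec's): names that usually hold credentials or keys
# are read first, then config / automation / archive types, then everything else.
INTERESTING_NAMES = re.compile(
    r"pass|pwd|cred|secret|vault|token|inventory|users\.xml|web\.config|unattend|sysprep|"
    r"id_rsa|id_ed25519|\.ppk$|\.kdbx$|\.pfx$|\.env$",
    re.IGNORECASE,
)
INTERESTING_EXTS = {".yml", ".yaml", ".xml", ".j2", ".ini", ".cfg", ".conf", ".config",
                    ".txt", ".ps1", ".bat", ".vbs", ".sql", ".zip", ".bak"}
SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}  # assumption: 1024-based


def parse_size(text: str) -> int:
    """'1.54 KB' -> 1576 bytes (fraction truncated)."""
    number, unit = text.split()
    return int(float(number) * SIZE_UNITS[unit])


def score(path: str) -> int:
    """0 = credential-looking name, 1 = interesting file type, 2 = everything else."""
    name = path.rsplit("/", 1)[-1]
    if INTERESTING_NAMES.search(name):
        return 0
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot > 0 else ""
    return 1 if ext in INTERESTING_EXTS else 2


def load_spider_plus(raw: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    return json.loads(raw)


def triage(data: Dict[str, Dict[str, Dict[str, str]]]) -> List[Dict[str, Any]]:
    """Flatten share -> path into rows ordered by priority, then by size ascending."""
    rows = []
    for share, files in data.items():
        for path, meta in files.items():
            rows.append({
                "share": share,
                "path": path,
                "size": parse_size(meta["size"]),
                "mtime": meta["mtime_epoch"],
                "priority": score(path),
            })
    rows.sort(key=lambda r: (r["priority"], r["size"], r["path"]))
    return rows


if __name__ == "__main__":
    for r in triage(load_spider_plus(SAMPLE_JSON)):
        print(f'[{r["priority"]}] {r["size"]:>7} B  {r["share"]}/{r["path"]}  (modified {r["mtime"]})')
```

Once the short list exists, the same module can fetch the files instead of just cataloguing them: the DOWNLOAD_FLAG option shown in the module banner above is set with -o DOWNLOAD_FLAG=True, subject to the MAX_FILE_SIZE limit also shown there.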
Kerberos Auth
Some environments will have NTLM authentication disabled, forcing all auth to occur over Kerberos. netexec typically works really well with the -k flag.
My success with smbclient has been limited in this case, but the Impacket smbclient.py example has worked great.
Connecting takes the typical Impacket "target" in the format of [domain]/[user]:[password]@[target host/ip], as well as -k to use Kerberos and -no-pass to skip the password prompt (with -k, a ticket from the KRB5CCNAME ccache is used if one exists, otherwise the password in the target string is used to request one). The target must be the host's DNS name rather than an IP so the service ticket matches:
Code:
oxdf@hacky$ smbclient.py 'absolute.htb/d.klay:Darkmoonsky248girl@dc.absolute.htb' -k -no-pass
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[-] CCache file is not found. Skipping...
Type help for list of commands
#
shares lists the shares, use [share] selects a share, and then ls, cd, etc. work within the share:
Code:
# shares
ADMIN$
C$
IPC$
NETLOGON
Shared
SYSVOL
# use sysvol
# ls
drw-rw-rw- 0 Thu Jun 9 04:16:22 2022 .
drw-rw-rw- 0 Thu Jun 9 04:16:22 2022 ..
drw-rw-rw- 0 Thu Jun 9 04:16:22 2022 absolute.htb
RID Cycling
Background
Every Windows object (including users and groups) has a security identifier (SID). Within a domain or stand-alone host, the entire SID except the last number will be the same, and the last number is the relative identifier, or RID. Well-known accounts and groups use fixed RIDs (500 Administrator, 501 Guest, 502 krbtgt, 512 Domain Admins, 513 Domain Users) and everything created since sits at 1000 and above, so the values fall in a predictable range, and we can brute force the numbers across that range and get a list of users and groups.
Manually
To see how this works manually, rpcclient can be used. It takes an IP and a -U '[username]%[password]'. Much like with other SMB tools, it's worth trying -U 'guest%' for an empty password:
Code:
oxdf@hacky$ rpcclient 10.10.11.222 -U 'guest%'
rpcclient $>
lookupnames [username] will get the SID for a user:
Code:
rpcclient $> lookupnames administrator
administrator S-1-5-21-622327497-3269355298-2248959698-500 (User: 1)
lookupsids [sid] will do the reverse, get the username for a SID:
Code:
rpcclient $> lookupsids S-1-5-21-622327497-3269355298-2248959698-500
S-1-5-21-622327497-3269355298-2248959698-500 HTB\Administrator (1)
If I check RID 1601 on this host, it returns another user:
Code:
rpcclient $> lookupsids S-1-5-21-622327497-3269355298-2248959698-1601
S-1-5-21-622327497-3269355298-2248959698-1601 HTB\svc_ldap (1)
lookupsid.py
The Impacket script lookupsid.py will brute force this range for me (the default maximum RID is 4000; pass a larger one as the second positional argument on big domains):
Code:
oxdf@hacky$ lookupsid.py guest@10.10.11.222 -no-pass
Impacket v0.10.1.dev1+20230608.100331.efc6a1c3 - Copyright 2022 Fortra
[*] Brute forcing SIDs at 10.10.11.222
[*] StringBinding ncacn_np:10.10.11.222[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-622327497-3269355298-2248959698
498: HTB\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: HTB\Administrator (SidTypeUser)
501: HTB\Guest (SidTypeUser)
502: HTB\krbtgt (SidTypeUser)
512: HTB\Domain Admins (SidTypeGroup)
513: HTB\Domain Users (SidTypeGroup)
514: HTB\Domain Guests (SidTypeGroup)
515: HTB\Domain Computers (SidTypeGroup)
516: HTB\Domain Controllers (SidTypeGroup)
517: HTB\Cert Publishers (SidTypeAlias)
518: HTB\Schema Admins (SidTypeGroup)
519: HTB\Enterprise Admins (SidTypeGroup)
520: HTB\Group Policy Creator Owners (SidTypeGroup)
521: HTB\Read-only Domain Controllers (SidTypeGroup)
522: HTB\Cloneable Domain Controllers (SidTypeGroup)
525: HTB\Protected Users (SidTypeGroup)
526: HTB\Key Admins (SidTypeGroup)
527: HTB\Enterprise Key Admins (SidTypeGroup)
553: HTB\RAS and IAS Servers (SidTypeAlias)
571: HTB\Allowed RODC Password Replication Group (SidTypeAlias)
572: HTB\Denied RODC Password Replication Group (SidTypeAlias)
1000: HTB\AUTHORITY$ (SidTypeUser)
1101: HTB\DnsAdmins (SidTypeAlias)
1102: HTB\DnsUpdateProxy (SidTypeGroup)
1601: HTB\svc_ldap (SidTypeUser)
netexec
netexec can also do this with the --rid-brute flag:
Code:
oxdf@hacky$ netexec smb 10.10.11.222 -u guest -p '' --rid-brute
SMB 10.10.11.222 445 AUTHORITY [*] Windows 10 / Server 2019 Build 17763 x64 (name:AUTHORITY) (domain:authority.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.222 445 AUTHORITY [+] authority.htb\guest:
SMB 10.10.11.222 445 AUTHORITY 498: HTB\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.222 445 AUTHORITY 500: HTB\Administrator (SidTypeUser)
SMB 10.10.11.222 445 AUTHORITY 501: HTB\Guest (SidTypeUser)
SMB 10.10.11.222 445 AUTHORITY 502: HTB\krbtgt (SidTypeUser)
SMB 10.10.11.222 445 AUTHORITY 512: HTB\Domain Admins (SidTypeGroup)
SMB 10.10.11.222 445 AUTHORITY 513: HTB\Domain Users (SidTypeGroup)
SMB 10.10.11.222 445 AUTHORITY 514: HTB\Domain Guests (SidTypeGroup)
SMB 10.10.11.222 445 AUTHORITY 515: HTB\Domain Computers (SidTypeGroup)
SMB 10.10.11.222 445 AUTHORITY 516: HTB\Domain Controllers (SidTypeGroup)
SMB 10.10.11.222 445 AUTHORITY 517: HTB\Cert Publishers (SidTypeAlias)
SMB 10.10.11.222 445 AUTHORITY 518: HTB\Schema Admins (SidTypeGroup)
SMB 10.10.11.222 445 AUTHORITY 519: HTB\Enterprise Admins (SidTypeGroup)
SMB 10.10.11.222 445 AUTHORITY 520: HTB\Group Policy Creator Owners (SidTypeGroup)
SMB 10.10.11.222 445 AUTHORITY 521: HTB\Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.222 445 AUTHORITY 522: HTB\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.10.11.222 445 AUTHORITY 525: HTB\Protected Users (SidTypeGroup)
SMB 10.10.11.222 445 AUTHORITY 526: HTB\Key Admins (SidTypeGroup)
SMB 10.10.11.222 445 AUTHORITY 527: HTB\Enterprise Key Admins (SidTypeGroup)
SMB 10.10.11.222 445 AUTHORITY 553: HTB\RAS and IAS Servers (SidTypeAlias)
SMB 10.10.11.222 445 AUTHORITY 571: HTB\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.10.11.222 445 AUTHORITY 572: HTB\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.10.11.222 445 AUTHORITY 1000: HTB\AUTHORITY$ (SidTypeUser)
SMB 10.10.11.222 445 AUTHORITY 1101: HTB\DnsAdmins (SidTypeAlias)
SMB 10.10.11.222 445 AUTHORITY 1102: HTB\DnsUpdateProxy (SidTypeGroup)
SMB 10.10.11.222 445 AUTHORITY 1601: HTB\svc_ldap (SidTypeUser)
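What a practitioner actually does with this output is turn it into a user list for password spraying and a group list for later, and what the tools do underneath is resolve the domain SID plus each candidate RID over LSARPC. The following Python is an added example, not part of the original post and not Impacket or netexec code: it parses either lookupsid.py or netexec --rid-brute output (the samples are constructed from the lines above, trimmed for length), separates users from groups and aliases, drops machine accounts (the trailing $) from the user list by default, and builds the SID strings for a RID range the way the brute force does.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed samples modelled on the two listings above (trimmed): lookupsid.py
# prints the domain SID once, netexec --rid-brute prefixes each line with "SMB ip port HOST".
LOOKUPSID_OUTPUT = """\
[*] Brute forcing SIDs at 10.10.11.222
[*] StringBinding ncacn_np:10.10.11.222[\\pipe\\lsarpc]
[*] Domain SID is: S-1-5-21-622327497-3269355298-2248959698
498: HTB\\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: HTB\\Administrator (SidTypeUser)
501: HTB\\Guest (SidTypeUser)
502: HTB\\krbtgt (SidTypeUser)
512: HTB\\Domain Admins (SidTypeGroup)
513: HTB\\Domain Users (SidTypeGroup)
1000: HTB\\AUTHORITY$ (SidTypeUser)
1101: HTB\\DnsAdmins (SidTypeAlias)
1601: HTB\\svc_ldap (SidTypeUser)
"""
NETEXEC_OUTPUT = """\
SMB 10.10.11.222 445 AUTHORITY [+] authority.htb\\guest:
SMB 10.10.11.222 445 AUTHORITY 500: HTB\\Administrator (SidTypeUser)
SMB 10.10.11.222 445 AUTHORITY 1000: HTB\\AUTHORITY$ (SidTypeUser)
SMB 10.10.11.222 445 AUTHORITY 1601: HTB\\svc_ldap (SidTypeUser)
"""


class SidEntry(NamedTuple):
    rid: int
    domain: str
    name: str
    kind: str  # SidTypeUser, SidTypeGroup, SidTypeAlias, ...


# "<rid>: <DOMAIN>\<name> (<SidType>)" anywhere on the line, so the netexec prefix is ignored.
ENTRY_RE = re.compile(r"(?P<rid>\d+): (?P<domain>[^\\\s]+)\\(?P<name>.+?) \((?P<kind>SidType\w+)\)\s*$")
DOMAIN_SID_RE = re.compile(r"Domain SID is: (S-1-5-21-\d+-\d+-\d+)")
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def parse_rid_output(text: str) -> Tuple[Optional[str], List[SidEntry]]:
    """Returns (domain SID if the tool printed it, entries sorted by RID)."""
    domain_sid = None
    entries: List[SidEntry] = []
    for line in text.splitlines():
        m = DOMAIN_SID_RE.search(line)
        if m:
            domain_sid = m.group(1)
            continue
        m = ENTRY_RE.search(line)
        if m:
            entries.append(SidEntry(int(m.group("rid")), m.group("domain"), m.group("name"), m.group("kind")))
    return domain_sid, sorted(entries)


def users(entries: List[SidEntry], include_machines: bool = False) -> List[str]:
    """Account names for a user list; machine accounts end in '$' and are dropped by default."""
    return [e.name for e in entries
            if e.kind == "SidTypeUser" and (include_machines or not e.name.endswith("$"))]


def groups(entries: List[SidEntry]) -> List[str]:
    return [e.name for e in entries if e.kind in ("SidTypeGroup", "SidTypeAlias")]


def sid_range(domain_sid: str, start: int, end: int) -> List[str]:
    """The SIDs a RID brute force asks LSARPC to resolve: domain SID plus each RID in [start, end]."""
    return [f"{domain_sid}-{rid}" for rid in range(start, end + 1)]


def rid_from_sid(sid: str) -> int:
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return int(m.group(1))


if __name__ == "__main__":
    domain_sid, entries = parse_rid_output(LOOKUPSID_OUTPUT)
    highest = max(e.rid for e in entries)
    print("domain SID:", domain_sid)
    print("users:", users(entries))
    print("groups:", groups(entries))
    print("next SIDs to try:", sid_range(domain_sid, highest + 1, highest + 3))
```

Both tools stop at RID 4000 by default; if the highest RID returned is close to that limit, rerun with a larger maximum (the positional argument for lookupsid.py, the value after --rid-brute for netexec) before assuming the user list is complete.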
Check for Vulnerabilities
While SMB vulnerabilities are pretty rare, when they do hit, they often hit big. A couple of examples:
- MS06-025 - RCE vulnerability in the Routing and Remote Access service (RRAS), reached over RPC named pipes.
- MS08-067 / CVE-2008-4250 - RCE vulnerability exploited by the Conficker worm.
- MS17-010 / CVE-2017-0144 - RCE vulnerability (EternalBlue), part of the leaked NSA tooling and used by WannaCry.
nmap has a nice set of scripts that will alert for these: nmap --script "smb-vuln*" -p 139,445 [ip]
- --script "smb-vuln*" - runs all SMB vulnerability scan scripts. Quote the glob so nmap expands it, not the shell against files in the current directory.
- -p 139,445 - SMB ports
A few of these scripts (smb-vuln-ms10-054, smb-vuln-regsvc-dos) are in nmap's dos category and test by trying to crash the service, so be deliberate about running the full wildcard against anything that matters.
Code:
root@hacky# nmap --script smb-vuln* -p 139,445 [ip]
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-27 16:37 EDT
Nmap scan report for [ip]
Host is up (0.030s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:50:56:XX:XX:XX (VMware)
Host script results:
| smb-vuln-ms06-025:
| VULNERABLE:
| RRAS Memory Corruption vulnerability (MS06-025)
| State: VULNERABLE
| IDs: CVE:CVE-2006-2370
| A buffer overflow vulnerability in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1
| and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to
| execute arbitrary code via certain crafted "RPC related requests" aka the "RRAS Memory Corruption Vulnerability."
|
| Disclosure date: 2006-6-27
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2370
|_ https://technet.microsoft.com/en-us/library/security/ms06-025.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 5.58 seconds
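Reading that block for one host is easy; across a subnet it is worth extracting just the script name, state and CVE for each result. The following Python is an added example, not part of the original post and not nmap code: it parses the host script section of nmap's normal output, distinguishes VULNERABLE results from the "false" and "ERROR" one-liners, and returns the vulnerable scripts with their CVE IDs. The sample is constructed from the output above with nmap's indentation restored.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample: the host script section of the nmap run above, indented as nmap prints it.
SAMPLE = """\
Host script results:
| smb-vuln-ms06-025:
|   VULNERABLE:
|   RRAS Memory Corruption vulnerability (MS06-025)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2006-2370
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2370
|_      https://technet.microsoft.com/en-us/library/security/ms06-025.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_    https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)
"""


class ScriptResult(NamedTuple):
    script: str
    state: str             # VULNERABLE, NOT VULNERABLE, ERROR or UNKNOWN
    title: Optional[str]
    cves: List[str]


# A script header: "| smb-vuln-x:" (multi-line result) or "|_smb-vuln-x: false" / "...: ERROR ..."
SCRIPT_RE = re.compile(r"^\|_?\s*(?P<name>smb-vuln-[\w-]+):\s*(?P<rest>.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_smb_vuln(text: str) -> List[ScriptResult]:
    results: List[ScriptResult] = []
    current: Optional[dict] = None
    want_title = False
    for line in text.splitlines():
        m = SCRIPT_RE.match(line)
        if m:
            name, rest = m.group("name"), m.group("rest").strip()
            if current:                      # a new header closes the previous multi-line result
                results.append(ScriptResult(**current))
                current = None
            if rest == "false":
                results.append(ScriptResult(name, "NOT VULNERABLE", None, []))
            elif rest.startswith("ERROR"):
                results.append(ScriptResult(name, "ERROR", None, []))
            else:
                current = {"script": name, "state": "UNKNOWN", "title": None, "cves": []}
            continue
        if current is None or not line.startswith("|"):
            continue
        body = line.lstrip("|_ ").strip()
        if body == "VULNERABLE:":
            want_title = True                # the next line is the vulnerability title
        elif want_title:
            current["title"] = body
            want_title = False
        elif body.startswith("State:"):
            current["state"] = body.split(":", 1)[1].strip()
        elif body.startswith("IDs:"):
            current["cves"].extend(CVE_RE.findall(body))
    if current:
        results.append(ScriptResult(**current))
    return results


def vulnerable(results: List[ScriptResult]):
    """Scripts whose state starts with VULNERABLE (this also covers 'VULNERABLE (Exploitable)')."""
    return [(r.script, r.cves) for r in results if r.state.startswith("VULNERABLE")]


if __name__ == "__main__":
    for script, cves in vulnerable(parse_smb_vuln(SAMPLE)):
        print(script, ", ".join(cves))
```

For large scans, nmap's -oX output is the more robust source, but the normal-output parser above is enough to pull the VULNERABLE hits out of a saved -oN file.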
Samba
smbclient works just fine to connect to Samba SMB shares on Linux hosts.
It is useful to look for vulnerabilities in the version of Samba. nmap is mostly good at grabbing the version now when run with -sCV (that is, -sC -sV).
Years ago this script from rewardone in the PWK forums was handy for grabbing Samba versions. It relies on the native OS / LAN manager strings in an SMB1 session setup reply, so against a server that negotiates SMB2 or later there is nothing to capture (forcing SMB1 with smbclient -m NT1 helps, if the server still allows it):
Code:
#!/bin/sh
#Author: rewardone
#Description:
# Requires root or enough permissions to use tcpdump
# Will listen for the first 7 packets of a null login
# and grab the SMB Version
#Notes:
# Will sometimes not capture or will print multiple
# lines. May need to run a second time for success.
# Sniffs on tap0 (the lab VPN interface) unless IFACE is set, e.g. IFACE=eth0 ./smbver.sh RHOST
if [ -z "$1" ]; then echo "Usage: ./smbver.sh RHOST [RPORT]" && exit 1; else rhost="$1"; fi
if [ -n "$2" ]; then rport="$2"; else rport=139; fi
iface="${IFACE:-tap0}"
# Capture the server's replies and pull the "Unix" / "Samba x.y.z" strings out of the SMB1 session setup response
tcpdump -s0 -n -i "$iface" src "$rhost" and port "$rport" -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & printf '%s: ' "$rhost" &
# Trigger the null login on the same port tcpdump is watching
echo "exit" | smbclient -L "$rhost" -p "$rport" 1>/dev/null 2>/dev/null
sleep 0.5 && echo ""
When you run this on a box running Samba, you get results:
Code:
root@# ./smbver.sh [IP]
[IP]: UnixSamba 227a