
139,445 - Pentesting smb

139 - NetBIOS, 445 - SMB

SMB - Server Message Block Protocol - is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network.

Description

IPC$ share (from the book Network Security Assessment, 3rd edition)

With an anonymous null session you can access the IPC$ share and interact with services exposed via named pipes. The enum4linux utility within Kali Linux is particularly useful; with it, you can obtain the following:

  • Operating system information
  • Details of the parent domain
  • A list of local users and groups
  • Details of available SMB shares
  • The effective system security policy

A read-only IPC$ share still lets us enumerate usernames:

python3 /opt/tools/impacket/examples/lookupsid.py guest@$IP
python3 /opt/tools/impacket/examples/lookupsid.py anonymous@$IP 

Tools

nmap

nmap -p 139,445 -A $IP
ls /usr/share/nmap/scripts/*smb*
nmap -p 139,445 --script=smb-vuln-* $IP
nmap -p 139,445 --script=smb-enum-users.nse $IP
nmap -p 139,445 --script=smb-enum-shares.nse $IP

nbtscan

sudo nbtscan -r $IP/24

enum4linux

enum4linux -a $IP
enum4linux -a -u 'guest' $IP
enum4linux -a -u 'guest' $URL

crackmapexec - bruteforce

crackmapexec smb $IP -u user.txt -p user.txt --shares --continue-on-success

crackmapexec smb $IP -u user.txt -p pass.txt --shares --continue-on-success

crackmapexec - guest user with no password

crackmapexec smb $IP -u '' -p '' --shares
crackmapexec smb $IP -u 'guest' -p '' --shares

crackmapexec smb $IP -u 'guest' -p '' --users
crackmapexec smb $IP -u 'guest' -p '' --groups
crackmapexec smb $IP -u 'guest' -p '' --local-groups
crackmapexec smb $IP -u 'guest' -p '' --loggedon-users
crackmapexec smb $IP -u 'guest' -p '' --rid-brute
crackmapexec smb $IP -u 'guest' -p '' --sessions
crackmapexec smb $IP -u 'guest' -p '' --pass-pol

smbmap

smbmap -H $IP -u anonymous 
smbmap -H $URL -d $DOMAIN -u svc-admin -p management2005

smbclient

smbclient //$IP/shares -U 'guest'
smbclient '\\11.22.33.44\shares' --user='admin' --password='123456'
smbclient '\\11.22.33.44\shares' --no-pass
smbclient '\\11.22.33.44\shares' -U 'guest' -N
smbclient '\\11.22.33.44\shares' -U 'guest'
smbclient '\\11.22.33.44\shares\'

smbclient - get folder

smbclient '\\11.22.33.44\[share]' -U 'guest' -N -c 'prompt OFF;recurse ON;  mget *'
smbclient '\\11.22.33.44\[share]' -U 'guest' -c 'prompt OFF;recurse ON;  mget *'
smbclient '\\11.22.33.44\[share]' -N -c 'prompt OFF;recurse ON;cd "Share\"; lcd "/home/kali/workspace/gatekeeper/smb_dump/Share/"; mget *'
smbclient '\\11.22.33.44\[share]' -N -c 'prompt OFF;recurse ON;cd "Profile\"; lcd "/home/kali/workspace/gatekeeper/smb_dump/Default/"; mget *'

smbget

smbget -R 'smb://11.22.33.44/anonymous/'
smbget -R 'smb://11.22.33.44/Users/desktop.ini'

smb pipes

There are many SMB pipes that are used for different purposes in the SMB protocol. Some examples include:

  1. IPC$: The IPC pipe is a special share that is used for inter-process communication (IPC) and it's created automatically on the SMB server. It allows clients to access shared resources such as printers and named pipes.
  2. SRVSVC: The SRVSVC pipe is used for server management and allows clients to manage shared resources such as file shares and printers.
  3. LSARPC: The LSARPC pipe is used for security and authentication in the SMB protocol. It allows clients to manage user and group accounts, security policies, and other security-related tasks.
  4. SAMR: The SAMR pipe is used for managing user and group accounts on an SMB server. It allows clients to create, modify, and delete user and group accounts, as well as manage their permissions and other properties.
  5. SPOOLSS: The SPOOLSS pipe is used for managing printers and print jobs on an SMB server. It allows clients to add, delete, and modify printers, as well as manage print jobs and print queues.
  6. NETLOGON: The NETLOGON pipe is used for authenticating users and managing domain-related tasks such as domain membership and trust relationships.
  7. DRSUAPI: The DRSUAPI pipe is used for Active Directory replication and management. It allows clients to create, modify and delete objects in Active Directory and to perform other Directory Services related operations.
  8. EPMAPPER: The EPMAPPER pipe is used for Distributed Computing Environment (DCE) Remote Procedure Calls (RPCs).
  9. LSASS: The LSASS pipe is used for managing security and authentication. It allows clients to manage user and group accounts, security policies, and other security-related tasks.
  10. WKSSVC: The WKSSVC pipe is used for managing Windows-based services such as the Workstation service and the Server service.
  11. LSASRV: The LSASRV pipe is used for managing security and authentication in the SMB protocol. It allows clients to manage user and group accounts, security policies, and other security-related tasks.
  12. NETDFS: The NETDFS pipe is used for managing Distributed File System (DFS) shares on an SMB server.
  13. NTFRS: The NTFRS pipe is used for managing the File Replication Service (FRS) on an SMB server.
  14. REGISTRY: The REGISTRY pipe is used for managing the Windows Registry remotely.
  15. SVCCTL: The SVCCTL pipe is used for managing Windows-based services such as the Workstation service and the Server service.
  16. SVCHOST: The SVCHOST pipe is used for managing Windows-based services and hosting multiple services in one process.
  17. WINS: The WINS pipe is used for managing the Windows Internet Name Service (WINS) on an SMB server.
  18. WINREG: The WINREG pipe is used for managing the Windows Registry remotely.
  19. RPCEPMAP: The RPCEPMAP pipe is used for Distributed Computing Environment (DCE) Remote Procedure Calls (RPCs).
  20. MSRRAS: The MSRRAS pipe is used for managing RAS (Remote Access Services) on an SMB server.
  21. REMACT: The REMACT pipe is used for managing remote activation on an SMB server.
  22. SRVCTL: The SRVCTL pipe is used for managing server services on an SMB server.
  23. ROUTER: The ROUTER pipe is used for managing router services on an SMB server.
  24. LSA: The LSA pipe is used for managing security and authentication in the SMB protocol. It allows clients to manage user and group accounts, security policies, and other security-related tasks.
  25. RASMAN: The RASMAN pipe is used for managing RAS (Remote Access Services) on an SMB server.
  26. SAMSRV: The SAMSRV pipe is used for managing user and group accounts on an SMB server. It allows clients to create, modify, and delete user and group accounts, as well as manage their permissions and other properties.
  27. SRV: The SRV pipe is used for managing shared resources such as file shares and printers on an SMB server.
  28. WMI: The WMI pipe is used for managing Windows Management Instrumentation (WMI) on an SMB server.
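A defender-side counterpart to the null-session IPC$ enumeration described earlier and to the pipes list above: a Python triage function (added example, not code from the original page) that scans Windows share-access audit events (5140 "network share object was accessed", 5145 "detailed file share") for anonymous sessions bound to IPC$ and for opens of the pipes that enum4linux, lookupsid and crackmapexec --users/--rid-brute/--pass-pol talk to. The event dicts are constructed here; their field names mirror the Account Name, Share Name, Relative Target Name and Source Address fields those events carry.

```python
"""Flag anonymous (null-session) use of IPC$ and the enumeration pipes in
Windows share-access audit events. Added example, not part of the original page."""
from collections import Counter

# Named pipes behind IPC$ that the enumeration tools on this page talk to.
ENUM_PIPES = {"srvsvc", "samr", "lsarpc", "wkssvc", "netlogon", "spoolss", "winreg"}

def is_anonymous(account: str) -> bool:
    """Null sessions show up as ANONYMOUS LOGON (or an empty account name)."""
    a = account.strip().upper()
    return a in {"", "ANONYMOUS LOGON", "NT AUTHORITY\\ANONYMOUS LOGON"}

def flag_event(ev: dict):
    """Return (severity, reason) for one 5140/5145 event dict, or None if benign."""
    if ev.get("event_id") not in (5140, 5145):
        return None
    if not ev.get("share", "").upper().endswith("\\IPC$"):
        return None                      # only IPC$ carries the RPC pipes
    anon = is_anonymous(ev.get("account", ""))
    target = ev.get("target", "").strip().lower()
    if ev["event_id"] == 5145 and target in ENUM_PIPES:
        who = "anonymous" if anon else ev["account"]
        return ("high" if anon else "info", f"{who} opened \\\\pipe\\{target}")
    if ev["event_id"] == 5140 and anon:
        return ("medium", "anonymous session bound to IPC$")
    return None

def triage(events):
    """Run flag_event over a batch; return a list of (source_ip, severity, reason)."""
    return [(ev.get("src_ip", "?"),) + hit for ev in events if (hit := flag_event(ev))]

def anonymous_pipe_opens(events) -> dict:
    """Count high-severity (anonymous pipe) hits per source address."""
    return dict(Counter(src for src, sev, _ in triage(events) if sev == "high"))

# Constructed sample records: one anonymous host cycling SAMR/LSARPC, one normal user.
SAMPLE_EVENTS = [
    {"event_id": 5140, "account": "ANONYMOUS LOGON", "share": "\\\\*\\IPC$", "src_ip": "10.0.0.9"},
    {"event_id": 5145, "account": "ANONYMOUS LOGON", "share": "\\\\*\\IPC$", "target": "samr", "src_ip": "10.0.0.9"},
    {"event_id": 5145, "account": "ANONYMOUS LOGON", "share": "\\\\*\\IPC$", "target": "lsarpc", "src_ip": "10.0.0.9"},
    {"event_id": 5145, "account": "jdoe", "share": "\\\\*\\IPC$", "target": "srvsvc", "src_ip": "10.0.0.5"},
    {"event_id": 5145, "account": "jdoe", "share": "\\\\*\\Data", "target": "report.xlsx", "src_ip": "10.0.0.5"},
]

if __name__ == "__main__":
    for src, sev, why in triage(SAMPLE_EVENTS):
        print(f"[{sev:6}] {src}: {why}")
    print("anonymous pipe opens per source:", anonymous_pipe_opens(SAMPLE_EVENTS))
```

Restricting anonymous access to IPC$ (RestrictAnonymous / RestrictNullSessAccess) is the mitigation; the hits above are what you see on hosts where that has not been done.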

exploits - https://github.com/3ndG4me/AutoBlue-MS17-010