SMB

  • Server Message Block

  • default config

    • cat /etc/samba/smb.conf | grep -v "#\|\;"
      
  • dangerous settings

    • browseable = yes

    • read only = no

    • writable = yes

    • guest ok = yes

    • enable privileges = yes

    • create mask = 0777

    • directory mask = 0777

    • logon script = script.sh

    • magic script = script.sh

    • magic output = script.out
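An added example (not from the original notes) that turns the list of dangerous settings above into a small audit script: it parses smb.conf-style text, dropping `#`/`;` comment lines the same way the grep one-liner does, and reports any share or global section that sets one of the listed values. The sample configuration inside the script is constructed for illustration; the choice to flag `logon script`, `magic script` and `magic output` whenever they are present at all is this example's own assumption.

```python
"""Audit smb.conf text for the risky settings listed in the notes above."""
import re
import sys
from typing import Dict, List, Tuple

# Settings from the list above, lowercased key -> values worth flagging.
# "writable"/"writeable" and "read only = no" mean the same thing in Samba,
# so all three spellings are covered.
RISKY: Dict[str, Tuple[str, ...]] = {
    "browseable": ("yes",),
    "read only": ("no",),
    "writable": ("yes",),
    "writeable": ("yes",),
    "guest ok": ("yes",),
    "enable privileges": ("yes",),
    "create mask": ("0777",),
    "directory mask": ("0777",),
}
# Script hooks run code on the server; any value at all deserves review,
# so these are flagged on presence (assumption made by this example).
SCRIPT_HOOKS = ("logon script", "magic script", "magic output")

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
KV_RE = re.compile(r"^(?P<key>[^=;#]+?)\s*=\s*(?P<val>.*?)$")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}} with comments and blank lines dropped.

    Keys are lowercased so "Read Only" and "read only" compare equal; values
    are kept verbatim and compared case-insensitively by the caller.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # same filter as grep -v "#\|\;"
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            sections.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            sections[current][m.group("key").strip().lower()] = m.group("val")
    return sections


def audit(text: str) -> List[str]:
    """Return one finding per risky setting, formatted 'section: key = value'.

    A hit in [global] applies to every share that does not override it, so it
    is reported just like a hit inside a share section.
    """
    findings: List[str] = []
    for section, opts in parse_smb_conf(text).items():
        for key, val in opts.items():
            if key in RISKY and val.lower() in RISKY[key]:
                findings.append(f"{section}: {key} = {val}")
            elif key in SCRIPT_HOOKS:
                findings.append(f"{section}: {key} = {val}")
    return findings


# Constructed sample config for demonstration; not taken from any real host.
SAMPLE_CONF = """\
# constructed sample smb.conf
[global]
   workgroup = WORKGROUP
   server string = file server
   ; map to guest = Bad User

[notes]
   path = /srv/notes
   browseable = yes
   read only = no
   guest ok = yes
   create mask = 0777

[private]
   path = /srv/private
   read only = yes
   valid users = alice
"""

if __name__ == "__main__":
    # Usage: python audit_smb_conf.py /etc/samba/smb.conf (falls back to the sample)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for finding in audit(source):
        print(finding)
```

On the sample above the script reports the four risky lines in the `[notes]` share and nothing for `[private]`, which is read-only and restricted to a named user. Run it against a real smb.conf after the `restart service` step to confirm a hardening change actually took effect.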

  • restart service

    • sudo systemctl restart smbd
      
  • connect

    • list shares on the server

      smbclient -N -L //10.129.14.128

    • connect to the notes share

      smbclient //10.129.14.128/notes

  • get status

    • smbstatus

  • nmap

    • nmap 10.129.14.128 -sV -sC -p139,445

  • rpcclient

    • rpcclient -U "" 10.129.14.128

    • offers a number of requests, for example:

      • srvinfo - server info

      • enumdomains - enumerate all domains

      • querydominfo - provides domains, server and user info

      • netshareenumall - enumerates all shares

      • netsharegetinfo <share> - enumerates specific share

      • enumdomusers - enumerates all domain users

      • queryuser <rid> - enumerates specific user

  • Brute force user RIDs

    • for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done

    • An alternative is samrdump.py from Impacket:

    • samrdump.py 10.129.14.128

  • smbmap

    • smbmap -H 10.129.14.128

  • crackmapexec

    • crackmapexec smb 10.129.14.128 --shares -u '' -p ''

  • enum4linux

    • enum4linux-ng.py 10.129.14.128 -A
