SMB

• Server message block

• default config

  • cat /etc/samba/smb.conf | grep -v "#\|\;" 
    

• dangerous settings

  • browseable = yes

  • read only = no

  • writable = yes

  • guest ok = yes

  • enable privileges = yes

  • create mask = 0777

  • directory mask = 0777

  • logon script = script.sh

  • magic script = script.sh

  • magic output = script.out

• restart service

  • sudo systemctl restart smbd
    

• connect

  • lists shares on server

    smbclient -N -L //10.129.14.128

  • connect to notes share

    smbclient //10.129.14.128/notes

• get status

  • smbstatus

• nmap

  • nmap 10.129.14.128 -sV -sC -p139,445

• rpclient

  • rpcclient -U "" 10.129.14.128    

  • can offer us different requests

    • srvinfo - server info

    • enumdomains - enumerate all domains

    • querydominfo - provides domains, server and user info

    • netshareenumall - enumerates all shares

    • netsharegetinfo <share> - enumerates specific share

    • enumdomusers - enumerates all domain users

    • queryuser <rid> - enumerates specific user

• Brute force user RIDs

  • for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done

  • alternative to this is to use samrdump.py from impacket.

  • samrdump.py 10.129.14.128

• smbmap

  • smbmap -H 10.129.14.128

• crackmapexec

  • crackmapexec smb 10.129.14.128 --shares -u '' -p ''

• enum4linux

  • enum4linux-ng.py 10.129.14.128 -A