A Little Guide to SMB Enumeration
Enumeration is an essential phase of penetration testing: once a pentester has established an active connection with the victim, they try to retrieve as much information as possible about the victim's machine, since that information is what makes further exploitation possible.
In this article we explore SMB enumeration using only the command-line tools built into Kali Linux.
Table of Contents
§ Nmblookup
§ nbtscan
§ SMBMap
§ Smbclient
§ Rpcclient
§ Nmap
§ Enum4linux
nmblookup
nmblookup is used to query
NetBIOS names and map them to IP addresses in a network using NetBIOS over
TCP/IP queries. The options allow the name queries to be directed at a
particular IP broadcast area or to a particular machine. All queries are done
over UDP.
nmblookup -A 192.168.1.103
nmblookup is a helpful command for enumerating the domain/workstation name and the MAC address. NetBIOS distinguishes the services a name is registered for by a one-byte suffix appended to the name; the suffixes carry the following information:
For unique names:
00: Workstation Service (workstation name)
03: Windows Messenger service
06: Remote Access Service
20: File Service (also called Host Record)
21: Remote Access Service client
1B: Domain Master Browser – Primary Domain Controller for a domain
1D: Master Browser
For group names:
00: Workstation Service (workgroup/domain name)
1C: Domain Controllers for a domain
1E: Browser Service Elections
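To read a name table without keeping the suffix list above in your head, here is an added Python example (not code from the article) that parses nmblookup -A output with the unique/group tables above and reduces it to the facts the article reads off it. The sample output, including its MAC address, is constructed in the shape nmblookup prints.

```python
import re

# NetBIOS suffix meanings as listed above; unique and group names use separate tables.
UNIQUE = {"00": "Workstation Service", "03": "Windows Messenger service",
          "06": "Remote Access Service", "20": "File Service (Host Record)",
          "21": "Remote Access Service client", "1B": "Domain Master Browser (PDC)",
          "1D": "Master Browser"}
GROUP = {"00": "Workgroup/domain name", "1C": "Domain Controllers", "1E": "Browser Service Elections"}

# Constructed sample in the shape of "nmblookup -A <ip>" output (not the article's run).
SAMPLE = """Looking up status of 192.168.1.103
\tMETASPLOITABLE  <00> -         B <ACTIVE>
\tMETASPLOITABLE  <03> -         B <ACTIVE>
\tMETASPLOITABLE  <20> -         B <ACTIVE>
\t..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
\tWORKGROUP       <00> - <GROUP> B <ACTIVE>
\tWORKGROUP       <1d> -         B <ACTIVE>
\tWORKGROUP       <1e> - <GROUP> B <ACTIVE>

\tMAC Address = 00-0C-29-AA-BB-CC
"""

# One name-table row: NAME <suffix> - [<GROUP>] node-type <state>
ENTRY_RE = re.compile(r"^\s*(?P<name>\S.*?)\s*<(?P<suffix>[0-9A-Fa-f]{2})>\s+-\s+"
                      r"(?P<group><GROUP>)?\s*(?P<type>[BPMH])\s+<(?P<state>\w+)>")
MAC_RE = re.compile(r"MAC Address = (?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})")

def parse_name_table(output):
    """Return (entries, mac); each entry is (name, SUFFIX, is_group, meaning)."""
    mac = MAC_RE.search(output)
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            suffix, is_group = m.group("suffix").upper(), m.group("group") is not None
            meaning = (GROUP if is_group else UNIQUE).get(suffix, "unknown suffix")
            entries.append((m.group("name"), suffix, is_group, meaning))
    return entries, (mac.group("mac") if mac else None)

def summarize_host(output):
    """Reduce the table to the facts the article reads off it: host, workgroup, roles, MAC."""
    entries, mac = parse_name_table(output)
    def name_for(suffix, is_group):
        return next((n for n, s, g, _ in entries if s == suffix and g == is_group), None)
    return {"hostname": name_for("00", False),
            "workgroup": name_for("00", True),
            "file_service": name_for("20", False) is not None,
            "domain_controller": name_for("1C", True) is not None,
            "master_browser": name_for("1D", False) is not None,
            "mac": mac}
```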
nbtscan
nbtscan is a command-line utility that scans for NetBIOS name servers on a local or remote TCP/IP network; it is a first step in finding open shares. It builds on the functionality of the standard Windows tool "nbtstat", but it works on a whole subnet instead of a single IP.
nbtscan 192.168.1.1/24
As you can observe, it dumps almost the same result as above, but the important difference is that it enumerates the whole subnet.
SMBMap
SMBMap allows users to enumerate samba share drives across
an entire domain. List share drives, drive permissions, share contents,
upload/download functionality, file name auto-download pattern matching, and
even execute remote commands. This tool was designed with pen testing in mind,
and is intended to simplify searching for potentially sensitive data across
large networks.
smbmap -H 192.168.1.102
smbmap -H 192.168.1.102 -d metasploitable -u msfadmin -p msfadmin
As you can observe, this tool not only lists the shares but also shows their permissions. If you look at the second command, you will see that it shows the permissions as seen by the user "msfadmin".
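An added example (not code from the article or from smbmap) that turns smbmap's share table into what a share owner needs to act on: which shares the session could reach at all, and which it could write to. The sample output is constructed in the shape smbmap prints; the public share in it is invented for illustration.

```python
import re

# Constructed sample in the shape of "smbmap -H <ip>" output (not the article's run).
SAMPLE = """[+] Finding open SMB ports....
[+] Guest SMB session established on 192.168.1.102...
[+] IP: 192.168.1.102:445\tName: 192.168.1.102
\tDisk                                                  \tPermissions
\t----                                                  \t-----------
\tprint$                                            \tNO ACCESS
\tpublic                                            \tREAD ONLY
\ttmp                                               \tREAD, WRITE
\topt                                               \tNO ACCESS
\tIPC$                                              \tNO ACCESS
\tADMIN$                                            \tNO ACCESS
"""

HOST_RE = re.compile(r"^\[\+\] IP: (?P<host>[^\s:]+):\d+")
# smbmap prints one of four permission strings after the padded share name.
SHARE_RE = re.compile(r"^\s*(?P<share>\S.*?)\s+(?P<perm>NO ACCESS|READ ONLY|READ, WRITE|WRITE ONLY)\b")

def parse_smbmap(output):
    """Return (host, share, permission) rows, attributing shares to the preceding host line."""
    rows, host = [], None
    for line in output.splitlines():
        h = HOST_RE.match(line)
        if h:
            host = h.group("host")
            continue
        m = SHARE_RE.match(line)
        if m and host:
            rows.append((host, m.group("share"), m.group("perm")))
    return rows

def reachable_shares(output):
    """Shares the session could open at all, writable ones first."""
    rows = [r for r in parse_smbmap(output) if r[2] != "NO ACCESS"]
    return sorted(rows, key=lambda r: "WRITE" not in r[2])

def writable_shares(output):
    """(host, share) pairs the session could write to: the finding to fix first."""
    return [(h, s) for h, s, p in parse_smbmap(output) if "WRITE" in p]
```

Run against the output of the first command above, it tells you what an anonymous session sees; against the second, what a given account sees.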
Smbclient
smbclient is a client that can 'talk' to an SMB/CIFS server.
It offers an interface similar to that of the ftp program. Operations include
things like getting files from the server to the local machine, putting files
from the local machine to the server, retrieving directory information from the
server and so on.
smbclient -L 192.168.1.102
smbclient //192.168.1.102/tmp
As you can observe, with the help of smbclient we are able to view the shared folders on the victim's machine. Moreover, we can use smbclient to transfer files over the share. Here you can see that we logged in successfully with an anonymous login and transferred the user.txt file.
Rpcclient
rpcclient is a utility initially developed to test MS-RPC
functionality in Samba itself. It has undergone several stages of development
and stability. Many system administrators have now written scripts around it to
manage Windows NT clients from their UNIX workstation.
We can use rpcclient to open an SMB session to the target machine with the command below; here it is a NULL session, since we supplied an empty username ("") and, with -N, no password.
rpcclient -U "" -N 192.168.1.102
enumdomusers
Next we run the enumdomusers command, and you can see the user names as well as their RIDs (the suffix of their SID) in hexadecimal form.
We use the queryuser command to retrieve all kinds of information about an individual user, identified solely by the user's RID in hex form; here RID 0x3e8 denotes the root user account.
queryuser 0x3e8
Note that the output shows the last logon time for the user root as well as the time the password was last set. Such details are very valuable for penetration testers, and all of this can be obtained without an admin username and password.
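An added example (not code from the article or from rpcclient) that parses the enumdomusers and queryuser output discussed above, so the RIDs and timestamps a NULL session discloses can be reviewed in bulk, for instance to flag accounts that never logged on or whose password is years old. The sample listings, the msfadmin RID and the dates are constructed; only the format follows rpcclient.

```python
import re
from datetime import datetime

# Constructed samples in the shape of rpcclient output (not the article's run).
ENUMDOMUSERS = """user:[root] rid:[0x3e8]
user:[msfadmin] rid:[0x3ea]
"""
QUERYUSER_ROOT = """\tUser Name   :\troot
\tFull Name   :\troot
\tLogon Time               :\tThu, 01 Jan 1970 00:00:00 UTC
\tPassword last set Time   :\tFri, 16 Nov 2012 03:01:37 UTC
\tPassword must change Time:\tnever
\tuser_rid :\t0x3e8
\tgroup_rid:\t0x201
"""

USER_RE = re.compile(r"user:\[(?P<name>[^\]]*)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")
RPC_TIME = "%a, %d %b %Y %H:%M:%S %Z"   # rpcclient's timestamp layout
EPOCH = datetime(1970, 1, 1)             # printed when a time was never set

def parse_enumdomusers(output):
    """Map each user name to its RID as an int (rpcclient prints RIDs in hex)."""
    return {m.group("name"): int(m.group("rid"), 16) for m in USER_RE.finditer(output)}

def parse_queryuser(output):
    """Split 'key : value' rows on the first colon only; timestamps contain colons too."""
    fields = {}
    for line in output.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def parse_rpc_time(value):
    """Return a datetime, or None for 'never' and for the epoch placeholder."""
    if value == "never":
        return None
    stamp = datetime.strptime(value, RPC_TIME)
    return None if stamp == EPOCH else stamp

def summarize_account(output, now):
    """The facts an auditor reads off a queryuser dump, aged against reference time `now`."""
    f = parse_queryuser(output)
    pw_set = parse_rpc_time(f["Password last set Time"])
    return {"user": f["User Name"],
            "rid": int(f["user_rid"], 16),
            "never_logged_on": parse_rpc_time(f["Logon Time"]) is None,
            "password_age_days": (now - pw_set).days if pw_set else None}
```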
Nmap
The following script attempts to detect whether a Microsoft SMBv1 server is vulnerable to a remote code execution vulnerability (ms17-010, a.k.a. EternalBlue). The vulnerability is actively exploited by the WannaCry and Petya ransomware and other malware.
nmap --script smb-vuln* -p 139,445 192.168.1.103
The script connects to the IPC$ tree, executes a transaction on FID 0 and checks whether the error "STATUS_INSUFF_SERVER_RESOURCES" is returned, to determine if the target is not patched against ms17-010. Additionally it checks for known error codes returned by patched systems.
In the image below you can observe that it found the target machine vulnerable to ms17-010 because SMBv1 is enabled.
Enum4linux
Enum4linux is a tool for enumerating information from
Windows and Samba systems. It attempts to offer similar functionality to
enum.exe formerly available from www.bindview.com.
It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup.
The tool usage can be found below, followed by examples; previous versions of the tool can be found at the bottom of the page.
Key features:
- RID cycling (when RestrictAnonymous is set to 1 on Windows 2000)
- User listing (when RestrictAnonymous is set to 0 on Windows 2000)
- Listing of group membership information
- Share enumeration
- Detecting if host is in a workgroup or a domain
- Identifying the remote operating system
- Password policy retrieval (using polenum)
enum4linux -a 192.168.1.102
As you can observe, it shows that the target belongs to a workgroup and dumps the NetBIOS names along with their suffixes, among much other information.
It also enumerates the users along with their RIDs in hexadecimal form with the help of rpcclient. Hence enum4linux is a Swiss-army knife for enumeration, but it cannot identify SMB vulnerabilities the way Nmap can.