OSCP Notes

445 SMB

username enum:
nmap --script "safe or smb-enum-*" -p 445 IP
smbmap -H
Looks like we can read from general and Development.
smbmap -H -R --depth 5
Running this will go in those directories and discover files.
smbclient //
and download the file (get creds.txt)
creds.txt content

Share with space

smbclient "\\\\IP\\Bob Share" --no-pass

Brute Forcing SMB

  1. 1.
    Create a user name list and a password list after initial enumeration. i.e) use cewl or hashcat for password list.
cme smb IP -u users.txt -p pass.txt --continue-on-success

Utilizing rpcclient to login

rpcclient -U user IP
once you get in you can perform these commands
enumdomusers #get all the usernames
queryuser [0x40] (enter rid)

Using cme winrm to check if it gets pwned > evil-winrm to get a shell.

cme winrm IP -u user -p 'PASS'
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
| Disclosure date: 2008-10-23
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx

Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Metasploit)

only need to change the rhost to exploit it.

Changing smb password with smbpasswd

if you get the status (NT_STATUS_PASSWORD_MUST_CHANGE) after entering correct credentials, you can set a new password with this command.
smbpasswd -U user -r IP


#Server requested LANMAN password (share-level security) but 'client lanman auth = no' or 'client ntlmv2 auth = yes'
#In the /etc/samba/smb.conf file to be able to connect to those old servers.
client lanman auth = yes
client ntlmv2 auth = no
Last modified 5mo ago