ip a
    eth1 192.223.132.2/24
Without -sV nmap never talks to the service: the SERVICE column is only a lookup of the port number in its nmap-services table (139 = netbios-ssn, 445 = microsoft-ds), so it is a guess. Adding -sV makes nmap send probes and report what is actually answering on the port.
nmap 192.223.132.3

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

nmap 192.223.132.3 -sV -p 139,445

PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: RECONLABS)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: RECONLABS)
Service Info: Host: SAMBA-RECON

nmap 192.223.132.3 -sU --top-port 25 --open

PORT    STATE         SERVICE
137/udp open          netbios-ns
138/udp open|filtered netbios-dgm

nmap 192.223.132.3 -sU --top-port 25 --open -sV

PORT    STATE         SERVICE     VERSION
137/udp open          netbios-ns  Samba nmbd netbios-ns (workgroup: RECONLABS)
138/udp open|filtered netbios-dgm
Service Info: Host: SAMBA-RECON

nmap 192.223.132.3 -p 445 --script smb-os-discovery

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: victim-1
|   NetBIOS computer name: SAMBA-RECON\x00
|   Domain name: \x00
|   FQDN: victim-1
|_  System time: 2021-09-23T04:12:51+00:00

use auxiliary/scanner/smb/smb_version
show options
set rhosts 192.223.132.3
options
run
exploit

nmblookup -h
    [-A|--lookup-by-ip]

nmblookup -A 192.223.132.3

Looking up status of 192.223.132.3
        SAMBA-RECON     <00> -         H <ACTIVE>
        SAMBA-RECON     <03> -         H <ACTIVE>
        SAMBA-RECON     <20> -         H <ACTIVE>
        ..__MSBROWSE__. <01> - <GROUP> H <ACTIVE>
        RECONLABS       <00> - <GROUP> H <ACTIVE>
        RECONLABS       <1d> -         H <ACTIVE>
        RECONLABS       <1e> - <GROUP> H <ACTIVE>

smbclient -h
    [-L|--list=HOST]
    [-U|--user=USERNAME]
    [-N|--no-pass]
Check for a null session, i.e. an anonymous connection with no username and no password: -N tells smbclient not to prompt for a password, so whatever the server lists here is visible to anyone who can reach port 445.
smbclient -L 192.223.132.3 -N

rpcclient -h
    Authentication options:
      -U, --user=USERNAME    Set the network username
      -N, --no-pass          Don't ask for a password

rpcclient -U "" -N 192.223.132.3
rpcclient $> ?
root@attackdefense:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
25775: eth0@if25776: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:0a:01:00:04 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.1.0.4/16 brd 10.1.255.255 scope global eth0
       valid_lft forever preferred_lft forever
25778: eth1@if25779: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:c0:f8:f8:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.248.248.2/24 brd 192.248.248.255 scope global eth1
       valid_lft forever preferred_lft forever

root@attackdefense:~# nmap 192.248.248.3
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-18 13:01 UTC
Nmap scan report for target-1 (192.248.248.3)
Host is up (0.000010s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 02:42:C0:F8:F8:03 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds

root@attackdefense:~# nmap 192.248.248.3 -p139,445 -sV
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-18 13:03 UTC
Nmap scan report for target-1 (192.248.248.3)
Host is up (0.000039s latency).

PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: RECONLABS)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: RECONLABS)
MAC Address: 02:42:C0:F8:F8:03 (Unknown)
Service Info: Host: SAMBA-RECON

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.48 seconds
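The difference between the port-only scan and the -sV scan above (and in the short notes at the top of the page) is visible in nmap's XML output: each service element records method="table" when the name came from a port-number lookup and method="probed" when a version probe actually matched. The script below, an added example that is not part of the original page, parses constructed -oX output modelled on the two scans (the XML text, the reason/ttl attributes and the extra 138/udp entry are assumptions, not captures from the lab) and builds the follow-up -sV command for whatever is still only guessed. Note that 138/udp stays "table" even after -sV, because an open|filtered UDP port that never answers cannot be fingerprinted.

```python
"""Tell an nmap service *guess* (port-number lookup) from a *probed* fingerprint (-sV)."""
import xml.etree.ElementTree as ET

# Constructed nmap -oX output for the two TCP scans on this page plus the 138/udp result
# (assumed, not captured from the lab). nmap records how it obtained each service name:
# method="table" = looked up in nmap-services, method="probed" = a -sV probe matched;
# conf is nmap's 1..10 confidence in the name.
XML_PORTS_ONLY = """<nmaprun scanner="nmap" args="nmap -oX - 192.248.248.3" version="7.70">
<host><address addr="192.248.248.3" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="139"><state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="netbios-ssn" method="table" conf="3"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="microsoft-ds" method="table" conf="3"/></port>
</ports></host></nmaprun>"""

XML_WITH_SV = """<nmaprun scanner="nmap" args="nmap -oX - -sV -p139,445 192.248.248.3" version="7.70">
<host><address addr="192.248.248.3" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="139"><state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X"
 extrainfo="workgroup: RECONLABS" hostname="SAMBA-RECON" method="probed" conf="10"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X"
 extrainfo="workgroup: RECONLABS" hostname="SAMBA-RECON" method="probed" conf="10"/></port>
<port protocol="udp" portid="138"><state state="open|filtered" reason="no-response" reason_ttl="0"/>
<service name="netbios-dgm" method="table" conf="3"/></port>
</ports></host></nmaprun>"""


def parse_ports(xml_text):
    """One dict per scanned port, carrying the service metadata nmap attached to it."""
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            svc = port.find("service")
            a = svc.attrib if svc is not None else {}
            extra = a.get("extrainfo")
            yield {
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": port.find("state").get("state"),
                "name": a.get("name", "?"),
                "method": a.get("method", "none"),   # table | probed | none
                "conf": int(a.get("conf", "0")),
                # same text nmap prints in the VERSION column of normal output
                "version": " ".join(x for x in (a.get("product"), a.get("version"),
                                                f"({extra})" if extra else None) if x),
            }


def unverified(ports):
    """Open (or open|filtered) ports whose service name is only a table lookup."""
    out = {"tcp": [], "udp": []}
    for p in ports:
        if p["method"] != "probed" and p["state"].startswith("open"):
            out[p["proto"]].append(p["port"])
    return out


def followup_scan(host, ports):
    """nmap -sV command that re-examines only the still-guessed ports (T:/U: port spec)."""
    pending = unverified(ports)
    spec = ",".join(f"{proto[0].upper()}:{','.join(map(str, nums))}"
                    for proto, nums in pending.items() if nums)
    if not spec:
        return None
    cmd = ["nmap"]
    if pending["tcp"]:
        cmd.append("-sS")
    if pending["udp"]:
        cmd.append("-sU")
    cmd += ["-sV", "-p", spec, host]
    return " ".join(cmd)


if __name__ == "__main__":
    for xml in (XML_PORTS_ONLY, XML_WITH_SV):
        ports = list(parse_ports(xml))
        for p in ports:
            print(f"{p['port']}/{p['proto']:<4}{p['state']:<14}{p['name']:<13}{p['method']:<7}"
                  f"conf={p['conf']:<3}{p['version']}")
        print("follow-up:", followup_scan(ports[0]["host"], ports), "\n")
```

Run nmap with `-oX scan.xml` (or `-oX -` to stdout) and feed that file to parse_ports instead of the embedded samples; the method attribute is the reliable way to tell, in a large scan, which services were only guessed.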
root@attackdefense:~# nmap 192.248.248.3 -sU --top-port 25 --open
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-18 13:07 UTC
Nmap scan report for target-1 (192.248.248.3)
Host is up (0.000059s latency).
Not shown: 23 closed ports
PORT    STATE         SERVICE
137/udp open          netbios-ns
138/udp open|filtered netbios-dgm
MAC Address: 02:42:C0:F8:F8:03 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 23.58 seconds

root@attackdefense:~# nmap 192.248.248.3 -sU -p137,138 -sV
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-18 13:10 UTC
Nmap scan report for target-1 (192.248.248.3)
Host is up (0.000050s latency).

PORT    STATE         SERVICE     VERSION
137/udp open          netbios-ns  Samba nmbd netbios-ns (workgroup: RECONLABS)
138/udp open|filtered netbios-dgm
MAC Address: 02:42:C0:F8:F8:03 (Unknown)
Service Info: Host: SAMBA-RECON

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.38 seconds

root@attackdefense:~# nmap 192.248.248.3 -sU --top-port 25 --open -sV
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-18 13:14 UTC
Nmap scan report for target-1 (192.248.248.3)
Host is up (0.000070s latency).
Not shown: 23 closed ports
PORT    STATE         SERVICE     VERSION
137/udp open          netbios-ns  Samba nmbd netbios-ns (workgroup: RECONLABS)
138/udp open|filtered netbios-dgm
MAC Address: 02:42:C0:F8:F8:03 (Unknown)
Service Info: Host: SAMBA-RECON

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 118.32 seconds

root@attackdefense:~# nmap 192.248.248.3 -p445 --script smb-os-discovery
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-18 13:18 UTC
Nmap scan report for target-1 (192.248.248.3)
Host is up (0.000044s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 02:42:C0:F8:F8:03 (Unknown)

Host script results:
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: victim-1
|   NetBIOS computer name: SAMBA-RECON\x00
|   Domain name: \x00
|   FQDN: victim-1
|_  System time: 2022-08-18T13:18:53+00:00

Nmap done: 1 IP address (1 host up) scanned in 0.38 seconds

root@attackdefense:~# msfconsole -q
msf5 > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target address range or CIDR identifier
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.248.248.3
rhosts => 192.248.248.3
msf5 auxiliary(scanner/smb/smb_version) > options

Module options (auxiliary/scanner/smb/smb_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS     192.248.248.3    yes       The target address range or CIDR identifier
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

msf5 auxiliary(scanner/smb/smb_version) > run

[*] 192.248.248.3:445     - Host could not be identified: Windows 6.1 (Samba 4.3.11-Ubuntu)
[*] 192.248.248.3:445     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_version) > exploit

[*] 192.248.248.3:445     - Host could not be identified: Windows 6.1 (Samba 4.3.11-Ubuntu)
[*] 192.248.248.3:445     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

root@attackdefense:~# nmblookup -h
Usage: [-?fMRSTrAV] [-?|--help] [--usage] [-B|--broadcast=BROADCAST-ADDRESS] [-f|--flags] [-U|--unicast=STRING] [-M|--master-browser] [-R|--recursion] [-S|--status]
        [-T|--translate] [-r|--root-port] [-A|--lookup-by-ip] [-d|--debuglevel=DEBUGLEVEL] [-s|--configfile=CONFIGFILE] [-l|--log-basename=LOGFILEBASE] [-V|--version]
        [--option=name=value] [-O|--socket-options=SOCKETOPTIONS] [-n|--netbiosname=NETBIOSNAME] [-W|--workgroup=WORKGROUP] [-i|--scope=SCOPE] <NODE> ...

root@attackdefense:~# nmblookup -A 192.248.248.3
Looking up status of 192.248.248.3
        SAMBA-RECON     <00> -         H <ACTIVE>
        SAMBA-RECON     <03> -         H <ACTIVE>
        SAMBA-RECON     <20> -         H <ACTIVE>
        ..__MSBROWSE__. <01> - <GROUP> H <ACTIVE>
        RECONLABS       <00> - <GROUP> H <ACTIVE>
        RECONLABS       <1d> -         H <ACTIVE>
        RECONLABS       <1e> - <GROUP> H <ACTIVE>

        MAC Address = 00-00-00-00-00-00
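What nmblookup -A does (in the notes above and in this transcript) is a single NetBIOS NODE STATUS request to UDP/137 for the wildcard name "*"; the reply carries the name table printed above, where the 16th byte of each name (the <00>, <03>, <20>, <1d>, <1e>, <01> suffixes) says which service registered it and the GROUP flag distinguishes workgroup names from host names. The script below is an added example, not part of the original page or of Samba: it builds that request, parses the response per RFC 1002, and decodes the suffixes. The response bytes are constructed in the script to mirror the table shown above (they are not a capture), the suffix-to-role table is the commonly documented one and is an assumption, and query_node_status() is there for a live host but is not exercised offline.

```python
"""NetBIOS node-status (NBSTAT) query: the UDP/137 exchange behind `nmblookup -A <ip>`
and how to read the name table in the reply (RFC 1002 NODE STATUS REQUEST/RESPONSE)."""
import socket
import struct
from dataclasses import dataclass

NBSTAT = 0x0021  # question / resource-record type for NODE STATUS

# Meaning of the 16th byte (suffix) of a NetBIOS name, keyed by (suffix, is_group).
# Assumption: the commonly documented Microsoft suffix table, not taken from the page.
SUFFIX_ROLES = {
    (0x00, False): "Workstation Service (host name)",
    (0x00, True): "Domain/Workgroup name",
    (0x01, True): "Master Browser (__MSBROWSE__ announcement group)",
    (0x03, False): "Messenger Service",
    (0x1B, False): "Domain Master Browser",
    (0x1C, True): "Domain Controllers",
    (0x1D, False): "Master Browser",
    (0x1E, True): "Browser Service Elections",
    (0x20, False): "File Server Service (SMB shares)",
}

def encode_name(raw16: bytes) -> bytes:
    """First-level encoding: each byte of the 16-byte name becomes two letters 'A'..'P'
    (one per nibble); the result is one 32-byte label followed by a 0 terminator."""
    assert len(raw16) == 16
    enc = bytes(0x41 + n for b in raw16 for n in (b >> 4, b & 0x0F))
    return bytes([32]) + enc + b"\x00"

def build_nbstat_request(txid: int = 0x1337) -> bytes:
    """NODE STATUS REQUEST for the wildcard name '*' (NUL-padded), QTYPE=NBSTAT, QCLASS=IN."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags 0, QDCOUNT 1
    return header + encode_name(b"*" + b"\x00" * 15) + struct.pack(">HH", NBSTAT, 1)

@dataclass
class NbName:
    name: bytes    # 15-byte name, space-padded
    suffix: int    # 16th byte
    flags: int     # NAME_FLAGS: G=0x8000, ONT=0x6000, DRG=0x1000, CNF=0x0800, ACT=0x0400
    group = property(lambda s: bool(s.flags & 0x8000))
    node_type = property(lambda s: "BPMH"[(s.flags >> 13) & 0x3])  # B, P, M or H node
    # nmblookup prints non-printable bytes (as in \x01\x02__MSBROWSE__\x02) as '.'
    display = property(lambda s: "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in s.name).rstrip())
    role = property(lambda s: SUFFIX_ROLES.get((s.suffix, s.group), "unknown suffix"))

def _skip_name(pkt: bytes, off: int) -> int:
    while pkt[off]:
        off += 1 + pkt[off]
    return off + 1

def parse_node_status(pkt: bytes):
    """Return (names, mac) from a NODE STATUS RESPONSE; raises on anything else."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", pkt, 0)
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a NBSTAT response")
    off = 12
    for _ in range(qd):                 # questions are normally not echoed in the reply
        off = _skip_name(pkt, off) + 4
    off = _skip_name(pkt, off)          # RR name
    rtype, _rclass, _ttl, _rdlen = struct.unpack_from(">HHIH", pkt, off)
    off += 10
    if rtype != NBSTAT:
        raise ValueError(f"unexpected RR type 0x{rtype:04x}")
    count, off = pkt[off], off + 1      # NUM_NAMES, then 18 bytes per NODE_NAME entry
    names = []
    for _ in range(count):
        raw, suffix = pkt[off:off + 15], pkt[off + 15]
        (nflags,) = struct.unpack_from(">H", pkt, off + 16)
        names.append(NbName(raw, suffix, nflags))
        off += 18
    return names, pkt[off:off + 6]      # STATISTICS starts with UNIT_ID, the MAC address

def build_node_status_response(entries, mac: bytes, txid: int = 0x1337) -> bytes:
    """Constructed reply in RFC 1002 layout; used only to produce the offline sample below."""
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        rdata += name.ljust(15, b" ")[:15] + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += mac + b"\x00" * 40                        # remaining STATISTICS fields zeroed
    rr = encode_name(b"*" + b"\x00" * 15) + struct.pack(">HHIH", NBSTAT, 1, 0, len(rdata))
    return struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0) + rr + rdata

# Constructed sample mirroring the nmblookup -A table on this page (not a real capture).
# 0x6400 = unique, H-node, ACTIVE; 0xE400 = the same with the GROUP bit set.
SAMPLE_RESPONSE = build_node_status_response([
    (b"SAMBA-RECON", 0x00, 0x6400), (b"SAMBA-RECON", 0x03, 0x6400),
    (b"SAMBA-RECON", 0x20, 0x6400), (b"\x01\x02__MSBROWSE__\x02", 0x01, 0xE400),
    (b"RECONLABS", 0x00, 0xE400), (b"RECONLABS", 0x1D, 0x6400), (b"RECONLABS", 0x1E, 0xE400),
], mac=bytes(6))

def query_node_status(ip: str, timeout: float = 2.0):
    """Live version: one datagram to UDP/137, the same exchange nmblookup -A performs."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_request(), (ip, 137))
        return parse_node_status(s.recv(4096))

if __name__ == "__main__":
    names, mac = parse_node_status(SAMPLE_RESPONSE)  # or query_node_status("192.248.248.3")
    for n in names:
        print(f"{n.display:<16}<{n.suffix:02x}> {'GROUP' if n.group else '     '} {n.node_type}  {n.role}")
    print("MAC Address =", "-".join(f"{b:02X}" for b in mac))
```

Reading the table this way explains the output above: SAMBA-RECON <20> is the file server name, RECONLABS <00> (GROUP) is the workgroup, RECONLABS <1d> marks this host as the workgroup's master browser, and the all-zero MAC is what Samba's nmbd returns in the statistics block, so it is not an indicator of a spoofed reply.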
root@attackdefense:~# smbclient -h
Usage: smbclient [-?EgqBVNkPeC] [-?|--help] [--usage] [-R|--name-resolve=NAME-RESOLVE-ORDER] [-M|--message=HOST] [-I|--ip-address=IP] [-E|--stderr] [-L|--list=HOST]
        [-m|--max-protocol=LEVEL] [-T|--tar=<c|x>IXFqgbNan] [-D|--directory=DIR] [-c|--command=STRING] [-b|--send-buffer=BYTES] [-t|--timeout=SECONDS] [-p|--port=PORT]
        [-g|--grepable] [-q|--quiet] [-B|--browse] [-d|--debuglevel=DEBUGLEVEL] [-s|--configfile=CONFIGFILE] [-l|--log-basename=LOGFILEBASE] [-V|--version] [--option=name=value]
        [-O|--socket-options=SOCKETOPTIONS] [-n|--netbiosname=NETBIOSNAME] [-W|--workgroup=WORKGROUP] [-i|--scope=SCOPE] [-U|--user=USERNAME] [-N|--no-pass] [-k|--kerberos]
        [-A|--authentication-file=FILE] [-S|--signing=on|off|required] [-P|--machine-pass] [-e|--encrypt] [-C|--use-ccache] [--pw-nt-hash] service <password>

root@attackdefense:~# smbclient -L 192.248.248.3 -N

        Sharename       Type      Comment
        ---------       ----      -------
        public          Disk
        john            Disk
        aisha           Disk
        emma            Disk
        everyone        Disk
        IPC$            IPC       IPC Service (samba.recon.lab)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        RECONLABS            SAMBA-RECON

root@attackdefense:~# rpcclient -h
Usage: rpcclient [OPTION...]
  -c, --command=COMMANDS                 Execute semicolon separated cmds
  -I, --dest-ip=IP                       Specify destination IP address
  -p, --port=PORT                        Specify port number

Help options:
  -?, --help                             Show this help message
      --usage                            Display brief usage message

Common samba options:
  -d, --debuglevel=DEBUGLEVEL            Set debug level
  -s, --configfile=CONFIGFILE            Use alternate configuration file
  -l, --log-basename=LOGFILEBASE         Base name for log files
  -V, --version                          Print version
      --option=name=value                Set smb.conf option from command line

Connection options:
  -O, --socket-options=SOCKETOPTIONS     socket options to use
  -n, --netbiosname=NETBIOSNAME          Primary netbios name
  -W, --workgroup=WORKGROUP              Set the workgroup name
  -i, --scope=SCOPE                      Use this Netbios scope

Authentication options:
  -U, --user=USERNAME                    Set the network username
  -N, --no-pass                          Don't ask for a password
  -k, --kerberos                         Use kerberos (active directory) authentication
  -A, --authentication-file=FILE         Get the credentials from a file
  -S, --signing=on|off|required          Set the client signing state
  -P, --machine-pass                     Use stored machine account password
  -e, --encrypt                          Encrypt SMB transport
  -C, --use-ccache                       Use the winbind ccache for authentication
      --pw-nt-hash                       The supplied password is the NT hash

root@attackdefense:~# rpcclient -U "" -N 192.248.248.3
rpcclient $> ?
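The anonymous share listing (smbclient -L ... -N, in the notes and in the transcript above) tells you which shares exist, not which of them a null session can actually read; the per-user shares john, aisha and emma are exactly the ones worth testing. The script below is an added example and not part of the original page or of Samba: it parses smbclient's listing, then runs `smbclient //host/share -N -c ls` against every Disk share and classifies the result from the NT_STATUS text smbclient prints. The listing text and the two sample smbclient results are constructed to match the page's output, not captured; the runner hook exists so the logic runs offline, and the real subprocess path is only taken when smbclient is installed.

```python
"""Null-session share triage: parse `smbclient -L host -N`, then test each share for anonymous read."""
import re
import shutil
import subprocess

# Constructed copy of the share listing on this page (smbclient -L 192.248.248.3 -N).
SAMPLE_LISTING = """\
\tSharename       Type      Comment
\t---------       ----      -------
\tpublic          Disk      
\tjohn            Disk      
\taisha           Disk      
\temma            Disk      
\teveryone        Disk      
\tIPC$            IPC       IPC Service (samba.recon.lab)
Reconnecting with SMB1 for workgroup listing.

\tServer               Comment
\t---------            -------

\tWorkgroup            Master
\t---------            -------
\tRECONLABS            SAMBA-RECON
"""

SHARE_RE = re.compile(r"^\s*(\S+)\s+(Disk|IPC|Printer)\b\s*(.*)$")


def parse_share_list(text):
    """Return [(name, type, comment)] from smbclient -L output; stops at the server table."""
    shares = []
    for line in text.splitlines():
        if line.startswith("Reconnecting") or line.lstrip().startswith("Server"):
            break
        m = SHARE_RE.match(line)
        if m:
            shares.append((m.group(1), m.group(2), m.group(3).strip()))
    return shares


def classify_ls(returncode, output):
    """Map the result of `smbclient //host/share -N -c ls` to a verdict."""
    if "NT_STATUS_ACCESS_DENIED" in output:
        return "denied"
    if "NT_STATUS_BAD_NETWORK_NAME" in output:
        return "missing"
    if "NT_STATUS_" in output or returncode != 0:
        return "error"
    return "readable"   # a directory listing came back without any credentials


def probe_shares(host, shares, runner=None):
    """Try an anonymous `ls` on every Disk share. runner(argv) -> (returncode, output);
    by default it really runs smbclient, and can be replaced for offline use."""
    if runner is None:
        if shutil.which("smbclient") is None:
            raise RuntimeError("smbclient is not installed")

        def runner(argv):
            r = subprocess.run(argv, capture_output=True, text=True, timeout=30)
            return r.returncode, r.stdout + r.stderr
    results = {}
    for name, kind, _comment in shares:
        if kind != "Disk":          # IPC$ is the RPC pipe share, not a file tree
            continue
        rc, out = runner(["smbclient", f"//{host}/{name}", "-N", "-c", "ls"])
        results[name] = classify_ls(rc, out)
    return results


# Constructed smbclient results for the two common outcomes (assumed, not captured):
# an anonymous listing of "public" succeeds, everything else is refused at tree connect.
FAKE_OUTPUTS = {
    "public": (0, "  .                                   D        0  Thu Aug 18 13:00:00 2022\n"
                  "  ..                                  D        0  Thu Aug 18 13:00:00 2022\n"
                  "\t\t1234567 blocks of size 1024. 123456 blocks available\n"),
}


def fake_runner(argv):
    share = argv[1].rsplit("/", 1)[1]
    return FAKE_OUTPUTS.get(share, (1, "tree connect failed: NT_STATUS_ACCESS_DENIED\n"))


if __name__ == "__main__":
    shares = parse_share_list(SAMPLE_LISTING)
    for name, verdict in probe_shares("192.248.248.3", shares, runner=fake_runner).items():
        print(f"{name:<10} {verdict}")
```

Call probe_shares(host, shares) without a runner to test the live target. The same anonymous context is what `rpcclient -U "" -N` opens over IPC$; at its prompt, commands such as srvinfo, enumdomusers, enumdomgroups and querydominfo show whether the server also answers RPC queries without credentials.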