SMB Samba 2
1
2
3
4
| ip a
eth1
192.76.242.2/24
|
1
2
3
| PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
|
1
| nmap 192.76.242.3 -p 445 -sV
|
1
2
3
| PORT STATE SERVICE VERSION
445/tcp open microsoft-ds Samba smbd 3.X - 4.X (workgroup: RECONLABS)
Service Info: Host: SAMBA-RECON
|
1
| rpcclient -U "" -N 192.76.242.3
|
1
2
3
| rpcclient $> srvinfo
os version : 6.1
rpcclient $> exit
|
1
2
3
| enum4linux -h
-o Get OS information
|
1
| enum4linux -o 192.76.242.3
|
List with null session.
1
| smbclient -L 192.76.242.3 -N
|
1
| nmap 192.76.242.3 -p 445 --script smb-protocols
|
1
2
3
4
5
6
7
| msfconsole
use auxiliary/scanner/smb/smb2
set RHOSTS 192.76.242.3
options
run
exit
|
1
| 192.76.242.3 supports SMB 2 [dialect 255.2] and has been online for 3688012 hours
|
1
| nmap 192.76.242.3 -p 445 --script smb-enum-users
|
1
2
3
4
| enum4linux -h
Options are (like "enum"):
-U get userlist
|
1
| enum4linux -U 192.76.242.3
|
1
2
3
| rpcclient -U "" -N 192.76.242.3
rpcclient $> enumdomusers
rpcclient $> lookupnames admin
|
Samba Recon: Basics II
概述
在这个挑战中,我们将了解 SMB 服务器侦察的基础知识。请开始实验并回答以下问题:
问题
- 使用 rpcclient 查找 samba 服务器的操作系统版本。
- 使用 enum4Linux 查找 samba 服务器的操作系统版本。
- 使用 smbclient 查找 samba 服务器的服务器描述。
- samba 服务器是否支持 NT LM 0.12 (SMBv1) 方言?使用适当的 nmap 脚本。
- samba 服务器是否支持 SMB2 协议?使用 smb2 metasploit 模块。
- 使用适当的 nmap 脚本列出 samba 服务器上存在的所有用户。
- 使用 smb_enumusers metasploit 模块列出 samba 服务器上存在的所有用户。
- 使用 enum4Linux 列出存在于 samba 服务器上的所有用户。
- 使用 rpcclient 列出 samba 服务器上存在的所有用户。
- 使用 rpcclient 查找用户“admin”的 SID。
指示:
- 这个实验室是献给你的!此网络上没有其他用户 :)
- 开始实验室后,您将可以访问 Kali 实例的根终端
- 你的 Kali 有一个 IP 地址为 192.XYZ 的接口运行“ip addr”以了解 X 和 Y 的值。
- 目标机器应位于 IP 地址 192.XY3。
- 不要攻击位于 IP 地址 192.XY1 的网关
我自己的思路
In this challenge we will look at the basics of SMB server reconnaissance. Please start the lab and answer the following questions:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
| root@attackdefense:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
26154: eth0@if26155: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:0a:01:00:0b brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.1.0.11/16 brd 10.1.255.255 scope global eth0
valid_lft forever preferred_lft forever
26157: eth1@if26158: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:c0:64:73:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.100.115.2/24 brd 192.100.115.255 scope global eth1
valid_lft forever preferred_lft forever
|
target: 192.100.115.3
1
2
3
4
5
6
7
8
9
10
11
| root@attackdefense:~# nmap 192.100.115.3
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-19 01:47 UTC
Nmap scan report for target-1 (192.100.115.3)
Host is up (0.000010s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 02:42:C0:64:73:03 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds
|
1
2
3
4
5
6
7
8
9
10
11
12
| root@attackdefense:~# nmap 192.100.115.3 -p445 -sV
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-19 01:48 UTC
Nmap scan report for target-1 (192.100.115.3)
Host is up (0.000040s latency).
PORT STATE SERVICE VERSION
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: RECONLABS)
MAC Address: 02:42:C0:64:73:03 (Unknown)
Service Info: Host: SAMBA-RECON
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.56 seconds
|
Questions
Find the OS version of samba server using rpcclient.
os version: 6.1
1
2
3
4
5
6
| root@attackdefense:~# rpcclient -U "" -N 192.100.115.3
rpcclient $> srvinfo
SAMBA-RECON Wk Sv PrQ Unx NT SNT samba.recon.lab
platform_id : 500
os version : 6.1
server type : 0x809a03
|
Find the OS version of samba server using enum4Linux.
os version: 6.1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
| root@attackdefense:~# enum4linux -o 192.100.115.3
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Aug 19 01:51:37 2022
==========================
| Target Information |
==========================
Target ........... 192.100.115.3
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=====================================================
| Enumerating Workgroup/Domain on 192.100.115.3 |
=====================================================
[+] Got domain/workgroup name: RECONLABS
======================================
| Session Check on 192.100.115.3 |
======================================
[+] Server 192.100.115.3 allows sessions using username '', password ''
============================================
| Getting domain SID for 192.100.115.3 |
============================================
Domain Name: RECONLABS
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
=======================================
| OS information on 192.100.115.3 |
=======================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.100.115.3 from smbclient:
[+] Got OS info for 192.100.115.3 from srvinfo:
SAMBA-RECON Wk Sv PrQ Unx NT SNT samba.recon.lab
platform_id : 500
os version : 6.1
server type : 0x809a03
enum4linux complete on Fri Aug 19 01:51:38 2022
|
Find the server description of samba server using smbclient.
samba.recon.lab
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
| root@attackdefense:~# smbclient -L 192.100.115.3 -N
Sharename Type Comment
--------- ---- -------
public Disk
john Disk
aisha Disk
emma Disk
everyone Disk
IPC$ IPC IPC Service (samba.recon.lab)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
RECONLABS SAMBA-RECON
|
Is NT LM 0.12 (SMBv1) dialects supported by the samba server? Use appropriate nmap script.
yes, it is supported.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
| root@attackdefense:~# nmap 192.100.115.3 -p445 --script smb-protocols
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-19 01:58 UTC
Nmap scan report for target-1 (192.100.115.3)
Host is up (0.000038s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 02:42:C0:64:73:03 (Unknown)
Host script results:
| smb-protocols:
| dialects:
| NT LM 0.12 (SMBv1) [dangerous, but default]
| 2.02
| 2.10
| 3.00
| 3.02
|_ 3.11
Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds
|
Is SMB2 protocol supported by the samba server? Use smb2 metasploit module.
Yes. the samba server supports SMB 2 [dialect 255.2].
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
| root@attackdefense:~# msfconsole -q
msf5 > use auxiliary/scanner/smb/smb2
msf5 auxiliary(scanner/smb/smb2) > set RHOSTS 192.100.115.3
RHOSTS => 192.100.115.3
msf5 auxiliary(scanner/smb/smb2) > options
Module options (auxiliary/scanner/smb/smb2):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.100.115.3 yes The target address range or CIDR identifier
RPORT 445 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads
msf5 auxiliary(scanner/smb/smb2) > run
[+] 192.100.115.3:445 - 192.100.115.3 supports SMB 2 [dialect 255.2] and has been online for 3695930 hours
[*] 192.100.115.3:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
|
List all users that exists on the samba server using appropriate nmap script.
john, elie, aisha, shawn, emma, admin
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
| root@attackdefense:~# nmap 192.100.115.3 -p445 --script smb-enum-users
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-19 02:04 UTC
Nmap scan report for target-1 (192.100.115.3)
Host is up (0.000055s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 02:42:C0:64:73:03 (Unknown)
Host script results:
| smb-enum-users:
| SAMBA-RECON\admin (RID: 1005)
| Full name:
| Description:
| Flags: Normal user account
| SAMBA-RECON\aisha (RID: 1004)
| Full name:
| Description:
| Flags: Normal user account
| SAMBA-RECON\elie (RID: 1002)
| Full name:
| Description:
| Flags: Normal user account
| SAMBA-RECON\emma (RID: 1003)
| Full name:
| Description:
| Flags: Normal user account
| SAMBA-RECON\john (RID: 1000)
| Full name:
| Description:
| Flags: Normal user account
| SAMBA-RECON\shawn (RID: 1001)
| Full name:
| Description:
|_ Flags: Normal user account
Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds
|
List all users that exists on the samba server using smb_enumusers metasploit modules.
john, elie, aisha, shawn, emma, admin
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
| msf5 > search smb_enumusers
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
1 auxiliary/scanner/smb/smb_enumusers normal Yes SMB User Enumeration (SAM EnumUsers)
2 auxiliary/scanner/smb/smb_enumusers_domain normal Yes SMB Domain User Enumeration
msf5 > use auxiliary/scanner/smb/smb_enumusers
msf5 auxiliary(scanner/smb/smb_enumusers) > show options
Module options (auxiliary/scanner/smb/smb_enumusers):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads
msf5 auxiliary(scanner/smb/smb_enumusers) > set RHOSTS 192.100.115.3
RHOSTS => 192.100.115.3
msf5 auxiliary(scanner/smb/smb_enumusers) > run
[+] 192.100.115.3:139 - SAMBA-RECON [ john, elie, aisha, shawn, emma, admin ] ( LockoutTries=0 PasswordMin=5 )
[*] 192.100.115.3: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
|
List all users that exists on the samba server using enum4Linux.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
| root@attackdefense:~# enum4linux -U 192.100.115.3
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Aug 19 02:11:18 2022
==========================
| Target Information |
==========================
Target ........... 192.100.115.3
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=====================================================
| Enumerating Workgroup/Domain on 192.100.115.3 |
=====================================================
[+] Got domain/workgroup name: RECONLABS
======================================
| Session Check on 192.100.115.3 |
======================================
[+] Server 192.100.115.3 allows sessions using username '', password ''
============================================
| Getting domain SID for 192.100.115.3 |
============================================
Domain Name: RECONLABS
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
==============================
| Users on 192.100.115.3 |
==============================
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: john Name: Desc:
index: 0x2 RID: 0x3ea acb: 0x00000010 Account: elie Name: Desc:
index: 0x3 RID: 0x3ec acb: 0x00000010 Account: aisha Name: Desc:
index: 0x4 RID: 0x3e9 acb: 0x00000010 Account: shawn Name: Desc:
index: 0x5 RID: 0x3eb acb: 0x00000010 Account: emma Name: Desc:
index: 0x6 RID: 0x3ed acb: 0x00000010 Account: admin Name: Desc:
user:[john] rid:[0x3e8]
user:[elie] rid:[0x3ea]
user:[aisha] rid:[0x3ec]
user:[shawn] rid:[0x3e9]
user:[emma] rid:[0x3eb]
user:[admin] rid:[0x3ed]
enum4linux complete on Fri Aug 19 02:11:18 2022
|
List all users that exists on the samba server using rpcclient.
1
2
3
4
5
6
7
8
| root@attackdefense:~# rpcclient -U "" -N 192.100.115.3
rpcclient $> enumdomusers
user:[john] rid:[0x3e8]
user:[elie] rid:[0x3ea]
user:[aisha] rid:[0x3ec]
user:[shawn] rid:[0x3e9]
user:[emma] rid:[0x3eb]
user:[admin] rid:[0x3ed]
|
Find SID of user “admin” using rpcclient.
S-1-5-21-4056189605-2085045094-1961111545-1005
1
2
3
| root@attackdefense:~# rpcclient -U "" -N 192.100.115.3
rpcclient $> lookupnames admin
admin S-1-5-21-4056189605-2085045094-1961111545-1005 (User: 1)
|
解决方案
此实验室的解决方案可在以下手册中找到: https://assets.ine.com/labs/ad-manuals/walkthrough-554.pdf
Samba
smbclient
enum4linux
rpcclient
smb-protocols
smb-enum-users
SMB 2.0 Protocol Detection
SMB User Enumeration (SAM EnumUsers)
