SMB: Samba 3
1
2
ip a
eth1 192.4.17.2/24
1
nmap 192.4.17.3
1
nmap 192.4.17.3 -p 445 --script smb-enum-shares
1
2
3
4
5
6
7
msfconsole
use auxiliary/scanner/smb/smb_enumshares
set rhosts 192.4.17.3
show options
exploit
exit
1
enum4linux -S 192.4.17.3
1
smbclient -L 192.4.17.3 -N
1
enum4linux -G 192.4.17.3
1
2
3
rpcclient -U "" -N 192.4.17.3
rpcclient $> enumdomgroups
rpcclient $> exit
1
enum4linux -i 192.4.17.3
1
2
3
4
5
6
7
smbclient //192.4.17.3/Public -N
smb: \> help
smb: \> ls
smb: \> cd secret
smb: \secret\> ls
smb: \secret\> get flag
smb: \secret\> exit
1
cat flag
Samba Recon: Basics III
概述
在本次挑战中,我们将了解 SMB 服务器侦察的基础知识。请开始实验并回答以下问题:
问题
- 使用 Nmap 脚本列出 samba 服务器上的所有可用共享。
- 使用 smb_enumshares Metasploit 模块列出 samba 服务器上的所有可用共享。
- 使用 enum4Linux 列出 samba 服务器上的所有可用共享。
- 使用 smbclient 列出 samba 服务器上的所有可用共享。
- 使用 enum4Linux 查找存在于 samba 服务器上的域组。
- 使用 rpcclient 查找 samba 服务器上存在的域组。
- samba 服务器是否配置为打印?
- 共享“公共”中有多少目录?
- 从 samba 服务器获取标志。
指示:
- 这个实验室是献给你的!此网络上没有其他用户 :)
- 开始实验室后,您将可以访问 Kali 实例的根终端
- 你的 Kali 有一个 IP 地址为 192.XYZ 的接口运行“ip addr”来知道 X 和 Y 的值。
- 目标机器应位于 IP 地址 192.XY3。
- 不要攻击位于 IP 地址 192.XY1 的网关
我自己的思路
In this challenge, we will look at the basics of SMB server reconnaissance. Please start the lab and answer the following questions:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
root@attackdefense:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
27440: eth0@if27441: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:0a:01:00:0d brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.1.0.13/16 brd 10.1.255.255 scope global eth0
valid_lft forever preferred_lft forever
27443: eth1@if27444: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:c0:0d:6d:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.13.109.2/24 brd 192.13.109.255 scope global eth1
valid_lft forever preferred_lft forever
target: 192.13.109.3
1
2
3
4
5
6
7
8
9
10
11
root@attackdefense:~# nmap 192.13.109.3
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-19 08:48 UTC
Nmap scan report for target-1 (192.13.109.3)
Host is up (0.000010s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 02:42:C0:0D:6D:03 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds
Questions
List all available shares on the samba server using Nmap script.
IPC$, aisha, emma, everyone, john, public
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
root@attackdefense:~# nmap 192.13.109.3 -p 445 --script smb-enum-shares
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-19 08:50 UTC
Nmap scan report for target-1 (192.13.109.3)
Host is up (0.000055s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 02:42:C0:0D:6D:03 (Unknown)
Host script results:
| smb-enum-shares:
| account_used: guest
| \\192.13.109.3\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (samba.recon.lab)
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\192.13.109.3\aisha:
| Type: STYPE_DISKTREE
| Comment:
| Users: 0
| Max Users: <unlimited>
| Path: C:\samba\aisha
| Anonymous access: <none>
| Current user access: <none>
| \\192.13.109.3\emma:
| Type: STYPE_DISKTREE
| Comment:
| Users: 0
| Max Users: <unlimited>
| Path: C:\samba\emma
| Anonymous access: <none>
| Current user access: <none>
| \\192.13.109.3\everyone:
| Type: STYPE_DISKTREE
| Comment:
| Users: 0
| Max Users: <unlimited>
| Path: C:\samba\everyone
| Anonymous access: <none>
| Current user access: <none>
| \\192.13.109.3\john:
| Type: STYPE_DISKTREE
| Comment:
| Users: 0
| Max Users: <unlimited>
| Path: C:\samba\john
| Anonymous access: <none>
| Current user access: <none>
| \\192.13.109.3\public:
| Type: STYPE_DISKTREE
| Comment:
| Users: 0
| Max Users: <unlimited>
| Path: C:\samba\public
| Anonymous access: READ/WRITE
|_ Current user access: READ/WRITE
Nmap done: 1 IP address (1 host up) scanned in 0.86 seconds
List all available shares on the samba server using smb_enumshares Metasploit module.
public, john, aisha, emma, everyone, IPC$
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
root@attackdefense:~# msfconsole -q
msf5 > use auxiliary/scanner/smb/smb_enumshares
msf5 auxiliary(scanner/smb/smb_enumshares) > show options
Module options (auxiliary/scanner/smb/smb_enumshares):
Name Current Setting Required Description
---- --------------- -------- -----------
LogSpider 3 no 0 = disabled, 1 = CSV, 2 = table (txt), 3 = one liner (txt) (Accepted: 0, 1, 2, 3)
MaxDepth 999 yes Max number of subdirectories to spider
RHOSTS yes The target address range or CIDR identifier
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
ShowFiles false yes Show detailed information when spidering
SpiderProfiles true no Spider only user profiles when share = C$
SpiderShares false no Spider shares recursively
THREADS 1 yes The number of concurrent threads
msf5 auxiliary(scanner/smb/smb_enumshares) > set RHOSTS 192.13.109.3
RHOSTS => 192.13.109.3
msf5 auxiliary(scanner/smb/smb_enumshares) > exploit
[+] 192.13.109.3:139 - public - (DS)
[+] 192.13.109.3:139 - john - (DS)
[+] 192.13.109.3:139 - aisha - (DS)
[+] 192.13.109.3:139 - emma - (DS)
[+] 192.13.109.3:139 - everyone - (DS)
[+] 192.13.109.3:139 - IPC$ - (I) IPC Service (samba.recon.lab)
[*] 192.13.109.3: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_enumshares) > exit
List all available shares on the samba server using enum4Linux.
public, john, aisha, emma, everyone, IPC$
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
root@attackdefense:~# enum4linux -S 192.13.109.3
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Aug 19 09:04:23 2022
==========================
| Target Information |
==========================
Target ........... 192.13.109.3
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
====================================================
| Enumerating Workgroup/Domain on 192.13.109.3 |
====================================================
[+] Got domain/workgroup name: RECONLABS
=====================================
| Session Check on 192.13.109.3 |
=====================================
[+] Server 192.13.109.3 allows sessions using username '', password ''
===========================================
| Getting domain SID for 192.13.109.3 |
===========================================
Domain Name: RECONLABS
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
=========================================
| Share Enumeration on 192.13.109.3 |
=========================================
Sharename Type Comment
--------- ---- -------
public Disk
john Disk
aisha Disk
emma Disk
everyone Disk
IPC$ IPC IPC Service (samba.recon.lab)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
RECONLABS SAMBA-RECON
[+] Attempting to map shares on 192.13.109.3
//192.13.109.3/public Mapping: OK, Listing: OK
//192.13.109.3/john Mapping: DENIED, Listing: N/A
//192.13.109.3/aisha Mapping: DENIED, Listing: N/A
//192.13.109.3/emma Mapping: DENIED, Listing: N/A
//192.13.109.3/everyone Mapping: DENIED, Listing: N/A
//192.13.109.3/IPC$ [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
enum4linux complete on Fri Aug 19 09:04:23 2022
List all available shares on the samba server using smbclient.
public, john, aisha, emma, everyone, IPC$
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
root@attackdefense:~# smbclient -L 192.13.109.3 -N
Sharename Type Comment
--------- ---- -------
public Disk
john Disk
aisha Disk
emma Disk
everyone Disk
IPC$ IPC IPC Service (samba.recon.lab)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
RECONLABS SAMBA-RECON
Find domain groups that exist on the samba server by using enum4Linux.
Maintainer, Reserved
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
root@attackdefense:~# enum4linux -G 192.13.109.3
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Aug 19 09:13:46 2022
==========================
| Target Information |
==========================
Target ........... 192.13.109.3
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
====================================================
| Enumerating Workgroup/Domain on 192.13.109.3 |
====================================================
[+] Got domain/workgroup name: RECONLABS
=====================================
| Session Check on 192.13.109.3 |
=====================================
[+] Server 192.13.109.3 allows sessions using username '', password ''
===========================================
| Getting domain SID for 192.13.109.3 |
===========================================
Domain Name: RECONLABS
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
==============================
| Groups on 192.13.109.3 |
==============================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
group:[Testing] rid:[0x3f0]
[+] Getting local group memberships:
[+] Getting domain groups:
group:[Maintainer] rid:[0x3ee]
group:[Reserved] rid:[0x3ef]
[+] Getting domain group memberships:
enum4linux complete on Fri Aug 19 09:13:46 2022
Find domain groups that exist on the samba server by using rpcclient.
Maintainer, Reserved
1
2
3
4
5
root@attackdefense:~# rpcclient -U "" -N 192.13.109.3
rpcclient $> enumdomgroups
group:[Maintainer] rid:[0x3ee]
group:[Reserved] rid:[0x3ef]
rpcclient $> exit
Is samba server configured for printing?
No printers returned.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
root@attackdefense:~# enum4linux -i 192.13.109.3
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Aug 19 09:20:16 2022
==========================
| Target Information |
==========================
Target ........... 192.13.109.3
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
====================================================
| Enumerating Workgroup/Domain on 192.13.109.3 |
====================================================
[+] Got domain/workgroup name: RECONLABS
=====================================
| Session Check on 192.13.109.3 |
=====================================
[+] Server 192.13.109.3 allows sessions using username '', password ''
===========================================
| Getting domain SID for 192.13.109.3 |
===========================================
Domain Name: RECONLABS
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
=============================================
| Getting printer info for 192.13.109.3 |
=============================================
No printers returned.
enum4linux complete on Fri Aug 19 09:20:16 2022
How many directories are present inside share “public”?
2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
root@attackdefense:~# smbclient //192.13.109.3/Public -N
Try "help" to get a list of possible commands.
smb: \> help
? allinfo altname archive backup
blocksize cancel case_sensitive cd chmod
chown close del deltree dir
du echo exit get getfacl
geteas hardlink help history iosize
lcd link lock lowercase ls
l mask md mget mkdir
more mput newer notify open
posix posix_encrypt posix_open posix_mkdir posix_rmdir
posix_unlink posix_whoami print prompt put
pwd q queue quit readlink
rd recurse reget rename reput
rm rmdir showacls setea setmode
scopy stat symlink tar tarmode
timeout translate unlock volume vuid
wdel logon listconnect showconnect tcon
tdis tid utimes logoff ..
!
smb: \> ls
. D 0 Fri Aug 19 08:50:41 2022
.. D 0 Tue Nov 27 13:36:13 2018
dev D 0 Tue Nov 27 13:36:13 2018
secret D 0 Tue Nov 27 13:36:13 2018
1981094964 blocks of size 1024. 97702952 blocks available
smb: \> cd secret
smb: \secret\> ls
. D 0 Tue Nov 27 13:36:13 2018
.. D 0 Fri Aug 19 08:50:41 2022
flag N 33 Tue Nov 27 13:36:13 2018
1981094964 blocks of size 1024. 97702744 blocks available
smb: \secret\> get flag
getting file \secret\flag of size 33 as flag (32.2 KiloBytes/sec) (average 32.2 KiloBytes/sec)
smb: \secret\> exit
Fetch the flag from samba server.
1
2
root@attackdefense:~# cat flag
03ddb97933e716f5057a18632badb3b4
解决方案
此实验室的解决方案可在以下手册中找到:https://assets.ine.com/labs/ad-manuals/walkthrough-555.pdf
