| description |
|---|
Server Message Block |
Check for SMB vulnerablities with Nmap:
$ sudo nmap -sV --script-args=unsafe=1 --script smb-os-discovery 10.10.13.37 -p139,445
$ sudo nmap -n -Pn -sV --script 'smb-vuln*' 10.10.13.37 -p445
Check if SMB Signing is enabled with CME:
$ cme smb smb.txt | grep -a 'signing:False'
Enumerate SMB version for old versions of Samba (for security reasons modern clients will not initiate connection with legacy protocols in use):
$ sudo ngrep -i -d eth0 's.?a.?m.?b.?a.*[[:digit:]]' port 139
$ echo exit | smbclient -N -L 10.10.13.37 --option='client min protocol=LANMAN1'
Mount:
$ sudo mount -t cifs '//127.0.0.1/Users' /mnt/smb -v -o user=snovvcrash,[pass='Passw0rd!']
Status:
$ mount -v | grep 'type cifs'
$ df -k -F cifs
Unmount:
$ sudo umount /mnt/smb
Create an SMB share allowing null authentication.
{% code title="/etc/samba/smb.conf" %}
[global]
map to guest = bad user
server role = standalone server
usershare allow guests = yes
smb ports = 445
[smb]
comment = Samba
path = /srv/smb
guest ok = yes
read only = no
browsable = yes
force user = nobody
{% endcode %}
$ sudo service smbd restart
$ sudo chown -R nobody:root /srv/smb/
$ sudo chmod -R 777 /srv/smb/
PS > mkdir C:\share
PS > icacls C:\share\ /T /grant Anonymous` logon:r
PS > icacls C:\share\ /T /grant Everyone:r
PS > New-SmbShare -Path C:\share -Name share -ReadAccess 'ANONYMOUS LOGON','Everyone'
PS > REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f # this will overwrite existing NullSessionPipes
PS > REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d share /f
PS > REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f
PS > REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 0 /f
- https://github.com/blacklanternsecurity/MANSPIDER
- https://github.com/SnaffCon/Snaffler
- https://github.com/mitchmoser/SharpShares
- https://github.com/punk-security/SMBeagle
- https://github.com/p0dalirius/FindUncommonShares
Check for null authentication:
$ rpcclient -N -L 127.0.0.1
With user creds:
$ rpcclient -U 'snovvcrash%Passw0rd!' 127.0.0.1
Check for null authentication:
$ smbclient -N -L 127.0.0.1
$ smbclient -N '\\127.0.0.1\Data'
With user creds:
$ smbclient -U snovvcrash '\\127.0.0.1\Users' 'Passw0rd!'
Get all files recursively:
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
$ smbmap -H 127.0.0.1
$ smbmap -H 127.0.0.1 -u anonymous
$ smbmap -H 127.0.0.1 -u '' -p ''
$ smbmap -H 127.0.0.1 -u snovvcrash -p 'Passw0rd!' -R ShareName
$ smbmap -H 127.0.0.1 -u snovvcrash -p 'Passw0rd!' -R ShareName -A .