THM – Network Services – SMB – Part 3

Last Updated on January 25, 2022 by aghanim

Understanding SMB 

SMB – Server Message Block Protocol – is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network.  

Servers make file systems and other resources available to clients on the network. Client computers may have their own hard disks, but they also want access to the shared file systems and printers on the servers.  

The SMB protocol is known as a response-request protocol, meaning that it transmits multiple messages between the client and server to establish a connection. Clients connect to servers using TCP/IP, NetBEUI or IPX/SPX.  

How does SMB work?  

Once they have established a connection, clients can then send commands (SMBs) to the server that allow them to access shares, open files, read and write files, and generally do all the sort of things that you want to do with a file system. With SMB, this is done over the network. 

What runs SMB? 

Microsoft Windows operating systems since Windows 95 have included client and server SMB protocol support. Samba, an open source server that supports the SMB protocol, was released for UNIX systems.

Questions and answers

What type of protocol is SMB?
Response-request

What do clients connect to servers using?
TCP/IP

Enumerating SMB 

What is enumeration?

Enumeration is the process of gathering information on a target in order to find potential attack vectors and aid in exploitation.

The first step of enumeration is to conduct a port scan. Find out as much info as you can about the services, applications, structure and operating system of the target machine.  

Enum4linux is a tool used to enumerate SMB shares on both Windows and Linux systems. It makes it easy to quickly extract SMB-related information from the target.

The syntax for enum4linux: 

enum4linux [options] ip 
Tag   Function
-U    Get userlist
-M    Get machine list
-N    Get namelist dump
-S    Get sharelist
-P    Get password policy info
-G    Get group and member list
-A    All of the above

Conduct a full basic enumeration with enum4linux.  

enum4linux -A 10.10.182.32

What is the workgroup name? 

What operating system version is running? 

What comes up as the name of the machine? 

What share sticks out as something we might want to investigate? 

PROFILES 

Exploiting SMB 

You are more likely to encounter a situation where the best way into a system is a misconfiguration in that system. In this case we are going to be exploiting anonymous SMB share access, a common misconfiguration that can allow us to gain information that leads to a shell.

From our enumeration stage we know:

  • The SMB share location 
  • The name of an interesting SMB share 

SMB client 

When trying to access an SMB share, we need a client. We will be using smbclient because it is part of the default Samba suite.

Remotely access the SMB share using the syntax:  

smbclient //IP/Share 

Followed by the tags:  

-U name: to specify the user 

-p port: to specify the port 

What would be the correct syntax to access an SMB share called “secret” as user “suit” on a machine with IP 10.10.10.2 on the default port? 

smbclient //10.10.10.2/secret -U suit -p 445 

Now let’s have a look at trying to exploit this vulnerability. We have the list of users, the name of the share and suspected vulnerability.

Look for any interesting documents that could contain valuable information. Who does this profile belong to? 

John Cactus 

What service has been configured to allow him to work from home?

.ssh 

The directory contains authentication keys that allow a user to authenticate themselves to, and then access, a server. Which key is the most useful to us?

id_rsa, the private key for SSH.

Download the file to your local machine and change its permissions to 600 using:

chmod 600 file

Use the service and key to log in to the server and find the flag!
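As a defender's counterpart to this section, here is an added Python example (not code from the room, from Samba or from the author): it checks a Samba smb.conf for the misconfiguration exploited above (shares reachable by an anonymous guest session) and then scans those shares' directories for files that look like private SSH keys, the exposure found in the PROFILES share. The smb.conf text, the `audit` and `build_demo_share` helpers, the `jcactus` profile directory and the placeholder key contents are all constructed for this example; the Samba parameters it inspects (`guest ok`, its synonym `public`, `map to guest`, `restrict anonymous`) are real ones.

```python
"""Audit a Samba smb.conf for shares an anonymous (guest) client can reach, then
scan those shares' directories for private-key files.  Hypothetical helper
written for this write-up; it is not part of Samba or of the TryHackMe room."""
import os
import re
import tempfile

# Constructed sample smb.conf. [profiles] is the weak share; [homes] is not.
# Samba treats only whole lines beginning with ';' or '#' as comments.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   ; 'Bad User' turns any unknown username into a guest login (default: Never)
   map to guest = Bad User

[profiles]
   path = /samba/profiles
   guest ok = yes
   read only = yes

[homes]
   valid users = %S
   guest ok = no
"""

def parse_smb_conf(text):
    """{section: {name: value}}; names lower-cased and whitespace-stripped, as Samba compares them."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})      # repeated sections merge
        elif "=" in line and section is not None:
            name, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", "", name).lower()] = value.strip()
    return conf

def _is_yes(value):
    return value is not None and value.lower() in ("yes", "true", "1")

def guest_accessible_shares(conf):
    """Shares with 'guest ok = yes' (or the synonym 'public'), set on the share or
    inherited from [global].  'restrict anonymous = 2' refuses anonymous sessions."""
    g = conf.get("global", {})
    if g.get("restrictanonymous", "0") == "2":
        return []
    hits = []
    for name, params in conf.items():
        if name == "global":
            continue
        value = params.get("guestok", params.get("public",
                           g.get("guestok", g.get("public"))))
        if _is_yes(value):
            hits.append(name)
    return hits

KEY_HEADER = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")

def find_private_keys(root):
    """Relative POSIX paths of files under root that start like a PEM/OpenSSH private key."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            try:
                with open(full, "rb") as fh:
                    head = fh.read(64)
            except OSError:
                continue
            if KEY_HEADER.match(head):
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)

def build_demo_share():
    """Constructed stand-in for the share's on-disk path: a profile with a placeholder key pair."""
    root = tempfile.mkdtemp(prefix="profiles_")
    ssh_dir = os.path.join(root, "jcactus", ".ssh")
    os.makedirs(ssh_dir)
    with open(os.path.join(ssh_dir, "id_rsa"), "w") as fh:   # placeholder, not a real key
        fh.write("-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n"
                 "-----END OPENSSH PRIVATE KEY-----\n")
    with open(os.path.join(ssh_dir, "id_rsa.pub"), "w") as fh:
        fh.write("ssh-rsa PLACEHOLDER jcactus@example\n")
    return root

def audit(conf_text, share_paths):
    """share_paths maps share name -> local directory (normally the share's 'path')."""
    conf = parse_smb_conf(conf_text)
    shares = guest_accessible_shares(conf)
    return {
        "guest_shares": shares,
        # Samba's default is Never; Bad User/Bad Password widen guest access.
        "map_to_guest": conf.get("global", {}).get("maptoguest", "Never"),
        "exposed_keys": {s: find_private_keys(share_paths[s])
                         for s in shares if s in share_paths},
    }

if __name__ == "__main__":
    for item in audit(SAMPLE_SMB_CONF, {"profiles": build_demo_share()}).items():
        print("%s: %s" % item)
```

Run against the sample, the audit reports `profiles` as guest-reachable, `map to guest = Bad User` as widening that access, and `jcactus/.ssh/id_rsa` as an exposed private key. The corresponding hardening is the mirror image of what the check looks for: `guest ok = no` (or dropping the share), `map to guest = Never`, `restrict anonymous = 2` where anonymous IPC$ access is not needed, and no private keys stored under a network share at all.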
