pirate.moo's gitbook

SMB

Server Message Block (SMB): client-server protocol

Regulates access to files, directories, printers, routers and interfaces on a network

  • Became available as part of the OS/2 network operating systems LAN Manager / LAN Server

  • The main application has been the Windows OS family, but other OS versions can communicate with it

  • Samba: free software project that enables SMB on Linux/Unix

Both parties must first establish a connection via TCP

  • SMB servers can provide arbitrary parts of the local file system as shares

    • The hierarchy visible to the client is partially independent of the structure on the server

    • Access rights are defined by an ACL (Access Control List)

      • Can be controlled based on attributes: execute, read, full access

Common Internet File System (CIFS): implemented by Samba

  • A dialect of SMB: a very specific implementation, created by Microsoft

    • It can communicate with newer Windows systems

    • It's an extension of SMB

    • When we pass commands over Samba to older NetBIOS services, it connects over ports 137, 138 and 139, but CIFS uses TCP port 445 only

  • Several versions of SMB exist, including outdated ones that are still in use:

  • CIFS - Windows NT 4.0 - communicates via NetBIOS

  • SMB 1.0 - Windows 2000 - direct connection via TCP

  • SMB 2.0 - Windows Vista, Windows Server 2008 - performance upgrades, improved message signing, caching

  • SMB 2.1 - Windows 7, Windows Server 2008 R2 - locking mechanisms

  • SMB 3.0 - Windows 8, Windows Server 2012 - multichannel connections, end-to-end encryption, remote storage access

  • SMB 3.0.2 - Windows 8.1, Windows Server 2012 R2

  • SMB 3.1.1 - Windows 10, Windows Server 2016 - pre-authentication integrity checking, AES-128-GCM encryption

Samba: with version 3 it gained the ability to be a full member of an AD domain; with version 4 it can also act as an AD domain controller

  • Samba consists of several daemons (Unix background programs) for this purpose

  • smbd: the SMB daemon, provides file and print services plus authentication and authorization

  • nmbd: the NetBIOS message block daemon, implements NetBIOS name resolution and browsing (the browse list of a workgroup)

    • Workgroup: A group name that ID's arbitrary collection of computers/resources on an SMB network

    • Can be multiple workgroups on the network at any given time

NetBIOS: Network Basic Input/Output System

  • An API developed by IBM for networking computers

  • The NetBIOS API was a blueprint for an application to connect and share data with others

  • When a machine goes online it needs a name: the name registration procedure

  • Each host either reserves its hostname on the network itself (by broadcast), or a NetBIOS Name Server (NBNS) is used

  • NBNS was later enhanced into WINS: Windows Internet Name Service


# default config
cat /etc/samba/smb.conf | grep -v "#\|\;" 

[global]
   workgroup = DEV.INFREIGHT.HTB
   server string = DEVSMB
   log file = /var/log/samba/log.%m
   max log size = 1000
   logging = file
   panic action = /usr/share/samba/panic-action %d

   server role = standalone server
   obey pam restrictions = yes
   unix password sync = yes

   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

The global settings are followed by two shares intended for printers

  • The global settings are the configuration of the SMB server that applies to all shares

  • In the individual shares the global settings can be overridden, and that is where misconfigurations are introduced

# Settings

[sharename] # name of the share
workgroup = WORKGROUP/DOMAIN # workgroup that appears when clients query
path = /path/ # directory the users are given access to
server string = STRING # string shown when a connection is initiated
unix password sync = yes # sync the Unix password with the SMB password
usershare allow guests = yes # allow non-authenticated users to access the share
map to guest = bad user # what to do when a login request doesn't match a valid Unix user
browseable = yes # should this share be shown in the list of available shares
guest ok = yes # allow guest connections without a password
read only = yes # forbid creating and modifying files on the share
create mask = 0700 # permissions set on newly created files
  • If we adopt settings like browseable = yes, employees can look through individual folders and their contents

  • If an employee can browse the shares, an attacker who obtains the same access can too

# settings
browseable = yes # allow listing the contents of the current share
read only = no # allow the creation and modification of files (inverse of writable)
writable = yes # allow users to create and modify files
guest ok = yes # allow connecting to the service without a password
enable privileges = yes # honor privileges assigned to specific SIDs
create mask = 0777 # permissions assigned to newly created files
directory mask = 0777 # permissions assigned to newly created directories
logon script = script.sh # script executed on the user's login
magic script = script.sh # script executed by the server when the file is closed
magic output = script.out # where the output of the magic script is stored
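Added example (not from the original notes or from Samba): an offline audit of an smb.conf that applies the rules from the two settings lists above. The config it reads is constructed for the demo; share names and paths are made up. It folds Samba's synonyms (writable/writeable is the inverse of read only, public is an alias of guest ok), resolves each share against [global] and the Samba defaults, and flags guest access, anonymous writes, world-writable masks and the script hooks.

```python
"""Audit an smb.conf for the risky settings listed above.
Added example for this page (not Samba tooling or the original notes). It
handles the smb.conf subset shown above: [section] headers, key = value lines,
full-line # and ; comments, and the synonyms writable/writeable (inverse of
read only) and public (alias of guest ok)."""
import re

TRUE = {"yes", "true", "1"}
# synonym -> (canonical key, whether the value is inverted)
SYNONYMS = {"writable": ("read only", True), "writeable": ("read only", True),
            "public": ("guest ok", False)}
# Samba defaults, used when neither the share nor [global] sets the key.
DEFAULTS = {"read only": "yes", "guest ok": "no", "browseable": "yes",
            "create mask": "0744", "directory mask": "0755"}

# Constructed sample (not from a real host): one exposed share, one locked down.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = DEV.INFREIGHT.HTB
   map to guest = bad user

[notes]
   path = /srv/notes
   browseable = yes
   public = yes
   writable = yes
   create mask = 0777
   magic script = script.sh

[print$]
   path = /var/lib/samba/printers
   read only = yes
   guest ok = no
"""

def parse_smb_conf(text):
    """{section: {key: value}}; keys lower-cased, synonyms folded into the
    canonical key, later lines winning as in Samba."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in SYNONYMS:
            key, inverted = SYNONYMS[key]
            if inverted:
                value = "no" if value.lower() in TRUE else "yes"
        sections[current][key] = value
    return sections

def effective(sections, share, key):
    """Share-level value, else the [global] value, else the Samba default."""
    for scope in (share, "global"):
        if key in sections.get(scope, {}):
            return sections[scope][key].lower()
    return DEFAULTS.get(key, "")

def audit(sections):
    """{section: [finding, ...]} for every section with a risky setting."""
    report = {}
    if sections.get("global", {}).get("map to guest", "").lower() == "bad user":
        report["global"] = ["map to guest = bad user: unknown usernames become guest"]
    for share in sections:
        if share == "global":
            continue
        guest = effective(sections, share, "guest ok") in TRUE
        browse = effective(sections, share, "browseable") in TRUE
        writable = effective(sections, share, "read only") not in TRUE
        issues = []
        if guest:
            issues.append("guest ok: reachable over a null session")
            if browse:
                issues.append("browseable: listed to anonymous clients")
            if writable:
                issues.append("anonymous write access")
        elif writable:
            issues.append("writable by authenticated users")
        for key in ("create mask", "directory mask"):
            if int(effective(sections, share, key), 8) & 0o002:
                issues.append(f"{key}: new entries are world-writable")
        for key in ("logon script", "magic script"):
            if key in sections[share]:
                issues.append(f"{key} set: script execution hook")
        if issues:
            report[share] = issues
    return report

if __name__ == "__main__":
    for section, issues in audit(parse_smb_conf(SAMPLE_SMB_CONF)).items():
        print(f"[{section}]", *("  - " + i for i in issues), sep="\n")
```

Point it at a real file with parse_smb_conf(open("/etc/samba/smb.conf").read()); the [notes] share in the sample trips five findings, [print$] none, and the [global] map to guest setting is reported on its own because it is what turns a typo'd username into a guest session.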

SMBclient - connecting to the share

  • -L: display a list of the server's shares

  • -N: null session, i.e. anonymous access without supplying an existing user or a valid password

smbclient -N -L //10.129.14.128
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        home            Disk      INFREIGHT Samba
        dev             Disk      DEVenv
        notes           Disk      CheckIT
        IPC$            IPC       IPC Service (DEVSM)
SMB1 disabled -- no workgroup available
# print$ and an IPC$ are included by default in the basic setting
smbclient //10.129.14.128/notes
smb: \> help
smb: \> ls
smb: \> get prep-prod.txt # get file
smb: \> !ls # list 
smb: \> !cat prep-prod.txt # cat
smbstatus # check connections: see who/which host/share is connected
sudo nmap 10.10.10.1 -sV -sC -p139,445
  • RPCclient: communication via RPC (Remote Procedure Call) consists of passing parameters to a function on the server and returning the function's value

rpcclient -U "" 10.129.14.128

srvinfo # server info
enumdomains # enum all domains deployed
querydominfo # domain/server/user info of domains
netshareenumall # enum all avail shares
netsharegetinfo <share> # info about a specific share
enumdomusers # enum all domain usrs
queryuser <RID> # info about a specific usr
  • rpcclient has many different requests with which we can execute specific functions on the SMB server to get information

Rpcclient - group information: the group_rid in the queryuser output identifies the user's primary group; querygroup <RID> then retrieves information about the entire group

# bash loop that sends queryuser requests to rpcclient for a range of RIDs (RID brute forcing) and filters the output

for i in $(seq 500 1100);do rpcclient -N -U "" 10.10.10.1 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
crackmapexec smb 10.10.10.1 --shares -u '' -p '' # -u (user) -p (pass): null session share listing
smbmap -H 10.10.10.1 # list shares and permissions
samrdump.py 10.10.10.1 # from Impacket (impacket-samrdump on Kali): user enumeration via SAMR
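Added example (not from the original notes or from rpcclient): the RID-cycling loop above, written so that its output is parsed rather than grepped, and so that the group RIDs it turns up are collected for the querygroup follow-up described under group information. The rpcclient output embedded below is constructed for the demo, not captured from a host; the IP is the placeholder used on this page, and offline_runner is a stand-in for a real rpcclient invocation.

```python
"""RID cycling with rpcclient: build the queryuser calls the bash loop above
issues, parse their output, and collect the group RIDs to follow up with
querygroup. Added example for this page, not code from rpcclient or the
original notes; the rpcclient output below is constructed, not captured."""
import re
import subprocess

# Constructed queryuser output for three RIDs (Administrator, a missing RID,
# and a normal user), keyed by RID.
SAMPLE_OUTPUT = {
    0x1f4: "\tUser Name   :\tAdministrator\n\tFull Name   :\t\n"
           "\tuser_rid :\t0x1f4\n\tgroup_rid:\t0x201\n",
    0x1f5: "result was NT_STATUS_NO_SUCH_USER\n",
    0x3e8: "\tUser Name   :\tmrb3n\n\tFull Name   :\t\n"
           "\tuser_rid :\t0x3e8\n\tgroup_rid:\t0x201\n",
}

def queryuser_argv(host, rid):
    """argv for one null-session queryuser call; rpcclient takes the RID in hex,
    which is what the printf '%x' in the bash loop above produces."""
    return ["rpcclient", "-N", "-U", "", host, "-c", f"queryuser 0x{rid:x}"]

def parse_queryuser(text):
    """Pull out the fields the loop's grep keeps (User Name, user_rid, group_rid);
    None when rpcclient reported that the RID does not exist."""
    fields = {}
    for label, key in (("User Name", "name"), ("user_rid", "user_rid"),
                       ("group_rid", "group_rid")):
        m = re.search(rf"^\s*{label}\s*:\s*(.*?)\s*$", text, re.M)
        if m:
            fields[key] = m.group(1)
    if "user_rid" not in fields:
        return None
    fields["user_rid"] = int(fields["user_rid"], 16)
    fields["group_rid"] = int(fields.get("group_rid", "0x0"), 16)
    return fields

def run_rpcclient(argv):
    """Live runner: invoke rpcclient and return its stdout (needs the target)."""
    return subprocess.run(argv, capture_output=True, text=True, timeout=15).stdout

def offline_runner(argv):
    """Stand-in runner that answers from SAMPLE_OUTPUT so the demo runs offline."""
    rid = int(argv[-1].split()[1], 16)
    return SAMPLE_OUTPUT.get(rid, "result was NT_STATUS_NO_SUCH_USER\n")

def rid_cycle(host, rids, run=run_rpcclient):
    """Query every RID; return (users, group_rids). Each group RID is a
    candidate for `querygroup 0x...` to enumerate the whole group."""
    users, groups = [], set()
    for rid in rids:
        user = parse_queryuser(run(queryuser_argv(host, rid)))
        if user:
            users.append(user)
            groups.add(user["group_rid"])
    return users, groups

def querygroup_commands(group_rids):
    """rpcclient -c strings for the follow-up group queries."""
    return [f"querygroup 0x{rid:x}" for rid in sorted(group_rids)]

if __name__ == "__main__":
    # Drop run=offline_runner to use run_rpcclient (the default) against a live host.
    users, groups = rid_cycle("10.10.10.1", range(500, 1100), run=offline_runner)
    for u in users:
        print(f"{u['name']:<20} user_rid=0x{u['user_rid']:x} group_rid=0x{u['group_rid']:x}")
    print(querygroup_commands(groups))
```

Against a live host this spawns one rpcclient process per RID, exactly like the bash loop; the difference is that non-existent RIDs are dropped by the NT_STATUS_NO_SUCH_USER check instead of by grep, and the primary-group RIDs (0x201 is Domain Users in the constructed sample) come back as a set ready for querygroup.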

# newer version of enum4linux
git clone https://github.com/cddmp/enum4linux-ng.git
cd enum4linux-ng && pip3 install -r requirements.txt
./enum4linux-ng.py 10.10.10.1 -A 

RPC (Remote Procedure Call): a mechanism for sharing work between clients and servers in a network / client-server architecture

A complete list of rpcclient requests is in the rpcclient man page