Global settings/2 shares are intended for printers
The global settings are the config of avail SMB server used for all shares
In the individual shares, the settings can be overwritten, which can be config
# Settings[sharename] # name of shareworkgroup=WORKGROUP/DOMAIN# workgroup that appears when queriedpath=/path/# dir which users have accessserverstring=STRING# str that will show up when a connection's initiatedunixpasswordsync=yes# sync unix/smb passwordusershareallowguests=yes# allow non-auth users to access sharemaptoguest=baduser# what happens when login doens't match unix userbrowseable=yes# should this share be shownguestok=yes# allow guest connections without passwordsreadonly=yescreatemask=0700# perms set
If we adopt this setting, employees will be able to look at individual folders with contents
If an employee can browse through the shares, an attacker could also
# settingsbrowseable=yes# allow listings in current sharereadonly=no# forbid creation and modification of fileswritable=yes# allow users to create/mod filesguestok=yes# allow connecting to service without passwordenableprivileges=yes# honor privs assigned to specific SIDscreatemask=0777# perms assigned to newly created filesdirectorymask=0777# perms assigned to newly created dirslogonscript=script.sh# script executed on user login magicscript=script.sh# script executed when the script gets closedmagicoutput=script.out# output of magic script needs to be stored
-L - Display a list of server shares with smbclient -N- Null session: Anonymous access without input of existing users/valid passwds SMBclient - Connecting to the Share
smbclient-N-L//10.129.14.128SharenameTypeComment--------------------print$ DiskPrinterDrivershomeDiskINFREIGHTSambadevDiskDEVenvnotesDiskCheckITIPC$IPCIPCService (DEVSM)SMB1disabled--noworkgroupavailable# print$ and an IPC$ are included by default in the basic setting
smbclient//10.129.14.128/notessmb: \> helpsmb: \> lssmb: \> getprep-prod.txt# get filesmb: \> !ls# list smb: \> !catprep-prod.txt# catsmbstatus# check connections: see who/which host/share is connectedsudonmap10.10.10.1-sV-sC-p139,445
RPC: Remote Procedure Call is a op/work-sharing structures in networks/client-server archs.
The comm process via RPC includes passing params/return of function val RPCclient
rpcclient-U""10.129.14.128srvinfo# server infoenumdomains# enum all domains deployedquerydominfo# domain/server/user info of domainsnetshareenumall# enum all avail sharesnetsharegetinfo<share># info about a specific shareenumdomusers# enum all domain usrsqueryuser<RID># info about a specific usr
rpcclient has many diff requests with which we can exec specific functions on SMB server to get info
We can then use the results to identify the group's RID, which we can then use to retrieve information from the entire group. Rpcclient - Group Information
# bash loop that sends cmds to rpcclient to filter brute forcing ridsfor i in $(seq5001100);do rpcclient -N -U "" 10.10.10.1 -c "queryuser 0x$(printf '%x\n' $i)"|grep"User Name\|user_rid\|group_rid"&&echo"";done
crackmapexecsmb10.10.10.1--shares-u''-p''# -u (user) -p (pass)smbmap-H10.10.10.1Impacket-samrdump.py10.10.10.1# newer version of enum4linuxgitclonehttps://github.com/cddmp/enum4linux-ng.gitcdenum4linux-ng&&pip3install-rrequirements.txt./enum4linux-ng.py10.10.10.1-A