SMB

Server Message Block Client-server protocol:

Regulates access to files/dirs/printers/routers/ints for networks

  • Became available as part of OS/2 network OS LAN Manager/Server

  • The main app has been Windows, but OS versions can communicate

  • Samba: Free software project: Enables SMB in Linux/Unix

Bother parties must establish a connection via TCP

  • SMB servers can provide arbitrary parts of local file systems as shares

    • Hierarchy visible to client: Partially independent of structure on the server

    • ACL: Access Control List: Access rights

      • Can be controlled based on attributes: execute, read, full access

  • CIFS - WIN NT 4.0 - Communicates via NetBIOS

  • SMB 1.0 - WIN 2000 - Connection via TCP

# default config
cat /etc/samba/smb.conf | grep -v "#\|\;" 

[global]
   workgroup = DEV.INFREIGHT.HTB
   server string = DEVSMB
   log file = /var/log/samba/log.%m
   max log size = 1000
   logging = file
   panic action = /usr/share/samba/panic-action %d

   server role = standalone server
   obey pam restrictions = yes
   unix password sync = yes

   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

Global settings/2 shares are intended for printers

  • The global settings are the config of avail SMB server used for all shares

  • In the individual shares, the settings can be overwritten, which can be config

# Settings

[sharename] # name of share
workgroup = WORKGROUP/DOMAIN # workgroup that appears when queried
path = /path/ # dir which users have access
server string = STRING # str that will show up when a connection's initiated
unix password sync = yes # sync unix/smb password
usershare allow guests = yes # allow non-auth users to access share
map to guest = bad user # what happens when login doens't match unix user
browseable = yes # should this share be shown
guest ok = yes # allow guest connections without passwords
read only = yes 
create mask = 0700 # perms set

  • If we adopt this setting, employees will be able to look at individual folders with contents

  • If an employee can browse through the shares, an attacker could also

# settings
browseable = yes # allow listings in current share
read only = no # forbid creation and modification of files
writable = yes # allow users to create/mod files
guest ok = yes # allow connecting to service without password
enable privileges = yes # honor privs assigned to specific SIDs
create mask = 0777 # perms assigned to newly created files
directory mask = 0777 # perms assigned to newly created dirs
logon script = script.sh # script executed on user login 
magic script = script.sh # script executed when the script gets closed
magic output = script.out # output of magic script needs to be stored

-L - Display a list of server shares with smbclient -N- Null session: Anonymous access without input of existing users/valid passwds SMBclient - Connecting to the Share

smbclient -N -L //10.129.14.128
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        home            Disk      INFREIGHT Samba
        dev             Disk      DEVenv
        notes           Disk      CheckIT
        IPC$            IPC       IPC Service (DEVSM)
SMB1 disabled -- no workgroup available
# print$ and an IPC$ are included by default in the basic setting
smbclient //10.129.14.128/notes
smb: \> help
smb: \> ls
smb: \> get prep-prod.txt # get file
smb: \> !ls # list 
smb: \> !cat prep-prod.txt # cat
smbstatus # check connections: see who/which host/share is connected
sudo nmap 10.10.10.1 -sV -sC -p139,445

RPC: Remote Procedure Call is a op/work-sharing structures in networks/client-server archs.

  • The comm process via RPC includes passing params/return of function val RPCclient

rpcclient -U "" 10.129.14.128

srvinfo # server info
enumdomains # enum all domains deployed
querydominfo # domain/server/user info of domains
netshareenumall # enum all avail shares
netsharegetinfo <share> # info about a specific share
enumdomusers # enum all domain usrs
queryuser <RID> # info about a specific usr

  • rpcclient has many diff requests with which we can exec specific functions on SMB server to get info

  • A complete list man page RPCclient - Enumeration

We can then use the results to identify the group's RID, which we can then use to retrieve information from the entire group. Rpcclient - Group Information

# bash loop that sends cmds to rpcclient to filter brute forcing rids

for i in $(seq 500 1100);do rpcclient -N -U "" 10.10.10.1 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
crackmapexec smb 10.10.10.1 --shares -u '' -p '' #  -u (user) -p (pass)
smbmap -H 10.10.10.1 
Impacket-samrdump.py 10.10.10.1

# newer version of enum4linux
git clone https://github.com/cddmp/enum4linux-ng.git
cd enum4linux-ng && pip3 install -r requirements.txt
./enum4linux-ng.py 10.10.10.1 -A
PreviousSNMPNextNFS

Last updated