smb-ejpt-lab

Lab 1 — nmap SMB enumeration (guest + authenticated)

1

Discover SMB sessions as guest

nmap output (guest):

Host script results:
| smb-enum-sessions:
|   Users logged in
|_    WIN-OMCNBKR66MN\bob since <unknown>

The session list is visible even though the scan supplied no credentials: the server accepts guest (null-session) logins, so an unauthenticated client can enumerate logged-in users. bob is a user logged in on the host, not the account the scan used.

2

Enumerate the same sessions using provided credentials

nmap -p445 --script smb-enum-sessions --script-args smbusername=administrator,smbpassword=smbserver_771 10.2.24.25

Output:

Host script results:
| smb-enum-sessions:
|   Users logged in
|     WIN-OMCNBKR66MN\bob since 2023-02-13T20:37:26
|   Active SMB sessions
|_    ADMINISTRATOR is connected from \\10.10.24.4 for [just logged in, it's probably you], idle for [not idle]

3

Enumerate SMB shares as guest

nmap -p445 --script smb-enum-shares 10.2.24.25

Output (guest):

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.2.24.25\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.2.24.25\C:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: <none>
|     Current user access: READ
|   \\10.2.24.25\C$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.2.24.25\D$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.2.24.25\Documents:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: <none>
|     Current user access: READ
|   \\10.2.24.25\Downloads:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: <none>
|     Current user access: READ
|   \\10.2.24.25\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: <none>
|     Current user access: READ/WRITE
|   \\10.2.24.25\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Anonymous access: <none>
|_    Current user access: READ

Note: IPC$ is the named-pipe share used for null-session connections. Because the guest account can reach it (READ/WRITE above), anonymous/guest users can enumerate account names and network shares over RPC without valid credentials.
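
The guest share listing above is long and the interesting part is small: which shares the scanning account can actually read or write, and which hidden administrative shares were denied. The script below is an added example (my own code, not nmap's and not part of the original lab notes) that parses nmap's smb-enum-shares text into records and prints that triage. The embedded sample is constructed from the guest scan of 10.2.24.25 shown above, abridged to six shares; the parser itself works on any smb-enum-shares output.

```python
"""Triage nmap smb-enum-shares output (added example, not from the lab notes)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: abridged copy of the guest smb-enum-shares output above.
SAMPLE = r"""
Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.2.24.25\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.2.24.25\C:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: <none>
|     Current user access: READ
|   \\10.2.24.25\C$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.2.24.25\Documents:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: <none>
|     Current user access: READ
|   \\10.2.24.25\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: <none>
|     Current user access: READ/WRITE
|   \\10.2.24.25\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Anonymous access: <none>
|_    Current user access: READ
"""


@dataclass
class Share:
    name: str
    share_type: str = ""
    comment: str = ""
    anonymous: str = "<none>"
    current_user: str = "<none>"

    @property
    def hidden(self) -> bool:
        # nmap reports $-suffixed administrative shares as STYPE_*_HIDDEN
        return self.share_type.endswith("_HIDDEN")

    @property
    def readable(self) -> bool:
        return self.current_user.startswith("READ")

    @property
    def writable(self) -> bool:
        return "WRITE" in self.current_user


# A share header looks like \\10.2.24.25\ADMIN$:  (UNC path, trailing colon)
SHARE_RE = re.compile(r"^\\\\[^\\]+\\(.+):$")
# nmap prefixes every script output line with "| " or "|_ "
PREFIX_RE = re.compile(r"^\|_?\s*")


def parse_enum_shares(text: str) -> tuple[str, list[Share]]:
    """Return (account_used, shares) parsed from smb-enum-shares text."""
    account = ""
    shares: list[Share] = []
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw).strip()
        if not line:
            continue
        if line.startswith("account_used:"):
            account = line.split(":", 1)[1].strip()
            continue
        header = SHARE_RE.match(line)
        if header:
            shares.append(Share(name=header.group(1)))
            continue
        if not shares:
            continue  # still in the preamble ("Host script results:", ...)
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        current = shares[-1]
        if key == "Type":
            current.share_type = value
        elif key == "Comment":
            current.comment = value
        elif key == "Anonymous access":
            current.anonymous = value
        elif key == "Current user access":
            current.current_user = value
    return account, shares


def triage(text: str) -> dict[str, list[str]]:
    """Summarise what the scanning account can reach."""
    account, shares = parse_enum_shares(text)
    return {
        "account": [account],
        "readable": [s.name for s in shares if s.readable],
        "writable": [s.name for s in shares if s.writable],
        "hidden_denied": [s.name for s in shares if s.hidden and not s.readable],
    }


if __name__ == "__main__":
    for finding, names in triage(SAMPLE).items():
        print(f"{finding:14s} {', '.join(names) or '-'}")
```

Run it with the output of a real scan piped into SAMPLE's place (for example `nmap -p445 --script smb-enum-shares <target> > shares.txt` and `triage(open("shares.txt").read())`); a writable entry other than IPC$ for a guest account is the finding worth chasing first.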

4

Enumerate SMB shares with authenticated user (administrator)

nmap -p445 --script smb-enum-shares --script-args smbusername=administrator,smbpassword=smbserver_771 10.2.24.25

Output (administrator):

Host script results:
| smb-enum-shares:
|   account_used: administrator
|   \\10.2.24.25\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\Windows
|     Anonymous access: <none>
|     Current user access: READ/WRITE
[...]
|_    Current user access: READ/WRITE

The authenticated administrator has READ/WRITE on the administrative shares (ADMIN$ = C:\Windows, plus the C$ and D$ drive roots), i.e. full read/write access to the entire system drive.

5

Enumerate Windows users

nmap -p445 --script smb-enum-users --script-args smbusername=administrator,smbpassword=smbserver_771 10.2.24.25

Output:

Host script results:
| smb-enum-users:
|   WIN-OMCNBKR66MN\Administrator (RID: 500)
|     Description: Built-in account for administering the computer/domain
|     Flags:       Password does not expire, Normal user account
|   WIN-OMCNBKR66MN\bob (RID: 1010)
|     Flags:       Password does not expire, Normal user account
|   WIN-OMCNBKR66MN\Guest (RID: 501)
|     Description: Built-in account for guest access to the computer/domain
|_    Flags:       Password does not expire, Password not required, Normal user account

Observations:

  • Guest: no password expiration, password not required

  • Administrator and bob: no password expiration

6

Server statistics

nmap -p445 --script smb-server-stats --script-args smbusername=administrator,smbpassword=smbserver_771 10.2.24.25

Output:

Host script results:
| smb-server-stats:
|   Server statistics collected since 2023-02-13T20:37:19 (40m18s):
|     94675 bytes (39.15 b/s) sent, 80383 bytes (33.24 b/s) received
|_    34 failed logins, 7 permission errors, 0 system errors, 0 print jobs, 35 files opened

7

Enumerate domains and policies

nmap -p445 --script smb-enum-domains --script-args smbusername=administrator,smbpassword=smbserver_771 10.2.24.25

Output:

Host script results:
| smb-enum-domains:
|   WIN-OMCNBKR66MN
|     Groups: WinRMRemoteWMIUsers__
|     Users: Administrator, bob, Guest
|     Creation time: 2013-08-22T14:47:57
|     Passwords: min length: n/a; min age: n/a days; max age: 42 days; history: n/a passwords
|     Properties: Complexity requirements exist
|     Account lockout disabled
[...]
|_    Account lockout disabled

Note: the policy enforces complexity but has account lockout disabled, so online password guessing against these accounts is never throttled by lockout; the "failed logins" counter in smb-server-stats above is where such attempts leave a trace.

8

Enumerate groups

nmap -p445 --script smb-enum-groups --script-args smbusername=administrator,smbpassword=smbserver_771 10.2.24.25

Output:

Host script results:
| smb-enum-groups:
|   Builtin\Administrators (RID: 544): Administrator, bob
|   Builtin\Users (RID: 545): bob
|   Builtin\Guests (RID: 546): Guest
[...]
|_  WIN-OMCNBKR66MN\WinRMRemoteWMIUsers__ (RID: 1000): <empty>

Note: bob is a member of Builtin\Administrators (RID 544), so bob's credentials give the same administrative access as the Administrator account.
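
Steps 5 and 8 are read together in practice: the user list tells you which accounts exist and what their flags say, the group list tells you which of them are administrators. The script below is an added example (my own code, not part of the original lab notes) that parses both nmap outputs and reports the extra administrator accounts (members of Administrators other than the RID-500 account) and the accounts flagged "Password not required". The two samples are constructed from the scan of 10.2.24.25 shown above.

```python
"""Cross-check smb-enum-users and smb-enum-groups (added example, not from the lab notes)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed samples: copied from the smb-enum-users / smb-enum-groups output above.
USERS_SAMPLE = r"""
| smb-enum-users:
|   WIN-OMCNBKR66MN\Administrator (RID: 500)
|     Description: Built-in account for administering the computer/domain
|     Flags:       Password does not expire, Normal user account
|   WIN-OMCNBKR66MN\bob (RID: 1010)
|     Flags:       Password does not expire, Normal user account
|   WIN-OMCNBKR66MN\Guest (RID: 501)
|     Description: Built-in account for guest access to the computer/domain
|_    Flags:       Password does not expire, Password not required, Normal user account
"""

GROUPS_SAMPLE = r"""
| smb-enum-groups:
|   Builtin\Administrators (RID: 544): Administrator, bob
|   Builtin\Users (RID: 545): bob
|   Builtin\Guests (RID: 546): Guest
|_  WIN-OMCNBKR66MN\WinRMRemoteWMIUsers__ (RID: 1000): <empty>
"""

PREFIX_RE = re.compile(r"^\|_?\s*")   # nmap's "| " / "|_ " line prefix
USER_RE = re.compile(r"^(?P<domain>[^\\]+)\\(?P<name>\S+) \(RID: (?P<rid>\d+)\)$")
GROUP_RE = re.compile(r"^(?P<domain>[^\\]+)\\(?P<name>\S+) \(RID: (?P<rid>\d+)\): (?P<members>.*)$")

ADMINISTRATORS_RID = 544   # Builtin\Administrators
BUILTIN_ADMIN_RID = 500    # the built-in Administrator account


@dataclass
class User:
    domain: str
    name: str
    rid: int
    description: str = ""
    flags: list = field(default_factory=list)


@dataclass
class Group:
    domain: str
    name: str
    rid: int
    members: list


def _lines(text: str):
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw).strip()
        if line:
            yield line


def parse_users(text: str) -> list[User]:
    users: list[User] = []
    for line in _lines(text):
        m = USER_RE.match(line)
        if m:
            users.append(User(m["domain"], m["name"], int(m["rid"])))
            continue
        if not users:
            continue
        key, sep, value = line.partition(":")
        if key == "Description" and sep:
            users[-1].description = value.strip()
        elif key == "Flags" and sep:
            # nmap prints the account-control flags as a comma-separated list
            users[-1].flags = [f.strip() for f in value.split(",") if f.strip()]
    return users


def parse_groups(text: str) -> list[Group]:
    groups: list[Group] = []
    for line in _lines(text):
        m = GROUP_RE.match(line)
        if not m:
            continue
        raw_members = m["members"].strip()
        members = [] if raw_members == "<empty>" else [x.strip() for x in raw_members.split(",")]
        groups.append(Group(m["domain"], m["name"], int(m["rid"]), members))
    return groups


def findings(users_text: str, groups_text: str) -> dict[str, list[str]]:
    users = parse_users(users_text)
    groups = parse_groups(groups_text)
    by_name = {u.name: u for u in users}
    admins = next((g.members for g in groups if g.rid == ADMINISTRATORS_RID), [])
    return {
        "administrators": admins,
        # in Administrators but not the RID-500 account: extra admin credentials to hunt for
        "extra_admins": [m for m in admins if m in by_name and by_name[m].rid != BUILTIN_ADMIN_RID],
        "password_not_required": [u.name for u in users if "Password not required" in u.flags],
        "password_never_expires": [u.name for u in users if "Password does not expire" in u.flags],
    }


if __name__ == "__main__":
    for finding, names in findings(USERS_SAMPLE, GROUPS_SAMPLE).items():
        print(f"{finding:24s} {', '.join(names) or '-'}")
```

The group membership is matched by account name, which is how nmap prints it; if two domains shown in one output had same-named users the lookup would need the domain as well.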

9

Enumerate services

nmap -p445 --script smb-enum-services --script-args smbusername=administrator,smbpassword=smbserver_771 10.2.24.25

Partial output:

PORT    STATE SERVICE
445/tcp open  microsoft-ds
| smb-enum-services:
|   AmazonSSMAgent:
|     display_name: Amazon SSM Agent
|     state:
|       SERVICE_RUNNING
|       SERVICE_PAUSED
[...]
|   TrustedInstaller:
|     display_name: Windows Modules Installer
|     state:
|       SERVICE_RUNNING
[...]
|   vds:
|     display_name: Virtual Disk
|     state:
|       SERVICE_RUNNING
|_      SERVICE_CONTROL_STOP

10

List files on all shared folders (smb-ls)

nmap -p445 --script smb-enum-shares,smb-ls --script-args smbusername=administrator,smbpassword=smbserver_771 10.2.24.25

Partial output (smb-ls excerpts):

| smb-ls: Volume \\10.2.24.25\ADMIN$
|   maxfiles limit reached (10)
| SIZE   TIME                 FILENAME
| <DIR>  2013-08-22T13:36:16  .
| <DIR>  2013-08-22T13:36:16  ..
| <DIR>  2013-08-22T15:39:31  ADFS
[...]
| Volume \\10.2.24.25\C
|   maxfiles limit reached (10)
| SIZE   TIME                 FILENAME
| <DIR>  2013-08-22T15:39:30  PerfLogs
| <DIR>  2013-08-22T13:36:16  Program Files
[...]
| Volume \\10.2.24.25\print$
|   maxfiles limit reached (10)
| SIZE    TIME                 FILENAME
| <DIR>   2013-08-22T15:39:31  .
| <DIR>   2013-08-22T15:39:31  ..
| <DIR>   2013-08-22T15:39:31  color
| 1058    2013-08-22T06:54:44  color\D50.camp
|_

Lab 2 — Windows Recon: SMBMap (target 10.2.21.233)

1

Discovery & ports

Commands:

ping 10.2.21.233
nmap 10.2.21.233

nmap ports:

135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49165/tcp open  unknown

2

List SMB protocols on port 445

nmap -p445 --script smb-protocols 10.2.21.233

Output:

Host script results:
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.02
|     2.10
|     3.00
|_    3.02

3

Enumerate with smbmap as guest

smbmap -u guest -p "" -d . -H 10.2.21.233

Output:

[+] Guest session   IP: 10.2.21.233:445   Name: 10.2.21.233
  Disk       Permissions   Comment
  ----       -----------   -------
  ADMIN$     NO ACCESS     Remote Admin
  C          NO ACCESS
  C$         NO ACCESS     Default share
  D$         NO ACCESS     Default share
  Documents  NO ACCESS
  Downloads  NO ACCESS
  IPC$       READ ONLY     Remote IPC
  print$     READ ONLY     Printer Drivers

4

Login with administrator and enumerate with smbmap

smbmap -u administrator -p smbserver_771 -d . -H 10.2.21.233

And run a remote command:

smbmap -u administrator -p smbserver_771 -H 10.2.21.233 -x 'ipconfig'

Note: with administrator credentials, smbmap's -x executes the given command on the target and returns its output, so a valid admin credential over SMB is equivalent to remote code execution; treat any recovered admin password accordingly.

5

List drives and directories, upload/download files

List drives:

smbmap -u administrator -p 'smbserver_771' -H 10.2.21.233 -L

List directory contents:

smbmap -u administrator -p 'smbserver_771' -H 10.2.21.233 -r 'C$'

Upload sample file:

touch sample_backdoor
smbmap -u administrator -p 'smbserver_771' -H 10.2.21.233 --upload '/root/sample_backdoor' 'C$\sample_backdoor'

Download flag:

smbmap -u administrator -p 'smbserver_771' -H 10.2.21.233 --download 'C$\flag.txt'

Then view:

cat 10.2.21.233-C_flag.txt

Reveal Flag:

25f492dbef8453cdca69a173a75790f0

Lab 3 — Samba Recon: Basics 1 (target 192.28.157.3)

1

Network interface and target

ip -br -c a
# eth1@if107855   UP   192.28.157.2/24
# Target IP: 192.28.157.3

2

Port scan and service detection

nmap 192.28.157.3
nmap -sV -p 139,445 192.28.157.3

Service detection output:

139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: RECONLABS)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: RECONLABS)
Service Info: Host: SAMBA-RECON

3

UDP NetBIOS discovery

nmap -sU --top-ports 25 --open 192.28.157.3

Output:

137/udp open          netbios-ns
138/udp open|filtered netbios-dgm

4

SMB OS discovery

nmap --script smb-os-discovery -p 445 192.28.157.3

Output:

Host script results:
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: victim-1
|   NetBIOS computer name: SAMBA-RECON\x00
|   Domain name: \x00
|   FQDN: victim-1
|_  System time: 2023-02-14T15:33:34+00:00

Samba version: Samba 4.3.11-Ubuntu, NetBIOS computer name: SAMBA-RECON.

5

Metasploit smb version scan

msfconsole
use auxiliary/scanner/smb/smb_version
set RHOSTS 192.28.157.3
exploit

Output (indicative):

[*] 192.28.157.3:445 - Host could not be identified: Windows 6.1 (Samba 4.3.11-Ubuntu)
[*] 192.28.157.3:445 - Scanned 1 of 1 hosts (100% complete)

6

NetBIOS name lookup

nmblookup -A 192.28.157.3

Output includes:

SAMBA-RECON     <00> -         H <ACTIVE>
..__MSBROWSE__. <01> - <GROUP> H <ACTIVE>
RECONLABS       <00> - <GROUP> H <ACTIVE>

7

smbclient listing

smbclient -L 192.28.157.3 -N

Output (shares):

Sharename       Type      Comment
public          Disk
john            Disk
aisha           Disk
emma            Disk
everyone        Disk
IPC$            IPC       IPC Service (samba.recon.lab)

8

rpcclient connection

rpcclient -U "" -N 192.28.157.3

Reveal Flag — NetBIOS computer name:

SAMBA-RECON

Lab 4 — Samba Recon: Basics 2 (target 192.230.128.3)

1

Discovery & ports

ip -br -c a
# eth1@if108147   UP   192.230.128.2/24
# Target IP: 192.230.128.3

nmap 192.230.128.3
# 139/tcp open  netbios-ssn
# 445/tcp open  microsoft-ds

2

rpcclient srvinfo

rpcclient -U "" -N 192.230.128.3
rpcclient $> srvinfo

srvinfo reports OS version 6.1. This is the version string Samba advertises (the same value nmap showed as "Windows 6.1"), not evidence that the host actually runs Windows 7 / Server 2008 R2.

3

enum4linux scan

enum4linux -o 192.230.128.3

Output extracts:

  • Workgroup/domain: RECONLABS

  • Server: SAMBA-RECON

4

smbclient list and protocols

smbclient -L 192.230.128.3 -N
nmap -p445 --script smb-protocols 192.230.128.3

smbclient shares:

public, john, aisha, emma, everyone, IPC$

nmap smb-protocols shows SMBv1 and SMB2/3 dialects (3.11 supported).

5

Metasploit smb2 scanner & enum users

msfconsole
use auxiliary/scanner/smb/smb2
set RHOSTS 192.230.128.3
exploit

use auxiliary/scanner/smb/smb_enumusers
set RHOSTS 192.230.128.3
exploit

Output lists users: john, elie, aisha, shawn, emma, admin

Also:

nmap -p445 --script smb-enum-users 192.230.128.3

Shows the same user list with RIDs.

6

rpcclient lookupnames for admin SID

rpcclient -U "" -N 192.230.128.3
rpcclient $> enumdomusers
rpcclient $> lookupnames admin

Output:

admin S-1-5-21-4056189605-2085045094-1961111545-1005 (User: 1)

Reveal Flag — SID of user "admin":

S-1-5-21-4056189605-2085045094-1961111545-1005

Lab 5 — Samba Recon: Basics 3 (target 192.187.39.3)

1

Setup & ports

ip -br -c a
# eth1@if170030   UP   192.187.39.2/24
# Target IP: 192.187.39.3

nmap 192.187.39.3
# 139/tcp open  netbios-ssn
# 445/tcp open  microsoft-ds

2

List Samba shares (nmap / enum4linux / smbclient)

nmap -p445 --script smb-enum-shares 192.187.39.3
msfconsole
use auxiliary/scanner/smb/smb_enumshares
set RHOSTS 192.187.39.3
exploit
enum4linux -S 192.187.39.3
smbclient -L 192.187.39.3 -N

Collected shares:

IPC$, aisha, emma, everyone, john, public

Note: public share allows READ/WRITE (anonymous); other shares may be restricted.

3

Domain groups

enum4linux -G 192.187.39.3
rpcclient -U "" -N 192.187.39.3

Domain groups found:

Maintainer, Reserved

4

Check printers

enum4linux -i 192.187.39.3

Output: No printers returned.

5

Explore public share with smbclient

smbclient //192.187.39.3/public -N
smb: \> ls
smb: \> cd secret
smb: \secret\> ls
smb: \secret\> get flag

Result: Retrieved flag file.

Reveal Flag:

03ddb97933e716f5057a18632badb3b4

Lab 6 — Samba Recon: Dictionary Attack (target 192.174.58.3)

1

Preparation: wordlists

Unzip rockyou (example):

2

Target discovery

3

Brute force with Metasploit smb_login (jane)

Result: Success for jane: abc123

4

Brute force with hydra (admin)

Result: admin password found: password1

5

Use found credentials to map shares and retrieve files

Examples:

  • Mapped shares show shawn, nancy (read-only), admin, IPC$

  • From admin share: cd hidden then get flag.tar.gz, extract and cat flag

  • From secret directory: get flag

Reveal Flag 1:

6

Named pipes enumeration via Metasploit

Named pipes found:

7

RID cycling to list users' SIDs

Output (example SIDs):

Notes:

  • shawn SID: S-1-22-1-1000

  • jane SID: S-1-22-1-1001

  • nancy SID: S-1-22-1-1002

  • admin SID: S-1-22-1-1003

S-1-22-1-<n> is Samba's identifier authority for Unix users, so the last component is the account's Unix UID (1000 upwards for ordinary local users); S-1-22-2-<n> would denote a Unix group.
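
Lab 4 returned a Windows-style domain SID for admin (S-1-5-21-...-1005) and the RID cycling here returned Samba Unix-mapped SIDs (S-1-22-1-<uid>); reading them by eye is error-prone. The script below is an added example (my own code, not rpcclient's and not part of the original lab notes) that splits a SID into revision, identifier authority and sub-authorities, labels the three layouts met in these labs (S-1-5-21 domain accounts, S-1-5-32 BUILTIN groups, S-1-22 Unix users/groups) and builds the candidate list a RID-cycling pass would feed to rpcclient's lookupsids. The inputs are the SIDs printed in Labs 1, 4 and 6; the well-known RID tables are the standard Windows values.

```python
"""Decode SIDs from rpcclient lookupnames / RID cycling (added example, not from the lab notes)."""
from __future__ import annotations

import re
from dataclasses import dataclass

SID_RE = re.compile(r"^S-(?P<rev>\d+)-(?P<auth>\d+)(?P<subs>(?:-\d+)+)$")

# RIDs that always mean the same thing in an S-1-5-21-<domain> ...
WELL_KNOWN_DOMAIN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                          513: "Domain Users", 514: "Domain Guests"}
# ... and in the BUILTIN domain (S-1-5-32), as seen in the smb-enum-groups output of Lab 1
BUILTIN_RIDS = {544: "Administrators", 545: "Users", 546: "Guests"}
SAMBA_UNIX_AUTHORITY = 22   # S-1-22-1-<uid> = Unix user, S-1-22-2-<gid> = Unix group


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: tuple

    def __str__(self) -> str:
        return "-".join(str(x) for x in ("S", self.revision, self.authority, *self.subauthorities))

    @property
    def rid(self) -> int:
        return self.subauthorities[-1]

    def domain_prefix(self) -> "Sid":
        """The SID with its final RID removed (the domain / authority part)."""
        return Sid(self.revision, self.authority, self.subauthorities[:-1])


def parse_sid(text: str) -> Sid:
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    subs = tuple(int(x) for x in m["subs"].split("-")[1:])
    return Sid(int(m["rev"]), int(m["auth"]), subs)


def describe(text: str) -> str:
    """Human-readable label for the SID layouts met in these labs."""
    sid = parse_sid(text)
    subs = sid.subauthorities
    if sid.authority == SAMBA_UNIX_AUTHORITY and len(subs) == 2 and subs[0] in (1, 2):
        kind = "user uid" if subs[0] == 1 else "group gid"
        return f"Samba Unix {kind} {subs[1]}"
    if sid.authority == 5 and len(subs) == 2 and subs[0] == 32:
        return f"BUILTIN RID {subs[1]} ({BUILTIN_RIDS.get(subs[1], 'unknown')})"
    if sid.authority == 5 and len(subs) == 5 and subs[0] == 21:
        domain = "-".join(str(x) for x in subs[1:4])
        label = WELL_KNOWN_DOMAIN_RIDS.get(
            subs[4], "locally created account or group" if subs[4] >= 1000 else "unknown")
        return f"domain {domain} RID {subs[4]} ({label})"
    return f"unrecognised SID layout (authority {sid.authority})"


def rid_cycle_candidates(any_domain_sid: str, start: int = 1000, count: int = 10) -> list[str]:
    """SIDs a RID-cycling pass would ask rpcclient's lookupsids to resolve:
    the prefix of one known SID (its own RID dropped) plus each RID in range."""
    prefix = parse_sid(any_domain_sid).domain_prefix()
    return [f"{prefix}-{rid}" for rid in range(start, start + count)]


if __name__ == "__main__":
    for s in ("S-1-5-21-4056189605-2085045094-1961111545-1005", "S-1-22-1-1003", "S-1-5-32-544"):
        print(f"{s:48s} -> {describe(s)}")
    print(rid_cycle_candidates("S-1-22-1-1000", start=1000, count=4))
```

For a real target the candidate list would be pasted into `rpcclient $> lookupsids <sid> ...` (or fed to a loop); SIDs that resolve to a name are live accounts, those that return "unknown" are gaps in the RID sequence.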

