
How to Enumerate SMB with Enum4linux & Smbclient «Null Byte :: WonderHowTo



Step 1: Collect Information Using Enum4linux

First, we need to determine whether SMB is present on the target. It is usually safe to assume SMB is running when ports 139 and 445 are open. Let's do a simple Nmap scan to see what's open:

~# nmap -Pn 10.10.0.50

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-23 08:44 CDT
Nmap scan report for 10.10.0.50
Host is up (0.0024s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown

It looks like SMB is open. So we are in business.

Enum4linux is a tool used to enumerate SMB shares on Windows and Linux systems. It's basically a wrapper around the tools in the Samba package, making it easy to quickly extract information from the target for SMB.

Enter enum4linux by itself in the terminal to display the help and usage information:

~# enum4linux

enum4linux v0.8.9 (http://labs.portcullis.co.uk/application/enum4linux/)
Copyright (C) 2011 Mark Lowe (mrl@portcullis-security.com)

Simple wrapper around the tools in the samba package to provide similar
functionality to enum.exe (formerly from www.bindview.com).  Some additional
features such as RID cycling have also been added for convenience.

Usage: ./enum4linux.pl [options] ip

Options are (like "enum"):
    -U        get userlist
    -M        get machine list*
    -S        get sharelist
    -P        get password policy information
    -G        get group and member list
    -d        be detailed, applies to -U and -S
    -u user   specify username to use (default "")
    -p pass   specify password to use (default "")

The following options from enum.exe aren't implemented: -L, -N, -D, -f

Additional options:
    -a        Do all simple enumeration (-U -S -G -P -r -o -n -i).
              This option is enabled if you don't provide any other options.
    -h        Display this help message and exit
    -r        enumerate users via RID cycling
    -R range  RID ranges to enumerate (default: 500-550,1000-1050, implies -r)
    -K n      Keep searching RIDs until n consecutive RIDs don't correspond to
              a username.  Implies RID range ends at 999999.  Useful
              against DCs.
    -l        Get some (limited) info via LDAP 389/TCP (for DCs only)
    -s file   brute force guessing for share names
    -k user   User(s) that exists on remote system (default: administrator,guest,krbtgt,domain admins,root,bin,none)
              Used to get sid with "lookupsid known_username"
              Use commas to try several users: "-k admin,user1,user2"
    -o        Get OS information
    -i        Get printer information
    -w wrkg   Specify workgroup manually (usually found automatically)
    -n        Do an nmblookup (similar to nbtstat)
    -v        Verbose.  Shows full commands being run (net, rpcclient, etc.)

RID cycling should extract a list of users from Windows (or Samba) hosts
which have RestrictAnonymous set to 1 (Windows NT and 2000), or "Network
access: Allow anonymous SID/Name translation" enabled (XP, 2003).

NB: Samba servers often seem to have RIDs in the range 3000-3050.

Dependency info: You will need to have the samba package installed as this
script is basically just a wrapper around rpcclient, net, nmblookup and
smbclient.  Polenum from http://labs.portcullis.co.uk/application/polenum/
is required to get Password Policy info.

The bottom of the help output notes a dependency: the Samba package must be installed to use the tool. If it isn't already on your system, you can install it with the package manager.

~# apt-get install samba

The simplest use of Enum4linux requires an option and the IP address of the target. We can use the -U flag to list users on the target:

~# enum4linux -U 10.10.0.50

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 22 15:39:59 2019

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.0.50
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ====================================================
|    Enumerating Workgroup/Domain on 10.10.0.50    |
 ====================================================
[+] Got domain/workgroup name: WORKGROUP

 =====================================
|    Session Check on 10.10.0.50    |
 =====================================
[+] Server 10.10.0.50 allows sessions using username '', password ''

 ===========================================
|    Getting domain SID for 10.10.0.50    |
 ===========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ==============================
|    Users on 10.10.0.50    |
 ==============================
index: 0x1 RID: 0x3f2 acb: 0x00000011 Account: games	Name: games	Desc: (null)
index: 0x2 RID: 0x1f5 acb: 0x00000011 Account: nobody	Name: nobody	Desc: (null)
index: 0x3 RID: 0x4ba acb: 0x00000011 Account: bind	Name: (null)	Desc: (null)
index: 0x4 RID: 0x402 acb: 0x00000011 Account: proxy	Name: proxy	Desc: (null)
index: 0x5 RID: 0x4b4 acb: 0x00000011 Account: syslog	Name: (null)	Desc: (null)
index: 0x6 RID: 0xbba acb: 0x00000010 Account: user	Name: just a user,111,,	Desc: (null)
index: 0x7 RID: 0x42a acb: 0x00000011 Account: www-data	Name: www-data	Desc: (null)
index: 0x8 RID: 0x3e8 acb: 0x00000011 Account: root	Name: root	Desc: (null)
index: 0x9 RID: 0x3fa acb: 0x00000011 Account: news	Name: news	Desc: (null)
index: 0xa RID: 0x4c0 acb: 0x00000011 Account: postgres	Name: PostgreSQL administrator,,,	Desc: (null)
index: 0xb RID: 0x3ec acb: 0x00000011 Account: bin	Name: bin	Desc: (null)
index: 0xc RID: 0x3f8 acb: 0x00000011 Account: mail	Name: mail	Desc: (null)
index: 0xd RID: 0x4c6 acb: 0x00000011 Account: distccd	Name: (null)	Desc: (null)
index: 0xe RID: 0x4ca acb: 0x00000011 Account: proftpd	Name: (null)	Desc: (null)
index: 0xf RID: 0x4b2 acb: 0x00000011 Account: dhcp	Name: (null)	Desc: (null)
index: 0x10 RID: 0x3ea acb: 0x00000011 Account: daemon	Name: daemon	Desc: (null)
index: 0x11 RID: 0x4b8 acb: 0x00000011 Account: sshd	Name: (null)	Desc: (null)
index: 0x12 RID: 0x3f4 acb: 0x00000011 Account: man	Name: man	Desc: (null)
index: 0x13 RID: 0x3f6 acb: 0x00000011 Account: lp	Name: lp	Desc: (null)
index: 0x14 RID: 0x4c2 acb: 0x00000011 Account: mysql	Name: MySQL Server,,,	Desc: (null)
index: 0x15 RID: 0x43a acb: 0x00000011 Account: gnats	Name: Gnats Bug-Reporting System (admin)	Desc: (null)
index: 0x16 RID: 0x4b0 acb: 0x00000011 Account: libuuid	Name: (null)	Desc: (null)
index: 0x17 RID: 0x42c acb: 0x00000011 Account: backup	Name: backup	Desc: (null)
index: 0x18 RID: 0xbb8 acb: 0x00000010 Account: msfadmin	Name: msfadmin,,,	Desc: (null)
index: 0x19 RID: 0x4c8 acb: 0x00000011 Account: telnetd	Name: (null)	Desc: (null)
index: 0x1a RID: 0x3ee acb: 0x00000011 Account: sys	Name: sys	Desc: (null)
index: 0x1b RID: 0x4b6 acb: 0x00000011 Account: klog	Name: (null)	Desc: (null)
index: 0x1c RID: 0x4bc acb: 0x00000011 Account: postfix	Name: (null)	Desc: (null)
index: 0x1d RID: 0xbbc acb: 0x00000011 Account: service	Name: ,,,	Desc: (null)
index: 0x1e RID: 0x434 acb: 0x00000011 Account: list	Name: Mailing List Manager	Desc: (null)
index: 0x1f RID: 0x436 acb: 0x00000011 Account: irc	Name: ircd	Desc: (null)
index: 0x20 RID: 0x4be acb: 0x00000011 Account: ftp	Name: (null)	Desc: (null)
index: 0x21 RID: 0x4c4 acb: 0x00000011 Account: tomcat55	Name: (null)	Desc: (null)
index: 0x22 RID: 0x3f0 acb: 0x00000011 Account: sync	Name: sync	Desc: (null)
index: 0x23 RID: 0x3fc acb: 0x00000011 Account: uucp	Name: uucp	Desc: (null)

user:[games] rid:[0x3f2]
user:[nobody] rid:[0x1f5]
user:[bind] rid:[0x4ba]
user:[proxy] rid:[0x402]
user:[syslog] rid:[0x4b4]
user:[user] rid:[0xbba]
user:[www-data] rid:[0x42a]
user:[root] rid:[0x3e8]
user:[news] rid:[0x3fa]
user:[postgres] rid:[0x4c0]
user:[bin] rid:[0x3ec]
user:[mail] rid:[0x3f8]
user:[distccd] rid:[0x4c6]
user:[proftpd] rid:[0x4ca]
user:[dhcp] rid:[0x4b2]
user:[daemon] rid:[0x3ea]
user:[sshd] rid:[0x4b8]
user:[man] rid:[0x3f4]
user:[lp] rid:[0x3f6]
user:[mysql] rid:[0x4c2]
user:[gnats] rid:[0x43a]
user:[libuuid] rid:[0x4b0]
user:[backup] rid:[0x42c]
user:[msfadmin] rid:[0xbb8]
user:[telnetd] rid:[0x4c8]
user:[sys] rid:[0x3ee]
user:[klog] rid:[0x4b6]
user:[postfix] rid:[0x4bc]
user:[service] rid:[0xbbc]
user:[list] rid:[0x434]
user:[irc] rid:[0x436]
user:[ftp] rid:[0x4be]
user:[tomcat55] rid:[0x4c4]
user:[sync] rid:[0x3f0]
user:[uucp] rid:[0x3fc]
enum4linux complete on Wed May 22 15:40:01 2019

We can see that this gives us some information about the workgroup name, whether the server allows null sessions (empty username and password – this will be useful later) and the existing users on the system.

The -S flag provides information about the SMB shares on the computer:

~# enum4linux -S 10.10.0.50

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 22 15:41:26 2019

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.0.50
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ====================================================
|    Enumerating Workgroup/Domain on 10.10.0.50    |
 ====================================================
[+] Got domain/workgroup name: WORKGROUP

 =====================================
|    Session Check on 10.10.0.50    |
 =====================================
[+] Server 10.10.0.50 allows sessions using username '', password ''

 ===========================================
|    Getting domain SID for 10.10.0.50    |
 ===========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ==========================================
|    Share Enumeration on 10.10.0.50    |
 ==========================================

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	tmp             Disk      oh noes!
	opt             Disk      
	IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
	ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            METASPLOITABLE

[+] Attempting to map shares on 10.10.0.50
//10.10.0.50/print$	Mapping: DENIED, Listing: N/A
//10.10.0.50/tmp	Mapping: OK, Listing: OK
//10.10.0.50/opt	Mapping: DENIED, Listing: N/A
//10.10.0.50/IPC$	[E] Can't understand response:
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//10.10.0.50/ADMIN$	Mapping: DENIED, Listing: N/A
enum4linux complete on Wed May 22 15:41:27 2019

We can see that there are a few shares: default ones such as print$, IPC$ and ADMIN$, but also custom shares such as opt and tmp. There even seems to be a comment on one of them that might come in handy later.

Enum4linux also attempts to map each share and reports whether we have access to it. The password policy for the target can be displayed with the -P flag:

~# enum4linux -P 10.10.0.50

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 22 15:42:27 2019

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.0.50
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ====================================================
|    Enumerating Workgroup/Domain on 10.10.0.50    |
 ====================================================
[+] Got domain/workgroup name: WORKGROUP

 =====================================
|    Session Check on 10.10.0.50    |
 =====================================
[+] Server 10.10.0.50 allows sessions using username '', password ''

 ===========================================
|    Getting domain SID for 10.10.0.50    |
 ===========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ====================================================
|    Password Policy Information for 10.10.0.50    |
 ====================================================

[+] Attaching to 10.10.0.50 using a NULL share

[+] Trying protocol 445/SMB...

[+] Found domain(s):

	[+] METASPLOITABLE
	[+] Builtin

[+] Password Info for Domain: METASPLOITABLE

	[+] Minimum password length: 5
	[+] Password history length: None
	[+] Maximum password age: Not Set
	[+] Password Complexity Flags: 000000

		[+] Domain Refuse Password Change: 0
		[+] Domain Password Store Cleartext: 0
		[+] Domain Password Lockout Admins: 0
		[+] Domain Password No Clear Change: 0
		[+] Domain Password No Anon Change: 0
		[+] Domain Password Complex: 0

	[+] Minimum password age: None
	[+] Reset Account Lockout Counter: 30 minutes
	[+] Locked Account Duration: 30 minutes
	[+] Account Lockout Threshold: None
	[+] Forced Log off Time: Not Set

[+] Retrieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 0

enum4linux complete on Wed May 22 15:42:30 2019

Here we see some information for the domain "METASPLOITABLE", such as the minimum password length, the password age, and the complexity requirements. This can be very useful during the information-gathering phase of an attack, since it can later help narrow down password brute-force attempts. The -o flag retrieves operating system information:

~# enum4linux -o 10.10.0.50

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 22 15:43:40 2019

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.0.50
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ====================================================
|    Enumerating Workgroup/Domain on 10.10.0.50    |
 ====================================================
[+] Got domain/workgroup name: WORKGROUP

 =====================================
|    Session Check on 10.10.0.50    |
 =====================================
[+] Server 10.10.0.50 allows sessions using username '', password ''

 ===========================================
|    Getting domain SID for 10.10.0.50    |
 ===========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 =====================================
|    OS information on 10.10.0.50    |
 =====================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.0.50 from smbclient:
[+] Got OS info for 10.10.0.50 from srvinfo:
	METASPLOITABLE Wk Sv PrQ Unx NT SNT metasploitable server (Samba 3.0.20-Debian)
	platform_id     :	500
	os version      :	4.9
	server type     :	0x9a03
enum4linux complete on Wed May 22 15:43:40 2019

Here we see the Samba version number and that the server is based on Debian.

If the target is a domain controller, the -l flag will try to get some limited information about LDAP running on the server:

~# enum4linux -l 10.10.0.50

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 22 15:44:23 2019

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.0.50
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ====================================================
|    Enumerating Workgroup/Domain on 10.10.0.50    |
 ====================================================
[+] Got domain/workgroup name: WORKGROUP

 =====================================
|    Session Check on 10.10.0.50    |
 =====================================
[+] Server 10.10.0.50 allows sessions using username '', password ''

 ===================================================
|    Getting information via LDAP for 10.10.0.50    |
 ===================================================
[E] Connection error

 ===========================================
|    Getting domain SID for 10.10.0.50    |
 ===========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
enum4linux complete on Wed May 22 15:44:24 2019

In this case, our target is not a domain controller and therefore returns nothing.

Printers are commonly shared on a network and are an often-overlooked attack vector. The -i flag displays printer information:

~# enum4linux -i 10.10.0.50

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 22 15:45:20 2019

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.0.50
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ====================================================
|    Enumerating Workgroup/Domain on 10.10.0.50    |
 ====================================================
[+] Got domain/workgroup name: WORKGROUP

 =====================================
|    Session Check on 10.10.0.50    |
 =====================================
[+] Server 10.10.0.50 allows sessions using username '', password ''

 ===========================================
|    Getting domain SID for 10.10.0.50    |
 ===========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ==============================================
|    Getting printer info for 10.10.0.50    |
 ==============================================
No printers returned.

enum4linux complete on Wed May 22 15:45:20 2019

There are no printers attached to our target, so nothing is returned here either.

We can also do a nmblookup to display the NetBIOS information on the server. Use the flag -n :

~# enum4linux -n 10.10.0.50

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 22 15:45:41 2019

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.0.50
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ====================================================
|    Enumerating Workgroup/Domain on 10.10.0.50    |
 ====================================================
[+] Got domain/workgroup name: WORKGROUP

 ============================================
|    Nbtstat Information for 10.10.0.50    |
 ============================================
Looking up status of 10.10.0.50
	METASPLOITABLE  <00> -         B <ACTIVE>  Workstation Service
	METASPLOITABLE  <03> -         B <ACTIVE>  Messenger Service
	METASPLOITABLE  <20> -         B <ACTIVE>  File Server Service
	..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
	WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
	WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
	WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

	MAC Address = 00-00-00-00-00-00

 =====================================
|    Session Check on 10.10.0.50    |
 =====================================
[+] Server 10.10.0.50 allows sessions using username '', password ''

 ===========================================
|    Getting domain SID for 10.10.0.50    |
 ===========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
enum4linux complete on Wed May 22 15:45:41 2019

Probably the most useful option for this tool is the option to run all these tests simultaneously. That way, we can quickly get all the needed SMB information in one scan. Use the flag -a to execute all simple enumerations:

~# enum4linux -a 10.10.0.50

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 22 15:46:25 2019

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.0.50
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ====================================================
|    Enumerating Workgroup/Domain on 10.10.0.50    |
 ====================================================
[+] Got domain/workgroup name: WORKGROUP

 ============================================
|    Nbtstat Information for 10.10.0.50    |
 ============================================
Looking up status of 10.10.0.50
	METASPLOITABLE  <00> -         B <ACTIVE>  Workstation Service
	METASPLOITABLE  <03> -         B <ACTIVE>  Messenger Service
	METASPLOITABLE  <20> -         B <ACTIVE>  File Server Service
	..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
	WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
	WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
	WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

	MAC Address = 00-00-00-00-00-00

 =====================================
|    Session Check on 10.10.0.50    |
 =====================================
[+] Server 10.10.0.50 allows sessions using username '', password ''

...

 ==============================
|    Groups on 10.10.0.50    |
 ==============================

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 =======================================================================
|    Users on 10.10.0.50 via RID cycling (RIDS: 500-550,1000-1050)    |
 =======================================================================
[I] Found new SID: S-1-5-21-1042354039-2475377354-766472396
[+] Enumerating users using SID S-1-5-21-1042354039-2475377354-766472396 and logon username '', password ''
S-1-5-21-1042354039-2475377354-766472396-500 METASPLOITABLE\Administrator (Local User)
S-1-5-21-1042354039-2475377354-766472396-501 METASPLOITABLE\nobody (Local User)
S-1-5-21-1042354039-2475377354-766472396-502 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-503 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-504 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-505 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-506 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-507 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-508 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-509 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-510 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-511 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-512 METASPLOITABLE\Domain Admins (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-513 METASPLOITABLE\Domain Users (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-514 METASPLOITABLE\Domain Guests (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-515 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-516 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-517 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-518 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-519 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-520 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-521 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-522 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-523 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-524 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-525 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-526 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-527 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-528 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-529 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-530 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-531 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-532 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-533 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-534 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-535 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-536 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-537 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-538 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-539 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-540 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-541 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-542 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-543 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-544 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-545 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-546 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-547 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-548 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-549 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-550 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1000 METASPLOITABLE\root (Local User)
S-1-5-21-1042354039-2475377354-766472396-1001 METASPLOITABLE\root (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1002 METASPLOITABLE\daemon (Local User)
S-1-5-21-1042354039-2475377354-766472396-1003 METASPLOITABLE\daemon (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1004 METASPLOITABLE\bin (Local User)
S-1-5-21-1042354039-2475377354-766472396-1005 METASPLOITABLE\bin (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1006 METASPLOITABLE\sys (Local User)
S-1-5-21-1042354039-2475377354-766472396-1007 METASPLOITABLE\sys (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1008 METASPLOITABLE\sync (Local User)
S-1-5-21-1042354039-2475377354-766472396-1009 METASPLOITABLE\adm (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1010 METASPLOITABLE\games (Local User)
S-1-5-21-1042354039-2475377354-766472396-1011 METASPLOITABLE\tty (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1012 METASPLOITABLE\man (Local User)
S-1-5-21-1042354039-2475377354-766472396-1013 METASPLOITABLE\disk (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1014 METASPLOITABLE\lp (Local User)
S-1-5-21-1042354039-2475377354-766472396-1015 METASPLOITABLE\lp (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1016 METASPLOITABLE\mail (Local User)
S-1-5-21-1042354039-2475377354-766472396-1017 METASPLOITABLE\mail (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1018 METASPLOITABLE\news (Local User)
S-1-5-21-1042354039-2475377354-766472396-1019 METASPLOITABLE\news (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1020 METASPLOITABLE\uucp (Local User)
S-1-5-21-1042354039-2475377354-766472396-1021 METASPLOITABLE\uucp (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1022 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1023 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1024 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1025 METASPLOITABLE\man (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1026 METASPLOITABLE\proxy (Local User)
S-1-5-21-1042354039-2475377354-766472396-1027 METASPLOITABLE\proxy (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1028 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1029 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1030 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1031 METASPLOITABLE\kmem (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1032 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1033 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1034 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1035 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1036 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1037 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1038 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1039 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1040 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1041 METASPLOITABLE\dialout (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1042 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1043 METASPLOITABLE\fax (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1044 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1045 METASPLOITABLE\voice (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1046 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1047 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1048 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1049 METASPLOITABLE\cdrom (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1050 *unknown*\*unknown* (8)

 ==============================================
|    Getting printer info for 10.10.0.50    |
 ==============================================
No printers returned.

enum4linux complete on Wed May 22 15:46:41 2019

This is usually the quickest way to enumerate SMB on a target. Since all the results are in one place, they can easily be saved for later use.
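Whoever reviews one of these runs, whether as a tester or as the administrator auditing their own server, needs three things quickly: whether the host accepted a null session, which listed accounts are actually enabled (the acb field: 0x00000011 above is ACB_DISABLED | ACB_NORMAL, while 0x00000010 on user and msfadmin is an enabled account), and which shares an anonymous client could list. The following Python parser is an added example, not part of the original article or of enum4linux; it reads saved -U, -S and RID-cycling output, decodes the acb bits and the numeric SID_NAME_USE codes (the "(8)" lines) using the standard MS-SAMR and LSA values, and the sample text is constructed from the output shown above.

```python
import re

# Account-control bits from enum4linux's "acb:" field (standard MS-SAMR ACB_* flags).
ACB_FLAGS = {
    0x0001: "disabled",
    0x0002: "homedir_required",
    0x0004: "password_not_required",
    0x0008: "temp_duplicate",
    0x0010: "normal_account",
    0x0020: "mns_logon",
    0x0040: "interdomain_trust",
    0x0080: "workstation_trust",
    0x0100: "server_trust",
    0x0200: "password_never_expires",
    0x0400: "auto_locked",
}

# SID_NAME_USE codes that lookupsid prints in parentheses for unresolved RIDs.
SID_NAME_USE = {1: "user", 2: "group", 3: "domain", 4: "alias", 5: "well-known group",
                6: "deleted", 7: "invalid", 8: "unknown"}

USER_RE = re.compile(
    r"^index:\s*0x[0-9a-f]+\s+RID:\s*(0x[0-9a-f]+)\s+acb:\s*(0x[0-9a-f]+)\s+Account:\s*(\S+)",
    re.IGNORECASE)
SHARE_RE = re.compile(r"^(//\S+)\s+Mapping:\s*(\w+),\s*Listing:\s*(\S+)")
SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)\s+(\S+?)\\(.+?)\s+\(([^)]+)\)$")
SESSION_RE = re.compile(r"^\[\+\] Server (\S+) allows sessions using username '', password ''")

# Constructed sample, condensed from the enum4linux output shown on this page.
SAMPLE = r"""
[+] Server 10.10.0.50 allows sessions using username '', password ''
index: 0x6 RID: 0xbba acb: 0x00000010 Account: user   Name: just a user,111,,   Desc: (null)
index: 0x8 RID: 0x3e8 acb: 0x00000011 Account: root   Name: root   Desc: (null)
index: 0x18 RID: 0xbb8 acb: 0x00000010 Account: msfadmin   Name: msfadmin,,,   Desc: (null)
//10.10.0.50/print$   Mapping: DENIED, Listing: N/A
//10.10.0.50/tmp   Mapping: OK, Listing: OK
//10.10.0.50/opt   Mapping: DENIED, Listing: N/A
S-1-5-21-1042354039-2475377354-766472396-500 METASPLOITABLE\Administrator (Local User)
S-1-5-21-1042354039-2475377354-766472396-502 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-512 METASPLOITABLE\Domain Admins (Domain Group)
"""


def decode_acb(acb: int) -> list:
    """Expand an acb bitmask into the names of the flags that are set."""
    return [name for bit, name in ACB_FLAGS.items() if acb & bit]


def parse_users(text: str) -> list:
    """Parse the 'index: ... RID: ... acb: ... Account: ...' lines of enum4linux -U."""
    users = []
    for line in text.splitlines():
        m = USER_RE.match(line.strip())
        if m:
            acb = int(m.group(2), 16)
            users.append({"account": m.group(3), "rid": int(m.group(1), 16),
                          "flags": decode_acb(acb), "enabled": not acb & 0x0001})
    return users


def parse_share_mapping(text: str) -> list:
    """Parse the '//host/share  Mapping: X, Listing: Y' lines of enum4linux -S."""
    shares = []
    for line in text.splitlines():
        m = SHARE_RE.match(line.strip())
        if m:
            shares.append({"share": m.group(1), "mapping": m.group(2), "listing": m.group(3)})
    return shares


def parse_rid_cycle(text: str) -> list:
    """Parse lookupsid lines from the RID-cycling section; a numeric kind is a SID_NAME_USE code."""
    out = []
    for line in text.splitlines():
        m = SID_RE.match(line.strip())
        if not m:
            continue
        kind = m.group(5)
        if kind.isdigit():
            kind = SID_NAME_USE.get(int(kind), "code " + kind)
        out.append({"domain_sid": m.group(1), "rid": int(m.group(2)),
                    "domain": m.group(3), "name": m.group(4), "kind": kind})
    return out


def triage(text: str) -> dict:
    """Summarize what an anonymous (null-session) client learned from one enum4linux run."""
    users = parse_users(text)
    shares = parse_share_mapping(text)
    rids = parse_rid_cycle(text)
    return {
        "null_session": any(SESSION_RE.match(l.strip()) for l in text.splitlines()),
        "enabled_accounts": sorted(u["account"] for u in users if u["enabled"]),
        "disabled_accounts": len([u for u in users if not u["enabled"]]),
        "anon_readable_shares": sorted(s["share"] for s in shares if s["listing"] == "OK"),
        "resolved_rids": sorted(r["rid"] for r in rids if r["kind"] != "unknown"),
        "domain_sids": sorted({r["domain_sid"] for r in rids}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Feed it a file saved from `enum4linux -a` and the summary tells an administrator at a glance which of these findings (null sessions, anonymously listable shares, enabled accounts) they should be closing off.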

Step 2: Use Smbclient to List Shares & Transfer Files

Now that we've used Enum4linux to gather some information about the target, we can use one of the underlying tools to actually interact with SMB on the system.

Smbclient is a tool used to access SMB resources on a server, much like an FTP client is used to access files. It offers a simple command-line interface that is trivial to use if you're at all familiar with FTP.

We can view the help and usage options with the following command:

~# smbclient --help

Usage: smbclient service <password>
  -R, --name-resolve=NAME-RESOLVE-ORDER     Use these name resolution services only
  -M, --message=HOST                        Send message
  -I, --ip-address=IP                       Use this IP to connect to
  -E, --stderr                              Write messages to stderr instead of stdout
  -L, --list=HOST                           Get a list of shares available on a host
  -m, --max-protocol=LEVEL                  Set the max protocol level
  -T, --tar=<c|x>IXFqgbNan                  Command line tar
  -D, --directory=DIR                       Start from directory
  -c, --command=STRING                      Execute semicolon separated commands
  -b, --send-buffer=BYTES                   Changes the transmit/send buffer
  -t, --timeout=SECONDS                     Changes the per-operation timeout
  -p, --port=PORT                           Port to connect to
  -g, --grepable                            Produce grepable output
  -q, --quiet                               Suppress help message
  -B, --browse                              Browse SMB servers using DNS

Help options:
  -?, --help                                Show this help message
      --usage                               Display brief usage message

Common samba options:
  -d, --debuglevel=DEBUGLEVEL               Set debug level
  -s, --configfile=CONFIGFILE               Use alternate configuration file
  -l, --log-basename=LOGFILEBASE            Base name for log files
  -V, --version                             Print version
      --option=name=value                   Set smb.conf option from command line

Connection options:
  -O, --socket-options=SOCKETOPTIONS        socket options to use
  -n, --netbiosname=NETBIOSNAME             Primary netbios name
  -W, --workgroup=WORKGROUP                 Set the workgroup name
  -i, --scope=SCOPE                         Use this Netbios scope

Authentication options:
  -U, --user=USERNAME                       Set the network username
  -N, --no-pass                             Don't ask for a password
  -k, --kerberos                            Use kerberos (active directory) authentication
  -A, --authentication-file=FILE            Get the credentials from a file
  -S, --signing=on|off|required             Set the client signing state
  -P, --machine-pass                        Use stored machine account password
  -e, --encrypt                             Encrypt SMB transport
  -C, --use-ccache                          Use the winbind ccache for authentication
      --pw-nt-hash                          The supplied password is the NT hash

There are a lot of different options for connection and authentication, but today we will keep it simple. We can get a list of shares on the target, much like we did earlier with Enum4linux, by using the -L flag followed by the IP address of the server:

~# smbclient -L //10.10.0.50/

Enter WORKGROUP\root's password:
Anonymous login successful

    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    tmp             Disk      oh noes!
    opt             Disk
    IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
    ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
    WORKGROUP            METASPLOITABLE

When connecting to SMB, the address is written between slashes, as in //10.10.0.50/. smbclient prompts for root's password because it defaults to the local username, but if the server isn't configured properly, we can log in anonymously by simply pressing Enter at the prompt.
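
Misconfiguration on the server side is what makes that anonymous login possible. The following is an added example, not part of the original tutorial and not Samba's own code, that audits a Samba smb.conf for the settings involved. The two configurations embedded in it are constructed samples (one weak, one hardened); the option names `map to guest`, `restrict anonymous`, `guest ok` and `public` are real Samba parameters.

```python
# Added example (not from the original tutorial): audit an smb.conf for the
# settings that let a client list shares and log in anonymously, as the
# tutorial's target does. The two configurations are constructed samples.

WEAK_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = Bad User
   restrict anonymous = 0

[tmp]
   comment = oh noes!
   path = /tmp
   read only = no
   public = yes

[opt]
   path = /opt
   guest ok = yes
"""

HARDENED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = Never
   restrict anonymous = 2

[tmp]
   comment = scratch space
   path = /tmp
   read only = no
   valid users = @staff

[opt]
   path = /opt
   valid users = @staff
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {option: value}}. Section and
    option names are lower-cased, as Samba treats both case-insensitively;
    comment lines start with '#' or ';'."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf


def is_true(value):
    """Samba boolean parsing: yes/true/1 (case-insensitive) mean true."""
    return value.strip().lower() in ("yes", "true", "1")


def audit_anonymous_access(text):
    """Return [(section, finding), ...] for settings that allow anonymous
    share enumeration or guest access to individual shares."""
    conf = parse_smb_conf(text)
    findings = []
    g = conf.get("global", {})

    # 'map to guest' defaults to Never; any other value turns a failed
    # login into a guest session instead of rejecting it.
    map_to_guest = g.get("map to guest", "Never")
    if map_to_guest.lower() != "never":
        findings.append(("global", "map to guest = %s turns failed logins into guest sessions" % map_to_guest))

    # 'restrict anonymous' defaults to 0, which hands user and group lists
    # to anyone who asks (what RID cycling relied on); 2 refuses anonymous
    # connections altogether.
    restrict = g.get("restrict anonymous", "0")
    if int(restrict) < 2:
        findings.append(("global", "restrict anonymous = %s leaves anonymous connections open" % restrict))

    for name, opts in conf.items():
        if name == "global":
            continue
        # 'public' is a synonym for 'guest ok' at share level
        if is_true(opts.get("guest ok", opts.get("public", "no"))):
            findings.append((name, "share permits guest access (guest ok / public = yes)"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit_anonymous_access(conf) or "no findings")
```

Running it reports two global findings and one per guest share for the weak file and nothing for the hardened one; the hardened sample restricts each share to a group with `valid users` rather than relying on guest mapping.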

We saw earlier that null sessions are allowed, which means that we can log in with a blank username and password as well. Use the -U flag to specify the username (in this case a blank string) and the -N flag to specify no password:

~# smbclient -L //10.10.0.50/ -U '' -N

    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    tmp             Disk      oh noes!
    opt             Disk
    IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
    ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
    WORKGROUP            METASPLOITABLE

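To make listings like the one above usable in an audit of many hosts, here is an added example (written for this page, not code from the tutorial or from Samba) that parses `smbclient -L` output into records and reports which disk shares were listable anonymously. It goes a little beyond the page by also accepting the pipe-separated form printed by the `-g` option shown in the help above. The table input is copied from the tutorial's listing; the `-g` sample is constructed.

```python
# Added example (not from the original tutorial): turn the share listing that
# `smbclient -L //host/` prints into structured records and report the disk
# shares that were listable without credentials. SAMPLE_LISTING is copied
# from the tutorial's output; SAMPLE_GREPABLE is a constructed sample in the
# Type|Name|Comment format produced by smbclient's -g option.
import re

SAMPLE_LISTING = """\
Anonymous login successful

    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    tmp             Disk      oh noes!
    opt             Disk
    IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
    ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
    WORKGROUP            METASPLOITABLE
"""

SAMPLE_GREPABLE = """\
Anonymous login successful
Disk|print$|Printer Drivers
Disk|tmp|oh noes!
IPC|IPC$|IPC Service (metasploitable server (Samba 3.0.20-Debian))
"""

SHARE_TYPES = "Disk|IPC|Printer|Device"
TABLE_LINE = re.compile(r"^\s+(\S+)\s+(%s)(?:\s+(.*))?\s*$" % SHARE_TYPES)
GREPABLE_LINE = re.compile(r"^(%s)\|([^|]+)\|(.*)$" % SHARE_TYPES)


def parse_share_listing(text):
    """Return (anonymous_ok, shares). Each share is a dict with name, type
    and comment. Handles both the human-readable table and -g output."""
    anonymous_ok = "Anonymous login successful" in text
    shares, in_table = [], False
    for line in text.splitlines():
        m = GREPABLE_LINE.match(line)
        if m:
            shares.append({"name": m.group(2), "type": m.group(1), "comment": m.group(3).strip()})
            continue
        if line.strip().startswith("Sharename"):
            in_table = True          # header row of the share table
            continue
        if in_table:
            if not line.strip() or not line[0].isspace():
                in_table = False     # blank or unindented line ends the table
                continue
            if line.strip().startswith("---"):
                continue
            m = TABLE_LINE.match(line)
            if m:
                shares.append({"name": m.group(1), "type": m.group(2),
                               "comment": (m.group(3) or "").strip()})
    return anonymous_ok, shares


def anonymously_listable_disk_shares(text):
    """Disk shares reported under an anonymous login: the finding an audit
    of this host would record. Empty when the login was not anonymous."""
    anonymous_ok, shares = parse_share_listing(text)
    if not anonymous_ok:
        return []
    return [s["name"] for s in shares if s["type"] == "Disk"]


if __name__ == "__main__":
    print(anonymously_listable_disk_shares(SAMPLE_LISTING))
```

On the tutorial's listing this reports `print$`, `tmp` and `opt`; a host that rejects the null session (for example with `NT_STATUS_ACCESS_DENIED`) yields an empty list, so the output doubles as a per-host pass/fail for the check.
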
We have now listed the shares without supplying any credentials, and we can now connect to a share by specifying the host IP address followed by the name of a share. There's an interesting comment on the tmp share, and we were able to successfully map it earlier, so let's connect to that:

~# smbclient //10.10.0.50/tmp

Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> help
?              allinfo        altname        archive        backup
blocksize      cancel         case_sensitive cd             chmod
chown          close          del            deltree        dir
du             echo           exit           get            getfacl
geteas         hardlink       help           history        iosize
lcd            link           lock           lowercase      ls
l              mask           md             mget           mkdir
more           mput           newer          notify         open
posix          posix_encrypt  posix_open     posix_mkdir    posix_rmdir
posix_unlink   posix_whoami   print          prompt         put
pwd            q              queue          quit           readlink
rd             recurse        reget          rename         reput
rm             rmdir          showacls       setea          setmode
scopy          stat           symlink        tar            tarmode
timeout        translate      unlock         volume         vuid
wdel           logon          listconnect    showconnect    tcon
tdis           tid            utimes         logoff         ..
!
smb: \> pwd
Current directory is \\10.10.0.50\tmp\
smb: \>

We can either log in with a blank password for root or with a blank username and password like we did before. Once we are connected, we can type help to get a list of available commands.

Use the dir command to list the contents of the current directory:

smb: \> dir

  .                                   D        0  Wed Aug  8 10:12:28 2018
  ..                                 DR        0  Tue Jan 15 09:17:21 2019
  example.txt                         A        5  Wed Aug  8 10:12:28 2018
  .ICE-unix                          DH        0  Wed Aug  8 08:57:04 2018
  .X11-unix                          DH        0  Wed Aug  8 08:57:50 2018
  .X0-lock                           HR       11  Wed Aug  8 08:57:50 2018
  4596.jsvc_up                        R        0  Wed Aug  8 08:58:43 2018

        7282168 blocks of size 1024. 5331432 blocks available

Let's say there is a juicy looking file on the server. We can download it to our local machine using the get command:

smb: \> get example.txt

getting file example.txt of size 5 as example.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)

The reverse is true as well. If we had a malicious file we wanted to upload to the server, we can do that with the put command:

smb: \> put evil_file

putting file evil_file as evil_file (0.4 kb/s) (average 0.4 kb/s)

smb: \> dir

  .                                   D        0  Wed Aug  8 10:14:23 2018
  ..                                 DR        0  Tue Jan 15 09:17:21 2019
  example.txt                         A        5  Wed Aug  8 10:12:28 2018
  .ICE-unix                          DH        0  Wed Aug  8 08:57:04 2018
  .X11-unix                          DH        0  Wed Aug  8 08:57:50 2018
  evil_file                           A        5  Wed Aug  8 10:14:23 2018
  .X0-lock                           HR       11  Wed Aug  8 08:57:50 2018
  4596.jsvc_up                        R        0  Wed Aug  8 08:58:43 2018

        7282168 blocks of size 1024. 5331428 blocks available
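
A defender watching a writable share wants to notice exactly this kind of new file. The following added example (written for this page, not code from the tutorial) parses the `dir` output of smbclient and compares two snapshots of the same directory; the two listings embedded in it are the ones shown above, captured before and after the upload.

```python
# Added example (not from the original tutorial): parse smbclient's `dir`
# output and compare two snapshots of a share, which is how a defender can
# spot unexpected uploads to a writable share. BEFORE and AFTER are the two
# listings from the tutorial, taken before and after `put evil_file`.
import re
from collections import namedtuple

BEFORE = """\
  .                                   D        0  Wed Aug  8 10:12:28 2018
  ..                                 DR        0  Tue Jan 15 09:17:21 2019
  example.txt                         A        5  Wed Aug  8 10:12:28 2018
  .ICE-unix                          DH        0  Wed Aug  8 08:57:04 2018
  .X11-unix                          DH        0  Wed Aug  8 08:57:50 2018
  .X0-lock                           HR       11  Wed Aug  8 08:57:50 2018
  4596.jsvc_up                        R        0  Wed Aug  8 08:58:43 2018

        7282168 blocks of size 1024. 5331432 blocks available
"""

AFTER = """\
  .                                   D        0  Wed Aug  8 10:14:23 2018
  ..                                 DR        0  Tue Jan 15 09:17:21 2019
  example.txt                         A        5  Wed Aug  8 10:12:28 2018
  .ICE-unix                          DH        0  Wed Aug  8 08:57:04 2018
  .X11-unix                          DH        0  Wed Aug  8 08:57:50 2018
  evil_file                           A        5  Wed Aug  8 10:14:23 2018
  .X0-lock                           HR       11  Wed Aug  8 08:57:50 2018
  4596.jsvc_up                        R        0  Wed Aug  8 08:58:43 2018

        7282168 blocks of size 1024. 5331428 blocks available
"""

Entry = namedtuple("Entry", "name attrs size mtime")

# name, DOS attribute letters (D=directory, A=archive, H=hidden,
# R=read-only, S=system, N=normal), size in bytes, asctime-style timestamp
DIR_LINE = re.compile(
    r"^\s+(?P<name>.+?)\s+(?P<attrs>[DAHRSN]+)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>[A-Za-z]{3} [A-Za-z]{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})\s*$")


def parse_dir_listing(text):
    """Map each entry name to an Entry; the summary line and any prompt
    echo are skipped because they do not match the entry pattern."""
    entries = {}
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if m:
            e = Entry(m["name"], m["attrs"], int(m["size"]), m["mtime"])
            entries[e.name] = e
    return entries


def diff_listings(before, after):
    """Return (added, removed, changed) names between two snapshots.
    '.' and '..' are ignored: their mtime moves whenever the directory
    itself changes, which would mask the real finding."""
    old, new = parse_dir_listing(before), parse_dir_listing(after)
    skip = {".", ".."}
    added = sorted(n for n in new if n not in old and n not in skip)
    removed = sorted(n for n in old if n not in new and n not in skip)
    changed = sorted(n for n in new if n in old and n not in skip
                     and (new[n].size, new[n].mtime) != (old[n].size, old[n].mtime))
    return added, removed, changed


if __name__ == "__main__":
    added, removed, changed = diff_listings(BEFORE, AFTER)
    print("added:", added, "removed:", removed, "changed:", changed)
```

Run against the two listings it reports `evil_file` as the only addition. The same comparison works on listings captured periodically from a share, and the attribute letters let you single out hidden (`H`) entries, which a casual look at the share would miss.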

SMB shares can sometimes be a treasure trove of information or even a direct avenue of attack depending on how they are configured.
