SMB (Server Message Block) is a protocol that allows resources on the same network to share files, browse the network, and print over the network. It was initially used on Windows, but Unix systems can use SMB through Samba. Today, we will be using a tool called Enum4linux to extract information from a target, as well as smbclient to connect to an SMB share and transfer files.
Enumeration is the process of gathering information on a target in order to find potential attack vectors and aid in exploitation. This process is essential for an attack to be successful, as wasting time with exploits that either don't work or can crash the system can be disastrous. Enumeration can be used to gather usernames, passwords, network information, hostnames, application data, services, or any other information that may be valuable to an attacker.
Typically, there are SMB share drives on a server that can be connected to and used to view or transfer files. SMB can often be a great starting point for an attacker looking to discover sensitive information — you'd be surprised what is sometimes included on these shares. In some rare situations, such as when the SMB share directory and the webserver root directory are the same, an attacker could even exploit the misconfiguration to achieve code execution.
In our example article here, we will be using Metasploitable 2 as the target and Kali Linux as the attacking machine, to simulate what happens in a real-world attack.
Step 1: Gather Information with Enum4linux
The first thing we need to do is determine if SMB is present on the target. It's usually a safe bet that if ports 139 and 445 are open, SMB is running. Let's do a simple Nmap scan to see what's open:
~# nmap -Pn 10.10.0.50
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-23 08:44 CDT
Nmap scan report for 10.10.0.50
Host is up (0.0024s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
It looks like SMB is open, so we're in business.
Enum4linux is a tool used to enumerate SMB shares on both Windows and Linux systems. It is basically a wrapper around the tools in the Samba package and makes it easy to quickly extract information from the target pertaining to SMB.
Enter enum4linux in the terminal by itself to view the help and usage information:
~# enum4linux
enum4linux v0.8.9 (http://labs.portcullis.co.uk/application/enum4linux/)
Copyright (C) 2011 Mark Lowe (mrl@portcullis-security.com)
Simple wrapper around the tools in the samba package to provide similar
functionality to enum.exe (formerly from www.bindview.com). Some additional
features such as RID cycling have also been added for convenience.
Usage: ./enum4linux.pl [options] ip
Options are (like "enum"):
-U get userlist
-M get machine list*
-S get sharelist
-P get password policy information
-G get group and member list
-d be detailed, applies to -U and -S
-u user specify username to use (default "")
-p pass specify password to use (default "")
The following options from enum.exe aren't implemented: -L, -N, -D, -f
Additional options:
-a Do all simple enumeration (-U -S -G -P -r -o -n -i).
This opion is enabled if you don't provide any other options.
-h Display this help message and exit
-r enumerate users via RID cycling
-R range RID ranges to enumerate (default: 500-550,1000-1050, implies -r)
-K n Keep searching RIDs until n consective RIDs don't correspond to
a username. Impies RID range ends at 999999. Useful
against DCs.
-l Get some (limited) info via LDAP 389/TCP (for DCs only)
-s file brute force guessing for share names
-k user User(s) that exists on remote system (default: administrator,guest,krbtgt,domain admins,root,bin,none)
Used to get sid with "lookupsid known_username"
Use commas to try several users: "-k admin,user1,user2"
-o Get OS information
-i Get printer information
-w wrkg Specify workgroup manually (usually found automatically)
-n Do an nmblookup (similar to nbtstat)
-v Verbose. Shows full commands being run (net, rpcclient, etc.)
RID cycling should extract a list of users from Windows (or Samba) hosts
which have RestrictAnonymous set to 1 (Windows NT and 2000), or "Network
access: Allow anonymous SID/Name translation" enabled (XP, 2003).
NB: Samba servers often seem to have RIDs in the range 3000-3050.
Dependancy info: You will need to have the samba package installed as this
script is basically just a wrapper around rpcclient, net, nmblookup and
smbclient. Polenum from http://labs.portcullis.co.uk/application/polenum/
is required to get Password Policy info.
We can see a dependency note at the bottom telling us that the Samba package needs to be installed to use the tool. If it's not already present on your system, you can install it with the package manager.
~# apt-get install samba
The most basic usage of Enum4linux takes an option and the IP address of the target. We can use the -U flag to view users on the target:
~# enum4linux -U 10.10.0.50
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 22 15:39:59 2019
==========================
| Target Information |
==========================
Target ........... 10.10.0.50
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
==================================================
| Enumerating Workgroup/Domain on 10.10.0.50 |
==================================================
[+] Got domain/workgroup name: WORKGROUP
===================================
| Session Check on 10.10.0.50 |
===================================
[+] Server 10.10.0.50 allows sessions using username '', password ''
=========================================
| Getting domain SID for 10.10.0.50 |
=========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
===========================
| Users on 10.10.0.50 |
===========================
index: 0x1 RID: 0x3f2 acb: 0x00000011 Account: games Name: games Desc: (null)
index: 0x2 RID: 0x1f5 acb: 0x00000011 Account: nobody Name: nobody Desc: (null)
index: 0x3 RID: 0x4ba acb: 0x00000011 Account: bind Name: (null) Desc: (null)
index: 0x4 RID: 0x402 acb: 0x00000011 Account: proxy Name: proxy Desc: (null)
index: 0x5 RID: 0x4b4 acb: 0x00000011 Account: syslog Name: (null) Desc: (null)
index: 0x6 RID: 0xbba acb: 0x00000010 Account: user Name: just a user,111,, Desc: (null)
index: 0x7 RID: 0x42a acb: 0x00000011 Account: www-data Name: www-data Desc: (null)
index: 0x8 RID: 0x3e8 acb: 0x00000011 Account: root Name: root Desc: (null)
index: 0x9 RID: 0x3fa acb: 0x00000011 Account: news Name: news Desc: (null)
index: 0xa RID: 0x4c0 acb: 0x00000011 Account: postgres Name: PostgreSQL administrator,,, Desc: (null)
index: 0xb RID: 0x3ec acb: 0x00000011 Account: bin Name: bin Desc: (null)
index: 0xc RID: 0x3f8 acb: 0x00000011 Account: mail Name: mail Desc: (null)
index: 0xd RID: 0x4c6 acb: 0x00000011 Account: distccd Name: (null) Desc: (null)
index: 0xe RID: 0x4ca acb: 0x00000011 Account: proftpd Name: (null) Desc: (null)
index: 0xf RID: 0x4b2 acb: 0x00000011 Account: dhcp Name: (null) Desc: (null)
index: 0x10 RID: 0x3ea acb: 0x00000011 Account: daemon Name: daemon Desc: (null)
index: 0x11 RID: 0x4b8 acb: 0x00000011 Account: sshd Name: (null) Desc: (null)
index: 0x12 RID: 0x3f4 acb: 0x00000011 Account: man Name: man Desc: (null)
index: 0x13 RID: 0x3f6 acb: 0x00000011 Account: lp Name: lp Desc: (null)
index: 0x14 RID: 0x4c2 acb: 0x00000011 Account: mysql Name: MySQL Server,,, Desc: (null)
index: 0x15 RID: 0x43a acb: 0x00000011 Account: gnats Name: Gnats Bug-Reporting System (admin) Desc: (null)
index: 0x16 RID: 0x4b0 acb: 0x00000011 Account: libuuid Name: (null) Desc: (null)
index: 0x17 RID: 0x42c acb: 0x00000011 Account: backup Name: backup Desc: (null)
index: 0x18 RID: 0xbb8 acb: 0x00000010 Account: msfadmin Name: msfadmin,,, Desc: (null)
index: 0x19 RID: 0x4c8 acb: 0x00000011 Account: telnetd Name: (null) Desc: (null)
index: 0x1a RID: 0x3ee acb: 0x00000011 Account: sys Name: sys Desc: (null)
index: 0x1b RID: 0x4b6 acb: 0x00000011 Account: klog Name: (null) Desc: (null)
index: 0x1c RID: 0x4bc acb: 0x00000011 Account: postfix Name: (null) Desc: (null)
index: 0x1d RID: 0xbbc acb: 0x00000011 Account: service Name: ,,, Desc: (null)
index: 0x1e RID: 0x434 acb: 0x00000011 Account: list Name: Mailing List Manager Desc: (null)
index: 0x1f RID: 0x436 acb: 0x00000011 Account: irc Name: ircd Desc: (null)
index: 0x20 RID: 0x4be acb: 0x00000011 Account: ftp Name: (null) Desc: (null)
index: 0x21 RID: 0x4c4 acb: 0x00000011 Account: tomcat55 Name: (null) Desc: (null)
index: 0x22 RID: 0x3f0 acb: 0x00000011 Account: sync Name: sync Desc: (null)
index: 0x23 RID: 0x3fc acb: 0x00000011 Account: uucp Name: uucp Desc: (null)
user:[games] rid:[0x3f2]
user:[nobody] rid:[0x1f5]
user:[bind] rid:[0x4ba]
user:[proxy] rid:[0x402]
user:[syslog] rid:[0x4b4]
user:[user] rid:[0xbba]
user:[www-data] rid:[0x42a]
user:[root] rid:[0x3e8]
user:[news] rid:[0x3fa]
user:[postgres] rid:[0x4c0]
user:[bin] rid:[0x3ec]
user:[mail] rid:[0x3f8]
user:[distccd] rid:[0x4c6]
user:[proftpd] rid:[0x4ca]
user:[dhcp] rid:[0x4b2]
user:[daemon] rid:[0x3ea]
user:[sshd] rid:[0x4b8]
user:[man] rid:[0x3f4]
user:[lp] rid:[0x3f6]
user:[mysql] rid:[0x4c2]
user:[gnats] rid:[0x43a]
user:[libuuid] rid:[0x4b0]
user:[backup] rid:[0x42c]
user:[msfadmin] rid:[0xbb8]
user:[telnetd] rid:[0x4c8]
user:[sys] rid:[0x3ee]
user:[klog] rid:[0x4b6]
user:[postfix] rid:[0x4bc]
user:[service] rid:[0xbbc]
user:[list] rid:[0x434]
user:[irc] rid:[0x436]
user:[ftp] rid:[0x4be]
user:[tomcat55] rid:[0x4c4]
user:[sync] rid:[0x3f0]
user:[uucp] rid:[0x3fc]
enum4linux complete on Wed May 22 15:40:01 2019
We can see this gives us some information about the workgroup name, whether the server allows null sessions (blank username and password — this will come in handy later), and the users present on the system.
The -S flag will give us information about the SMB shares on the machine:
~# enum4linux -S 10.10.0.50
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 22 15:41:26 2019
==========================
| Target Information |
==========================
Target ........... 10.10.0.50
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
==================================================
| Enumerating Workgroup/Domain on 10.10.0.50 |
==================================================
[+] Got domain/workgroup name: WORKGROUP
===================================
| Session Check on 10.10.0.50 |
===================================
[+] Server 10.10.0.50 allows sessions using username '', password ''
=========================================
| Getting domain SID for 10.10.0.50 |
=========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
=======================================
| Share Enumeration on 10.10.0.50 |
=======================================
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP METASPLOITABLE
[+] Attempting to map shares on 10.10.0.50
//10.10.0.50/print$ Mapping: DENIED, Listing: N/A
//10.10.0.50/tmp Mapping: OK, Listing: OK
//10.10.0.50/opt Mapping: DENIED, Listing: N/A
//10.10.0.50/IPC$ [E] Can't understand response:
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//10.10.0.50/ADMIN$ Mapping: DENIED, Listing: N/A
enum4linux complete on Wed May 22 15:41:27 2019
We can see there are a few shares present, such as default shares like print$, IPC$, and ADMIN$, but also custom shares like opt and tmp. There even appears to be a comment on one of them, which could prove useful later.
It also attempts to map the shares, telling us whether we have access or not to a particular share. We can view the password policy on the target using the -P flag:
~# enum4linux -P 10.10.0.50
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 22 15:42:27 2019
==========================
| Target Information |
==========================
Target ........... 10.10.0.50
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
==================================================
| Enumerating Workgroup/Domain on 10.10.0.50 |
==================================================
[+] Got domain/workgroup name: WORKGROUP
===================================
| Session Check on 10.10.0.50 |
===================================
[+] Server 10.10.0.50 allows sessions using username '', password ''
=========================================
| Getting domain SID for 10.10.0.50 |
=========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
==================================================
| Password Policy Information for 10.10.0.50 |
==================================================
[+] Attaching to 10.10.0.50 using a NULL share
[+] Trying protocol 445/SMB...
[+] Found domain(s):
[+] METASPLOITABLE
[+] Builtin
[+] Password Info for Domain: METASPLOITABLE
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 0
enum4linux complete on Wed May 22 15:42:30 2019
This gives us information about any password policies present. In this case, we can see some info for the "METASPLOITABLE" domain. We can see things like the minimum password length, password age, and complexity requirements. This can be extremely useful for the information-gathering phase of an attack, as this can help narrow down password brute-force attempts later on.
We can use the -o flag to get some operating system information:
~# enum4linux -o 10.10.0.50
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 22 15:43:40 2019
==========================
| Target Information |
==========================
Target ........... 10.10.0.50
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
==================================================
| Enumerating Workgroup/Domain on 10.10.0.50 |
==================================================
[+] Got domain/workgroup name: WORKGROUP
===================================
| Session Check on 10.10.0.50 |
===================================
[+] Server 10.10.0.50 allows sessions using username '', password ''
=========================================
| Getting domain SID for 10.10.0.50 |
=========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
====================================
| OS information on 10.10.0.50 |
====================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.0.50 from smbclient:
[+] Got OS info for 10.10.0.50 from srvinfo:
METASPLOITABLE Wk Sv PrQ Unx NT SNT metasploitable server (Samba 3.0.20-Debian)
platform_id : 500
os version : 4.9
server type : 0x9a03
enum4linux complete on Wed May 22 15:43:40 2019
Here we can see the Samba version number and that the server is Debian-based.
If the target is a domain controller, the -l flag will attempt to get some limited information about LDAP running on the server:
~# enum4linux -l 10.10.0.50
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 22 15:44:23 2019
==========================
| Target Information |
==========================
Target ........... 10.10.0.50
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
==================================================
| Enumerating Workgroup/Domain on 10.10.0.50 |
==================================================
[+] Got domain/workgroup name: WORKGROUP
===================================
| Session Check on 10.10.0.50 |
===================================
[+] Server 10.10.0.50 allows sessions using username '', password ''
===================================================
| Getting information via LDAP for 10.10.0.50 |
===================================================
[E] Connection error
=========================================
| Getting domain SID for 10.10.0.50 |
=========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
enum4linux complete on Wed May 22 15:44:24 2019
In this case, our target is not a DC, so it doesn't return anything.
Printers are often shared on a network and can often be an overlooked attack vector. We can use the -i flag to view any printer information:
~# enum4linux -i 10.10.0.50
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 22 15:45:20 2019
==========================
| Target Information |
==========================
Target ........... 10.10.0.50
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
==================================================
| Enumerating Workgroup/Domain on 10.10.0.50 |
==================================================
[+] Got domain/workgroup name: WORKGROUP
===================================
| Session Check on 10.10.0.50 |
===================================
[+] Server 10.10.0.50 allows sessions using username '', password ''
=========================================
| Getting domain SID for 10.10.0.50 |
=========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
===========================================
| Getting printer info for 10.10.0.50 |
===========================================
No printers returned.
enum4linux complete on Wed May 22 15:45:20 2019
There are no printers attached to our target, so again, nothing is returned.
We can also perform an nmblookup to see NetBIOS information on the server. Use the -n flag to do so:
~# enum4linux -n 10.10.0.50
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 22 15:45:41 2019
==========================
| Target Information |
==========================
Target ........... 10.10.0.50
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
==================================================
| Enumerating Workgroup/Domain on 10.10.0.50 |
==================================================
[+] Got domain/workgroup name: WORKGROUP
==========================================
| Nbtstat Information for 10.10.0.50 |
==========================================
Looking up status of 10.10.0.50
METASPLOITABLE <00> - B <ACTIVE> Workstation Service
METASPLOITABLE <03> - B <ACTIVE> Messenger Service
METASPLOITABLE <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
===================================
| Session Check on 10.10.0.50 |
===================================
[+] Server 10.10.0.50 allows sessions using username '', password ''
=========================================
| Getting domain SID for 10.10.0.50 |
=========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
enum4linux complete on Wed May 22 15:45:41 2019
Perhaps the most useful option for this tool is the option to run all these tests at once. That way we can quickly get all the SMB information we need in one scan — use the -a flag to run all simple enumeration:
~# enum4linux -a 10.10.0.50
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 22 15:46:25 2019
==========================
| Target Information |
==========================
Target ........... 10.10.0.50
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
==================================================
| Enumerating Workgroup/Domain on 10.10.0.50 |
==================================================
[+] Got domain/workgroup name: WORKGROUP
==========================================
| Nbtstat Information for 10.10.0.50 |
==========================================
Looking up status of 10.10.0.50
METASPLOITABLE <00> - B <ACTIVE> Workstation Service
METASPLOITABLE <03> - B <ACTIVE> Messenger Service
METASPLOITABLE <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
===================================
| Session Check on 10.10.0.50 |
===================================
[+] Server 10.10.0.50 allows sessions using username '', password ''
...
============================
| Groups on 10.10.0.50 |
============================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
=====================================================================
| Users on 10.10.0.50 via RID cycling (RIDS: 500-550,1000-1050) |
=====================================================================
[I] Found new SID: S-1-5-21-1042354039-2475377354-766472396
[+] Enumerating users using SID S-1-5-21-1042354039-2475377354-766472396 and logon username '', password ''
S-1-5-21-1042354039-2475377354-766472396-500 METASPLOITABLE\Administrator (Local User)
S-1-5-21-1042354039-2475377354-766472396-501 METASPLOITABLE\nobody (Local User)
S-1-5-21-1042354039-2475377354-766472396-502 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-503 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-504 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-505 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-506 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-507 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-508 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-509 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-510 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-511 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-512 METASPLOITABLE\Domain Admins (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-513 METASPLOITABLE\Domain Users (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-514 METASPLOITABLE\Domain Guests (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-515 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-516 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-517 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-518 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-519 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-520 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-521 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-522 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-523 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-524 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-525 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-526 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-527 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-528 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-529 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-530 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-531 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-532 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-533 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-534 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-535 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-536 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-537 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-538 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-539 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-540 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-541 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-542 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-543 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-544 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-545 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-546 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-547 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-548 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-549 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-550 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1000 METASPLOITABLE\root (Local User)
S-1-5-21-1042354039-2475377354-766472396-1001 METASPLOITABLE\root (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1002 METASPLOITABLE\daemon (Local User)
S-1-5-21-1042354039-2475377354-766472396-1003 METASPLOITABLE\daemon (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1004 METASPLOITABLE\bin (Local User)
S-1-5-21-1042354039-2475377354-766472396-1005 METASPLOITABLE\bin (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1006 METASPLOITABLE\sys (Local User)
S-1-5-21-1042354039-2475377354-766472396-1007 METASPLOITABLE\sys (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1008 METASPLOITABLE\sync (Local User)
S-1-5-21-1042354039-2475377354-766472396-1009 METASPLOITABLE\adm (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1010 METASPLOITABLE\games (Local User)
S-1-5-21-1042354039-2475377354-766472396-1011 METASPLOITABLE\tty (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1012 METASPLOITABLE\man (Local User)
S-1-5-21-1042354039-2475377354-766472396-1013 METASPLOITABLE\disk (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1014 METASPLOITABLE\lp (Local User)
S-1-5-21-1042354039-2475377354-766472396-1015 METASPLOITABLE\lp (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1016 METASPLOITABLE\mail (Local User)
S-1-5-21-1042354039-2475377354-766472396-1017 METASPLOITABLE\mail (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1018 METASPLOITABLE\news (Local User)
S-1-5-21-1042354039-2475377354-766472396-1019 METASPLOITABLE\news (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1020 METASPLOITABLE\uucp (Local User)
S-1-5-21-1042354039-2475377354-766472396-1021 METASPLOITABLE\uucp (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1022 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1023 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1024 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1025 METASPLOITABLE\man (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1026 METASPLOITABLE\proxy (Local User)
S-1-5-21-1042354039-2475377354-766472396-1027 METASPLOITABLE\proxy (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1028 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1029 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1030 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1031 METASPLOITABLE\kmem (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1032 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1033 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1034 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1035 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1036 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1037 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1038 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1039 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1040 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1041 METASPLOITABLE\dialout (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1042 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1043 METASPLOITABLE\fax (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1044 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1045 METASPLOITABLE\voice (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1046 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1047 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1048 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1049 METASPLOITABLE\cdrom (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1050 *unknown*\*unknown* (8)
===========================================
| Getting printer info for 10.10.0.50 |
===========================================
No printers returned.
enum4linux complete on Wed May 22 15:46:41 2019
This is usually the quickest way to enumerate SMB on a target, and since the results are all together in one place, they can easily be saved for later use.
Step 2: Use Smbclient to List Shares & Transfer Files
Now that we've used Enum4linux to gather some information about the target, we can use one of the underlying tools to actually interact with SMB on the system.
Smbclient is a tool used to access SMB resources on a server, much like an FTP client is used to access files. It offers a simple command-line interface that is trivial to use if you're at all familiar with FTP.
We can view the help and usage options with the following command:
~# smbclient --help
Usage: smbclient service <password>
-R, --name-resolve=NAME-RESOLVE-ORDER Use these name resolution services only
-M, --message=HOST Send message
-I, --ip-address=IP Use this IP to connect to
-E, --stderr Write messages to stderr instead of stdout
-L, --list=HOST Get a list of shares available on a host
-m, --max-protocol=LEVEL Set the max protocol level
-T, --tar=<c|x>IXFqgbNan Command line tar
-D, --directory=DIR Start from directory
-c, --command=STRING Execute semicolon separated commands
-b, --send-buffer=BYTES Changes the transmit/send buffer
-t, --timeout=SECONDS Changes the per-operation timeout
-p, --port=PORT Port to connect to
-g, --grepable Produce grepable output
-q, --quiet Suppress help message
-B, --browse Browse SMB servers using DNS
Help options:
-?, --help Show this help message
--usage Display brief usage message
Common samba options:
-d, --debuglevel=DEBUGLEVEL Set debug level
-s, --configfile=CONFIGFILE Use alternate configuration file
-l, --log-basename=LOGFILEBASE Base name for log files
-V, --version Print version
--option=name=value Set smb.conf option from command line
Connection options:
-O, --socket-options=SOCKETOPTIONS socket options to use
-n, --netbiosname=NETBIOSNAME Primary netbios name
-W, --workgroup=WORKGROUP Set the workgroup name
-i, --scope=SCOPE Use this Netbios scope
Authentication options:
-U, --user=USERNAME Set the network username
-N, --no-pass Don't ask for a password
-k, --kerberos Use kerberos (active directory) authentication
-A, --authentication-file=FILE Get the credentials from a file
-S, --signing=on|off|required Set the client signing state
-P, --machine-pass Use stored machine account password
-e, --encrypt Encrypt SMB transport
-C, --use-ccache Use the winbind ccache for authentication
--pw-nt-hash The supplied password is the NT hash
There are a lot of different options for connection and authentication, but today we will keep it simple. We can get a list of shares on the target, much like we did earlier with Enum4linux, by using the -L flag followed by the IP address of the server:
~# smbclient -L //10.10.0.50/
Enter WORKGROUP\root's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP METASPLOITABLE
When connecting to SMB, we need to use slashes around the address. Now, it will prompt us to enter root's password, but if it isn't configured properly, we can log in anonymously by simply hitting Enter at the prompt.
We saw earlier that null sessions are allowed, which means that we can log in with a blank username and password as well. Use the -U flag to specify the username (in this case a blank string) and the -N flag to specify no password:
~# smbclient -L //10.10.0.50/ -U '' -N
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP METASPLOITABLE
We have now listed the shares without supplying any credentials, and we can now connect to a share by specifying the host IP address followed by the name of a share. There's an interesting comment on the tmp share, and we were able to successfully map it earlier, so let's connect to that:
~# smbclient //10.10.0.50/tmp
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> help
? allinfo altname archive backup
blocksize cancel case_sensitive cd chmod
chown close del deltree dir
du echo exit get getfacl
geteas hardlink help history iosize
lcd link lock lowercase ls
l mask md mget mkdir
more mput newer notify open
posix posix_encrypt posix_open posix_mkdir posix_rmdir
posix_unlink posix_whoami print prompt put
pwd q queue quit readlink
rd recurse reget rename reput
rm rmdir showacls setea setmode
scopy stat symlink tar tarmode
timeout translate unlock volume vuid
wdel logon listconnect showconnect tcon
tdis tid utimes logoff ..
!
smb: \> pwd
Current directory is \\10.10.0.50\tmp\
smb: \>
We can either log in with a blank password for root or with a blank username and password like we did before. Once we are connected, we can type help to get a list of available commands.
Use the dir command to list the contents of the current directory:
smb: \> dir
. D 0 Wed Aug 8 10:12:28 2018
.. DR 0 Tue Jan 15 09:17:21 2019
example.txt A 5 Wed Aug 8 10:12:28 2018
.ICE-unix DH 0 Wed Aug 8 08:57:04 2018
.X11-unix DH 0 Wed Aug 8 08:57:50 2018
.X0-lock HR 11 Wed Aug 8 08:57:50 2018
4596.jsvc_up R 0 Wed Aug 8 08:58:43 2018
7282168 blocks of size 1024. 5331432 blocks available
Let's say there is a juicy looking file on the server. We can download it to our local machine using the get command:
smb: \> get example.txt
getting file \example.txt of size 5 as example.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
The reverse is true as well. If we had a malicious file we wanted to upload to the server, we can do that with the put command:
smb: \> put evil_file
putting file evil_file as \evil_file (0.4 kb/s) (average 0.4 kb/s)
smb: \> dir
. D 0 Wed Aug 8 10:14:23 2018
.. DR 0 Tue Jan 15 09:17:21 2019
example.txt A 5 Wed Aug 8 10:12:28 2018
.ICE-unix DH 0 Wed Aug 8 08:57:04 2018
.X11-unix DH 0 Wed Aug 8 08:57:50 2018
evil_file A 5 Wed Aug 8 10:14:23 2018
.X0-lock HR 11 Wed Aug 8 08:57:50 2018
4596.jsvc_up R 0 Wed Aug 8 08:58:43 2018
7282168 blocks of size 1024. 5331428 blocks available
SMB shares can sometimes be a treasure trove of information or even a direct avenue of attack depending on how they are configured.
Wrapping Up
Today, we learned about SMB and how it can be utilized by an attacker to gather valuable information about a target. We used Enum4linux to enumerate shares and smbclient to connect to and interact with the server. SMB can prove to be a valuable resource for an attacker — you never know what you might find.
Cover image by ColossusCloud/Pixabay
Comments
No Comments Exist
Be the first, drop a comment!