How to Enumerate SMB with Enum4linux & Smbclient

Oct 8, 2019 11:28 PM

SMB (Server Message Block) is a protocol that allows resources on the same network to share files, browse the network, and print over the network. It was initially used on Windows, but Unix systems can use SMB through Samba. Today, we will be using a tool called Enum4linux to extract information from a target, as well as smbclient to connect to an SMB share and transfer files.

Enumeration is the process of gathering information about a target in order to find potential attack vectors and aid in exploitation. Doing it thoroughly matters, since firing exploits that don't apply to the target wastes time and can crash the very service you were hoping to compromise. Enumeration can turn up usernames, passwords, network information, hostnames, application data, services, or anything else of value to an attacker.

Typically, an SMB server exposes share drives that clients connect to in order to view or transfer files. SMB is often a great starting point for an attacker looking for sensitive information; you'd be surprised what sometimes ends up on these shares. In rarer cases, such as when a writable share is the same directory as the web server's document root, an attacker can upload a script through the share and run it through the web server, turning the misconfiguration into code execution.

In our example article here, we will be using Metasploitable 2 as the target and Kali Linux as the attacking machine, to simulate what happens in a real-world attack.

Step 1: Gather Information with Enum4linux

The first thing we need to do is determine whether SMB is present on the target. SMB listens on TCP 445 (SMB directly over TCP) and TCP 139 (SMB over the NetBIOS session service), so if either port is open it's a safe bet the service is running. Let's do a simple Nmap scan of the default top 1,000 TCP ports to see what's open:

~# nmap -Pn 10.10.0.50

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-23 08:44 CDT
Nmap scan report for 10.10.0.50
Host is up (0.0024s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown

It looks like SMB is open, so we're in business.

Enum4linux enumerates SMB on both Windows and Samba (Linux) hosts: users, groups, shares, password policy, and OS details. It is basically a wrapper around the tools in the Samba package (rpcclient, net, nmblookup, and smbclient) that makes it easy to pull all of that from a target quickly.

Enter enum4linux in the terminal by itself to view the help and usage information:

~# enum4linux

enum4linux v0.8.9 (http://labs.portcullis.co.uk/application/enum4linux/)
Copyright (C) 2011 Mark Lowe (mrl@portcullis-security.com)

Simple wrapper around the tools in the samba package to provide similar
functionality to enum.exe (formerly from www.bindview.com).  Some additional
features such as RID cycling have also been added for convenience.

Usage: ./enum4linux.pl [options] ip

Options are (like "enum"):
    -U        get userlist
    -M        get machine list*
    -S        get sharelist
    -P        get password policy information
    -G        get group and member list
    -d        be detailed, applies to -U and -S
    -u user   specify username to use (default "")
    -p pass   specify password to use (default "")

The following options from enum.exe aren't implemented: -L, -N, -D, -f

Additional options:
    -a        Do all simple enumeration (-U -S -G -P -r -o -n -i).
              This opion is enabled if you don't provide any other options.
    -h        Display this help message and exit
    -r        enumerate users via RID cycling
    -R range  RID ranges to enumerate (default: 500-550,1000-1050, implies -r)
    -K n      Keep searching RIDs until n consective RIDs don't correspond to
              a username.  Impies RID range ends at 999999. Useful
          against DCs.
    -l        Get some (limited) info via LDAP 389/TCP (for DCs only)
    -s file   brute force guessing for share names
    -k user   User(s) that exists on remote system (default: administrator,guest,krbtgt,domain admins,root,bin,none)
              Used to get sid with "lookupsid known_username"
              Use commas to try several users: "-k admin,user1,user2"
    -o        Get OS information
    -i        Get printer information
    -w wrkg   Specify workgroup manually (usually found automatically)
    -n        Do an nmblookup (similar to nbtstat)
    -v        Verbose.  Shows full commands being run (net, rpcclient, etc.)

RID cycling should extract a list of users from Windows (or Samba) hosts
which have RestrictAnonymous set to 1 (Windows NT and 2000), or "Network
access: Allow anonymous SID/Name translation" enabled (XP, 2003).

NB: Samba servers often seem to have RIDs in the range 3000-3050.

Dependancy info: You will need to have the samba package installed as this
script is basically just a wrapper around rpcclient, net, nmblookup and
smbclient.  Polenum from http://labs.portcullis.co.uk/application/polenum/
is required to get Password Policy info.

The dependency note at the bottom tells us the Samba client tools must be installed, since the script only drives rpcclient, net, nmblookup, and smbclient, and that polenum is needed for the -P password policy check. Kali ships all of these. On another Debian-based system, be aware that the samba package also installs the server; the client utilities on their own come from the smbclient and samba-common-bin packages. Installing samba works as well:

~# apt-get install samba

The most basic usage of Enum4linux takes an option and the IP address of the target. We can use the -U flag to view users on the target:

~# enum4linux -U 10.10.0.50

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 22 15:39:59 2019

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.0.50
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ==================================================
|    Enumerating Workgroup/Domain on 10.10.0.50    |
 ==================================================
[+] Got domain/workgroup name: WORKGROUP

 ===================================
|    Session Check on 10.10.0.50    |
 ===================================
[+] Server 10.10.0.50 allows sessions using username '', password ''

 =========================================
|    Getting domain SID for 10.10.0.50    |
 =========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ===========================
|    Users on 10.10.0.50    |
 ===========================
index: 0x1 RID: 0x3f2 acb: 0x00000011 Account: games    Name: games Desc: (null)
index: 0x2 RID: 0x1f5 acb: 0x00000011 Account: nobody   Name: nobody    Desc: (null)
index: 0x3 RID: 0x4ba acb: 0x00000011 Account: bind Name: (null)    Desc: (null)
index: 0x4 RID: 0x402 acb: 0x00000011 Account: proxy    Name: proxy Desc: (null)
index: 0x5 RID: 0x4b4 acb: 0x00000011 Account: syslog   Name: (null)    Desc: (null)
index: 0x6 RID: 0xbba acb: 0x00000010 Account: user Name: just a user,111,, Desc: (null)
index: 0x7 RID: 0x42a acb: 0x00000011 Account: www-data Name: www-data  Desc: (null)
index: 0x8 RID: 0x3e8 acb: 0x00000011 Account: root Name: root  Desc: (null)
index: 0x9 RID: 0x3fa acb: 0x00000011 Account: news Name: news  Desc: (null)
index: 0xa RID: 0x4c0 acb: 0x00000011 Account: postgres Name: PostgreSQL administrator,,,   Desc: (null)
index: 0xb RID: 0x3ec acb: 0x00000011 Account: bin  Name: bin   Desc: (null)
index: 0xc RID: 0x3f8 acb: 0x00000011 Account: mail Name: mail  Desc: (null)
index: 0xd RID: 0x4c6 acb: 0x00000011 Account: distccd  Name: (null)    Desc: (null)
index: 0xe RID: 0x4ca acb: 0x00000011 Account: proftpd  Name: (null)    Desc: (null)
index: 0xf RID: 0x4b2 acb: 0x00000011 Account: dhcp Name: (null)    Desc: (null)
index: 0x10 RID: 0x3ea acb: 0x00000011 Account: daemon  Name: daemon    Desc: (null)
index: 0x11 RID: 0x4b8 acb: 0x00000011 Account: sshd    Name: (null)    Desc: (null)
index: 0x12 RID: 0x3f4 acb: 0x00000011 Account: man Name: man   Desc: (null)
index: 0x13 RID: 0x3f6 acb: 0x00000011 Account: lp  Name: lp    Desc: (null)
index: 0x14 RID: 0x4c2 acb: 0x00000011 Account: mysql   Name: MySQL Server,,,   Desc: (null)
index: 0x15 RID: 0x43a acb: 0x00000011 Account: gnats   Name: Gnats Bug-Reporting System (admin)    Desc: (null)
index: 0x16 RID: 0x4b0 acb: 0x00000011 Account: libuuid Name: (null)    Desc: (null)
index: 0x17 RID: 0x42c acb: 0x00000011 Account: backup  Name: backup    Desc: (null)
index: 0x18 RID: 0xbb8 acb: 0x00000010 Account: msfadmin    Name: msfadmin,,,   Desc: (null)
index: 0x19 RID: 0x4c8 acb: 0x00000011 Account: telnetd Name: (null)    Desc: (null)
index: 0x1a RID: 0x3ee acb: 0x00000011 Account: sys Name: sys   Desc: (null)
index: 0x1b RID: 0x4b6 acb: 0x00000011 Account: klog    Name: (null)    Desc: (null)
index: 0x1c RID: 0x4bc acb: 0x00000011 Account: postfix Name: (null)    Desc: (null)
index: 0x1d RID: 0xbbc acb: 0x00000011 Account: service Name: ,,,   Desc: (null)
index: 0x1e RID: 0x434 acb: 0x00000011 Account: list    Name: Mailing List Manager  Desc: (null)
index: 0x1f RID: 0x436 acb: 0x00000011 Account: irc Name: ircd  Desc: (null)
index: 0x20 RID: 0x4be acb: 0x00000011 Account: ftp Name: (null)    Desc: (null)
index: 0x21 RID: 0x4c4 acb: 0x00000011 Account: tomcat55    Name: (null)    Desc: (null)
index: 0x22 RID: 0x3f0 acb: 0x00000011 Account: sync    Name: sync  Desc: (null)
index: 0x23 RID: 0x3fc acb: 0x00000011 Account: uucp    Name: uucp  Desc: (null)

user:[games] rid:[0x3f2]
user:[nobody] rid:[0x1f5]
user:[bind] rid:[0x4ba]
user:[proxy] rid:[0x402]
user:[syslog] rid:[0x4b4]
user:[user] rid:[0xbba]
user:[www-data] rid:[0x42a]
user:[root] rid:[0x3e8]
user:[news] rid:[0x3fa]
user:[postgres] rid:[0x4c0]
user:[bin] rid:[0x3ec]
user:[mail] rid:[0x3f8]
user:[distccd] rid:[0x4c6]
user:[proftpd] rid:[0x4ca]
user:[dhcp] rid:[0x4b2]
user:[daemon] rid:[0x3ea]
user:[sshd] rid:[0x4b8]
user:[man] rid:[0x3f4]
user:[lp] rid:[0x3f6]
user:[mysql] rid:[0x4c2]
user:[gnats] rid:[0x43a]
user:[libuuid] rid:[0x4b0]
user:[backup] rid:[0x42c]
user:[msfadmin] rid:[0xbb8]
user:[telnetd] rid:[0x4c8]
user:[sys] rid:[0x3ee]
user:[klog] rid:[0x4b6]
user:[postfix] rid:[0x4bc]
user:[service] rid:[0xbbc]
user:[list] rid:[0x434]
user:[irc] rid:[0x436]
user:[ftp] rid:[0x4be]
user:[tomcat55] rid:[0x4c4]
user:[sync] rid:[0x3f0]
user:[uucp] rid:[0x3fc]
enum4linux complete on Wed May 22 15:40:01 2019

This gives us the workgroup name, confirms that the server accepts a null session (blank username and password, which will come in handy later), and lists every account the server knows about. The first block comes from rpcclient's querydispinfo call and the second from enumdomusers. The acb column holds the account control bits: a value of 0x00000011 includes the disabled bit (0x0001), so the server does not consider those accounts usable for SMB logon, and only user and msfadmin (acb 0x00000010) are enabled. That alone narrows any later password guessing from 35 accounts to two.

The -S flag will give us information about the SMB shares on the machine:

~# enum4linux -S 10.10.0.50

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 22 15:41:26 2019

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.0.50
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ==================================================
|    Enumerating Workgroup/Domain on 10.10.0.50    |
 ==================================================
[+] Got domain/workgroup name: WORKGROUP

 ===================================
|    Session Check on 10.10.0.50    |
 ===================================
[+] Server 10.10.0.50 allows sessions using username '', password ''

 =========================================
|    Getting domain SID for 10.10.0.50    |
 =========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 =======================================
|    Share Enumeration on 10.10.0.50    |
 =======================================

    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    tmp             Disk      oh noes!
    opt             Disk
    IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
    ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
    WORKGROUP            METASPLOITABLE

[+] Attempting to map shares on 10.10.0.50
//10.10.0.50/print$ Mapping: DENIED, Listing: N/A
//10.10.0.50/tmp    Mapping: OK, Listing: OK
//10.10.0.50/opt    Mapping: DENIED, Listing: N/A
//10.10.0.50/IPC$   [E] Can't understand response:
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//10.10.0.50/ADMIN$ Mapping: DENIED, Listing: N/A
enum4linux complete on Wed May 22 15:41:27 2019

We can see there are a few shares present: default shares like print$, IPC$, and ADMIN$, plus custom shares named opt and tmp. The comment on tmp ("oh noes!") is just a hint from the VM's authors, but share comments on real servers frequently describe what the share holds, so read them.

The tool also tries to map each share over the null session and reports whether it succeeded. Only tmp could be both mapped and listed, so that is where smbclient goes first; the error on IPC$ is expected, since IPC$ carries named pipes rather than a directory tree. We can view the password policy on the target using the -P flag:

~# enum4linux -P 10.10.0.50

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 22 15:42:27 2019

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.0.50
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ==================================================
|    Enumerating Workgroup/Domain on 10.10.0.50    |
 ==================================================
[+] Got domain/workgroup name: WORKGROUP

 ===================================
|    Session Check on 10.10.0.50    |
 ===================================
[+] Server 10.10.0.50 allows sessions using username '', password ''

 =========================================
|    Getting domain SID for 10.10.0.50    |
 =========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ==================================================
|    Password Policy Information for 10.10.0.50    |
 ==================================================

[+] Attaching to 10.10.0.50 using a NULL share

[+] Trying protocol 445/SMB...

[+] Found domain(s):

    [+] METASPLOITABLE
    [+] Builtin

[+] Password Info for Domain: METASPLOITABLE

    [+] Minimum password length: 5
    [+] Password history length: None
    [+] Maximum password age: Not Set
    [+] Password Complexity Flags: 000000

        [+] Domain Refuse Password Change: 0
        [+] Domain Password Store Cleartext: 0
        [+] Domain Password Lockout Admins: 0
        [+] Domain Password No Clear Change: 0
        [+] Domain Password No Anon Change: 0
        [+] Domain Password Complex: 0

    [+] Minimum password age: None
    [+] Reset Account Lockout Counter: 30 minutes
    [+] Locked Account Duration: 30 minutes
    [+] Account Lockout Threshold: None
    [+] Forced Log off Time: Not Set

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 0

enum4linux complete on Wed May 22 15:42:30 2019

This gives us whatever password policy the server reports. Here, for the "METASPLOITABLE" domain, the minimum length is 5, there is no complexity requirement, no maximum age, and, most importantly for an attacker, the Account Lockout Threshold is None: accounts will not lock no matter how many guesses we make. That makes online brute-forcing safe to attempt against the enabled accounts found with -U. Note that the two readings disagree on minimum length (polenum says 5, rpcclient says 0), so don't trim a wordlist on a value the target itself reports inconsistently.

We can use the -o flag to get some operating system information:

~# enum4linux -o 10.10.0.50

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 22 15:43:40 2019

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.0.50
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ==================================================
|    Enumerating Workgroup/Domain on 10.10.0.50    |
 ==================================================
[+] Got domain/workgroup name: WORKGROUP

 ===================================
|    Session Check on 10.10.0.50    |
 ===================================
[+] Server 10.10.0.50 allows sessions using username '', password ''

 =========================================
|    Getting domain SID for 10.10.0.50    |
 =========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ====================================
|    OS information on 10.10.0.50    |
 ====================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.0.50 from smbclient:
[+] Got OS info for 10.10.0.50 from srvinfo:
    METASPLOITABLE Wk Sv PrQ Unx NT SNT metasploitable server (Samba 3.0.20-Debian)
    platform_id     :   500
    os version      :   4.9
    server type     :   0x9a03
enum4linux complete on Wed May 22 15:43:40 2019

Here we can see the Samba version (3.0.20) and that it is Debian's build. Both come from the server string the service announces about itself, which an administrator can change in smb.conf, so treat it as a lead to confirm (for example with Nmap's smb-os-discovery script) rather than as proof before committing to a version-specific exploit.

If the target is a domain controller, the -l flag will attempt to get some limited information about LDAP running on the server:

~# enum4linux -l 10.10.0.50

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 22 15:44:23 2019

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.0.50
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ==================================================
|    Enumerating Workgroup/Domain on 10.10.0.50    |
 ==================================================
[+] Got domain/workgroup name: WORKGROUP

 ===================================
|    Session Check on 10.10.0.50    |
 ===================================
[+] Server 10.10.0.50 allows sessions using username '', password ''

 ===================================================
|    Getting information via LDAP for 10.10.0.50    |
 ===================================================
[E] Connection error

 =========================================
|    Getting domain SID for 10.10.0.50    |
 =========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
enum4linux complete on Wed May 22 15:44:24 2019

In this case, our target is not a DC and nothing is listening on 389 (it did not appear in the Nmap scan), so the LDAP step fails with a connection error and returns nothing.

Printers shared on a network are an easy attack vector to overlook. We can use the -i flag to list any printer shares:

~# enum4linux -i 10.10.0.50

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 22 15:45:20 2019

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.0.50
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ==================================================
|    Enumerating Workgroup/Domain on 10.10.0.50    |
 ==================================================
[+] Got domain/workgroup name: WORKGROUP

 ===================================
|    Session Check on 10.10.0.50    |
 ===================================
[+] Server 10.10.0.50 allows sessions using username '', password ''

 =========================================
|    Getting domain SID for 10.10.0.50    |
 =========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ===========================================
|    Getting printer info for 10.10.0.50    |
 ===========================================
No printers returned.

enum4linux complete on Wed May 22 15:45:20 2019

There are no printers attached to our target, so again, nothing is returned.

We can also perform an nmblookup to read the target's NetBIOS name table. Use the -n flag to do so; it sends a NetBIOS name status query (UDP 137) and decodes the suffixes, so <00> gives the machine name, <20> confirms the file server service is registered, and <1d> tells us this host is the master browser for WORKGROUP:

~# enum4linux -n 10.10.0.50

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 22 15:45:41 2019

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.0.50
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ==================================================
|    Enumerating Workgroup/Domain on 10.10.0.50    |
 ==================================================
[+] Got domain/workgroup name: WORKGROUP

 ==========================================
|    Nbtstat Information for 10.10.0.50    |
 ==========================================
Looking up status of 10.10.0.50
    METASPLOITABLE  <00> -         B <ACTIVE>  Workstation Service
    METASPLOITABLE  <03> -         B <ACTIVE>  Messenger Service
    METASPLOITABLE  <20> -         B <ACTIVE>  File Server Service
    ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
    WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
    WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
    WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

    MAC Address = 00-00-00-00-00-00

 ===================================
|    Session Check on 10.10.0.50    |
 ===================================
[+] Server 10.10.0.50 allows sessions using username '', password ''

 =========================================
|    Getting domain SID for 10.10.0.50    |
 =========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
enum4linux complete on Wed May 22 15:45:41 2019

Perhaps the most useful option for this tool is running all of these checks at once, which is also what it does when given no options at all. That way we can quickly get all the SMB information we need in one scan, and it's worth redirecting the output to a file so it can be searched later. Use the -a flag to run all simple enumeration:

~# enum4linux -a 10.10.0.50

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 22 15:46:25 2019

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.0.50
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ==================================================
|    Enumerating Workgroup/Domain on 10.10.0.50    |
 ==================================================
[+] Got domain/workgroup name: WORKGROUP

 ==========================================
|    Nbtstat Information for 10.10.0.50    |
 ==========================================
Looking up status of 10.10.0.50
    METASPLOITABLE  <00> -         B <ACTIVE>  Workstation Service
    METASPLOITABLE  <03> -         B <ACTIVE>  Messenger Service
    METASPLOITABLE  <20> -         B <ACTIVE>  File Server Service
    ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
    WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
    WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
    WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

    MAC Address = 00-00-00-00-00-00

 ===================================
|    Session Check on 10.10.0.50    |
 ===================================
[+] Server 10.10.0.50 allows sessions using username '', password ''

...

 ============================
|    Groups on 10.10.0.50    |
 ============================

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 =====================================================================
|    Users on 10.10.0.50 via RID cycling (RIDS: 500-550,1000-1050)    |
 =====================================================================
[I] Found new SID: S-1-5-21-1042354039-2475377354-766472396
[+] Enumerating users using SID S-1-5-21-1042354039-2475377354-766472396 and logon username '', password ''
S-1-5-21-1042354039-2475377354-766472396-500 METASPLOITABLE\Administrator (Local User)
S-1-5-21-1042354039-2475377354-766472396-501 METASPLOITABLE\nobody (Local User)
S-1-5-21-1042354039-2475377354-766472396-502 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-503 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-504 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-505 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-506 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-507 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-508 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-509 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-510 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-511 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-512 METASPLOITABLE\Domain Admins (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-513 METASPLOITABLE\Domain Users (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-514 METASPLOITABLE\Domain Guests (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-515 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-516 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-517 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-518 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-519 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-520 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-521 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-522 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-523 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-524 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-525 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-526 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-527 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-528 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-529 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-530 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-531 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-532 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-533 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-534 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-535 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-536 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-537 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-538 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-539 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-540 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-541 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-542 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-543 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-544 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-545 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-546 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-547 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-548 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-549 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-550 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1000 METASPLOITABLE\root (Local User)
S-1-5-21-1042354039-2475377354-766472396-1001 METASPLOITABLE\root (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1002 METASPLOITABLE\daemon (Local User)
S-1-5-21-1042354039-2475377354-766472396-1003 METASPLOITABLE\daemon (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1004 METASPLOITABLE\bin (Local User)
S-1-5-21-1042354039-2475377354-766472396-1005 METASPLOITABLE\bin (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1006 METASPLOITABLE\sys (Local User)
S-1-5-21-1042354039-2475377354-766472396-1007 METASPLOITABLE\sys (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1008 METASPLOITABLE\sync (Local User)
S-1-5-21-1042354039-2475377354-766472396-1009 METASPLOITABLE\adm (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1010 METASPLOITABLE\games (Local User)
S-1-5-21-1042354039-2475377354-766472396-1011 METASPLOITABLE\tty (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1012 METASPLOITABLE\man (Local User)
S-1-5-21-1042354039-2475377354-766472396-1013 METASPLOITABLE\disk (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1014 METASPLOITABLE\lp (Local User)
S-1-5-21-1042354039-2475377354-766472396-1015 METASPLOITABLE\lp (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1016 METASPLOITABLE\mail (Local User)
S-1-5-21-1042354039-2475377354-766472396-1017 METASPLOITABLE\mail (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1018 METASPLOITABLE\news (Local User)
S-1-5-21-1042354039-2475377354-766472396-1019 METASPLOITABLE\news (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1020 METASPLOITABLE\uucp (Local User)
S-1-5-21-1042354039-2475377354-766472396-1021 METASPLOITABLE\uucp (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1022 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1023 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1024 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1025 METASPLOITABLE\man (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1026 METASPLOITABLE\proxy (Local User)
S-1-5-21-1042354039-2475377354-766472396-1027 METASPLOITABLE\proxy (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1028 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1029 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1030 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1031 METASPLOITABLE\kmem (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1032 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1033 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1034 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1035 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1036 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1037 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1038 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1039 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1040 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1041 METASPLOITABLE\dialout (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1042 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1043 METASPLOITABLE\fax (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1044 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1045 METASPLOITABLE\voice (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1046 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1047 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1048 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1049 METASPLOITABLE\cdrom (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1050 *unknown*\*unknown* (8)

 ===========================================
|    Getting printer info for 10.10.0.50    |
 ===========================================
No printers returned.

enum4linux complete on Wed May 22 15:46:41 2019

This is usually the quickest way to enumerate SMB on a target, and since the results are all together in one place, they can easily be saved for later use.

Step 2: Use Smbclient to List Shares & Transfer Files

Now that we've used Enum4linux to gather some information about the target, we can use one of the underlying tools to actually interact with SMB on the system.

Smbclient is a tool used to access SMB resources on a server, much like an FTP client is used to access files. It offers a simple command-line interface that is trivial to use if you're at all familiar with FTP.

We can view the help and usage options with the following command:

~# smbclient --help

Usage: smbclient service <password>
  -R, --name-resolve=NAME-RESOLVE-ORDER     Use these name resolution services only
  -M, --message=HOST                        Send message
  -I, --ip-address=IP                       Use this IP to connect to
  -E, --stderr                              Write messages to stderr instead of stdout
  -L, --list=HOST                           Get a list of shares available on a host
  -m, --max-protocol=LEVEL                  Set the max protocol level
  -T, --tar=<c|x>IXFqgbNan                  Command line tar
  -D, --directory=DIR                       Start from directory
  -c, --command=STRING                      Execute semicolon separated commands
  -b, --send-buffer=BYTES                   Changes the transmit/send buffer
  -t, --timeout=SECONDS                     Changes the per-operation timeout
  -p, --port=PORT                           Port to connect to
  -g, --grepable                            Produce grepable output
  -q, --quiet                               Suppress help message
  -B, --browse                              Browse SMB servers using DNS

Help options:
  -?, --help                                Show this help message
      --usage                               Display brief usage message

Common samba options:
  -d, --debuglevel=DEBUGLEVEL               Set debug level
  -s, --configfile=CONFIGFILE               Use alternate configuration file
  -l, --log-basename=LOGFILEBASE            Base name for log files
  -V, --version                             Print version
      --option=name=value                   Set smb.conf option from command line

Connection options:
  -O, --socket-options=SOCKETOPTIONS        socket options to use
  -n, --netbiosname=NETBIOSNAME             Primary netbios name
  -W, --workgroup=WORKGROUP                 Set the workgroup name
  -i, --scope=SCOPE                         Use this Netbios scope

Authentication options:
  -U, --user=USERNAME                       Set the network username
  -N, --no-pass                             Don't ask for a password
  -k, --kerberos                            Use kerberos (active directory) authentication
  -A, --authentication-file=FILE            Get the credentials from a file
  -S, --signing=on|off|required             Set the client signing state
  -P, --machine-pass                        Use stored machine account password
  -e, --encrypt                             Encrypt SMB transport
  -C, --use-ccache                          Use the winbind ccache for authentication
      --pw-nt-hash                          The supplied password is the NT hash

There are a lot of different options for connection and authentication, but today we will keep it simple. We can get a list of shares on the target, much like we did earlier with Enum4linux, by using the -L flag followed by the IP address of the server:

~# smbclient -L //10.10.0.50/

Enter WORKGROUP\root's password:
Anonymous login successful

    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    tmp             Disk      oh noes!
    opt             Disk
    IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
    ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
    WORKGROUP            METASPLOITABLE

smbclient takes the target in UNC form (//host/ or //host/share), which is why we need the slashes around the address. It will prompt for the password of the current local user (root here), but if the server isn't configured properly, we can log in anonymously by simply hitting Enter at the prompt.

We saw earlier that null sessions are allowed, which means that we can log in with a blank username and password as well. Use the -U flag to specify the username (in this case a blank string) and the -N flag to specify no password:

~# smbclient -L //10.10.0.50/ -U '' -N

    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    tmp             Disk      oh noes!
    opt             Disk
    IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
    ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
    WORKGROUP            METASPLOITABLE

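The two listings above are easy to read by eye, but when auditing more than one host it helps to parse them and flag which disk shares a null session can see at all. The following is an added example, not code from the original article or from the Samba project: SAMPLE is constructed from the listing shown above for 10.10.0.50, and the parser also accepts the grepable type|name|comment rows produced by the -g flag from the help text, which goes slightly beyond the human-readable listing in the walkthrough.

```python
"""Parse smbclient -L share listings and flag shares a null session can see.

Added example, not code from the original article. SAMPLE is constructed from
the listing shown above for 10.10.0.50; the grepable form produced by the -g
flag (type|name|comment, one share per line) is also accepted.
"""
import re

# Human-readable table row:  <Sharename>  <Type>  <Comment>
SHARE_RE = re.compile(
    r"^\s+(?P<name>\S+)\s+(?P<type>Disk|Printer|IPC|Device)\s*(?P<comment>.*?)\s*$"
)
# Grepable row (smbclient -g):  Disk|tmp|oh noes!
GREPABLE_RE = re.compile(
    r"^(?P<type>Disk|Printer|IPC|Device)\|(?P<name>[^|]+)\|(?P<comment>.*)$"
)

# Constructed from the walkthrough's null-session listing of 10.10.0.50.
SAMPLE = """\
Anonymous login successful

    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    tmp             Disk      oh noes!
    opt             Disk
    IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
    ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

    Workgroup            Master
    ---------            -------
    WORKGROUP            METASPLOITABLE
"""


def null_session_command(host):
    """argv to list shares with a blank user and no password; -g gives grepable rows."""
    return ["smbclient", "-L", f"//{host}/", "-U", "", "-N", "-g"]


def parse_share_listing(text):
    """Return {'anonymous': bool, 'shares': [{'name', 'type', 'comment'}, ...]}."""
    result = {"anonymous": False, "shares": []}
    for line in text.splitlines():
        if line.strip() == "Anonymous login successful":
            result["anonymous"] = True
            continue
        m = SHARE_RE.match(line) or GREPABLE_RE.match(line)
        if m:  # header, dashes, server and workgroup rows do not match either form
            result["shares"].append(
                {"name": m["name"], "type": m["type"], "comment": m["comment"]}
            )
    return result


def anonymously_listable_disk_shares(text):
    """Disk shares visible to a null session. IPC$ and ADMIN$ are type IPC,
    the normal administrative endpoints, so they are left out of the finding."""
    parsed = parse_share_listing(text)
    if not parsed["anonymous"]:
        return []
    return [s["name"] for s in parsed["shares"] if s["type"] == "Disk"]


if __name__ == "__main__":
    for name in anonymously_listable_disk_shares(SAMPLE):
        print(f"null session can list disk share: {name}")
```

Feed it the output of the command returned by null_session_command (captured with subprocess, for instance) for each host in scope; a non-empty result means the server hands out its disk share names without credentials, which is the misconfiguration the walkthrough relies on and the one a defender wants to see on a report.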
Having listed the shares without supplying any credentials, we can connect to a share by specifying the host IP address followed by the name of the share. There's an interesting comment on the tmp share, and we were able to successfully map it earlier, so let's connect to that:

~# smbclient //10.10.0.50/tmp

Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> help
?              allinfo        altname        archive        backup
blocksize      cancel         case_sensitive cd             chmod
chown          close          del            deltree        dir
du             echo           exit           get            getfacl
geteas         hardlink       help           history        iosize
lcd            link           lock           lowercase      ls
l              mask           md             mget           mkdir
more           mput           newer          notify         open
posix          posix_encrypt  posix_open     posix_mkdir    posix_rmdir
posix_unlink   posix_whoami   print          prompt         put
pwd            q              queue          quit           readlink
rd             recurse        reget          rename         reput
rm             rmdir          showacls       setea          setmode
scopy          stat           symlink        tar            tarmode
timeout        translate      unlock         volume         vuid
wdel           logon          listconnect    showconnect    tcon
tdis           tid            utimes         logoff         ..
!
smb: \> pwd
Current directory is \\10.10.0.50\tmp\
smb: \>

We can either log in with a blank password for root or with a blank username and password like we did before. Once we are connected, we can type help to get a list of available commands.

Use the dir command to list the contents of the current directory:

smb: \> dir

  .                                   D        0  Wed Aug  8 10:12:28 2018
  ..                                 DR        0  Tue Jan 15 09:17:21 2019
  example.txt                         A        5  Wed Aug  8 10:12:28 2018
  .ICE-unix                          DH        0  Wed Aug  8 08:57:04 2018
  .X11-unix                          DH        0  Wed Aug  8 08:57:50 2018
  .X0-lock                           HR       11  Wed Aug  8 08:57:50 2018
  4596.jsvc_up                        R        0  Wed Aug  8 08:58:43 2018

        7282168 blocks of size 1024. 5331432 blocks available

Let's say there is a juicy-looking file on the server. We can download it to our local machine using the get command:

smb: \> get example.txt

getting file \example.txt of size 5 as example.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)

The reverse is true as well. If we had a malicious file we wanted to upload to the server, we could do that with the put command:

smb: \> put evil_file

putting file evil_file as \evil_file (0.4 kb/s) (average 0.4 kb/s)

smb: \> dir

  .                                   D        0  Wed Aug  8 10:14:23 2018
  ..                                 DR        0  Tue Jan 15 09:17:21 2019
  example.txt                         A        5  Wed Aug  8 10:12:28 2018
  .ICE-unix                          DH        0  Wed Aug  8 08:57:04 2018
  .X11-unix                          DH        0  Wed Aug  8 08:57:50 2018
  evil_file                           A        5  Wed Aug  8 10:14:23 2018
  .X0-lock                           HR       11  Wed Aug  8 08:57:50 2018
  4596.jsvc_up                        R        0  Wed Aug  8 08:58:43 2018

        7282168 blocks of size 1024. 5331428 blocks available

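The two dir listings above differ in one new file and one changed timestamp, which is exactly what an administrator reviewing a world-writable share wants to catch. The following is an added example, not code from the original article or the Samba project: it parses the dir format, decodes the attribute letters, lists hidden entries, and diffs two snapshots. BEFORE and AFTER are constructed from the listings of \\10.10.0.50\tmp shown above, taken before and after the put.

```python
"""Parse smbclient 'dir' listings, decode attribute flags, and diff snapshots.

Added example, not code from the original article. BEFORE and AFTER are
constructed from the two 'dir' listings of \\10.10.0.50\tmp shown above,
taken before and after a file was uploaded with 'put'.
"""
import re
from datetime import datetime

ATTR_MEANING = {
    "A": "archive", "D": "directory", "H": "hidden",
    "R": "read-only", "S": "system", "N": "normal",
}

# One entry per line:  <name>  <attrs>  <size>  <mtime>
ENTRY_RE = re.compile(
    r"^\s+(?P<name>.+?)\s+(?P<attrs>[ADHRSN]*)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s*$"
)

BEFORE = """\
  .                                   D        0  Wed Aug  8 10:12:28 2018
  ..                                 DR        0  Tue Jan 15 09:17:21 2019
  example.txt                         A        5  Wed Aug  8 10:12:28 2018
  .ICE-unix                          DH        0  Wed Aug  8 08:57:04 2018
  .X11-unix                          DH        0  Wed Aug  8 08:57:50 2018
  .X0-lock                           HR       11  Wed Aug  8 08:57:50 2018
  4596.jsvc_up                        R        0  Wed Aug  8 08:58:43 2018

        7282168 blocks of size 1024. 5331432 blocks available
"""

AFTER = """\
  .                                   D        0  Wed Aug  8 10:14:23 2018
  ..                                 DR        0  Tue Jan 15 09:17:21 2019
  example.txt                         A        5  Wed Aug  8 10:12:28 2018
  .ICE-unix                          DH        0  Wed Aug  8 08:57:04 2018
  .X11-unix                          DH        0  Wed Aug  8 08:57:50 2018
  evil_file                           A        5  Wed Aug  8 10:14:23 2018
  .X0-lock                           HR       11  Wed Aug  8 08:57:50 2018
  4596.jsvc_up                        R        0  Wed Aug  8 08:58:43 2018

        7282168 blocks of size 1024. 5331428 blocks available
"""


def parse_dir_listing(text):
    """Return {name: {'attrs': set of meanings, 'size': int, 'mtime': datetime}}."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # blank lines, the 'blocks of size' footer, prompts
        entries[m["name"]] = {
            "attrs": {ATTR_MEANING[c] for c in m["attrs"]},
            "size": int(m["size"]),
            # smbclient pads single-digit days with a space; %d accepts that
            "mtime": datetime.strptime(m["mtime"], "%a %b %d %H:%M:%S %Y"),
        }
    return entries


def hidden_entries(text):
    """Names carrying the H (hidden) attribute; dir shows them regardless."""
    return sorted(
        n for n, e in parse_dir_listing(text).items() if "hidden" in e["attrs"]
    )


def diff_listings(before, after):
    """Entries added, removed, or changed (size or mtime) between two snapshots."""
    b, a = parse_dir_listing(before), parse_dir_listing(after)
    changed = sorted(
        n for n in a.keys() & b.keys()
        if (a[n]["size"], a[n]["mtime"]) != (b[n]["size"], b[n]["mtime"])
    )
    return {
        "added": sorted(a.keys() - b.keys()),
        "removed": sorted(b.keys() - a.keys()),
        "changed": changed,
    }


if __name__ == "__main__":
    print("hidden:", hidden_entries(BEFORE))
    print("diff:", diff_listings(BEFORE, AFTER))
```

Run periodically against a saved baseline (for example the output of smbclient -c 'dir' with a null session, captured from the server's own perspective), the diff surfaces unexpected writes such as the evil_file upload above, and the changed "." entry shows the directory itself was modified even when the new name is not obvious.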
SMB shares can sometimes be a treasure trove of information or even a direct avenue of attack depending on how they are configured.

Wrapping Up

Today, we learned about SMB and how it can be utilized by an attacker to gather valuable information about a target. We used Enum4linux to enumerate shares and smbclient to connect to and interact with the server. SMB can prove to be a valuable resource for an attacker — you never know what you might find.

Cover image by ColossusCloud/Pixabay
