SMB (Server Message Block) is a client-server communication protocol used for
sharing access to files, printers, serial ports and other resources on a
network. Servers make file systems and other resources available to clients on
the network, and client computers may in turn want access to the shared file
systems and printers on those servers. SMB is a request-response protocol: the
client sends a request and the server answers it.
SMB Enumeration
I am working on a TryHackMe machine and trying to enumerate the SMB port. There
are SMB shares on the server that can be connected to and used to view or
transfer files. SMB can often be a great starting point for an attacker looking
to discover sensitive information; you'd be surprised what is sometimes
included on these shares.
1. Nmap scanning
Our first step is to perform an Nmap scan against the IP address to identify
the open ports, which gives us the most information about the services,
applications, structure and operating system of the target machine.
nmap -sV -sT -p- 10.10.231.45
-sV: version detection; reports details of the services listening on the open ports.
-sT: TCP connect scan; checks whether each TCP port is open or closed.
-p-: scan all ports; a shorter form of the -p 0-65535 option.
In the screenshot above we can see that two services are present on the
target IP address:
· Port 22 – SSH – OpenSSH 7.6p1
· Port 139 and Port 445 – SMB – smbd 3.x – 4.x
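As an added example (not part of the original writeup), the following Python script parses the port table of Nmap's normal output and summarises which SMB ports are open and what server banner was reported, the kind of inventory check a defender runs to decide whether a host should expose 139/445 at all. The scan output embedded below is constructed to mirror the scan described above; the host address and version strings are sample values, not real scan data.

```python
import re

# Constructed sample of `nmap -sV -sT -p-` normal output, modelled on the scan
# in the writeup (host and version strings are constructed, not a real result).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.231.45
Host is up (0.045s latency).
Not shown: 65532 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# One row of Nmap's port table: "<port>/<proto> <state> <service> [<version>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

SMB_PORTS = {139, 445}  # NetBIOS session service and SMB over TCP


def parse_nmap_ports(text):
    """Return one dict per port row found in Nmap normal output."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header, host banner or "Not shown" lines
        port, proto, state, service, version = m.groups()
        ports.append({"port": int(port), "proto": proto, "state": state,
                      "service": service, "version": (version or "").strip()})
    return ports


def smb_exposure(ports):
    """Summarise SMB exposure: open SMB ports and the banners seen on them.

    Hosts listed here should be reviewed for whether the share needs to be
    reachable from this network segment and whether the Samba build is patched.
    """
    open_smb = sorted(p["port"] for p in ports
                      if p["port"] in SMB_PORTS and p["state"] == "open")
    banners = {p["version"] for p in ports
               if p["port"] in open_smb and p["version"]}
    return {"open_smb_ports": open_smb, "banners": sorted(banners)}


if __name__ == "__main__":
    print(smb_exposure(parse_nmap_ports(SAMPLE_NMAP_OUTPUT)))
```

The same parser works on the saved output of `nmap -oN scan.txt ...`, so it can be run over a whole set of scan files to list every host that exposes SMB.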
2. Enum4Linux
Now let's use a tool called Enum4Linux. It is used to enumerate SMB shares on
both Windows and Linux systems. It is basically a wrapper around the tools in
the Samba package and makes it easy to quickly extract SMB-related information
from the target.
The syntax of Enum4Linux is nice and simple:
"enum4linux [options] ip"
TAG | FUNCTION
-U  | get userlist
-M  | get machine list
-N  | get namelist dump (different from -U and -M)
-S  | get sharelist
-P  | get password policy information
-G  | get group and member list
-a  | all of the above (full basic enumeration)
Below are the screenshots of the sensitive information revealed by the
enum4linux scan.
There are many different vulnerabilities that allow SMB remote code execution,
but we are trying a specific attack (CVE-2017-7494). The data we obtained from
our enumeration is as follows:
· The SMB server has share locations present.
· The SMB share contains user profile files.
3. SMB Client
We can remotely access an SMB share using the syntax:
“smbclient //IP/SHARE”
followed by the options:
-U [name] : specify the user
-p [port] : specify the port
Using smbclient we were able to log in to the share with a null username and
password. We can also use the username “Anonymous” to log in with smbclient;
the port used is 445.
By typing help inside smbclient we can see which commands are available.
After that we can list the files present on the share with the ls command. We
downloaded a few files and checked their contents (for example "Working from
Home Information.txt" and the files from the .ssh folder).
After going through the “id_rsa” file we obtained the username for the SSH
service, which told us that the key files needed for access were kept inside
the .ssh folder. So we downloaded the key and restricted its file permissions
with “chmod 600 id_rsa”.
We used the key file to access SSH, logged in to the SSH service successfully
and found the flag, which we read with the cat command.