Hacking Network Services: LAB1: SMB.
SMB: server message block protocol
A client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network.
Servers make file systems and other resources (printers, named pipes, APIs) available to clients on the network. Client computers may have their own hard disks, but they also want access to the shared file systems and printers on the servers.
The SMB protocol is known as a response-request protocol, meaning that it transmits multiple messages between the client and server to establish a connection.
Clients connect to servers using TCP/IP (actually, NetBIOS over TCP/IP as specified in RFC1001 and RFC1002), NetBEUI or IPX/SPX.
[ NetBEUI: NetBEUI stands for NetBIOS Extended User Interface. It is a networking protocol developed by IBM and Microsoft in 1985 that is used for workgroup-size local area networks (LANs) with up to 200 stations. NetBEUI is an extension of the NetBIOS protocol and was the primary protocol for LAN Manager and Windows for Workgroups.
IPX/SPX: IPX/SPX stands for Internetwork Packet Exchange/Sequenced Packet Exchange. It is a set of network protocols that provide packet switching and sequencing for small and large networks, used initially on networks running the Novell NetWare operating systems.
IPX and SPX are derived from Xerox Network Systems' IDP and SPP protocols, respectively.
IPX is a network layer protocol (layer 3 of the OSI model), while SPX is a transport layer protocol (layer 4 of the OSI model).
The SPX layer sits on top of the IPX layer and provides connection-oriented services between two nodes on the network. ]
Once they have established a connection, clients can then send commands (SMBs) to the server that allow them to access shares, open files, read and write files, and generally do all the sort of things that you want to do with a file system. However, in the case of SMB, these things are done over the network.
What runs SMB?
Microsoft Windows operating systems since Windows 95 have included client and server SMB protocol support. Samba, an open source server that supports the SMB protocol, was released for Unix systems.
-----------------------------------------------------------------------------------------------------------------------------
Enumerating SMB: Enumeration is the process of gathering information on a target in order to find potential attack vectors and aid in exploitation.
This process is essential for an attack to be successful, since spending time on exploits that either don't work or crash the system is wasted effort. Enumeration can be used to gather usernames, passwords, network information, hostnames, application data, services, or any other information that may be valuable to an attacker.
SMB
Typically, there are SMB share drives on a server that can be connected to and used to view or transfer files. SMB can often be a great starting point for an attacker looking to discover sensitive information — you'd be surprised what is sometimes included on these shares.
Enum4Linux:
----------------------
Enum4linux is a tool used to enumerate SMB shares on both Windows and Linux systems. It is basically a wrapper around the tools in the Samba package and makes it easy to quickly extract information from the target pertaining to SMB. It's installed by default on Parrot and Kali; however, if you need to install it, you can do so from the official
The syntax of Enum4Linux is nice and simple: "enum4linux [options] ip"
TAG   FUNCTION
-U    get userlist
-M    get machine list
-N    get namelist dump (different from -U and -M)
-S    get sharelist
-P    get password policy information
-G    get group and member list
-a    all of the above (full basic enumeration)
Commands:
sudo nmap -vv -A <target ip>
enum4linux -a <target ip>
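When enum4linux -S is run, the share list and the "Attempting to map shares" lines tell you which shares answer to a connection with no credentials at all. The parser below is an added example (not part of the original post or of the enum4linux project) that reads that output and reports the shares a guest can list, which is exactly what a hardening review of an SMB server wants to spot; the sample output it parses is constructed, not captured from the lab machine.

```python
import re
from dataclasses import dataclass

# Constructed sample of enum4linux -S output (not captured from a real host).
SAMPLE = """\
 =========================================
|    Share Enumeration on 10.10.10.2    |
 =========================================

\tSharename       Type      Comment
\t---------       ----      -------
\tprint$          Disk      Printer Drivers
\tprofiles        Disk
\tIPC$            IPC       IPC Service (polosmb server (Samba, Ubuntu))

[+] Attempting to map shares on 10.10.10.2
//10.10.10.2/print$\tMapping: DENIED, Listing: N/A
//10.10.10.2/profiles\tMapping: OK, Listing: OK
//10.10.10.2/IPC$\t[E] Can't understand response:
"""

# Rows of the "Sharename  Type  Comment" table (tab-indented by enum4linux).
SHARE_ROW = re.compile(r"^\t(\S+)\s+(Disk|IPC|Printer)\s*(.*)$")
# Result lines of the anonymous mapping attempt per share.
MAP_LINE = re.compile(
    r"^//(?P<host>[^/]+)/(?P<share>\S+)\tMapping: (?P<map>\w+), Listing: (?P<list>\S+)"
)


@dataclass
class Share:
    name: str
    kind: str
    comment: str
    mapping: str = "UNKNOWN"   # stays UNKNOWN when enum4linux printed an error
    listing: str = "UNKNOWN"


def parse_enum4linux_shares(text: str) -> dict:
    """Return {share name: Share} merged from the table and the mapping lines."""
    shares = {}
    for line in text.splitlines():
        row = SHARE_ROW.match(line)
        if row:
            name, kind, comment = row.groups()
            shares[name] = Share(name, kind, comment.strip())
            continue
        mapped = MAP_LINE.match(line)
        if mapped:
            share = shares.setdefault(mapped["share"], Share(mapped["share"], "?", ""))
            share.mapping, share.listing = mapped["map"], mapped["list"]
    return shares


def anonymous_readable(shares: dict) -> list:
    """Shares whose contents could be listed without credentials (review these first)."""
    return sorted(s.name for s in shares.values() if s.listing == "OK")
```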
---------------------------------------------------------------------------------------------------------
Exploiting SMB: CVE-2017-7494 can allow remote code execution through SMB.
Method Breakdown
So, from our enumeration stage, we know:
- The SMB share location
- The name of an interesting SMB share
SMBClient:
Because we're trying to access an SMB share, we need a client to access resources on servers. We will be using SMBClient because it's part of the default samba suite. While it is available by default on Kali and Parrot, if you do need to install it, you can find the documentation here: https://www.samba.org/samba/docs/current/man-html/smbclient.1.html
We can remotely access the SMB share using the syntax:
smbclient //[IP]/[SHARE]
Followed by the tags:
-U [name] : to specify the user
-p [port] : to specify the port
What would be the correct syntax to access an SMB share called "secret" as user "suit" on a machine with the IP 10.10.10.2 on the default port?
syntax answer: smbclient //10.10.10.2/secret -U suit -p 445
smbclient built-in command (from the Samba suite): more "<filename>" to view a file on the share.
New shell commands used: export, tee.
To connect to an SSH server with the id_rsa key:
syntax: ssh -i id_rsa username@ip
Also check id_rsa.pub for information.
-----------------------------------------------------------------------------------------------------------------------------
Question 1: What does SMB stand for?
Answer: Server Message Block
Question 2: What type of protocol is SMB?
Answer: response-request
Question 3: What do clients connect to servers using?
Answer: TCP/IP
Question 4: What systems does Samba run on?
Answer: Unix
Question 5: Conduct an nmap scan of your choosing. How many ports are open?
Answer: 3
Question 6: What ports is SMB running on?
Answer: 139/445
Question 7: What is the workgroup name?
Answer: WORKGROUP
Question 8: What comes up as the name of the machine?
Answer: POLOSMB
Question 9: What Operating System Version is running?
Answer: 6.1
Question 10: What share sticks out as something we might want to investigate?
Answer: profiles
Question 11: Who can we assume this profile folder belongs to?
Answer: John Cactus
Question 12: What service has been configured to allow him to work from home?
Answer: ssh
Question 13: What directory on the share should we look in?
Answer: .ssh
Question 14: Which of these keys is most useful to us?
Answer: id_rsa
Question 15: What is the smb.txt flag?
Answer: [solve the LAB]
-----------------------------------------------------------------------------------------------------------------------------
Thanks for reading!
Roger - Ozz961.