Hacking Network Services: LAB1: SMB.

-

SMB: server message block protocol 

A client-server communication protocol used for sharing access to files. printers serial port and other resources on a network.

Server make file systems and other resource (printers, named pipes, APIs) available to clients on the network. Client computers may have their own hard disks, but they also want access to the shared file systems and printers on the servers

The SMB protocol is known as a response-request protocol, meaning that it transmits multiple messages between the client and server to establish a connection. 

Clients connect to servers using TCP/IP (Actually, NetBOIS over TCP/IP as specified in RFC1001 and RFC1002), NetBEUI or IPX/SPX

[ NetBEUI: NetBEUI stands for NetBIOS Extended User Interface, is a networking protocol developed by IBM and Microsoft in 1985 that is used for workgroup-size local area networks (LANs) with up to 200 stations. NetBEUI is an extension of the NetBIOS protocol. NetBIOS Extended User Interface was the primary protocol for LAN Manager and Windows for Workgroups.

IPX/SPX: IPX/SPX stands for Internetwork Packet Exchange/Sequenced Packet Exchange is a set of network protocols that provide packet switching and sequencing for small and large networks, used initially on networks using the Novell NetWare operating systems.

IPX and SPX are derived from Xerox Network Systems' IDP and SPP protocols, respectively.

IPX is a network layer protocol (layer 3 of the OSI Model), while SPX is a transport layer protocol (layer 4 of the OSI Model).

The SPX layer sits on top of the IPX layer and provides connection-oriented services between two nodes on the network.   ]

Once they have established a connection, clients can then send commands (SMBs) to the server that allow them to access shares, open files, read and write files, and generally do all the sort of things that you want to do with a file system. However, in the case of SMB, these things are done over the network.

What runs SMB?

Microsoft Windows operating systems since Windows 95 have included client and server SMB protocol support. Samba, an open source server that supports the SMB protocol, was released for Unix systems.

The client-server communication protocol, the SMB protocol is known as a response-request protocol.

-----------------------------------------------------------------------------------------------------------------------------

Enumerating SMB: Enumeration is the process of gathering information on a target in order to find potential attack vectors and aid in exploitation.

This process is essential for an attack to be successful, as wasting time with exploits that either don't work or can crash the system can be a waste of energy. Enumeration can be used to gather usernames, passwords, network information, hostnames, application data, services, or any other information that may be valuable to an attacker.

SMB

Typically, there are SMB share drives on a server that can be connected to and used to view or transfer files. SMB can often be a great starting point for an attacker looking to discover sensitive information — you'd be surprised what is sometimes included on these shares.

Enum4Linux:
----------------------

Enum4linux is a tool used to enumerate SMB shares on both Windows and Linux systems. It is basically a wrapper around the tools in the Samba package and makes it easy to quickly extract information from the target pertaining to SMB. It's installed by default on Parrot and Kali, however if you need to install it, you can do so from the official 

The syntax of Enum4Linux is nice and simple: "enum4linux [options] ip"


TAG            FUNCTION


-U             get userlist

-M             get machine list

-N             get namelist dump (different from -U and-M)

-S             get sharelist

-P             get password policy information

-G             get group and member list

-a             all of the above (full basic enumeration)

commands: 

sudo nmap -vv -A <target ip>

enum4linux -a <target ip>

--------------------------------------------------------------------------------------------------------- 

Exploiting SMB  CVE-2017-7494 can allow remote code execution by exploiting SMB

Method Breakdown

So, from our enumeration stage, we know:

    - The SMB share location

    - The name of an interesting SMB share

SMBClient:

Because we're trying to access an SMB share, we need a client to access resources on servers. We will be using SMBClient because it's part of the default samba suite. While it is available by default on Kali and Parrot, if you do need to install it, you can find the documentation here: https://www.samba.org/samba/docs/current/man-html/smbclient.1.html

We can remotely access the SMB share using the syntax:

smbclient //[IP]/[SHARE]

Followed by the tags:

-U [name] : to specify the user

-p [port] : to specify the port

What would be the correct syntax to access an SMB share called "secret" as user "suit" on a machine with the IP 10.10.10.2 on the default port?

syntax answer: smbclient //10.10.10.2/secret -U suit -p 445

smb unix command(samba): more " "

new commands: export,tee

to connect to an ssh server with id_rsa key

syntax: ssh -i id_rsa username@ip

also check id_rsa.pub for info

-----------------------------------------------------------------------------------------------------------------------------

Question 1: What does SMB stand for?
Answer: Server Message Block

Question 2: What type of protocol is SMB?
Answer: response-request

Question 3: What do clients connect to servers using?
Answer: TCP/IP

Question 4: What systems does Samba run on?
Answer:  Unix

Question 5: Conduct an nmap scan of your choosing, How many ports are open?
Answer: 3

Question 6: What ports is SMB running on?
Answer: 139/445

Question 7: What is the workgroup name?
Answer: WORKGROUP

Question 8: What comes up as the name of the machine?
Answer: POLOSMB

Question 9: What Operating System Version is running? 
Answer: 6.1

Question 10: What share sticks out as something we might want to investigate?
Answer: profiles

Question 11: Who can we assume this profile folder belongs to?
Answer: John Cactus

Question 12: What service has been configured to allow him to work from home?
Answer: ssh

Question 13: what directory on the share should we look in?
Answer: .ssh

Question 14: Which of these keys is most useful to us?
Answer: id_rsa

Question 15: What is the smb.txt flag?
Answer: [solve the LAB]

-----------------------------------------------------------------------------------------------------------------------------

Thanks for reading! -  

Roger - Ozz961.

Comments

Post a Comment

Popular posts from this blog

Common Network Commands: IP R

-
IP R Command Overview The `ip r` command is part of the `iproute2` package in Linux systems. It is used for displaying and manipulating the routing table, which determines how network packets are directed to their destinations. This command is vital for network configuration, management, and troubleshooting. Origin and Development The `iproute2` package was created to replace the older `net-tools` package, which included commands like `ifconfig` and `route`. The `ip` command provides a more unified interface for network management, supporting advanced features and modern networking protocols. It offers better capabilities for managing complex networking scenarios, making it a crucial tool for system and network administrators. Basic Functionality The `ip r` command serves several functions: - Displays current routing table entries. - Shows destination networks, gateways, and associated interfaces. - Allows for the addition, deletion, and modification of routes. Key Command Syntax 1. Di...
Read more

Junior Security Analyst Intro

-
Why SOC Analyst L1 is Considered a Triage Specialist. A Level 1 Security Operations Center (SOC) Analyst is often regarded as a triage specialist because they are the first responders to cybersecurity alerts. Much like how a triage nurse assesses patients' conditions in a hospital, a Level 1 SOC Analyst evaluates and categorizes alerts generated by security tools to determine their severity and prioritize response efforts. Their primary focus is to: Filter Noise: Modern networks generate massive amounts of data, with many false positives. SOC L1 analysts must sift through this data to identify real threats. Categorize Alerts: Assign severity levels to incidents, such as low, medium, or high priority. Initial Response: Perform basic investigations (e.g., checking IP addresses, scanning logs) and decide whether to escalate incidents to Level 2 or 3 analysts. This role is vital because it ensures that high-priority threats are addressed quickly and resources are allocated ...
Read more

Example of A Day in the Life of a Junior (Associate) Security Analyst

-
The day begins early for the Junior Security Analyst, stepping into the office or logging into their remote workstation. The quiet hum of servers and the glow of multiple screens set the stage for another day at the heart of the cybersecurity battlefield. Their first task is to review the handover notes from the previous shift or the daily briefing. This update includes summaries of unresolved incidents, ongoing investigations, and any notable changes in the organization’s threat landscape. Equipped with this crucial information, the analyst prepares to navigate a world where even the smallest anomaly could signify a major threat. Logging into the array of tools—a Security Information and Event Management (SIEM) platform, endpoint detection systems, firewalls, and intrusion detection/prevention systems (IDS/IPS)—the analyst is immediately immersed in the flow of alerts. Every beep, flash, and log entry represents a potential threat. The first challenge is triage. Like a digital detecti...
Read more