Smb all — различия между версиями
Материал из InformationSecurity WIKI
Drakylar (обсуждение | вклад) м (→Разведка) |
Drakylar (обсуждение | вклад) м (→Атака) |
||
| (не показано 14 промежуточных версий этого же участника) | |||
| Строка 9: | Строка 9: | ||
====enum4linux==== | ====enum4linux==== | ||
<syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
| − | enum4linux -a | + | enum4linux -a [-u USERNAME] [-w WORKGROUP] [-p PASSWORD] ip |
</syntaxhighlight> | </syntaxhighlight> | ||
| + | ====nullinux==== | ||
| + | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
| + | nullinux [-u 'Domain\User'] [-w WORKGROUP] [-P password] ip | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | ===Поиск сервисов=== | ||
| + | |||
| + | ====nmap==== | ||
| + | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
| + | nmap _ips_ -p 139,445 -v --script=smb-enum* | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | |||
| + | ====nbtscan==== | ||
| + | Доменные имена, мак-адреса. | ||
| + | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
| + | nbtscan 192.168.1.0/24 | ||
| + | </syntaxhighlight> | ||
===Сбор информации=== | ===Сбор информации=== | ||
| Строка 18: | Строка 36: | ||
<syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
nmblookup -A target | nmblookup -A target | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | ====smb_version==== | ||
| + | Определяем версию | ||
| + | |||
| + | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
| + | msf auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/smb_version | ||
| + | msf auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.31.142 | ||
| + | RHOSTS => 192.168.31.142 | ||
| + | msf auxiliary(scanner/smb/smb_version) > run | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | ===Поиск пользователей=== | ||
| + | |||
| + | ====smb_lookupsid==== | ||
| + | |||
| + | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
| + | msf auxiliary(scanner/smb/smb_lookupsid) > use auxiliary/scanner/smb/smb_lookupsid | ||
| + | msf auxiliary(scanner/smb/smb_lookupsid) > set RHOSTS 192.168.31.142 | ||
| + | RHOSTS => 192.168.31.142 | ||
| + | msf auxiliary(scanner/smb/smb_lookupsid) > run | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | ====nmap==== | ||
| + | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
| + | nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.11.200-254 | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | ====impacket-samrdump==== | ||
| + | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
| + | python /usr/share/doc/python-impacket-doc/examples | ||
| + | /samrdump.py 192.168.XXX.XXX | ||
| + | |||
| + | impacket-samrdump 192.168.XXX.XXX | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| Строка 40: | Строка 92: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| + | ==Тестирование== | ||
===Проверка на доступ с пустой сессией=== | ===Проверка на доступ с пустой сессией=== | ||
| Строка 60: | Строка 113: | ||
<syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
smbclient \\\\target\\share_name | smbclient \\\\target\\share_name | ||
| + | |||
| + | smbclient -L //target | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | ====Windows CMD==== | ||
| + | |||
| + | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
| + | net use \\TARGET\IPC$ "" /u:"" | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| Строка 67: | Строка 128: | ||
<syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
| − | nmap --script smb-vuln* -p 139,445 target | + | nmap --script smb-vuln* -p 139,445 target --script-args=unsafe=1 |
| + | </syntaxhighlight> | ||
| + | |||
| + | |||
| + | ===Перебор RID (юзеры)=== | ||
| + | |||
| + | ====ridenum==== | ||
| + | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
| + | ridenum.py 192.168.XXX.XXX 500 50000 dict.txt | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | ====smb_lookupsid==== | ||
| + | use auxiliary/scanner/smb/smb_lookupsid | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | |||
| + | ===Работа с файлами=== | ||
| + | |||
| + | ====smbclient==== | ||
| + | Загрузка файла | ||
| + | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
| + | smbclient //192.168.31.142/ADMIN$ -U "nobody"%"somepassword" -c "put 40280.py" | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | Примонтировать директорию | ||
| + | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
| + | smbclient -L \\WIN7\ -I 192.168.13.218 | ||
| + | smbclient -L \\WIN7\ADMIN$ -I 192.168.13.218 | ||
| + | smbclient -L \\WIN7\C$ -I 192.168.13.218 | ||
| + | smbclient -L \\WIN7\IPC$ -I 192.168.13.218 | ||
| + | smbclient \\192.168.13.236\some-share -o user=root,pass=root,workgroup=BOB | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | ====mount==== | ||
| + | |||
| + | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
| + | mount -t auto --source //192.168.31.147/kathy --target /tmp/smb/ -o username=root,workgroup=WORKGROUP | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | ====Windows CMD==== | ||
| + | |||
| + | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
| + | net use X: \\<server>\<sharename> /USER:<domain>\<username> <password> /PERSISTENT:YES | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | ====smbspider==== | ||
| + | |||
| + | Утверждают что одна из лучших тулз для работы в виндовыми сетевыми хранилищами. | ||
| + | |||
| + | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
| + | smbspider [-h] -ip IPADDRESS -s SHARE [-f SUBFOLDER] [-pa PATTERN] | ||
| + | [-pf PATTERNFILE] [-u USER] [-p PWD] [-d DOMAIN] | ||
| + | [-r RECURSIVE] [-t THREADS] | ||
</syntaxhighlight> | </syntaxhighlight> | ||
==Атака== | ==Атака== | ||
| − | |||
| − | === | + | ===Перебор паролей=== |
| + | |||
| + | ====smb_login==== | ||
| + | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
| + | use auxiliary/scanner/smb/smb_login | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | ====smbrute.py==== | ||
| + | |||
| + | https://github.com/m4ll0k/SMBrute | ||
| + | |||
| + | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
| + | python3 smbrute.py -h 2.35.69.44 -U user.txt -P pass.txt -t 10 | ||
| + | </syntaxhighlight> | ||
==Ссылки== | ==Ссылки== | ||
| + | |||
| + | [https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/#smb-enumeration-tools cheatsheet pentest] | ||
Текущая версия на 13:58, 6 мая 2020
Содержание
Описание
Разведка
Все вместе
enum4linux
enum4linux -a [-u USERNAME] [-w WORKGROUP] [-p PASSWORD] ipnullinux
nullinux [-u 'Domain\User'] [-w WORKGROUP] [-P password] ipПоиск сервисов
nmap
nmap _ips_ -p 139,445 -v --script=smb-enum*
nbtscan
Доменные имена, мак-адреса.
nbtscan 192.168.1.0/24Сбор информации
nmblookup
Входит в enum4linux
nmblookup -A targetsmb_version
Определяем версию
msf auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/smb_version
msf auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.31.142
RHOSTS => 192.168.31.142
msf auxiliary(scanner/smb/smb_version) > runПоиск пользователей
smb_lookupsid
msf auxiliary(scanner/smb/smb_lookupsid) > use auxiliary/scanner/smb/smb_lookupsid
msf auxiliary(scanner/smb/smb_lookupsid) > set RHOSTS 192.168.31.142
RHOSTS => 192.168.31.142
msf auxiliary(scanner/smb/smb_lookupsid) > runnmap
nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.11.200-254impacket-samrdump
python /usr/share/doc/python-impacket-doc/examples
/samrdump.py 192.168.XXX.XXX
impacket-samrdump 192.168.XXX.XXXСписок сетевых хранилищ
smbmap
smbmap -H targetsmbclient
echo exit | smbclient -L \\\\targetnmap
nmap --script smb-enum-shares -p 139,445 targetТестирование
Проверка на доступ с пустой сессией
smbmap
smbmap -H target
rpcclient
rpcclient -U "" -N targetsmbclient
smbclient \\\\target\\share_name
smbclient -L //targetWindows CMD
net use \\TARGET\IPC$ "" /u:""Поиск уязвимостей
nmap
nmap --script smb-vuln* -p 139,445 target --script-args=unsafe=1
Перебор RID (юзеры)
ridenum
ridenum.py 192.168.XXX.XXX 500 50000 dict.txtsmb_lookupsid
use auxiliary/scanner/smb/smb_lookupsid </syntaxhighlight>
Работа с файлами
smbclient
Загрузка файла
smbclient //192.168.31.142/ADMIN$ -U "nobody"%"somepassword" -c "put 40280.py"Примонтировать директорию
smbclient -L \\WIN7\ -I 192.168.13.218
smbclient -L \\WIN7\ADMIN$ -I 192.168.13.218
smbclient -L \\WIN7\C$ -I 192.168.13.218
smbclient -L \\WIN7\IPC$ -I 192.168.13.218
smbclient \\192.168.13.236\some-share -o user=root,pass=root,workgroup=BOBmount
mount -t auto --source //192.168.31.147/kathy --target /tmp/smb/ -o username=root,workgroup=WORKGROUPWindows CMD
net use X: \\<server>\<sharename> /USER:<domain>\<username> <password> /PERSISTENT:YESsmbspider
Утверждают что одна из лучших тулз для работы в виндовыми сетевыми хранилищами.
smbspider [-h] -ip IPADDRESS -s SHARE [-f SUBFOLDER] [-pa PATTERN]
[-pf PATTERNFILE] [-u USER] [-p PWD] [-d DOMAIN]
[-r RECURSIVE] [-t THREADS]Атака
Перебор паролей
smb_login
use auxiliary/scanner/smb/smb_loginsmbrute.py
https://github.com/m4ll0k/SMBrute
python3 smbrute.py -h 2.35.69.44 -U user.txt -P pass.txt -t 10