SMB Enumeration Demo


Time
18 hours 43 minutes
Difficulty
Intermediate
CEU/CPE
22
Video Transcription
00:00
All right. So, if you weren't paying attention during the PowerPoint, now is the time to pay attention, because I'm gonna go over all the tools we just learned about SMB, um, from the PowerPoint
00:10
in a hands-on demo.
00:12
So the first thing we're going to use against our target is nmap,
00:17
and you'll see I have a different terminal window; I'm using Terminator.
00:21
There it is, Terminator.
00:23
What I like about this is you can split it vertically, you can split it horizontally.
00:28
You don't have to open numerous new terminal windows. I find myself opening many of them. That's not to say you can't
00:34
also split this horizontally
00:37
and vertically, but I kind of like the layout of terminator a little bit better.
00:42
So for now let's close these windows
00:46
and let's run nmap. So I'm gonna use nmap against our target, 192.168.1.231.
00:55
The script is smb-enum-shares, um, the SMB enum script, on port 445, and we're making it very, very, very verbose.
01:06
Yeah.
01:07
And we can see here that it used smb-enum-shares as the guest.
01:11
And we can see here if we have anonymous access. We don't to admin.
01:17
We don't to C. We do have read and write access to IPC, which
01:23
of course we can't look at files and directories in, but maybe we can use EternalBlue, the exploit, if this is vulnerable to it.
01:32
We're not gonna do that though for right now.
01:34
Users we can read,
01:38
and inetpub we can read. Ultimately we would like to be able to write to a share.
01:45
So from here let's use rpcclient, and we'll use a null session, so we're not going to
01:55
put anything for the user; we're going to leave it blank.
01:59
And I'm just gonna hit enter here
02:01
and we can see we're in rpcclient,
02:05
so we can do things like the question mark, and we can see all the different options we have, and we have a lot here.
02:13
So let's say, for example, we want to look at the server info. Maybe it will give us some info. Hopefully
02:23
we can see here we have a little bit of information
02:25
about
02:29
about this server.
02:30
We can see the OS version
02:34
now.
02:36
What we can also do is look at queryuser;
02:38
we need the RID,
02:40
the relative identifier. And if we were paying attention before... let me, let me clear out this terminal.
02:49
Well, it doesn't like that.
02:50
In rpcclient, what we can do is queryuser 5000, because RID, or I should say 500, because RID 500 should be the administrator.
03:01
And we can see here that it is the administrator account.
03:07
So we might be able to brute force the administrator. Let's try to see who a user is. So we're gonna queryuser 1000, which should be the first user on this machine.
03:19
So we see here that the first user is IEUser. And we might be able to brute force the login for IEUser.
03:28
So let's get out of this.
03:30
Now let's clear our screen
03:32
and let's try to brute force this IEUser using Hydra
03:38
and see what permissions we have.
03:42
So we'll see here Hydra, little l, since we already know the user is IEUser. We could make a list of users that we enumerate with big L, and maybe a text file with all the different users. For right now we're just using IEUser,
03:54
and I have a custom password list here. You might want to use something like rockyou. I can tell you that the password is in rockyou for this user; it just takes over 40 minutes to find it.
04:04
And that's sometimes the trouble with brute forcing logins:
04:08
it can take a very long time depending on what word lists you're using for either a user or a password combination.
04:16
So let this run.
04:18
Hopefully it doesn't take 40 minutes.
04:23
And we see we found
04:25
that IEUser's password is this fancy password here.
04:30
So from here let's clear this out again
04:33
and let's use nmap. I want to show you the difference now that we have an actual username and password.
04:40
So when I run nmap again, we're gonna do the script smb-enum again, but we're using script arguments, so I'm using smbusername, IEUser, smbpassword, again port 445, against this machine here.
04:55
And you'll see it gave us a whole lot more information. smb-enum-users, so it gave us all the different users
05:01
along with their relative identifiers here. So we found some of the users, sshd. So this machine, we enumerated it before and we found port 22 open. So here there are SSH users.
05:15
We see also that we have read and write privileges to inetpub, which is important because we learned that that's the web server. Right?
05:23
So we also
05:26
see smb-enum-sessions. So we're the only one logged in.
05:30
Um
05:31
let's keep looking here
05:33
because this is really good information. smb-enum-groups,
05:39
of different groups
05:40
domains.
05:43
So simply adding those arguments in the nmap scripting engine
05:46
um
05:47
gave us a whole lot more information and gossip
05:53
like I said, enumeration is the key, right?
05:56
So now that we've found this and we see that we can write to inetpub,
06:00
let's see if we can put something on that server
06:05
and just going to this web server here, we see this welcome page.
06:10
Now we'll talk about enumerating web servers a little bit later, but I told you guys to install things like Wappalyzer. We can see the web framework is ASP.NET. It's a Windows server. It's using IIS 7.5. We also look at things like cookie values. We see an ASP session ID.
06:27
So it's definitely using ASP, which, if we're looking at shells,
06:30
an ASP shell might be the right thing in this case.
06:35
So I'm going to clear our terminal again.
06:41
And
06:43
Now of course I could be splitting terminals for you vertically and horizontally, but I want to make it look clean for the demo. That's why I'm not doing that.
06:50
But let's use smbclient
06:55
and
06:57
we're going to
07:00
and the password
07:05
we can use dir.
07:09
We can go to the web root.
07:13
Yeah.
07:13
Now I always like to verify. Now I see a few, you know, hello.asp, uh, scripts here.
07:19
I just want to make sure that I can write to this directory.
07:23
If I add that here,
07:33
you'll see that. That's right. We're in the web root here, and then we can try to write, um, or create a shell with msfvenom.
07:44
We'll talk about shells later. But for now let's go ahead and split this vertically
07:49
and let's create an ASP shell with msfvenom.
07:59
So see here msfvenom: our payload is Windows Meterpreter reverse TCP. Our listening host is our machine because we're creating a reverse connection.
08:07
LPORT is 4444, and our format is ASP. We're making a shell.asp script.
08:18
Okay, so we created that.
08:22
I'm going to move this.
08:26
Yeah.
08:28
Mm.
08:28
to the desktop. When I told you guys before, the tilde is our current user, which is root,
08:35
Desktop,
08:35
so I can move it.
08:37
It's already here, already created before, but I just like knowing where it is exactly.
08:43
Okay,
08:45
so now what we're going to do is launch the Metasploit Framework, which we'll talk about a lot more later, about shells, but I'm going to execute the Metasploit Framework,
08:54
or execute a module, or create a module
09:00
within the Metasploit Framework, exploit multi handler.
09:03
And here I'm just doing a whole bunch of things that I'm executing before I actually start it up, as opposed to starting it up and having to enter each of these individually. I already know what I want to do.
09:13
So I'm using exploit multi handler. I'm setting the payload as Windows Meterpreter reverse TCP, and you'll notice it's the same things up above here with msfvenom.
09:24
So when I run this, it's gonna put it in the background; that's why the -j.
09:28
So I'll run this,
09:33
and you'll see here it did everything for me. Right?
09:37
It's making Windows Meterpreter reverse TCP our payload, LHOST, LPORT.
09:43
Now what I want to do is put
09:46
that shell
09:48
in here.
09:52
I need to name it
09:54
shell
09:56
.asp
10:01
Mm, you'll see it didn't like that.
10:03
So let's actually call the full path.
10:09
So we see that the full path, it likes that. And we can do dir, ls, and we should see here that our shell.asp file is now in the web root.
10:22
What should happen now, we can close this,
10:26
is going to shell.asp.
10:31
Yeah,
10:31
we see that a Meterpreter session was opened,
10:37
and if we go to sessions we should see that. Here it is.
10:41
And to interact with it, we just do sessions 1,
10:46
you could use sysinfo,
10:48
you drop into our shell,
10:50
and we now have a shell on this Windows machine.
10:56
So that's looking at the various tools that we talked about in the PowerPoint, or the lecture, I should say, where we looked at nmap, we looked at rpcclient, we looked at smbclient. That's using all of those to enumerate this machine to ultimately get a shell on it.