Enumerating And Exploiting SMB , the basics | Tryhackme Network Services

Captions
What's up guys, welcome back to I.T Security Labs. Today I just want to share with you how to enumerate SMB. This is part of my goal to complete the Cyber Defense challenge in TryHackMe, and if you go to the first introduction here, I'm working on SMB today under Network Services, so I'll be sharing with you how I'm doing that. If you're just curious, I actually have a roadmap for myself to complete that room. This week here I'm just doing the first part, but as you can see, until the end of February I'll be going through the whole Cyber Defense section here. I've already done 21 percent of it, like Introduction to Networking and everything, but if you go to Network Services, which is the one I'm working on this week, you'll notice that I've done Getting Started and Understanding SMB. So if you're interested in following along, make sure to do this on your own; there's a lot of things to read and understand. I'm more interested in showing you the technical side of things, and you can always read and try to understand.

I deployed my machine for this room; it's on 10 10 to 38.41, so I need to first conduct an nmap scan, and you do this for every system: if you want to enumerate SMB you need to first do an nmap scan, right? While I'm signing in here, let me show you some resources that I really like. Here's an SMB checklist. You need to have a checklist, and I have always found that this is a very, very helpful checklist. When I see SMB ports open, I always make sure to use this checklist here; it's just easier that way, so I'll link it in the description. Make sure to understand what SMB is, and also use this as a checklist. I also have some notes that you have to write yourself, common things that you write. You can use the nmap scripts, which we can see here on 139 and 445 on Windows systems, and also the smbclient syntax; you need to just have this down, easy to know. But for Windows, here's a link that I use, and of course the notes that I just shared with you. I also have a Git page here and a few examples of what I have done. So that's SMB for us.

Once Kali Linux starts here, we'll run an nmap scan. So in my Kali Linux I already have a folder called enumsmb, because I always like to work in folders. Then we just go back here to conduct an nmap scan, then of course see how many ports are open. SMB ports are usually not high. nmap -sV -sC, so let's see how many ports come up. This will not scan all ports; this will just scan the top 1000 ports, but that's okay. All right, so after nmap is done we only have three ports here, and remember I only scanned the top 1000 ports, but I do see smbd is running and here's a version, so you can already go and try to see if this version is vulnerable for exploitation, and everything else. But for now our first answer is going to be three.

All right, let's get started with enum4linux: conduct a full basic enumeration. For starters, what is the workgroup name? All right, so enum4linux is a tool that you can use to enumerate SMB shares, and if we go to our checklist here you'll notice that it's one of the tools that you can use. So enum4linux -a then the IP address; capital A I think is more inclusive, so we're just going to do that. So these two will go and enumerate SMB and tell us if there's any workgroup; it will tell us information about the domain, if there's any, and some users sometimes, if it finds any, which is really good. So right now we've got a domain or a workgroup; we also found some shares. Here are some shares, for user profiles, which are shared, which is interesting. So you just have to know how to use this to find the information that you want. So let's answer some questions here: what ports is SMB running on? We have two ports from our nmap scan, we have 139 and 445, and that is correct. Yeah, so 139 and 445, that's from the results; you can see this from nmap. Then let's get started with enum4linux, and we did that. What is the workgroup name? The workgroup name is somewhere in here; you see the domain or workgroup, in this case it's called WORKGROUP. What comes up is the name of the machine: from enum4linux you can find the hostname for the machine, which is kind of nice. I think it's this one; it's called polosmb. So this is where you find the name of the machine. The platform ID, in this case it's Samba, and here's the version, so you have everything that you need here. Then, what operating system version is running? Okay, we already found that; it is this one. All this information here is valuable for you to be able to exploit the system, because you now know more about the target than you did before you even started. What share sticks out as something we might want to investigate? Okay, what shares? Let's look at the shares. Here are the shares: netlogon, that's just a default one; user profiles, I mean if you can get into user profiles you find their SSH keys or whatever their artifacts are, so of course user profiles is it: profiles.

All right, so we just finished enumerating SMB; now we need to move to, okay, how do we exploit that SMB? So the SMB is right there, so now we just need to find out, okay, what would be the correct syntax to access an SMB share called secret as the user suit on that machine? On this machine, or they're not even using the same machine. The correct syntax is smbclient, then the IP address, the share that you want to get to, -U then specify the user, then -p for port. That is the correct syntax, and you can have this in your notes as well, but that's the correct syntax here. Now that we have the syntax, let's see if we can try to exploit this vulnerability. You can list users, the name of the share and the suspected vulnerability. We're going to use the username of anonymous to the share that we found earlier, and we're not giving it any password. So does it allow anonymous access? There's a few ways you can test this for anonymous access: profiles, or profile, that's the one that we are after. All right, and then of course the user is anonymous, no password. All right, we're in, so it does allow anonymous; the answer is yes.

Have a look around for any interesting documents that could contain valuable information. Okay, who can we assume this profile belongs to? So ls, and it's successful. Oh, that's interesting: working from home.txt. That's the only one that is interesting. Usually I'm looking for... oh, there's also a .ssh folder here, so there's a .ssh folder. All right, so we need to steal all these things here. I'm going to exit for now so I can be in a clean directory; so I need to be in my machine's enumsmb folder. Okay, so once you're in a directory then you can start stealing, and everything will be in here. All right, yes, so I'm going to do a get, mostly for this one: I would like to get this one, working from home.txt, so I'll steal that file. You need to put quotes if there's a space there. cd .ssh; the only file that's interesting in there is going to be id_rsa, so get id_rsa, like that; that would do it. Then we can exit.

All right, now let's answer some questions here. Who can we assume the profile belongs to? From what I just stole here, John. Okay, this must be John then. All right, what service has been configured to allow him to work from home? SSH. Okay, we now know this directory; the same as I said, .ssh, that's what they're asking for, we already found that, and we go in and restore things. This directory contains authentication keys; which key is most useful to us? The one that is most useful to us is id_rsa; that's the key that we will use to get in. Download this file to your local machine, chmod 600. Yeah, you need to make sure that it's 600 on id_rsa, otherwise it won't work. Okay, now using this information that we've got here, can we try to log into the server? What is smb.txt? Okay, so we should be able to just SSH into the system. So using the information that we have here, it's John, cactus, to SSH. We just need to say ssh using John's last name; you could have tried john too. Then we need to say -i to specify id_rsa, because we want to use that file, and see if we can get in. It's asking us to accept, just add the host, and we're in; it's John. So if we clear, ls, cat smb.txt, and of course we just enumerated SMB here.

I hope this room helps you get some grounding on SMB enumeration and exploitation. There's obviously more that you can do with SMB than what we just covered here, but I hope this really helps you. If you can, please complete the learning path that I'm on; it's this one, the Cyber Defense learning path, and as you can see I've done some portion of it. I'm doing it by myself; I'm at 22 percent. You will learn a lot; do not neglect the introduction here. Otherwise, if you like this, please remember to like and subscribe; otherwise I will see you next time.
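As an added example (not code from the video or from TryHackMe), here is a small Python audit helper that turns the two recon outputs the walkthrough relies on, nmap -sV -sC and enum4linux, into a findings list a defender can act on: which ports expose SMB, which Samba version is advertised, and which shares are listable over a null session. The sample outputs are constructed and only approximate the real grepable-nmap and enum4linux formats; hostnames, ports and share names are invented.

```python
import re

# Constructed sample of `nmap -sV -sC -oG -` (grepable) output; port/version
# values are invented for illustration, not taken from the video's target.
NMAP_GREP = """# Nmap 7.92 scan initiated (constructed sample)
Host: 10.10.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/, 445/open/tcp//netbios-ssn//Samba smbd 4.7.6/\tIgnored State: closed (997)
"""

# Constructed sample of enum4linux's workgroup and share-access lines
# (format assumed from typical enum4linux output; share names invented).
ENUM4LINUX = """[+] Got domain/workgroup name: WORKGROUP
//10.10.0.5/print$\tMapping: DENIED, Listing: N/A
//10.10.0.5/netlogon\tMapping: OK, Listing: OK
//10.10.0.5/profiles\tMapping: OK, Listing: OK
//10.10.0.5/IPC$\tMapping: OK, Listing: DENIED
"""

SMB_PORTS = {139, 445}  # NetBIOS session service and SMB over TCP


def parse_nmap_grep(text):
    """Return [{'port', 'state', 'service', 'version'}] from grepable nmap output."""
    ports = []
    for line in text.splitlines():
        m = re.search(r"Ports: (.*?)(?:\tIgnored State.*)?$", line)
        if not m:
            continue
        for entry in m.group(1).split(", "):
            f = entry.strip().rstrip("/").split("/")  # port/state/proto/owner/service/rpc/version
            if len(f) >= 7:
                ports.append({"port": int(f[0]), "state": f[1], "service": f[4], "version": f[6]})
    return ports


def parse_shares(text):
    """Return [{'name', 'mapping', 'listing'}] from enum4linux share-access lines."""
    pat = re.compile(r"^//[^/]+/(\S+)\s+Mapping: (\w+),\s*Listing: (\S+)")
    return [{"name": m[1], "mapping": m[2], "listing": m[3]} for m in map(pat.match, text.splitlines()) if m]


def audit(nmap_text, enum_text):
    """Summarise what the two scans reveal and flag what a defender should fix."""
    open_ports = [p for p in parse_nmap_grep(nmap_text) if p["state"] == "open"]
    smb = [p for p in open_ports if p["port"] in SMB_PORTS]
    # Mapping OK + Listing OK means the share was browsable with no credentials.
    anon = [s["name"] for s in parse_shares(enum_text) if s["mapping"] == "OK" and s["listing"] == "OK"]
    wg = re.search(r"workgroup name: (\S+)", enum_text)
    findings = [f"SMB exposed on {', '.join(str(p['port']) for p in smb)} ({smb[-1]['version']})"] if smb else []
    findings += [f"share '{n}' is listable without credentials (null session)" for n in anon]
    return {"open_port_count": len(open_ports), "smb_ports": sorted(p["port"] for p in smb),
            "workgroup": wg.group(1) if wg else None, "anonymous_shares": anon, "findings": findings}


if __name__ == "__main__":
    for line in audit(NMAP_GREP, ENUM4LINUX)["findings"]:
        print(line)
```

Feed it the real files from `nmap -oG` and a saved enum4linux run and the anonymous-share lines are the ones to remediate first, since a readable profiles share is exactly how the SSH key in this room leaks.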
Info
Channel: I.T Security Labs
Views: 7,322
Id: 3OtFDod0I80
Length: 11min 1sec (661 seconds)
Published: Fri Jan 21 2022