SMB Protocol Explained | COMPTIA Pentest+ | TryHackMe Network Services.

Captions
What's going on, welcome back. In today's video we are going to step to Network Services. This room is also part of CompTIA Pentest+. Just to give you an idea of where we are right now: basically we have finished application-based vulnerabilities and testing tools. We've talked about Burp Suite, Metasploit, Nessus and also Nmap, but it is not finished yet, I haven't answered the questions, but we've talked about these in those videos. Now, network-based vulnerabilities: in the last video we gave an introduction about networks and networking. Now in this video we're going to go over Network Services part one and two, and Kenobi is a virtual machine, or a room, that we have solved before. So basically once we finish these two rooms, in addition I'm gonna provide an introduction to Active Directory Basics, we're gonna solve this room as well, and we will be finishing with CompTIA Pentest+.

Okay, so for Network Services, as you can see here, I am going to break down the room into multiple videos. So in one video, which is the one I'm doing right now, I'm going to go over from task 1 all the way to task 4, talking about SMB. Then we do a separate video for Telnet, a separate video for FTP, and that's it. Okay, so in this video we're going to go over SMB: understanding SMB, enumerating and exploiting SMB. For that, basically, you need to deploy the machine attached to the room to get started.

So basically here, in a nutshell, we have the questions and the answers. Of course, as all of you know, SMB, Server Message Block, is for sharing files and printers between computers, server and clients, and basically it is SMB for Windows and Samba for Linux. So here go the answers. What does SMB stand for? Server Message Block, the abbreviation for that. The type of protocol is response-request. Why is it response-request? Because the client, as you can see, requests info from the server: requests to get access to a specific file, requests to get access to a specific printer, and the server, as you can see, sends back a response with access granted or denied. That's why it's called response-request. What do clients connect to servers using? Of course, TCP/IP. SMB is a protocol which is part of TCP/IP; we talked about this in the previous videos. What systems does Samba run on? So basically Samba runs on Linux. Samba is the same as SMB but it's different because it's called Samba because it's running on Unix. So for Linux it is Samba, for Windows it is SMB. Okay.

Now we come to the enumeration and exploitation. So basically we're gonna enumerate SMB, discover the tools to enumerate SMB, and then we're gonna see how we can exploit SMB. Now, since we are saying SMB, right, the target machine is Linux. Okay, so a basic Nmap scan reveals the following: we have 139, 445, which means we are dealing with a Samba server. That means that we have SMB open, but in Linux we call it Samba. So Samba now is running on the server, meaning that we have files, we have printers that are shared on the system, which means the first step in attacking this box is finding out more about these shares and how we can get access to them. So as you can see Samba runs on port 139, 445, and to start enumerating the Samba server we use a tool called enum4linux. Most of you guys who do Hack The Box and solved boxes in Hack The Box, or even TryHackMe, know how to enumerate SMB, but since this is part of CompTIA Pentest+ we have to break this down for people who are just getting started.

So I want to enumerate SMB, now Samba. So what I would use: I would do sudo enum4linux, which is a tool for enumerating SMB on Windows or Samba on Linux, it doesn't matter. So there are a couple of switches we can use with enum4linux. For example, let's say we have -U here; we're saying to get the users list, right? So let's say I want to get the users list, or the users that are sharing the files on the Samba server. So type -U and then type the IP address of the target. Let's start with this. So here we should get the user list. As you can see, users on ... and we haven't found any, but here you can see we have no username: administrator, guest. It doesn't mean they exist, it just means that there are no usernames used when sharing files, but none of the usernames have been found in this scenario.

So instead of -U we can also use other switches for enumeration. For example we can use -S to get the shares, or a list of the shares on the file system or on the server. You can hit enter, and as you can see here we have the following shares: netlogon, profiles, print$, IPC$. The one that stands out for me is profiles, since all the time when we list the shares on the system we see IPC$, we see print$, netlogon, but profiles not all the time. So it means that the shared directory on the system, or on the Samba server, is profiles. So instead of just going about enumerating bit by bit, we can just type -a to enumerate everything on the Samba server: users, groups, shares. We hit enter. All right, so we start going through the results. So we see it's looking up status here; you see workgroup, polosmb. So the workgroup name is WORKGROUP, as you can see. Domain name: WORKGROUP. Domain SID: no info about this. Here we can see the info about the operating system, which is Ubuntu, polosmb server, the version 6.1, and here we see the list of shares found. Domain polosmb, bulletin, password info for domain, okay, and it's still enumerating by the way, but most of the time you won't need more than the list of shares, the operating system running, the domain, whether it is a workgroup or a domain-joined machine, and of course if anonymous access is possible or not.

So with that in mind we can just start answering the questions. So here: conduct an Nmap scan of your choosing, how many ports are open? Let's get back and see the Nmap scan results. So from the scan we have one, two, three; so we have three ports open. What ports is SMB running on? So basically if we get back we can see we have 139, 445, the typical ports a Samba server runs on. So we have here 139, 445. Let's get started with enum4linux: conduct a full basic enumeration. For starters, what is the workgroup name? We saw that it is WORKGROUP, the same. What comes up as the name of the machine? So if we get back here we see the name of the machine, all right, scroll more, so this is the name of the machine: polosmb. What operating system version is running? So if we get back we can see the version is 6.1. What share sticks out as something we might want to investigate? So basically here we got the list of shares, and the one that stands out is profiles. Okay.

So now we have done the enumeration for SMB, now we will go over the exploitation phase and answer the questions here. Let's get back. Okay, so now I know that I have a Samba server running, I know the list of shares, I know the computer name, the workgroup name, and of course I know what operating system is running on the box. So the next step for me is to connect to these shares. I want to know if I can connect to these shares and see the content of the file system. So if I want to connect to the shares I would use a tool called smbclient, and the syntax for this, if we are talking about Linux, we would use two slashes and we type the IP address of the machine, in this case it is this one, and here I type the share name if I want to get access to a share. If I want just to list the shares I would just type -L and enter. So here it's asking for the WORKGROUP\root's password. We don't have a password, we're gonna just hit enter and see if it's gonna work. Okay, so with smbclient we were able to get some of the results we have got with enum4linux, which is listing the shares. Now that's good if I don't use enum4linux, but if I want to connect to these shares I want to remove the -L and here specify the share I want to connect to. For example, I'm gonna connect to profiles. All right, so I hit enter. I don't have a password, but I was able to connect, which means the profiles share, right, allows for anonymous access. So if I type ls I see the content of that directory, right?

Let's get back for a bit and see more. For example here, what if the profiles share asks for a username? I would say, for example, -U. Let's see, there's a name required in this challenge. So here it is asking: what would be the correct syntax to access an SMB share called secret as user suit on a machine with the IP on the default port? So we would go back here and change the IP to the one pointed out in the challenge, three tens two, and the name of the share is secret and the username is suit, okay, and the port, the default port, is 445. That's the syntax. Let's try. I guess it is not like that, secret, my Caps Lock is still on, this is not something I wanted. I guess I'm not going to be able to connect since this is an IP out of the current subnet, but this is the syntax. Let's try to answer this question with this answer, and it's correct. Okay, let's get back a bit to where we were. We were at here. So to specify the username we just type -U and the username. Okay, Caps Lock. Now let's get back and connect to the share. So I'm going to hit enter; now we are connected. We type ls to list the files on this share; we have .cache, .profile, .sudo_as_admin_successful, .ssh. So we have this one, and this one sticks out as well. So type cd .ssh, ls, and we have a private key. Now if you see something that you want to grab out of the Samba server you would want to type get id_rsa; it will just download this to your current machine, or local machine. Now id_rsa has been downloaded to your local machine. You will just type exit, ls, and you have id_rsa here.

Number four, connecting. Before trying to connect to the host you would want to run chmod to adjust the permissions of the key, id_rsa. Okay, then you would want to connect: sudo ssh -i id_rsa and the username. Let's see what is there, is there a name? The username: now we want to find out what this is, and then we want to connect. All right, so here as you can see, whatever it has been configured to allow him, okay, there is some guy here, or some name, we want to find out. So let's connect back and see what is the username. So we have something here: Working From Home Information. So if we cat this, or let's get it, or I think let's get it to our device, or local machine, would be better. Not found. Okay, get, let's put double quotes. Okay, now we would disconnect and cat Working From Home. So: "John Cactus, as you are well aware, due to the current pandemic most of Polo Incorporation has insisted that wherever possible employees would work from home. As such, a shared account has now been enabled with SSH access to the main server. If there are any problems, please contact the IT department at it.internal.com uk regarding ..." So basically the one who's supposed to connect to this server and use the private key we have just downloaded is John Cactus. Now figuring out the username has become easier: we will try cactus or john. So sudo ssh -i id_rsa john@ ... let's see, does this work? It didn't work. Now we would try with cactus. Okay, and now we have been granted access. So the correct username is cactus, and this is how you exploit SMB. Okay, just enumerate with enum4linux, connect to the shares, see if there is data lying around that is valuable for your exploitation, and you will have access. And actually, can I call it exploitation? We haven't exploited a vulnerability; rather we have just connected anonymously to a share that allows anonymous access. So it's a security misconfiguration, not actually an exploitation. Okay.

Let's get back now and answer the questions. So, does the share allow anonymous access? Yes. Great. Have a look around for any interesting documents that could contain valuable info. Who can we assume this profile folder belongs to? It is actually just the name of the person. Okay. What service has been configured to allow him to work from home? SSH. Okay, now we notice. What directory on the share should we look in? Of course .ssh, it is where we found the private key. This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us? Of course, it is the private key. Download this file to your local machine and change the permissions to 600. Now use the ... okay, now the flag. cat smb ... and this is the flag: smb is fun. No, copy. Okay, and that was still missing, we have something missing. Okay, click on that and, yes, that was for SMB. Now in the next video we're gonna do the tasks for exploring, enumerating and understanding Telnet, task 5 all the way to task 7. All right, thank you for watching.
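Added example (mine, not code from the video or from TryHackMe): the share triage the narration does by eye, written down. It parses the share table that `smbclient -L` prints, flags the non-default disk shares (the reason `profiles` stands out next to `netlogon`, `print$` and `IPC$`), and builds the `smbclient` argv the video types. `SAMPLE_LISTING` is constructed to mirror the shares named in the video, not captured output, and `192.0.2.10` is a placeholder host.

```python
"""Added example, not the video's or TryHackMe's code. SAMPLE_LISTING is a
constructed smbclient -L style table that mirrors the shares named in the
video; it is not output captured from the room's machine."""
import re
from typing import Optional

# Shares Samba or Windows expose by default; they rarely hold user data.
DEFAULT_SHARES = {"ipc$", "print$", "admin$", "c$", "netlogon", "sysvol"}

SAMPLE_LISTING = """\
        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk      Network Logon Service
        profiles        Disk      Users profiles
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (polosmb server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
"""

# One share row: name, type column (Disk/IPC/Printer), optional comment.
SHARE_LINE = re.compile(r"^\s*(\S+)\s+(Disk|IPC|Printer)\b\s*(.*)$")


def parse_shares(listing: str) -> list:
    """Turn the share table printed by smbclient -L into a list of dicts."""
    shares = []
    for line in listing.splitlines():
        m = SHARE_LINE.match(line)
        if m:
            name, kind, comment = m.groups()
            shares.append({"name": name, "type": kind, "comment": comment.strip()})
    return shares


def interesting_shares(listing: str) -> list:
    """Disk shares that are not standard defaults: the ones worth a closer
    look (the video singles out 'profiles' for exactly this reason)."""
    return [s["name"] for s in parse_shares(listing)
            if s["type"] == "Disk" and s["name"].lower() not in DEFAULT_SHARES]


def smbclient_cmd(host: str, share: Optional[str] = None,
                  user: Optional[str] = None, port: int = 445) -> list:
    """Build the smbclient argv: -L to list shares, or //host/share to connect.
    -N skips the password prompt the video answers with an empty line."""
    cmd = ["smbclient"]
    if share is None:
        cmd += ["-L", f"//{host}"]
    else:
        cmd.append(f"//{host}/{share}")
    cmd += ["-U", user] if user else ["-N"]
    cmd += ["-p", str(port)]
    return cmd
```

Run against a real listing, `interesting_shares` gives the same short list a reviewer would write down before checking which of those shares accept an anonymous connection.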
Info
Channel: Motasem Hamdan
Views: 27,422
Keywords: COMPTIA, pentesting, pentest+, tryhackme
Id: eedTXtYiOK4
Length: 20min 50sec (1250 seconds)
Published: Thu Dec 10 2020