Exploiting SMB

Last updated 4 years ago

Was this helpful?

Exploiting SMB

Types of SMB Exploit

While there are vulnerabilities such as that can allow remote code execution by exploiting SMB, you're more likely to encounter a situation where the best way into a system is due to misconfigurations in the system. In this case, we're going to be exploiting anonymous SMB share access- a common misconfiguration that can allow us to gain information that will lead to a shell.

Method Breakdown

So, from our enumeration stage, we know:

- The SMB share location

- The name of an interesting SMB share

SMBClient

Because we're trying to access an SMB share, we need a client to access resources on servers. We will be using SMBClient because it's part of the default samba suite. While it is available by default on Kali and Parrot, if you do need to install it, you can find the documentation

We can remotely access the SMB share using the syntax:

"smbclient //[IP]/[SHARE]"

Followed by the tags:

-U [name] : to specify the user

-p [port] : to specify the port

Got it? Okay, let's do this!

What would be the correct syntax to access an SMB share called "secret" as user "suit" on a machine with the IP 10.10.10.2 on the default port?

Great! Now you've got a hang of the syntax, let's have a go at trying to exploit this vulnerability. You have a list of users, the name of the share (smb) and a suspected vulnerability.

Lets see if our interesting share has been configured to allow anonymous access, I.E it doesn't require authentication to view the files. We can do this easily by:

- using the username "Anonymous"

- connecting to the share we found during the enumeration stage

- and not supplying a password.

Does the share allow anonymous access? Y/N?

Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?

What service has been configured to allow him to work from home?

Okay! Now we know this, what directory on the share should we look in?

This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?

Download this file to your local machine, and change the permissions to "600" using "chmod 600 [file]".

Now, use the information you have already gathered to work out the username of the account. Then, use the service and key to log-in to the server.

What is the smb.txt flag?

PreviousUntitled NextAnswers

Last updated 4 years ago

Was this helpful?

Types of SMB Exploit

Method Breakdown

So, from our enumeration stage, we know:

- The SMB share location

- The name of an interesting SMB share

SMBClient

We can remotely access the SMB share using the syntax:

"smbclient //[IP]/[SHARE]"

Followed by the tags:

-U [name] : to specify the user

-p [port] : to specify the port

Got it? Okay, let's do this!

What would be the correct syntax to access an SMB share called "secret" as user "suit" on a machine with the IP 10.10.10.2 on the default port?

Great! Now you've got a hang of the syntax, let's have a go at trying to exploit this vulnerability. You have a list of users, the name of the share (smb) and a suspected vulnerability.

Lets see if our interesting share has been configured to allow anonymous access, I.E it doesn't require authentication to view the files. We can do this easily by:

- using the username "Anonymous"

- connecting to the share we found during the enumeration stage

- and not supplying a password.

Does the share allow anonymous access? Y/N?

Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?

What service has been configured to allow him to work from home?

Okay! Now we know this, what directory on the share should we look in?

This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?

Download this file to your local machine, and change the permissions to "600" using "chmod 600 [file]".

Now, use the information you have already gathered to work out the username of the account. Then, use the service and key to log-in to the server.

What is the smb.txt flag?