Enumeration Cheatsheets

Enumerating SMB, RPC, and NetBIOS for Pentesting (Ports 445, 135-139)

This post contains various commands and methods for performing enumeration of the SMB, RPC, and NetBIOS services. This article will be expanded upon as time goes on.


Using NMAP

Scan for popular RCE exploits.
sudo nmap -p 139,445 --script smb-vuln* <ip-addr> -oA nmap/smb-vuln

Identify the SMB/OS version.
nmap -v -p 139,445 --script=smb-os-discovery.nse <ip-addr>

Enumerate users once you have valid credentials:
sudo nmap --script=smb-enum-users -p 445 10.130.40.70 --script-args smbuser=<user>,smbpass=<password>


Using NBTSCAN

To scan a subnet for list of hostnames:
nbtscan -v <targetRange>


Using SMBMAP

To list out the shares and associated permissions with Anonymous Access:
smbmap -H <ip-addr>

To list out shares recursively from hosts in a file and enumerate OS:

smbmap.py --host-file <targets.txt> -v -R -g

To list out the shares recursively:
smbmap -R <sharename> -H <ip-addr>

To list shares as an authenticated user:
smbmap -d <domain> -u <username> -p <password> -H <ip-addr>

To list the shares as a Guest user, just provide a username that doesn’t exist.
smbmap -u DoesNotExist -H <ip-addr>

To download a particular file.
smbmap -R <sharename> -H <ip-addr> -A <filename> -q


Using SMBCLIENT

To list out the shares:
smbclient -L \\\\<ip-addr>

To connect to shares:
sudo smbclient \\\\<ip-addr>\\<share>

Downloading files:
Once connected, you can download files. You’ll want to disable interactive prompts and turn recursive mode ON.

smb: /> prompt
smb: /> recurse

smb: /> mget *


Using RPCCLIENT

Testing for Null or Authenticated Sessions:
To test for null sessions, you can use the following command. If it connects, then you’ll be able to issue rpc client commands for further enumeration.
rpcclient -U "" -N [ip]

Have valid credentials? Use them to connect:
rpcclient -U <user> 10.10.10.193

Once connected, there are various queries you can run.

To enumerate printers:
enumprinters

To enumerate users and groups:
enumdomusers
enumdomgroups

The above command will output user/group RIDs. You can pass those into further queries like:
querygroup <RID>
querygroupmem <RID>
queryuser <RID>


Using ENUM4LINUX

The following command will attempt to establish a null session with the target and then use RPC to extract useful information.
enum4linux -a [ip]

Example output is long, but some highlights to look for:

  • Listing of file shares and printers.
  • Domain/Workgroup information.
  • Password policy information.
  • RID cycling output to enumerate users and groups.

Using METASPLOIT

Bruteforcing credentials:
use auxiliary/scanner/smb/smb_login
set BLANK_PASSWORDS true
set PASS_FILE /usr/share/seclists/Passwords/Common-Credentials/best15.txt
set USER_FILE /usr/share/seclists/Usernames/top-usernames-shortlist.txt
set RHOSTS <ipAddr>


Mounting SMB Shares in Linux

The following command will mount the remote file-share to /mnt/smb/ (this directory must exist first) and prompt you for the password.
mount -t cifs -o username=<user> //<targetIP>/<shareName> /mnt/smb/

Another way to mount a share from Linux is as follows:
sudo mount.cifs //<targetIP>/share /mnt/share username=,password=


Using SMBCACLS

Viewing file permissions, owners, and ACLs of shares.
smbcacls -N '//<targetIP>/<shareName>' /<childDir>

To use this recursively, you can use a for loop in Bash.
cd <mountedShare>
for i in $(ls); do echo $1; smbcacls -N '//<targetIP>/<shareName>' /$i; done


Enumeration from Windows Utilities

To get the Name Table:
nbtstat -A <targetIP>

To see a list of running shares:
net view <targetIP>

You can map a share to a drive letter, such as K:
net use K: \\<targetIP>\share

Testing for null session:
net use \\<targetIP>\IPC$ "" /u:""

Various Additional Tools:

  • WinFingerPrint
  • Nat10Bin
  • DumpSec

Gaining a Shell

Once you have valid credentials on the machine, or a valid NTLM hash, you can leverage the following guide to gain a shell.
https://infinitelogins.com/2020/09/05/popping-remote-shells-pth-winexe-on-windows/


Enumerating SMB Version

If your tools aren’t working to enumerate the version, you can establish a connection via smbclient and then extract the Samba/SMB version through a packetcapture. To automate the process, you can use the script available at https://github.com/rewardone/OSCPRepo/blob/master/scripts/recon_enum/smbver.sh


Troubleshooting Common Errors:

protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED

This error occurs because your modern tools are not able to communicate to older, insecure protocols. You just need to tell your smbd daemon to use the weaker and more insecure protocols.

Note: If you are using smbd in real life for file and printer sharing, I don’t recommend leaving you system like this.

Open the following files in your favorite text editor.

/etc/samba/smb.conf

Find the Global section, and add the following line.

client min protocol = LANMAN1

With that line added, restart your smdb service and you should now be able to connect.

service smbd restart

Hacking Tutorial

Abusing Zoom Webinar/Meeting Software to Steal Windows Credentials

A vulnerability exists within Zoom with the way that it handles UNC paths in its chat feature. UNC (Universal Naming Convention) paths are used by computer systems to reference network resources and typically look like the following:

\\computer\share

As you can see from the above text, this path is listed out in this blog post as text, but isn’t a clickable link. The vulnerability that exists in Zoom is the fact that these paths are clickable links that will automatically attempt to take users that click on them to the share, whether it exists or not.

Why is this a problem? Most webinars/meetings in Zoom will allow all attendees to type in the chat. This would allow a nefarious actor to place a malicious UNC path into the chat and direct users to interact with it.

The exploit we’re going to use isn’t new. In fact, I’ve already written about it in a previous blog post! I highly recommend that you check it out, as I’m not going to go as in depth as I did in that post; Abusing LLMNR/NBT-NS in Active Directory Domains: Part 1 (Capturing NTLMv2 Hashes).

Table of Contents:

  • Performing the attack
  • But wait.. You need local network access?
  • Mitigation Strategies

Performing the attack

To begin, let’s ensure our Responder tool is configured with all servers on.

sudo gedit /opt/Responder/Responder.conf

With all servers active, let’s go ahead and Run Responder on our primary interface (note yours may differ depending on your environment).
sudo python Responder.py -I eth0

So what’s happening here? Responder.py is listening for all incoming requests in the three listed Poisoners (LLMNR, NBT-NS, DNS/MDNS).

Why does this matter? Computers will send their username & passwords (in hashed format) to any SMB shares when trying to connect. They do this by design so that the SMB server can determine whether or not the user is allowed to access this share.

What do we need to do? Now we just need a way to get machines to reach out and request to connect to a server of ours, such as an SMB share. If only there was a way to share a clickable link to a SMB share with multiple users all at once.. Enter Zoom!

From within a Zoom webinar/meeting, let’s go ahead and place a UNC path to see the vulnerability in action.

As you can see, the path lights up and is clickable. With Responder.py running on our attacking machine, let’s go ahead and click the link from the victim machine. Clicking the link from the victim machine doesn’t appear to do anything at all, but let’s check the output of our Responder.py window..

Check it out, we’ve got a NTLMv2 hash along with its username. From here, we could utilize additional tools to relay this hash to other machines on the network or even crack it to obtain the password in clear-text. Tutorials on these topics are coming in the future.

Note: This above example is abusing LLMNR in the network in order for Responder.py to receive the request. This is because the share \\infinitelogins\share doesn’t actually exist. If LLMNR is disabled in the network, a UNC path that directly points to the attacking machine is necessary.


But wait.. You need local network access?

Everything I’ve shown you up to this point DOES require that your attacking machine is on the same local network as the victims. With that said, it is possible to leverage this same technique to have machines connect to a publically routable address that is running Responder.py (assuming that SMB is allowed out of your network and over your internet provider).


Mitigation Strategies

Don’t allow everybody to chat within Zoom. You should be able to limit chat capabilities to specific users of panelists-only. If a UNC share can’t be shared, the exploit can’t take place.

Perform egress filtering on port 445. If outbound SMB requests are denied in your network, or at the gateway, Responder.py will never see the request come in and will never ask for the machine’s NTLM credentials.

Educate users. User awareness training will help prevent attacks like this along with other common phishing techniques. If users know what not to click on, they won’t click.

Disable LLMNR/NBT-NS. You should really just disable LLMNR in your network for a number of reasons, but this won’t prevent the attack if the UNC path provided in the chat points directly to the attacking box. It will stop the attack if the share entered within the chat window doesn’t exist however.