Introduction

Server Message Block (SMB) enables access to files, directories, and network resources over TCP. It is primarily used on Windows devices; however, Samba provides the same service on Linux. Misconfigurations in SMB/Samba can lead to unauthorized access as well as lateral movement throughout the network, so it is imperative that the service is properly configured.

During a penetration test, SMB should be thoroughly explored, as it can give us an easy way into the network. In this post, we will be going over the HTB Academy questions for the SMB Footprinting module.

1. What version of the SMB server is running on the target system? Submit the entire banner as the answer.

Once again, we start out by running an Nmap scan against the SMB ports (139, 445) with the default scripts (-sC) and version detection (-sV):

sudo nmap -sC -sV 10.129.134.185 -p139,445 -oA smb

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-18 20:29 EDT
Nmap scan report for 10.129.134.185
Host is up (0.068s latency).

PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn [Redacted Version]
445/tcp open  netbios-ssn [Redacted Version]

Host script results:
|_nbstat: NetBIOS name: DEVSMB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time: 
|   date: 2024-05-19T00:29:54
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.92 seconds
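The smb2-security-mode result above is worth more than the banner: "enabled but not required" means a client can negotiate signing away. The following added example (not part of the original post) parses that host-script block from Nmap's normal output, constructed here from the scan shown above, and turns the signing line into a finding; on Samba the fix is `server signing = mandatory` in smb.conf.

```python
import re

# Constructed sample in the shape of the Nmap "Host script results" block above.
SAMPLE_NMAP = """\
Host script results:
|_nbstat: NetBIOS name: DEVSMB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
|   date: 2024-05-19T00:29:54
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
"""

def parse_smb_host_scripts(text):
    """Pull NetBIOS name, negotiated SMB2 dialect and signing posture out of Nmap output."""
    info = {"netbios_name": None, "dialect": None, "signing": None}
    in_secmode = False
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").rstrip()          # drop Nmap's script-tree prefix
        m = re.match(r"nbstat: NetBIOS name: (\S+),", line)
        if m:
            info["netbios_name"] = m.group(1)
            continue
        if line.startswith("smb2-security-mode:"):
            in_secmode = True
            continue
        if in_secmode:
            m = re.fullmatch(r"(\d+:\d+:\d+):", line)   # e.g. "3:1:1:" = SMB 3.1.1
            if m:
                info["dialect"] = m.group(1)
            elif line.startswith("Message signing"):
                info["signing"] = line
                in_secmode = False
    return info

def signing_finding(info):
    """Severity of the observed signing posture, from a hardening point of view."""
    s = (info.get("signing") or "").lower()
    if "required" in s and "not required" not in s:
        return "ok"        # signing mandatory: the server rejects unsigned sessions
    if "not required" in s:
        return "medium"    # enabled but optional; set 'server signing = mandatory' in smb.conf
    if "disabled" in s:
        return "high"
    return "unknown"
```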

Now that we have the version, let's move on.

2. What is the name of the accessible share on the target?

Let's use smbclient with a null session (-N) to list the shares (-L):

smbclient -N -L //10.129.134.185

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        [Redacted]      Disk      [Redacted Version Info]
        IPC$            IPC       IPC Service (InlaneFreight SMB server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Protocol negotiation to server 10.129.134.185 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

Great! We have the name of the share; now we can try to connect to it.

3. Connect to the discovered share and find the flag.txt file. Submit the contents as the answer.

Let's try to connect to the share as an anonymous user:

smbclient //10.129.134.185/[redacted] -U ""
Password for [WORKGROUP\]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Mon Nov  8 08:43:14 2021
  ..                                  D        0  Mon Nov  8 10:53:19 2021
  .profile                            H      807  Tue Feb 25 07:03:22 2020
  contents                            D        0  Mon Nov  8 08:43:45 2021
  .bash_logout                        H      220  Tue Feb 25 07:03:22 2020
  .bashrc                             H     3771  Tue Feb 25 07:03:22 2020

                5090944 blocks of size 1024. 1765892 blocks available
smb: \> cd contents
smb: \contents\> dir
  .                                   D        0  Mon Nov  8 08:43:45 2021
  ..                                  D        0  Mon Nov  8 08:43:14 2021
  flag.txt                            N       38  Mon Nov  8 08:43:45 2021

                5090944 blocks of size 1024. 1765892 blocks available
smb: \contents\> get flag.txt
getting file \contents\flag.txt of size 38 as flag.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)

In the above, we connected to the share anonymously, listed the directories, navigated into the contents directory (it was the first directory with a size greater than 0), and downloaded the flag. We can now read the flag:

cat flag.txt
[Redacted flag]

4. Find out which domain the server belongs to.

We can use rpcclient to connect and enumerate the server info (srvinfo) and the domain info (querydominfo):

rpcclient -U "" 10.129.134.185
Password for [WORKGROUP\]:
rpcclient $> srvinfo
        DEVSMB         Wk Sv PrQ Unx NT SNT InlaneFreight SMB server (Samba, Ubuntu)
        platform_id     :       500
        os version      :       6.1
        server type     :       0x809a03
rpcclient $> querydominfo
Domain:         [Redacted]
Server:         DEVSMB
Comment:        InlaneFreight SMB server (Samba, Ubuntu)
Total Users:    0
Total Groups:   0
Total Aliases:  0
Sequence No:    1716079719
Force Logoff:   -1
Domain Server State:    0x1
Server Role:    ROLE_DOMAIN_PDC
Unknown 3:      0x1

Great, we got the domain! Let's move on.

5. Find additional information about the specific share we found previously and submit the customized version of that specific share as the answer.

This was already revealed in the comment column during our initial share enumeration, but let's try a different tool to explore our options. This time we will use crackmapexec:

crackmapexec smb 10.129.134.185 --shares -u '' -p ''

SMB         10.129.134.185  445    DEVSMB           [*] Windows 6.1 Build 0 (name:DEVSMB) (domain:) (signing:False) (SMBv1:False)
SMB         10.129.134.185  445    DEVSMB           [+] \: 
SMB         10.129.134.185  445    DEVSMB           [+] Enumerated shares
SMB         10.129.134.185  445    DEVSMB           Share           Permissions     Remark
SMB         10.129.134.185  445    DEVSMB           -----           -----------     ------
SMB         10.129.134.185  445    DEVSMB           print$                          Printer Drivers
SMB         10.129.134.185  445    DEVSMB           [Redacted]      READ            [Redacted Custom version]
SMB         10.129.134.185  445    DEVSMB           IPC$                            IPC Service (InlaneFreight SMB server (Samba, Ubuntu))

Cool, crackmapexec works as well!

6. What is the full system path of that specific share? (format: “/directory/names”)

For this, we can go back to rpcclient and use netshareenumall, which also returns each share's path:

rpcclient -U "" 10.129.134.185                      
Password for [WORKGROUP\]:
rpcclient $> netshareenumall
netname: print$
        remark: Printer Drivers
        path:   C:\var\lib\samba\printers
        password:
netname: [Redacted]
        remark: InFreight SMB v3.1
        path:   C:\redacted\path\
        password:
netname: IPC$
        remark: IPC Service (InlaneFreight SMB server (Samba, Ubuntu))
        path:   C:\tmp
        password:

Notice that Samba reports the path as C:\redacted\path, a Windows-style rendering (fake drive letter, backslashes) of the real POSIX directory. The question asks for the /directory/names form, so we drop the drive letter, turn the backslashes into forward slashes, and submit:

/redacted/path
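The same conversion, generalized: an added example (not from the original post) that parses the netshareenumall output into one record per share, rewrites each Samba-reported path into its POSIX form as described above, and lists the shares beyond Samba's default print$ and IPC$ that deserve a permissions review. The share name EXAMPLE_SHARE and its path are placeholders, not the lab's redacted values.

```python
import re

# Constructed sample in the shape of the rpcclient netshareenumall output above.
SAMPLE_RPC = r"""netname: print$
        remark: Printer Drivers
        path:   C:\var\lib\samba\printers
        password:
netname: EXAMPLE_SHARE
        remark: InFreight SMB v3.1
        path:   C:\example\path\
        password:
netname: IPC$
        remark: IPC Service (InlaneFreight SMB server (Samba, Ubuntu))
        path:   C:\tmp
        password:
"""

DEFAULT_SHARES = {"print$", "IPC$"}   # shares Samba exposes by default

def samba_path_to_posix(path):
    """Samba reports POSIX paths with a fake drive letter and backslashes;
    turn 'C:\\redacted\\path\\' into '/redacted/path'."""
    path = re.sub(r"^[A-Za-z]:", "", path)      # drop the drive letter
    posix = path.replace("\\", "/").strip("/")   # flip slashes, trim ends
    return "/" + posix if posix else "/"

def parse_netshareenumall(text):
    """Group the 'netname:' blocks into one dict per share."""
    shares, current = [], None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")   # split on the first colon only
        value = value.strip()
        if key == "netname":
            current = {"netname": value}
            shares.append(current)
        elif current is not None and key in ("remark", "path"):
            current[key] = samba_path_to_posix(value) if key == "path" else value
    return shares

def non_default_shares(shares):
    """Anything beyond print$/IPC$ is a custom share whose permissions need review."""
    return [s for s in shares if s["netname"] not in DEFAULT_SHARES]
```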