Wednesday, December 16, 2015

More with smbclient, smbget, enum4linux


More notes because I can never remember and I'm sick of looking it up

Testing open shares/445

List shares with smbclient -L 1.2.3.4

root@localhost:~# smbclient -L 1.2.3.4
Enter root's password: 
Anonymous login successful
Domain=[MSHOME] OS=[VxWorks] Server=[NQ 4.32]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       
        MEMORY_CARD     Disk      FLASH MEMORY PHOTO
Anonymous login successful
Domain=[MSHOME] OS=[VxWorks] Server=[NQ 4.32]

        Server               Comment
        ---------            -------

        Workgroup            Master

        ---------            -------

Try to connect to the share

root@localhost:~# smbclient \\\\1.2.3.4\\MEMORY_CARD
Enter root's password: 
Anonymous login successful
Domain=[MSHOME] OS=[VxWorks] Server=[NQ 4.32]
tree connect failed: NT_STATUS_ACCESS_DENIED

Boo

When it works

root@localhost:~# smbclient \\\\2.3.4.5\\MDMLOAD
Enter root's password: 
Anonymous login successful
Domain=[DEMO] OS=[Unix] Server=[Samba 3.6.23-20.el6]
smb: \> l
  .                                   D        0  Wed Nov  4 02:42:15 2015
  ..                                  D        0  Mon Oct 12 20:38:40 2015
  input.csv                           A     2024  Mon Nov  2 22:13:18 2015

59400 blocks of size 2097152. 19612 blocks available

enum4linux can help out when you have a bunch of shares to check or just want to do things quickly: -S checks shares, although you probably just want to do a -a for everything.


root@localhost:~/enum4linux-0.8.9# perl enum4linux.pl -S 3.4.5.6
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Dec 15 22:34:52 2015

 ==========================
|    Target Information    |
 ==========================
Target ........... 3.4.5.6   
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ========================================== 
|    Share Enumeration on 3.4.5.6    |
 ========================================== 
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.12]
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.12]

        Sharename       Type      Comment
        ---------       ----      -------
        www             Disk      Public Stuff
        IPC$            IPC       IPC Service (Samba Server Version 4.1.12)

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

[+] Attempting to map shares on 3.4.5.6
//3.4.5.6/www     Mapping: OK, Listing: OK
//3.4.5.6/IPC$    Mapping: OK     Listing: DENIED
enum4linux complete on Tue Dec 15 22:35:09 2015

root@localhost:~# smbclient \\\\3.4.5.6\\www
Enter root's password:
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.12]
smb: \> ls
  .                            DR        0  Sat Dec 12 14:23:20 2015
  ..                            D        0  Thu Oct  8 11:53:20 2015

 oops                           D        0  Fri Nov 27 17:38:04 2015
---SNIP---
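The share check above (smbclient -L, then try to map and list each share, the way enum4linux -S reports Mapping/Listing) as a small audit script for hosts you administer. This is an added example, not code from the post or from enum4linux; it assumes smbclient is on PATH, and the parsing and verdict functions run offline on captured output.

```shell
#!/bin/sh
# Audit the hosts you administer for shares an anonymous (null-session)
# user can map and list, reproducing enum4linux's Mapping/Listing check.
# Assumes smbclient is on PATH; parse_shares and classify_result work
# offline on captured output, so they can be exercised without a target.

# Read `smbclient -L` output on stdin and print Disk share names, one per
# line. The table runs from the "Sharename ... Type" header to the next
# blank line; IPC$ and printer shares are skipped.
parse_shares() {
    awk '
        /^[ \t]*Sharename[ \t]+Type/ { in_table = 1; next }
        in_table && /^[ \t]*-+/      { next }           # dashed underline
        in_table && NF == 0          { in_table = 0 }
        in_table && $2 == "Disk"     { print $1 }
    '
}

# Turn captured smbclient output into the verdict enum4linux prints:
# "tree connect failed" means the share could not be mapped, any other
# NT_STATUS error means it mapped but the listing was denied.
classify_result() {
    case $1 in
        *"tree connect failed"*) echo "Mapping: DENIED" ;;
        *NT_STATUS_*)            echo "Mapping: OK, Listing: DENIED" ;;
        *)                       echo "Mapping: OK, Listing: OK" ;;
    esac
}

# Null-session share list for one host (-N suppresses the password prompt).
list_shares() {
    smbclient -N -L "$1" 2>/dev/null | parse_shares
}

# Map one share anonymously and try to list its root directory.
check_share() {
    out=$(smbclient -N "//$1/$2" -c ls 2>&1)
    echo "//$1/$2  $(classify_result "$out")"
}

# Usage: audit_hosts hosts.txt  (one IP or hostname per line)
audit_hosts() {
    while read -r host; do
        [ -n "$host" ] || continue
        for share in $(list_shares "$host"); do
            check_share "$host" "$share"
        done
    done < "$1"
}
```

Shares that come back "Mapping: OK, Listing: OK" with no credentials are the ones to fix in smb.conf (guest ok / map to guest) or firewall off from the networks that do not need them.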

Want to download a whole folder?


root@localhost:~# smbget -R smb://3.4.5.6/www/oops
Username for www at 3.4.5.6 [guest] 
Password for www at 3.4.5.6: 
Using workgroup WORKGROUP, guest user
smb://3.4.5.6/www/oops/images/defaultpic.gif   smb://3.4.5.6/www/oops/images/ad2.jpg            
---SNIP---

enum4linux is also super handy internally: it tries multiple ways to get the domain SID and, if successful, brute forces RIDs under that SID (the RID range shown above) to enumerate the SIDs/user accounts for the domain.
CG

3 comments:

Anonymous said...

I always wonder how Shodan gets its share names. On my local machine there is no problem, but I couldn't figure out share names on a remote machine. I've port forwarding turned on (echo '1' > /proc/sys/net/ipv4/ip_forward) and a positive TTL response, but always get this error: failed (Error NT_STATUS_IO_TIMEOUT)
I think the request is blocked by a firewall, but how does Shodan.com get its results?

CG said...

You know, I don't know. I have definitely experienced some similar issues. Also be aware that a good chunk of ISPs filter 135/139/445 on purpose and you can't connect to the hosts. I have to use a colo (Digital Ocean, Rackspace, Linode, etc.) to get unfiltered access to the internet.

You can always ask John, he's pretty accessible over Twitter.

Anonymous said...

I appreciate it, thank you a lot. You were right. The NetBIOS request was blocked by my ISP router. I turned it off and now I'm getting the same answer as John gets. Thanks and happy X-Mas.