SMB exploitation

Started by blackhouse, January 14, 2021, 05:29:00 AM



January 14, 2021, 05:29:00 AM Last modified: January 14, 2021, 01:58:39 PM by Gabriela
Hi forum!
I'm trying to exploit a Samba service.
With enum4linux I get the following output:

Code:
root@ip-10-10-127-5:~# enum4linux 10.10.31.74
WARNING: polenum.py is not in your path.  Check that package is installed and your PATH is sane.
WARNING: ldapsearch is not in your path.  Check that package is installed and your PATH is sane.
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Jan 14 08:21:56 2021

==========================
|    Target Information    |
==========================
Target ........... 10.10.31.74
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


===================================================
|    Enumerating Workgroup/Domain on 10.10.31.74    |
===================================================
[+] Got domain/workgroup name: WORKGROUP

===========================================
|    Nbtstat Information for 10.10.31.74    |
===========================================
Looking up status of 10.10.31.74
POLOSMB         <00> -         B <ACTIVE>  Workstation Service
POLOSMB         <03> -         B <ACTIVE>  Messenger Service
POLOSMB         <20> -         B <ACTIVE>  File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

MAC Address = 00-00-00-00-00-00

====================================
|    Session Check on 10.10.31.74    |
====================================
[+] Server 10.10.31.74 allows sessions using username '', password ''

==========================================
|    Getting domain SID for 10.10.31.74    |
==========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

=====================================
|    OS information on 10.10.31.74    |
=====================================
Use of uninitialized value $os_info in concatenation (.) or string at /root/Desktop/Tools/Miscellaneous/enum4linux.pl line 464.
[+] Got OS info for 10.10.31.74 from smbclient:
[+] Got OS info for 10.10.31.74 from srvinfo:
POLOSMB        Wk Sv PrQ Unx NT SNT polosmb server (Samba, Ubuntu)
platform_id     : 500
os version      : 6.1
server type     : 0x809a03

============================
|    Users on 10.10.31.74    |
============================
Use of uninitialized value $users in print at /root/Desktop/Tools/Miscellaneous/enum4linux.pl line 876.
Use of uninitialized value $users in pattern match (m//) at /root/Desktop/Tools/Miscellaneous/enum4linux.pl line 879.

Use of uninitialized value $users in print at /root/Desktop/Tools/Miscellaneous/enum4linux.pl line 892.
Use of uninitialized value $users in pattern match (m//) at /root/Desktop/Tools/Miscellaneous/enum4linux.pl line 894.

========================================
|    Share Enumeration on 10.10.31.74    |
========================================
WARNING: The "syslog" option is deprecated

Sharename       Type      Comment
---------       ----      -------
netlogon        Disk      Network Logon Service
profiles        Disk      Users profiles
print$          Disk      Printer Drivers
IPC$            IPC       IPC Service (polosmb server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

Server               Comment
---------            -------

Workgroup            Master
---------            -------
WORKGROUP            POLOSMB

[+] Attempting to map shares on 10.10.31.74
//10.10.31.74/netlogon [E] Can't understand response:
WARNING: The "syslog" option is deprecated
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
//10.10.31.74/profiles Mapping: OK, Listing: OK
//10.10.31.74/print$ Mapping: DENIED, Listing: N/A
//10.10.31.74/IPC$ [E] Can't understand response:
WARNING: The "syslog" option is deprecated
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

===================================================
|    Password Policy Information for 10.10.31.74    |
===================================================
[E] Dependent program "polenum.py" not present.  Skipping this check.  Download polenum from http://labs.portcullis.co.uk/application/polenum/


=============================
|    Groups on 10.10.31.74    |
=============================

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

======================================================================
|    Users on 10.10.31.74 via RID cycling (RIDS: 500-550,1000-1050)    |
======================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-434125608-3964652802-3194254534
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\cactus (Local User)
[+] Enumerating users using SID S-1-5-21-434125608-3964652802-3194254534 and logon username '', password ''
S-1-5-21-434125608-3964652802-3194254534-500 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-501 POLOSMB\nobody (Local User)
S-1-5-21-434125608-3964652802-3194254534-502 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-503 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-504 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-505 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-506 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-507 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-508 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-509 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-510 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-511 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-512 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-513 POLOSMB\None (Domain Group)
S-1-5-21-434125608-3964652802-3194254534-514 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-515 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-516 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-517 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-518 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-519 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-520 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-521 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-522 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-523 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-524 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-525 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-526 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-527 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-528 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-529 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-530 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-531 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-532 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-533 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-534 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-535 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-536 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-537 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-538 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-539 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-540 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-541 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-542 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-543 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-544 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-545 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-546 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-547 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-548 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-549 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-550 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1000 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1001 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1002 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1003 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1004 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1005 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1006 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1007 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1008 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1009 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1010 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1011 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1012 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1013 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1014 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1015 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1016 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1017 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1018 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1019 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1020 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1021 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1022 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1023 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1024 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1025 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1026 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1027 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1028 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1029 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1030 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1031 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1032 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1033 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1034 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1035 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1036 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1037 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1038 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1039 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1040 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1041 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1042 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1043 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1044 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1045 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1046 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1047 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1048 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1049 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
S-1-5-32-501 *unknown*\*unknown* (8)
S-1-5-32-502 *unknown*\*unknown* (8)
S-1-5-32-503 *unknown*\*unknown* (8)
S-1-5-32-504 *unknown*\*unknown* (8)
S-1-5-32-505 *unknown*\*unknown* (8)
S-1-5-32-506 *unknown*\*unknown* (8)
S-1-5-32-507 *unknown*\*unknown* (8)
S-1-5-32-508 *unknown*\*unknown* (8)
S-1-5-32-509 *unknown*\*unknown* (8)
S-1-5-32-510 *unknown*\*unknown* (8)
S-1-5-32-511 *unknown*\*unknown* (8)
S-1-5-32-512 *unknown*\*unknown* (8)
S-1-5-32-513 *unknown*\*unknown* (8)
S-1-5-32-514 *unknown*\*unknown* (8)
S-1-5-32-515 *unknown*\*unknown* (8)
S-1-5-32-516 *unknown*\*unknown* (8)
S-1-5-32-517 *unknown*\*unknown* (8)
S-1-5-32-518 *unknown*\*unknown* (8)
S-1-5-32-519 *unknown*\*unknown* (8)
S-1-5-32-520 *unknown*\*unknown* (8)
S-1-5-32-521 *unknown*\*unknown* (8)
S-1-5-32-522 *unknown*\*unknown* (8)
S-1-5-32-523 *unknown*\*unknown* (8)
S-1-5-32-524 *unknown*\*unknown* (8)
S-1-5-32-525 *unknown*\*unknown* (8)
S-1-5-32-526 *unknown*\*unknown* (8)
S-1-5-32-527 *unknown*\*unknown* (8)
S-1-5-32-528 *unknown*\*unknown* (8)
S-1-5-32-529 *unknown*\*unknown* (8)
S-1-5-32-530 *unknown*\*unknown* (8)
S-1-5-32-531 *unknown*\*unknown* (8)
S-1-5-32-532 *unknown*\*unknown* (8)
S-1-5-32-533 *unknown*\*unknown* (8)
S-1-5-32-534 *unknown*\*unknown* (8)
S-1-5-32-535 *unknown*\*unknown* (8)
S-1-5-32-536 *unknown*\*unknown* (8)
S-1-5-32-537 *unknown*\*unknown* (8)
S-1-5-32-538 *unknown*\*unknown* (8)
S-1-5-32-539 *unknown*\*unknown* (8)
S-1-5-32-540 *unknown*\*unknown* (8)
S-1-5-32-541 *unknown*\*unknown* (8)
S-1-5-32-542 *unknown*\*unknown* (8)
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-32-1001 *unknown*\*unknown* (8)
S-1-5-32-1002 *unknown*\*unknown* (8)
S-1-5-32-1003 *unknown*\*unknown* (8)
S-1-5-32-1004 *unknown*\*unknown* (8)
S-1-5-32-1005 *unknown*\*unknown* (8)
S-1-5-32-1006 *unknown*\*unknown* (8)
S-1-5-32-1007 *unknown*\*unknown* (8)
S-1-5-32-1008 *unknown*\*unknown* (8)
S-1-5-32-1009 *unknown*\*unknown* (8)
S-1-5-32-1010 *unknown*\*unknown* (8)
S-1-5-32-1011 *unknown*\*unknown* (8)
S-1-5-32-1012 *unknown*\*unknown* (8)
S-1-5-32-1013 *unknown*\*unknown* (8)
S-1-5-32-1014 *unknown*\*unknown* (8)
S-1-5-32-1015 *unknown*\*unknown* (8)
S-1-5-32-1016 *unknown*\*unknown* (8)
S-1-5-32-1017 *unknown*\*unknown* (8)
S-1-5-32-1018 *unknown*\*unknown* (8)
S-1-5-32-1019 *unknown*\*unknown* (8)
S-1-5-32-1020 *unknown*\*unknown* (8)
S-1-5-32-1021 *unknown*\*unknown* (8)
S-1-5-32-1022 *unknown*\*unknown* (8)
S-1-5-32-1023 *unknown*\*unknown* (8)
S-1-5-32-1024 *unknown*\*unknown* (8)
S-1-5-32-1025 *unknown*\*unknown* (8)
S-1-5-32-1026 *unknown*\*unknown* (8)
S-1-5-32-1027 *unknown*\*unknown* (8)
S-1-5-32-1028 *unknown*\*unknown* (8)
S-1-5-32-1029 *unknown*\*unknown* (8)
S-1-5-32-1030 *unknown*\*unknown* (8)
S-1-5-32-1031 *unknown*\*unknown* (8)
S-1-5-32-1032 *unknown*\*unknown* (8)
S-1-5-32-1033 *unknown*\*unknown* (8)
S-1-5-32-1034 *unknown*\*unknown* (8)
S-1-5-32-1035 *unknown*\*unknown* (8)
S-1-5-32-1036 *unknown*\*unknown* (8)
S-1-5-32-1037 *unknown*\*unknown* (8)
S-1-5-32-1038 *unknown*\*unknown* (8)
S-1-5-32-1039 *unknown*\*unknown* (8)
S-1-5-32-1040 *unknown*\*unknown* (8)
S-1-5-32-1041 *unknown*\*unknown* (8)
S-1-5-32-1042 *unknown*\*unknown* (8)
S-1-5-32-1043 *unknown*\*unknown* (8)
S-1-5-32-1044 *unknown*\*unknown* (8)
S-1-5-32-1045 *unknown*\*unknown* (8)
S-1-5-32-1046 *unknown*\*unknown* (8)
S-1-5-32-1047 *unknown*\*unknown* (8)
S-1-5-32-1048 *unknown*\*unknown* (8)
S-1-5-32-1049 *unknown*\*unknown* (8)
S-1-5-32-1050 *unknown*\*unknown* (8)

============================================
|    Getting printer info for 10.10.31.74    |
============================================
No printers returned.


enum4linux complete on Thu Jan 14 08:22:52 2021

Nmap:

Code:
root@ip-10-10-127-5:~# nmap -vv -T4 -sS 10.10.31.74

Starting Nmap 7.60 ( https://nmap.org ) at 2021-01-14 08:24 GMT
Initiating ARP Ping Scan at 08:24
Scanning 10.10.31.74 [1 port]
Completed ARP Ping Scan at 08:24, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:24
Completed Parallel DNS resolution of 1 host. at 08:24, 0.00s elapsed
Initiating SYN Stealth Scan at 08:24
Scanning ip-10-10-31-74.eu-west-1.compute.internal (10.10.31.74) [1000 ports]
Discovered open port 445/tcp on 10.10.31.74
Discovered open port 139/tcp on 10.10.31.74
Discovered open port 22/tcp on 10.10.31.74
Completed SYN Stealth Scan at 08:24, 1.25s elapsed (1000 total ports)
Nmap scan report for ip-10-10-31-74.eu-west-1.compute.internal (10.10.31.74)
Host is up, received arp-response (0.00090s latency).
Scanned at 2021-01-14 08:24:23 GMT for 2s
Not shown: 997 closed ports
Reason: 997 resets
PORT    STATE SERVICE      REASON
22/tcp  open  ssh          syn-ack ttl 64
139/tcp open  netbios-ssn  syn-ack ttl 64
445/tcp open  microsoft-ds syn-ack ttl 64
MAC Address: 02:AB:E0:AB:6E:B5 (Unknown)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.63 seconds
           Raw packets sent: 1002 (44.072KB) | Rcvd: 1002 (40.080KB)

We can see that we have several users and passwords, and of course ports 139 and 445 are open, so we can see that the SMB service is running.
But the curious thing is that if I try to connect to the service with smbclient it lets me in and lets me see the files, even if I make up the users and passwords. We can also see that anonymous authentication is enabled, but the user is Anonymous.

What I expected was that it would let me authenticate with the credentials we were able to get with enum4linux, but why does it let me connect, list files and run commands with any invented credentials?

Thanks!
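Added example, not part of the original post and not enum4linux's own code: a small Python 3 script that turns an enum4linux dump like the one above into the findings that matter next (whether the null session worked, which shares actually mapped and listed, the real accounts hidden among the `*unknown*` RID-cycling lines) and then builds the three `smbclient -L` listings whose outcomes separate Samba guest mapping from a genuine login. Samba's `map to guest = Bad User` sends logins with a non-existent username to the guest account, and `map to guest = Bad Password` does the same for a real username with a wrong password; either setting is what makes invented credentials "work". The sample input is an abridged copy of the output in the post; `Triage`, `probe_commands`, `run_probes` and the other names are this example's own, and `run_probes` executes nothing unless `smbclient` is on PATH.

```python
"""enum4linux triage: added example (Python 3, standard library only).
Function and field names are this example's own, not enum4linux's."""
from __future__ import annotations

import re
import shutil
import subprocess
from dataclasses import dataclass, field

# Constructed sample: an abridged excerpt of the enum4linux output in the post.
SAMPLE = r"""
Target ........... 10.10.31.74
[+] Server 10.10.31.74 allows sessions using username '', password ''
netlogon        Disk      Network Logon Service
profiles        Disk      Users profiles
print$          Disk      Printer Drivers
IPC$            IPC       IPC Service (polosmb server (Samba, Ubuntu))
//10.10.31.74/netlogon [E] Can't understand response:
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
//10.10.31.74/profiles Mapping: OK, Listing: OK
//10.10.31.74/print$ Mapping: DENIED, Listing: N/A
//10.10.31.74/IPC$ [E] Can't understand response:
S-1-22-1-1000 Unix User\cactus (Local User)
S-1-5-21-434125608-3964652802-3194254534-500 *unknown*\*unknown* (8)
S-1-5-21-434125608-3964652802-3194254534-501 POLOSMB\nobody (Local User)
S-1-5-21-434125608-3964652802-3194254534-513 POLOSMB\None (Domain Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
"""

TARGET_RE = re.compile(r"^Target\s+\.+\s+(\S+)", re.M)
NULL_SESSION_RE = re.compile(r"allows sessions using username '', password ''")
SHARE_LIST_RE = re.compile(r"^\s*(?P<name>\S+)\s+(?P<type>Disk|IPC|Printer)\s+\S", re.M)
SHARE_MAP_RE = re.compile(r"^//[^/]+/(?P<share>\S+)\s+Mapping: (?P<map>\w+), Listing: (?P<list>\S+)", re.M)
RID_RE = re.compile(r"^(?P<sid>S-1-[0-9-]+)\s+(?P<domain>[^\\\n]+)\\(?P<name>.+?)\s+"
                    r"\((?P<kind>Local User|Local Group|Domain User|Domain Group)\)\s*$", re.M)


@dataclass
class Triage:
    target: str = ""
    null_session: bool = False
    shares: dict[str, str] = field(default_factory=dict)               # share -> Disk/IPC/Printer
    mapping: dict[str, tuple[str, str]] = field(default_factory=dict)  # share -> (Mapping, Listing)
    accounts: list[tuple[str, str, str]] = field(default_factory=list)  # (SID, DOMAIN\name, kind)


def parse_enum4linux(text: str) -> Triage:
    """Pull target, null-session result, share table, share mapping and RID-cycling hits."""
    t = Triage()
    m = TARGET_RE.search(text)
    t.target = m.group(1) if m else ""
    t.null_session = NULL_SESSION_RE.search(text) is not None
    for m in SHARE_LIST_RE.finditer(text):
        t.shares[m.group("name")] = m.group("type")
    for m in SHARE_MAP_RE.finditer(text):
        t.mapping[m.group("share")] = (m.group("map"), m.group("list"))
    for m in RID_RE.finditer(text):  # '*unknown*\*unknown* (8)' lines never match: no kind
        t.accounts.append((m.group("sid"), m.group("domain") + "\\" + m.group("name"), m.group("kind")))
    return t


def readable_shares(t: Triage) -> list[str]:
    """Shares enum4linux could both connect to and list with empty credentials."""
    return sorted(s for s, (mp, ls) in t.mapping.items() if mp == "OK" and ls == "OK")


def unmapped_shares(t: Triage) -> list[str]:
    """Advertised shares whose anonymous map was denied or errored: retry these with credentials."""
    return sorted(s for s in t.shares if t.mapping.get(s, ("ERROR", ""))[0] != "OK")


def user_accounts(t: Triage) -> list[str]:
    """User accounts from RID cycling (groups dropped); these are usernames, not credentials."""
    return [name for _, name, kind in t.accounts if kind.endswith("User")]


def probe_commands(target: str, known_user: str) -> dict[str, list[str]]:
    """Three share listings whose outcomes separate guest mapping from a real login.

    null    - no user, no password (anonymous / null session)
    bogus   - a user that cannot exist: lists shares only if Samba maps unknown
              users to guest (map to guest = Bad User)
    wrongpw - a real user from RID cycling with a wrong password: lists shares
              only with map to guest = Bad Password
    """
    unc = f"//{target}"
    return {
        "null": ["smbclient", "-L", unc, "-N"],
        "bogus": ["smbclient", "-L", unc, "-U", "nosuchuser%nosuchpass"],
        "wrongpw": ["smbclient", "-L", unc, "-U", f"{known_user}%definitely-wrong"],
    }


def run_probes(cmds: dict[str, list[str]]) -> dict[str, int]:
    """Exit code per probe (0 = listing succeeded); empty if smbclient is not installed."""
    if shutil.which("smbclient") is None:
        return {}
    return {k: subprocess.run(v, capture_output=True, timeout=30).returncode for k, v in cmds.items()}


if __name__ == "__main__":
    tri = parse_enum4linux(SAMPLE)
    print(f"target={tri.target} null_session={tri.null_session}")
    print("anonymous:", readable_shares(tri), "| retry with creds:", unmapped_shares(tri))
    print("users:", user_accounts(tri))
    cmds = probe_commands(tri.target, user_accounts(tri)[0].split("\\")[-1])
    for name, argv in cmds.items():
        print(f"{name:8s}", " ".join(argv))
    print(run_probes(cmds) or "smbclient not found; run the three probes above by hand")
```

Reading the three exit codes: if `bogus` lists shares but `wrongpw` does not, the server maps unknown usernames to guest and the invented password was never checked; if both list shares, bad passwords are mapped to guest as well, and whatever you "log in" as, you hold only the guest account's access (here, the `profiles` share that already mapped anonymously). A real login as `cactus` would show up as `wrongpw` failing and the correct password succeeding.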