Category:Penetration-testing/Samba

From aldeid
Jump to navigation Jump to search
You are here
Samba

Description

What is Samba?

Samba is the standard Windows interoperability suite of programs for Linux and Unix. It allows end users to access and use files, printers and other commonly shared resources on a companies intranet or internet. Its often refereed to as a network file system.

Samba is based on the common client/server protocol of Server Message Block (SMB). SMB is developed only for Windows, without Samba, other computer platforms would be isolated from Windows machines, even if they were part of the same network.

Ports

SMB has two ports, 445 and 139.

  • Port 139: SMB originally ran on top of NetBIOS using port 139. NetBIOS is an older transport layer that allows Windows computers to talk to each other on the same network.
  • Port 445: Later versions of SMB (after Windows 2000) began to use port 445 on top of a TCP stack. Using TCP allows SMB to work over the Internet.

List Samba shares

Nmap

Nmap scripts can be found here: https://svn.nmap.org/nmap/scripts/ 

$ nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.139.109
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-14 08:36 CEST
Nmap scan report for 10.10.139.109
Host is up (0.046s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.139.109\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (kenobi server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.139.109\anonymous: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\kenobi\share
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.139.109\print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>
|_smb-enum-users: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 7.36 seconds

smbclient

$ smbclient -L 10.10.123.186
Enter WORKGROUP\unknown's password: 

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	anonymous       Disk      
	IPC$            IPC       IPC Service (kenobi server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

enum4linux

$ enum4linux 10.10.123.186 | tee enum4linux.txt
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu May 14 12:55:31 2020

...[SNIP]...

 ========================================== 
|    Share Enumeration on 10.10.123.186    |
 ========================================== 

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	anonymous       Disk      
	IPC$            IPC       IPC Service (kenobi server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.123.186
//10.10.123.186/print$	Mapping: DENIED, Listing: N/A
//10.10.123.186/anonymous	Mapping: OK, Listing: OK
//10.10.123.186/IPC$	[E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

List files in a network share

smbclient

$ smbclient //$IP/anonymous
Enter WORKGROUP\unknown's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Sep  4 12:49:09 2019
  ..                                  D        0  Wed Sep  4 12:56:07 2019
  log.txt                             N    12237  Wed Sep  4 12:49:09 2019

		9204224 blocks of size 1024. 6872616 blocks available

Download file from remote share

smbclient

$ smbclient //$IP/anonymous
Enter WORKGROUP\unknown's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Sep  4 12:49:09 2019
  ..                                  D        0  Wed Sep  4 12:56:07 2019
  log.txt                             N    12237  Wed Sep  4 12:49:09 2019

		9204224 blocks of size 1024. 6872616 blocks available
smb: \> get log.txt 
getting file \log.txt of size 12237 as log.txt (57.2 KiloBytes/sec) (average 57.2 KiloBytes/sec)
smb: \> quit

smbget

smbget allows to recursively (-R flag) download files from a share 

$ smbget -R smb://10.10.139.109/anonymous
Password for [unknown] connecting to //anonymous/10.10.139.109: 
Using workgroup SAMBA, user unknown
smb://10.10.139.109/anonymous/log.txt                                                                                                                            
Downloaded 11.95kB in 4 seconds

Tools

findsmb
list Windows machines on the network
nmblookup
Converts a NetBios name into IP
rpcclient
RPC client. Sends an RPC command to a remote machine
smbcacls
Set or get ACLs on an NT file or directory names
smbclient
ftp-like client to access SMB/CIFS resources on servers
smbcquotas
Set or get QUOTAs of NTFS 5 shares
smbget
wget-like utility for download files over SMB
smbmount
mounts a windows or Samba shared directory on the local machine
smbpasswd
change a user´s SMB password
smbspool
send a print file to an SMB printer
smbstatus
displays current connections
smbtar
shell script for backing up SMB/CIFS shares directly to UNIX tape drives
smbtree
A text based smb network browser
Retrieved from "https://www.aldeid.com/w/index.php?title=Category:Penetration-testing/Samba&oldid=36866"