Saturday, 17 September 2016

SMB ENUMERATION


DESCRIPTION
There are several ways to enumerate SMB these days. Various tools (open source and commercial) can make the enumeration task much easier.

In information security every little piece of information counts. If, during a penetration test, you find port 139 open, either externally or internally, there is a good chance of information leakage through the SMB service. Let's look at what information we are talking about and how much it helps to take a penetration test to the next level.

At the time of writing this article, my lab setup looks like this:

Target Machine: running Stapler (Vulnerable Machine) with port 139 open.
IP Address: 192.168.1.105

Attacker Machine: running Kali Linux (with my arsenal :)
IP Address: 192.168.1.111
[screenshot: attacker machine (Kali Linux)]

Note: Everything here is running in a VMware environment, for educational purposes only. If you try this on someone else's network, you do so at your own risk.

Now let's come directly to the point: enumerating port 139 (SMB). But before that we check the banners, which, as usual, reveal a lot of information for us. Let's go.

TCP SCAN
[screenshot: TCP port scan of 192.168.1.105]

UDP SCAN
[screenshot: UDP port scan of 192.168.1.105]
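Port scan screenshots are hard to act on at scale. As an added example that is not part of the original post, the script below reads Nmap XML output (nmap -oX) and lists every host that exposes a NetBIOS or SMB port, which is the defender's version of the scans above: an inventory of what is reachable on 137/139/445 across a subnet. The XML is constructed for the example (the lab target 192.168.1.105 plus a made-up second host 192.168.1.120), not real scan output, and the open|filtered state that Nmap reports for unanswered UDP probes is kept as a possible exposure rather than dropped.

```python
import xml.etree.ElementTree as ET

# Ports the NetBIOS/SMB stack listens on (the ones the scans above look for)
SMB_PORTS = {
    ("udp", 137): "netbios-ns",
    ("udp", 138): "netbios-dgm",
    ("tcp", 139): "netbios-ssn",
    ("tcp", 445): "microsoft-ds",
}

# Constructed nmap -oX output for two lab hosts (not real scan data).
# Nmap reports unanswered UDP probes as open|filtered, so that state is kept.
SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap" args="nmap -sS -sU -p T:22,139,445,U:137 -oX scan.xml 192.168.1.0/24">
  <host>
    <status state="up"/>
    <address addr="192.168.1.105" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="udp" portid="137"><state state="open|filtered"/><service name="netbios-ns"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.1.120" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="139"><state state="closed"/></port>
      <port protocol="udp" portid="137"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>
""".strip()


def smb_exposure(xml_text: str) -> list:
    """Return one entry per host that has an SMB-related port open or open|filtered."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        exposed = []
        for port in host.iter("port"):
            key = (port.get("protocol"), int(port.get("portid")))
            state = port.find("state")
            if key not in SMB_PORTS or state is None:
                continue
            if state.get("state") in ("open", "open|filtered"):
                exposed.append({"proto": key[0], "port": key[1],
                                "service": SMB_PORTS[key], "state": state.get("state")})
        if exposed:
            findings.append({"ip": addr.get("addr"), "ports": exposed})
    return findings


def report(findings: list) -> list:
    """Human-readable one-liner per exposed host."""
    lines = []
    for f in findings:
        ports = ", ".join("%s/%d %s (%s)" % (p["proto"], p["port"], p["service"], p["state"])
                          for p in f["ports"])
        lines.append("%s exposes %s" % (f["ip"], ports))
    return lines


if __name__ == "__main__":
    for line in report(smb_exposure(SAMPLE_NMAP_XML)):
        print(line)
```

Run it against a real scan by replacing SAMPLE_NMAP_XML with the contents of the file written by nmap -oX; only hosts with at least one matching port appear, so the second constructed host (139 and 137 closed) is correctly absent from the output.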
NOTE
Before going deeper, it is important to understand the service we are targeting, i.e. NetBIOS. According to Wikipedia, NetBIOS provides three distinct services:
  1. Session service (NetBIOS-SSN) for connection-oriented communication.
  2. Name service (NetBIOS-NS) for name registration and resolution.
  3. Datagram distribution service (NetBIOS-DGM) for connectionless communication.
Of these three services, we will only focus on the first two, i.e. NetBIOS-SSN and NetBIOS-NS.

Session service (NetBIOS-SSN)
  • Session mode lets two computers establish a connection, allows messages to span multiple packets, and provides error detection and recovery. In NBT (Netbios over TCP/IP), the session service runs on TCP port 139. ~Wikipedia
Name Service (NetBIOS-NS)
  • In order to start sessions or distribute datagrams, an application must register its NetBIOS name using the name service.
  • NetBIOS names are 16 octets in length and vary based on the particular implementation.
  • The name service operates on UDP port 137 (TCP port 137 can also be used, but rarely is). ~Wikipedia
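The two UDP/137 name-service packets that nmblookup (and enum4linux -n, later in this post) exchange with a host can be built and decoded by hand. The following is an added example written for this page, not code from the post or from the Samba project: it implements the RFC 1001 first-level name encoding behind the 16-octet names mentioned above (15 bytes of name plus a 1-byte suffix), builds the node-status query, and parses a constructed reply from a hypothetical host LABHOST in WORKGROUP (the names, suffix bytes and MAC address are made up). From the defender's side this is exactly the traffic a firewall rule or IDS signature on UDP/137 sees, so knowing the byte layout helps when reviewing captures or deciding what to block at the perimeter.

```python
import struct

NBSTAT = 0x0021      # question type of a NetBIOS node-status request (RFC 1002)
IN_CLASS = 0x0001    # Internet class

# Well-known suffix bytes, labelled the way nmblookup / nbtscan print them
SUFFIX_MEANING = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x20: "File Server Service",
}


def encode_netbios_name(name: str, suffix: int, pad: bytes = b" ") -> bytes:
    """First-level encoding (RFC 1001 14.1): pad the name to 15 bytes, append the
    1-byte suffix, then write each byte as two nibbles, each added to 'A'."""
    raw = name.upper().encode("ascii").ljust(15, pad) + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)                                  # always 32 bytes


def decode_netbios_name(encoded: bytes):
    """Reverse of encode_netbios_name; returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]


def _qname(encoded: bytes) -> bytes:
    # length byte, 32 encoded characters, empty scope terminator
    return bytes([32]) + encoded + b"\x00"


def build_nbstat_query(txid: int) -> bytes:
    """The 50-byte request nmblookup -A sends: the wildcard name '*' (NUL padded),
    which encodes to the well-known CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # one question, no answers
    wildcard = encode_netbios_name("*", 0x00, pad=b"\x00")
    return header + _qname(wildcard) + struct.pack(">HH", NBSTAT, IN_CLASS)


def build_nbstat_response(txid: int, names, mac: bytes) -> bytes:
    """What the responding node sends back. names: list of (name, suffix, is_group)."""
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)   # QR=1, AA=1, one answer
    rdata = bytes([len(names)])
    for name, suffix, is_group in names:
        flags = 0x0400 | (0x8000 if is_group else 0)             # ACT bit, GROUP bit
        rdata += (name.upper().encode("ascii").ljust(15, b" ")
                  + bytes([suffix]) + struct.pack(">H", flags))
    rdata += mac + b"\x00" * 40        # 46-byte statistics block: unit id (MAC) + counters
    rr = _qname(encode_netbios_name("*", 0x00, pad=b"\x00"))
    rr += struct.pack(">HHIH", NBSTAT, IN_CLASS, 0, len(rdata))  # type, class, TTL, RDLENGTH
    return header + rr + rdata


def parse_nbstat_response(data: bytes) -> dict:
    """Decode the name table and MAC address from a node-status response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a node-status answer")
    off = 12
    off += 1 + data[off] + 1                      # skip length byte, encoded name, terminator
    rtype, _rclass, _ttl, _rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rtype != NBSTAT:
        raise ValueError("unexpected record type 0x%04x" % rtype)
    count = data[off]
    off += 1
    names = []
    for _ in range(count):
        entry = data[off:off + 18]                # 15 name bytes, suffix, 2 flag bytes
        off += 18
        nflags = struct.unpack(">H", entry[16:18])[0]
        names.append({
            "name": entry[:15].rstrip(b" ").decode("ascii", "replace"),
            "suffix": entry[15],
            "group": bool(nflags & 0x8000),
            "meaning": SUFFIX_MEANING.get(entry[15], "unknown"),
        })
    mac = ":".join("%02x" % b for b in data[off:off + 6])
    return {"txid": txid, "names": names, "mac": mac}


def demo() -> dict:
    """Round trip with a constructed reply from a hypothetical host LABHOST in WORKGROUP."""
    query = build_nbstat_query(0x1234)
    assert len(query) == 50
    reply = build_nbstat_response(0x1234, [
        ("LABHOST", 0x00, False),     # workstation name
        ("LABHOST", 0x20, False),     # file server: this host offers shares
        ("WORKGROUP", 0x00, True),    # group name = workgroup membership
        ("WORKGROUP", 0x1E, True),
    ], bytes.fromhex("000c29aabbcc"))   # constructed MAC address
    return parse_nbstat_response(reply)


if __name__ == "__main__":
    for n in demo()["names"]:
        kind = "<GROUP>" if n["group"] else "UNIQUE "
        print("%-15s <%02x> %s %s" % (n["name"], n["suffix"], kind, n["meaning"]))
```

The printed table has the same shape as nmblookup -A output: a <20> entry tells you the host offers file shares, and a group entry with suffix <00> gives the workgroup or domain name, which is why blocking UDP/137 from untrusted networks removes a cheap source of host and domain information.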
SAMBA 
  • Samba is a free software re-implementation of the SMB/CIFS networking protocol, and was originally developed by Andrew Tridgell. 
  • Samba provides file and print services.
  • Samba runs on most Unix, OpenVMS and Unix-like systems, such as Linux, Solaris, AIX and the BSD variants, including Apple's OS X Server, and OS X client (version 10.2 and greater).
  • The name Samba comes from SMB (Server Message Block), the name of the standard protocol used by the Microsoft Windows network file system. ~Wikipedia
NMAP SHARES SCAN
Resources: https://nmap.org/nsedoc/scripts/smb-enum-shares.html
[screenshot: output of the Nmap smb-enum-shares script against 192.168.1.105]
Look at the output and try to figure out what information you got. The Nmap script is a good way to start SMB enumeration.

AT UDP
[screenshot: Nmap share scan output over UDP]

ENUM4LINUX
It is a tool for enumerating information from Windows and Samba systems. It is written in Perl and comes pre-installed on Kali Linux.
KEY FEATURES
RID cycling, user listing, listing of group membership information, share enumeration, detecting whether the host is in a workgroup or a domain, identifying the remote operating system, password policy retrieval, etc. Let's enumerate SMB with enum4linux.

Help Command: enum4linux -h


Verbose Mode 
Command: enum4linux 192.168.1.105

Retrieve a List of Usernames via RID Cycling (RestrictAnonymous = 1)
To retrieve the usernames corresponding to the default RID ranges (500-550, 1000-1050), use the -r option:
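RestrictAnonymous is the Windows registry control over null-session enumeration; on a Samba host like the lab target, the equivalent knobs live in smb.conf. As an added example (not from the post, and not the Stapler VM's actual configuration), the script below parses two constructed smb.conf fragments, one permissive and one hardened, and flags the settings that let an anonymous client list users and shares the way enum4linux does. The defaults assumed for unset parameters are those of Samba 4.11 and later, which is an assumption about the server version.

```python
# Two constructed smb.conf fragments (not from the post or from the Stapler VM).
WEAK_CONF = """
[global]
   workgroup = WORKGROUP
   server string = lab file server
   ; no 'hosts allow': any network can reach the service
   restrict anonymous = 0
   map to guest = Bad User
   server min protocol = NT1

[public]
   path = /srv/samba/public
   guest ok = yes
   read only = no

[homes]
   browseable = no
"""

HARDENED_CONF = """
[global]
   workgroup = WORKGROUP
   server string = lab file server
   hosts allow = 192.168.1.0/24
   hosts deny = ALL
   restrict anonymous = 2
   map to guest = Never
   server min protocol = SMB2

[public]
   path = /srv/samba/public
   guest ok = no
   valid users = @staff
   read only = yes
"""

# Samba 4.11+ defaults for the parameters checked (assumption about the target version)
DEFAULTS = {"restrict anonymous": "0", "map to guest": "Never",
            "server min protocol": "SMB2_02"}
SMB1_DIALECTS = {"NT1", "LANMAN1", "LANMAN2", "CORE", "COREPLUS"}


def parse_smb_conf(text: str) -> dict:
    """Minimal smb.conf reader: [section] headers, 'key = value' lines, # or ; comments.
    Keys are lower-cased with internal whitespace collapsed, as Samba treats them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def audit_smb_conf(text: str) -> list:
    """Return one finding per setting that helps an anonymous client enumerate the host."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    found = []

    def flag(section, param, value, advice):
        found.append({"section": section, "param": param, "value": value, "advice": advice})

    ra = g.get("restrict anonymous", DEFAULTS["restrict anonymous"])
    if ra != "2":
        flag("global", "restrict anonymous", ra,
             "anonymous (null session) access not fully restricted; set restrict anonymous = 2")
    mtg = g.get("map to guest", DEFAULTS["map to guest"])
    if mtg.lower() != "never":
        flag("global", "map to guest", mtg,
             "failed logons fall through to the guest account; set map to guest = Never")
    if "hosts allow" not in g:
        flag("global", "hosts allow", "(unset)",
             "no source-address restriction; limit to the subnets that need the shares")
    proto = g.get("server min protocol", DEFAULTS["server min protocol"]).upper()
    if proto in SMB1_DIALECTS:
        flag("global", "server min protocol", proto,
             "SMB1 still negotiated; set server min protocol = SMB2 or higher")
    for share, opts in conf.items():
        if share == "global":
            continue
        guest = opts.get("guest ok", opts.get("public", "no")).lower()   # 'public' is a synonym
        if guest in ("yes", "true", "1"):
            flag(share, "guest ok", guest, "share readable without credentials; set guest ok = no")
    return found


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_smb_conf(conf)
        print("%s config: %d finding(s)" % (label, len(findings)))
        for f in findings:
            print("  [%s] %s = %s -> %s" % (f["section"], f["param"], f["value"], f["advice"]))
```

Point the script at a real /etc/samba/smb.conf by reading the file into the text argument; Samba's own testparm utility remains the authoritative way to confirm the effective values, including defaults that differ between Samba versions.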

Retrieve a list of usernames by specifying a RID range with the -R option:

Retrieve NetBIOS Information
The -n option causes enum4linux to run nmblookup and do some extra parsing on its output to provide human-readable information about the remote host.

Listing Windows Shares
If the server allows it, you can obtain a complete list of shares with the -S option. This uses smbclient under the hood, which also seems to grab the browse list.


Listing Windows Shares with Verbose Mode 


The screenshot below shows that smbclient is used to map the shares:
[screenshot: smbclient mapping the shares]


Retrieving OS Information 

Retrieving Printer Info
You can get some information about printers known to the remote device with the -i option.

AT THE END
  • We enumerated SMB using Nmap and enum4linux.
  • enum4linux automates our SMB enumeration and helps us take our penetration testing to the next level.
  • I hope this article on "SMB Enumeration" helps someone in the infosec community. Signing off :)
  • Join us on Facebook - https://www.facebook.com/hackingDNA
THIS IS JUST FOR EDUCATIONAL PURPOSES ONLY

2 comments:

Anonymous said...

Great article, but it would be cool if you added some more information here rather than just copying and pasting from the Portcullis page...
https://labs.portcullis.co.uk/tools/enum4linux/

Anonymous said...

Any Windows tools?
