
Penetration Testing in SMB Protocol

In hacking, ports and protocols play a major role: nothing is possible without them. So, before working with SMB, let us first understand ports and protocols.
In information technology, a protocol is the set of rules that the end points of a telecommunication connection follow when they communicate; it specifies the interactions between the communicating entities. Network protocols are thus the language of rules and conventions used to handle communication between network devices and to keep a network operating properly. They include key internet protocols such as IP and IPv6 as well as DNS and FTP, and more network-specific protocols such as SNMP and NTP.
In the internet protocol suite, a port is an endpoint of communication in an operating system: a logical channel for communication between two devices. Bi-directional communication and more complex connections may use several ports (channels) at once. A port is always associated with the IP address of a host and with the transport protocol in use, and together these complete the destination or origin address of a communication session.
For each address and protocol, a port is identified by a 16-bit number, commonly known as the port number.
With ports and protocols understood, let us now look at the SMB protocol itself.
SMB: Server Message Block, one dialect of which (now obsolete) was known as Common Internet File System (CIFS), is an application-layer network protocol for file sharing that allows applications on a computer to read and write files and to request services from server programs on a network. SMB runs on top of TCP/IP (today directly on TCP port 445) or, historically, other network protocols. Using SMB, an application (or the user of an application) can access files or other resources on a remote server: read, create and update files there, and talk to any server program set up to accept SMB client requests.
At the time of writing, the latest version of SMB is 3.1.1, introduced with Windows 10 and Windows Server 2016. This version adds AES-128-GCM encryption alongside the AES-128-CCM encryption introduced in SMB 3.0, and implements a pre-authentication integrity check using SHA-512 so that a man-in-the-middle cannot tamper with the negotiate and session-setup exchange unnoticed. SMB 3.1.1 also makes secure negotiation mandatory when connecting with clients using SMB 2.x and higher.
Working of SMB: SMB is a request-response, or client-server, protocol. The only time it does not work in a request-response fashion is when a client requests an opportunistic lock (oplock) and the server has to break an existing oplock because the requested mode is incompatible with it. Client computers using SMB connect to a server over NetBIOS over TCP/IP (port 139), or historically over IPX/SPX or NetBEUI; modern implementations speak SMB directly over TCP port 445. Once the connection is established, the client can open, read, write and otherwise access files much as it would on a local file system.
SMB Protocol Security: The SMB protocol supports two levels of security. The first is share level: the server is protected at the share, each share has a password, and the client computer or user has to supply that password to access data or files saved under the specific share. This is the only security model available in the Core and Core Plus SMB protocol definitions. User-level security was added later: the server authenticates the individual user rather than the share, permissions can then be applied to individual files and directories, and once the server has authenticated the client it is given a unique identifier (UID) that is presented on each subsequent access to the server. The SMB protocol has supported user-level security since LAN Manager 1.0.
In Metasploit, there are very simple commands to find out whether the remote host supports SMB or not. The modules used below are auxiliary scanners, so the console prompt shows auxiliary(...) rather than exploit(...), and run and exploit are interchangeable for them.
SMB 2.0 Protocol Detection
Detect systems that support the SMB 2.0 protocol
use auxiliary/scanner/smb/smb2
msf auxiliary(smb2) > set rhosts 192.168.0.104
msf auxiliary(smb2) > set rport 445
msf auxiliary(smb2) > exploit
Once you hit enter after exploit, you will see the result with all the information about the open SMB service.
SMB Version Detection
Display version information about each system
use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > set rhosts 192.168.0.104
msf auxiliary(smb_version) > exploit
After the command has run, it reports the SMB version (and, where it can, the operating system) running on the remote PC.
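Both scanners above work by sending a single SMB2 NEGOTIATE request and reading the reply. The following added example, written for this article and not taken from Metasploit, does the same with nothing but the Python standard library: it builds a NEGOTIATE offering dialects 2.0.2 through 3.1.1 (including the SHA-512 pre-authentication integrity and AES-GCM/CCM negotiate contexts described earlier), parses the response, and reports the field a pentester cares about most, whether the server requires message signing. The address 192.168.0.104 is the article's lab host; the sample response at the end of the block is constructed from the MS-SMB2 layout, not captured from a real server.

```python
#!/usr/bin/env python3
"""SMB2 NEGOTIATE probe: what the smb2 and smb_version scanners do on the wire.
Added example for this article, not Metasploit's code; standard library only.
Formats follow MS-SMB2 2.2.1/2.2.3/2.2.4; the sample reply is constructed."""
import os
import socket
import struct

SMB2_MAGIC, SMB1_MAGIC, NEGOTIATE = b"\xfeSMB", b"\xffSMB", 0x0000
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}
SIGNING_ENABLED, SIGNING_REQUIRED = 0x0001, 0x0002   # SecurityMode bits
CAP_ENCRYPTION = 0x00000040                          # capability flag, 3.0/3.0.2 only
CTX_PREAUTH, CTX_ENCRYPTION = 0x0001, 0x0002         # 3.1.1 negotiate context types
HASH_SHA512, AES128_CCM, AES128_GCM = 0x0001, 0x0001, 0x0002


def smb2_header(command: int, flags: int = 0) -> bytes:
    """64-byte SMB2 header (2.2.1.2): unsigned, message id 0, no session or tree."""
    return struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0, command, 1,
                       flags, 0, 0, 0, 0, 0, b"\x00" * 16)


def build_negotiate_request(guid: bytes = b"", salt: bytes = b"") -> bytes:
    """NEGOTIATE request (2.2.3) offering 2.0.2..3.1.1, direct-TCP framed.
    Offering 3.1.1 makes a pre-auth-integrity context (SHA-512, 32-byte salt)
    mandatory; an encryption context (AES-128-GCM, AES-128-CCM) is added too."""
    dialects = struct.pack("<%dH" % len(DIALECTS), *DIALECTS)
    ctx_off = (64 + 36 + len(dialects) + 7) // 8 * 8      # 8-aligned, from header start
    salt = salt or os.urandom(32)
    preauth = struct.pack("<HHH", 1, len(salt), HASH_SHA512) + salt
    preauth = struct.pack("<HHI", CTX_PREAUTH, len(preauth), 0) + preauth
    preauth += b"\x00" * (-len(preauth) % 8)             # each context is 8-aligned
    enc = struct.pack("<HHH", 2, AES128_GCM, AES128_CCM)
    enc = struct.pack("<HHI", CTX_ENCRYPTION, len(enc), 0) + enc
    body = struct.pack("<HHHHI16sIHH", 36, len(DIALECTS), SIGNING_ENABLED, 0, CAP_ENCRYPTION,
                       guid or os.urandom(16), ctx_off, 2, 0) + dialects   # ctx offset/count
    pkt = smb2_header(NEGOTIATE) + body
    pkt += b"\x00" * (ctx_off - len(pkt)) + preauth + enc
    return struct.pack(">I", len(pkt)) + pkt              # 0x00 + 24-bit length (port 445)


def parse_negotiate_response(data: bytes) -> dict:
    """Security-relevant fields of a NEGOTIATE response (2.2.4), framing removed."""
    if data[:4] == SMB1_MAGIC:
        return {"protocol": "SMB1", "dialect": None, "signing_required": False}
    if data[:4] != SMB2_MAGIC or len(data) < 128:
        raise ValueError("not an SMB2 NEGOTIATE response")
    _, _, _, status, command = struct.unpack_from("<4sHHIH", data, 0)
    if command != NEGOTIATE or status != 0:
        raise ValueError("command 0x%04x, NTSTATUS 0x%08x" % (command, status))
    fields = struct.unpack_from("<HHHH16sIIIIQQHHI", data, 64)   # 2.2.4 fixed part
    sec_mode, dialect, ctx_count, guid = fields[1:5]
    return {"protocol": "SMB2", "dialect": DIALECTS.get(dialect, "0x%04x" % dialect),
            "signing_enabled": bool(sec_mode & SIGNING_ENABLED),
            "signing_required": bool(sec_mode & SIGNING_REQUIRED),
            "server_guid": guid.hex(),      # stable host identifier, survives reboots
            "negotiate_contexts": ctx_count if dialect == 0x0311 else 0}


def findings(info: dict) -> list:
    """What a pentester reads off a negotiate: relay and downgrade exposure."""
    out = []
    if info["protocol"] == "SMB1":
        out.append("server answered with SMB1: legacy dialect, disable it")
    elif not info["signing_required"]:
        out.append("SMB signing not required: NTLM relay to this host is possible")
    if info["dialect"] in ("2.0.2", "2.1"):
        out.append("dialect below 3.0: SMB encryption unavailable")
    return out


def probe(host: str, port: int = 445, timeout: float = 5.0) -> dict:
    """Network I/O: one NEGOTIATE exchange over direct TCP."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        f = s.makefile("rb")
        hdr = f.read(4)
        if len(hdr) < 4:   # SMB1-only servers typically just drop an SMB2 negotiate
            raise ConnectionError("peer closed the connection: SMB1-only or filtered?")
        return parse_negotiate_response(f.read(struct.unpack(">I", hdr)[0] & 0xFFFFFF))


def constructed_sample_response(dialect: int = 0x0311, sec_mode: int = SIGNING_ENABLED) -> bytes:
    """A constructed 3.1.1 reply (signing enabled, not required), not a real capture."""
    hdr = smb2_header(NEGOTIATE, flags=0x00000001)      # SMB2_FLAGS_SERVER_TO_REDIR
    return hdr + struct.pack("<HHHH16sIIIIQQHHI", 65, sec_mode, dialect,
                             2 if dialect == 0x0311 else 0, bytes(range(16)),
                             0x2F, 8 << 20, 8 << 20, 8 << 20, 0, 0, 128, 0, 0)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.104"   # the article's lab host
    info = probe(target)
    print(target, "SMB dialect", info["dialect"], "signing_required=%s" % info["signing_required"])
    print("\n".join("  ! " + f for f in findings(info)))
```

Run it as python3 smb2_probe.py 192.168.0.104. A server that only speaks SMB1 will usually drop the connection instead of answering, which the probe reports as such. signing_required=False is exactly what an NTLM relay needs, and it has historically been the default on Windows workstations and member servers (domain controllers require signing), so it is the first thing to record for every host found.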
SMB Share Enumeration
This module determines what shares are provided by the SMB service and which ones are readable/writable. It also collects additional information such as share types, directories, files, time stamps, etc. By default, a netshareenum request is done in order to retrieve share information, but if this fails, you may also fall back to SRVSVC.
use auxiliary/scanner/smb/smb_enumshares
msf auxiliary(smb_enumshares) > set rhosts 192.168.0.104
msf auxiliary(smb_enumshares) > set smbuser raj
msf auxiliary(smb_enumshares) > set smbpass raj
msf auxiliary(smb_enumshares) > exploit
After the command has run the result is displayed. Without credentials, access is denied on most of the systems probed; passing user credentials to the scanner (the SMBUser and SMBPass options above) produces much fuller results.
SMB User Enumeration (SAM EnumUsers)
Determine what local users exist via the SAM RPC service
use auxiliary/scanner/smb/smb_enumusers
msf auxiliary(smb_enumusers) > set rhosts 192.168.0.104
msf auxiliary(smb_enumusers) > set smbuser raj
msf auxiliary(smb_enumusers) > set smbpass raj
msf auxiliary(smb_enumusers) > exploit
As the command executes, it returns the list of local users on the remote PC.
SMB SID User Enumeration (LookupSid)
Determine what users exist via brute-force SID lookups. This module can enumerate both local and domain accounts by setting ACTION to either LOCAL or DOMAIN.
use auxiliary/scanner/smb/smb_lookupsid
msf auxiliary(smb_lookupsid) > set rhosts 192.168.0.104
msf auxiliary(smb_lookupsid) > set smbuser raj
msf auxiliary(smb_lookupsid) > set smbpass raj
msf auxiliary(smb_lookupsid) > exploit
Because it resolves SIDs by RID instead of listing the SAM, this turns up accounts and groups you never knew existed.
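smb_lookupsid works by asking the LSA RPC service to resolve SIDs it makes up from the host's domain SID plus a guessed RID. The added example below, written for this article and not Metasploit's or Samba's code, drives the same lookups with Samba's rpcclient from Python: it reads the domain SID from lsaquery, resolves batches of SIDs with lookupsids, and keeps only the RIDs the server mapped to a name. It assumes rpcclient is on PATH and takes the article's raj credentials (or a null session); the sample output fed to the parsers is constructed to mirror rpcclient's output format, not a real capture.

```python
#!/usr/bin/env python3
"""RID cycling through rpcclient: the LSA lookups behind smb_lookupsid.
Added example for this article, not Metasploit's or Samba's code. Assumes
Samba's rpcclient is on PATH; the parsers run offline on the constructed
sample output below, which imitates rpcclient's format and is not a capture."""
import re
import subprocess
from typing import List, Optional, Tuple

# rpcclient lookupsids prints one line per SID:  <sid> <domain>\<name> (<type>)
# <type> is a SID_NAME_USE value: 1 user, 2 group, 4 alias, 5 well-known group,
# 8 unknown (the RID is not allocated, so the line is skipped).
LOOKUP_RE = re.compile(r"^(S-1-\S+)\s+([^\\\s]*)\\(\S.*?)\s+\((\d+)\)\s*$")
SID_TYPES = {1: "user", 2: "group", 4: "alias", 5: "well-known group"}


def parse_lsaquery(text: str) -> Optional[str]:
    """Domain/machine SID from `lsaquery` output ("Domain Sid: S-1-5-21-...")."""
    m = re.search(r"Domain Sid:\s*(S-1-5-21-[\d-]+)", text)
    return m.group(1) if m else None


def parse_lookupsids(text: str) -> List[Tuple[int, str, str]]:
    """(rid, DOMAIN\\name, type) for every SID the server actually resolved."""
    found = []
    for line in text.splitlines():
        m = LOOKUP_RE.match(line.strip())
        if not m or int(m.group(4)) == 8:
            continue
        rid = int(m.group(1).rsplit("-", 1)[1])
        kind = SID_TYPES.get(int(m.group(4)), m.group(4))
        found.append((rid, m.group(2) + "\\" + m.group(3), kind))
    return found


def rpcclient(host: str, creds: str, command: str, timeout: int = 60) -> str:
    """One rpcclient invocation; creds is 'user%pass', or '' for a null session."""
    argv = ["rpcclient", "-U", creds] + (["-N"] if creds == "" else []) + [host, "-c", command]
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout).stdout


def rid_cycle(host: str, creds: str = "", rids=range(500, 1100),
              batch: int = 25) -> List[Tuple[int, str, str]]:
    """Resolve <domain SID>-<rid> for each rid, several SIDs per lookupsids call.
    This is how accounts the SAM listing never showed (RID 500/501, groups,
    aliases) turn up."""
    domain_sid = parse_lsaquery(rpcclient(host, creds, "lsaquery"))
    if not domain_sid:
        raise RuntimeError("lsaquery returned no SID: null session refused? retry with creds")
    results, rids = [], list(rids)
    for i in range(0, len(rids), batch):
        sids = " ".join("%s-%d" % (domain_sid, r) for r in rids[i:i + batch])
        results.extend(parse_lookupsids(rpcclient(host, creds, "lookupsids " + sids)))
    return results


# Constructed sample output in rpcclient's format (not a real capture).
SAMPLE_LSAQUERY = "Domain Name: METASPLOITABLE\nDomain Sid: S-1-5-21-1000000000-2000000000-3000000000\n"
SAMPLE_LOOKUPSIDS = """\
S-1-5-21-1000000000-2000000000-3000000000-500 METASPLOITABLE\\Administrator (1)
S-1-5-21-1000000000-2000000000-3000000000-501 METASPLOITABLE\\nobody (1)
S-1-5-21-1000000000-2000000000-3000000000-502 *unknown*\\*unknown* (8)
S-1-5-21-1000000000-2000000000-3000000000-512 METASPLOITABLE\\Domain Admins (2)
S-1-5-21-1000000000-2000000000-3000000000-1000 METASPLOITABLE\\raj (1)
"""

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.104"   # the article's lab host
    creds = sys.argv[2] if len(sys.argv) > 2 else ""                # e.g. raj%raj
    for rid, name, kind in rid_cycle(host, creds):
        print("%5d  %-40s %s" % (rid, name, kind))
```

Run it as python3 rid_cycle.py 192.168.0.104 raj%raj (or without credentials to test a null session). Batching SIDs into one lookupsids call matters: a lookup per RID means one RPC round trip each, and on a 1000-RID range that is the difference between seconds and minutes, and between a quiet probe and a very noisy one in the server's logs.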
Now, if you scan the remote PC's IP with nmap, you will see the ports through which all this information was gathered:
nmap -sV 192.168.0.104
In the result you can see that ports 139 (NetBIOS session service) and 445 (SMB over TCP) are in fact open.
Conclusion: Understanding a port, and what can be learned through it, lets us target our victim far more accurately, since we gather even the smallest pieces of information. Collecting such information about a port and knowing what to do with it gives the attacker real leverage. Understanding a port, what it can do, and how to extract information about it from a remote PC is therefore the foundation of hacking and improves our skills as pentesters.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.
