Walkthrough 2222

Uploaded by

Leonardo Padovan

Name: Windows Recon: SMB: Nmap Scripts

URL: https://attackdefense.com/challengedetails?cid=2222

Type: Windows Reconnaissance: SMB

Important Note: This document illustrates all the important steps required to complete this lab.
This is by no means a comprehensive step-by-step solution for this exercise. This is only
provided as a reference to various commands needed to complete this exercise and for your
further research on this topic. Also, note that the IP addresses and domain names might be
different in your lab.

Step 1: Check the target IP address.

Note: The target IP address is stored in the “target” file.

Command: cat /root/Desktop/target

Step 2: Ping the target machine to check whether it is alive.

Command: ping -c 5 10.0.17.200


We can observe that the target machine is alive and we have successfully sent and received all
five packets.

Step 3: Run an Nmap scan against the target IP.

Command: nmap 10.0.17.200

Step 4: The scan shows that multiple ports are open, including SMB on port 445. We will run the
smb-protocols Nmap script to list the protocols and dialects the SMB server supports.

Command: nmap -p445 --script smb-protocols 10.0.17.200


Step 5: Run the smb-security-mode script to return information about the SMB security level.

Command: nmap -p445 --script smb-security-mode 10.0.17.200


The script connected to the target SMB server as the guest user and returned the SMB security
level information.

More information is available at the following link:

https://nmap.org/nsedoc/scripts/smb-security-mode.html

Step 6: We have the SMB server credentials, i.e. administrator:smbserver_771. We will use them
with Nmap scripts to scan the target for sensitive information.

Enumerate the users logged into the system through SMB with the smb-enum-sessions script.

First, run it without any credentials to see the output.

Command: nmap -p445 --script smb-enum-sessions 10.0.17.200

We can observe that the user bob is logged into the target machine, and this was discovered
without supplying any credentials.

This is possible because the target machine has guest login enabled, which is a
misconfiguration.

If guest login is not enabled, we can always use valid credentials for the target machine to
discover the same information.

Command: nmap -p445 --script smb-enum-sessions --script-args smbusername=administrator,smbpassword=smbserver_771 10.0.17.200

Step 7: Enumerate all available shares.

Command: nmap -p445 --script smb-enum-shares 10.0.17.200


We can observe in the output that all the shares were accessed as the guest user and that the
permissions of each folder or drive were returned.

We can also notice that the IPC$ share has read and write permissions.

About IPC$ share

“The IPC$ share is also known as a null session connection. By using this session, Windows
lets anonymous users perform certain activities, such as enumerating the names of domain
accounts and network shares.”

Scan all shares using valid credentials to check the permissions.

Command: nmap -p445 --script smb-enum-shares --script-args smbusername=administrator,smbpassword=smbserver_771 10.0.17.200

We can observe that the administrator user has read and write privileges on the entire C$ share, i.e. C:\
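The guest-accessible session in Step 5 and the anonymously readable and writable IPC$ share in Step 7 are exactly the misconfigurations a defender would want to flag automatically across a network. As an added example (not part of the lab or of Nmap itself), the following Python script parses Nmap XML output (-oX) for the smb-security-mode and smb-enum-shares scripts and reports disabled signing, accepted guest logins and anonymously accessible shares; the embedded XML is constructed to resemble Nmap's structured script output, and the element key names are assumptions based on that format.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML (-oX) output for the two scripts used in
# the walkthrough; element keys are assumed from Nmap's structured output.
SAMPLE_XML = r"""<nmaprun>
<host>
<address addr="10.0.17.200" addrtype="ipv4"/>
<hostscript>
<script id="smb-security-mode" output="">
<elem key="account_used">guest</elem>
<elem key="authentication_level">user</elem>
<elem key="challenge_response">supported</elem>
<elem key="message_signing">disabled</elem>
</script>
<script id="smb-enum-shares" output="">
<elem key="account_used">guest</elem>
<table key="\\10.0.17.200\IPC$">
<elem key="Type">STYPE_IPC_HIDDEN</elem>
<elem key="Anonymous access">READ/WRITE</elem>
</table>
<table key="\\10.0.17.200\C$">
<elem key="Type">STYPE_DISKTREE_HIDDEN</elem>
<elem key="Anonymous access">&lt;none&gt;</elem>
</table>
</script>
</hostscript>
</host>
</nmaprun>"""


def audit_smb(xml_text):
    """Return (host, finding) tuples for SMB settings a defender should fix."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for script in host.iter("script"):
            elems = {e.get("key"): (e.text or "") for e in script.findall("elem")}
            if script.get("id") == "smb-security-mode":
                if elems.get("message_signing", "").startswith("disabled"):
                    findings.append((addr, "SMB message signing disabled"))
                if elems.get("account_used") == "guest":
                    findings.append((addr, "guest login accepted"))
            elif script.get("id") == "smb-enum-shares":
                for table in script.findall("table"):
                    fields = {e.get("key"): (e.text or "") for e in table.findall("elem")}
                    anon = fields.get("Anonymous access", "")
                    if anon and anon != "<none>":  # Nmap reports <none> when access is denied
                        findings.append((addr, f"anonymous {anon} on {table.get('key')}"))
    return findings
```

To use it on a real scan, run the Nmap commands from this walkthrough with -oX and pass the file's contents to audit_smb; each returned finding maps to a setting to harden (require signing, disable guest access, restrict anonymous share access).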

Step 8: Enumerate the Windows users on the target machine.

Command: nmap -p445 --script smb-enum-users --script-args smbusername=administrator,smbpassword=smbserver_771 10.0.17.200

We can observe that there are three users present on the target machine, i.e. Administrator,
bob and Guest.

Step 9: Get information about the server statistics. The script uses ports 445 and 139 to fetch
the details.

Command: nmap -p445 --script smb-server-stats --script-args smbusername=administrator,smbpassword=smbserver_771 10.0.17.200

We can see counts of failed logins, permission and system errors, open files and print jobs.

Please note: the above output may differ in your case, which is completely fine.

Step 10: Enumerate the available domains on the target machine.

Command: nmap -p445 --script smb-enum-domains --script-args smbusername=administrator,smbpassword=smbserver_771 10.0.17.200

We have received information about the built-in domain on the target machine.

Step 11: Enumerate the available user groups on the target machine.

Command: nmap -p445 --script smb-enum-groups --script-args smbusername=administrator,smbpassword=smbserver_771 10.0.17.200

Step 12: Enumerate the services on the target machine.

Command: nmap -p445 --script smb-enum-services --script-args smbusername=administrator,smbpassword=smbserver_771 10.0.17.200

Step 13: Enumerate all the shared folders and drives, then run the ls command (the ls command
lists files or directories, similar to dir in Windows) on every shared folder.

Command: nmap -p445 --script smb-enum-shares,smb-ls --script-args smbusername=administrator,smbpassword=smbserver_771 10.0.17.200

References:

1. Nmap (https://nmap.org/)
2. Nmap Scripts (https://nmap.org/nsedoc/scripts)
