HTB/Windows
Legacy
haru0909
2023. 8. 22. 12:27
Target IP: 10.129.131.119
MY IP: 10.10.14.17
```bash
$ nmap -sV -sC 10.129.193.207 --top-ports 2000 -max-retries 2 -Pn --open -n -oA legacy
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2023-08-26T17:41:57+03:00
|_nbstat: NetBIOS name: nil, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:0a:17 (VMware)
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 5d20h00m52s, deviation: 2h07m16s, median: 5d18h30m52s
```
```bash
$ smbmap -H 10.129.181.227
[+] IP: 10.129.193.207:445 Name: 10.129.193.207
```
-H : identifies the target system by host / IP address or hostname.
Because this was run without a username, it is anonymous session / null session enumeration.
// No results were returned.
```bash
$ smbmap -H 10.129.193.207 -u "jjing"
[!] Authentication error on 10.129.193.207
```
Checked with -u whether a guest session could be established, but it was not possible.
```bash
nmap --script smb-enum-shares -p 139,445 $ip
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
Host script results:
| smb-enum-shares:
|   note: ERROR: Enumerating shares failed, guessing at common ones (NT_STATUS_ACCESS_DENIED)
|   account_used: <blank>
|   \\10.129.193.207\ADMIN$:
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|     Anonymous access: <none>
|   \\10.129.193.207\C$:
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|     Anonymous access: <none>
|   \\10.129.193.207\IPC$:
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|_    Anonymous access: READ
```
Searched for shared folders again with nmap.
Note: this takes a really long time, and nothing came out of it.
>> Next time, try nmap --script smb-vuln* -p 445 -oA smb_vulns [ip] instead.
```bash
$ rpcclient -U "" -N 10.129.193.207
rpcclient $>
```
Oh, what a windfall!
rpcclient could be reached over a null session.
https://fareedfauzi.gitbook.io/oscp-playbook/services-enumeration/smb#overall-scan
Found smbenum.sh at the link above, fetched the file and ran it. (Got nothing from it.)
```bash
$ chmod +x smbenum.sh
$ ./smbenum.sh
########## Getting Netbios name ##########
Doing NBT name scan for addresses from 10.129.193.207
NetBIOS Name Table for Host 10.129.193.207:
Name             Service          Type
---------------------------------------
Adapter address: 00:50:56:b9:0a:17
---------------------------------------
########## Checking for NULL sessions ##########
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
########## Enumerating domains ##########
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
########## Enumerating password and lockout policies ##########
[+] Attaching to 10.129.193.207 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:10.129.193.207)
[+] Trying protocol 445/SMB...
[!] Protocol failed: 'NoneType' object has no attribute 'decode'
########## Enumerating users ##########
You requested a scan type which requires root privileges.
QUITTING!
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
########## Enumerating Administrators ##########
Could not initialise lsa pipe
########## Enumerating Domain Admins ##########
Could not initialise lsa pipe
########## Enumerating groups ##########
You requested a scan type which requires root privileges.
QUITTING!
########## Enumerating shares ##########
You requested a scan type which requires root privileges.
QUITTING!
########## Bruteforcing all users with 'password', blank and username as password
```
Since the host is known to use SMBv1, ran the script to check whether it is vulnerable to EternalBlue // vulnerable
```bash
$ nmap -p 445 --script smb-vuln-ms17-010 10.129.193.207
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-21 04:08 KST
Nmap scan report for 10.129.193.207
Host is up (0.11s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
```
Detecting SMB-related vulnerabilities
## Check Null Sessions
```bash
smbmap -H $ip
rpcclient -U "" -N $ip
smbclient \\\\$ip\\[share name]
smbclient -L //10.10.10.3/ --option='client min protocol=NT1'
# if getting error "protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED"
```
### Check for Vulnerabilities
```bash
nmap --script smb-vuln* -p 139,445 $ip
```
### Overall Scan
```bash
enum4linux -a $ip
enum4linux -u 'guest' -p '' -a $ip
```
If doing it again..?
- Confirm in nmap that SMB (445) is open
- Run nmap --script smb-vuln* -p 445 -oA smb_vulns [ip] to check for SMB-related vulnerabilities, and attack if any are found
```bash
$ nmap --script smb-vuln* -p 445 -oA smb_vulns 10.129.65.85
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
```
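To turn scan output like the above into something a vulnerability-management workflow can act on, here is an added Python example (not code from the original post or from nmap itself) that parses nmap's host-script section and reports which smb-vuln scripts came back VULNERABLE, which errored (a failed script is not proof the bug is absent), and whether SMB message signing is disabled. It assumes the indentation nmap actually prints; the sample text is constructed from this page's results.

```python
import re
# Constructed sample, abbreviated from this page's scans but with nmap's real
# indentation (the copy on the page lost the leading spaces).
SAMPLE = """\
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
| smb-vuln-ms17-010:
|   VULNERABLE:
|     State: VULNERABLE
|_    IDs:  CVE:CVE-2017-0143
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms08-067:
|     State: VULNERABLE
|_    IDs:  CVE:CVE-2008-4250
"""
# A block starts at "| name:" or "|_name:" with no extra indentation, where
# name looks like an NSE script id (lowercase letters, digits, hyphens).
TOP_RE = re.compile(r"^\|[ _]([a-z0-9][a-z0-9-]*):(?:\s+(.*))?$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_host_scripts(text: str) -> dict:
    """Split '|'-prefixed host-script lines into {script: [body lines]}."""
    blocks, current = {}, None
    for line in text.splitlines():
        m = TOP_RE.match(line)
        if m:
            current = m.group(1)
            blocks[current] = [m.group(2)] if m.group(2) else []
        elif current and line.startswith("|"):
            blocks[current].append(line.lstrip("|_ ").rstrip())
    return blocks

def triage(text: str) -> list:
    """Reduce script blocks to the findings a remediation ticket would carry."""
    findings = []
    for name, body in parse_host_scripts(text).items():
        joined = " ".join(body)
        if name.startswith("smb-vuln-"):
            status = ("vulnerable" if "State: VULNERABLE" in joined
                      else "error" if joined.startswith("ERROR")  # script failed, not proof of absence
                      else "not_vulnerable")
            findings.append({"script": name, "status": status,
                             "cves": sorted(set(CVE_RE.findall(joined)))})
        elif name == "smb-security-mode":
            for item in body:
                if item.startswith("message_signing:") and "disabled" in item:
                    findings.append({"script": name, "status": "weak_config",
                                     "cves": [], "detail": item})
    return findings
```

Feed it the "Host script results" portion of a saved -oN/-oA .nmap file; the same parser works for the smb-os-discovery block if you need the OS string for the ticket.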
3. Decided to exploit ms08_067
https://github.com/andyacer/ms08_067
4. For MS08_067 the OS version matters, so ran the script below once more to confirm the OS (got the same result)
Also: nmap has a good OS discovery script that pairs well with this exploit:
```bash
nmap -p 139,445 --script-args=unsafe=1 --script /usr/share/nmap/scripts/smb-os-discovery 10.129.65.85
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2023-08-28T17:08:33+03:00
```