Metasploitable 2 — Walkthrough — SMB Enumeration Techniques

MichaelLearns_
6 min read · May 9, 2024


These articles are some of my notes as I practice my penetration testing skills against the Metasploitable 2 box. The contents and techniques shown and used here are for instructional and educational purposes only. For other articles in this series, please see here.

SMB, the Server Message Block protocol. Image from here

What is SMB?

SMB, the Server Message Block protocol, is one of the most important protocols in modern computing. Microsoft defines SMB as a “network file sharing protocol that allows applications on a computer to read and write to files and to request services from server programs in a computer network.”

When you have a shared folder set up on your desktop, SMB is the service that enables it. As you can see, this makes it an attractive attack vector for any threat actor. If access to the resources and files in folders shared through SMB is compromised, we can leverage that to our advantage in a pentest.

Two ports are relevant for SMB. These are the TCP ports 445 and 139.

In this short walkthrough, we will demonstrate the basic tools and techniques you can use in the enumeration phase of a pentest. This prepares us for the next phase, which is vulnerability assessment and exploitation of this VM.

Setup

We follow the same setup as the series as found here.

Enumeration using NMAP

As usual, we can use nmap for basic enumeration of the services found on the Metasploitable box, the service version for each open port found, and preliminary scripts that can be helpful for further analysis.

We already found the open ports and services as shown in the previous post.

However, we can dive deeper into SMB ports 445 and 139 themselves, using the nmap command below. We will be running a version scan (-sV) and the default scripts (-sC).

nmap -p 445,139 -sV -sC 10.10.10.4

Output of Nmap version scan and scripts

The above tells us the SMB version, which appears to be Samba smbd 3.x — 4.x and, more precisely, 3.0.20-Debian. This tells us that this is surely a Linux machine, as Samba is primarily used on that OS.

This is further verified by the smb-os-discovery script, which also tells us the computer name of the target.

Another handy script uses nmap to discover shared drives and folders that may be exposed by your target. To do this we can use the smb-enum-shares script with the command below:

nmap -p 445 --script smb-enum-shares 10.10.10.4

The above command will yield the following output:

Further NMAP script output

This has interesting output.

We can see several shares that are present on the system. These are the following:

Enumerated shared drives:

\\10.10.10.4\ADMIN$
\\10.10.10.4\IPC$
\\10.10.10.4\opt
\\10.10.10.4\print$
\\10.10.10.4\tmp

Noteworthy is the fact that some shares have anonymous access enabled. This means that we can perform READ/WRITE operations, as shown in the output for \\10.10.10.4\tmp, for example. We may attempt to log in there using a tool called smbclient, which can be a way for us to establish a foothold, as mentioned in the description of this nmap script here.

Further to that, the \\10.10.10.4\tmp share looks particularly interesting given its comment, shown below. Once we finish our enumeration, we will go back and examine the contents of this folder.

\\10.10.10.4\tmp
.
Comment: oh noes!

Another useful script enumerates and identifies the exact SMB protocol dialects in use, using the nmap script below:

nmap -p 445,139 --script smb-protocols 10.10.10.4

Which will yield the following output:

NMAP script for SMB Protocols
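The smb-enum-shares and smb-protocols output above is the kind of text an auditor ends up reading by hand across many hosts. The following is an added example (not code from the original post): a small Python parser that reads nmap's normal-output gutter format for those two scripts and reports the two findings the walkthrough cares about, disk shares writable over a null session and a server that only speaks SMBv1. The sample output is constructed to match the shape of nmap's script output and the share names and "oh noes!" comment from this post; the Type and Comment values are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on nmap's smb-enum-shares / smb-protocols
# normal output (not a capture from the post). Share names and the tmp
# comment follow the walkthrough; Type and Comment values are assumed.
SAMPLE_NMAP_OUTPUT = r"""
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: <blank>
|   \\10.10.10.4\ADMIN$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (metasploitable server (Samba 3.0.20-Debian))
|     Anonymous access: <none>
|   \\10.10.10.4\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (metasploitable server (Samba 3.0.20-Debian))
|     Anonymous access: READ/WRITE
|   \\10.10.10.4\opt:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: <none>
|   \\10.10.10.4\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Anonymous access: <none>
|   \\10.10.10.4\tmp:
|     Type: STYPE_DISKTREE
|     Comment: oh noes!
|_    Anonymous access: READ/WRITE
| smb-protocols:
|   dialects:
|_    NT LM 0.12 (SMBv1) [dangerous, but default]
"""

GUTTER = re.compile(r"^\|_?")               # nmap prefixes script lines with "| " or "|_ "
SHARE_HEADER = re.compile(r"^(\\\\\S+):$")  # e.g. \\10.10.10.4\tmp:


@dataclass
class Share:
    name: str
    share_type: str = ""
    comment: str = ""
    anonymous_access: str = ""


def parse_smb_scripts(text):
    """Return (shares, dialects) parsed from nmap normal output."""
    shares, dialects = [], []
    section, current = None, None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            section = None          # left the script-output block
            continue
        stripped = GUTTER.sub("", raw).strip()
        if stripped.startswith("smb-enum-shares:"):
            section = "shares"
            continue
        if stripped.startswith("smb-protocols:"):
            section = "protocols"
            continue
        if section == "shares":
            m = SHARE_HEADER.match(stripped)
            if m:
                current = Share(name=m.group(1))
                shares.append(current)
            elif current is not None and ":" in stripped:
                key, _, value = stripped.partition(":")
                key, value = key.strip().lower(), value.strip()
                if key == "type":
                    current.share_type = value
                elif key == "comment":
                    current.comment = value
                elif key == "anonymous access":
                    current.anonymous_access = value
        elif section == "protocols" and not stripped.startswith("dialects:"):
            dialects.append(stripped)
    return shares, dialects


def anonymous_writable(shares, disk_only=True):
    """Shares a null-session client can write to. IPC$ reports READ/WRITE on
    Samba because it is the named-pipe endpoint, not a file share, so the
    default filters the list down to real disk shares."""
    return [s.name for s in shares
            if "WRITE" in s.anonymous_access
            and (not disk_only or s.share_type.startswith("STYPE_DISKTREE"))]


def smbv1_only(dialects):
    """True when the only advertised dialect is the legacy SMBv1 'NT LM 0.12'."""
    return bool(dialects) and all(d.startswith("NT LM 0.12") for d in dialects)


def findings(text):
    """Human-readable findings a reviewer would want from this scan."""
    shares, dialects = parse_smb_scripts(text)
    out = [f"anonymous write on {name}" for name in anonymous_writable(shares)]
    if smbv1_only(dialects):
        out.append("server negotiates SMBv1 only")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_NMAP_OUTPUT):
        print(line)
```

Feeding it the real scan is a matter of running nmap with -oN and passing the file contents to findings(); the point of the disk_only filter is that READ/WRITE on IPC$ is normal for Samba and not itself a misconfiguration, whereas an anonymous-writable disk share such as tmp is.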

The last nmap script that can be handy enumerates the possible users of the host, which can amount to an enumeration of all the local users and groups on it. The nmap command is below:

nmap -p 445,139 --script smb-enum-users 10.10.10.4

A snapshot of some of the output of that script is below. This can be helpful in further exploitation or brute forcing of credentials at the next stage of penetration testing.

NMAP script for enumerating users

Enumeration using smbclient

Other tools may be handy for verifying the above output. One of them is smbclient, already alluded to above.

Using the command below,

smbclient -L //10.10.10.4

will list the available shares (with their type and comments), the domains, and the workgroup of the host, if there are any. Below is the output, which verifies our initial finding.

smbclient output

Enumeration using smbmap


Another handy tool is smbmap, which lists several of the items that we have already considered.

Using the command below,

smbmap -H 10.10.10.4

will yield roughly the same data we have already seen with the previous two tools.

smbmap output

Enumeration using crackmapexec

Another tool to use is crackmapexec; when the command below is executed,

crackmapexec smb 10.10.10.4

it will yield a little information to confirm what we have already seen.

crackmapexec output

Enumeration using Metasploit

There are also several Metasploit scanner modules that may be handy. We will not show their output here, and some of them need user and password lists, but they are good to know if you are more comfortable in msfconsole.

These auxiliary scanners are:

auxiliary/scanner/smb/smb_version
auxiliary/scanner/smb/smb_enumshares
auxiliary/scanner/smb/smb_enumusers
auxiliary/scanner/smb/smb_login

Enumeration using Enum4Linux

Lastly, we can use enum4linux, which is a powerful enumeration tool, since we already know that we are dealing with a Linux machine.

Using the simple command below will yield rich information for us:

enum4linux -a 10.10.10.4

The output of interest for us is the following:

enum4linux output

The list of known usernames again confirms what we already knew about some of the usernames from our previous enumeration.

Further output of enum4linux is shown below:

Further enum4linux output

This again verifies all these findings. Note, though, that when enum4linux attempts to map the shares, access is denied except for //10.10.10.4/tmp and //10.10.10.4/opt. This gives us a further clue about where to focus our attention in the next few steps.
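enum4linux reports two things the walkthrough leans on: the user list and which shares a null session could map. As an added example (not code from the original post), the Python below parses those two parts of enum4linux -a output, separates well-known RIDs from Samba-assigned ones, and lists the shares that mapped successfully. The sample output is constructed in the shape of enum4linux's "user:[...] rid:[...]" and "//host/share Mapping: ..." lines; the RID values assume the target uses Samba's default algorithmic mapping (RID = uid*2 + 1000 for users), which is an assumption and not something the post states.

```python
import re

# Constructed sample in the shape of enum4linux -a output (not a capture from
# the post). User names and mappable shares mirror the walkthrough; the RIDs
# are assumed values following Samba's default uid*2 + 1000 mapping, except
# for nobody, which Samba reports with a well-known RID.
SAMPLE_ENUM4LINUX = """
 ==========================================
|    Users on 10.10.10.4    |
 ==========================================
user:[games] rid:[0x3f2]
user:[nobody] rid:[0x1f5]
user:[bind] rid:[0x4ba]
user:[msfadmin] rid:[0xbb8]
user:[user] rid:[0xbba]
user:[root] rid:[0x3e8]

 ==========================================
|    Share Enumeration on 10.10.10.4    |
 ==========================================
[+] Attempting to map shares on 10.10.10.4
//10.10.10.4/print$\tMapping: DENIED, Listing: N/A
//10.10.10.4/tmp\tMapping: OK, Listing: OK
//10.10.10.4/opt\tMapping: OK\tListing: DENIED
//10.10.10.4/IPC$\t[E] Can't understand response:
//10.10.10.4/ADMIN$\tMapping: DENIED, Listing: N/A
"""

USER_LINE = re.compile(r"^user:\[(?P<name>[^\]]*)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")
SHARE_LINE = re.compile(r"^//(?P<host>[^/]+)/(?P<share>\S+)\s+(?P<rest>.*)$")


def parse_enum4linux(text):
    """Return (users, shares): users maps name -> RID (int), shares maps
    share name -> {'mapping': ..., 'listing': ...} from the mapping step."""
    users, shares = {}, {}
    for line in text.splitlines():
        m = USER_LINE.match(line)
        if m:
            users[m["name"]] = int(m["rid"], 16)
            continue
        m = SHARE_LINE.match(line)
        if m:
            rest = m["rest"]
            mapping = re.search(r"Mapping:\s*(\w+)", rest)
            listing = re.search(r"Listing:\s*(\S+)", rest)
            shares[m["share"]] = {
                # a line with no "Mapping:" (e.g. an [E] error) is recorded as ERROR
                "mapping": mapping.group(1) if mapping else "ERROR",
                "listing": listing.group(1) if listing else "N/A",
            }
    return users, shares


def rid_to_unix_uid(rid):
    """Invert Samba's default algorithmic mapping (uid*2 + 1000). Returns None
    for well-known RIDs below 1000 and for odd RIDs, which Samba assigns to
    groups (gid*2 + 1001). Assumes the default RID base of 1000."""
    if rid < 1000 or (rid - 1000) % 2:
        return None
    return (rid - 1000) // 2


def likely_login_accounts(users):
    """Names whose derived uid is >= 1000, the Debian/Ubuntu range for regular
    (non-system) accounts and therefore the ones worth checking for weak
    credentials during a password audit."""
    return sorted(name for name, rid in users.items()
                  if (uid := rid_to_unix_uid(rid)) is not None and uid >= 1000)


def null_session_mappable(shares):
    """Shares the unauthenticated mapping step connected to successfully."""
    return [name for name, r in shares.items() if r["mapping"] == "OK"]


if __name__ == "__main__":
    users, shares = parse_enum4linux(SAMPLE_ENUM4LINUX)
    print("regular accounts:", likely_login_accounts(users))
    print("mappable without credentials:", null_session_mappable(shares))
```

The mapping results are the ground truth that the advertised "Anonymous access" values from nmap only predict: a share nmap lists as anonymous READ/WRITE but enum4linux cannot map (or the reverse) is worth a second look, since it usually means a share-level ACL or a valid users restriction the scanner did not see.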

Recap…

So by this point, we have been able to enumerate details about the target’s SMB service. We have used several key tools: Nmap, smbclient, smbmap, CrackMapExec, Metasploit and finally enum4linux. All the information we have gathered can be useful as we move into the exploitation phase of this penetration testing exercise. Watch out for the next blog. Happy learning!
