
    OSCP Security Technology - Enumeration (2)

    SMB Enumeration

    From the scan results we found that TCP port 111 is open.


    locate smb.conf
    


    nano /etc/samba/smb.conf
    

    Add the new settings to the [global] section and save the file.


    enum4linux 192.168.2.28
    


    kali@kali:~$ sudo enum4linux 192.168.2.28
    Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Jun 17 10:17:55 2021
    
     ========================== 
    |    Target Information    |
     ========================== 
    Target ........... 192.168.2.28
    RID Range ........ 500-550,1000-1050
    Username ......... ''
    Password ......... ''
    Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
    
    
     ==================================================== 
    |    Enumerating Workgroup/Domain on 192.168.2.28    |
     ==================================================== 
    [+] Got domain/workgroup name: MYGROUP
    
     ============================================ 
    |    Nbtstat Information for 192.168.2.28    |
     ============================================ 
    Looking up status of 192.168.2.28
            KIOPTRIX        <00> -         B <ACTIVE>  Workstation Service
            KIOPTRIX        <03> -         B <ACTIVE>  Messenger Service
            KIOPTRIX        <20> -         B <ACTIVE>  File Server Service
            ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
            MYGROUP         <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
            MYGROUP         <1d> -         B <ACTIVE>  Master Browser
            MYGROUP         <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
    
            MAC Address = 00-00-00-00-00-00
    
     ===================================== 
    |    Session Check on 192.168.2.28    |
     ===================================== 
    [+] Server 192.168.2.28 allows sessions using username '', password ''
    
     =========================================== 
    |    Getting domain SID for 192.168.2.28    |
     =========================================== 
    Domain Name: MYGROUP
    Domain Sid: (NULL SID)
    [+] Can't determine if host is part of domain or part of a workgroup
    
     ====================================== 
    |    OS information on 192.168.2.28    |
     ====================================== 
    Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
    [+] Got OS info for 192.168.2.28 from smbclient: 
    [+] Got OS info for 192.168.2.28 from srvinfo:
            KIOPTRIX       Wk Sv PrQ Unx NT SNT Samba Server
            platform_id     :       500
            os version      :       4.5
            server type     :       0x9a03
    
     ============================= 
    |    Users on 192.168.2.28    |
     ============================= 
    Use of uninitialized value $users in print at ./enum4linux.pl line 874.
    Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.
    
    Use of uninitialized value $users in print at ./enum4linux.pl line 888.
    Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.
    
     ========================================= 
    |    Share Enumeration on 192.168.2.28    |
     ========================================= 
    lpcfg_do_global_parameter: WARNING: The "client use spnego" option is deprecated
    lpcfg_do_global_parameter: WARNING: The "client ntlmv2 auth" option is deprecated
    
            Sharename       Type      Comment
            ---------       ----      -------
            IPC$            IPC       IPC Service (Samba Server)
            ADMIN$          IPC       IPC Service (Samba Server)
    Reconnecting with SMB1 for workgroup listing.
    
            Server               Comment
            ---------            -------
            KIOPTRIX             Samba Server
    
            Workgroup            Master
            ---------            -------
            MYGROUP              KIOPTRIX
    
    [+] Attempting to map shares on 192.168.2.28
    //192.168.2.28/IPC$     [E] Can't understand response:
    lpcfg_do_global_parameter: WARNING: The "client use spnego" option is deprecated
    lpcfg_do_global_parameter: WARNING: The "client ntlmv2 auth" option is deprecated
    NT_STATUS_NETWORK_ACCESS_DENIED listing *
    //192.168.2.28/ADMIN$   [E] Can't understand response:
    lpcfg_do_global_parameter: WARNING: The "client use spnego" option is deprecated
    lpcfg_do_global_parameter: WARNING: The "client ntlmv2 auth" option is deprecated
    tree connect failed: NT_STATUS_WRONG_PASSWORD
    
     ==================================================== 
    |    Password Policy Information for 192.168.2.28    |
     ==================================================== 
    [E] Unexpected error from polenum:
    
    
    [+] Attaching to 192.168.2.28 using a NULL share
    
    [+] Trying protocol 139/SMB...
    
            [!] Protocol failed: SMB SessionError: 0x5
    
    [+] Trying protocol 445/SMB...
    
            [!] Protocol failed: [Errno Connection error (192.168.2.28:445)] [Errno 111] Connection refused
    
    
    [+] Retieved partial password policy with rpcclient:
    
    Password Complexity: Disabled
    Minimum Password Length: 0
    
    
     ============================== 
    |    Groups on 192.168.2.28    |
     ============================== 
    
    [+] Getting builtin groups:
    group:[Administrators] rid:[0x220]
    group:[Users] rid:[0x221]
    group:[Guests] rid:[0x222]
    group:[Power Users] rid:[0x223]
    group:[Account Operators] rid:[0x224]
    group:[System Operators] rid:[0x225]
    group:[Print Operators] rid:[0x226]
    group:[Backup Operators] rid:[0x227]
    group:[Replicator] rid:[0x228]
    
    [+] Getting builtin group memberships:
    Group 'Power Users' (RID: 547) has member: Couldn't find group Power Users
    Group 'Administrators' (RID: 544) has member: Couldn't find group Administrators
    Group 'Guests' (RID: 546) has member: Couldn't find group Guests
    Group 'Users' (RID: 545) has member: Couldn't find group Users
    Group 'Replicator' (RID: 552) has member: Couldn't find group Replicator
    Group 'System Operators' (RID: 549) has member: Couldn't find group System Operators
    Group 'Account Operators' (RID: 548) has member: Couldn't find group Account Operators
    Group 'Print Operators' (RID: 550) has member: Couldn't find group Print Operators
    Group 'Backup Operators' (RID: 551) has member: Couldn't find group Backup Operators
    
    [+] Getting local groups:
    group:[sys] rid:[0x3ef]
    group:[tty] rid:[0x3f3]
    group:[disk] rid:[0x3f5]
    group:[mem] rid:[0x3f9]
    group:[kmem] rid:[0x3fb]
    group:[wheel] rid:[0x3fd]
    group:[man] rid:[0x407]
    group:[dip] rid:[0x439]
    group:[lock] rid:[0x455]
    group:[users] rid:[0x4b1]
    group:[slocate] rid:[0x413]
    group:[floppy] rid:[0x40f]
    group:[utmp] rid:[0x415]
    
    [+] Getting local group memberships:
    
    [+] Getting domain groups:
    group:[Domain Admins] rid:[0x200]
    group:[Domain Users] rid:[0x201]
    
    [+] Getting domain group memberships:
    Group 'Domain Users' (RID: 513) has member: Couldn't find group Domain Users
    Group 'Domain Admins' (RID: 512) has member: Couldn't find group Domain Admins
    
     ======================================================================= 
    |    Users on 192.168.2.28 via RID cycling (RIDS: 500-550,1000-1050)    |
     ======================================================================= 
    [I] Found new SID: S-1-5-21-4157223341-3243572438-1405127623
    [+] Enumerating users using SID S-1-5-21-4157223341-3243572438-1405127623 and logon username '', password ''
    S-1-5-21-4157223341-3243572438-1405127623-500 KIOPTRIX (0)
    S-1-5-21-4157223341-3243572438-1405127623-501 KIOPTRIX (0)
    S-1-5-21-4157223341-3243572438-1405127623-502 KIOPTRIXunix_group.2147483399 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-503 KIOPTRIXunix_group.2147483399 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-504 KIOPTRIXunix_group.2147483400 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-505 KIOPTRIXunix_group.2147483400 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-506 KIOPTRIXunix_group.2147483401 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-507 KIOPTRIXunix_group.2147483401 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-508 KIOPTRIXunix_group.2147483402 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-509 KIOPTRIXunix_group.2147483402 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-510 KIOPTRIXunix_group.2147483403 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-511 KIOPTRIXunix_group.2147483403 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-512 KIOPTRIXDomain Admins (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-513 KIOPTRIXDomain Users (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-514 KIOPTRIXDomain Guests (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-515 KIOPTRIXunix_group.2147483405 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-516 KIOPTRIXunix_group.2147483406 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-517 KIOPTRIXunix_group.2147483406 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-518 KIOPTRIXunix_group.2147483407 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-519 KIOPTRIXunix_group.2147483407 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-520 KIOPTRIXunix_group.2147483408 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-521 KIOPTRIXunix_group.2147483408 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-522 KIOPTRIXunix_group.2147483409 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-523 KIOPTRIXunix_group.2147483409 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-524 KIOPTRIXunix_group.2147483410 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-525 KIOPTRIXunix_group.2147483410 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-526 KIOPTRIXunix_group.2147483411 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-527 KIOPTRIXunix_group.2147483411 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-528 KIOPTRIXunix_group.2147483412 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-529 KIOPTRIXunix_group.2147483412 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-530 KIOPTRIXunix_group.2147483413 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-531 KIOPTRIXunix_group.2147483413 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-532 KIOPTRIXunix_group.2147483414 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-533 KIOPTRIXunix_group.2147483414 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-534 KIOPTRIXunix_group.2147483415 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-535 KIOPTRIXunix_group.2147483415 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-536 KIOPTRIXunix_group.2147483416 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-537 KIOPTRIXunix_group.2147483416 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-538 KIOPTRIXunix_group.2147483417 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-539 KIOPTRIXunix_group.2147483417 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-540 KIOPTRIXunix_group.2147483418 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-541 KIOPTRIXunix_group.2147483418 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-542 KIOPTRIXunix_group.2147483419 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-543 KIOPTRIXunix_group.2147483419 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-544 KIOPTRIXunix_group.2147483420 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-545 KIOPTRIXunix_group.2147483420 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-546 KIOPTRIXunix_group.2147483421 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-547 KIOPTRIXunix_group.2147483421 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-548 KIOPTRIXunix_group.2147483422 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-549 KIOPTRIXunix_group.2147483422 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-550 KIOPTRIXunix_group.2147483423 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-1000 KIOPTRIXroot (Local User)
    S-1-5-21-4157223341-3243572438-1405127623-1001 KIOPTRIXroot (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-1002 KIOPTRIXbin (Local User)
    S-1-5-21-4157223341-3243572438-1405127623-1003 KIOPTRIXbin (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-1004 KIOPTRIXdaemon (Local User)
    S-1-5-21-4157223341-3243572438-1405127623-1005 KIOPTRIXdaemon (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-1006 KIOPTRIXadm (Local User)
    S-1-5-21-4157223341-3243572438-1405127623-1007 KIOPTRIXsys (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-1008 KIOPTRIXlp (Local User)
    S-1-5-21-4157223341-3243572438-1405127623-1009 KIOPTRIXadm (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-1010 KIOPTRIXsync (Local User)
    S-1-5-21-4157223341-3243572438-1405127623-1011 KIOPTRIXtty (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-1012 KIOPTRIXshutdown (Local User)
    S-1-5-21-4157223341-3243572438-1405127623-1013 KIOPTRIXdisk (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-1014 KIOPTRIXhalt (Local User)
    S-1-5-21-4157223341-3243572438-1405127623-1015 KIOPTRIXlp (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-1016 KIOPTRIXmail (Local User)
    S-1-5-21-4157223341-3243572438-1405127623-1017 KIOPTRIXmem (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-1018 KIOPTRIXnews (Local User)
    S-1-5-21-4157223341-3243572438-1405127623-1019 KIOPTRIXkmem (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-1020 KIOPTRIXuucp (Local User)
    S-1-5-21-4157223341-3243572438-1405127623-1021 KIOPTRIXwheel (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-1022 KIOPTRIXoperator (Local User)
    S-1-5-21-4157223341-3243572438-1405127623-1023 KIOPTRIXunix_group.11 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-1024 KIOPTRIXgames (Local User)
    S-1-5-21-4157223341-3243572438-1405127623-1025 KIOPTRIXmail (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-1026 KIOPTRIXgopher (Local User)
    S-1-5-21-4157223341-3243572438-1405127623-1027 KIOPTRIXnews (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-1028 KIOPTRIXftp (Local User)
    S-1-5-21-4157223341-3243572438-1405127623-1029 KIOPTRIXuucp (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-1030 KIOPTRIXunix_user.15 (Local User)
    S-1-5-21-4157223341-3243572438-1405127623-1031 KIOPTRIXman (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-1032 KIOPTRIXunix_user.16 (Local User)
    S-1-5-21-4157223341-3243572438-1405127623-1033 KIOPTRIXunix_group.16 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-1034 KIOPTRIXunix_user.17 (Local User)
    S-1-5-21-4157223341-3243572438-1405127623-1035 KIOPTRIXunix_group.17 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-1036 KIOPTRIXunix_user.18 (Local User)
    S-1-5-21-4157223341-3243572438-1405127623-1037 KIOPTRIXunix_group.18 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-1038 KIOPTRIXunix_user.19 (Local User)
    S-1-5-21-4157223341-3243572438-1405127623-1039 KIOPTRIXfloppy (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-1040 KIOPTRIXunix_user.20 (Local User)
    S-1-5-21-4157223341-3243572438-1405127623-1041 KIOPTRIXgames (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-1042 KIOPTRIXunix_user.21 (Local User)
    S-1-5-21-4157223341-3243572438-1405127623-1043 KIOPTRIXslocate (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-1044 KIOPTRIXunix_user.22 (Local User)
    S-1-5-21-4157223341-3243572438-1405127623-1045 KIOPTRIXutmp (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-1046 KIOPTRIXsquid (Local User)
    S-1-5-21-4157223341-3243572438-1405127623-1047 KIOPTRIXsquid (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-1048 KIOPTRIXunix_user.24 (Local User)
    S-1-5-21-4157223341-3243572438-1405127623-1049 KIOPTRIXunix_group.24 (Local Group)
    S-1-5-21-4157223341-3243572438-1405127623-1050 KIOPTRIXunix_user.25 (Local User)
    
     ============================================= 
    |    Getting printer info for 192.168.2.28    |
     ============================================= 
    No printers returned.
    
    
    enum4linux complete on Thu Jun 17 10:18:05 2021
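The enum4linux run above is long, and the facts that matter for triage (null session accepted, shares exposed, password policy, account names recovered by RID cycling, the srvinfo server-type bitmask) are scattered through it. The following parser is an added example, not code from the original post and not part of enum4linux: it reads a constructed excerpt modelled on the run above (hostname, workgroup, SID and server type copied from it, user list abridged), extracts those facts, and decodes the "server type: 0x9a03" value into the MS-SRVS SV_TYPE_* flag names, which correspond to the "Wk Sv PrQ Unx NT SNT" abbreviations rpcclient printed. The class, function and regex names are ours.

```python
"""Parse enum4linux text output into structured findings (added example;
not part of the original post and not enum4linux's own code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt modelled on the enum4linux run above (abridged).
SAMPLE_OUTPUT = r"""
[+] Got domain/workgroup name: MYGROUP
[+] Server 192.168.2.28 allows sessions using username '', password ''
[+] Got OS info for 192.168.2.28 from srvinfo:
        KIOPTRIX       Wk Sv PrQ Unx NT SNT Samba Server
        platform_id     :       500
        os version      :       4.5
        server type     :       0x9a03

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba Server)
        ADMIN$          IPC       IPC Service (Samba Server)
Reconnecting with SMB1 for workgroup listing.
Password Complexity: Disabled
Minimum Password Length: 0
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
S-1-5-21-4157223341-3243572438-1405127623-1000 KIOPTRIX\root (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1001 KIOPTRIX\root (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1046 KIOPTRIX\squid (Local User)
"""

# srvinfo "server type" bitmask: SV_TYPE_* bit values as defined in MS-SRVS.
# rpcclient prints them abbreviated; 0x9a03 is exactly "Wk Sv PrQ Unx NT SNT".
SERVER_TYPE_FLAGS = {
    0x1: "SV_TYPE_WORKSTATION", 0x2: "SV_TYPE_SERVER", 0x4: "SV_TYPE_SQLSERVER",
    0x8: "SV_TYPE_DOMAIN_CTRL", 0x10: "SV_TYPE_DOMAIN_BAKCTRL", 0x20: "SV_TYPE_TIME_SOURCE",
    0x40: "SV_TYPE_AFP", 0x80: "SV_TYPE_NOVELL", 0x100: "SV_TYPE_DOMAIN_MEMBER",
    0x200: "SV_TYPE_PRINTQ_SERVER", 0x400: "SV_TYPE_DIALIN_SERVER", 0x800: "SV_TYPE_SERVER_UNIX",
    0x1000: "SV_TYPE_NT", 0x2000: "SV_TYPE_WFW", 0x4000: "SV_TYPE_SERVER_MFPN",
    0x8000: "SV_TYPE_SERVER_NT", 0x10000: "SV_TYPE_POTENTIAL_BROWSER",
    0x20000: "SV_TYPE_BACKUP_BROWSER", 0x40000: "SV_TYPE_MASTER_BROWSER",
    0x80000: "SV_TYPE_DOMAIN_MASTER",
}


def decode_server_type(mask: int) -> List[str]:
    """Expand a server-type bitmask into the MS-SRVS flag names it sets."""
    return [name for bit, name in sorted(SERVER_TYPE_FLAGS.items()) if mask & bit]


@dataclass
class Enum4linuxReport:
    workgroup: Optional[str] = None
    null_session: bool = False
    server_type: Optional[int] = None
    shares: List[str] = field(default_factory=list)
    min_password_length: Optional[int] = None
    password_complexity: Optional[str] = None
    users: List[Tuple[int, str]] = field(default_factory=list)   # (RID, name)
    groups: List[Tuple[str, int]] = field(default_factory=list)  # (name, RID)


# One RID-cycling line. The DOMAIN\ prefix is optional because some terminals
# swallow the backslash (the run above renders names like "KIOPTRIXdaemon").
SID_LINE = re.compile(
    r"^S-1-5-21-[\d-]+-(\d+)\s+(?:[^\\\s]+\\)?(\S+)\s+\((Local|Domain) (User|Group)\)$"
)
SHARE_LINE = re.compile(r"^(\S+)\s+(Disk|IPC|Printer)\b")
GROUP_LINE = re.compile(r"^group:\[(.+?)\]\s+rid:\[(0x[0-9a-fA-F]+)\]")


def parse_enum4linux(text: str) -> Enum4linuxReport:
    """Walk the output line by line and pick out the facts a triage needs."""
    rep = Enum4linuxReport()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.search(r"Got domain/workgroup name:\s+(\S+)", line):
            rep.workgroup = m.group(1)
        elif "allows sessions using username '', password ''" in line:
            rep.null_session = True          # anonymous (null) session accepted
        elif m := re.match(r"server type\s*:\s*(0x[0-9a-fA-F]+)", line):
            rep.server_type = int(m.group(1), 16)
        elif m := re.match(r"Minimum Password Length:\s*(\d+)", line):
            rep.min_password_length = int(m.group(1))
        elif m := re.match(r"Password Complexity:\s*(\S+)", line):
            rep.password_complexity = m.group(1)
        elif m := GROUP_LINE.match(line):
            rep.groups.append((m.group(1), int(m.group(2), 16)))
        elif m := SID_LINE.match(line):
            if m.group(4) == "User":         # keep accounts, skip group SIDs
                rep.users.append((int(m.group(1)), m.group(2)))
        elif m := SHARE_LINE.match(line):
            rep.shares.append(m.group(1))
    return rep


def findings(rep: Enum4linuxReport) -> List[str]:
    """Defender-oriented summary of what the enumeration exposed."""
    out = []
    if rep.null_session:
        out.append("null session accepted: anonymous clients can list users, "
                   "groups and shares (restrict anonymous/guest access)")
    if rep.min_password_length is not None and rep.min_password_length < 8:
        out.append(f"minimum password length is {rep.min_password_length}")
    if (rep.password_complexity or "").lower() == "disabled":
        out.append("password complexity is disabled")
    if rep.users:
        names = ", ".join(n for _, n in rep.users)
        out.append(f"{len(rep.users)} account name(s) disclosed by RID cycling: {names}")
    return out


if __name__ == "__main__":
    report = parse_enum4linux(SAMPLE_OUTPUT)
    print("server type:", " ".join(decode_server_type(report.server_type)))
    for item in findings(report):
        print("-", item)
```

Feeding a saved enum4linux log (e.g. `sudo enum4linux 192.168.2.28 | tee enum.txt`) to parse_enum4linux gives the same structure, and the regexes tolerate both the `DOMAIN\name` form and the backslash-less rendering seen in the run above.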
    
    msfconsole
    search smb
    


    use auxiliary/scanner/smb/smb_version
    


    set rhosts 192.168.2.28
    exploit
    


    searchsploit samba 2.2
    


    Search 'trans2open' on Exploit-DB.


    https://www.exploit-db.com/exploits/22468

    https://www.exploit-db.com/exploits/22470

    nbtscan 192.168.2.28
    


    smbclient -L 192.168.2.28
    


    # Connect to the IPC$ share; the UNC path is single-quoted so the shell
    # passes the backslashes through to smbclient unchanged.
    smbclient '\\192.168.2.28\IPC$'
    


    Original article: https://www.cnblogs.com/keepmoving1113/p/14902741.html