Testing open shares/445
List shares with smbclient -L 1.2.3.4
root@localhost:~# smbclient -L 1.2.3.4
Enter root's password:
Anonymous login successful
Domain=[MSHOME] OS=[VxWorks] Server=[NQ 4.32]
Sharename Type Comment
--------- ---- -------
IPC$ IPC
MEMORY_CARD Disk FLASH MEMORY PHOTO
Anonymous login successful
Domain=[MSHOME] OS=[VxWorks] Server=[NQ 4.32]
Server Comment
--------- -------
Workgroup Master
--------- -------
Try to connect to the share
root@localhost:~# smbclient \\\\1.2.3.4\\MEMORY_CARD
Enter root's password:
Anonymous login successful
Domain=[MSHOME] OS=[VxWorks] Server=[NQ 4.32]
tree connect failed: NT_STATUS_ACCESS_DENIED
Boo
When it works
root@localhost:~# smbclient \\\\2.3.4.5\\MDMLOAD
Enter root's password:
Anonymous login successful
Domain=[DEMO] OS=[Unix] Server=[Samba 3.6.23-20.el6]
smb: \> l
. D 0 Wed Nov 4 02:42:15 2015
.. D 0 Mon Oct 12 20:38:40 2015
input.csv A 2024 Mon Nov 2 22:13:18 2015
59400 blocks of size 2097152. 19612 blocks available
enum4linux can help out when you have a bunch of shares to check or just want to do things quickly. -S to check shares, although you probably just want to do a -a for all.
enum4linux can help out when you have a bunch of shares to check or just want to do things quickly. -S to check shares, although you probably just want to do a -a for all.
root@localhost:~/enum4linux-0.8.9# perl enum4linux.pl -S 3.4.5.6
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Dec 15 22:34:52 2015
==========================
| Target Information |
==========================
Target ........... 3.4.5.6
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
==========================================
| Share Enumeration on 3.4.5.6 |
==========================================
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.12]
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.12]
Sharename Type Comment
--------- ---- -------
www Disk Public Stuff
IPC$ IPC IPC Service (Samba Server Version 4.1.12)
Server Comment
--------- -------
Workgroup Master
--------- -------
[+] Attempting to map shares on 3.4.5.6
//3.4.5.6/www Mapping: OK, Listing: OK
//3.4.5.6/IPC$ Mapping: OK Listing: DENIED
enum4linux complete on Tue Dec 15 22:35:09 2015
root@localhost:~# smbclient \\\\3.4.5.6\\www
Enter root's password:
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.12]
smb: \> ls
. DR 0 Sat Dec 12 14:23:20 2015
.. D 0 Thu Oct 8 11:53:20 2015
oops D 0 Fri Nov 27 17:38:04 2015
---SNIP---
Want to download a whole folder?
Want to download a whole folder?
root@localhost:~# smbget -R smb://3.4.5.6/www/oops
Username for www at 3.4.5.6 [guest]
Password for www at 3.4.5.6:
Using workgroup WORKGROUP, guest user
smb://3.4.5.6/www/oops/images/defaultpic.gif
smb://3.4.5.6/www/oops/images/ad2.jpg
---SNIP---
enum4liux is also super handy internally as it tries multiple ways to get a domain SID, if successful it will brute force the SID to enumerate all the SIDs/user accounts for the domain.
---SNIP---
enum4liux is also super handy internally as it tries multiple ways to get a domain SID, if successful it will brute force the SID to enumerate all the SIDs/user accounts for the domain.
3 comments:
I always wonder how shodan get its share names. On my local machine there is no problem, but I couldn´t figure out share names on a remote machine. I´ve portforwarding turned on (echo '1' > /proc/sys/net/ipv4/ip_forward) and a positive TTL response, but always get this error: failed (Error NT_STATUS_IO_TIMEOUT)
I think the request is blocked by firewall, but how do Shodan.com get it´s results?
you know i dont know I have definitely experience some similar issues. Also be aware that a good chunk of ISPs filter 135/139/445 on purpose and you cant connect to the hosts. I have to use a colo (digital ocean, rackspace, linode, etc) to get unfiltered access to the internet.
You can always ask John, he's pretty assessable over twitter.
I´m appreciated, thank you a lot. You were right. Netbios request was blocked by my ISP-Router. I turned it off and now getting the same answer as John gets. Thanks and happy X-Mas.
Post a Comment