SMBCLIENT

INSTALLATION

root@oco:~$ sudo apt install smbclient

LISTING SHARES: PASSWORD MISCONFIGURATION

# test whether the server has a password misconfiguration
root@oco:~$ smbclient -h
root@oco:~$ smbclient -L {\\\\targetIP} -U {userName}

 * the -L flag is used to list the shares available on the target server.
 * the -U flag is used to specify the login identity to use.
    - misconfigured SMB servers typically have administrator as the username
      with an unset password

LISTING SHARES: W/O PASSWORD

root@oco:~$ smbclient -h
root@oco:~$ smbclient -N -L \\\\10.129.42.253
 Sharename       Type      Comment
 --------       ----      -------
 print$          Disk      Printer Drivers
 users           Disk      
 IPC$            IPC       IPC Service (gs-svcscan server (Samba, Ubuntu))

 SMB1 disabled -- no workgroup available
 
 * the -N flag (null session) is used for anonymous access
    - it suppresses the password prompt, so no existing user or valid password is needed
    - the -N MUST come before the -L
 * the -L flag is used to list the shares available on the target
 * the print$ and IPC$ shares are present by default in a basic Samba setup (if configured)
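The share table printed by smbclient -N -L has a fixed shape (Sharename / Type / Comment, then a dashed rule, then one row per share, ended by a blank line). The following helper, added here as an example and not part of the original notes, parses that table from a constructed sample listing and separates the default print$ and IPC$ shares from the ones worth reviewing for anonymous access; on a real host you would feed it the captured output instead of SAMPLE_LISTING.

```bash
#!/bin/sh
# Constructed sample of `smbclient -N -L` output (not captured from a real host).
SAMPLE_LISTING='
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        users           Disk      
        IPC$            IPC       IPC Service (gs-svcscan server (Samba, Ubuntu))

SMB1 disabled -- no workgroup available
'

# Print the share names from a listing, one per line.
# Rows start after the dashed rule; the first column is the share name,
# and the first blank line marks the end of the table.
list_shares() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*-+[[:space:]]+-+/ { in_table = 1; next }
        in_table && NF == 0             { exit }
        in_table                        { print $1 }
    '
}

# Print only the shares that are not present by default in a basic Samba
# setup (print$ and IPC$), i.e. the ones to check for anonymous access.
nondefault_shares() {
    list_shares "$1" | grep -v -x -e 'print\$' -e 'IPC\$'
}

# Usage on the constructed sample: prints "users".
nondefault_shares "$SAMPLE_LISTING"
```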
 

ACCESSING SHARES: W/ FULL CREDENTIALS

root@oco:~$ smbclient \\\\10.129.150.91\\users -U bob%Welcome1

 * MUST list shares first prior to connecting with credentials
    - forward slashes can be used as well
       - //10.129.150.91/users

Enter WORKGROUP\<username>'s password: 
Anonymous login successful
Try "help" to get a list of possible commands.

CONNECTION: W/ PASSWORD

root@oco:~$ smbclient //10.129.150.91/users -U bob%Welcome1
 Try "help" to get a list of possible commands.

 * MUST list shares first prior to connecting with credentials
    - smbclient needs a share path, like //IP/SHARE
       - without a share, it doesn't know what to connect to

 * backslashes can be used instead of forward slashes
    - \\\\10.129.150.91\\users -U bob%Welcome1

smb: \> ls
 .                                   D        0  Thu Feb 25 16:42:23 2021
 ..                                  D        0  Thu Feb 25 15:05:31 2021
 bob                                 D        0  Thu Feb 25 16:42:23 2021

	4062912 blocks of size 1024. 1332480 blocks available
		
smb: \> cd bob

smb: \bob\> ls
 .                                   D        0  Thu Feb 25 16:42:23 2021
 ..                                  D        0  Thu Feb 25 16:42:23 2021
 passwords.txt                       N      156  Thu Feb 25 16:42:23 2021

	4062912 blocks of size 1024. 1332480 blocks available
		
smb: \bob\> get passwords.txt 
 getting file \bob\passwords.txt of size 156 as passwords.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)

smb: \> exit

root@oco:~$ cat passwords.txt
 ...

CONNECTION W/O PASSWORD

root@oco:~$ smbclient //10.129.202.5/sambashare
 Password for [WORKGROUP\htb-ac-53539]:
 Try "help" to get a list of possible commands.

smb: \> 

 * after listing the shares, test whether a connection to the share is possible
    - this only works if anonymous login is enabled or the share is misconfigured

DOWNLOADING FILES

smbclient also allows the execution of local system commands (on the local side, not the target)

smb: \> get prep-prod.txt 
 getting file \prep-prod.txt of size 71 as prep-prod.txt (8,7 KiloBytes/sec) (average 8,7 KiloBytes/sec)

smb: \> !ls
 prep-prod.txt

smb: \> !cat prep-prod.txt
 [] check your code with the templates
 [] run code-assessment.py
 [] …	
 
 * the "!" followed by a command runs that command on the local system (non-target side)
    - this will not interrupt the SMB connection.

EXECUTING LOCAL SYSTEM CMDS

The !<cmd> syntax in smbclient runs a command in the local shell without leaving the smbclient interactive prompt. The command executes on the local system, not on the SMB server you are connected to. This is useful because it saves time when you want to manipulate local files (e.g., listing directories, moving files) while staying inside the smbclient session.

# list local files while connected to the target
smb: \> !ls
 notes.txt  exploit.c  loot/
