Bruteforce Samba with smbrute

When doing CTF challenges we often come across servers with SMB ports listening. When we enumerate, we find a user but no password. Then we have to do it the hard way and brute force Samba with “smbrute”.

In this post I will do the following:

  • Set up a Samba lab using Docker
  • Enumerate the container for a user
  • Brute force the user using smbrute

Set-Up

For this I will be using my BlackArch install and Docker running on an Ubuntu system. You can follow my post on how to install Arch Linux with the BlackArch repos. However, any modern Linux system will do the trick.

Systems

Enumeration System (BlackArch Linux): 192.168.1.150
Samba system (alpine Docker): 192.168.1.195

Enumeration System Setup

To set up the enumeration system we need a couple of packages installed.

Install smbclient, cifs-utils and enum4linux

On Ubuntu

sudo apt-get install smbclient cifs-utils enum4linux

On ArchLinux

sudo pacman -S smbclient cifs-utils enum4linux

smbclient provides the Samba client commands, and cifs-utils is required so the enumeration system can mount Samba shares. enum4linux scans SMB servers, such as Samba, for shares and users.

Samba Server Setup

For the Samba server I am going to use Docker, so make sure Docker is installed and started on your Samba server.

On Ubuntu

sudo snap install docker
sudo systemctl enable --now docker

Create a working directory and cd into it.

mkdir -p ~/docker/samba
cd ~/docker/samba

Pull down the Docker image for Samba.

sudo docker pull pwntr/samba-alpine

Run the Docker image.

sudo docker run -d -it --network host --name samba -v "$(pwd)/share/":/shared --rm pwntr/samba-alpine

Confirm the container is running.

sudo docker ps

(Screenshot: Samba is running in docker)

This Samba server has a user called rio, and you have to set its Samba password. Run the following commands and set the password to “letmein”.

sudo docker exec -it samba /bin/ash
smbpasswd -a rio
New SMB password:
Retype new SMB password:

(Screenshot: Change the password of rio)

Enumerate A Samba Server

Before we can brute force anything we need to enumerate some details such as shares and users. A great tool to start with for this is nmap.

(Screenshot: nmap output)

Running nmap against the host quickly shows us that ports 139 and 445 are listening and are SMB ports. Using enum4linux we can enumerate even more. Let's get some information on what's shared.

enum4linux -S 192.168.1.195

Which produces the output:

(Screenshot: enumerate a share)

Next we get the users that can be used.

enum4linux -U 192.168.1.195

The output of this gives us the user rio.

Now that we have a user “rio” and a share called “/data”, we can move to the next step and brute force the server password for the user “rio”.

Using smbrute

What is smbrute? It’s a Python script that uses smbclient to brute force the password of an SMB share if you have a username. It uses a file of usernames and a file of passwords to do it. But first, let's get the SMBrute Python scripts.

We can use “git” to clone the repository into a local folder. In this case I will put it into a directory called /root/scripts.

cd /root/scripts
git clone https://github.com/NullByte007/SMBRUTE

(Screenshot: Clone SMBrute git repo.)

Once cloned you can “cd” into the newly created SMBRUTE directory and run the script to get some help on it.

cd SMBRUTE/
python ./SMBRUTE.py

The script needs a number of options to run:

  • -u, a users file. This is a text file with all the users we want to try.
  • -p, a password file. This is a text file with all the passwords that will be tried against all the users.
  • -t, the target: the IP or hostname of the SMB system.

I have created two text files. /tmp/users.txt, which has the users we will try, in this case it's only one user, “rio”. And /opt/wordlist/fastrack.txt, which is a password file with 222 of the most popular passwords. It can be grabbed from GitHub.

Let's give it a go.

python ./SMBRUTE.py \
-u /tmp/SMBRUTE/users \
-p /tmp/SMBRUTE/passwords \
-t localhost

(Screenshot: smbrute in action)

Bingo!
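
On the Samba side, a run like the one above shows up as a burst of failed logons for one account from one address, followed by a success. The following is an added example, not part of the original post or of SMBRUTE, that flags that pattern. It assumes Samba is writing authentication audit lines; the sample lines are constructed and their exact layout is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed layout of a Samba authentication audit line (constructed, see sample_line).
AUTH_RE = re.compile(
    r"user \[[^\]]*\]\\\[(?P<user>[^\]]*)\] at \[(?P<ts>[^\]]+)\].*?"
    r"status \[(?P<status>NT_STATUS_\w+)\].*?remote host \[ipv4:(?P<ip>[\d.]+):\d+\]")
TS_FMT = "%a, %d %b %Y %H:%M:%S.%f %Z"
FAILS = {"NT_STATUS_WRONG_PASSWORD", "NT_STATUS_NO_SUCH_USER", "NT_STATUS_LOGON_FAILURE"}

def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Return alerts for failure bursts and for a logon that succeeds after one."""
    recent = defaultdict(deque)  # (ip, user) -> timestamps of recent failures
    alerts = []
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue  # not an authentication line
        ts = datetime.strptime(m["ts"], TS_FMT)
        key = (m["ip"], m["user"])
        q = recent[key]
        while q and ts - q[0] > window:  # forget failures outside the window
            q.popleft()
        if m["status"] in FAILS:
            q.append(ts)
            if len(q) == threshold:  # alert once, when the threshold is reached
                alerts.append(("bruteforce", *key))
        elif m["status"] == "NT_STATUS_OK" and len(q) >= threshold:
            alerts.append(("success_after_failures", *key))  # password was guessed
            q.clear()
    return alerts

def sample_line(sec, user, status, ip):
    """Build one constructed log line; hypothetical helper for the demo data."""
    return (f"Auth: [SMB2,(null)] user [WORKGROUP]\\[{user}] at "
            f"[Mon, 04 Mar 2024 10:00:{sec:02d}.000000 UTC] with [NTLMv2] "
            f"status [{status}] workstation [CLIENT] remote host [ipv4:{ip}:40000]")

# Constructed sample: eight wrong guesses for rio from the lab's enumeration
# host, then a success, plus one ordinary mistyped password from another user.
SAMPLE = [sample_line(s, "rio", "NT_STATUS_WRONG_PASSWORD", "192.168.1.150")
          for s in range(1, 9)]
SAMPLE += [sample_line(9, "rio", "NT_STATUS_OK", "192.168.1.150"),
           sample_line(2, "alice", "NT_STATUS_WRONG_PASSWORD", "192.168.1.20"),
           sample_line(3, "alice", "NT_STATUS_OK", "192.168.1.20")]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The "success_after_failures" alert is the one to act on first, since it means the account's password should be treated as known to the client that triggered it.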

YouTube

I have posted the basics of this to YouTube so you can get a more visual experience of what’s involved.

Wrap-Up

I hope you found this write-up of some use. When doing CTF challenges I found that Samba is something that pops up quite often, and it's well worth memorizing all the tools required to enumerate it. So learn to brute force Samba with smbrute.

Any questions or comments, leave them below.