A Little Guide to SMB Enumeration

Enumeration is an essential phase of penetration testing: once a pentester has established an active connection with the target, they try to retrieve as much information about the target's machine as possible, which can be useful for further exploitation.

In this article, we explore SMB enumeration using only the command-line tools built into Kali Linux.

Table of Content

  • Nmblookup
  • nbtscan
  • SMBMap
  • Smbclient
  • Rpcclient
  • Nmap
  • Enum4linux

nmblookup

nmblookup is used to query NetBIOS names and map them to IP addresses in a network using NetBIOS over TCP/IP queries. The options allow the name queries to be directed at a particular IP broadcast area or to a particular machine. All queries are done over UDP.

nmblookup is a helpful command for enumerating the domain/workstation name and the MAC address. NetBIOS identifies the service behind a registered name by its NetBIOS suffix, as listed below:

For unique names:

    00: Workstation Service (workstation name)

    03: Windows Messenger service

    06: Remote Access Service

    20: File Service (also called Host Record)

    21: Remote Access Service client

    1B: Domain Master Browser – Primary Domain Controller for a domain

    1D: Master Browser

For group names:

    00: Workstation Service (workgroup/domain name)

    1C: Domain Controllers for a domain

    1E: Browser Service Elections
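As an added illustration (not part of the original article), the following Python script parses the output of "nmblookup -A <ip>" and labels each name record with the suffix meanings listed above, distinguishing unique from group names; the sample output is constructed, and the NetbiosRecord and summarize names are my own.

```python
import re
from dataclasses import dataclass
# Suffix meanings from the lists above; unique and group names use separate tables.
UNIQUE_SUFFIXES = {
    0x00: "Workstation Service (workstation name)",
    0x03: "Windows Messenger service",
    0x06: "Remote Access Service",
    0x20: "File Service (also called Host Record)",
    0x21: "Remote Access Service client",
    0x1B: "Domain Master Browser - Primary Domain Controller for a domain",
    0x1D: "Master Browser",
}
GROUP_SUFFIXES = {
    0x00: "Workstation Service (workgroup/domain name)",
    0x1C: "Domain Controllers for a domain",
    0x1E: "Browser Service Elections",
}

# One name record as printed by "nmblookup -A <ip>": name <hex suffix> - [<GROUP>] nodetype <state>
RECORD_RE = re.compile(r"^\s*(?P<name>\S.*?)\s+<(?P<suffix>[0-9a-fA-F]{2})>\s+-\s+"
                       r"(?P<group><GROUP>)?\s*(?P<node>[BPMH])\s+<(?P<state>[A-Z]+)>")
MAC_RE = re.compile(r"MAC Address = ([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")

@dataclass
class NetbiosRecord:
    name: str
    suffix: int
    is_group: bool
    state: str

    @property
    def meaning(self) -> str:
        table = GROUP_SUFFIXES if self.is_group else UNIQUE_SUFFIXES
        return table.get(self.suffix, "unknown suffix")

def parse_nmblookup(output: str):
    """Parse 'nmblookup -A' output into (records, mac); mac is None when absent."""
    records, mac = [], None
    for line in output.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append(NetbiosRecord(m["name"], int(m["suffix"], 16),
                                         m["group"] is not None, m["state"]))
        elif (mm := MAC_RE.search(line)):
            mac = mm.group(1).upper()
    return records, mac

def summarize(records) -> dict:
    """Reduce records to inventory facts: host names, workgroup/domain names, advertised roles."""
    def has(suffix, group):
        return any(r.suffix == suffix and r.is_group == group for r in records)
    return {
        "hosts": sorted({r.name for r in records if r.suffix == 0x00 and not r.is_group}),
        "workgroups": sorted({r.name for r in records if r.suffix == 0x00 and r.is_group}),
        "file_service": has(0x20, False),
        "master_browser": has(0x1D, False),
        "domain_controller": has(0x1C, True),
    }

# Constructed sample in nmblookup's layout (not captured from a real host).
SAMPLE = """Looking up status of 192.168.0.105
\tMETASPLOITABLE  <00> -         B <ACTIVE>
\tMETASPLOITABLE  <20> -         B <ACTIVE>
\t..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
\tWORKGROUP       <00> - <GROUP> B <ACTIVE>
\tWORKGROUP       <1d> -         B <ACTIVE>
\tWORKGROUP       <1e> - <GROUP> B <ACTIVE>
\tMAC Address = 00-0c-29-aa-bb-cc
"""
```

A suffix the table does not know (the <01> __MSBROWSE__ group record here) is reported as "unknown suffix" rather than dropped, so nothing the host advertises goes unnoticed.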

nbtscan

nbtscan is a command-line utility that scans for NetBIOS name servers on a local or remote TCP/IP network, which is a first step in finding open shares. It is based on the functionality of the standard Windows tool "nbtstat", but works on a whole subnet instead of an individual IP.

As you can observe, it has dumped almost the same result as above; the most important difference is that it enumerates the whole subnet.

SMBMap

SMBMap allows users to enumerate Samba share drives across an entire domain. It can list share drives, drive permissions and share contents, upload and download files, auto-download files matching a file name pattern, and even execute remote commands. This tool was designed with pen testing in mind and is intended to simplify searching for potentially sensitive data across large networks.

As you can observe, this tool not only lists the shares but also shows their permissions. If you look at the second command, you will see that it shows the permissions for the user "msfadmin".

Smbclient

smbclient is a client that can ‘talk’ to an SMB/CIFS server. It offers an interface similar to that of the FTP program. Operations include things like getting files from the server to the local machine, putting files from the local machine to the server, retrieving directory information from the server and so on.

As you can observe, with the help of smbclient we are able to view the shared folders of the target machine. Moreover, we can use smbclient to transfer files over the network. Here you can observe that we logged in successfully using an anonymous login and transferred the user.txt file.

Rpcclient

rpcclient is a utility initially developed to test MS-RPC functionality in Samba itself. It has undergone several stages of development and stability. Many system administrators have now written scripts around it to manage Windows NT clients from their UNIX workstation.

We can use rpcclient to open an SMB session to a target machine by running the command below on our system; here we have used a NULL session, as we entered an empty username ("").

Next, we used rpcclient's user enumeration command (enumdomusers), and you can see the usernames as well as their RIDs (the last component of their SIDs) in hexadecimal form.

We use the queryuser command to retrieve all kinds of information about an individual user, identified solely by the user's RID in hex form; here RID 0x3e8 denotes the root user account.

Note that the output shows the last logon time for the user root, as well as the time the password was last set. Such details are very valuable for penetration testers, and all of this can be obtained without an admin username and password.

Nmap

The following Nmap script (smb-vuln-ms17-010) attempts to detect whether a Microsoft SMBv1 server is vulnerable to a remote code execution vulnerability (ms17-010, a.k.a. EternalBlue). The vulnerability is actively exploited by the WannaCry and Petya ransomware and other malware.

The script connects to the IPC$ tree, executes a transaction on FID 0 and checks whether the error "STATUS_INSUFF_SERVER_RESOURCES" is returned, which indicates that the target is not patched against ms17-010. Additionally, it checks for the known error codes returned by patched systems.

From the image below you can observe that it found the target machine vulnerable to ms17-010 via SMBv1.

Enum4linux

Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe formerly available from www.bindview.com.

It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup.

Key features:

  • RID cycling (When RestrictAnonymous is set to 1 on Windows 2000)
  • User listing (When RestrictAnonymous is set to 0 on Windows 2000)
  • Listing of group membership information
  • Share enumeration
  • Detecting if the host is in a workgroup or a domain
  • Identifying the remote operating system
  • Password policy retrieval

As you can observe, it has shown that the target belongs to a workgroup and dumped the NetBIOS names along with their suffixes, and much more information.

It also enumerates users along with their RIDs in hexadecimal form with the help of rpcclient. Hence enum4linux is a Swiss Army knife when it comes to enumeration, but it cannot identify SMB vulnerabilities the way Nmap can.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast.

Defend against Brute Force Attack with Fail2ban

Every day we hear news related to cybercrime, such as malicious users or bots successfully defacing publicly accessible websites or services. As we always try to explain through our articles, such activities are possible when a system is weakly configured or misconfigured. It is therefore important to build in security measures, such as an IDS/IPS alongside the firewall, to defend your servers and clients while configuring them.

In this article, we will show how you can protect your network and its running services from brute force attacks.

The answer is: Using IPS in your network.

Table of Content

  • What is an IPS?
  • Introduction to fail2ban
  • Lab Setup Requirement
  • Brute Force Attack in Absence of IPS
  • Intrusion Prevention Lab Set-Up
  • Configure Fail2Ban
  • Protect SSH Against Brute Force Attack
  • Testing Fail2ban
  • How to unban IP in fail2ban for SSH
  • Protect FTP against Brute Force Attack
  • Testing Fail2ban for VSFTP
  • Unban IP for VSFTPD

What is an IPS?

An Intrusion Prevention System, IPS for short, is a network security measure that examines incoming traffic to perform intrusion detection and then blocks the detected incidents. For example, an IPS can drop malicious packets or ban traffic coming from an offending IP address.

Introduction to fail2ban

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs: too many password failures, probing for exploits, etc. Generally, Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time.

In this article, I will discuss how to protect your running services against brute force attacks using fail2ban.

Source: https://www.fail2ban.org/wiki/index.php/Main_Page

Lab Setup Requirement

Victim’s Machine: Ubuntu 14.04  (192.168.0.105)

Pentester’s Machine: Kali Linux (192.168.0.105)

Brute Force Attack in Absence of IPS

Now let's try to launch a brute force attack against port 22, which is open on the target, to gain an unauthorized login. With the help of hydra, we will try to guess the SSH login credentials.

As you can observe in the above image, it has successfully found aarti:123 for the SSH login. Similarly, let's launch a brute force attack against port 21, which is also open on the target, to gain an unauthorized login. With the help of hydra, we will try to guess the FTP login credentials.

From the image below, you can observe how badly these services are configured. The network administrator has not even followed password complexity rules, and as a result it is easy to launch a brute force attack against such a network.

Intrusion Prevention Lab Set-Up

Therefore, I decided to set up an Intrusion Prevention System in this network, which will monitor incoming packets, detect malicious activity and block the traffic coming from the offending IP. Installing fail2ban is very easy, as Ubuntu already has a fail2ban package in its apt repositories.

First of all, let me show you the iptables rule list, which is empty as shown in the image below; then execute the installation command. Once it completes, copy the configuration from the jail.conf file into a jail.local file.

NOTE: While configuring fail2ban on your machine, you must have root access or use a non-root user with sudo rights.

Configure Fail2Ban

The fail2ban service keeps its default configuration in the file "jail.conf" in the /etc/fail2ban directory. You should not edit this file directly; instead, override it with a jail.local file created with the command below, and then open that file to configure it as per your requirements.

Above you have seen that we successfully launched brute force attacks on SSH and FTP; therefore I will configure fail2ban to stop brute force attacks on the network.

Once the file is open, you need to focus on a few settings, namely "ignoreip, bantime, maxretry", and modify their values as per your requirements: set the IPs you want fail2ban to ignore in ignoreip, set the ban time (in seconds) for which an offender is blocked in bantime, and set the maximum number of attempts a user is allowed in maxretry.
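As an added example (not part of the original article and not fail2ban's own code), the following Python sketch replays a constructed auth.log excerpt through the same ignoreip/findtime/maxretry/bantime logic, so you can see exactly which client ends up banned and why; the sshd failure pattern is a simplified stand-in for fail2ban's real filter, and the year 2019 is assumed because syslog timestamps carry no year.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failed-login lines OpenSSH writes to /var/log/auth.log. This regex is a simplified
# stand-in for fail2ban's own sshd filter, not a copy of it.
SSH_FAIL_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password "
                         r"for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+")

class Jail:
    """Sliding-window counter: ban an IP after `maxretry` failures within `findtime`
    seconds, for `bantime` seconds, unless the IP falls inside `ignoreip`."""
    def __init__(self, ignoreip=("127.0.0.1/8",), bantime=600, findtime=600, maxretry=3, year=2019):
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.bantime, self.findtime, self.maxretry = bantime, findtime, maxretry
        self.year = year                     # syslog timestamps carry no year (assumed)
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.bans = {}                       # ip -> ban expiry time

    def _ts(self, text):
        return datetime.strptime(f"{self.year} {text}", "%Y %b %d %H:%M:%S")

    def _ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def feed(self, line):
        """Process one log line; return the IP newly banned by this line, or None."""
        m = SSH_FAIL_RE.match(line)
        if not m or self._ignored(m["ip"]):
            return None
        ip, ts = m["ip"], self._ts(m["ts"])
        if ip in self.bans and self.bans[ip] <= ts:   # ban expired: unban, judge afresh
            del self.bans[ip]
        if ip in self.bans:                           # still banned: nothing to do
            return None
        window = self.failures[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > self.findtime:
            window.popleft()                          # drop failures older than findtime
        if len(window) >= self.maxretry:
            self.bans[ip] = ts + timedelta(seconds=self.bantime)
            window.clear()
            return ip
        return None

    def banned(self, ip, when):
        """True if `ip` is banned at syslog time `when` (e.g. 'Mar  3 10:05:00')."""
        return ip in self.bans and self.bans[ip] > self._ts(when)

# Constructed auth.log excerpt (not a real capture): a hydra-style burst from .104,
# a slow client spaced beyond findtime, and a localhost failure that ignoreip skips.
SAMPLE_LOG = """\
Mar  3 10:00:01 ubuntu sshd[1201]: Failed password for aarti from 192.168.0.104 port 51000 ssh2
Mar  3 10:00:02 ubuntu sshd[1202]: Failed password for invalid user admin from 192.168.0.104 port 51001 ssh2
Mar  3 10:00:02 ubuntu sshd[1203]: Accepted password for aarti from 192.168.0.110 port 52000 ssh2
Mar  3 10:00:03 ubuntu sshd[1204]: Failed password for aarti from 192.168.0.104 port 51002 ssh2
Mar  3 10:00:04 ubuntu sshd[1205]: Failed password for aarti from 192.168.0.104 port 51003 ssh2
Mar  3 10:01:00 ubuntu sshd[1206]: Failed password for root from 127.0.0.1 port 40000 ssh2
Mar  3 10:05:00 ubuntu sshd[1207]: Failed password for bob from 192.168.0.120 port 53000 ssh2
Mar  3 10:20:00 ubuntu sshd[1208]: Failed password for bob from 192.168.0.120 port 53001 ssh2
Mar  3 10:35:00 ubuntu sshd[1209]: Failed password for bob from 192.168.0.120 port 53002 ssh2
"""

def run(log=SAMPLE_LOG, **jail_opts):
    """Replay a log through a Jail; return (jail, list of IPs banned in order)."""
    jail = Jail(**jail_opts)
    return jail, [ip for ip in map(jail.feed, log.splitlines()) if ip]
```

With the defaults only the burst from 192.168.0.104 is banned; the slow client stays under maxretry because its failures fall outside findtime, which is exactly the trade-off you tune when you edit these three values.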

Protect SSH Against Brute Force Attack

Ultimately, we come to the portion of the configuration file which deals with specific services. These are identified by section headers, such as [ssh].

To enable one of these sections, uncomment the [ssh] header and change the enabled value to "true" as shown in the image below, then save the jail.local file and restart the fail2ban service:

Testing Fail2ban for SSH

Fail2ban offers a command, "fail2ban-client", that can be used to control Fail2ban from the command line. To check that Fail2Ban is running and the SSH jail is enabled, you can use the following syntax to confirm its status.

Syntax: fail2ban-client COMMAND

As you can observe, the current filter list and action list are set to 0, or in other words empty. These values will change if someone exceeds the maxretry limit.

As said above, fail2ban updates the iptables rules to reject the IP addresses for a specified amount of time, and from the image below you can observe that the last 3 rules were automatically created by fail2ban.

Now let's test the host machine against a brute force attack on the SSH login once again:

And as you can observe, this time we got a "Connection refused" error while brute forcing port 22.

Hmm!! Not bad. Let's also check the status of the ssh jail after this attack.

Now you can observe in the image below that it shows 1 banned IP: 192.168.0.104; anybody can explore the log file too for more details.

How to unban IP in fail2ban for SSH

If you wish to unban the IP, you can again use the fail2ban-client commands, as done here:

And when you check the ssh jail status one more time, it will no longer show any IP in the IP list.

Protect FTP against Brute Force Attack

Similarly, to enable the FTP section, uncomment the [vsftpd] header and change the enabled line to "true" as shown in the image below; you can also modify maxretry or the log file path as per your requirements.

    [vsftpd]
    enabled = true
    maxretry = 3

Testing Fail2ban for VSFTPD

Now save the jail.local file and restart the fail2ban service; then you can check fail2ban and its jail status, including the iptables rules.

With the help of the above command, we can conclude that there are now two jails, ssh and vsftpd, and that some new fail2ban rules have been created within iptables.

Now let's test the host machine against a brute force attack on the FTP login:

And as you can observe, this time we got a connection refused error during the brute force attack. Let's check the status of the vsftpd jail once again.

Yet again you can observe in the image below that it shows 1 banned IP: 192.168.0.104; anybody can check the log file too for more details.

And look at the vsftpd log file: it contains all the details related to the login attempts.

Unban IP in fail2ban for VSFTPD

If you wish to unban or unblock the IP, you can again use the fail2ban-client commands, as done here:

And when you check the vsftpd jail status once again, it will no longer show any IP in the IP list.

Hope you enjoy the article and find it helpful in your network penetration testing; you can do much more with fail2ban to secure your network.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast.

Comprehensive Guide on Dymerge

Hello friends! This article is a comprehensive guide to the Dymerge tool. This is a handy little tool that helps you manage all the dictionaries you've created by reading through our blog and using all the amazing tools we've written about.

Table of Content

  • What is Dymerge
  • Installing and Launching Dymerge
  • Standard Merge
  • Fast Mode
  • Removing Duplicates
  • Reverse Listing
  • Alphabetic and Numeric Sorting
  • Defining Output
  • Including Characters
  • Compressing Output

Introduction to Dymerge

Dymerge is a tool that gives you the ability to manage dictionaries. By manage we mean it lets you reshape and merge them. Reshaping and merging may seem trivial, but considering that you could be dealing with millions of words, even the smallest operation can turn into a mammoth, complicated task.

Installing and Launching Dymerge

We can install Dymerge from GitHub and launch it in two simple commands. We have used the "-h" flag to display the various options Dymerge has to offer.

Standard Merge

We hope you have a few dictionaries handy to follow along with what we are doing. This is a standard merge, where we specify the paths to 2 different dictionaries and Dymerge combines them.

To avoid any confusion, the command is "./dymerge.py" followed by the path of the first dictionary, then a space and the path to the second dictionary. By default the output will be in a file named "dymerged.txt".

Fast Mode

Arguably, if the dictionaries are very large, performing any operation on them will take time. The author of Dymerge thought of this conundrum and gave us a way to speed up the process using the "-f" flag.

Removing Duplicates

A lot of dictionary-making software follows the same logic, so there are bound to be duplicate words from time to time. Dymerge gives us the option to remove duplicate words from dictionaries while combining them. To achieve this, we use the "-u" flag.

Reverse Listing

Dymerge gives us the option to reverse the order of the words in the dictionaries that we merge, meaning that the first word in the new dictionary will be the last word of the second dictionary.

Alphabetic and Numeric Sorting

This option lets us sort words alphabetically; it also sorts numbers in number-line order from left to right when merging 2 dictionaries into 1. We use the "-s" flag to perform this operation.

Defining Output

So far we have let Dymerge save the output using its default settings; this time we will define the file name and destination of the output using the "-o" flag.

Including Characters

In case we find that we need something specific added to the dictionary, we can use the "-I" flag. Any characters placed after the include flag are added to the dictionary.

And here we see “raj” being added to the dictionary.

Compressing Output

Dictionaries can be pretty big, especially a unified dictionary comprised of multiple dictionaries. Dymerge gives us the option to compress the output using the "-z" flag.

All said and done, this is a pretty neat little tool to use when you're dealing with multiple dictionaries and need something to bring a little order. The functions it performs may seem simple on the face of it, but are without a doubt very useful.

Stay tuned for more articles on the latest and greatest in hacking.

Author: Shubham Sharma is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing.

Comprehensive Guide on Dirbuster Tool

In this article, we focus on finding hidden files and directories within a web server using the Kali Linux tool DirBuster.

Table of Content

  • What is DirBuster
  • Default Mode
  • GET Request Method
  • Pure Brute Force (Numeric)
  • Single Sweep (Non-recursive)
  • Targeted Start
  • Blank Extensions
  • Search by File Type (.txt)
  • Changing the DIR List
  • Following Redirects
  • Attack Through Proxy
  • Adding File Extensions
  • Evading Detective Measures (Requests Per Second)

What is DirBuster

DirBuster is an application within the Kali arsenal that is designed to brute force web and application servers for directories and files. The application lets users take advantage of multi-threading to get things moving faster. In this article, we will give you an overview of the tool and its basic functions.

Default Mode

We start DirBuster and only input http://testphp.vulnweb.com/ in the target URL field, leaving the rest of the options as they are. DirBuster will now auto-switch between HEAD and GET requests to perform a list-based brute force attack.

Let’s hit Start. DirBuster gets to work and starts brute forcing and we see various files and directories popping up in the result window.

GET Request Method

We will now set DirBuster to use only the GET request method. To make things go a little faster, the thread count is set to 200 and the "Go Faster" checkbox is checked.

In the Results – Tree View we can see the findings.

Pure Brute Force (Numeric)

DirBuster allows a lot of control over the attack process; in this step we will use only numerals to perform a pure brute force attack. This is done by selecting "Pure Brute Force" in the scanning type option and selecting "0-9" in the charset drop-down menu. By default, the minimum and maximum character limits are already set.

In the Results – Tree View we can see the findings.

Single Sweep (Non-recursive)

We will now perform a single-sweep brute force, where the dictionary words are used only once. To achieve this, we unselect the "Be Recursive" checkbox.

In the Results – List View we can see the findings.

Targeted Start

Further exploring the control options provided by DirBuster, we will set it up to start looking from the “admin” directory. In the “Dir to start with” field, type “/admin” and hit start.

In the Results – Tree View we can see the findings.

Blank Extensions

DirBuster can also look for directories with a blank extension, which could potentially uncover data that might otherwise be left untouched. All we do is check the "Use Blank Extension" checkbox.

We can see the processing happen as DirBuster tests for directories with blank extensions.

Search by File Type (.txt)

We will set the file extension type to .txt; by doing so, DirBuster will look specifically for files with a .txt extension. Type ".txt" in the File extension field and hit start.

We can see the processing happen as DirBuster tests for files with a .txt extension.

Changing the DIR List

We will now change the directory list in DirBuster: Options > Advanced Options > DirBuster Options > Dir list to use. Here we can browse and change the list to "directory-list-2.3-medium.txt", found at /usr/share/dirbuster/wordlists/ in Kali.

We can see the word list is now set.

Following Redirects

DirBuster by default is not set to follow redirects during the attack, but we can enable this under Options > Follow Redirects.

We can see the results in the scan information as the test progresses.

Results in the Tree View.

Attack through Proxy

DirBuster can also attack through a proxy. In this scenario, we try to open a web page at 192.168.1.108 but are denied access.

We set the IP in DirBuster as the attack target.

Before we start the attack, we set up the proxy option under Options > Advanced Options > Http Options. Here we check the "Run through a proxy" checkbox, input the IP 192.168.1.108 in the Host field and set the port to 3129.

We can see the test showing results.

Adding File Extensions

Some file extensions, mostly image formats, are excluded from the search by default in DirBuster. We can include them by navigating to Options > Advanced Options > HTML Parsing Options.

We will delete jpeg from this list in this instance and click OK.

In the File Extension field we will type "jpeg" to explicitly tell DirBuster to look for .jpeg files.

We can see in the testing process that DirBuster is looking for and finding jpeg files.

Evading Detective Measures

Exceeding the expected number of requests per second during an attack is a sure-fire way to get flagged by any detective measures in place. DirBuster lets us limit the requests per second to stay under that threshold. Options > Advanced Options > Scan Options is where we can enable this setting.

We set Connection Time Out to 500, check "Limit number of requests per second" and set that field to 20.

Once the test is initiated, we will see the results. The scan was stopped to show the initial findings.

Once the scan is complete the actual findings can be seen.

We hope you enjoy using this tool. It is a great tool that is a must in a pentester's arsenal.

Stay tuned for more articles on the latest and greatest in hacking.

Author: Shubham Sharma is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing.