Server Message Block (SMB) Enumeration, Attack and Defence

Introduction

If you see a service with TCP port 445 open, then it is probably running SMB. SMB is used for file sharing services. You will also see it related to other protocols in its operation:

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/06451bf2-578a-4b9d-94c0-8ce531bf14c4

Checklist

Here is a check list of common things to check:

Can you enumerate the server version?
Can you enumerate shares?
What versions of the protocol are enabled?
Can you connect using anon bind?
Are there any known vulnerabilities?
Can you enumerate usernames?
Is SMB signing enabled?
Are there other hosts in the subnet that can be used?

CTF

mRr3b00t Learns to play HTB again!

I rarely get a chance to play HTB these days 🙁 but today I thought i’d get back on it.. then I had a three hour battle with a graphics driver and Vmware Workstation so that basically ruined that idea…. but I thouht I’d try and remember how to CTF again.. and boy do you get slow fast! Well to try and help people and myself I’ve started to write down some notes to get my mind back into the CTF world of HTB!

Setup & Scope

Ok this is the setup phase. Let’s grab the details

Take note of the machine name
- Remember most boxes are called .htb or .htb.local
- There’s not an “internet” dns inside the arena so you need to update hosts files
Take note of the box author
- This is useful for OSINT
Take note of the IP
- This is your scope
Take note of the OS version
Get you digital notebook ready

CTF

Installing Subfinder on Windows

Subdomain Enumeration is a key part to security testing from an internet facing perspective. Today we are going to install Subfinder on a Windows Server.

Installation

Install GOLANG
- https://golang.org/doc/install

Launch a command prompt Read more “Installing Subfinder on Windows” →

CTF

How to enable NULL Bind on LDAP with Windows…

History of NULL bind

Back in the early Active Directory days NULL bind was actually enabled by default, these days you can get a rootDSE NULL bind out of the box but on Windows Server 2019 you can even disable this!

So why would I want to enable NULL bind? Well, some legacy apps may need it but generally speaking you don’t want NULL bind enabled.

The lesson here is DO NOT copy what I am doing here! Simples! Read more “How to enable NULL Bind on LDAP with Windows Server 2019” →

Defense

CyberChef Taster

A quick snack

Everyone knows about cyber chef, right? Well, I can tell you now that my misses knows so if you don’t now’s a great time to get to know! Cyber Chef is a tool created by GCHQ distrubted via an apache license that’s hosted on GitHub or you can download and run locally. Read more “CyberChef Taster” →

CTF

Try Hack Me: Part 5 – Game Zone

Getting my agent on!

Today we look at a vulnerable web application room based upon the Hitman series!

https://tryhackme.com/room/gamezone

This is a fun room where we see an old but common vulnerability in untrusted user input lead to sensitive information disclosure (hashed credentials) which results in a threat actor gaining initial access. From here we then discover there is a weak security configuration (in effective network segmentation) and a vulnerable unpatched service. This chain leads to total system compromise. Read more “Try Hack Me: Part 5 – Game Zone” →

CTF

Thinking of building a Capture the Flag game?

Capture all the things!

Capture the Flag (CTF) games seem to be all the rage now! I mean, I’m not complaining, I’ve been using these for years now and I’ve been building games for about a year so I’m super excited they are more popular, but popular != great. Read more “Thinking of building a Capture the Flag game?” →

Tag: ctf