Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Samba hacking ?

from [Frederic Charpentier] Network Security [Permanent Link]
Subject: Re: Samba hacking ?
Date: Fri, 01 Apr 2005 13:12:10 +0200
Hi Bones,
Concerning samba enumeration, you can use samba-tng to get more than share names.

(with $rpc = samba-tng's smbclient, maybe it works with normal samba now)

$rpc -S $ipaddress -c 'wksinfo' -N
$rpc -S $ipaddress -c 'enumdomains' -N
$rpc -S $ipaddress -c 'lsaquery' -N
$rpc -S $ipaddress -c 'lsaenumsid' -N
$rpc -S $ipaddress -c 'enumgroups' -N
$rpc -S $ipaddress -c 'enumusers' -N
$rpc -S $ipaddress -c 'srvshares' -N

then, for each user found :
$rpc -S $ipaddress -c 'samuser $user -u' -N

GFI languard enumerates lot of information as well, on a windows platform.

Brute forcing user/pwd is a good idea (with hydra) and bruteforcing share name is also possible with handmade script.

Fred.

Bones wrote:
> All-
>
> Got tools galore for banging away on Windows-based SMB shares, but am
> currently working on a PT where the client has a number of unprotected
> (TCP 139, et al.) shares identified by nmap and Nessus as "Samba".
> Haven't really spent that much time with Samba before.
>
> I can cover the basics, such as null connections, and the old enum.exe
> tool from Razor seems to enumerate users and shares to a degree. Most
> other Win32 tools just crap out.
>
> Just wondering if there are any Samba-specific tools out there that I
> can get my hands on.
>
> Recommendations?
>

--
_______________________________________
Frederic Charpentier - Xmco Partners
Security Consulting / Pentest
web  : http://www.xmcopartners.com



Bones wrote: 
All-

Got tools galore for banging away on Windows-based SMB shares, but am
currently working on a PT where the client has a number of unprotected
(TCP 139, et al.) shares identified by nmap and Nessus as "Samba".
Haven't really spent that much time with Samba before.

I can cover the basics, such as null connections, and the old enum.exe
tool from Razor seems to enumerate users and shares to a degree. Most
other Win32 tools just crap out.

Just wondering if there are any Samba-specific tools out there that I
can get my hands on.

Recommendations?


--
_______________________________________
Frederic Charpentier - Xmco Partners
Security Consulting / Pentest
web  : http://www.xmcopartners.com

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-disclosure] Yersinia, a framework for layer 2 attacks, Yersinia Authors
Next by Date:  Accessing Winxp shares, Anurag Joshi
Previous by Thread:  [Full-disclosure] Yersinia, a framework for layer 2 attacks, Yersinia Authors
Next by Thread:  Re: Samba hacking ?, Jon Hart
Indexes:  [Date] [Thread] [Top] [All Lists]