Re: Samba hacking ?

From: Frederic Charpentier (fcharpen_at_xmcopartners.com)
Date: 04/01/05

    Date: Fri, 01 Apr 2005 13:12:10 +0200
    To: pen-test@securityfocus.com
    
    

    Hi Bones,
    Concerning Samba enumeration, you can use samba-tng to get more than
    share names.

    (with $rpc = samba-tng's smbclient, maybe it works with normal samba now)

    $rpc -S $ipaddress -c 'wksinfo' -N
    $rpc -S $ipaddress -c 'enumdomains' -N
    $rpc -S $ipaddress -c 'lsaquery' -N
    $rpc -S $ipaddress -c 'lsaenumsid' -N
    $rpc -S $ipaddress -c 'enumgroups' -N
    $rpc -S $ipaddress -c 'enumusers' -N
    $rpc -S $ipaddress -c 'srvshares' -N

    Then, for each user found:
    $rpc -S $ipaddress -c 'samuser $user -u' -N

    GFI LANguard enumerates a lot of information as well, on a Windows platform.

    Brute forcing user/pwd is a good idea (with hydra) and brute forcing
    share names is also possible with a handmade script.

    Fred.

    Bones wrote:
    > All-
    >
    > Got tools galore for banging away on Windows-based SMB shares, but am
    > currently working on a PT where the client has a number of unprotected
    > (TCP 139, et al.) shares identified by nmap and Nessus as "Samba".
    > Haven't really spent that much time with Samba before.
    >
    > I can cover the basics, such as null connections, and the old enum.exe
    > tool from Razor seems to enumerate users and shares to a degree. Most
    > other Win32 tools just crap out.
    >
    > Just wondering if there are any Samba-specific tools out there that I
    > can get my hands on.
    >
    > Recommendations?
    >

    -- 
    _______________________________________
    Frederic Charpentier - Xmco Partners
    Security Consulting / Pentest
    web  : http://www.xmcopartners.com
    
