# Network Services

## SMB

SMB stands for Server Message Block. It is a client-server protocol used to share access to files, printers and other resources over a network. Both Windows and Unix systems run SMB (on Unix typically through Samba).

It's known as a response-request protocol: the client and server exchange multiple messages to establish a connection, and clients generally connect over TCP/IP.

Once a connection is established, clients can send commands (known as SMBs) to the server to access files and other resources over the network.
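To make the "response-request over TCP/IP" description concrete, here is an added example (not part of the original room material) that packs and parses the 64-byte SMB2 message header defined in MS-SMB2, wraps it in the direct-TCP framing used on port 445, and checks that a constructed server reply actually correlates with the client's request. The NEGOTIATE body is omitted; only the header is modelled.

```python
import struct

# SMB2 header layout from MS-SMB2: 64 bytes, little-endian.
SMB2_HEADER = struct.Struct("<4sHHIHHIIQIIQ16s")
SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000                 # first command every client sends
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # set by the server on every response


def build_header(command, message_id, flags=0, status=0):
    """Pack a 64-byte SMB2 header; signature left zeroed (unsigned message)."""
    return SMB2_HEADER.pack(SMB2_MAGIC, 64, 0, status, command, 1, flags, 0,
                            message_id, 0, 0, 0, b"\x00" * 16)


def parse_header(data):
    """Unpack the header fields a correlation check cares about."""
    if len(data) < 64 or data[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    f = SMB2_HEADER.unpack_from(data)
    return {"status": f[3], "command": f[4], "flags": f[6],
            "message_id": f[8], "session_id": f[11]}


def frame_for_tcp(message):
    """Direct-TCP transport (port 445): one zero byte + 3-byte big-endian length."""
    return b"\x00" + len(message).to_bytes(3, "big") + message


def unframe(stream):
    """Strip the 4-byte transport header and return exactly one SMB2 message."""
    length = int.from_bytes(stream[1:4], "big")
    return stream[4:4 + length]


def is_reply_to(request, response):
    """A response matches a request when command and MessageId agree and only
    the response carries the server-to-client flag."""
    req, resp = parse_header(request), parse_header(response)
    return (req["command"] == resp["command"]
            and req["message_id"] == resp["message_id"]
            and not req["flags"] & SMB2_FLAGS_SERVER_TO_REDIR
            and bool(resp["flags"] & SMB2_FLAGS_SERVER_TO_REDIR))


def demo():
    # Constructed exchange: client NEGOTIATE request, then a matching server reply.
    request = build_header(SMB2_NEGOTIATE, message_id=0)
    wire = frame_for_tcp(request)
    response = build_header(SMB2_NEGOTIATE, message_id=0,
                            flags=SMB2_FLAGS_SERVER_TO_REDIR)
    return is_reply_to(unframe(wire), response)
```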

### Enumeration

Enumeration is the process of gathering information about a target to find potential attack vectors to exploit. It is essential to a successful attack, as it can yield information valuable to an attacker such as passwords, hostnames, application data and usernames.

Typically, a server exposes SMB shares that can be connected to in order to view files, and these shares sometimes contain valuable, sensitive information.

The first step of enumeration is a port scan; we have covered Nmap previously (Nmap's `-Pn` flag skips host discovery if the target does not answer ping). Enum4Linux is a tool for enumerating SMB shares on both Windows and Linux systems, and it makes it easy to quickly extract SMB-related information from the target.

The syntax is very easy: `enum4linux [options] ip`

<table><thead><tr><th width="146">TAG</th><th>FUNCTION</th></tr></thead><tbody><tr><td>-U</td><td>Get user list</td></tr><tr><td>-M</td><td>Get machine list</td></tr><tr><td>-N</td><td>Get name list dump</td></tr><tr><td>-S</td><td>Get share list</td></tr><tr><td>-P</td><td>Get password policy information</td></tr><tr><td>-G</td><td>Get the group and member list</td></tr><tr><td>-a</td><td>Do all of the above (a full enumeration)</td></tr></tbody></table>

### Exploitation

Having completed the enumeration above, we now know the SMB share's name and location. We are going to use smbclient to access the share remotely with the following:

```bash
smbclient //10.10.10.10/sharename
```

You can add options after the share name, separated by a space, such as `-U` to specify a user and `-p` to specify a port.

### Extra Explanation

This part aims to help you solve Task 3, as the syntax of the smbclient prompt is very different from a normal bash shell.

<figure><img src="https://1297820784-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIncHpQE9Q1Ax4cr7Wbpu%2Fuploads%2FMjJEVPgxSUeXASzP9b7c%2Fimage.png?alt=media&#x26;token=d71d99ee-f36b-40b6-85c6-d2bcd09a69e5" alt=""><figcaption><p>The first step is to use smbclient to login via the user Anonymous</p></figcaption></figure>

We are interested in the file `Working From Home Information.txt`. However, `cat` does not work on that file inside smbclient, and for some reason `openfile` or `open <file>` doesn't work either.

<figure><img src="https://1297820784-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIncHpQE9Q1Ax4cr7Wbpu%2Fuploads%2FtJ5nwWVdpQsUbMFNvvRh%2Fimage.png?alt=media&#x26;token=68f7e39f-7773-4952-a1c9-e6127d7fd4b0" alt=""><figcaption><p>To open a file</p></figcaption></figure>

Once that's done you'll see that it's a letter or note to John Cactus, so we assume that he is the owner. We can use `cd` to move into the `.ssh` directory and `ls` to view the files there. Then go back into the home directory and use the command below to download the file id\_rsa:

```bash
get .ssh/id_rsa id_rsa
```

Now go to your own machine and open the file id\_rsa; it will show a private key. First, restrict its permissions with `chmod` (for example `chmod 600 id_rsa`, since ssh refuses a private key that other users can read). Now you can ssh into the server like so:

<figure><img src="https://1297820784-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIncHpQE9Q1Ax4cr7Wbpu%2Fuploads%2F2XY2KuIIIad0YGkfv6B9%2Fimage.png?alt=media&#x26;token=c45f1a26-c151-49f2-b5c6-92c92c0305c0" alt=""><figcaption><p>Now we are in the server, we can list the files and find the flag!</p></figcaption></figure>

***

## Answers

### Task 2 <a href="#c8ce" id="c8ce"></a>

> What does SMB stand for?\
> Server Message Block

> What type of protocol is SMB?\
> response-request

> What do clients connect to servers using? *for every port?*\
> TCP/IP

> What systems does Samba run on?\
> Unix

### Task 3 <a href="#id-4a04" id="id-4a04"></a>

> Conduct a **nmap** scan of your choosing, How many ports are open?\
> 3

> What ports is **SMB** running on?\
> 139/445

> For starters, what is the **workgroup** name?\
> WORKGROUP

> What comes up as the **name** of the machine?\
> POLOSMB

> What operating system **version** is running?\
> 6.1

> What share sticks out as something we might want to investigate?\
> profiles

### Task 4 <a href="#id-6c68" id="id-6c68"></a>

> What would be the correct syntax to access an SMB share called “secret” as user “suit” on a machine with the IP 10.10.10.2 on the default port?\
> smbclient //10.10.10.2/secret -U suit -p 445

> Does the share allow anonymous access? Y/N?\
> Y

> Who can we assume this profile folder belongs to?\
> John Cactus

> What service has been configured to allow him to work from home?\
> ssh

> Okay! Now we know this, what directory on the share should we look in?\
> .ssh

> Which of these keys is most useful to us?\
> id\_rsa

> What is the smb.txt flag?\
> THM{smb\_is\_fun\_eh?}

***
