SMB
Enum4linux
HETEMIT Wk Sv PrQ Unx NT SNT Samba 4.11.2
cmeeks USER
139/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 4.6.2
Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Metasploit) | linux/remote/42084.rb
smbmap -H 192.168.135.117
[+] IP: 192.168.135.117:445 Name: 192.168.135.117
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
Cmeeks NO ACCESS cmeeks Files
IPC$ NO ACCESS IPC Service (Samba 4.11.2)
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Aug 2 11:25:38 2022
=========================================( Target Information )=========================================
Target ........... 192.168.135.117
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
==========================( Enumerating Workgroup/Domain on 192.168.135.117 )==========================

[E] Can't find workgroup/domain

==============================( Nbtstat Information for 192.168.135.117 )==============================
Looking up status of 192.168.135.117
No reply from 192.168.135.117
==================================( Session Check on 192.168.135.117 )==================================

[+] Server 192.168.135.117 allows sessions using username '', password ''

==========================( Getting information via LDAP for 192.168.135.117 )==========================

[+] 192.168.135.117 appears to be a child DC

===============================( Getting domain SID for 192.168.135.117 )===============================
Domain Name: SAMBA
Domain Sid: (NULL SID)

[+] Can't determine if host is part of domain or part of a workgroup

=================================( OS information on 192.168.135.117 )=================================

[E] Can't get OS info with smbclient

[+] Got OS info for 192.168.135.117 from srvinfo:
HETEMIT Wk Sv PrQ Unx NT SNT Samba 4.11.2
platform_id : 500
os version : 6.1
server type : 0x809a03
======================================( Users on 192.168.135.117 )======================================
Use of uninitialized value $users in print at ./enum4linux.pl line 972.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.
Use of uninitialized value $users in print at ./enum4linux.pl line 986.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.
===============================( Machine Enumeration on 192.168.135.117 )===============================

[E] Not implemented in this version of enum4linux.

================================( Share Enumeration on 192.168.135.117 )================================
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
Cmeeks Disk cmeeks Files
IPC$ IPC IPC Service (Samba 4.11.2)
Reconnecting with SMB1 for workgroup listing.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 192.168.135.117
//192.168.135.117/print$ Mapping: DENIED Listing: N/A Writing: N/A
//192.168.135.117/Cmeeks Mapping: OK Listing: DENIED Writing: N/A

[E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//192.168.135.117/IPC$ Mapping: N/A Listing: N/A Writing: N/A
==========================( Password Policy Information for 192.168.135.117 )==========================
[+] Attaching to 192.168.135.117 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
[+] HETEMIT
[+] Builtin
[+] Password Info for Domain: HETEMIT
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: 37 days 6 hours 21 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: 37 days 6 hours 21 minutes
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
=====================================( Groups on 192.168.135.117 )=====================================

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

=================( Users on 192.168.135.117 via RID cycling (RIDS: 500-550,1000-1050) )=================

[I] Found new SID:
S-1-22-1

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)

[E] No info found
S-1-5-32-545 BUILTIN\Users (Local Group)

[E] No info found
S-1-5-32-546 BUILTIN\Guests (Local Group)

[E] No info found
S-1-5-32-547 BUILTIN\Power Users (Local Group)

[E] No info found
S-1-5-32-548 BUILTIN\Account Operators (Local Group)

[E] No info found
S-1-5-32-549 BUILTIN\Server Operators (Local Group)

[E] No info found
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[E] No info found

[+] Enumerating users using SID S-1-5-21-3325954428-699464429-3406591564 and logon username '', password ''
S-1-5-21-3325954428-699464429-3406591564-501 HETEMIT\nobody (Local User)
User Name : nobody
Full Name : Kernel Overflow User
Home Drive :
Dir Drive : (null)
Profile Path:
Logon Script:
Description :
Workstations:
Comment :
Remote Dial :
Logon Time : Wed, 31 Dec 1969 19:00:00 EST
Logoff Time : Wed, 13 Sep 30828 22:48:05 EDT
Kickoff Time : Wed, 13 Sep 30828 22:48:05 EDT
Password last set Time : Wed, 31 Dec 1969 19:00:00 EST
Password can change Time : Wed, 31 Dec 1969 19:00:00 EST
Password must change Time: Wed, 31 Dec 1969 19:00:00 EST
unknown_2[0..31]...
user_rid : 0x1f5
group_rid: 0x201
acb_info : 0x00000010
fields_present: 0x00ffffff
logon_divs: 168
bad_password_count: 0x00000000
logon_count: 0x00000000
padding1[0..7]...
logon_hrs[0..21]...
Account Disabled : False
Password does not expire : False
Account locked out : False
Password expired : False
Interdomain trust account: False
Workstation trust account: False
Server trust account : False
Trusted for delegation : False
S-1-5-21-3325954428-699464429-3406591564-513 HETEMIT\None (Domain Group)
Group Name: None
Description: Ordinary Users
Group Attribute:7
Num Members:0
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\cmeeks (Local User)
Use of uninitialized value $user_info in pattern match (m//) at ./enum4linux.pl line 1030.
==============================( Getting printer info for 192.168.135.117 )==============================
No printers returned.
enum4linux complete on Tue Aug 2 11:31:15 2022
NMAP
PORT STATE SERVICE REASON VERSION
139/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 4.6.2
|_smb-enum-services: ERROR: Script execution failed (use -d to debug)
Host script results:
| smb2-capabilities:
| 2.0.2:
| Distributed File System
| 2.1:
| Distributed File System
| Leasing
| 3.0:
| Distributed File System
| Leasing
| 3.0.2:
| Distributed File System
| Leasing
| 3.1.1:
| Distributed File System
|_ Leasing
|_smb-print-text: false
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [9]
| smb-mbenum:
|_ ERROR: Failed to connect to browser service: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [9]
| smb2-time:
| date: 2022-08-02T15:25:59
|_ start_date: N/A
| smb-protocols:
| dialects:
| 2.0.2
| 2.1
| 3.0
| 3.0.2
|_ 3.1.1
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Aug 2 11:26:41 2022 -- 1 IP address (1 host up) scanned in 63.81 seconds