Hacking with Samba

by dknfy  (dknfy@hotmail.com)

Like it or not, we are living in a Microsoft world.

When you have Christmas dinner with your grandparents, chances are you won't see a Slackware box with the latest kernel running on their shiny new Dell or Gateway.  Never fear!  Thankfully, for the minority who have chosen to install Linux, Samba is here to connect us to the world of Windows.

This article gives the reader a quick grasp of Samba's usage and commands, shows the power these tools give when combined with Linux, and how these tools could be abused.  This assumes some Linux knowledge, so if you don't understand what a command does, use the man page!

The tools that comprise the Samba suite (www.samba.org) operate with the SMB protocol (a.k.a. NetBIOS or LAN Manager).  SMB is used with Windows NT/95/98 to share files and printers.  Using Samba's tools (created by Andrew Tridgell), Linux hosts can share files with Windows machines.  If you did a full Linux install of any distribution, you probably already have these programs.

The Commands

Below is a list of Linux commands with their Microsoft equivalent.

First is the Samba server program called smbd.  This daemon runs off the config file /etc/smb.conf and listens on port 139.

If a Windows machine were accessing a share on our Linux box, smbd would serve up the directories specified in smb.conf.  smbd is highly configurable.  See the man page for more details.

Linux                                                      Microsoft
smbd                                                       File and Print Sharing Service
nmblookup -A 10.0.0.1                                      nbtstat -A 10.0.0.1
smbclient -L NetBIOSName -I 10.0.0.1 -N                    net view \\10.0.0.1             (May need to do a "net use \\IPaddress\ipc$" first)
smbclient //NetBIOSName/share -I 10.0.0.1                  net use x: \\NetBIOSName\share  (May need to substitute the IP for the NetBIOSName)
smbmount //NetBIOSName/share /mnt/mountpoint ip=10.0.0.1   net use c: \\NetBIOSName\share

Note the difference in slashes.  Each of these commands will get us one step closer to accessing the shares on our target.  Now onto the fun stuff!

Finding a Target

First, we need an IP address of a machine running NetBIOS.

You could play around on your school's LAN, or go on IRC and look for people who use mIRC.

But a better method is to use:

# nmap -sS -p139 -iR 0 -oM results

And let that run all night.  The next day, pull the IP addresses out of the output results file with:

$ grep open results | cut -f2 -d" " > ip_address

You will have a huge list of IPs of boxes running NetBIOS and many that have shares.  (Keep in mind that just because a box runs Samba or NetBIOS doesn't mean it has shares.)

Some of these boxes are Windows NT, Windows 2000, and even UNIX.  Windows 95/98 boxes have a huge security hole in file sharing (see www.nsfocus.com/english/homepage/sa_05.htm), but very often shares are simply left unprotected with no password at all.

Locating Computers with Shares

Now that we have our list of IP addresses, we must locate which ones have shares.

Instead of downloading a fancy scanner, let's be efficient and use a few shell commands.  Bash is the default shell with Red Hat Linux, so we will use it.

From a Bash prompt enter the following:

$ for x in `cat ip_address`
> do
> nmblookup -A $x >> computer_list &
> done

The for loop will then step through the file and execute nmblookup -A the.ip.addy.here on each IP in the list.

You will eventually get your prompt back.  This is a handy method of dealing with IP addresses.  Especially considering the body of the loop can be anything you want (ping, showmount -e, or the IIS exploit of the month), and a Bash shell is likely to be on every Linux box you find.

Enumerating Shares

Now we have a file called computer_list which contains the NetBIOS name tables of all the machines we scanned.

Each entry should look something like this:

Looking up status of 192.168.0.10
	USER18          <00> -         B <ACTIVE>
	WORKGROUP       <00> -         <GROUP> B <ACTIVE>
	USER18          <03> -         B <ACTIVE>
	USER18          <20> -         B <ACTIVE>
	WORKGROUP       <1e> -         <GROUP> B <ACTIVE>
	USER24          <03> -         B <ACTIVE>
	WORKGROUP       <1d> -         B <ACTIVE>
	__MSBROWSE__    <01> -         <GROUP> B <ACTIVE>

num_good_sends=0 num_good_receives=0

An __MSBROWSE__ entry indicates sharing is enabled.  We are only concerned about computers with this entry.  (Note that although sharing is enabled there may be no shares.)

The <00> entry lists the NetBIOS name, which we will need to query the machine for a list of shares by doing:

$ smbclient -L USER18 -I 192.168.0.10 -N

This will return something like the following:

Sharename Type   Comment
--------- ----   -------
C         Disk
HP        Printer
MIRC      Disk
MUSIC     Disk
IPC$      IPC

On a Windows NT/2000 host the listing also carries an OS banner, a server list, and a workgroup list:

Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

Sharename      Type      Comment
---------      ----      -------
IPC$           IPC       Remote IPC
ADMIN$         Disk      Remote Admin
C$             Disk      Default share

Server                   Comment
---------                -------
006097EFC730

Workgroup                Master
---------                -------
QEDUX                    IPENGUINI
WORKGROUP                006097EFC730
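The two listings above (the nmblookup -A name table and the smbclient -L share table) are plain text that the shell loop collects by the hundred, and an administrator auditing their own network wants them turned into a reviewable inventory rather than read by eye.  The following is an added example, not code from the article or from the Samba project: it parses both formats as the article shows them, picks out the unique <00> name (the machine name), the group <00> name (the workgroup), the __MSBROWSE__ marker the article keys on, and the unique <20> name, which is the NetBIOS suffix the Server (file and print sharing) service registers, then flags disk shares other than the administrative defaults.  The sample captures, the host 192.168.0.11, the name FILESRV, and the function names are all constructed for the example.

```python
"""Added example: parse nmblookup -A name tables and smbclient -L share listings
(the formats shown in the article) into an inventory for review.
Not code from the article or the Samba project; sample captures are constructed."""
import re
from dataclasses import dataclass, field

# Constructed nmblookup -A capture for two hosts (nmblookup indents entries with a
# tab; leading spaces are accepted here as well).  Host .11 is invented.
NMBLOOKUP_SAMPLE = """\
Looking up status of 192.168.0.10
    USER18          <00> -         B <ACTIVE>
    WORKGROUP       <00> -         <GROUP> B <ACTIVE>
    USER18          <03> -         B <ACTIVE>
    USER18          <20> -         B <ACTIVE>
    WORKGROUP       <1e> -         <GROUP> B <ACTIVE>
    WORKGROUP       <1d> -         B <ACTIVE>
    __MSBROWSE__    <01> -         <GROUP> B <ACTIVE>

num_good_sends=0 num_good_receives=0
Looking up status of 192.168.0.11
    FILESRV         <00> -         B <ACTIVE>
    WORKGROUP       <00> -         <GROUP> B <ACTIVE>
    FILESRV         <20> -         B <ACTIVE>

num_good_sends=0 num_good_receives=0
"""
# Constructed smbclient -L listings in the two layouts shown in the article.
SHARES_SAMPLE_9X = """\
Sharename Type   Comment
--------- ----   -------
C         Disk
HP        Printer
MIRC      Disk
MUSIC     Disk
IPC$      IPC
"""
SHARES_SAMPLE_2K = """\
Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

Sharename      Type      Comment
---------      ----      -------
IPC$           IPC       Remote IPC
ADMIN$         Disk      Remote Admin
C$             Disk      Default share

Server                   Comment
"""

STATUS_RE = re.compile(r"^Looking up status of (\S+)")
# name  <suffix> -  [<GROUP>]  node-type  <state>
NAME_RE = re.compile(r"^\s*(?P<name>.+?)\s+<(?P<suffix>[0-9A-Fa-f]{2})>\s+-\s+"
                     r"(?P<group><GROUP>\s+)?\S+\s+<(?P<state>\w+)>")
SHARE_RE = re.compile(r"^\s*(?P<name>\S+)\s+(?P<type>Disk|Printer|IPC|Device)\b\s*(?P<comment>.*)$")
# Administrative defaults (IPC$, ADMIN$, PRINT$, X$ drive roots) are not user-created shares.
ADMIN_SHARE_RE = re.compile(r"^(IPC\$|ADMIN\$|PRINT\$|[A-Z]\$)$", re.IGNORECASE)


@dataclass
class NbtName:
    name: str
    suffix: str   # two hex digits, lower-cased
    group: bool


@dataclass
class NbtHost:
    ip: str
    names: list = field(default_factory=list)

    def _find(self, suffix, group):
        return next((n.name for n in self.names if n.suffix == suffix and n.group == group), None)

    @property
    def netbios_name(self):          # unique <00>: the machine's NetBIOS name
        return self._find("00", False)

    @property
    def workgroup(self):             # group <00>: workgroup or domain name
        return self._find("00", True)

    @property
    def runs_server_service(self):   # unique <20>: Server (file/print sharing) service registered
        return self._find("20", False) is not None

    @property
    def is_master_browser(self):     # __MSBROWSE__<01>: the marker the article keys on
        return any(n.name == "__MSBROWSE__" for n in self.names)


def parse_nmblookup(text):
    """Split concatenated nmblookup -A output into one NbtHost per queried IP."""
    hosts, current = [], None
    for line in text.splitlines():
        if m := STATUS_RE.match(line):
            current = NbtHost(m.group(1))
            hosts.append(current)
        elif current is not None and (m := NAME_RE.match(line)):
            current.names.append(NbtName(m["name"], m["suffix"].lower(), m["group"] is not None))
    return hosts


def parse_smbclient_list(text):
    """Return (name, type, comment) tuples from the Sharename table of smbclient -L output."""
    shares, in_table = [], False
    for line in text.splitlines():
        if line.lstrip().startswith("Sharename"):
            in_table = True            # header row; the dashes row never matches SHARE_RE
        elif in_table and not line.strip():
            in_table = False           # a blank line ends the table
        elif in_table and (m := SHARE_RE.match(line)):
            shares.append((m["name"], m["type"], m["comment"].strip()))
    return shares


def exposed_disk_shares(shares):
    """Disk shares other than the administrative defaults: the ones worth reviewing."""
    return [name for name, kind, _ in shares if kind == "Disk" and not ADMIN_SHARE_RE.match(name)]


def audit(hosts, listings):
    """listings maps ip -> smbclient -L output for hosts that answered an anonymous (-N) listing.
    Returns (ip, name, anonymous_listing_worked, exposed_shares) per host running the Server service."""
    rows = []
    for h in hosts:
        if h.runs_server_service:
            exposed = exposed_disk_shares(parse_smbclient_list(listings.get(h.ip, "")))
            rows.append((h.ip, h.netbios_name, h.ip in listings, exposed))
    return rows


if __name__ == "__main__":
    hosts = parse_nmblookup(NMBLOOKUP_SAMPLE)
    listings = {"192.168.0.10": SHARES_SAMPLE_9X, "192.168.0.11": SHARES_SAMPLE_2K}
    for ip, name, anon, exposed in audit(hosts, listings):
        print(f"{ip:15} {name or '?':15} anon-list={anon!s:5} exposed={exposed}")
```

Feeding the real computer_list file in place of NMBLOOKUP_SAMPLE gives one row per host that registers the Server service, so the report shows which machines answered an anonymous listing at all and which of them export non-default disk shares such as a whole C drive; those are the hosts whose share passwords and permissions need attention first.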

Getting In

You will be surprised at how many C: drives are left unprotected, along with other interesting shares.

In the above case, we would try:

$ smbclient //USER18/C -I 192.168.0.10

and use a blank password.

If it does have a password (and they are using Windows 95/98), we can take advantage of the security hole mentioned above, which was made popular by the Windows program PQwak.

When you find a share, think of how that access can be leveraged.  Gaining access to a C: drive can be used to:

  • Decrypt *.PWL files to obtain more passwords.
  • Add programs you want run to the Start-up folder.
  • Use the system as a jumping off point for other activities.
  • Set up other shares to preserve access.
  • Obtain a CMD.EXE shell.
  • Discover personal information about the user.

Samba unites the file sharing efforts of Windows and Linux.  And if unsecured, it allows exploration of other systems and networks.

Hopefully, I have demystified the Samba commands and shown how a UNIX shell can reduce hundreds of commands to a few lines.

Remember: work smarter, not harder!
