Samba


Nmap discovered a Samba server on target port 445. The running service is smbd 4.7.6-Ubuntu.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/bratarina]
└─$ nmap --script smb-enum-shares -sV -p445 $IP                         
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-24 11:59 CET
Nmap scan report for 192.168.132.71
Host is up (0.019s latency).
 
PORT    STATE SERVICE     VERSION
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: COFFEECORP)
Service Info: Host: BRATARINA
 
Host script results:
| smb-enum-shares: 
|   account_used: <blank>
|   \\192.168.132.71\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (Samba 4.7.6-Ubuntu)
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|   \\192.168.132.71\backups: 
|     Type: STYPE_DISKTREE
|     Comment: Share for backups
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\opt\samba
|_    Anonymous access: READ/WRITE
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.73 seconds

Share mapping was successful. The target Samba server has 2 shares and allows anonymous access for both read and write.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/bratarina]
└─$ nxc smb $IP -u '' -p '' --shares --interfaces                                                       
SMB         192.168.132.71  445    BRATARINA        [*] Unix - Samba (name:BRATARINA) (domain:) (signing:False) (SMBv1:True)
SMB         192.168.132.71  445    BRATARINA        [+] \: (Guest)
SMB         192.168.132.71  445    BRATARINA        [*] Enumerated shares
SMB         192.168.132.71  445    BRATARINA        Share           Permissions     Remark
SMB         192.168.132.71  445    BRATARINA        -----           -----------     ------
SMB         192.168.132.71  445    BRATARINA        backups         READ            Share for backups
SMB         192.168.132.71  445    BRATARINA        IPC$                            IPC Service (Samba 4.7.6-Ubuntu)

The //$IP/backups share is the only non-default share.

Null Session


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/bratarina]
└─$ smbclient //$IP/backups                        
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> put test 
NT_STATUS_ACCESS_DENIED opening remote file \test
smb: \> ls
  .                                   D        0  Mon Jul  6 09:46:41 2020
  ..                                  D        0  Mon Jul  6 09:46:41 2020
  passwd.bak                          N     1747  Mon Jul  6 09:46:41 2020
 
		10253588 blocks of size 1024. 6338472 blocks available
 
smb: \> get passwd.bak 
getting file \passwd.bak of size 1747 as passwd.bak (20.8 KiloBytes/sec) (average 20.8 KiloBytes/sec)

The backups share contains what appears to be a password backup file. Additionally, the write access was a false positive.

passwd.bak


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/bratarina]
└─$ cat passwd.bak 
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
neil:x:1000:1000:neil,,,:/home/neil:/bin/bash
_smtpd:x:1001:1001:SMTP Daemon:/var/empty:/sbin/nologin
_smtpq:x:1002:1002:SMTPD Queue:/var/empty:/sbin/nologin
postgres:x:111:116:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash

The content resembles that of the /etc/passwd file. Notably, neil is a valid system user.
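To judge what an exposed passwd-format backup like this one actually discloses, the following added example (not part of the original notes) parses the file and reports login-capable accounts, UID 0 accounts, and any password field that is not shadowed. The function names and the set of non-login shells are assumptions made for illustration; the sample is six lines copied from the listing above.

```python
# Added example: triage a passwd-format file for what it exposes.
# Shells treated as "no interactive login" (an assumption; extend as needed).
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}

# Six lines copied verbatim from the passwd.bak listing above.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
neil:x:1000:1000:neil,,,:/home/neil:/bin/bash
_smtpd:x:1001:1001:SMTP Daemon:/var/empty:/sbin/nologin
postgres:x:111:116:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
"""

def parse_passwd(text):
    """Return one dict per well-formed line (7 colon-separated fields)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip malformed lines instead of guessing
        name, pw, uid, _gid, _gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid),
                        "home": home, "shell": shell})
    return entries

def triage(entries):
    """Summarise the exposure: who can log in, who is root-equivalent,
    and whether any password material sits in the file itself."""
    return {
        # An empty shell field defaults to /bin/sh, so it counts as login-capable.
        "login_capable": [e["name"] for e in entries
                          if e["shell"] not in NON_LOGIN_SHELLS],
        # Any UID 0 account is root-equivalent regardless of its name.
        "uid0": [e["name"] for e in entries if e["uid"] == 0],
        # "x" = hash kept in /etc/shadow; "*" / "!" = no usable password.
        # Anything else is a hash or an empty password stored in this file.
        "inline_password": [e["name"] for e in entries
                            if e["pw"] not in ("x", "*", "!")],
    }

if __name__ == "__main__":
    for key, names in triage(parse_passwd(SAMPLE)).items():
        print(f"{key}: {names}")
```

On the sample, every password field is `x`, so the backup discloses account names and shells but no hashes.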