Samba


Nmap discovered a Samba service on the target's ports 139 and 445. The running service is Samba smbd 3.0.26a.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/payday]
└─$ nmap --script smb-enum-shares -sV -p139,445 $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-08 21:29 CET
Nmap scan report for 192.168.198.39
Host is up (0.020s latency).
 
PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
 
Host script results:
| smb-enum-shares: 
|   account_used: <blank>
|   \\192.168.198.39\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (payday server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|   \\192.168.198.39\print$: 
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|_    Anonymous access: <none>
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.02 seconds

Share mapping complete.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/payday]
└─$ nxc smb $IP -u '' -p '' --shares --interfaces 
SMB         192.168.198.39  445    PAYDAY           [*] Unix (name:PAYDAY) (domain:PAYDAY) (signing:False) (SMBv1:True)
SMB         192.168.198.39  445    PAYDAY           [+] PAYDAY\: 
SMB         192.168.198.39  445    PAYDAY           [*] Enumerated shares
SMB         192.168.198.39  445    PAYDAY           Share           Permissions     Remark
SMB         192.168.198.39  445    PAYDAY           -----           -----------     ------
SMB         192.168.198.39  445    PAYDAY           print$                          Printer Drivers
SMB         192.168.198.39  445    PAYDAY           IPC$                            IPC Service (payday server (Samba, Ubuntu))

N/A

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/payday]
└─$ enum4linux -a -r -o -n -A -U $IP 
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Feb  8 21:31:46 2025
 
 =========================================( Target Information )=========================================
 
Target ........... 192.168.198.39
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
 
 
 ===========================( Enumerating Workgroup/Domain on 192.168.198.39 )===========================
 
 
[+] Got domain/workgroup name: MSHOME
 
 
 ===============================( Nbtstat Information for 192.168.198.39 )===============================
 
Looking up status of 192.168.198.39
	PAYDAY          <00> -         B <ACTIVE>  Workstation Service
	PAYDAY          <03> -         B <ACTIVE>  Messenger Service
	PAYDAY          <20> -         B <ACTIVE>  File Server Service
	..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
	MSHOME          <1d> -         B <ACTIVE>  Master Browser
	MSHOME          <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
	MSHOME          <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
 
	MAC Address = 00-00-00-00-00-00
 
 ==================================( Session Check on 192.168.198.39 )==================================
 
 
[+] Server 192.168.198.39 allows sessions using username '', password ''
 
 
 ===============================( Getting domain SID for 192.168.198.39 )===============================
 
Domain Name: MSHOME
Domain Sid: (NULL SID)
 
[+] Can't determine if host is part of domain or part of a workgroup
 
 
 ==================================( OS information on 192.168.198.39 )==================================
 
 
[E] Can't get OS info with smbclient
 
 
[+] Got OS info for 192.168.198.39 from srvinfo: 
	PAYDAY         Wk Sv PrQ Unx NT SNT payday server (Samba, Ubuntu)
	platform_id     :	500
	os version      :	4.9
	server type     :	0x809a03
 
 
 ======================================( Users on 192.168.198.39 )======================================
 
index: 0x1 RID: 0x3f2 acb: 0x00000010 Account: games	Name: games	Desc: (null)
index: 0x2 RID: 0x1f5 acb: 0x00000010 Account: nobody	Name: nobody	Desc: (null)
index: 0x3 RID: 0x402 acb: 0x00000010 Account: proxy	Name: proxy	Desc: (null)
index: 0x4 RID: 0x4b2 acb: 0x00000010 Account: syslog	Name: (null)	Desc: (null)
index: 0x5 RID: 0x42a acb: 0x00000010 Account: www-data	Name: www-data	Desc: (null)
index: 0x6 RID: 0x3e8 acb: 0x00000010 Account: root	Name: root	Desc: (null)
index: 0x7 RID: 0x3fa acb: 0x00000010 Account: news	Name: news	Desc: (null)
index: 0x8 RID: 0x3ec acb: 0x00000010 Account: bin	Name: bin	Desc: (null)
index: 0x9 RID: 0x3f8 acb: 0x00000010 Account: mail	Name: mail	Desc: (null)
index: 0xa RID: 0x4b0 acb: 0x00000010 Account: dhcp	Name: (null)	Desc: (null)
index: 0xb RID: 0x3ea acb: 0x00000010 Account: daemon	Name: daemon	Desc: (null)
index: 0xc RID: 0x4bc acb: 0x00000010 Account: sshd	Name: (null)	Desc: (null)
index: 0xd RID: 0x3f4 acb: 0x00000010 Account: man	Name: man	Desc: (null)
index: 0xe RID: 0x3f6 acb: 0x00000010 Account: lp	Name: lp	Desc: (null)
index: 0xf RID: 0x4b6 acb: 0x00000010 Account: mysql	Name: MySQL Server,,,	Desc: (null)
index: 0x10 RID: 0x4b8 acb: 0x00000010 Account: dovecot	Name: Dovecot mail server,,,	Desc: (null)
index: 0x11 RID: 0x43a acb: 0x00000010 Account: gnats	Name: Gnats Bug-Reporting System (admin)	Desc: (null)
index: 0x12 RID: 0x42c acb: 0x00000010 Account: backup	Name: backup	Desc: (null)
index: 0x13 RID: 0x3ee acb: 0x00000010 Account: sys	Name: sys	Desc: (null)
index: 0x14 RID: 0x4b4 acb: 0x00000010 Account: klog	Name: (null)	Desc: (null)
index: 0x15 RID: 0x4ba acb: 0x00000010 Account: postfix	Name: (null)	Desc: (null)
index: 0x16 RID: 0x434 acb: 0x00000010 Account: list	Name: Mailing List Manager	Desc: (null)
index: 0x17 RID: 0x436 acb: 0x00000010 Account: irc	Name: ircd	Desc: (null)
index: 0x18 RID: 0x3f0 acb: 0x00000010 Account: sync	Name: sync	Desc: (null)
index: 0x19 RID: 0x3fc acb: 0x00000010 Account: uucp	Name: uucp	Desc: (null)
 
user:[games] rid:[0x3f2]
user:[nobody] rid:[0x1f5]
user:[proxy] rid:[0x402]
user:[syslog] rid:[0x4b2]
user:[www-data] rid:[0x42a]
user:[root] rid:[0x3e8]
user:[news] rid:[0x3fa]
user:[bin] rid:[0x3ec]
user:[mail] rid:[0x3f8]
user:[dhcp] rid:[0x4b0]
user:[daemon] rid:[0x3ea]
user:[sshd] rid:[0x4bc]
user:[man] rid:[0x3f4]
user:[lp] rid:[0x3f6]
user:[mysql] rid:[0x4b6]
user:[dovecot] rid:[0x4b8]
user:[gnats] rid:[0x43a]
user:[backup] rid:[0x42c]
user:[sys] rid:[0x3ee]
user:[klog] rid:[0x4b4]
user:[postfix] rid:[0x4ba]
user:[list] rid:[0x434]
user:[irc] rid:[0x436]
user:[sync] rid:[0x3f0]
user:[uucp] rid:[0x3fc]
 
 ================================( Share Enumeration on 192.168.198.39 )================================
 
 
	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	IPC$            IPC       IPC Service (payday server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
 
	Server               Comment
	---------            -------
 
	Workgroup            Master
	---------            -------
	MSHOME               PAYDAY
 
[+] Attempting to map shares on 192.168.198.39
 
//192.168.198.39/print$	Mapping: DENIED Listing: N/A Writing: N/A
 
[E] Can't understand response:
 
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//192.168.198.39/IPC$	Mapping: N/A Listing: N/A Writing: N/A
 
 ===========================( Password Policy Information for 192.168.198.39 )===========================
 
 
 
[+] Attaching to 192.168.198.39 using a NULL share
 
[+] Trying protocol 139/SMB...
 
[+] Found domain(s):
 
	[+] PAYDAY
	[+] Builtin
 
[+] Password Info for Domain: PAYDAY
 
	[+] Minimum password length: 5
	[+] Password history length: None
	[+] Maximum password age: Not Set
	[+] Password Complexity Flags: 000000
 
		[+] Domain Refuse Password Change: 0
		[+] Domain Password Store Cleartext: 0
		[+] Domain Password Lockout Admins: 0
		[+] Domain Password No Clear Change: 0
		[+] Domain Password No Anon Change: 0
		[+] Domain Password Complex: 0
 
	[+] Minimum password age: None
	[+] Reset Account Lockout Counter: 30 minutes 
	[+] Locked Account Duration: 30 minutes 
	[+] Account Lockout Threshold: None
	[+] Forced Log off Time: Not Set
 
 
 
[+] Retieved partial password policy with rpcclient:
 
 
Password Complexity: Disabled
Minimum Password Length: 0
 
 
 ======================================( Groups on 192.168.198.39 )======================================
 
 
[+] Getting builtin groups:
 
 
[+]  Getting builtin group memberships:
 
 
[+]  Getting local groups:
 
 
[+]  Getting local group memberships:
 
 
[+]  Getting domain groups:
 
 
[+]  Getting domain group memberships:
 
 
 =================( Users on 192.168.198.39 via RID cycling (RIDS: 500-550,1000-1050) )=================
 
 
[I] Found new SID: 
S-1-5-21-711259059-4024229656-2467103629
 
[I] Found new SID: 
S-1-5-21-711259059-4024229656-2467103629
 
[I] Found new SID: 
S-1-5-32
 
[I] Found new SID: 
S-1-5-32
 
[I] Found new SID: 
S-1-5-32
 
[I] Found new SID: 
S-1-5-32
 
[+] Enumerating users using SID S-1-5-21-711259059-4024229656-2467103629 and logon username '', password ''
 
S-1-5-21-711259059-4024229656-2467103629-501 PAYDAY\nobody (Local User)
S-1-5-21-711259059-4024229656-2467103629-513 PAYDAY\None (Domain Group)
S-1-5-21-711259059-4024229656-2467103629-1000 PAYDAY\root (Local User)
S-1-5-21-711259059-4024229656-2467103629-1002 PAYDAY\daemon (Local User)
S-1-5-21-711259059-4024229656-2467103629-1004 PAYDAY\bin (Local User)
S-1-5-21-711259059-4024229656-2467103629-1006 PAYDAY\sys (Local User)
S-1-5-21-711259059-4024229656-2467103629-1008 PAYDAY\sync (Local User)
S-1-5-21-711259059-4024229656-2467103629-1010 PAYDAY\games (Local User)
S-1-5-21-711259059-4024229656-2467103629-1012 PAYDAY\man (Local User)
S-1-5-21-711259059-4024229656-2467103629-1014 PAYDAY\lp (Local User)
S-1-5-21-711259059-4024229656-2467103629-1016 PAYDAY\mail (Local User)
S-1-5-21-711259059-4024229656-2467103629-1018 PAYDAY\news (Local User)
S-1-5-21-711259059-4024229656-2467103629-1020 PAYDAY\uucp (Local User)
S-1-5-21-711259059-4024229656-2467103629-1026 PAYDAY\proxy (Local User)
 
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
 
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
 
 ==============================( Getting printer info for 192.168.198.39 )==============================
 
No printers returned.
 
 
enum4linux complete on Sat Feb  8 21:32:55 2025

Found several system accounts
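The nxc banner and the enum4linux output above expose several hardening gaps (signing not required, SMBv1 on, null sessions allowed, a weak password policy). The following added example, not part of the original notes, parses those two output formats and turns them into a finding list; the sample lines are constructed from the shapes shown on this page, and the `min_len` threshold is an assumed policy value.

```python
import re

# Constructed sample input in the formats nxc and enum4linux print
# (shapes copied from this page, not captured afresh).
NXC_BANNER = ("SMB         192.168.198.39  445    PAYDAY           "
              "[*] Unix (name:PAYDAY) (domain:PAYDAY) (signing:False) (SMBv1:True)")

ENUM4LINUX_OUTPUT = """\
[+] Server 192.168.198.39 allows sessions using username '', password ''
[+] Password Info for Domain: PAYDAY
	[+] Minimum password length: 5
	[+] Password history length: None
	[+] Password Complexity Flags: 000000
	[+] Account Lockout Threshold: None
"""


def audit_nxc_banner(line):
    """Flag weak SMB transport settings from an nxc 'smb' banner line."""
    findings = []
    m = re.search(r"\(signing:(\w+)\) \(SMBv1:(\w+)\)", line)
    if not m:
        return findings  # not a banner line; nothing to assess
    signing, smbv1 = m.group(1) == "True", m.group(2) == "True"
    if not signing:
        findings.append("SMB signing not required: relay/tampering risk")
    if smbv1:
        findings.append("SMBv1 enabled: legacy protocol, should be disabled")
    return findings


def audit_enum4linux(text, min_len=12):
    """Flag null-session access and weak password policy in enum4linux output.

    min_len is an assumed organisational minimum, not a value from the page."""
    findings = []
    if re.search(r"allows sessions using username '', password ''", text):
        findings.append("Null session allowed: anonymous user/share enumeration")
    m = re.search(r"Minimum password length: (\d+)", text)
    if m and int(m.group(1)) < min_len:
        findings.append(f"Minimum password length {m.group(1)} below {min_len}")
    if re.search(r"Password Complexity Flags: 0+\b", text):
        findings.append("Password complexity disabled")
    if re.search(r"Account Lockout Threshold: None", text):
        findings.append("No account lockout threshold: online guessing not throttled")
    return findings
```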

Null Session


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/payday]
└─$ smbclient -L //$IP/                  
Password for [WORKGROUP\kali]:
Anonymous login successful
 
	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	IPC$            IPC       IPC Service (payday server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
 
	Server               Comment
	---------            -------
 
	Workgroup            Master
	---------            -------
	MSHOME               PAYDAY

No non-default shares are available, but a workgroup is configured.