Samba
Nmap discovered a Samba service on the target's ports 139 and 445.
The running service is Samba smbd 4.10.4 (workgroup: SAMBA).
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/snookums]
└─$ nmap --script smb-enum-shares -sV -p139,445 $IP
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-23 20:56 CET
Nmap scan report for 192.168.132.58
Host is up (0.019s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
Service Info: Host: SNOOKUMS
Host script results:
| smb-enum-shares:
| account_used: <blank>
| \\192.168.132.58\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (Samba 4.10.4)
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| \\192.168.132.58\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\drivers
|_ Anonymous access: <none>
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.57 seconds
Share mapping successful
The target Samba server allows anonymous (null session) access to the IPC$ share.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/snookums]
└─$ nxc smb $IP -u '' -p '' --shares --interfaces
SMB 192.168.132.58 445 SNOOKUMS [*] Unix - Samba (name:SNOOKUMS) (domain:) (signing:False) (SMBv1:True)
SMB 192.168.132.58 445 SNOOKUMS [+] \:
SMB 192.168.132.58 445 SNOOKUMS [*] Enumerated shares
SMB 192.168.132.58 445 SNOOKUMS Share Permissions Remark
SMB 192.168.132.58 445 SNOOKUMS ----- ----------- ------
SMB 192.168.132.58 445 SNOOKUMS print$ Printer Drivers
SMB 192.168.132.58 445 SNOOKUMS IPC$ IPC Service (Samba 4.10.4)
The instance is Samba 4.10.4
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/snookums]
└─$ enum4linux -a -r -o -n -A -U $IP
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Mar 23 20:58:05 2025
=========================================( Target Information )=========================================
Target ........... 192.168.132.58
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===========================( Enumerating Workgroup/Domain on 192.168.132.58 )===========================
[E] Can't find workgroup/domain
===============================( Nbtstat Information for 192.168.132.58 )===============================
Looking up status of 192.168.132.58
No reply from 192.168.132.58
==================================( Session Check on 192.168.132.58 )==================================
[+] Server 192.168.132.58 allows sessions using username '', password ''
===============================( Getting domain SID for 192.168.132.58 )===============================
Domain Name: SAMBA
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
==================================( OS information on 192.168.132.58 )==================================
[E] Can't get OS info with smbclient
[+] Got OS info for 192.168.132.58 from srvinfo:
SNOOKUMS Wk Sv PrQ Unx NT SNT Samba 4.10.4
platform_id : 500
os version : 6.1
server type : 0x809a03
======================================( Users on 192.168.132.58 )======================================
Use of uninitialized value $users in print at ./enum4linux.pl line 972.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.
Use of uninitialized value $users in print at ./enum4linux.pl line 986.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.
================================( Share Enumeration on 192.168.132.58 )================================
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Samba 4.10.4)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
SAMBA
[+] Attempting to map shares on 192.168.132.58
//192.168.132.58/print$ Mapping: DENIED Listing: N/A Writing: N/A
[E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//192.168.132.58/IPC$ Mapping: N/A Listing: N/A Writing: N/A
===========================( Password Policy Information for 192.168.132.58 )===========================
[+] Attaching to 192.168.132.58 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
[+] SNOOKUMS
[+] Builtin
[+] Password Info for Domain: SNOOKUMS
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: 37 days 6 hours 21 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: 37 days 6 hours 21 minutes
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
======================================( Groups on 192.168.132.58 )======================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
=================( Users on 192.168.132.58 via RID cycling (RIDS: 500-550,1000-1050) )=================
[I] Found new SID:
S-1-22-1
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\michael (Local User)
[+] Enumerating users using SID S-1-5-21-1827434953-4144285930-3050528427 and logon username '', password ''
S-1-5-21-1827434953-4144285930-3050528427-501 SNOOKUMS\nobody (Local User)
S-1-5-21-1827434953-4144285930-3050528427-513 SNOOKUMS\None (Domain Group)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
==============================( Getting printer info for 192.168.132.58 )==============================
No printers returned.
enum4linux complete on Sun Mar 23 21:00:03 2025
enum4linux found a valid system user via RID cycling: michael.
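The scans above surface four weaknesses worth recording on the defensive side: a null session is accepted, IPC$ is reachable anonymously, SMB signing is not required and SMBv1 is still enabled, and RID cycling over the null session exposes local account names. The following Python script is an added example (not part of the original writeup, nor code from nmap, nxc or enum4linux) that parses constructed sample lines modelled on the output above and turns them into a findings list with the corresponding smb.conf settings; the function names and the sample strings are assumptions made for this example.

```python
import re

# Constructed sample input, modelled on the nxc, nmap and enum4linux output in the writeup.
NXC_BANNER = (
    "SMB 192.168.132.58 445 SNOOKUMS [*] Unix - Samba (name:SNOOKUMS) "
    "(domain:) (signing:False) (SMBv1:True)"
)

NMAP_SHARES = r"""
| smb-enum-shares:
|   account_used: <blank>
|   \\192.168.132.58\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Anonymous access: READ/WRITE
|   \\192.168.132.58\print$:
|     Type: STYPE_DISKTREE
|_    Anonymous access: <none>
"""

ENUM4LINUX_RIDS = r"""
S-1-22-1-1000 Unix User\michael (Local User)
S-1-5-21-1827434953-4144285930-3050528427-501 SNOOKUMS\nobody (Local User)
S-1-5-21-1827434953-4144285930-3050528427-513 SNOOKUMS\None (Domain Group)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
"""

# One RID-cycling result line: "<SID> <authority>\<name> (<kind>)".
# The authority may contain spaces ("Unix User"), so match non-greedily up to the backslash.
RID_LINE = re.compile(
    r"^(?P<sid>S-1-\d+(?:-\d+)+)\s+(?P<authority>.+?)\\(?P<name>.+?)\s+\((?P<kind>[^)]+)\)$"
)
# A share header inside smb-enum-shares output, e.g. "\\192.168.132.58\IPC$:".
SHARE_LINE = re.compile(r"^\\\\[^\\]+\\(?P<share>[^:]+):$")


def parse_rid_cycling(text):
    """Return one dict per enumerated SID (sid, authority, name, kind)."""
    out = []
    for line in text.splitlines():
        m = RID_LINE.match(line.strip())
        if m:
            out.append(m.groupdict())
    return out


def parse_nxc_banner(line):
    """Extract the signing and SMBv1 flags nxc prints in its banner line."""
    signing = re.search(r"\(signing:(True|False)\)", line)
    smbv1 = re.search(r"\(SMBv1:(True|False)\)", line)
    return {
        "signing": signing is not None and signing.group(1) == "True",
        "smbv1": smbv1 is not None and smbv1.group(1) == "True",
    }


def parse_nmap_share_access(text):
    """Map each share in smb-enum-shares output to its 'Anonymous access' value."""
    access, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").strip()   # drop nmap's '|' / '|_' tree prefix
        m = SHARE_LINE.match(line)
        if m:
            current = m.group("share")
        elif current and line.startswith("Anonymous access:"):
            access[current] = line.split(":", 1)[1].strip()
    return access


def findings(banner, nmap_text, rid_text):
    """Combine the three parsers into a list of findings with suggested smb.conf fixes."""
    out = []
    flags = parse_nxc_banner(banner)
    if flags["smbv1"]:
        out.append("SMBv1 enabled (fix: 'server min protocol = SMB2')")
    if not flags["signing"]:
        out.append("SMB signing not required (fix: 'server signing = mandatory')")
    for share, acc in parse_nmap_share_access(nmap_text).items():
        if acc != "<none>":
            out.append(f"share {share} reachable anonymously with {acc} "
                       "(fix: 'restrict anonymous = 2', 'map to guest = Never')")
    users = [u["name"] for u in parse_rid_cycling(rid_text) if u["kind"] == "Local User"]
    if users:
        out.append("local accounts enumerable over a null session: " + ", ".join(users))
    return out


if __name__ == "__main__":
    for f in findings(NXC_BANNER, NMAP_SHARES, ENUM4LINUX_RIDS):
        print("[!]", f)
```

The regexes are written against the text layout the three tools produce rather than any structured output, so they are brittle by design; on a real engagement feed the captured files in place of the constructed strings and check the share headers still match the `\\host\share:` form shown above.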