SMB
Nmap discovered a Windows Directory service running on ports 139 and 445 of the nara.nara-security.com (192.168.209.30) host.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nara]
└─$ nmap --script smb-enum-shares -sV -p139,445 $IP
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-01 14:24 CEST
Nmap scan report for nara.nara-security.com (192.168.209.30)
Host is up (0.020s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.66 seconds
Share mapping failed
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nara]
└─$ nxc smb $IP -u '' -p '' --shares --interfaces
SMB 192.168.209.30 445 NARA [*] Windows Server 2022 Build 20348 x64 (name:NARA) (domain:nara-security.com) (signing:True) (SMBv1:False)
SMB 192.168.209.30 445 NARA [+] nara-security.com\:
SMB 192.168.209.30 445 NARA [-] Error enumerating shares: STATUS_ACCESS_DENIED
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nara]
└─$ nxc smb $IP -u 'blah' -p 'blaah' --shares --interfaces
SMB 192.168.209.30 445 NARA [*] Windows Server 2022 Build 20348 x64 (name:NARA) (domain:nara-security.com) (signing:True) (SMBv1:False)
SMB 192.168.209.30 445 NARA [+] nara-security.com\blah:blaah (Guest)
SMB 192.168.209.30 445 NARA [-] Error enumerating shares: STATUS_ACCESS_DENIED
The target SMB server allows both guest and anonymous access.
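The same reading of the nxc output, written as an audit helper for scan logs covering many hosts. This is an added example, not part of the original notes; the finding labels and the function name `triage` are assumptions, and the sample text is the output of the two runs above.

```python
import re
from collections import defaultdict

# Banner fields as printed by nxc: "(signing:True) (SMBv1:False)"
BANNER = re.compile(r"\(signing:(\w+)\) \(SMBv1:(\w+)\)")
# Accepted logon: "[+] domain\user:password", optionally followed by " (Guest)"
LOGON = re.compile(r"\[\+\] [^\\\s]+\\([^:\s]*):(\S*)( \(Guest\))?")

# Output of the two runs shown above, shell prompts removed.
SAMPLE = r"""
SMB 192.168.209.30 445 NARA [*] Windows Server 2022 Build 20348 x64 (name:NARA) (domain:nara-security.com) (signing:True) (SMBv1:False)
SMB 192.168.209.30 445 NARA [+] nara-security.com\:
SMB 192.168.209.30 445 NARA [-] Error enumerating shares: STATUS_ACCESS_DENIED
SMB 192.168.209.30 445 NARA [*] Windows Server 2022 Build 20348 x64 (name:NARA) (domain:nara-security.com) (signing:True) (SMBv1:False)
SMB 192.168.209.30 445 NARA [+] nara-security.com\blah:blaah (Guest)
SMB 192.168.209.30 445 NARA [-] Error enumerating shares: STATUS_ACCESS_DENIED
"""

def triage(output):
    """Group nxc smb output by host IP and flag weak session handling."""
    hosts = defaultdict(lambda: {"signing": None, "smbv1": None, "findings": set()})
    for line in output.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[0] != "SMB":
            continue  # not an nxc SMB result line
        host, message = hosts[parts[1]], parts[4]
        banner = BANNER.search(message)
        if banner:
            host["signing"] = banner.group(1) == "True"
            host["smbv1"] = banner.group(2) == "True"
            if host["smbv1"]:
                host["findings"].add("smbv1-enabled")
        logon = LOGON.search(message)
        if logon:
            user, password, guest = logon.groups()
            if user == "" and password == "":
                host["findings"].add("null-session")    # empty user and password accepted
            if guest:
                host["findings"].add("guest-fallback")  # unknown user mapped to Guest
    return dict(hosts)

if __name__ == "__main__":
    for ip, info in triage(SAMPLE).items():
        print(ip, sorted(info["findings"]), "signing:", info["signing"])
```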
Null Session
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nara]
└─$ impacket-smbclient blah@nara.nara-security.com
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Password:
Type help for list of commands
# shares
ADMIN$
C$
IPC$
nara
NETLOGON
SYSVOL
#
The nara share is the only non-default share.
nara Share
# use nara
# tree
/Important.txt
Finished - 2 files and folders
# ls
drw-rw-rw- 0 Sun Jul 30 16:31:58 2023 .
drw-rw-rw- 0 Tue Jul 1 14:04:14 2025 ..
drw-rw-rw- 0 Sun Jul 30 16:22:47 2023 Documents
-rw-rw-rw- 2200 Sun Jul 30 16:22:47 2023 Important.txt
drw-rw-rw- 0 Sun Jul 30 18:22:50 2023 IT
Two empty directories and a single text file are available.
Important.txt
# cat Important.txt
Dear Team,
We hope this message finds you well. We wanted to remind all employees to take a moment each day to check the shared documents folder diligently. As part of our commitment to streamline processes and enhance efficiency, important documents are frequently uploaded to this folder for your attention and action.
The shared documents folder serves as a central hub for crucial updates, contracts, agreements, and various other essential materials requiring your attention. To ensure that you don't miss any critical information, please make it a habit to access the folder at the beginning of your workday or as often as possible.
Here are a few simple steps to stay up-to-date and ensure timely actions:
* Access the Shared Documents Folder: Log in to your company account and navigate to the designated shared documents folder. If you encounter any issues accessing the folder, please reach out to the IT department for assistance.
* Review New Additions: Look for any new documents that might have been uploaded since your last visit. These documents might require your signature, feedback, or acknowledgment.
* Take Action Promptly: If there are documents that need your attention, please act promptly and follow the necessary procedures as indicated within each document. Whether it's a signature, a comment, or any other form of response, timely actions are vital to keep our operations running smoothly.
* Seek Clarification: If you encounter any uncertainty or have questions about the documents you find, don't hesitate to reach out to the relevant department or the person mentioned in the document for clarification. It's essential that you fully understand what's required before proceeding.
Remember, staying informed and acting promptly ensures that projects progress seamlessly, contracts get executed on time, and the company as a whole operates efficiently. Your cooperation in this matter is greatly appreciated and contributes to our collective success.
Thank you for your attention to this matter, and if you have any concerns or suggestions to improve our document management process, please share them with your department head or the HR team.
The Important.txt file outlines the use of the shared Documents directory, and encourages users to check the files within it.
Write Access
# cd Documents
# put test
# ls
drw-rw-rw- 0 Tue Jul 1 14:50:38 2025 .
drw-rw-rw- 0 Tue Jul 1 14:48:37 2025 ..
-rw-rw-rw- 8 Tue Jul 1 14:50:38 2025 test
# rm test
Given that write access is granted to the Documents directory, and Important.txt tells employees to check that folder daily and act on new documents, this poses a phishing opportunity.
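The detection side of the write test above, as an added example that is not part of the original notes: it filters Windows Security event 5145 records for writes or deletes on the nara share requested by Guest or ANONYMOUS LOGON. It assumes "Audit Detailed File Share" is enabled and the events were exported as dictionaries; the sample records, SIDs and source address are constructed.

```python
# Access-mask bits that change share content (Windows file access rights).
FILE_WRITE_DATA, FILE_APPEND_DATA, DELETE = 0x2, 0x4, 0x10000
WRITE_BITS = FILE_WRITE_DATA | FILE_APPEND_DATA | DELETE

def is_unauthenticated(sid):
    """True for ANONYMOUS LOGON (S-1-5-7) or a Guest account (RID 501)."""
    return sid == "S-1-5-7" or (sid.startswith("S-1-5-21-") and sid.endswith("-501"))

def unauthenticated_writes(events, share="nara"):
    """Return (source IP, path, requested write bits) for matching 5145 events."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 5145:
            continue
        # 5145 logs ShareName as \\*\<share>; compare the last component only
        if ev["ShareName"].rsplit("\\", 1)[-1].lower() != share.lower():
            continue
        bits = int(ev["AccessMask"], 16) & WRITE_BITS
        if bits and is_unauthenticated(ev["SubjectUserSid"]):
            hits.append((ev["IpAddress"], ev["RelativeTargetName"], hex(bits)))
    return hits

# Constructed events modelled on the put/rm test above (all values are placeholders).
GUEST = "S-1-5-21-1111111111-2222222222-3333333333-501"
STAFF = "S-1-5-21-1111111111-2222222222-3333333333-1104"
EVENTS = [
    {"EventID": 5145, "SubjectUserSid": GUEST, "IpAddress": "192.0.2.10",
     "ShareName": r"\\*\nara", "RelativeTargetName": "Important.txt", "AccessMask": "0x1"},
    {"EventID": 5145, "SubjectUserSid": GUEST, "IpAddress": "192.0.2.10",
     "ShareName": r"\\*\nara", "RelativeTargetName": r"Documents\test", "AccessMask": "0x2"},
    {"EventID": 5145, "SubjectUserSid": GUEST, "IpAddress": "192.0.2.10",
     "ShareName": r"\\*\nara", "RelativeTargetName": r"Documents\test", "AccessMask": "0x10000"},
    {"EventID": 5145, "SubjectUserSid": STAFF, "IpAddress": "192.0.2.20",
     "ShareName": r"\\*\nara", "RelativeTargetName": r"Documents\memo.docx", "AccessMask": "0x2"},
    {"EventID": 5140, "SubjectUserSid": GUEST, "IpAddress": "192.0.2.10",
     "ShareName": r"\\*\IPC$"},
]

if __name__ == "__main__":
    for hit in unauthenticated_writes(EVENTS):
        print(hit)
```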
IPC$ Share
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nara]
└─$ smbclient //nara.nara-security.com/IPC$
lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \>
Session established to the IPC$ share.
Performing a RID Cycling attack.