File Share Services
Server Message Block (SMB)
SMB is commonly used in Windows networks, and we will often find shared folders in a Windows network.
Windows
Windows GUI
[WINKEY] + [R] → open the Run dialog box and type the file share location, e.g.:
\\192.168.220.129\Finance\
Windows CMD - DIR
dir \\192.168.220.129\Finance\
The command net use connects a computer to or disconnects a computer from a shared resource, or displays information about computer connections. We can connect to a file share with the following command and map its content to the drive letter n.
net use n: \\192.168.220.129\Finance
net use n: \\192.168.220.129\Finance /user:plaintext Password123
With the shared folder mapped as the n drive, we can execute Windows commands as if this shared folder is on our local computer. Let’s find how many files the shared folder and its subdirectories contain.
dir n: /a-d /s /b | find /c ":\"

| Syntax | Description |
|---|---|
| dir | Application |
| n: | Directory or drive to search |
| /a-d | /a is the attribute and -d means not directories |
| /s | Displays files in a specified directory and all subdirectories |
| /b | Uses bare format (no heading information or summary) |

With dir we can search for specific names in files such as:
- cred
- password
- users
- secrets
- key
- Common File Extensions for source code such as: .cs, .c, .go, .java, .php, .asp, .aspx, .html.
Use dir /? to see the full help.
dir n:\*cred* /s /b
dir n:\*secret* /s /b
If we want to search for a specific word within a text file, we can use findstr.
Windows CMD - Findstr
findstr /s /i cred n:\*.*
We can find more findstr examples here.
Windows PowerShell
Get-ChildItem \\192.168.220.129\Finance\
New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem"
To provide a username and password with PowerShell, we need to create a PSCredential object. It offers a centralized way to manage usernames, passwords, and credentials.
Windows PowerShell - PSCredential Object
$username = 'plaintext'
$password = 'Password123'
$secpassword = ConvertTo-SecureString $password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential $username, $secpassword
New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem" -Credential $cred
In PowerShell, we can use the command Get-ChildItem or the short variant gci instead of the command dir.
Windows PowerShell - GCI
N:
(Get-ChildItem -File -Recurse | Measure-Object).Count
Get-ChildItem -Recurse -Path N:\ -Include *cred* -File
Windows PowerShell - Select-String
Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List
Linux
Linux - Mount
sudo mkdir /mnt/Finance
sudo mount -t cifs -o username=plaintext,password=Password123,domain=. //192.168.220.129/Finance /mnt/Finance
Alternatively, we can use a credential file.
mount -t cifs //192.168.220.129/Finance /mnt/Finance -o credentials=/path/credentialfile
Credential File Structure
username=plaintext
password=Password123
domain=.
We need to install cifs-utils to connect to an SMB share folder. To install it we can execute from the command line sudo apt install cifs-utils.
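The two mount forms above differ in where the password ends up: with -o password=... it sits on the command line, while the credential file keeps it on disk, where the file's permissions decide who can read it. The following is an added example, not part of the original page, that writes the file in the structure shown above with owner-only access and refuses to mount when the file is readable by group or others; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: credential file handling for mount -t cifs.
# Function names are hypothetical; share and mount point are the page's own.

# write_credfile PATH USER DOMAIN
# Reads the password from stdin so it never appears in argv or shell history,
# then writes the username=/password=/domain= layout with owner-only access.
write_credfile() {
    local path="$1" user="$2" domain="$3" pass
    IFS= read -r pass || [ -n "$pass" ] || return 1
    ( umask 077
      printf 'username=%s\npassword=%s\ndomain=%s\n' \
          "$user" "$pass" "$domain" > "$path" ) || return 1
    chmod 600 "$path"   # also tightens a file that already existed
}

# check_credfile PATH
# Returns 0 if usable; 1 = not a regular file, 2 = readable by group/other,
# 3 = username= or password= line missing.
check_credfile() {
    local path="$1" perms
    if [ ! -f "$path" ] || [ -L "$path" ]; then
        echo "not a regular file: $path" >&2; return 1
    fi
    perms=$(ls -ld -- "$path" | cut -c5-10)   # group and other permission bits
    if [ "$perms" != "------" ]; then
        echo "group/other can access $path; run chmod 600" >&2; return 2
    fi
    if ! grep -q '^username=.' "$path" || ! grep -q '^password=.' "$path"; then
        echo "missing username= or password= line in $path" >&2; return 3
    fi
}

# mount_finance CREDFILE
# Runs the page's credential-file mount only after the file passes the checks.
mount_finance() {
    check_credfile "$1" || return
    sudo mount -t cifs //192.168.220.129/Finance /mnt/Finance \
        -o "credentials=$1"
}
```

Typical use is `write_credfile ~/.smb-finance plaintext .` with the password typed or piped on stdin, followed by `mount_finance ~/.smb-finance`.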
Linux - Find
find /mnt/Finance/ -name '*cred*'
Find files that contain the string cred:
grep -rn /mnt/Finance/ -ie cred
Other Services
Linux - Install Evolution
sudo apt-get install evolution
If an error appears when starting evolution indicating “bwrap: Can’t create file at …”, use this command to start evolution: export WEBKIT_FORCE_SANDBOX=0 && evolution.
Databases
We have three common ways to interact with databases:
| No. | Tools/Applications |
|---|---|
| 1. | Command Line Utilities (mysql or sqsh) |
| 2. | Programming Languages |
| 3. | A GUI application to interact with databases such as HeidiSQL, MySQL Workbench, or SQL Server Management Studio. |
Command Line Utilities
To interact with MSSQL (Microsoft SQL Server) from Linux we can use sqsh, or sqlcmd if we are using Windows. Sqsh is much more than a friendly prompt. It is intended to provide much of the functionality provided by a command shell, such as variables, aliasing, redirection, pipes, back-grounding, job control, history, command substitution, and dynamic configuration. We can start an interactive SQL session as follows:
Linux - SQSH
sqsh -S 10.129.20.13 -U username -P Password123
The sqlcmd utility lets you enter Transact-SQL statements, system procedures, and script files through a variety of available modes:
- At the command prompt.
- In Query Editor in SQLCMD mode.
- In a Windows script file.
- In an operating system (Cmd.exe) job step of a SQL Server Agent job.
Windows - SQLCMD
sqlcmd -S 10.129.20.13 -U username -P Password123
MySQL
To interact with MySQL, we can use MySQL binaries for Linux (mysql) or Windows (mysql.exe).
Linux - MySQL
mysql -u username -pPassword123 -h 10.129.20.13
Windows - MySQL
mysql.exe -u username -pPassword123 -h 10.129.20.13
dbeaver is a multi-platform database tool for Linux, macOS, and Windows that supports connecting to multiple database engines such as MSSQL, MySQL, PostgreSQL, among others, making it easy for us, as an attacker, to interact with common database servers.
To install dbeaver using a Debian package we can download the release .deb package from https://github.com/dbeaver/dbeaver/releases and execute the following command:
Install dbeaver
sudo dpkg -i dbeaver-<version>.deb
Run dbeaver
dbeaver &
Once we have access to the database using a command-line utility or a GUI application, we can use
Tools to Interact with Common Services
Some reasons why we may not have access to a resource:
- Authentication
- Privileges
- Network Connection
- Firewall Rules
- Protocol Support