Network Share for the Home and Penetration Testing

Samba is a powerful network file-sharing service that enables collaboration, and data accessibility across
your own home, and organizational networks. By following this guide, deploying your own Samba services allows you to:

  • Centralize your notes and files without using cloud storage providers
  • Eliminate the need for an Internet connection or bandwidth to access files that may be large and consume a lot of bandwidth
  • Attack your own network storage service, exploiting and learning about Samba misconfigurations, and security vulnerabilities in older versions of Samba and its clients.


First we need to create a VM, we are going to use the VM template I created in  the article below. These instructions are only for Rocky Linux, please follow the guide to learn how to create a Rocky Linux Virtual Machine, and convert it to a template.

Creating a Virtual Machine Template

Install Samba

Update your system
sudo dnf update

 
Install Samba
sudo dnf install samba samba-client samba-common


Start the smb and nmb services and enable them to start at boot
sudo systemctl start smb
sudo systemctl enable smb
sudo systemctl start nmb
sudo systemctl enable nmb   

SMB is the Samba file sharing service.
NMB is a NetBIOS package used for name resolution for users to easily identify and connect to your file sharing service.

 

Configuring your Samba service

Add firewall rules to allow your server connections to our Samba service
sudo firewall-cmd --add-service=samba --permanent
sudo firewall-cmd --reload

 

Edit the Samba configuration file to add Shared directories. You will likely create more for individual users and groups but this is beyond the scope of setting up your first shared network directory. The brackets [] indicate the network service name, please replace it with something you would like to call it. The path variable defines the share directory path of where it will reside on your machine. 

sudo vim /etc/samba/smb.conf
 
Content to add:
[ShareName]
path = /srv/samba/share
browseable = yes
writable = yes
guest ok = yes
 
WARNING: Having your network resource allow guest access without authentication is not safe and should not be deployed in a production and/or secure environment. This allows access without prompting for authentication.

 
Create the Shared Directory using the path file you input in the configuration file.
sudo mkdir -p /srv/samba/share
sudo chmod 0777 /srv/samba/share
 

Add users yo tour machine and your Samba service, then change their passwords:

sudo useradd tom
sudo passwd tom
 
sudo smbpasswd -a tom
sudo smbpasswd -e sambauser
 
 

Test Samba Configuration

Test your configuration by running the test paramater utility that checks your newly created Samba configuration for errors. This is helpful to test incorrect configuration settings, syntax, or unexpected errors before re-launching the service with misconfiurations.
sudo testparm
 
If successful you can restart SMB and NMB
sudo systemctl restart smb
sudo systemctl restart nmb
 

Change SELinux policies to allow users to access these directories (OPTIONAL)

This is optional only if you are running Samba on a SELinux enabled and enforced machine. If you are running into issues accessing your Samba shares please confirm if SELinux is enforcing and preventing access to them.

RHEL and RHEL-like operating systems will have SELinux installed, enabled, and enforced. SELinux can and will prevent access to your SMB shares on RHEL, and RHEL-like systems like our Rocky Linux instance. To confirm SELinux is enforcing its policies run the command below:
getenforce
 
If it is Enforcing this WILL prevent your users from creating, writing, and deleting directories and files!
To confirm it is SELinux that is preventing you from creating file and directories, run the command below. This will temporarily disable SELinux enforcment and will instead just log unauthorized actions and not prevent them.
sudo setenforce 0
 
Test document creation inside your newly created Samba share. If you are now able to upload and read documents in the Samba share this confirms that SELinux is preventing your users from using their SMB shares.
 
Getting Started with SELinux

Lets create an exception in SELinux to not enforce policies on the directories that are hosting Samba shares. Apply the File Context of Samba Share type to our directory where we are hosting our shares.
sudo semanage fcontext -a -t samba_share_t "/srv/samba(/.*)?"

Apply available contexts recursively to our home shares directory. Will apply samba_share_t context.
sudo restorecon -R /srv/samba

You can confirm this by using the ls -laZ command to list out SELinux contexts for a directory

ls -laZ /srv/samba/share

 

Access Shared Directories

 
Windows: 
 File Explorer: \\IPADDRESS\ShareName
 
GNU/Linux: 
File Manager: smb://IPADDRESS/ShareName
 
 

Penetration Testing with Samba

NIST Vulnerability Database search for vulnerabilities that use or mention exploiting Samba service, or using Samba for data-exfiltration.

NIST Vulnerability Search Results for SMB 

 
TryHackMe even provides a brief overview of how Samba works, and enumerating a Samba server to reveal usernames, machine information, shared directories path and names, password policies and more.

 

Comments

Post a Comment

Popular posts from this blog

SOC Analyst: Phishing Email Analysis

Image
Everyone is looking to level up in their career, and getting a job interview or offer email can be exciting. But sometimes, those emails aren’t what they seem, they’re fake recruitment scams trying to trick you. I came across a perfect example and want to show what I did to confirm my suspicions and what steps I took to report the email, and its domain.      Steps we will take to confirm, and take action: 1) General Social Engineering Red Flags 2) Context and Content Integrity Check 3) Domain Investigation 4) Certificate Investigation 5) Email Header Analysis 6) Reporting the Email Tools we use and/or discuss - VirusTotal - WHOIS.com - MXToolbox - Joe's Sandbox - PhishTank - OpenPhish General Social Engineering Red Flags The email contains no links to their organization's homepage, easy online contact information, nor LinkedIn page. Furthermore, by searching for the official website of Evernow and confirming their logo is the same, they are using a different domain for th...
Read more

Common SPL Commands

Image
  NOTE: I am using datasets provided by Hailie Shaw's " Splunk: Zero to Power User " Udemy course. My results will vary from your own test and live production datasets. Do not perform the queries in this article on equipment and services you do not own, have permission, or do not fully understand what the query does. Common SPL Commands Here are some command SPL commands that you will typically use in your queries to narrow down events in your searches.  Source:  SPL2 Command Quick Reference stats           Calculates aggregate statistic over the incoming search results set. eval             Calculates an expression and puts the resulting value into a search results field. table           Displays selected fields in a table format rex               Command to ...
Read more

Endlessh: SSH Honeypot Analysis

Image
This lab we will use Kali Linux, tcpdump, netcat, NMap, Wireshark, and Hydra. We will be analyzing traffic being sent to a server running endlessh, a honeypot service to thwart or delay automated scans and (possibly) bruteforce SSH attacks.  Purpose:  1) Assess what endlessh is successful at doing 2) Confirming what are its limitation in thwarting attacks 3) What an adversary would face 4) What we could implement in substitute or in addition to further dissuade threats to our network. Skeeto's Github repo of Endlessh Part 1: Set up our victim server Part 2:  Set up Honeypot service Part 3: Attacking and Analysis  Part 4: Closing Notes
Read more