Introduction
Today, using Lame from HTB, I will show you how to exploit SMB shares that allow null authentication. This is for Samba 3.0.20 and does not need Metasploit. This is a more 'OSCP'-styled post, since the box is listed as a recommended box for the OSCP journey. As someone who has been studying for the OSCP, I can confirm this is a great box to dip your feet into SMB null authentication and SMB-related exploits.
I would recommend reading up on the 'Eternal Series' SMB exploits, as there are many variations. I would also recommend reviewing the GitHub repo below.
Now onto Lame from HTB. I start every box with an AutoRecon scan, which I have mentioned in multiple posts.
‘AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services. It is intended as a time-saving tool for use in CTFs and other penetration testing environments (e.g. OSCP). It may also be useful in real-world engagements.’
This essentially means that if you're just starting out in the security field, I would highly recommend this tool. Running an AutoRecon scan shows me that SMB shares are available with null authentication. It also shows me the server is Samba 3.0.20.

SMBMap List Contents provided by AutoRecon
I use CME and SMBClient to confirm what AutoRecon has pulled in. CrackMapExec (CME) is another program that should be a staple in your toolkit, as it allows you to check multiple protocols (SMB/SSH/LDAP/WinRM/MSSQL) with plenty of enumeration and brute-force capabilities. The reason you will sometimes want to use multiple tools is that CME, though a good program, can sometimes give bad (or no) results. Confirming with multiple programs helps establish that this is your attack point.

CME confirming I have read/write to a folder.

SMB Client showing the same open share.
After confirming, I use SMBClient to log in as a null session and exploit the logon command to spawn a reverse shell:

Using SMB Client to login and exploit the logon command.
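From the defender's side, the two conditions this box combines are a share reachable as a null/guest session and a Samba `username map script` hook (the global option the logon-command technique relies on). As an added example that is not part of this write-up or the HTB box, the Python audit below parses an smb.conf and reports both; the sample configuration is constructed, and the share names and script path are placeholders.

```python
import configparser
from typing import Dict, List

# Constructed smb.conf (not taken from the HTB box): one share that a null/guest
# session can both read and write, one that it cannot reach.
SAMPLE_SMB_CONF = """
[global]
   security = user
   map to guest = Bad User
[tmp]
   path = /tmp
   public = yes
   writable = yes
[opt]
   path = /opt
   guest ok = no
"""

def is_true(value: str) -> bool:
    return value.strip().lower() in {"yes", "true", "1"}

def guest_ok(section) -> bool:
    # "public" is Samba's synonym for "guest ok"
    return any(is_true(section.get(k, "no")) for k in ("guest ok", "public"))

def writable(section) -> bool:
    # "writable", "writeable" and "write ok" are synonyms; "read only = no" also grants writes
    if any(is_true(section.get(k, "no")) for k in ("writable", "writeable", "write ok")):
        return True
    return "read only" in section and not is_true(section["read only"])

def audit_smb_conf(text: str) -> Dict[str, List[str]]:
    """Shares reachable without credentials, split by write access, plus global findings."""
    cp = configparser.ConfigParser(strict=False, allow_no_value=True, interpolation=None)
    # smb.conf indents options; strip that so configparser does not treat them as continuations
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    findings: Dict[str, List[str]] = {"null_writable": [], "null_readable": [], "global": []}
    g = cp["global"] if cp.has_section("global") else {}
    if g.get("map to guest", "never").strip().lower() != "never":
        findings["global"].append("map to guest: unknown users become guest, so null sessions work")
    if "username map script" in g:
        findings["global"].append("username map script: an external command runs during logon")
    for name in (s for s in cp.sections() if s != "global"):
        if guest_ok(cp[name]):
            findings["null_writable" if writable(cp[name]) else "null_readable"].append(name)
    return findings
```

Run it against a real /etc/samba/smb.conf to get the same picture the null-session enumeration above gives from the outside, before an attacker does.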
