Interacting

Server Message Block (SMB)

Windows CMD - Net Use

C:\xyz> net use n: \\192.168.220.129\Finance

The command completed successfully.
C:\xyz> net use n: \\192.168.220.129\Finance /user:plaintext Password123

The command completed successfully.

With the share mapped as the N: drive, we can run Windows commands against it as if it were a folder on our local computer.

C:\xyz> dir n: /a-d /s /b | find /c ":\"

29302
Syntax   Description
dir      Application
n:       Directory or drive to search
/a-d     /a selects by attribute; -d excludes directories, so only files are listed
/s       Displays files in the specified directory and all subdirectories
/b       Uses bare format (no heading information or summary)

The trailing | find /c ":\" processes the output of dir n: /a-d /s /b and counts the lines that contain ":\", i.e. how many files exist in the directory and its subdirectories. You can use dir /? to see the full help. Searching through 29,302 files by hand is time-consuming; scripting and command-line utilities help us speed up the search.

C:\xyz>dir n:\*cred* /s /b

n:\Contracts\private\credentials.txt


C:\xyz>dir n:\*secret* /s /b

n:\Contracts\private\secret.txt

Windows CMD - Findstr

c:\xyz>findstr /s /i cred n:\*.*

n:\Contracts\private\secret.txt:file with all credentials
n:\Contracts\private\credentials.txt:admin:SecureCredentials!

Windows PowerShell

PS C:\xyz> Get-ChildItem \\192.168.220.129\Finance\

    Directory: \\192.168.220.129\Finance

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         2/23/2022   3:27 PM                Contracts

Instead of net use, we can use New-PSDrive in PowerShell.

To provide a username and password with PowerShell, we need to create a PSCredential object.

PS C:\xyz> $username = 'plaintext'
PS C:\xyz> $password = 'Password123'
PS C:\xyz> $secpassword = ConvertTo-SecureString $password -AsPlainText -Force
PS C:\xyz> $cred = New-Object System.Management.Automation.PSCredential $username, $secpassword
PS C:\xyz> New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem" -Credential $cred

Name           Used (GB)     Free (GB) Provider      Root                                                              CurrentLocation
----           ---------     --------- --------      ----                                                              ---------------
N                                      FileSystem    \\192.168.220.129\Finance

In PowerShell, we can use the cmdlet Get-ChildItem or its short alias gci instead of dir (in PowerShell, dir is itself an alias of Get-ChildItem).

PS C:\xyz> N:
PS N:\> (Get-ChildItem -File -Recurse | Measure-Object).Count

29302

We can use the -Include parameter to find specific items in the directory given by -Path. Note that -Include only filters when combined with -Recurse or when the path ends in a wildcard, which is why the command below uses -Recurse.

PS C:\xyz> Get-ChildItem -Recurse -Path N:\ -Include *cred* -File

    Directory: N:\Contracts\private

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         2/23/2022   4:36 PM             25 credentials.txt

The Select-String cmdlet uses regular expression matching to search for text patterns in input strings and files. We can use Select-String much like grep on UNIX or findstr.exe on Windows; with -List it reports only the first match in each file, which keeps the output short when a file contains many hits.

PS C:\xyz> Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List

N:\Contracts\private\secret.txt:1:file with all credentials
N:\Contracts\private\credentials.txt:1:admin:SecureCredentials!

Linux - Mount

neutron@kali[/kali]$ sudo mkdir /mnt/Finance
neutron@kali[/kali]$ sudo mount -t cifs -o username=plaintext,password=Password123,domain=. //192.168.220.129/Finance /mnt/Finance

As an alternative, we can use a credentials file, which keeps the password out of the command line, the process list and the shell history.

neutron@kali[/kali]$ sudo mount -t cifs //192.168.220.129/Finance /mnt/Finance -o credentials=/path/credentialfile

The file credentialfile has to be structured like this (and should be readable only by its owner, e.g. chmod 600):

username=plaintext
password=Password123
domain=.
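The credentials-file approach above, as an added example that is not part of the original page: a small POSIX shell script that writes the key=value file with owner-only permissions from the moment it is created, checks it before use, and prints the matching mount command. The share, mount point, user, password and file path are illustrative values; the mount itself needs root and a reachable server, so the script does not run it.

```shell
#!/bin/sh
# Added example (not from the original page): prepare a mount.cifs credentials
# file safely and build the matching mount command. The share, mount point,
# user and password used below are illustrative values, not real ones.
set -eu

# write_cifs_credentials FILE USER PASSWORD [DOMAIN]
# Writes the key=value lines mount.cifs expects. umask 077 in a subshell makes
# the file owner-only (0600) from the moment it is created, and keeps the
# password out of the command line, the process list and the shell history.
write_cifs_credentials() {
    _file="$1"; _user="$2"; _pass="$3"; _domain="${4:-.}"
    ( umask 077
      printf 'username=%s\npassword=%s\ndomain=%s\n' \
          "$_user" "$_pass" "$_domain" > "$_file" )
}

# cifs_credentials_ok FILE
# Returns 0 only if FILE is a regular file, owner-only (-rw-------) and holds
# all three keys; otherwise returns 1. Run it before handing the file to
# mount so a world-readable password file is caught early.
cifs_credentials_ok() {
    _file="$1"
    [ -f "$_file" ] || return 1
    [ "$(ls -l "$_file" | cut -c1-10)" = "-rw-------" ] || return 1
    grep -q '^username=' "$_file" && grep -q '^password=' "$_file" \
        && grep -q '^domain=' "$_file"
}

# cifs_mount_cmd SHARE MOUNTPOINT CREDFILE
# Prints (does not run) the mount command that uses the credentials file.
cifs_mount_cmd() {
    printf 'sudo mount -t cifs -o credentials=%s %s %s\n' "$3" "$1" "$2"
}

# Demo: create the file in a temporary directory, verify it, show the command.
demo_dir="$(mktemp -d)"
write_cifs_credentials "$demo_dir/credentialfile" plaintext Password123 .
cifs_credentials_ok "$demo_dir/credentialfile" && echo "credentials file OK"
cifs_mount_cmd //192.168.220.129/Finance /mnt/Finance "$demo_dir/credentialfile"
rm -rf "$demo_dir"
```

The permission check reads the mode string from ls -l rather than stat, because stat's flags differ between GNU and BSD userlands.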

Once a shared folder is mounted, you can use common Linux tools such as find or grep to interact with the file structure.

neutron@kali[/kali]$ find /mnt/Finance/ -name '*cred*'

/mnt/Finance/Contracts/private/credentials.txt

Find files that contain the string cred:

neutron@kali[/kali]$ grep -rn /mnt/Finance/ -ie cred

/mnt/Finance/Contracts/private/credentials.txt:1:admin:SecureCredentials!
/mnt/Finance/Contracts/private/secret.txt:1:file with all credentials
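The find and grep searches above (and their dir/findstr and Get-ChildItem/Select-String counterparts on Windows), as an added example that is not part of the original page: a POSIX shell script that counts files, finds files by name fragment and greps text files for credential-looking content, skipping binaries. It runs against a small constructed directory tree that stands in for the mounted share, and the name and content pattern lists are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original page): the find/grep credential hunt
# from the text as reusable functions. It runs against a small constructed
# directory tree instead of a real mount; the pattern lists are assumptions.
set -eu

# Filename fragments that usually mark credential material (assumed list).
NAME_PATTERNS='cred secret pass key token'
# Content regex (extended, matched case-insensitively; assumed list).
CONTENT_REGEX='cred|passw|secret|api[_-]?key|token'

# count_files ROOT: number of regular files under ROOT, the equivalent of
# dir ROOT /a-d /s /b | find /c ":\" on Windows.
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# find_by_name ROOT: files whose basename contains any NAME_PATTERNS fragment.
# The globs are passed quoted so that find, not the shell, expands them; an
# unquoted *cred* would be expanded against the current directory first.
find_by_name() {
    _root="$1"
    set --
    for _p in $NAME_PATTERNS; do
        if [ $# -eq 0 ]; then set -- -iname "*$_p*"
        else set -- "$@" -o -iname "*$_p*"; fi
    done
    find "$_root" -type f \( "$@" \) | sort
}

# find_by_content ROOT: file:line:text hits for CONTENT_REGEX. -I skips
# binary files so a large share does not flood the output with noise.
find_by_content() {
    grep -rIinE "$CONTENT_REGEX" "$1" | sort
}

# make_sample_share DIR: constructed stand-in for a mounted share.
make_sample_share() {
    mkdir -p "$1/Contracts/private" "$1/Contracts/tools"
    printf 'admin:SecureCredentials!\n'  > "$1/Contracts/private/credentials.txt"
    printf 'file with all credentials\n' > "$1/Contracts/private/secret.txt"
    printf 'Q1 figures attached\n'       > "$1/Contracts/report.txt"
    # binary blob that contains "password": find_by_content must skip it
    printf 'password=\000\001\002junk'   > "$1/Contracts/tools/app.bin"
}

# Demo run against the constructed tree.
demo="$(mktemp -d)"
make_sample_share "$demo"
echo "files: $(count_files "$demo")"
echo "--- by name ---";    find_by_name "$demo"
echo "--- by content ---"; find_by_content "$demo"
rm -rf "$demo"
```

Point the three functions at /mnt/Finance (or any other mount point) to use them on a real share; the sample tree only exists so the script can be run offline.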

Command Line Utilities

MSSQL

Linux - SQSH

neutron@kali[/kali]$ sqsh -S 10.129.20.13 -U username -P Password123

Windows - SQLCMD

C:\xyz> sqlcmd -S 10.129.20.13 -U username -P Password123

MySQL

Linux - MySQL

neutron@kali[/kali]$ mysql -u username -pPassword123 -h 10.129.20.13

Note that -p takes the password with no space after it. Passing it this way leaves the password in the shell history and process list; give -p with no value and mysql prompts for it instead.

Windows - MySQL

C:\xyz> mysql.exe -u username -pPassword123 -h 10.129.20.13