With this blog post, I want to explain the SMB protocol briefly and the “acccheck” tool. The tool is licensed under GPLv2 and written by Faisal Dean; a detailed description can be found on this page. “acccheck” is designed as a password dictionary attack tool that targets Windows authentication via the SMB protocol. It is really a wrapper script around the ‘smbclient’ binary, and as a result depends on it for its execution.
In computer networking, Server Message Block (SMB), one version of which was also known as the Common Internet File System (CIFS), is an application-layer network protocol mainly used to provide shared access to files, printers and serial ports, and for miscellaneous communications between nodes on a network. It also provides an authenticated inter-process communication mechanism. Most usage of SMB involves computers running Microsoft Windows, where it was known as “Microsoft Windows Network” before the subsequent introduction of Active Directory. The corresponding Windows services are LAN Manager Server (for the server component) and LAN Manager Workstation (for the client component).
SMB can run on top of the Session (and lower) network layers in several ways:
- Directly over TCP, port 445;
- Via the NetBIOS API, which in turn can run on several transports;
- On UDP ports 137, 138 & TCP ports 137, 139 (NetBIOS over TCP/IP);
- On several legacy protocols such as NBF (incorrectly referred to as NetBEUI).
The SMB “Inter-Process Communication” (IPC) system provides named pipes and was one of the first inter-process mechanisms commonly available to programmers; it gives services a means to inherit the authentication carried out when a client first connected to the SMB server.
acccheck tool Description
The acccheck tool attempts to connect to the IPC$ and ADMIN$ shares, depending on which flags have been chosen. It tries combinations of user names and passwords in the hope of identifying the password to a given account via a dictionary password-guessing attack. The detailed help and a usage example are shown below.
acccheck v0.2.1 - By Faiz
Attempts to connect to the IPC$ and ADMIN$ shares depending on which flags have been chosen, and tries a combination of usernames and passwords in the hope to identify the password to a given account via a dictionary password guessing attack.
Usage = ./acccheck [optional]
-t [single host IP address]
-T [file containing target ip address(es)]
-p [single password]
-P [file containing passwords]
-u [single user]
-U [file containing usernames]
-v [verbose mode]
Attempt the 'Administrator' account with a [BLANK] password.
acccheck -t 10.10.10.1
Attempt all passwords in 'password.txt' against the 'Administrator' account.
acccheck -t 10.10.10.1 -P password.txt
Attempt all passwords in 'password.txt' against all users in 'users.txt'.
acccheck -t 10.10.10.1 -U users.txt -P password.txt
Attempt a single password against a single user.
acccheck -t 10.10.10.1 -u administrator -p password
Scan the IP addresses contained in smb-ips.txt (-T) and use verbose output (-v):
root@kali:~# acccheck.pl -T smb-ips.txt -v
Host:192.168.1.201, Username:Administrator, Password:BLANK
You can pass a single user name and password on the command line, or read the target IP addresses, user names and passwords from the specified source files. You should use this tool and others only with legal permission against the systems you test.
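From the defender's side, the activity acccheck generates is easy to recognise: a single source produces a burst of failed logons against IPC$ or ADMIN$, often across several user names, sometimes followed by a success. The script below is an added example written for this post, not part of acccheck or of Samba or Windows; the log line format it parses (timestamp, src=, user=, share=, result=) is constructed for illustration and the sample lines are made up. It flags any source whose failures within a sliding window reach a threshold and records whether a successful logon from that source followed the burst.

```python
"""Detect SMB password-guessing bursts in authentication logs.

Added example for this post; not acccheck's code and not a real
Samba/Windows log format.  Each constructed record carries:
    <ISO timestamp> src=<ip> user=<name> share=<share> result=FAILURE|SUCCESS
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from any real system).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z src=192.168.1.50 user=Administrator share=IPC$ result=FAILURE
2024-03-01T10:00:02Z src=192.168.1.50 user=Administrator share=IPC$ result=FAILURE
2024-03-01T10:00:02Z src=192.168.1.50 user=backup share=IPC$ result=FAILURE
2024-03-01T10:00:03Z src=192.168.1.50 user=svc share=IPC$ result=FAILURE
2024-03-01T10:00:03Z src=192.168.1.50 user=Administrator share=ADMIN$ result=FAILURE
2024-03-01T10:00:04Z src=192.168.1.50 user=Administrator share=ADMIN$ result=SUCCESS
2024-03-01T10:05:00Z src=192.168.1.77 user=alice share=IPC$ result=FAILURE
2024-03-01T10:15:00Z src=192.168.1.77 user=alice share=IPC$ result=SUCCESS
"""


def parse_line(line):
    """Split one constructed log line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_guessing(log_text, window=timedelta(minutes=5), threshold=4):
    """Return {source_ip: alert} for sources whose FAILURE count inside any
    `window`-long interval reaches `threshold`.  Each alert keeps the total
    failures seen from that source, the distinct user names and shares tried,
    and the first SUCCESS (user, time) observed after the burst, if any."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    records.sort(key=lambda r: r["ts"])

    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)

    alerts = {}
    for src, recs in by_src.items():
        recent = deque()  # failures inside the current sliding window
        for r in recs:
            if r["result"] == "FAILURE":
                recent.append(r)
                while r["ts"] - recent[0]["ts"] > window:
                    recent.popleft()
                if src in alerts:
                    alerts[src]["failures"] += 1
                    alerts[src]["users"].add(r["user"])
                    alerts[src]["shares"].add(r["share"])
                elif len(recent) >= threshold:
                    alerts[src] = {
                        "first_seen": recent[0]["ts"],
                        "failures": len(recent),
                        "users": {x["user"] for x in recent},
                        "shares": {x["share"] for x in recent},
                        "success_after": None,
                    }
            elif r["result"] == "SUCCESS" and src in alerts \
                    and alerts[src]["success_after"] is None:
                # A success following a guessing burst is the alert to act on first.
                alerts[src]["success_after"] = (r["user"], r["ts"])
    return alerts


def format_alert(src, alert):
    """Render one alert as a single line suitable for a SIEM or ticket."""
    users = ",".join(sorted(alert["users"]))
    shares = ",".join(sorted(alert["shares"]))
    tail = (f" SUCCESS for {alert['success_after'][0]} at {alert['success_after'][1]:%H:%M:%S}"
            if alert["success_after"] else " no success observed")
    return (f"{src}: {alert['failures']} failures from {alert['first_seen']:%H:%M:%S} "
            f"users=[{users}] shares=[{shares}]{tail}")


if __name__ == "__main__":
    for src, alert in detect_guessing(SAMPLE_LOG).items():
        print(format_alert(src, alert))
```

With the sample data only 192.168.1.50 is reported: five failures across three user names on both shares, followed by a successful Administrator logon, which is the case that deserves an immediate response. The single failure and later success from 192.168.1.77 never reaches the threshold and stays silent, so the threshold and window are the knobs to tune against the normal mistyped-password rate on a given network.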