0x00 Preface
---
In penetration testing, especially in internal network penetration, it is often necessary to enable an anonymously accessible file share within the internal network to facilitate vulnerability exploitation.
Therefore, we need a universal method that is not only convenient to use but also capable of running via the command line.
0x01 Introduction
---
This article will cover the following topics:
- Usage Scenarios
- Enabling an anonymously accessible file share server via the GUI
- Enabling an anonymously accessible file share server via the command line
- Open-source code
0x02 Usage Scenarios
---
After enabling an anonymously accessible file share, other users can directly access the shared files on the file server without entering a username or password.
Typically, there are two common uses:
- As a channel for data transmission
- Used in conjunction with vulnerability exploitation, serving as the download address for the payload
File sharing servers need to be deployable across different operating systems.
For Linux systems, a file sharing server with anonymous access can be set up using the Samba service.
Here is the usage method for Kali systems:
Modify the file /etc/samba/smb.conf with the following content:

```
[global]
```

Start services:

```
service smbd start
```

For Windows systems, both domain and workgroup environments need to be considered. To support anonymous access, the Guest user needs to be enabled, allowing Guest users to access the content of the file sharing server.
0x03 Enabling an anonymously accessible file sharing server via the GUI
---
The specific method is as follows:
1. Enable the Guest user
Run gpedit.msc to open Group Policy
Location: Computer Configuration->Windows Settings->Security Settings->Local Policies->Security Options
Select the policy Accounts: Guest account status and set it to Enabled
2. Apply Everyone permissions to anonymous users
Location: Computer Configuration->Windows Settings->Security Settings->Local Policies->Security Options
Select policy Network access: Let Everyone permissions apply to anonymous users, set to Enabled
3. Specify the location for anonymous shared files
Location: Computer Configuration->Windows Settings->Security Settings->Local Policies->Security Options
Select policy Network access: Shares that can be accessed anonymously, set the name, here you can enter smb
4. Remove Guest user from the policy "Deny access to this computer from the network"
Location: Computer Configuration->Windows Settings->Security Settings->Local Policies->User Rights Assignment
Select policy Deny access to this computer from the network, remove user Guest
5. Set up file sharing
Select the folder to share, set up advanced sharing, share name as smb, share permissions group or username as Everyone
At this point, the anonymously accessible file sharing server is successfully enabled, and the access address is ///smb
0x04 Enable an anonymously accessible file sharing server via command line
---
The corresponding commands for the specific methods are as follows:
1. Enable Guest user

```
net user guest /active:yes
```

2. Apply Everyone permissions to anonymous users

```
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f
```

3. Specify the location of anonymous shared files

```
REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d smb /f
```

4. Remove Guest user from the policy "Deny access to this computer from the network"
Export Group Policy:

```
secedit /export /cfg gp.inf /quiet
```

Edit gp.inf, change the line SeDenyNetworkLogonRight = Guest to SeDenyNetworkLogonRight =, and save the file.
Re-import Group Policy:

```
secedit /configure /db gp.sdb /cfg gp.inf /quiet
```

Force refresh Group Policy to take effect immediately (otherwise, it will take effect after reboot):

```
gpupdate /force
```

5. Set up file sharing

```
icacls C:\share\ /T /grant Everyone:r
```

At this point, the anonymous access file sharing server has been successfully enabled, and the access address is ///smb
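
From the defender's side, the settings changed in steps 1 to 4 can be read back to see whether a host has been left in this state. The following read-only check is an added example, not part of the original article or the open-source project; the function name Get-AnonymousShareExposure and the temporary file name are assumptions.

```powershell
# Added example: read-only audit of the settings changed in steps 1-4.
# Run elevated; secedit /export requires administrator rights.
function Get-AnonymousShareExposure {
    $lsa = Get-ItemProperty 'HKLM:\System\CurrentControlSet\Control\Lsa'
    $srv = Get-ItemProperty 'HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters'

    # Step 1: the built-in Guest account always has a SID ending in -501.
    $guest = Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True' |
        Where-Object { $_.SID -like 'S-1-5-21-*-501' }

    # Step 3: share names listed for null-session access, mapped to local paths.
    $nullShares = @($srv.NullSessionShares | Where-Object { $_ })
    $paths = @(Get-CimInstance Win32_Share |
        Where-Object { $nullShares -contains $_.Name } |
        ForEach-Object { '{0} -> {1}' -f $_.Name, $_.Path })

    # Step 4: export user rights only and read the deny-network-logon entry.
    $inf = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^\s*SeDenyNetworkLogonRight\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    $denied = @(($line -replace '^[^=]*=', '') -split ',' | ForEach-Object { $_.Trim() })
    # The export lists accounts by name or as *SID; group membership is not resolved here.
    $guestDenied = [bool]($guest -and
        (($denied -contains $guest.Name) -or ($denied -contains ('*' + $guest.SID))))

    [pscustomobject]@{
        GuestEnabled              = [bool]($guest -and -not $guest.Disabled)
        EveryoneIncludesAnonymous = ($lsa.EveryoneIncludesAnonymous -eq 1)
        NullSessionShares         = $nullShares
        NullSessionSharePaths     = $paths
        GuestDeniedNetworkLogon   = $guestDenied
    }
}

Get-AnonymousShareExposure | Format-List
```

A host in the state that the Disable mode described below restores reports GuestEnabled and EveryoneIncludesAnonymous as False, an empty NullSessionShares list, and GuestDeniedNetworkLogon as True.
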
0x05 Open Source Code
---
The complete PowerShell code has been open-sourced, and the address is as follows:
An open-source project
The code has been successfully tested on the following operating systems:
- Windows 7
- Windows 8
- Windows 10
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
Supports Windows operating systems in both domain and workgroup environments.
Requires local administrator privileges to execute.
Enable anonymously accessible file sharing server:

```powershell
Invoke-BuildAnonymousSMBServer -Path c:\share -Mode Enable
```

Disable anonymously accessible file sharing server:

```powershell
Invoke-BuildAnonymousSMBServer -Path c:\share -Mode Disable
```

Note:
Disabling the anonymously accessible file sharing server performs the following operations:
- Disable sharing permissions for the specified directory
- Disable Guest user
- Disable applying Everyone permissions to anonymous users
- Remove the anonymous shared file location specified in Group Policy
- Add Guest user to the policy 'Deny access to this computer from the network'
When exporting Group Policy, if the content in the policy 'Deny access to this computer from the network' is empty, this option will not exist. When we need to add this policy, we must manually add a line: SeDenyNetworkLogonRight = Guest
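In the code implementation, I adopted the following method: replace the line

```
SeDenyInteractiveLogonRight = Guest
```

with the two lines

```
SeDenyNetworkLogonRight = Guest
SeDenyInteractiveLogonRight = Guest
```

Corresponding PowerShell example code:

```powershell
# Insert the SeDenyNetworkLogonRight line in front of the existing SeDenyInteractiveLogonRight line
(Get-Content a.txt) -replace "SeDenyInteractiveLogonRight = Guest","SeDenyNetworkLogonRight = Guest`r`nSeDenyInteractiveLogonRight = Guest" | Set-Content "a.txt"
```
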
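
The replacement above only works when the template contains the exact line SeDenyInteractiveLogonRight = Guest. The following added example (not the project's own code) goes beyond that case and restores the deny entry whether the SeDenyNetworkLogonRight line is missing, empty, or already lists other accounts; the function name Add-DenyNetworkLogon and the sample template are assumptions constructed for illustration.

```powershell
# Added example: put an account back into SeDenyNetworkLogonRight in an exported
# secedit template, whether the line is missing, empty, or already populated.
function Add-DenyNetworkLogon {
    param([string[]]$Lines, [string]$Account = 'Guest')
    $right = 'SeDenyNetworkLogonRight'
    $out = New-Object 'System.Collections.Generic.List[string]'
    $found = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*SeDenyNetworkLogonRight\s*=(.*)$') {
            $found = $true
            # Keep existing members (names or *SID entries) and add the account once.
            $members = @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            if ($members -notcontains $Account) { $members += $Account }
            $out.Add("$right = " + ($members -join ','))
        } else {
            $out.Add($line)
        }
    }
    if (-not $found) {
        # secedit omits the line when the right has no members: add it to the section.
        $idx = -1
        for ($i = 0; $i -lt $out.Count; $i++) {
            if ($out[$i].Trim() -eq '[Privilege Rights]') { $idx = $i; break }
        }
        if ($idx -lt 0) { throw 'No [Privilege Rights] section found in the template.' }
        $out.Insert($idx + 1, "$right = $Account")
    }
    $out.ToArray()
}

# Constructed sample export in which the right is absent.
$sample = @(
    '[Unicode]', 'Unicode=yes',
    '[Privilege Rights]',
    'SeDenyInteractiveLogonRight = Guest',
    '[Version]', 'signature="$CHICAGO$"', 'Revision=1'
)
Add-DenyNetworkLogon -Lines $sample
```

On a real host, pass it the output of Get-Content gp.inf and write the result back with Set-Content -Encoding Unicode before running the secedit /configure step shown earlier.
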
0x06 Summary
---
This article implements enabling and disabling anonymous access to shares from the command line, with open-source code, which can be used to test CVE-2021-1675 and CVE-2021-34527.