Server Message Block (SMB)

Server Message Block (SMB) is the protocol behind Windows file sharing. It plays the same role that NFS plays on Linux.

Samba lets the Linux (NFS) and Windows (SMB) file-sharing worlds work together: it is an implementation of SMB/CIFS for Unix-like systems.

🐊️ Port: 445/TCP (139/TCP for older SMB over NetBIOS)

It is mostly used to share files internally: computers, printers, etc. connect to a shared folder called a share 📂.

For any smbclient command, you can add:

$ smbclient -U username [...] # specify username
$ smbclient -p port [...]     # specify port

List shares

$ smbclient [...] -L IP
PS> net view \\IP
PS> net share

Connect to a share

$ smbclient //IP/share_name [...]
$ smbclient smb://IP/share_name [...] # same
$ impacket-smbclient 'username':'password'@IP

You may have to add --option='client min protocol=NT1' for old targets that only speak SMB1.

Common commands

smb> help      # list every command
smb> pwd       # get the current folder
smb> ls folder # list files in folder
smb> cd folder # move to folder
smb> stat file # show information
smb> more file # read a file remotely
smb> put /local/path /remote/path # upload
smb> get /remote/path /local/path # download
smb> exit # there is also "q" and "quit"

⚠️ Don't forget to look for hidden files.


Common SMB Usages

Dump everything in a share

You can use smbget:

$ smbget --recursive smb://username@IP/share_name
$ smbget --recursive smb://username:password@IP/share_name

Linux: Set up an SMB server

You can use an impacket script to run an SMB server on your machine. The share only lives as long as the script runs: when the script is terminated, the server stops too.

📚 This is useful to transfer files between Windows and Linux.

Windows Share Access

  • You can use copy to download/upload files.
PS> # use current user credentials to log in
PS> copy \\IP\share\file # Download
PS> copy file \\IP\share # Upload
  • You can mount a share as a network drive (s:). This allows you to access the share with custom credentials.
CMD> net use s: \\IP\share_name /user:username password
PS> $credential = New-Object System.Management.Automation.PSCredential 'username', $(ConvertTo-SecureString 'password' -AsPlainText -Force)
PS> New-PSDrive -Name "S" -Root "\\IP\share_name" -PSProvider "FileSystem" -Credential $credential
  • You can access a share from the file explorer using smb://[...]
  • You may use dir to list the contents of a share
CMD> dir \\wsl$
CMD> dir s:\* /s /b

SMB Pentester Notes ☠️

Enumeration

  • Using nmap you can try to:
# find users and shares
$ nmap -p 139,445 --script=smb-enum-shares.nse,smb-enum-users.nse IP
# find the operating system
$ nmap -p 139,445 --script smb-os-discovery.nse IP
# run every smb script
$ nmap -p 139,445 --script "*smb*" IP
  • If MSRPC is available, it can be queried for information such as users, host details and OS version.

FootHold

  • Try the Anonymous user with no password (-N in smbclient, -no-pass in impacket), a.k.a. a null session
# list shares
$ smbclient -L IP -U Anonymous -N
# connect to a share
$ smbclient //IP/share_name -U Anonymous -N
# test Anonymous share
$ smbclient //IP/Anonymous -U Anonymous -N
# additional usage
$ smbclient [...] -c "command" -W "domain"
  • The password may be weak and vulnerable to brute force.
$ hydra -L user.list -P password.list smb://IP -V -f
$ nxc smb IP -u username -p password.list
$ nxc smb IP -u username.list -p password
$ msfconsole -q
msf6> use auxiliary/scanner/smb/smb_login

Exploitation

  • We can use crackmapexec/nxc to list shares and the access level on each, and to automatically fetch information about the host/network.
$ crackmapexec smb IP -u 'username' -p 'password' --shares
$ crackmapexec smb [...] # many more options
  • We can use smbmap (1.7k ⭐) to list users/shares+access/files/...
$ smbmap -H IP
$ smbmap -H IP -u 'username' -p 'password'
$ smbmap [...] -x 'command' -d 'domain' -s 'share'
  • We can use enum4linux (1.0k ⭐) or enum4linux-ng (1.0k ⭐) to list shares, devices and users, along with basic information about the host.
$ sudo apt-get install enum4linux-ng
$ enum4linux-ng IP -A
$ enum4linux-ng IP <options>
$ enum4linux-ng IP <options> -u 'username' -p 'password'
# -A : list all
# -U : list of users
# -M : list of devices
# -S : list of shares
# -o : print os information
# -i : print printer information
  • PsExec (see impacket client) is a tool that allows administrators to run commands on Windows hosts. It relies on SMB.

Well-Known CVEs

EternalBlue (MS17-010) is a vulnerability in the SMB protocol allowing Remote Code Execution (RCE). It was discovered by the NSA and stolen by hackers.

➡️ See: ms17_010_eternalblue, ms17_010_psexec, etc.

  • Samba username map script - Command Execution

SMB Relay Attacks

SMB relay is an attack in which the captured NTLM authentication is relayed to another machine instead of cracking the hash. It only works against targets where SMB signing is disabled (not enforced).

We can use impacket's ntlmrelayx or Responder's MultiRelay.

$ impacket-ntlmrelayx --no-http-server -smb2support -t IP -c '<command>'

You would usually have Responder running alongside, with SMB = Off in its configuration so that ntlmrelayx can listen on port 445 instead.

$ sudo responder -I tun0
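Because relay only works where signing is not enforced, the defender's first step is to find those hosts. As an added example (not part of these notes), this Python script parses the one-line host banners that nxc/crackmapexec print for each target and reports hosts that do not require SMB signing or still accept SMBv1; the sample output, hostnames and addresses are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample of the per-host banner lines printed by "nxc smb <targets>"
# (same layout as crackmapexec). Hostnames, domain and addresses are made up.
SAMPLE_OUTPUT = """\
SMB         10.10.10.5      445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.21     445    FILES01          [*] Windows Server 2016 Standard 14393 x64 (name:FILES01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         10.10.10.33     445    WS07             [*] Windows 10 Pro 19041 x64 (name:WS07) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.10.10.40     445    NAS              [*] Unix - Samba (name:NAS) (domain:WORKGROUP) (signing:False) (SMBv1:True)
"""

# One banner line: protocol, ip, port, hostname, "[*]", OS string, then the (key:value) fields.
BANNER_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\]\s+(?P<os>.*?)\s+"
    r"\(name:[^)]*\)\s+\(domain:(?P<domain>[^)]*)\)\s+"
    r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)"
)

@dataclass
class SmbHost:
    ip: str
    host: str
    domain: str
    os: str
    signing: bool  # True when the server requires SMB signing
    smbv1: bool    # True when the server still accepts the SMB1 / NT1 dialect

    @property
    def findings(self) -> list[str]:
        out = []
        if not self.signing:
            out.append("SMB signing not required: NTLM relay possible")
        if self.smbv1:
            out.append("SMBv1 enabled: legacy dialect, disable it")
        return out

def parse_nxc_output(text: str) -> list[SmbHost]:
    """Turn banner lines into SmbHost records; lines that do not match are ignored."""
    hosts = []
    for line in text.splitlines():
        m = BANNER_RE.match(line)
        if m:
            hosts.append(SmbHost(m["ip"], m["host"], m["domain"], m["os"],
                                 m["signing"] == "True", m["smbv1"] == "True"))
    return hosts

def hosts_needing_hardening(text: str) -> dict[str, list[str]]:
    """Map ip -> findings, only for hosts that have at least one finding."""
    return {h.ip: h.findings for h in parse_nxc_output(text) if h.findings}
```

Feed it the saved output of a real nxc/crackmapexec run to get the list of hosts where signing should be enforced and SMBv1 removed.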

👻 To-do 👻

Stuff that I found, but never read/used yet.

  • SMBenum
  • smbclient can run commands (!cmd)