Server Message Block (SMB)

footprinting networkservices adventofcyber4

Server Message Block (SMB) is the file-sharing protocol used by Windows. It is the Windows counterpart of NFS on Linux.

Samba is what lets the Linux (NFS) and Windows (SMB) file-sharing worlds work together: it implements CIFS.

🐊️ Port: 445/TCP (139/TCP on older hosts)

It is mostly used internally: computers, printers, etc. are connected to a shared folder called a share 📂 (def).

For any smbclient commands, you can use:

$ smbclient -U username [...] # specify username
$ smbclient -p port [...]     # specify port

List shares

$ smbclient [...] -L IP
PS> net view \\IP
PS> net share
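From the defender's side, the most useful version of the share listing is "what does a null session (-N, no credentials) see on my own file server?". As an added example, not part of the original notes, this POSIX-sh audit pipes the output of smbclient -L into a parser that flags every share beyond the standard administrative ones. The "Sharename / Type / Comment" table layout is the one Samba's smbclient prints; the list of default shares and the sample listing are constructed for running offline and are not from a real host.

```shell
#!/bin/sh
# Added example (not from the original notes): audit what a null session exposes.
# Live use:  smbclient -L "$HOST" -N 2>/dev/null | parse_share_list
# Parses the "Sharename  Type  Comment" table printed by smbclient -L (layout
# assumed from Samba's smbclient) and flags every share that is not one of the
# standard administrative shares.

# Administrative shares present on most Windows/Samba hosts (IPC$, ADMIN$,
# print$, and single-letter drive shares such as C$).
is_default_share() {
    case "$1" in
        'IPC$'|'ADMIN$'|'print$'|[A-Za-z]'$') return 0 ;;
        *) return 1 ;;
    esac
}

# Reads smbclient -L output on stdin and prints "NAME TYPE FLAG" per share.
# FLAG is "default" for administrative shares, "hidden" for other $-suffixed
# shares, and "custom" for everything else (review those first).
# Share names containing spaces are not handled by this simple parser.
parse_share_list() {
    awk '
        /^[[:space:]]*Sharename[[:space:]]+Type/ { in_table = 1; next }  # header row
        in_table && /^[[:space:]]*-+[[:space:]]+-+/ { next }             # underline row
        in_table && NF == 0 { in_table = 0 }                             # blank line ends the table
        in_table { print $1, $2 }
    ' | while read -r name type; do
        if is_default_share "$name"; then
            flag=default
        elif [ "${name%\$}" != "$name" ]; then
            flag=hidden
        else
            flag=custom
        fi
        printf '%-20s %-6s %s\n' "$name" "$type" "$flag"
    done
}

# Counts the shares carrying flag $1 in parse_share_list output read on stdin.
count_flag() {
    awk -v f="$1" '$3 == f { n++ } END { print n + 0 }'
}

# Constructed sample of `smbclient -L 10.0.0.10 -N` output (not a real host).
SAMPLE_LISTING='
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        anonymous       Disk
        backup$         Disk      Nightly dumps
        IPC$            IPC       IPC Service (fileserver (Samba, Ubuntu))

SMB1 disabled -- no workgroup available
'

# With a host argument, audit it live; otherwise run over the constructed sample.
if [ -n "${1:-}" ]; then
    smbclient -L "$1" -N 2>/dev/null | parse_share_list
else
    printf '%s\n' "$SAMPLE_LISTING" | parse_share_list
fi
```

Anything flagged "custom" or "hidden" that a null session can list is worth a look at the share definition (guest ok, browseable, and the path it exposes); a hidden $-suffixed share is not protected by the suffix, it is only left out of browse lists.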

Connect to a share

$ smbclient //IP/share_name [...]
$ smbclient smb://IP/share_name [...] # same
$ impacket-smbclient 'username':'password'@IP

For old targets that only speak SMBv1, you may have to add --option='client min protocol=NT1'.

Common commands

smb> help      # list every command
smb> pwd       # get the current folder
smb> ls folder # list files in folder
smb> cd folder # move to folder
smb> stat file # show information
smb> more file # read a file remotely
smb> put /local/path /remote/path # upload
smb> get /remote/path /local/path # download
smb> exit # there is also "q" and "quit"

⚠️ Don't forget to look for hidden files.


Common SMB Usages

Dump everything in a share

You can use smbget:

$ smbget --recursive smb://username@IP/share_name
$ smbget --recursive smb://username:password@IP/share_name

Linux — Set up an SMB server

You can use impacket's SMB server script (impacket-smbserver) to start an SMB server on your machine. The server only lives as long as the script: when the script is terminated, the server is terminated too.

📚 This is useful to transfer files between Windows and Linux.

Windows Share Access

  • You can use copy to download/upload files.
PS> # use current user credentials to log in
PS> copy \\IP\share\file # Download
PS> copy file \\IP\share # Upload
  • You can mount a share as a network drive (s:). This allows you to access the share with custom credentials.
CMD> net use s: \\IP\share_name /user:username password
PS> $credential = New-Object System.Management.Automation.PSCredential 'username', $(ConvertTo-SecureString 'password' -AsPlainText -Force)
PS> New-PSDrive -Name "S" -Root "\\IP\share_name" -PSProvider "FileSystem" -Credential $credential
  • You can access a share from the file explorer using smb://[...]
  • You may use dir to list the contents of a share
CMD> dir \\wsl$
CMD> dir s:\* /s /b

SMB Pentester Notes ☠️

Enumeration

attacking_common_services

  • Using nmap you can try to:
# find users and shares
$ nmap -p 139,445 --script=smb-enum-shares.nse,smb-enum-users.nse IP
# find the operating system
$ nmap -p 139,445 --script smb-os-discovery.nse IP
# run every smb script
$ nmap -p 139,445 --script "*smb*" IP
  • If MSRPC is exposed, we may be able to query it for users, host information, OS information, etc.

FootHold

password_attacks attacking_common_services kenobi

  • Try the Anonymous user with no password (-N or -no-pass), a.k.a. a null session
# list shares
$ smbclient -L IP -U Anonymous -N
# connect to a share
$ smbclient //IP/share_name -U Anonymous -N
# test Anonymous share
$ smbclient //IP/Anonymous -U Anonymous -N
  • The password may be weak and vulnerable to brute force.
$ hydra -L user.list -P password.list smb://IP -V -f
$ nxc smb IP -u username -p password.list
$ msfconsole -q
msf6> use auxiliary/scanner/smb/smb_login
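On the defending side, this guessing is visible in the file server's logs. As an added example (not part of the original notes), a POSIX-sh detector over Samba's auth audit lines, which Samba writes at auth audit log level in the form "Auth: [...] user [DOM]\[name] ... status [NT_STATUS_...] ... remote host [ipv4:ADDR:PORT] ..." (format assumed from Samba's auth_log output). It ranks source addresses by failed SMB logons and counts how many distinct usernames each source tried, which separates brute force of one account from password spraying across many. The log lines are constructed, not from a real system.

```shell
#!/bin/sh
# Added example (not from the original notes): spot SMB password guessing in
# Samba's auth audit log (smb.conf: log level = 1 auth_audit:3). Lines look like
#   Auth: [SMB2,(null)] user [DOM]\[name] at [...] with [NTLMv2]
#   status [NT_STATUS_WRONG_PASSWORD] workstation [X] remote host [ipv4:ADDR:PORT] ...
# (format assumed from Samba's auth_log output).
# Live use:  failed_logons_by_source 10 < /var/log/samba/log.smbd

# Statuses that mean the logon was refused.
FAILED_STATUS='status \[NT_STATUS_(WRONG_PASSWORD|NO_SUCH_USER|LOGON_FAILURE|ACCOUNT_LOCKED_OUT)\]'

# Prints "COUNT SOURCE" for every source address with at least $1 failed
# logons (default 5), most active first. Reads log lines on stdin.
failed_logons_by_source() {
    threshold="${1:-5}"
    grep -E "$FAILED_STATUS" \
        | sed -n 's/.*remote host \[ipv4:\([0-9.]*\):[0-9]*\].*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# Prints the number of distinct usernames that failed from source address $1.
# Many names with few tries each points to spraying; many tries against one
# name points to brute force of that single account.
distinct_failed_users_from() {
    grep -F "remote host [ipv4:$1:" \
        | grep -E "$FAILED_STATUS" \
        | sed -n 's/.*user \[[^]]*]\\\[\([^]]*\)].*/\1/p' \
        | sort -u | wc -l | tr -d ' '
}

# Constructed log lines (not from a real system): six failures from 10.0.0.5
# against three accounts, one typo from 10.0.0.7, one success from 10.0.0.8.
SAMPLE_LOG='Auth: [SMB2,(null)] user [WORKGROUP]\[bob] at [Tue, 21 Nov 2023 10:15:32.000001 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [WS01] remote host [ipv4:10.0.0.5:49812] mapped to [WORKGROUP]\[bob]. local host [ipv4:10.0.0.10:445]
Auth: [SMB2,(null)] user [WORKGROUP]\[bob] at [Tue, 21 Nov 2023 10:15:33.000001 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [WS01] remote host [ipv4:10.0.0.5:49813] mapped to [WORKGROUP]\[bob]. local host [ipv4:10.0.0.10:445]
Auth: [SMB2,(null)] user [WORKGROUP]\[alice] at [Tue, 21 Nov 2023 10:15:34.000001 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [WS01] remote host [ipv4:10.0.0.5:49814] mapped to [WORKGROUP]\[alice]. local host [ipv4:10.0.0.10:445]
Auth: [SMB2,(null)] user [WORKGROUP]\[svc_backup] at [Tue, 21 Nov 2023 10:15:35.000001 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [WS01] remote host [ipv4:10.0.0.5:49815] mapped to [WORKGROUP]\[svc_backup]. local host [ipv4:10.0.0.10:445]
Auth: [SMB2,(null)] user [WORKGROUP]\[alice] at [Tue, 21 Nov 2023 10:15:36.000001 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [WS01] remote host [ipv4:10.0.0.5:49816] mapped to [WORKGROUP]\[alice]. local host [ipv4:10.0.0.10:445]
Auth: [SMB2,(null)] user [WORKGROUP]\[bob] at [Tue, 21 Nov 2023 10:15:37.000001 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [WS01] remote host [ipv4:10.0.0.5:49817] mapped to [WORKGROUP]\[bob]. local host [ipv4:10.0.0.10:445]
Auth: [SMB2,(null)] user [WORKGROUP]\[carol] at [Tue, 21 Nov 2023 10:20:01.000001 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [LAPTOP7] remote host [ipv4:10.0.0.7:50120] mapped to [WORKGROUP]\[carol]. local host [ipv4:10.0.0.10:445]
Auth: [SMB2,(null)] user [WORKGROUP]\[dave] at [Tue, 21 Nov 2023 10:21:10.000001 UTC] with [NTLMv2] status [NT_STATUS_OK] workstation [WS02] remote host [ipv4:10.0.0.8:50301] mapped to [WORKGROUP]\[dave]. local host [ipv4:10.0.0.10:445]'

# With a log file argument, scan it; otherwise run over the constructed sample.
if [ -n "${1:-}" ]; then
    failed_logons_by_source 5 < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | failed_logons_by_source 5
fi
```

The threshold is deliberately low for a file server that sees a handful of typos a day; pick it from your own baseline, and treat a single source that fails against many different usernames (the second function) as more suspicious than the same count against one account, since spraying stays under per-account lockout.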

Exploitation

  • You can use crackmapexec/nxc to list shares and their access rights, and to automatically fetch some basic information about the host.
$ crackmapexec smb IP --shares -u 'username' -p 'password'
  • You can use smbmap (1.6k ⭐) to list users/shares+access/files/...
$ smbmap -H IP
$ smbmap -H IP -u 'username' -p 'password'
  • You can use enum4linux (1.0k ⭐) or enum4linux-ng (1.0k ⭐) to list shares, devices and users, along with basic information about the host.
$ sudo apt-get install enum4linux-ng
$ enum4linux-ng IP -A
$ enum4linux-ng IP <options>
$ enum4linux-ng IP <options> -u 'username' -p 'password'
# enum4linux options (enum4linux-ng uses the uppercase equivalents: -A, -U, -S, -O, -I)
# -a : list all
# -U : list of users
# -M : list of devices
# -S : list of shares
# -o : print os information
# -i : print printer information
  • PsExec (see the impacket client) is a tool that lets administrators run commands on remote Windows hosts. It relies on SMB.

Well-Known CVEs

shells_and_payloads blue

EternalBlue (MS17-010) is a vulnerability in the SMB protocol allowing Remote Code Execution (RCE). It was discovered by the NSA, and the exploit was later stolen by hackers.

➡️ See: ms17_010_eternalblue, ms17_010_psexec, etc.

legacy

lame

  • Samba username map script - Command Execution

👻 To-do 👻

Stuff that I found but never read/used yet.

  • SMBenum
  • smbclient can run commands (!cmd)