What is SMB
SMB or Server Message Block is the modernized concept of what was used to known as Common Internet File System. It works as an Application Layer Network Protocol. It is designed to be used as a File Sharing Protocol. Different Applications can on a system can read and write simultaneously to the files and request the server for services inside a network. One of the interesting functionalities of SMB is that it can be run atop of its TCP/IP protocol or other network protocols. With the help of SMB, a user or any application or software that is authorized can access files or other resources on a remote server. Actions that can be performed include reading data, creating data, and updating data. The communication between clients and servers is done with the help of something called SMB client request.
nmblookup
It is designed to make use of queries for the NetBIOS names and then map them to their subsequent IP addresses in a network. The options allow the name queries to be directed at a particular IP broadcast area or to a particular machine. All queries are done over UDP.
For unique names:
1
2
3
4
5
6
7
| 00: Workstation Service (workstation name)
03: Windows Messenger service
06: Remote Access Service
20: File Service (also called Host Record)
21: Remote Access Service client
1B: Domain Master Browser – Primary Domain Controller for a domain
1D: Master Browser
|
For group names:
1
2
3
| 00: Workstation Service (workgroup/domain name)
1C: Domain Controllers for a domain
1E: Browser Service Elections
|
nbtscan
NBTscan is a program for scanning IP networks for NetBIOS name information. It sends NetBIOS status query to each address in supplied range and lists received information in human-readable form.
NMAP
1
| nmap --script nbstat.nse IP
|
nbtstat
This Windows command displays the NetBIOS over TCP/IP (NetBT) protocol statistics. It can read the NetBIOS name tables for both the local computer and remote computers. It can also read the NetBIOS name cache. This command allows a refresh of the NetBIOS name cache and the names registered with Windows Internet Name Service (WINS).
Share and Null Session
SMBMap
SMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands.
Open shares
With credentials
1
| smbmap -H IP -u USER -p PASS
|
smbclient
smbclient is samba client with an “ftp like” interface. It is a useful tool to test connectivity to a Windows share. It can be used to transfer files, or to look at share names. In addition, it has a nifty ability to ‘tar’ (backup) and restore files from a server to a client and vice versa.
1
2
3
| smbclient -L IP
smbclient //IP/SHARE
get flag.txt
|
Add -U raj%123 for user specific share.
NMAP
1
| nmap --script smb-enum-shares -p139,445 IP
|
Net view
Displays a list of domains, computers, or resources that are being shared by the specified computer. Used without parameters, net view displays a list of computers in your current domain.
net view \\192.168.1.17 /All
CrackMapExec
CrackMapExec (a.k.a CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of “Living off the Land”: abusing built-in Active Directory features/protocols to achieve its functionality and allowing it to evade most endpoint protection/IDS/IPS solutions.
1
| crackmapexec smb 192.168.1.17 -u 'raj' -p '123' --shares
|
rpcclient
1
2
3
| rpcclient -U "" -N 192.168.1.40
netshareenum
netshareenumall
|
Vulnerability Scanning
NMAP
1
| nmap --script smb-vuln* IP
|
Summary
- Enumerate Hostname - nmblookup -A [ip]
- List Shares
- smbmap -H [ip/hostname]
| echo exit | smbclient -L \\[ip] |
- nmap –script smb-enum-shares -p 139,445 [ip]
- Check Null Sessions
- smbmap -H [ip/hostname]
- rpcclient -U “” -N [ip]
- smbclient \\[ip]\[share name]
- Check for Vulnerabilities - nmap –script smb-vuln* -p 139,445 [ip]
- Overall Scan - enum4linux -a [ip]
- Manual Inspection
- smbver.sh [IP] (port) [Samba]
- check pcap
