
SMB-Enumeration

What is SMB

SMB (Server Message Block) is an application-layer network protocol for sharing files, printers and named pipes between machines. CIFS (Common Internet File System) is the name of the old SMB 1 dialect; current Windows and Samba releases speak SMB 2 and 3. Several applications on a client can read from and write to the same files on a server at once and request other services from it. SMB runs directly over TCP on port 445, or over NetBIOS over TCP/IP on port 139 (older deployments also carried it over NetBEUI and IPX). Any user, application or service that is authorised can use it to read, create and update files and reach other resources on a remote server. Communication is request/response: the client sends SMB requests and the server answers each one.

nmblookup

nmblookup queries NetBIOS names and maps them to their IP addresses on a network. Its options allow a name query to be sent to a particular broadcast area or to a particular machine, and with -A it does the reverse: a node status query against one IP address that returns that machine's complete NetBIOS name table. All queries go over UDP port 137. Each entry in the table is a name plus a one-byte suffix, and the suffix tells you what the name is used for:

For unique names:

00: Workstation Service (workstation name)
03: Windows Messenger service
06: Remote Access Service
20: File Service (also called Host Record)
21: Remote Access Service client
1B: Domain Master Browser – Primary Domain Controller for a domain
1D: Master Browser

For group names:

00: Workstation Service (workgroup/domain name)
1C: Domain Controllers for a domain
1E: Browser Service Elections

nmblookup -A IP
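As an added example (not code from the original post or from Samba), the script below turns the name table that nmblookup -A prints into the roles the suffix list above encodes: it separates unique from group entries, picks out the host name, the domain, and whether the box is a domain controller or browser, and pulls the MAC address. The sample table is constructed in the format nmblookup -A uses; the host DC01, domain CORP and MAC value are invented.

```shell
#!/usr/bin/env bash
# Classify a host from its NetBIOS name table (the output of `nmblookup -A IP`;
# nbtscan and nbtstat -A return the same table). Added example, not from the post.

# Constructed sample, laid out the way nmblookup -A prints it (values invented).
SAMPLE_NBT='Looking up status of 192.168.1.17
    DC01            <00> -         B <ACTIVE>
    DC01            <20> -         B <ACTIVE>
    CORP            <00> - <GROUP> B <ACTIVE>
    CORP            <1C> - <GROUP> B <ACTIVE>
    CORP            <1B> -         B <ACTIVE>
    CORP            <1E> - <GROUP> B <ACTIVE>
    CORP            <1D> -         B <ACTIVE>
    ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>

    MAC Address = 00-0C-29-AA-BB-CC'

# nbt_roles: read a name table on stdin, print one key=value line per finding.
nbt_roles() {
  awk '
    # Table rows look like: NAME <XX> - [<GROUP>] B <ACTIVE>
    $2 ~ /^<[0-9A-F][0-9A-F]>$/ {
      name = $1
      sfx  = substr($2, 2, 2)
      group = ($4 == "<GROUP>") ? 1 : 0        # group names carry <GROUP> in column 4
      if (!group && sfx == "00") host = name    # unique 00: workstation name
      if (!group && sfx == "20") fsvc = 1       # unique 20: file service running
      if ( group && sfx == "00") domain = name  # group 00: workgroup / domain name
      if ( group && sfx == "1C") dc = 1         # group 1C: domain controller
      if (!group && sfx == "1B") dmb = 1        # unique 1B: domain master browser (PDC)
      if (!group && sfx == "1D") mb = 1         # unique 1D: master browser
    }
    /MAC Address/ { mac = $NF }
    END {
      printf "host=%s\n", host
      printf "domain=%s\n", domain
      printf "file_service=%s\n", fsvc ? "yes" : "no"
      printf "domain_controller=%s\n", dc ? "yes" : "no"
      printf "domain_master_browser=%s\n", dmb ? "yes" : "no"
      printf "master_browser=%s\n", mb ? "yes" : "no"
      printf "mac=%s\n", mac
    }'
}

# Live use: ./nbtroles.sh 192.168.1.17 (needs nmblookup). Without a target the
# constructed sample is parsed instead, so the script also runs offline.
if [ -n "${1:-}" ]; then
  nmblookup -A "$1" | nbt_roles
else
  printf '%s\n' "$SAMPLE_NBT" | nbt_roles
fi
```

A group 1C entry is the quickest single indicator that you are looking at a domain controller rather than a member server; a unique 20 without any domain entries usually means a standalone workgroup box.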

nbtscan

NBTscan is a program for scanning IP networks for NetBIOS name information. It sends a NetBIOS status query to each address in the supplied range (a single IP or a CIDR block such as 192.168.1.0/24) and lists the replies in human-readable form, which makes it the quickest way to sweep a subnet for Windows and Samba hosts.

nbtscan IP

NMAP

nmap --script nbstat.nse IP

The nbstat script sends the same node status query to UDP/137 itself; it runs against a host once nmap has found 135, 139 or 445/tcp open, or 137/udp when the scan includes -sU.

nbtstat

This Windows command displays the NetBIOS over TCP/IP (NetBT) protocol statistics. It can read the NetBIOS name tables for both the local computer and remote computers. It can also read the NetBIOS name cache. This command allows a refresh of the NetBIOS name cache and the names registered with Windows Internet Name Service (WINS).

nbtstat -A IP

Share and Null Session

SMBMap

SMBMap enumerates SMB shares across an entire domain. It lists shares, share permissions and share contents, uploads and downloads files, auto-downloads files whose names match a pattern, and can even execute remote commands. Run without credentials it tests for a null session; run with credentials it shows what that account can read or write.

Open shares

smbmap -H IP

With credentials

smbmap -H IP -u USER -p PASS

smbclient

smbclient is the Samba client with an FTP-like interface. It is a useful tool to test connectivity to a Windows share. It can be used to transfer files or to list share names. In addition, it can tar (back up) and restore files from a server to a client and vice versa.

smbclient -N -L //IP
smbclient -N //IP/SHARE
get flag.txt

-N suppresses the password prompt, so the connection is attempted as a null session. The get flag.txt line is typed at the smb: \> prompt once the share is connected. Add -U raj%123 (username%password) to authenticate as a specific user instead of a null session.

NMAP

nmap --script smb-enum-shares -p139,445 IP

Net view

net view is a Windows command that displays a list of domains, computers, or resources being shared by the specified computer. Used without parameters, it lists the computers in your current domain. The /all switch includes the hidden administrative shares (names ending in $), which are otherwise left out.

net view \\192.168.1.17 /all

CrackMapExec

CrackMapExec (a.k.a. CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land": abusing built-in Active Directory features and protocols to achieve its functionality, which lets it evade many endpoint protection and IDS/IPS solutions. The project has since been archived; its maintained fork NetExec (nxc) takes the same arguments.

crackmapexec smb 192.168.1.17 -u 'raj' -p '123' --shares

rpcclient

rpcclient -U "" -N 192.168.1.40
netshareenum
netshareenumall

The first line opens a null session over MS-RPC (empty username, no password prompt); the two commands are typed at the rpcclient $> prompt. netshareenum returns the shares an ordinary user would see, while netshareenumall also includes the hidden administrative shares. If both fail with NT_STATUS_ACCESS_DENIED the host does not allow anonymous share enumeration and credentials are needed.
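Pulling the smbclient and null-session steps of this section together, here is an added script (not code from the post or from the Samba tools) that lists a target's shares anonymously and then tries an anonymous directory listing on each Disk share, skipping IPC$ and printer queues, which have nothing to list, and the $-suffixed administrative shares, which never accept a null session. The share listing it parses offline is constructed sample output in smbclient -L format; the share names and the target 192.168.1.17 in the usage line are placeholders.

```shell
#!/usr/bin/env bash
# Null-session share check built from the smbclient commands above.
# Added example, not from the post. Needs smbclient for live use; the parser
# runs offline against the constructed sample below.

# Constructed sample of `smbclient -N -L //IP` output (format real, shares invented).
SAMPLE_LIST='
    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
    Public          Disk
    Backups         Disk      Nightly dumps
    HP-LaserJet     Printer   HP LaserJet 4
Reconnecting with SMB1 for workgroup listing.
'

# shares_from_listing: stdin = smbclient -L output; prints one Disk share per line.
# IPC$ (the RPC pipe share) and printer queues are dropped because `ls` on them
# tells you nothing about file exposure.
shares_from_listing() {
  awk '$2 == "Disk" && $1 != "Sharename" { print $1 }'
}

# is_admin_share: hidden administrative shares end in $ (C$, ADMIN$, PRINT$).
# Report them, but do not waste a probe: they require an administrator logon.
is_admin_share() {
  case "$1" in
    *\$) return 0 ;;
    *)   return 1 ;;
  esac
}

# probe_null_session: enumerate shares anonymously, then try `ls` on each Disk
# share as a null session and print a verdict per share.
probe_null_session() {
  target="$1"
  smbclient -N -L "//$target" 2>/dev/null | shares_from_listing |
  while read -r share; do
    if is_admin_share "$share"; then
      printf '%-20s admin share, not probed\n' "$share"
    elif smbclient -N "//$target/$share" -c 'ls' </dev/null >/dev/null 2>&1; then
      printf '%-20s NULL SESSION READABLE\n' "$share"
    else
      printf '%-20s access denied\n' "$share"
    fi
  done
}

# Usage: ./smbnull.sh 192.168.1.17   (no target: parse the sample offline)
if [ -n "${1:-}" ]; then
  probe_null_session "$1"
else
  printf '%s\n' "$SAMPLE_LIST" | shares_from_listing
fi
```

A readable share found this way is worth a second pass with -U user%pass once you have any credentials, because a null session typically shows only a subset of what an authenticated user can read. The same enumeration over RPC is rpcclient -U "" -N IP -c netshareenumall.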

Vulnerability Scanning

NMAP

nmap --script "smb-vuln*" -p139,445 IP

Quote the wildcard so the shell cannot expand it against files in the current directory. Some of the smb-vuln scripts are in the dos category and can crash the target; read each script's description with nmap --script-help "smb-vuln*" before running them against production systems.

enum4linux -a IP

Summary

  • Enumerate Hostname - nmblookup -A [ip]
  • List Shares
    • smbmap -H [ip/hostname]
    • echo exit | smbclient -L //[ip]
    • nmap --script smb-enum-shares -p 139,445 [ip]
  • Check Null Sessions
    • smbmap -H [ip/hostname]
    • rpcclient -U "" -N [ip]
    • smbclient -N //[ip]/[share name]
  • Check for Vulnerabilities - nmap --script "smb-vuln*" -p 139,445 [ip]
  • Overall Scan - enum4linux -a [ip]
  • Manual Inspection
    • smbver.sh [IP] (port) [Samba]
    • check pcap
This post is licensed under CC BY 4.0 by the author.