SMB
Source: CTF and HTB Academy
Usually on ports 137, 138, 139, 445
Server Message Block (SMB) is a client-server protocol that regulates access to files and entire directories and other network resources such as printers, routers, or interfaces released for the network. With the free software project Samba, there is also a solution that enables the use of SMB in Linux and Unix distributions and thus cross-platform communication via SMB. Access rights are defined by Access Control Lists (ACL). They can be controlled in a fine-grained manner based on attributes such as execute, read, and full access for individual users or user groups. The ACLs are defined based on the shares and therefore do not correspond to the rights assigned locally on the server.
Samba
Samba implements the Common Internet File System (CIFS) network protocol. CIFS is a "dialect" of SMB, an extension of the SMB protocol. So when we pass SMB commands over Samba to an older NetBIOS service, it usually connects to the Samba server over ports 137, 138, 139, while CIFS uses TCP port 445 only. With version 3, the Samba server gained the ability to be a full member of an Active Directory domain. With version 4, Samba even provides an Active Directory domain controller. It contains several so-called daemons for this purpose, which are Unix background programs. The SMB server daemon (smbd) belonging to Samba provides the first two functionalities, while the NetBIOS message block daemon (nmbd) implements the last two functionalities. The SMB service controls these two background programs.
Default configuration
cat /etc/samba/smb.conf | grep -v "#\|\;"
show the default configuration with comment lines stripped
| Setting | Description |
|---|---|
| [sharename] | The name of the network share. |
| workgroup = WORKGROUP/DOMAIN | Workgroup that will appear when clients query. |
| path = /path/here/ | The directory to which the user is to be given access. |
| server string = STRING | The string that will show up when a connection is initiated. |
| unix password sync = yes | Synchronize the UNIX password with the SMB password? |
| usershare allow guests = yes | Allow non-authenticated users to access defined shares? |
| map to guest = bad user | What to do when a user login request doesn't match a valid UNIX user? |
| browseable = yes | Should this share be shown in the list of available shares? |
| guest ok = yes | Allow connecting to the service without using a password? |
| read only = yes | Allow users to read files only? |
| create mask = 0700 | What permissions need to be set for newly created files? |
Dangerous Settings
| Setting | Description |
|---|---|
| browseable = yes | Allow listing available shares in the current share? |
| read only = no | Forbid the creation and modification of files? |
| writable = yes | Allow users to create and modify files? |
| guest ok = yes | Allow connecting to the service without using a password? |
| enable privileges = yes | Honor privileges assigned to a specific SID? |
| create mask = 0777 | What permissions must be assigned to newly created files? |
| directory mask = 0777 | What permissions must be assigned to newly created directories? |
| logon script = script.sh | What script needs to be executed on the user's login? |
| magic script = script.sh | Which script should be executed when the script gets closed? |
| magic output = script.out | Where does the output of the magic script need to be stored? |
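As an added example (not part of the original notes), a small Python auditor that reads an smb.conf and flags the dangerous settings from the table above; the sample configuration it parses is constructed here and the share names are made up.

```python
import configparser

# Constructed sample smb.conf (not from the page) mixing safe and risky values.
SAMPLE_SMB_CONF = """
[notes]
   read only = no
   guest ok = yes
   create mask = 0777
   directory mask = 0777

[private]
   browseable = no
   read only = yes
   guest ok = no
"""

# Settings from the "Dangerous Settings" table: (risky value, why it matters).
# None means the setting is a finding whenever it appears at all.
RISKY = {
    "browseable": ("yes", "share is listed to anyone asking for the share list"),
    "read only": ("no", "share is writable"),
    "writable": ("yes", "share is writable"),
    "guest ok": ("yes", "connecting requires no password"),
    "enable privileges": ("yes", "SID-assigned privileges are honoured"),
    "create mask": ("0777", "new files are world-writable"),
    "directory mask": ("0777", "new directories are world-writable"),
    "logon script": (None, "script runs at every user logon"),
    "magic script": (None, "script is executed by the server"),
    "magic output": (None, "magic script output is written to disk"),
}

def normalize(value):
    """Map Samba boolean spellings (yes/true/1, no/false/0) to 'yes'/'no'."""
    v = value.strip().lower()
    return {"true": "yes", "1": "yes", "false": "no", "0": "no"}.get(v, v)

def audit_smb_conf(text):
    """Return [(section, setting, value, reason)] for every risky setting."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=("#", ";"))
    # Strip indentation so configparser does not treat lines as continuations.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    findings = []
    for section in cp.sections():
        for key, raw in cp.items(section):
            key = " ".join(key.split())  # collapse 'read  only' -> 'read only'
            if key in RISKY:
                risky_value, reason = RISKY[key]
                if risky_value is None or normalize(raw) == risky_value:
                    findings.append((section, key, raw.strip(), reason))
    return findings
```

Run it against a real file with `audit_smb_conf(open("/etc/samba/smb.conf").read())`; an empty list means none of the table's risky values were found.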
Enumerate SMB
Nmap
sudo nmap 10.129.14.128 -sV -sC -p139,445
Nmap also ships dedicated SMB NSE scripts (for example smb-os-discovery and smb-enum-shares, selected with --script) for deeper enumeration.
rpcclient
rpcclient -U "" 10.129.14.128
| Query | Description |
|---|---|
| srvinfo | Server information. |
| enumdomains | Enumerate all domains that are deployed in the network. |
| querydominfo | Provides domain, server, and user information of deployed domains. |
| netshareenumall | Enumerates all available shares. |
| netsharegetinfo <share> | Provides information about a specific share. |
| enumdomusers | Enumerates all domain users. |
| queryuser <RID> | Provides information about a specific user. |
| querygroup <RID> | Provides information about a specific group. |
Sometimes not all commands are available.
for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
brute-force user RIDs with queryuser when the user list cannot be enumerated directly
Impacket Samrdump
samrdump.py 10.129.14.128
Enum with Metasploit
msfconsole
use auxiliary/scanner/smb/smb_version
options
set RHOSTS IP-ADD
(in my example I use 10.0.2.4 instead of IP-ADD). The output shows the Samba version, which is worth writing down in our notes.
smbclient
Tool that helps us list shares or see useful info
smbclient -L \\10.10.55.112
list shares
Connect anonymously
smbclient --no-pass \\\\10.10.10.100\\SHARE
or
smbclient //10.10.10.134/SHARE
Use the -N option in smbclient to suppress the password prompt
smbclient -U user \\\\10.129.42.197\\SHARENAME
SMBmap
smbmap -H 192.168.1.40
Enum4linux
Installation
Commands
enum4linux -a 10.10.10.100
outputs all sorts of info (users, shares, groups, OS details)
Crackmapexec
crackmapexec smb 10.129.14.128 --shares -u '' -p ''
Password attack
Hydra
hydra -L user.list -P password.list smb://10.129.42.197
Pass attack with Metasploit
What to try
smbclient --no-pass \\\\10.10.10.100\\SHARE
connect to a share anonymously; you might find interesting files this way
Check out the Windows version to see if it is vulnerable to anything (EternalBlue, for example)
We can also try this command
smbclient //10.10.10.134/SHARE
!<cmd>
run a local system command even while connected to SMB (example: !ls)
get
download a file from the share
smbstatus
check connections on the SMB server