SMB

Introduction

  • Server Message Block (SMB) is a client-server protocol that regulates access to files and entire directories and other network resources.

  • The SMB protocol enables the client to communicate with other participants in the same network to access files or services shared with it on the network.

  • An SMB server can provide arbitrary parts of its local file system as shares.

  • Access rights are defined by Access Control Lists (ACL).

  • SMB runs on port 445 TCP by default


SMB Shares Enumeration

  • Run Snaffler from a Windows host to find useful data in shares: .\Snaffler.exe -d INLANEFREIGHT.LOCAL -s -v data

  • Run Scavenger from a Linux host to find useful data in shares: python3 ./scavenger.py smb -t 10.0.0.10 -u administrator -p Password123 -d testdomain.local

  • Shares enumeration from Windows: net view \MachineName /all

  • CME Shares Enumeration from Linux: sudo crackmapexec smb 172.16.5.5 -u validuser -p validpassword --shares

  • CME Share Spidering from Linux: sudo crackmapexec smb 172.16.5.5 -u validuser -p validpassword -M spider_plus --share sharename

  • SMBMap Share Enumeration from Linux: smbmap -u validuser -p validpassword -d INLANEFREIGHT.LOCAL -H 172.16.5.5

  • SMBMap Share Recursive Directory Listing from Linux smbmap -u validuser -p validpassword -d INLANEFREIGHT.LOCAL -H 172.16.5.5 -R SHARENAME --dir-only

  • Download Shares Recursively from Linux: smbget -u guest -R smb://10.129.8.111/Development/


SMB NULL Session, Guest and Common Credentials Authentication

  • Guest Authentication: enum4linux -a -u "guest" -p "" <DC IP>

  • Guest Authentication: smbmap -u "guest" -p "" -P 445 -H <DC IP>

  • Guest Authentication: smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //

  • NULL Session: smbclient -N -L //<FQDN/IP>

  • NULL Session: crackmapexec smb <FQDN/IP> --shares -u '' -p ''

  • NULL Session: smbmap -u "" -p "" -P 445 -H <DC IP>

  • NULL Session: enum4linux -a -u "" -p "" <DC IP>

  • Check for common SMB credentials, as listed below


Common SMB Credentials

Source: https://book.hacktricks.xyz/network-services-pentesting/pentesting-smb#possible-credentials


Enumerating SMB via RPC Client

The rpcclient utility offers us many different requests with which we can execute specific functions on the SMB server to get information.

Bruteforcing user RIDs:

  • Oneliner: for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done

  • Impacket Samrdump: samrdump.py 10.129.14.128


CrackMapExec (CME) Utilities

Last updated