SMB - 139,445

Port 139,445 (default)

  • Based on TCP

  • Rights and access are controlled by ACLs

  • Samba -> the SMB implementation for Linux. Allows Linux systems to communicate with newer Windows systems over SMB. Also supports CIFS (the older SMB1 dialect of SMB)

Enumeration

smbclient

Listing shares with no authentication

smbclient -U '' -L \\\\192.168.184.117\\

# Sometimes it is worth trying 'guest' and 'anonymous' access as well
smbclient -U 'guest' -L \\\\192.168.184.117\\
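The share table printed by the listing commands above is worth parsing rather than eyeballing. The following is an added example (not code from the original page): it reads smbclient -L output, returns the share rows, and reports which non-default disk shares were visible to the anonymous/guest session and whether the IPC$ comment leaks the Samba version (it carries the server string, which defaults to "Samba %v"). The listing, share names and version string are constructed sample data.

```python
"""Triage the share table printed by `smbclient -L`.

Added example for this cheat sheet, not code from the original page. The
listing below is constructed sample text in smbclient's table format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `smbclient -U '' -L //host` output (not real data).
SAMPLE_LISTING = """\
Anonymous login successful

\tSharename       Type      Comment
\t---------       ----      -------
\tprint$          Disk      Printer Drivers
\tIPC$            IPC       IPC Service (Samba 4.13.17-Ubuntu)
\tnew-site        Disk
\tbackups         Disk      Nightly backups
Reconnecting with SMB1 for workgroup listing.

\tServer               Comment
\t---------            -------

\tWorkgroup            Master
\t---------            -------
\tWORKGROUP            FILESRV
"""

# Shares every Samba or Windows host exposes; seeing them is expected.
DEFAULT_SHARES = {"IPC$", "print$", "ADMIN$", "C$"}

_SHARE_ROW = re.compile(r"^\s*(\S+)\s+(Disk|IPC|Printer)\s*(.*)$")


@dataclass
class Share:
    name: str
    kind: str       # Disk, IPC or Printer
    comment: str


def parse_listing(text: str) -> list[Share]:
    """Return the rows of the Sharename/Type/Comment table."""
    shares: list[Share] = []
    in_table = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Sharename"):
            in_table = True
            continue
        if not in_table:
            continue
        if not stripped:                       # blank line closes the table
            break
        if set(stripped) <= set("- \t"):       # the dashes header row
            continue
        m = _SHARE_ROW.match(line)
        if not m:                              # e.g. "Reconnecting with SMB1 ..."
            break
        shares.append(Share(m.group(1), m.group(2), m.group(3).strip()))
    return shares


def anonymous_findings(shares: list[Share]) -> dict[str, list[str]]:
    """What a defender wants from the listing: non-default disk shares visible
    without credentials, and version strings leaked through share comments."""
    exposed = [s.name for s in shares
               if s.kind == "Disk" and s.name not in DEFAULT_SHARES]
    leaks = [s.comment for s in shares if re.search(r"Samba \d", s.comment)]
    return {"exposed_shares": exposed, "version_leaks": leaks}


if __name__ == "__main__":
    rows = parse_listing(SAMPLE_LISTING)
    for s in rows:
        print(f"{s.name:<12} {s.kind:<8} {s.comment}")
    print(anonymous_findings(rows))
```

Feed it the real output with `parse_listing(subprocess.run([...], capture_output=True, text=True).stdout)`; anything in `exposed_shares` is a share an unauthenticated client can at least see, and a non-empty `version_leaks` means the server string should be changed.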

Putting file in a share

root@kali# smbclient -U 'bob%password123' //10.10.10.97/new-site -c 'put /opt/shells/netcat/nc.exe nc.exe'

Execute a local shell command from the smb prompt by prefixing it with !

smb: \> !cat prep-prod.txt

Troubleshooting

Error: Server does not support Extended Security but 'client use spnego = yes' [...]

smbclient //10.11.1.115/IPC$ --option='client min protocol=NT1' -N
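The workaround above only succeeds because the server still accepts the NT1 (SMB1) dialect, and the -N null session only succeeds because anonymous access is allowed. Server-side, both come down to a few smb.conf parameters. The following added example (not code from the original page) audits an smb.conf for them and shows a weak configuration beside a corrected one; both configurations are constructed samples, and the option names and values are Samba's documented smb.conf parameters.

```python
"""Audit an smb.conf for SMB1 fallback and anonymous/guest access.

Added example, not code from the original page. Both configurations are
constructed samples using Samba's documented smb.conf parameters.
"""
from __future__ import annotations

import configparser

# Constructed smb.conf carrying the weak settings the checks below flag.
WEAK_SMB_CONF = """
[global]
   workgroup = WORKGROUP
# %v expands to the Samba version and ends up in the IPC$ share comment
   server string = Samba %v
# NT1 is the SMB1 dialect that 'client min protocol=NT1' falls back to
   server min protocol = NT1
   map to guest = Bad User
   restrict anonymous = 0
   server signing = disabled

[new-site]
   path = /srv/www/new-site
   guest ok = yes
   writable = yes

[backups]
   path = /srv/backups
   read only = yes
"""

# The same host with every finding corrected.
HARDENED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = File server
   server min protocol = SMB2_02
   map to guest = Never
   restrict anonymous = 1
   server signing = mandatory

[new-site]
   path = /srv/www/new-site
   valid users = @web
   writable = yes

[backups]
   path = /srv/backups
   read only = yes
"""

SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}


def load_smb_conf(text: str) -> configparser.ConfigParser:
    # interpolation=None: smb.conf's % substitutions are not configparser syntax
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp


def _truthy(value: str) -> bool:
    return value.strip().lower() in {"yes", "true", "1"}


def audit(text: str) -> list[str]:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    cp = load_smb_conf(text)
    g = cp["global"] if cp.has_section("global") else {}
    findings: list[str] = []

    min_proto = g.get("server min protocol", "").strip().upper()
    if min_proto in SMB1_DIALECTS:
        findings.append(f"SMB1 enabled: server min protocol = {min_proto}; use SMB2_02 or higher")
    elif not min_proto:
        findings.append("server min protocol unset: default is SMB2_02 on Samba >= 4.11, NT1 before")
    if g.get("map to guest", "Never").strip().lower() != "never":
        findings.append("map to guest is not Never: unknown usernames are mapped to the guest account")
    if g.get("restrict anonymous", "0").strip() == "0":
        findings.append("restrict anonymous = 0: null sessions allowed; set 1 (deny IPC$) or 2 (deny all)")
    if g.get("server signing", "").strip().lower() == "disabled":
        findings.append("server signing = disabled: set mandatory")
    if "%v" in g.get("server string", "Samba %v"):
        findings.append("server string contains %v: Samba version disclosed in the IPC$ comment")

    for name in cp.sections():
        if name.lower() == "global":
            continue
        s = cp[name]
        if _truthy(s.get("guest ok", s.get("public", "no"))):
            # 'writable'/'writeable'/'write ok' are the inverse of 'read only' (default yes)
            writable = (not _truthy(s.get("read only", "yes"))
                        or any(_truthy(s.get(k, "no")) for k in ("writable", "writeable", "write ok")))
            findings.append(f"share [{name}] is guest-{'writable' if writable else 'readable'} (guest ok = yes)")
    return findings


if __name__ == "__main__":
    for f in audit(WEAK_SMB_CONF):
        print("-", f)
    print("hardened:", audit(HARDENED_SMB_CONF) or "no findings")
```

Run it against `open("/etc/samba/smb.conf").read()`; if the first finding is about `server min protocol`, the NT1 workaround from the troubleshooting step will work against that host.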

smbmap

Listing shares with no authentication

smbmap -H 192.168.184.117

Listing shares with authentication; to test guest access, supply any username and omit the -p field

smbmap -H 10.10.10.239 -u <username> -p <password>

Download a file with SMBMap

smbmap -u BR086 -p Welcome1 -H 172.16.7.3 --download 'Department Shares\IT\Private\Development\web.config'

enum4linux-ng

The successor of the well-known tool enum4linux.

./enum4linux-ng.py 10.129.14.128 -A

Nmap

Scanning for common SMB vulnerabilities with the smb-vuln-* NSE scripts

sudo nmap --script smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-cve-2017-7494.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse,smb-vuln-regsvc-dos.nse,smb-vuln-webexec.nse -p 139,445 192.168.218.45

Enumerate shares with an nmap script

sudo nmap --script smb-enum-shares.nse -p445 10.11.1.31

Crackmapexec

Check what SMB shares we have access to

crackmapexec smb 10.10.10.161 -u svc-alfresco -p s3rvice --shares

# The same check with a null (anonymous) session
crackmapexec smb 10.10.10.161 -u '' -p '' --shares

Other commands

Downloading SMB share files recursively

smbget -R smb://10.11.1.31/wwwroot/_vti_pingit

From within an smbclient session (download a whole share recursively)

smb: \> recurse on
smb: \> prompt off
smb: \> mget *

smbver.sh

Note: needs to be run with sudo (tcpdump requires capture privileges).

#!/bin/sh
# Author: rewardone
# Description:
#   Requires root or enough permissions to use tcpdump.
#   Listens for the first packets of a null login and grabs the SMB version
#   from the server's NativeOS/NativeLanMan strings.
# Notes:
#   Will sometimes not capture or will print multiple lines. May need to run a
#   second time for success.

if [ -z "$1" ]; then
    echo "Usage: ./smbver.sh RHOST [RPORT] [interface]"
    exit 1
fi
rhost=$1
rport=${2:-139}          # default: NetBIOS session service port
interface=${3:-tun0}     # default: capture interface

# Capture up to 10 packets from the target, drop the '.' that tcpdump -A prints
# for the null bytes of the UTF-16 strings, and pull out "UnixSamba <version>".
tcpdump -s0 -n -i "$interface" src "$rhost" and port "$rport" -A -c 10 2>/dev/null \
    | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' &
printf '%s: ' "$rhost"

# Trigger a null-session share listing so the server sends its version strings
echo "exit" | smbclient -L "$rhost" 1>/dev/null 2>/dev/null

echo && sleep .1
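The grep/tr pipeline in smbver.sh works because the server's NativeOS and NativeLanMan fields in the SMB1 Session Setup AndX response are null-terminated UTF-16LE strings: tcpdump -A prints every null byte as '.', the script deletes all dots to glue the characters back together, and in doing so it also deletes the dots inside the version number (4.13.17 comes out as 41317). The following added example (not code from the original page) decodes the same bytes properly and, for comparison, reproduces what the dot-stripping pipeline would yield. The payload is constructed for the example, not a real capture, and the handling of an odd byte count as a single leading alignment pad byte is an assumption.

```python
"""Decode the NativeOS / NativeLanMan strings smbver.sh scrapes from tcpdump -A.

Added example, not code from the original page. The payload below is
constructed: it is the data block of an SMB1 Session Setup AndX response
(ByteCount followed by NativeOS, NativeLanMan and PrimaryDomain as
null-terminated UTF-16LE strings), not a real capture.
"""
from __future__ import annotations

import re
import struct


def _utf16z(s: str) -> bytes:
    """Encode as null-terminated UTF-16LE, as the SMB1 Unicode fields are."""
    return s.encode("utf-16-le") + b"\x00\x00"


_STRINGS = _utf16z("Unix") + _utf16z("Samba 4.13.17-Ubuntu") + _utf16z("WORKGROUP")
SAMPLE_PAYLOAD = struct.pack("<H", len(_STRINGS)) + _STRINGS   # constructed


def utf16le_cstrings(data: bytes) -> list[str]:
    """Split a run of consecutive null-terminated UTF-16LE strings."""
    out: list[str] = []
    cur = bytearray()
    for i in range(0, len(data) - 1, 2):
        unit = data[i:i + 2]
        if unit == b"\x00\x00":          # terminator: flush the current string
            out.append(cur.decode("utf-16-le", errors="replace"))
            cur = bytearray()
        else:
            cur += unit
    if cur:                               # unterminated trailing string
        out.append(cur.decode("utf-16-le", errors="replace"))
    return out


def parse_native_fields(payload: bytes) -> dict[str, str]:
    """Return native_os / native_lanman / primary_domain from the data block."""
    (byte_count,) = struct.unpack_from("<H", payload, 0)
    blob = payload[2:2 + byte_count]
    if len(blob) % 2:      # assumption: odd length means one alignment pad byte first
        blob = blob[1:]
    values = utf16le_cstrings(blob)
    keys = ("native_os", "native_lanman", "primary_domain")
    values += [""] * (len(keys) - len(values))
    return dict(zip(keys, values))


def samba_version(native_lanman: str) -> str | None:
    """'Samba 4.13.17-Ubuntu' -> '4.13.17-Ubuntu'; None for non-Samba servers."""
    m = re.match(r"Samba\s+(\S+)", native_lanman)
    return m.group(1) if m else None


def as_smbver_sees_it(payload: bytes) -> str | None:
    """Approximate the tcpdump -A | tr -d '.' | grep -oP pipeline of smbver.sh:
    non-printable bytes become '.', all dots are removed, then the regex runs."""
    ascii_dump = "".join(chr(b) if 32 <= b < 127 else "." for b in payload)
    m = re.search(r"UnixSamba.*[0-9a-z]", ascii_dump.replace(".", ""))
    return m.group(0) if m else None


if __name__ == "__main__":
    fields = parse_native_fields(SAMPLE_PAYLOAD)
    print(fields)
    print("version:", samba_version(fields["native_lanman"]))
    print("smbver.sh would print:", as_smbver_sees_it(SAMPLE_PAYLOAD))
```

Decoding the fields from a pcap (for example with scapy or a raw socket read) instead of scraping tcpdump text gives the exact version string; on the defensive side, the same fields are what `server string` and SMB1 being enabled hand to any anonymous client.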

Other elements to check for
