SMB (Server Message Block) is a network file and resource sharing protocol initially released in 1984 by IBM for the Disk Operating System (DOS) and later adapted by Microsoft for Windows systems. It has since evolved to also support communication with Unix-based hosts through Samba.

SMB provides a set of network services such as file, print, and device sharing. Earlier versions of Windows SMB ran on top of the NetBIOS protocol. In later Windows versions, Microsoft changed SMB to operate directly on top of TCP/IP using the Common Internet File System (CIFS) dialect. Development continued with SMB2, which reduced protocol chattiness and improved performance and opportunistic locking, and with SMB3, which strengthened security and enabled end-to-end encryption. SMB over NetBIOS relies on ports 137, 138 and 139, while SMB over TCP/IP uses port 445.
Let's now observe the traffic on the wire to see the SMB communication flow.
```shell
# on terminal one: unbuffered capture of SMB traffic on both the NetBIOS and direct TCP ports
sudo tcpdump -Uni "$INTERFACE" tcp port 139 or 445

# on terminal two: log in, list the share contents and exit
# (double quotes so that $USERNAME and $PASSWORD are expanded; single quotes would pass them literally)
smbclient -L "//$IP/" -U "$USERNAME%$PASSWORD"
```
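To make sense of what the tcpdump capture on port 445 actually contains, here is an added example dissector (not code from the original post). It assumes the SMB2 header and NEGOTIATE request layouts documented in MS-SMB2; the frames it parses are constructed in the block itself rather than taken from a real capture. It shows the 4-byte NetBIOS session header that still wraps every direct-hosted SMB message, how SMB1 (`\xffSMB`) is told apart from SMB2/3 (`\xfeSMB`), and which negotiate fields (offered dialects, signing-required bit) a defender would review:

```python
"""Dissect SMB messages as seen on TCP/445 and flag weak negotiation.

Added example, not code from the original post. Field offsets follow the SMB2
header and NEGOTIATE request layouts in MS-SMB2; the frames below are
constructed by hand rather than taken from a real capture.
"""
import struct

SMB1_MAGIC = b"\xffSMB"   # legacy SMB1 / CIFS
SMB2_MAGIC = b"\xfeSMB"   # SMB2 and SMB3 share this header

SMB2_COMMANDS = {
    0x00: "NEGOTIATE", 0x01: "SESSION_SETUP", 0x02: "LOGOFF",
    0x03: "TREE_CONNECT", 0x04: "TREE_DISCONNECT", 0x05: "CREATE",
    0x06: "CLOSE", 0x07: "FLUSH", 0x08: "READ", 0x09: "WRITE", 0x0A: "LOCK",
    0x0B: "IOCTL", 0x0C: "CANCEL", 0x0D: "ECHO", 0x0E: "QUERY_DIRECTORY",
    0x0F: "CHANGE_NOTIFY", 0x10: "QUERY_INFO", 0x11: "SET_INFO",
    0x12: "OPLOCK_BREAK",
}
SMB2_DIALECTS = {
    0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
    0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1",
}
SMB2_HEADER = "<HHIHHIIQIIQ16s"      # 60 little-endian bytes after the 4-byte ProtocolId
FLAG_SERVER_TO_REDIR = 0x00000001    # header flag: message is a response
FLAG_SIGNED = 0x00000008             # header flag: message carries a signature
NEG_SIGNING_REQUIRED = 0x0002        # NEGOTIATE SecurityMode bit


def wrap_nbss(msg: bytes) -> bytes:
    """Direct-hosted SMB on port 445 still uses the 4-byte NetBIOS Session
    Service header: type 0x00 followed by a 24-bit big-endian length."""
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def unwrap_nbss(data: bytes) -> bytes:
    if len(data) < 4 or data[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(data[1:4], "big")
    msg = data[4:4 + length]
    if len(msg) != length:
        raise ValueError("truncated SMB message")
    return msg


def parse_smb(data: bytes) -> dict:
    """Return the fields a defender cares about from one SMB message."""
    msg = unwrap_nbss(data)
    if msg[:4] == SMB1_MAGIC:
        # SMB1 header is 32 bytes; the 1-byte command sits right after the magic.
        return {"version": "SMB1", "command": "0x%02x" % msg[4]}
    if msg[:4] != SMB2_MAGIC:
        raise ValueError("unknown protocol id %r" % msg[:4])
    (struct_size, _charge, status, command, _credits, flags, _next, message_id,
     _reserved, tree_id, session_id, _sig) = struct.unpack_from(SMB2_HEADER, msg, 4)
    if struct_size != 64:
        raise ValueError("bad SMB2 header size %d" % struct_size)
    info = {
        "version": "SMB2",
        "command": SMB2_COMMANDS.get(command, "0x%04x" % command),
        "is_response": bool(flags & FLAG_SERVER_TO_REDIR),
        "signed": bool(flags & FLAG_SIGNED),
        "status": status, "message_id": message_id,
        "tree_id": tree_id, "session_id": session_id,
    }
    body = msg[64:]
    if command == 0x00 and not info["is_response"]:
        # NEGOTIATE request body: StructureSize, DialectCount, SecurityMode, Reserved,
        # Capabilities(4), ClientGuid(16), 8 bytes of context/start-time fields,
        # then the dialect array at body offset 36.
        _, dialect_count, security_mode = struct.unpack_from("<HHH", body, 0)
        dialects = struct.unpack_from("<%dH" % dialect_count, body, 36)
        info["client_guid"] = body[12:28].hex()
        info["dialects"] = [SMB2_DIALECTS.get(d, "0x%04x" % d) for d in dialects]
        info["signing_required"] = bool(security_mode & NEG_SIGNING_REQUIRED)
    return info


def review(info: dict) -> list:
    """Turn parsed fields into the findings worth raising from a capture."""
    findings = []
    if info["version"] == "SMB1":
        findings.append("SMB1 on the wire: legacy dialect without SMB3 encryption")
    if info.get("command") == "NEGOTIATE" and not info.get("is_response"):
        if not info.get("signing_required"):
            findings.append("client does not require signing")
        if not any(d.startswith("SMB 3") for d in info.get("dialects", [])):
            findings.append("client offers no SMB3 dialect")
    return findings


def build_negotiate_request(dialects, signing_required=True) -> bytes:
    """Constructed SMB2 NEGOTIATE request (the first message a client sends)."""
    header = SMB2_MAGIC + struct.pack(
        SMB2_HEADER, 64, 0, 0, 0x0000, 1, 0, 0, 0, 0, 0, 0, b"\x00" * 16)
    security_mode = 0x0001 | (NEG_SIGNING_REQUIRED if signing_required else 0)
    body = struct.pack("<HHHHI", 36, len(dialects), security_mode, 0, 0)
    body += b"\x11" * 16          # ClientGuid (constructed value)
    body += b"\x00" * 8           # NegotiateContextOffset/Count + Reserved2
    body += struct.pack("<%dH" % len(dialects), *dialects)
    return wrap_nbss(header + body)


# Constructed SMB1 NEGOTIATE (command 0x72) with an otherwise zeroed 32-byte header.
SMB1_NEGOTIATE_FRAME = wrap_nbss(SMB1_MAGIC + b"\x72" + b"\x00" * 27)

if __name__ == "__main__":
    for frame in (build_negotiate_request([0x0210, 0x0300, 0x0311]),
                  build_negotiate_request([0x0202], signing_required=False),
                  SMB1_NEGOTIATE_FRAME):
        parsed = parse_smb(frame)
        print(parsed, review(parsed))
```

Feeding the payload of the first packet from the tcpdump capture (TCP payload only, starting at the 0x00 session-message byte) into `parse_smb` tells you which dialects the client offered and whether it insisted on signing; an SMB1 magic in the same position is a finding on its own.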
Common Server Application

| Platform | Server application |
| --- | --- |
| Unix systems | Samba |
| Windows systems | Microsoft LanmanServer |
Common Commands

| COMMAND | USAGE | DESCRIPTION |
| --- | --- | --- |
| cd | cd | change directory |
| del/rm | del/rm $FILENAME* | delete or remove the files matched by the glob |
| dir/ls | dir/ls $FOLDERNAME | list contents of the current or specified directory |
| get | get $FILENAME | download the specified file to the local directory |
| help | help | list supported commands |
| mget | mget * | multi-get all files in the current directory |
| mkdir/md | mkdir/md $FOLDERNAME | make the specified directory |
| mput | mput $FILENAME* | multi-put all matching files from the current local directory to the remote share |
- Ensure Authentication, Admission and Authorization are enabled.
- Enable a firewall or endpoint protection.
- Implement VLANs to isolate internal network traffic.
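The first of those points is where Samba deployments most often go wrong: a share that works "for everyone" is usually one where guest mapping, SMB1 or unsigned sessions have been switched on. As an added example (not part of the original post, and not a complete hardening baseline), the following audits an smb.conf for a handful of well-known parameters that control authentication and authorization on shares; both configurations are constructed here, one in the weak form and one in the corrected form:

```python
"""Audit a Samba smb.conf for settings that leave shares open to guest,
unsigned or SMB1 access.

Added example, not part of the original post. The two configurations are
constructed for the demo and the checks cover a few well-known smb.conf
parameters chosen for illustration, not a complete hardening baseline.
"""
import re

SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}
TRUE_VALUES = {"yes", "true", "1"}

# Constructed sample: a "just make it work" configuration.
WEAK_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server min protocol = NT1
   map to guest = Bad User
   server signing = disabled
   smb encrypt = off

[public]
   path = /srv/samba/public
   guest ok = yes
   writable = yes

[finance]
   path = /srv/samba/finance
   valid users = @finance
   read only = yes
"""

# Constructed sample: the same server with the weak settings corrected.
HARDENED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server min protocol = SMB3
   map to guest = Never
   server signing = mandatory
   smb encrypt = required

[finance]
   path = /srv/samba/finance
   valid users = @finance
   read only = yes
"""


def parse_smb_conf(text: str) -> dict:
    """Minimal smb.conf reader: [sections], 'name = value' lines, '#'/';' comments.
    Samba ignores case and whitespace inside parameter names, so keys are
    normalised the same way ('Server Min Protocol' -> 'serverminprotocol')."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf


def is_true(value: str) -> bool:
    return value.strip().lower() in TRUE_VALUES


def share_is_writable(share: dict) -> bool:
    # 'writable'/'writeable' is the inverse synonym of 'read only'; a share
    # with neither set is read only by Samba's default.
    for key in ("writable", "writeable"):
        if key in share:
            return is_true(share[key])
    if "readonly" in share:
        return not is_true(share["readonly"])
    return False


def audit_smb_conf(text: str) -> list:
    """Return (section, finding) pairs for settings that weaken share access control."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    if g.get("serverminprotocol", "").lower() in SMB1_DIALECTS:
        findings.append(("global", "server min protocol allows SMB1"))
    if g.get("maptoguest", "Never").lower() != "never":
        findings.append(("global", "map to guest turns failed logins into guest sessions"))
    if g.get("serversigning", "").lower() == "disabled":
        findings.append(("global", "server signing disabled"))
    if g.get("smbencrypt", "").lower() == "off":
        findings.append(("global", "smb encrypt off"))
    for name, share in conf.items():
        if name in ("global", "printers", "print$"):
            continue
        # 'public' is Samba's synonym for 'guest ok'
        guest = is_true(share.get("guestok", "no")) or is_true(share.get("public", "no"))
        if guest and share_is_writable(share):
            findings.append((name, "guest-writable share"))
        elif guest:
            findings.append((name, "guest-readable share"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit_smb_conf(conf))
```

Run against a real `/etc/samba/smb.conf` the checker only reports what is explicitly set; parameters left at their defaults are not flagged, so pair it with `testparm -v` if you need the effective values.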
Exploitation

SMB servers are also sinks of valuable information, and an attacker who gains a shell on an improperly configured server can traverse the network from it. When an attacker encounters an SMB service, the typical questions include:

- What valuable information can be collected from the share.
- Whether the share is writable, with the intent of stealing an NTLM hash or gaining a shell.
- Which high-value users' credentials can be harvested.