SMB (Server Message Block) #
At a Glance #
Default Ports
- SMB over NBT (NetBIOS over TCP/IP): 139
- SMB over TCP/IP: 445
SMB is a network communication protocol for providing shared access to files, printers, and serial ports between nodes on a network. It also provides an authenticated IPC (inter-process communication) mechanism.1
Windows SMB Ports and Protocols #
Originally, in Windows NT, SMB ran on top of NBT (NetBIOS over TCP/IP), which uses ports UDP 137 and 138, and TCP 139. With Windows 2000, was introduced what Microsoft calls “direct hosting”, the option to run “NetBIOS-less” SMB, directly over TCP/445.
Older versions of Windows (with NBT enabled) will try to connect to both port 139 and 445 simultaneously, while in newer versions, port 139 is a fall-back port, as clients will try to connect to port 445 by default.2
SMB Host Discovery #
Refer to host discovert with nbtscan.
Server Version #
Metasploit SMB Auxiliary Module 3 #
msf> use auxiliary/scanner/smb/smb_version
msf> set rhost 10.0.0.3
msf> run
Common Login Credentials #
Backup and Management software requires dedicated user accounts on the server or local machine to function, and are often set with a weak password. 4
| Usernmae | Password |
|---|---|
| (blank) | (blank) |
Administrator admin guest | (blank) admin password |
arcserve | arcserve backup |
tivoli | tivoli |
backupexec | backupexec backup |
test | test |
Enumeration #
Note:
If Protocol negotiation failed: NT_STATUS_IO_TIMEOUT is returned,
refer to SMB Protocol Negotiation Failed
enum4linux 5 #
enum4linux -a 10.0.0.3
With credentials:
enum4linux -a -u "<username>" -p "<passwd>" 10.0.0.3
Parameters
-a: Do all simple enumeration (-U -S -G -P -r -o -n -i).-u <user>: specify username to use.-p <pass>: specify password to use.
NSE Scripts #
nmap --script "safe or smb-enum-*" -p 139,445 10.0.0.3
Note:
NSE SMB enumeration scripts:
smb-enum-domainssmb-enum-groupssmb-enum-processessmb-enum-servicessmb-enum-sessionssmb-enum-sharessmb-enum-users
smbclient 6 #
List available shares.
smbclient -N -L //10.0.0.3
Connect to a share.
smbclient -N //10.0.0.3/Share
Parameters
-N: remove the password prompt from the client to the user.-L: list services available on the server.
RPC Enumeration #
Note:
rpcclient, impacket, and more, under RPC Enumeration.
Null Session #
Windows Administrative Shares #
Administrative shares are hidden shares that provide administrators the ability to remotely manage hosts. They are automatically created and enabled by default.
Note:
It is worth clarifying these shares are not hidden but removed from views just by appending a dollar sign ($) to the share name. Ultimately, the share will be part of the result if listing from a Unix-based system or by using: net share and net view /all.
Various shares are exposed to clients via SMB, as follows:
C$: C Drive on the remote machine.Admin$: Windows installation directory.IPC$: The inter-process communication or IPC share.SYSVOLandNETLOGON: domain controller shares.PRINT$andFAX$: printer and fax shares.
IPC$ Share #
IPC$ is a special share
used to facilitate inter-process communication (IPC).
It does not allow access to files or directories,
but it allows to communicate
with processes running on the remote system.
Specifically, IPC$, exposes named pipes,
which can be written or read
to communicate with remote processes.
These named pipes
are opened by the application
and registered with SMB
so that it can be exposed by the IPC$ share.
They are usually used to perform specific functions on the remote system, also known as RPC or remote procedure calls.
Some versions of Windows
allow you to authenticate
and mount the IPC$ share
without providing a username and password.
Such a connection is often called a NULL session,
which,
despite its limited privileges,
could be used to make multiple RPC calls
and obtain useful information
about the remote system.7
Note: RPC endpoints exposed via IPC$ include the Server service, Task Scheduler, Local Security Authority (LSA), and Service Control Manager (SCM). Upon authenticating, you can use these to enumerate user and system details, access the registry, and execute commands
In Linux enum4linux utility can be used to dump data from these service
Refer to MSRPC for more about RPC.
Mount Shares 8 #
mount -t cifs -o username=user,password=password //10.0.0.3/Share /mnt/share
Download Files #
Create a tar file of the files beneath users/docs. 6
smbclient //10.0.0.3/Share "" -N -Tc backup.tar users/docs
Parameters
-N: remove the password prompt from the client to the user.-T: TAR options.c: Create a tar backup archive on the local system.
Brute Forcing #
Refer to SMB Brute Forcing
SMB Exploits Search #
Refer to Exploits Search
Contributors to Wikimedia projects. “Server Message Block - Wikipedia.” Wikipedia, the Free Encyclopedia, Wikimedia Foundation, Inc., 26 Oct. 2003, https://en.wikipedia.org/wiki/Server_Message_Block. ↩︎
“The Use of TCP Ports 139 and 445 in Windows.” Vidstrom Labs, https://vidstromlabs.com/blog/the-use-of-tcp-ports-139-and-445-in-windows/. ↩︎
“Scanner SMB Auxiliary Modules - Metasploit Unleashed.” Infosec Training and Penetration Testing | Offensive Security, https://www.offensive-security.com/metasploit-unleashed/scanner-smb-auxiliary-modules/. ↩︎
McNab, Chris. Network Security Assessment. “O’Reilly Media, Inc.,” 2007, p. 281. ↩︎
“Enum4linux.” Enum4linux | Portcullis Labs, Portcullis Computer Security Ltd & Portcullis Inc., 16 Sept. 2008, https://labs.portcullis.co.uk/tools/enum4linux/. ↩︎
“Smbclient.” Samba - Opening Windows to a Wider World, https://www.samba.org/samba/docs/current/man-html/smbclient.1.html. ↩︎
“A New Look at Null Sessions and User Enumeration.” SensePost, https://sensepost.com/blog/2018/a-new-look-at-null-sessions-and-user-enumeration/. ↩︎
“Mounting Samba Shares from a Unix Client.” SambaWiki, https://wiki.samba.org/index.php/Mounting_samba_shares_from_a_unix_client. ↩︎