SMB
Server Message Block (SMB) is a client-server protocol that regulates access to files and entire directories and other network resources such as printers, routers, or interfaces released for the network. Information exchange between different system processes can also be handled based on the SMB protocol.
The SMB protocol enables the client to communicate with other participants in the same network to access files or services shared with it on the network. The other system must also have implemented the network protocol and received and processed the client request using an SMB server application. Before that, however, both parties must establish a connection, which is why they first exchange corresponding messages.
Samba
As mentioned earlier, there is an alternative variant to the SMB server, called Samba, developed for Unix-based operating system. Samba implements the Common Internet File System (CIFS) network protocol. CIFS is a "dialect" of SMB. In other words, CIFS is a very specific implementation of the SMB protocol, which in turn was created by Microsoft. This allows Samba to communicate with newer Windows systems. Therefore, it usually is referred to as SMB / CIFS. However, CIFS is the extension of the SMB protocol. So when we pass SMB commands over Samba to an older NetBIOS service, it usually connects to the Samba server over TCP ports 137, 138, 139, but CIFS uses TCP port 445 only. There are several versions of SMB, including outdated versions that are still used in specific infrastructures.
SMB Version
Supported
Features
CIFS
Windows NT 4.0
Communication via NetBIOS interface
SMB 1.0
Windows 2000
Direct connection via TCP
SMB 2.0
Windows Vista, Windows Server 2008
Performance upgrades, improved message signing, caching feature
SMB 2.1
Windows 7, Windows Server 2008 R2
Locking mechanisms
SMB 3.0
Windows 8, Windows Server 2012
Multichannel connections, end-to-end encryption, remote storage access
SMB 3.0.2
Windows 8.1, Windows Server 2012 R2
SMB 3.1.1
Windows 10, Windows Server 2016
Integrity checking, AES-128 encryption
With version 3, the Samba server gained the ability to be a full member of an Active Directory domain. With version 4, Samba even provides an Active Directory domain controller. It contains several so-called daemons for this purpose - which are Unix background programs. The SMB server daemon (smbd) belonging to Samba provides the first two functionalities, while the NetBIOS message block daemon (nmbd) implements the last two functionalities. The SMB service controls these two background programs.
Basic Commands and Enumeration
Here's a basic rundown of some common SMB/CIFS commands and tools you can use for documentation and enumeration:
SMB/CIFS Enumeration Tools:
net view: Lists shares on a remote server.
net file: Lists files and directories on a shared folder.
net user: Lists users on a remote server.
net group: Lists groups on a remote server.
net localgroup: Lists local groups on a remote server.
net share: Lists shares on a remote server.
nbtstat: Displays NetBIOS information about a remote server.
wmiprv (Windows Management Instrumentation Provider): Queries WMI data from a remote server.
SMB/CIFS File Access Tools:
copy: Copies files between local and remote systems.
move: Moves files between local and remote systems.
del: Deletes files on a remote server.
mkdir: Creates directories on a remote server.
rmdir: Deletes directories on a remote server.
attrib: Displays and modifies file attributes.
Additional Resources:
Microsoft SMB Documentation: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-smb/f210069c-7086-4dc2-885e-861d837df688
Samba Wiki: https://wiki.samba.org/index.php/Main_Page
Wireshark Protocol Reference: https://wiki.wireshark.org/SMB2
Dangerous Settings
Some of the above settings already bring some sensitive options. However, suppose we question the settings listed below and ask ourselves what the employees could gain from them, as well as attackers. In that case, we will see what advantages and disadvantages the settings bring with them. Let us take the setting browseable = yes as an example. If we as administrators adopt this setting, the company's employees will have the comfort of being able to look at the individual folders with the contents. Many folders are eventually used for better organization and structure. If the employee can browse through the shares, the attacker will also be able to do so after successful access.
Setting
Description
browseable = yes
Allow listing available shares in the current share?
read only = no
Forbid the creation and modification of files?
writable = yes
Allow users to create and modify files?
guest ok = yes
Allow connecting to the service without using a password?
enable privileges = yes
Honor privileges assigned to specific SID?
create mask = 0777
What permissions must be assigned to the newly created files?
directory mask = 0777
What permissions must be assigned to the newly created directories?
logon script = script.sh
What script needs to be executed on the user's login?
magic script = script.sh
Which script should be executed when the script gets closed?
magic output = script.out
Where the output of the magic script needs to be stored?
SMBclient - Connecting to the Share
$ smbclient -N -L //<IP or HOSTNAME>If we are not familiar with the client program, we can use the help command on successful login, listing all the possible commands we can execute.
SMBclient - Connecting to the Share
$ smbclient //<IP or HOSTNAME>/notes
Enter WORKGROUP\<username>'s password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> help
? allinfo altname archive backup
blocksize cancel case_sensitive cd chmod
chown close del deltree dir
du echo exit get getfacl
geteas hardlink help history iosize
lcd link lock lowercase ls
l mask md mget mkdir
more mput newer notify open
posix posix_encrypt posix_open posix_mkdir posix_rmdir
posix_unlink posix_whoami print prompt put
pwd q queue quit readlink
rd recurse reget rename reput
rm rmdir showacls setea setmode
scopy stat symlink tar tarmode
timeout translate unlock volume vuid
wdel logon listconnect showconnect tcon
tdis tid utimes logoff ..
!
smb: \> ls
. D 0 Wed Sep 22 18:17:51 2021
.. D 0 Wed Sep 22 12:03:59 2021
prep-prod.txt N 71 Sun Sep 19 15:45:21 2021
30313412 blocks of size 1024. 16480084 blocks availableOnce we have discovered interesting files or folders, we can download them using the get command. Smbclient also allows us to execute local system commands using an exclamation mark at the beginning (!<cmd>) without interrupting the connection.
Download Files from SMB
smb: \> get prep-prod.txt Footprinting the Service
Nmap
$ sudo nmap <IP or HOSTNAME> -sV -sC -p139,445
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-19 15:15 CEST
Nmap scan report for sharing.inlanefreight.htb (10.129.14.128)
Host is up (0.00024s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
MAC Address: 00:00:00:00:00:00 (VMware)
Host script results:
|_nbstat: NetBIOS name: HTB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-09-19T13:16:04
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.35 secondsWe can see from the results that it is not very much that Nmap provided us with here. Therefore, we should resort to other tools that allow us to interact manually with the SMB and send specific requests for the information. One of the handy tools for this is rpcclient. This is a tool to perform MS-RPC functions.
The Remote Procedure Call (RPC) is a concept and, therefore, also a central tool to realize operational and work-sharing structures in networks and client-server architectures. The communication process via RPC includes passing parameters and the return of a function value.
RPCclient
$ rpcclient -U "" <IP or HOSTNAME>
Enter WORKGROUP\'s password:
rpcclient $> The rpcclient offers us many different requests with which we can execute specific functions on the SMB server to get information. A complete list of all these functions can be found on the man page of the rpcclient.
Query
Description
srvinfo
Server information.
enumdomains
Enumerate all domains that are deployed in the network.
querydominfo
Provides domain, server, and user information of deployed domains.
netshareenumall
Enumerates all available shares.
netsharegetinfo <share>
Provides information about a specific share.
enumdomusers
Enumerates all domain users.
queryuser <RID>
Provides information about a specific user.
RPCclient - Enumeration
rpcclient $> srvinfo
DEVSMB Wk Sv PrQ Unx NT SNT DEVSM
platform_id : 500
os version : 6.1
server type : 0x809a03
rpcclient $> enumdomains
name:[DEVSMB] idx:[0x0]
name:[Builtin] idx:[0x1]
rpcclient $> querydominfo
Domain: DEVOPS
Server: DEVSMB
Comment: DEVSM
Total Users: 2
Total Groups: 0
Total Aliases: 0
Sequence No: 1632361158
Force Logoff: -1
Domain Server State: 0x1
Server Role: ROLE_DOMAIN_PDC
Unknown 3: 0x1
rpcclient $> netshareenumall
netname: print$
remark: Printer Drivers
path: C:\var\lib\samba\printers
password:
netname: home
remark: INFREIGHT Samba
path: C:\home\
password:
netname: dev
remark: DEVenv
path: C:\home\sambauser\dev\
password:
netname: notes
remark: CheckIT
path: C:\mnt\notes\
password:
netname: IPC$
remark: IPC Service (DEVSM)
path: C:\tmp
password:
rpcclient $> netsharegetinfo notes
netname: notes
remark: CheckIT
path: C:\mnt\notes\
password:
type: 0x0
perms: 0
max_uses: -1
num_uses: 1
revision: 1
type: 0x8004: SEC_DESC_DACL_PRESENT SEC_DESC_SELF_RELATIVE
DACL
ACL Num ACEs: 1 revision: 2
---
ACE
type: ACCESS ALLOWED (0) flags: 0x00
Specific bits: 0x1ff
Permissions: 0x101f01ff: Generic all access SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS DELETE_ACCESS
SID: S-1-1-0These examples show us what information can be leaked to anonymous users. Once an anonymous user has access to a network service, it only takes one mistake to give them too many permissions or too much visibility to put the entire network at significant risk.
Rpcclient - User Enumeration
rpcclient $> enumdomusers
user:[mrb3n] rid:[0x3e8]
user:[cry0l1t3] rid:[0x3e9]
rpcclient $> queryuser 0x3e9
User Name : cry0l1t3
Full Name : cry0l1t3
Home Drive : \\devsmb\cry0l1t3
...
...Rpcclient - Group Information
rpcclient $> querygroup 0x201
Group Name: None
Description: Ordinary Users
Group Attribute:7
Num Members:2Brute Forcing User RIDs
$ for i in $(seq 500 1100);do rpcclient -N -U "" <IP or HOSTNAME> -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
An alternative to this would be a Python script from Impacket called samrdump.py.
Impacket - Samrdump.py
$ samrdump.py <IP or HOSTNAME>
Impacket v0.9.22 - Copyright 2020 SecureAuth CorporationThe information we have already obtained with rpcclient can also be obtained using other tools. For example, the SMBMap and CrackMapExec tools are also widely used and helpful for the enumeration of SMB services.
SMBmap
$ smbmap -H <IP or HOSTNAME>
[+] Finding open SMB ports....
[+] User SMB session established on 10.129.14.128...
[+] IP: 10.129.14.128:445 Name: 10.129.14.128
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
home NO ACCESS INFREIGHT Samba
dev NO ACCESS DEVenv
notes NO ACCESS CheckIT
IPC$ NO ACCESS IPC Service (DEVSM)CrackMapExec
$ crackmapexec smb <IP or HOSTNAME> --shares -u '' -p ''
SMB 10.129.14.128 445 DEVSMB [*] Windows 6.1 Build 0 (name:DEVSMB) (domain:) (signing:False) (SMBv1:False)
SMB 10.129.14.128 445 DEVSMB [+] \:
SMB 10.129.14.128 445 DEVSMB [+] Enumerated shares
SMB 10.129.14.128 445 DEVSMB Share Permissions Remark
SMB 10.129.14.128 445 DEVSMB ----- ----------- ------
SMB 10.129.14.128 445 DEVSMB print$ Printer Drivers
SMB 10.129.14.128 445 DEVSMB home INFREIGHT Samba
SMB 10.129.14.128 445 DEVSMB dev DEVenv
SMB 10.129.14.128 445 DEVSMB notes READ,WRITE CheckIT
SMB 10.129.14.128 445 DEVSMB IPC$ IPC Service (DEVSM)Another tool worth mentioning is the so-called enum4linux-ng, which is based on an older tool, enum4linux. This tool automates many of the queries, but not all, and can return a large amount of information.
Enum4Linux-ng - Installation
$ git clone https://github.com/cddmp/enum4linux-ng.git
$ cd enum4linux-ng
$ pip3 install -r requirements.txtEnum4Linux-ng - Enumeration
$ ./enum4linux-ng.py 10.129.14.128 -A
ENUM4LINUX - next generationLast updated