SMB
Server Message Block (SMB) is a client-server protocol that regulates access to files and entire directories and other network resources such as printers, routers, or interfaces released for the network. Information exchange between different system processes can also be handled based on the SMB protocol.
The SMB protocol enables the client to communicate with other participants in the same network to access files or services shared with it on the network. The other system must also have implemented the network protocol and received and processed the client request using an SMB server application. Before that, however, both parties must establish a connection, which is why they first exchange corresponding messages.
Samba
As mentioned earlier, there is an alternative variant to the SMB server, called Samba, developed for Unix-based operating system. Samba implements the Common Internet File System (CIFS) network protocol. CIFS is a "dialect" of SMB. In other words, CIFS is a very specific implementation of the SMB protocol, which in turn was created by Microsoft. This allows Samba to communicate with newer Windows systems. Therefore, it usually is referred to as SMB / CIFS. However, CIFS is the extension of the SMB protocol. So when we pass SMB commands over Samba to an older NetBIOS service, it usually connects to the Samba server over TCP ports 137, 138, 139, but CIFS uses TCP port 445 only. There are several versions of SMB, including outdated versions that are still used in specific infrastructures.
SMB Version
Supported
Features
CIFS
Windows NT 4.0
Communication via NetBIOS interface
SMB 1.0
Windows 2000
Direct connection via TCP
SMB 2.0
Windows Vista, Windows Server 2008
Performance upgrades, improved message signing, caching feature
SMB 2.1
Windows 7, Windows Server 2008 R2
Locking mechanisms
SMB 3.0
Windows 8, Windows Server 2012
Multichannel connections, end-to-end encryption, remote storage access
SMB 3.0.2
Windows 8.1, Windows Server 2012 R2
SMB 3.1.1
Windows 10, Windows Server 2016
Integrity checking, AES-128 encryption
With version 3, the Samba server gained the ability to be a full member of an Active Directory domain. With version 4, Samba even provides an Active Directory domain controller. It contains several so-called daemons for this purpose - which are Unix background programs. The SMB server daemon (smbd) belonging to Samba provides the first two functionalities, while the NetBIOS message block daemon (nmbd) implements the last two functionalities. The SMB service controls these two background programs.
Basic Commands and Enumeration
Here's a basic rundown of some common SMB/CIFS commands and tools you can use for documentation and enumeration:
SMB/CIFS Enumeration Tools:
net view: Lists shares on a remote server.
net file: Lists files and directories on a shared folder.
net user: Lists users on a remote server.
net group: Lists groups on a remote server.
net localgroup: Lists local groups on a remote server.
net share: Lists shares on a remote server.
nbtstat: Displays NetBIOS information about a remote server.
wmiprv (Windows Management Instrumentation Provider): Queries WMI data from a remote server.
SMB/CIFS File Access Tools:
copy: Copies files between local and remote systems.
move: Moves files between local and remote systems.
del: Deletes files on a remote server.
mkdir: Creates directories on a remote server.
rmdir: Deletes directories on a remote server.
attrib: Displays and modifies file attributes.
Additional Resources:
Microsoft SMB Documentation: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-smb/f210069c-7086-4dc2-885e-861d837df688
Samba Wiki: https://wiki.samba.org/index.php/Main_Page
Wireshark Protocol Reference: https://wiki.wireshark.org/SMB2
Dangerous Settings
Some of the above settings already bring some sensitive options. However, suppose we question the settings listed below and ask ourselves what the employees could gain from them, as well as attackers. In that case, we will see what advantages and disadvantages the settings bring with them. Let us take the setting browseable = yes as an example. If we as administrators adopt this setting, the company's employees will have the comfort of being able to look at the individual folders with the contents. Many folders are eventually used for better organization and structure. If the employee can browse through the shares, the attacker will also be able to do so after successful access.
Setting
Description
browseable = yes
Allow listing available shares in the current share?
read only = no
Forbid the creation and modification of files?
writable = yes
Allow users to create and modify files?
guest ok = yes
Allow connecting to the service without using a password?
enable privileges = yes
Honor privileges assigned to specific SID?
create mask = 0777
What permissions must be assigned to the newly created files?
directory mask = 0777
What permissions must be assigned to the newly created directories?
logon script = script.sh
What script needs to be executed on the user's login?
magic script = script.sh
Which script should be executed when the script gets closed?
magic output = script.out
Where the output of the magic script needs to be stored?
SMBclient - Connecting to the Share
If we are not familiar with the client program, we can use the help command on successful login, listing all the possible commands we can execute.
SMBclient - Connecting to the Share
Once we have discovered interesting files or folders, we can download them using the get command. Smbclient also allows us to execute local system commands using an exclamation mark at the beginning (!<cmd>) without interrupting the connection.
Download Files from SMB
Footprinting the Service
Nmap
We can see from the results that it is not very much that Nmap provided us with here. Therefore, we should resort to other tools that allow us to interact manually with the SMB and send specific requests for the information. One of the handy tools for this is rpcclient. This is a tool to perform MS-RPC functions.
The Remote Procedure Call (RPC) is a concept and, therefore, also a central tool to realize operational and work-sharing structures in networks and client-server architectures. The communication process via RPC includes passing parameters and the return of a function value.
RPCclient
The rpcclient offers us many different requests with which we can execute specific functions on the SMB server to get information. A complete list of all these functions can be found on the man page of the rpcclient.
Query
Description
srvinfo
Server information.
enumdomains
Enumerate all domains that are deployed in the network.
querydominfo
Provides domain, server, and user information of deployed domains.
netshareenumall
Enumerates all available shares.
netsharegetinfo <share>
Provides information about a specific share.
enumdomusers
Enumerates all domain users.
queryuser <RID>
Provides information about a specific user.
RPCclient - Enumeration
These examples show us what information can be leaked to anonymous users. Once an anonymous user has access to a network service, it only takes one mistake to give them too many permissions or too much visibility to put the entire network at significant risk.
Rpcclient - User Enumeration
Rpcclient - Group Information
Brute Forcing User RIDs
An alternative to this would be a Python script from Impacket called samrdump.py.
Impacket - Samrdump.py
The information we have already obtained with rpcclient can also be obtained using other tools. For example, the SMBMap and CrackMapExec tools are also widely used and helpful for the enumeration of SMB services.
SMBmap
CrackMapExec
Another tool worth mentioning is the so-called enum4linux-ng, which is based on an older tool, enum4linux. This tool automates many of the queries, but not all, and can return a large amount of information.
Enum4Linux-ng - Installation
Enum4Linux-ng - Enumeration
Last updated