search
DiscordHackTheBoxTryHackMeGitHub

SMB

hashtag
About

Server Message Block (SMB) is a client-server protocol that regulates access to files and entire directories and other network resources such as printers, routers, or interfaces released for the network. The SMB protocol enables the client to communicate with other participants in the same network to access files or services shared with it on the network. By default is using ports 137, 138, 139, and 445

hashtag
TOOLS

There are a lot different tools for SMB interacton:

hashtag
CrackMapExec

Null-session login, or Pass-The-Hash Attack

crackmapexec smb 13.13.13.13 -u Administrator -d . -H 12379N1D2YV31U20931C031 -x whoami
OR
crackmapexec smb {DOMAIN} -u '' -p '' --shares
OR
crackmapexec smb {DOMAIN} -u 'blibbityblabbity' -p '' --shares

Check if there are users from list available

crackmapexec smb {DOMAIN} -u users.txt -p '' -d . --continue-on-success
# Or we could do user=password type of attack with using:
crackmapexec smb {DOMAIN} -u users.txt -d . --no-bruteforce --continue-on-success
Command
Explanation

--shares

Look for SMB shares

--continue-on-success

Continue after finding right creds

--no-bruteforce

just using worlist without any variations

--rid-brute

Bruteforce RID

--local-auth

Local auth, without domain creds

-M

Use module

--sam

Extract SAM hashes

--exec-method

Method used for executing commands

--loggedon-users

Enumerate logged in users

-M spider_plus

Spider module

-x 'type C:\root.txt'

Execute command

hashtag
Samba

Samba is an alternative variant to the SMB server, developed for Unix-based operating system. Samba implements the Common Internet File System (CIFS) network protocol. CIFS is a "dialect" of SMB. In other words, CIFS is a very specific implementation of the SMB protocol, which in turn was created by Microsoft. Therefore, it usually is referred to as SMB / CIFS. However, CIFS is the extension of the SMB protocol.

  • Samba server over TCP ports 137, 138, 139, but CIFS uses TCP port 445 only. In a network,using Samba, each host participates in the same workgroup. A workgroup is a group name that identifies an arbitrary collection of computers and their resources on an SMB network.

  • smbstatus command to see who, from which host, and which share the client is connected.

  • Config location:

hashtag
Smbclient

hashtag
Recursively download all files

hashtag
Connecting to the Share with smbclient

OR

-N is for null session, which is anonymous access without the input user/pass. And -L is to list all shares.

For basic interaction with share, you would need only these commands:

  • help to have list of available commands

  • ls list

  • get download

  • !command user prefix ! before command to execute it locally

hashtag
SMBMap

hashtag
Regular SMB enum

hashtag
Recursive SMB enum

hashtag
Download to SMB server:

hashtag
Upload to SMB server

hashtag
Impacket-smbclient

hashtag
Impacket-psexec

hashtag
RPCclient

Remote Procedure Call (RPC) is a concept and, therefore, also a central tool to realize operational and work-sharing structures in networks and client-server architectures. Other words, RPC is a mechanism for interaction between processes that are executed on different nodes in the network. The communication process via RPC includes passing parameters and the return of a function value. Also RPC have Remote Invocation Descriptor or RID,which is a unique identifier assigned to each remote procedure call. It is used to keep track of and manage the execution of remote procedures. Also there is a nice cheatsheet from SANS Institute [LINK]arrow-up-right

hashtag
Connect to SMB server

With connected RPC client we could use many different functions as:

Function
Description

srvinfo

Server information

enumdomains

Enumerate all domains that are deployed in the network

querydominfo

Provides domain, server, and user information of deployed domains

netshareenumall

Enumerates all available shares

netsharegetinfo <share>

Provides information about a specific share

enumdomusers

Enumerates all domain users

queryuser <RID>

Provides information about a specific user

querygroup <RID>

Provides information about a specific group

hashtag
WINDOWS NET

hashtag
Dangerous Settings

  • browseable = yes - Allow listing available shares in the current share?

  • read only = no - Forbid the creation and modification of files?

  • writable = yes - Allow users to create and modify files?

  • guest ok = yes - Allow connecting to the service without using a password?

  • enable privileges = yes - Honor privileges assigned to specific SID?

  • create mask = 0777 - What permissions must be assigned to the newly created files?

  • directory mask = 0777 - What permissions must be assigned to the newly created directories?

  • logon script = script.sh - What script needs to be executed on the user's login?

  • magic script = script.sh - Which script should be executed when the script gets closed?

  • magic output = script.out - Where the output of the magic script needs to be stored?

hashtag
Making a Share

As example we will be using Windows 10.

For a beginning we need to make a folder.

Then we are going to use the Advanced Sharing option to configure share.

Making the Folder a Share

Keep in mind that with shared resources, both the SMB and NTFS permissions lists apply to every resource that gets shared in Windows.

Share Permissions ACL

Here we could do more precise NTFS permissions control. If the mark is grey, then permissions are inherited from parent directory.

NTFS Permissions ACL (Security Tab)

hashtag
Mount a Share

hashtag
Tips2Hack

  1. To bruteforce RID using rpcclient to do active enum of users and groups you could use this command:

  1. Or for the same cause you could try yo use samrdump.pyarrow-up-right script

  2. You could use enum4linux-ngarrow-up-right or enum4linux

  1. Also you could monitor shares from Computer Management tool, or view Share access logs in Event Viewer

PreviousFTPNextNFS

Last updated