Welcome, today I am writing about SMB penetration testing fundamentals. First I will explain the protocol basics and then how to attack the service. Basic knowledge of the SMB protocol is necessary.
Samba Protocol
Samba is used to share network resources between different operating systems; it controls access to network shares and printer services and interoperates with older protocols.
SMB (implemented on Linux by Samba) was defined as a standard to share folders between Windows and Linux. Samba can act as a domain controller or join an Active Directory domain as a client, and so many features cannot be offered without vulnerabilities.
Since 1992 many versions have been released, each carrying its own set of vulnerabilities. Below I compile a table of the versions to help us search for CVEs.
Versions of Windows SMB
Version | Operating System
---|---
CIFS | Microsoft Windows NT 4.0
SMB 1.0 | Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2003 R2
SMB 2.0 | Windows Vista and Windows Server 2008
SMB 2.1 | Windows 7 and Windows Server 2008 R2
SMB 3.0 | Windows 8 and Windows Server 2012
SMB 3.02 | Windows 8.1 and Windows Server 2012 R2
SMB 3.1 | Windows Server 2016 and Windows 10
Last Version: 4.16 – March 21, 2022
I am coding the complete table.
Port Number | Layer 4 Protocol | Layer 5 Protocol | Description
---|---|---|---
137 | UDP | NETBIOS | Name Service
138 | UDP | NETBIOS | Datagram Service
139 | TCP | NETBIOS | Session Service
445 | TCP | SMB | SMB over TCP (direct hosting)
At this point we know what Samba is and what it can be used for. Next we need to enumerate remote shares, users/groups, disks, their respective privileges and, obviously, passwords 😀
Enumerate SMB Protocol
After we have detected an SMB service running on port 445 (or on another port) we can start enumerating remote shares and understanding the permissions (Read/Write/Execute) associated with each user/group on the system.
If we are lucky we find a remote share with RWX permissions and no authentication, containing documents or mapped to a web server document root with Apache running as root… This shit still happens nowadays.
Before starting the enumeration phase on SMB we need to know one thing first: what operating system is running on the remote machine?
SMB Penetration Testing
We scanned a remote machine and noticed that port 445 is open and running SMB. The remote operating system is a Linux machine running Ubuntu 18.04! At the moment we don't know anything about users, shares, passwords, permissions, or exploits.
Enumerating SMB Running on Linux
There are many tools on the Internet to scan and attack SMB; here I will explain the most common ones, such as smbmap, smbclient, crackmapexec, and enum4linux. For this example I use the metasploitable2 machine.
Let's start by scanning our remote machine and try to root it!
nmap 192.168.1.91
After scanning the machine we can confirm that ports 139 and 445 are open and running SMB with NetBIOS integration. The next step is to check whether any shared folders exist and what permissions they have.
SMB Pentesting – Public Shares
smbmap -H 192.168.1.91
As we can see, five shares are available and only one of them has Read & Write permissions, but at this point we don't know any usernames or passwords. What can we do? Investigate the /tmp share with another parameter, -R (recursive listing).
List Remote Share
smbmap -H 192.168.1.91 -R tmp
Pentesting SMB Null Sessions
By default smbmap tests for null sessions, but if you need to do it explicitly here is the command (empty username and password):
smbmap -H 192.168.1.91 -u "" -p "" -R tmp
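The exposure described above (shares readable or writable through a null/guest session) comes from the Samba configuration on the host. As an added example, not from the original post, the following Python script audits an smb.conf for exactly that: guest-accessible shares, whether they are writable, and a `map to guest` setting that turns failed logins into guest sessions. The sample smb.conf is constructed for this example; the finding strings are my own.

```python
"""Audit an smb.conf for shares reachable by null/guest sessions (added example)."""
import configparser
import io

# Constructed sample smb.conf, modelled on a typical default-ish configuration.
SAMPLE_SMB_CONF = """
[global]
workgroup = WORKGROUP
map to guest = Bad User

[tmp]
path = /tmp
guest ok = yes
writable = yes

[print$]
path = /var/lib/samba/printers
guest ok = yes
read only = yes

[homes]
browseable = no
valid users = %S
"""

TRUE_VALUES = {"yes", "true", "1"}

def _is_true(value, default=False):
    if value is None:
        return default
    return value.strip().lower() in TRUE_VALUES

def share_is_writable(section):
    # In Samba, "writable"/"writeable"/"write ok" override "read only";
    # a share is read-only unless one of them says otherwise.
    for key in ("writable", "writeable", "write ok"):
        if key in section:
            return _is_true(section.get(key))
    return not _is_true(section.get("read only"), default=True)

def audit_smb_conf(text):
    """Return (share, finding) tuples; guest-writable shares are the worst case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_file(io.StringIO(text))
    findings = []
    glob = cp["global"] if cp.has_section("global") else {}
    if glob.get("map to guest", "Never").strip().lower() != "never":
        findings.append(("global", "map to guest enabled: failed logins become guest"))
    for share in cp.sections():
        if share == "global":
            continue
        sec = cp[share]
        if not (_is_true(sec.get("guest ok")) or _is_true(sec.get("public"))):
            continue
        level = "guest-writable" if share_is_writable(sec) else "guest-readable"
        findings.append((share, level))
    return findings

if __name__ == "__main__":
    for share, finding in audit_smb_conf(SAMPLE_SMB_CONF):
        print(f"[{share}] {finding}")
```

Setting `map to guest = Never` and removing `guest ok = yes` from writable shares closes the null-session path that smbmap is probing for in the command above.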
Enumerate Users
nmblookup -A <IP>
Enumerating SMB on Windows
On Windows we also have to deal with related protocols such as NetBIOS, CIFS, and WMI.
Enumerate Windows machine with Samba
Remote Command Execution on SMB
enum4linux -a -R 500-600,950-1150
python smbmap.py -u 'admin' -p 'qwerty1234!' -d ACME -H 10.1.3.30 -x 'net group "Domain Admins" /domain'
Metasploit SMB vulnerability scanner
Eternal Blue
SMB login via Brute Force
PSexec to connect SMB
Rundll32 One-liner to Exploit SMB
SMB Exploit via NTLM Capture
SMB Vulnerability
Samba Symlink Directory Traversal
Detecting Zerologon with CrackMapExec (CVE-2020-1472)
CrackMapExec SMB: Hacking Samba service
SMB Exploits – Linux
SMB Exploits – Windows
- ms08_067_netapi
- Eternal Blue
- SMB login via Brute Force
- PSexec to connect SMB
- Rundll32 One-liner to Exploit SMB
- SMB Exploit via NTLM Capture