SMB Penetration Testing Fundamentals

Today I am writing about SMB penetration testing fundamentals. First I explain the protocol basics, then how to enumerate and attack the service. Some basic knowledge of the SMB protocol is assumed.

SMB and Samba

SMB (Server Message Block) is the protocol Windows uses to share files, printers and named pipes over a network. The named pipes also carry the MSRPC traffic (SAM, LSA, service control, Netlogon) that Windows administration and Active Directory depend on. Samba is the open-source implementation of SMB for Unix-like systems: it serves shares to Windows clients, joins an Active Directory domain as a member server, or acts as a domain controller itself. That much functionality, kept backwards compatible for decades, is why SMB has such a long list of vulnerabilities.

The protocol dates from the 1980s and Samba from 1992, and each new dialect or release brought its own vulnerabilities. The table below maps SMB dialects to the Windows versions that introduced them, which helps when searching for CVEs.

Versions of Windows SMB

Dialect     Operating System
CIFS        Microsoft Windows NT 4.0 (SMB 1.0 under its "Common Internet File System" name)
SMB 1.0     Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2003 R2
SMB 2.0     Windows Vista and Windows Server 2008
SMB 2.1     Windows 7 and Windows Server 2008 R2
SMB 3.0     Windows 8 and Windows Server 2012
SMB 3.0.2   Windows 8.1 and Windows Server 2012 R2
SMB 3.1.1   Windows 10 and Windows Server 2016

Later Windows releases speak SMB 3.1.1 and only negotiate down to an older dialect when the other side lacks it. On the Samba side, the latest release at the time of writing is 4.16 (March 21, 2022).

SMB on the OSI model

Port   Layer 4   Upper-layer protocol   Standard           Description
137    UDP       NetBIOS                RFC 1001/1002      NetBIOS Name Service (name registration and lookup)
138    UDP       NetBIOS                RFC 1001/1002      NetBIOS Datagram Service (browser announcements)
139    TCP       NetBIOS                RFC 1001/1002      NetBIOS Session Service, carrying SMB
445    TCP       SMB                    MS-SMB / MS-SMB2   SMB directly over TCP, no NetBIOS layer
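The dialect in the table above is not something you have to guess from the OS banner: the first message on port 445 is a NEGOTIATE exchange, and the server's reply states the dialect it settled on and whether it enforces message signing. The script below, an added example for this article and not code from smbmap, nmap or any other tool mentioned here, builds an SMB2 NEGOTIATE request and decodes the response according to Microsoft's MS-SMB2 layout. The sample response bytes are constructed by hand (the server GUID, sizes and the short stand-in for the SPNEGO token are invented); the probe() function sends the real request to a host you name on the command line.

```python
"""Decode an SMB2 NEGOTIATE response: which dialect the server settled on,
and whether it enforces message signing.

Added example for this article, not code from smbmap, nmap or another tool.
Wire layout follows Microsoft's MS-SMB2 open specification (SMB2 header,
NEGOTIATE request/response). The sample response is constructed by hand.
"""
import socket
import struct

SMB2_MAGIC = b"\xfeSMB"
HEADER_LEN = 64
HEADER_FMT = "<4sHHIHHIIQIIQ16s"      # 64-byte SMB2 header
NEG_REQ_FMT = "<HHHHI16sQ"            # 36-byte NEGOTIATE request body, dialect list follows
NEG_RESP_FMT = "<HHHH16sIIIIQQHHI"    # 64-byte fixed part of the NEGOTIATE response

DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}
SIGNING_ENABLED, SIGNING_REQUIRED = 0x0001, 0x0002
CAPABILITIES = {0x01: "DFS", 0x02: "LEASING", 0x04: "LARGE_MTU", 0x08: "MULTI_CHANNEL",
                0x10: "PERSISTENT_HANDLES", 0x20: "DIRECTORY_LEASING", 0x40: "ENCRYPTION"}


def smb2_header(command=0, flags=0, message_id=0):
    """Unsigned SMB2 header; flags bit 0x1 marks a server-to-client message."""
    return struct.pack(HEADER_FMT, SMB2_MAGIC, HEADER_LEN, 0, 0, command, 1, flags,
                       0, message_id, 0, 0, 0, b"\x00" * 16)


def build_negotiate_request(dialects=(0x0202, 0x0210, 0x0300, 0x0302), client_guid=b"\x00" * 16):
    """SMB2 NEGOTIATE request offering the given dialects. 3.1.1 is left out
    because it also needs negotiate contexts (pre-auth integrity), not shown here."""
    body = struct.pack(NEG_REQ_FMT, 36, len(dialects), SIGNING_ENABLED, 0, 0, client_guid, 0)
    body += b"".join(struct.pack("<H", d) for d in dialects)
    return smb2_header(command=0) + body


def parse_negotiate_response(data):
    if len(data) < HEADER_LEN + 64 or data[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message (SMB1-only server, or not SMB at all)")
    _, _, status, command, _, flags = struct.unpack_from("<HHIHHI", data, 4)
    if command != 0 or not flags & 0x00000001:
        raise ValueError("not a NEGOTIATE response")
    if status != 0:
        raise ValueError("NEGOTIATE failed with NTSTATUS 0x%08x" % status)
    (_, sec_mode, dialect, _, guid, caps, max_trans, max_read, max_write,
     _, _, blob_off, blob_len, _) = struct.unpack_from(NEG_RESP_FMT, data, HEADER_LEN)
    return {
        "dialect": DIALECTS.get(dialect, "unknown 0x%04x" % dialect),
        "dialect_code": dialect,
        "signing_enabled": bool(sec_mode & SIGNING_ENABLED),
        "signing_required": bool(sec_mode & SIGNING_REQUIRED),
        "server_guid": guid.hex(),
        "capabilities": [n for bit, n in CAPABILITIES.items() if caps & bit],
        "max_read": max_read, "max_write": max_write, "max_transact": max_trans,
        "security_blob": data[blob_off:blob_off + blob_len],   # SPNEGO token (offset from header start)
    }


def assess(info):
    """The findings a pentester cares about from one NEGOTIATE response."""
    findings = []
    if not info["signing_required"]:
        findings.append("SMB signing not required: NTLM relay to this host is possible")
    if info["dialect_code"] < 0x0300:
        findings.append("dialect %s: no SMB3 encryption or secure dialect negotiation" % info["dialect"])
    return findings


def build_sample_response(dialect=0x0210, security_mode=SIGNING_ENABLED):
    """Constructed NEGOTIATE response (not a capture) for offline use."""
    blob = b"\x60\x06\x06\x04\x2b\x06\x01\x05"      # stand-in for the SPNEGO token
    body = struct.pack(NEG_RESP_FMT, 65, security_mode, dialect, 0, b"\x11" * 16,
                       0x07, 0x800000, 0x800000, 0x800000, 0, 0,
                       HEADER_LEN + 64, len(blob), 0)
    return smb2_header(command=0, flags=0x1) + body + blob


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed")
        buf += chunk
    return buf


def probe(host, port=445, timeout=5):
    """Live version: NetBIOS session framing (0x00 + 3-byte length) around the request."""
    req = build_negotiate_request()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"\x00" + len(req).to_bytes(3, "big") + req)
        length = int.from_bytes(_recv_exact(s, 4)[1:], "big")
        return parse_negotiate_response(_recv_exact(s, length))


if __name__ == "__main__":
    import sys
    info = probe(sys.argv[1]) if len(sys.argv) > 1 else parse_negotiate_response(build_sample_response())
    print(info["dialect"], "| signing required:", info["signing_required"], "|", info["capabilities"])
    for f in assess(info):
        print(" -", f)
```

Run with no arguments it decodes the constructed sample (SMB 2.1, signing enabled but not required, which is the default on Windows workstations and the precondition for NTLM relay); with a host argument it performs the exchange against port 445. A server that answers with an SMB1 header (0xFF 'SMB') instead is flagged by the ValueError, which is itself a finding.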

At this point we know what SMB and Samba are and what they are used for. What we need to enumerate next are remote shares, users and groups, disks, the permissions each user or group has on them and, of course, passwords 😀

SMB-related RFCs

SMB itself is not defined by an RFC: the protocol is documented in Microsoft's open specifications MS-SMB (SMB1) and MS-SMB2 (SMB2 and SMB3), and NTLM authentication in MS-NLMP. The surrounding services Samba relies on are covered by RFCs, and the ones worth knowing are:

RFC        Description
RFC 1001   NetBIOS over TCP/UDP, concepts and methods: the NetBIOS Name, Datagram and Session services (ports 137, 138 and 139).
RFC 1002   NetBIOS over TCP/UDP, detailed specifications: packet formats for the name, datagram and session services.
RFC 2307   LDAP schema for POSIX accounts (posixAccount, posixGroup), used by Samba and winbind to map Unix users and groups to a directory.
RFC 2849   LDIF, the LDAP Data Interchange Format used to import and export directory entries.
RFC 3280   PKIX X.509 certificate and CRL profile (since obsoleted by RFC 5280), relevant to Samba's TLS and Kerberos PKINIT support.
RFC 4120   Kerberos V5, the authentication protocol Samba uses as an Active Directory member or domain controller.

These documents describe the naming, directory and authentication protocols that sit around SMB, and are the reference when configuring and securing a Samba server.

Enumerate SMB Protocol

Once we have detected an SMB service on port 445 (or 139) we can start enumerating remote shares and the permissions (read, write, execute) each user or group has on them.
If we are lucky we find a share that is readable and writable without authentication, full of documents, or mapped to a web server's document root with Apache running as root... This still happens today.

Before starting the enumeration we need to know one thing: which operating system is the remote machine running? The tools are largely the same, but the enumeration paths (NetBIOS, RPC pipes, Samba defaults) and the applicable exploits differ.

Suppose we scanned a remote machine and noticed that port 445 is open with SMB on it, and that the host is a Linux machine (in this walkthrough Metasploitable 2, which is built on Ubuntu 8.04). At this point we know nothing about users, shares, passwords, permissions or exploits.

Enumerating SMB Running on Linux

There are many tools for scanning and attacking SMB; here I cover the most common ones: smbmap, smbclient, crackmapexec and enum4linux. For this example I use the Metasploitable 2 machine.

Let's start by scanning the remote machine and try to root it!

nmap 192.168.1.91

After the scan we can see that ports 139 and 445 are open, which nmap labels netbios-ssn and microsoft-ds: SMB with NetBIOS support. Adding -sV prints the Samba version string, which is what we later search CVEs for. The next step is to check whether any shared folders exist and what permissions they have.


SMB Pentesting – Public Shares

smbmap -H 192.168.1.91

As we can see there are five shares and only one of them, tmp, has read and write permissions. At this point we don't know any usernames or passwords, so what can we do? Investigate the tmp share using another parameter, -R, which lists its contents recursively.

List Remote Share

smbmap -H 192.168.1.91 -R tmp

Pentesting SMB Null Sessions

When no credentials are given smbmap already tries a null session (empty username and password). The explicit form is:

smbmap -H 192.168.1.91 -u "" -p "" -R tmp

Enumerate NetBIOS Names

A node status query against UDP port 137 returns the NetBIOS names the host has registered: its hostname, its workgroup or domain, and service suffixes that reveal what it runs (<20> file server, <1c> domain controller). Users themselves are enumerated over RPC, which enum4linux does further below.

nmblookup -A <IP>
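What nmblookup -A actually sends is a 50-byte NetBIOS node status request, and the reply is a list of 18-byte name entries. The script below, an added example for this article and not code from Samba's nmblookup, builds that request and decodes the response according to RFC 1002, then summarises it the way you would read the nmblookup output (host name, workgroup, whether it is a file server or a domain controller). The sample response is constructed by hand to resemble a Samba host called METASPLOITABLE in WORKGROUP with an invented MAC address; it is not a capture. query() performs the real UDP exchange against a host given on the command line.

```python
"""NetBIOS NODE STATUS query (what `nmblookup -A <IP>` and nbtscan send to
UDP/137): build the request, decode the response, read the registered names.

Added example for this article, not code from Samba's nmblookup. Packet
layout follows RFC 1002 (NODE STATUS REQUEST/RESPONSE). The sample response
is constructed by hand, not captured.
"""
import socket
import struct

NBSTAT = 0x0021          # question type for a node status request
CLASS_IN = 0x0001
SUFFIXES = {
    0x00: "Workstation Service / workgroup name",
    0x03: "Messenger Service",
    0x1b: "Domain Master Browser",
    0x1c: "Domain Controllers",
    0x1d: "Master Browser",
    0x1e: "Browser Service Elections",
    0x20: "File Server Service",
}


def encode_name(name, suffix=0x00):
    """RFC 1001 encoding: 15-byte space-padded name + suffix byte, each nibble
    mapped to a letter A..P, wrapped as a single 32-byte label. The wildcard
    name '*' is '*' followed by 15 NULs and takes no suffix."""
    if name == "*":
        raw = b"*" + b"\x00" * 15
    else:
        raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    label = "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)
    return bytes([32]) + label.encode("ascii") + b"\x00"


def build_node_status_request(tid=0x1234):
    header = struct.pack(">HHHHHH", tid, 0x0000, 1, 0, 0, 0)   # flags 0: query, no recursion
    return header + encode_name("*") + struct.pack(">HH", NBSTAT, CLASS_IN)


def parse_node_status_response(data, tid=None):
    rtid, flags, _qd, ancount, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if tid is not None and rtid != tid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a node status response")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    off += 1 + data[off]          # skip the encoded name label
    off += 1                      # root label terminator
    rr_type, _cls, _ttl, _rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rr_type != NBSTAT:
        raise ValueError("unexpected RR type 0x%04x" % rr_type)
    num_names = data[off]
    off += 1
    names = []
    for _ in range(num_names):
        raw, suffix, nflags = struct.unpack_from(">15sBH", data, off)
        off += 18
        names.append({
            "name": raw.decode("ascii", "replace").rstrip(" \x00"),
            "suffix": suffix,
            "group": bool(nflags & 0x8000),       # G bit: group vs unique name
            "service": SUFFIXES.get(suffix, "unknown"),
        })
    mac = data[off:off + 6]       # UNIT_ID at the start of the statistics block
    return {"names": names, "mac": ":".join("%02x" % b for b in mac)}


def summarize(info):
    """Read the name table the way you would read nmblookup -A output."""
    names = info["names"]
    return {
        "host": next((n["name"] for n in names if n["suffix"] == 0x00 and not n["group"]), None),
        "workgroup_or_domain": next((n["name"] for n in names if n["suffix"] == 0x00 and n["group"]), None),
        "file_server": any(n["suffix"] == 0x20 for n in names),
        "domain_controller": any(n["suffix"] == 0x1c and n["group"] for n in names),
        "mac": info["mac"],
    }


def build_sample_response(tid=0x1234):
    """Constructed response (not a capture): Samba host METASPLOITABLE in WORKGROUP."""
    entries = [("METASPLOITABLE", 0x00, 0x0400), ("METASPLOITABLE", 0x03, 0x0400),
               ("METASPLOITABLE", 0x20, 0x0400), ("WORKGROUP", 0x00, 0x8400),
               ("WORKGROUP", 0x1e, 0x8400)]              # 0x0400 active unique, 0x8400 active group
    names = b"".join(struct.pack(">15sBH", n.ljust(15).encode(), s, f) for n, s, f in entries)
    stats = b"\x08\x00\x27\x12\x34\x56" + b"\x00" * 40   # invented MAC + zeroed statistics
    rdata = bytes([len(entries)]) + names + stats
    header = struct.pack(">HHHHHH", tid, 0x8400, 0, 1, 0, 0)   # response, authoritative
    rr = encode_name("*") + struct.pack(">HHIH", NBSTAT, CLASS_IN, 0, len(rdata))
    return header + rr + rdata


def query(host, port=137, timeout=2):
    """Live version: the unicast UDP exchange nmblookup -A performs."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(), (host, port))
        data, _ = s.recvfrom(2048)
    return parse_node_status_response(data, tid=0x1234)


if __name__ == "__main__":
    import sys
    info = query(sys.argv[1]) if len(sys.argv) > 1 else parse_node_status_response(build_sample_response())
    for n in info["names"]:
        print("%-15s <%02x> %-6s %s" % (n["name"], n["suffix"], "GROUP" if n["group"] else "UNIQUE", n["service"]))
    print(summarize(info))
```

The request is the well-known "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" packet that IDS signatures match on; the response needs no credentials, which is why this is usually the very first thing run against an SMB host.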

Enumerating SMB on Windows

Against a Windows target the same tools apply, but we also deal with the surrounding protocols: NetBIOS names, the MSRPC pipes exposed over IPC$ (SAMR, LSARPC, SRVSVC) and, once we have credentials, WMI. enum4linux wraps the RPC part: with -a it tries a null session and enumerates users, groups, shares, the password policy and the OS, and -R cycles through RIDs to recover account names even when user listing is denied (500-600 covers the built-in accounts, 1000 upwards the first user-created ones):

enum4linux -a -R 500-600,950-1150

Remote Command Execution on SMB

With administrative credentials smbmap can also execute commands on the target (-x); here it lists the Domain Admins group:

python smbmap.py -u 'admin' -p 'qwerty1234!' -d ACME -H 10.1.3.30 -x 'net group "Domain Admins" /domain'

Related topics

  • Metasploit SMB vulnerability scanner
  • EternalBlue
  • SMB login via brute force
  • PsExec to connect to SMB
  • Rundll32 one-liner to exploit SMB
  • SMB exploit via NTLM capture
  • SMB vulnerability: Samba symlink directory traversal
  • Detecting Zerologon with CrackMapExec (CVE-2020-1472)
  • CrackMapExec SMB: hacking the Samba service

SMB Exploits – Linux

On Linux the SMB protocol is implemented by the Samba suite, which provides file and printer sharing to Windows clients. The Windows SMB bugs do not carry over: Samba has its own code base and its own CVEs.

  1. SambaCry (CVE-2017-7494): a remote code execution bug in Samba's named-pipe handling, disclosed in 2017. A user with write access to a share (a guest is enough on a misconfigured server) uploads a shared library and makes smbd load it. It affects Samba 3.5.0 through 4.6.3 and was fixed in 4.6.4, 4.5.10 and 4.4.14.
  2. Samba symlink directory traversal (CVE-2010-0926): with wide links = yes (the default at the time) a client with a writable share can create symlinks that expose the rest of the file system through the share.
  3. SMBLoris: a denial of service in which an attacker opens many connections, each announcing a large NetBIOS session message length, so the server pre-allocates memory per connection until it runs out. It was demonstrated against Windows; the Samba team's advice was to limit connections per client at the firewall rather than to patch.
  4. EternalBlue / MS17-010: these are the same issue seen from two sides (MS17-010 is the Microsoft bulletin, EternalBlue the exploit). They target a bug in the Windows SMBv1 driver, were used by WannaCry in 2017, and do not affect Samba.

Linux administrators should keep Samba patched and configure it securely: disable SMB1 (server min protocol = SMB2_02 or higher), require signing, keep wide links off, avoid guest-writable shares and restrict anonymous access.

Additionally, network administrators can use intrusion detection systems to monitor for attempts to exploit SMB vulnerabilities and block them in real time.
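The hardening advice above maps onto a handful of smb.conf parameters, and it is worth being able to check a configuration for them mechanically, both on your own servers and on a box you have just obtained a shell on. The script below is an added example for this article, not code from the Samba project: it parses an smb.conf and flags the settings that enable the attacks discussed here (SMB1, optional signing, failed logons mapped to guest, anonymous IPC$, guest-writable shares, and wide links on a writable share, the symlink traversal precondition). The weak and hardened configurations are constructed for the demo; parameter names and defaults are Samba's own.

```python
"""Audit an smb.conf for the weak settings behind the Samba attacks in this
article: SMB1 enabled, optional signing, failed logons mapped to guest,
anonymous IPC$ access, guest-writable shares, and wide links that let a
writable share reach outside its path (the symlink traversal).

Added example for this article, not code from the Samba project. Parameter
names and defaults are Samba's documented smb.conf options; the weak and
hardened configurations are constructed for the demo.
"""
import configparser

SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}

WEAK_CONF = """[global]
workgroup = WORKGROUP
server string = %h server (Samba)
server min protocol = NT1
server signing = auto
map to guest = Bad User
restrict anonymous = 0
unix extensions = no
wide links = yes

[tmp]
path = /tmp
guest ok = yes
writable = yes
"""

HARDENED_CONF = """[global]
workgroup = WORKGROUP
server min protocol = SMB3_00
server signing = mandatory
map to guest = Never
restrict anonymous = 2
unix extensions = yes
wide links = no

[tmp]
path = /srv/samba/tmp
valid users = @staff
guest ok = no
writable = no
"""


def load(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)   # smb.conf uses % in values
    cp.read_string(text)
    return cp


def param(section, *names, default=None):
    """First matching parameter; Samba has synonyms such as writable/writeable."""
    for n in names:
        if n in section:
            return section[n].strip()
    return default


def is_yes(value):
    return value is not None and value.lower() in {"yes", "true", "1"}


def audit(text):
    """Return (scope, code, message) findings; an empty list means nothing was flagged."""
    cp = load(text)
    g = cp["global"] if cp.has_section("global") else cp[cp.default_section]
    findings = []

    min_proto = param(g, "server min protocol", "min protocol")
    if min_proto is None:
        findings.append(("global", "smb1-default", "server min protocol unset: SMB2_02 on "
                         "Samba 4.11+, but NT1 (SMB1) on older releases; set it explicitly"))
    elif min_proto.lower() in SMB1_DIALECTS:
        findings.append(("global", "smb1", "server min protocol = %s enables SMB1" % min_proto))

    signing = param(g, "server signing", default="default").lower()
    if signing != "mandatory":
        findings.append(("global", "signing", "server signing = %s: clients may skip signing, "
                         "so NTLM relay to this server works" % signing))

    map_guest = param(g, "map to guest", default="Never")
    if map_guest.lower() != "never":
        findings.append(("global", "map-to-guest", "map to guest = %s: failed logons become "
                         "guest sessions" % map_guest))

    if param(g, "restrict anonymous", default="0") == "0":
        findings.append(("global", "null-session", "restrict anonymous = 0: anonymous IPC$ "
                         "connections can enumerate shares and users"))

    # wide links only takes effect when unix extensions is off (or is explicitly forced on)
    wide_allowed = (not is_yes(param(g, "unix extensions", default="yes"))
                    or is_yes(param(g, "allow insecure wide links", default="no")))

    for name in cp.sections():
        if name.lower() == "global":
            continue
        s = cp[name]
        guest = is_yes(param(s, "guest ok", "public"))
        read_only = param(s, "read only")
        writable = (is_yes(param(s, "writable", "writeable", "write ok"))
                    or (read_only is not None and not is_yes(read_only)))
        wide = is_yes(param(s, "wide links", default=param(g, "wide links", default="no")))
        if guest and writable:
            findings.append((name, "guest-write", "guest ok + writable: anyone can drop files here"))
        elif guest:
            findings.append((name, "guest-read", "guest ok: readable without credentials"))
        if writable and wide and wide_allowed:
            findings.append((name, "symlink-traversal", "writable + wide links: a client-created "
                             "symlink exposes paths outside %s" % param(s, "path", default="?")))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONF
    for scope, code, msg in audit(text):
        print("[%s] %s: %s" % (scope, code, msg))
```

Run without arguments it audits the weak configuration and prints six findings; pointed at the hardened one it prints nothing. An unset server min protocol is reported separately because the default changed in Samba 4.11: the same file is SMB1-enabled on an older release and SMB2-only on a newer one, so the value should be explicit.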

SMB Exploits – Windows

  1. MS08-067: a remote code execution vulnerability in the Windows Server service (path canonicalisation in netapi32, reached over the SRVSVC named pipe). Disclosed and patched out-of-band in October 2008, it was used by the Conficker worm and remains the classic Metasploit demo against Windows XP and Server 2003 (exploit/windows/smb/ms08_067_netapi).
  2. MS17-010 / EternalBlue: MS17-010 is the March 2017 bulletin for a set of bugs in the SMBv1 driver srv.sys; EternalBlue is the leaked exploit for it, used by WannaCry and NotPetya in 2017. Any unpatched Windows host with SMBv1 enabled is affected.
  3. SMBGhost (CVE-2020-0796): a remote code execution bug in the SMBv3.1.1 compression feature, disclosed in March 2020, affecting Windows 10 and Windows Server versions 1903 and 1909.

Attack paths that need no vulnerability at all are just as common: brute-forcing SMB logins, PsExec-style execution with captured or cracked credentials (or a Rundll32 one-liner delivered the same way), and capturing or relaying NTLM authentication.

Windows administrators should keep their systems patched and configure SMB securely: disable SMBv1, require SMB signing on SMBv2 and SMBv3 (and SMB encryption where clients support it), block anonymous share enumeration, and restrict which hosts can reach port 445 at all.

Additionally, network administrators can use intrusion detection systems to monitor for attempts to exploit SMB vulnerabilities and block them in real-time.

References

https://smb-penetration-testing.popdocs.net/


SMB penetration testing, step by step

This section summarises the phases of an SMB penetration test, from reconnaissance and vulnerability scanning to exploitation, post-exploitation and reporting. Follow best practices and take care not to damage the target network.

SMB Reconnaissance

This involves gathering information about the target SMB network, such as IP addresses, hostnames, network topology, operating systems, and SMB versions. Tools like Nmap, SMBMap, and Enum4Linux can be used for this purpose.

SMB Vulnerability scanning

This involves using vulnerability scanners like Nessus, OpenVAS, and Retina to identify known vulnerabilities in the target SMB network. The scan should focus on SMB-related vulnerabilities such as EternalBlue, MS08-067, and MS17-010.

SMB Exploitation

Once vulnerabilities are identified, exploits can be used to gain access to the target. Common SMB exploits like EternalBlue and MS08-067 are available as Metasploit modules, which automate the exploitation; frameworks such as Empire come in afterwards, for post-exploitation.

SMB Post-exploitation

After gaining access to the target SMB network, attackers can perform various activities like lateral movement, privilege escalation, and data exfiltration. Tools like Mimikatz and PowerSploit can be used for these activities.

SMB Pentest Reporting

Finally, a detailed report should be prepared to document the vulnerabilities, exploits, and activities performed during the SMB penetration testing. The report should also provide recommendations for remediation and improving the security of the target SMB network.

Why perform SMB penetration testing?

SMB penetration testing is performed to identify vulnerabilities and misconfigurations in SMB services (unpatched servers, anonymous or guest access, writable shares, optional signing) that attackers could use to gain unauthorised access to a network or system.

What are the tools used in SMB penetration testing?

Tools commonly used in SMB penetration testing include Nmap, Metasploit, smbclient, smbmap, enum4linux, CrackMapExec and PowerShell Empire.

Is SMB penetration testing legal?

SMB penetration testing is legal only if it is conducted with the permission of the target network or system owner. Unauthorized testing can lead to legal consequences.

What are the steps involved in SMB penetration testing?

The steps involved in SMB penetration testing include reconnaissance, enumeration, exploitation, post-exploitation, and reporting.

What are the risks of not performing SMB penetration testing?

Without performing SMB penetration testing, organizations may not be aware of vulnerabilities in their systems that could be exploited by attackers. This could lead to data breaches, loss of sensitive information, or damage to the organization’s reputation and finances.

How often should SMB penetration testing be performed?

SMB penetration testing should be performed regularly, ideally as part of a comprehensive security testing program. The frequency of testing may vary depending on the size and complexity of the organization’s network, as well as the level of risk associated with its systems and data.