Welcome. Today I am writing about SMB penetration testing fundamentals: first I will explain the protocol basics and then how to attack the service. Basic knowledge of the SMB protocol is required.
Samba is used to share network resources between different operating systems: it controls access to network shares and printer services, and it interoperates with older protocols.
SMB (Samba) was defined as a standard to share folders between Windows and Linux; Samba can act as a domain controller or join an Active Directory domain as a client, and so many features cannot be offered without vulnerabilities.
Since 1992 many versions have been released, each carrying its own set of vulnerabilities; next I compile a table of each version to help us search for CVEs.
|Version|Operating System|
|---|---|
|CIFS|Microsoft Windows NT 4.0|
|SMB 1.0|Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2003 R2|
|SMB 2.0|Windows Vista and Windows Server 2008|
|SMB 2.1|Windows 7 and Windows Server 2008 R2|
|SMB 3.0|Windows 8 and Windows Server 2012|
|SMB 3.02|Windows 8.1 and Windows Server 2012 R2|
|SMB 3.1|Windows Server 2016 and Windows 10|
Last Samba version: 4.16 – March 21, 2022
I am coding the complete table.
|Port Number|Layer 4 Protocol|Layer 5 Protocol|RFC|Description|
|---|---|---|---|---|
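The version table above only becomes useful once you can tell which dialect a server actually negotiates. The following is an added example, not code from the original post: it decodes an SMB2 NEGOTIATE response (the fixed layout from MS-SMB2 section 2.2.4) into the dialect name and the server's signing policy, and flags the settings a defender would want fixed. The packets are constructed in the block itself with a made-up server GUID; nothing is sent over the network.

```python
"""Decode an SMB2 NEGOTIATE response: negotiated dialect and signing policy.
Added example; packets are constructed locally, nothing touches the network."""
import struct
import uuid

# DialectRevision values (MS-SMB2 2.2.4) mapped to the version names in the table.
SMB2_DIALECTS = {
    0x0202: "SMB 2.0.2",
    0x0210: "SMB 2.1",
    0x0300: "SMB 3.0",
    0x0302: "SMB 3.0.2",
    0x0311: "SMB 3.1.1",
}

# SecurityMode bits in the NEGOTIATE response.
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002

SMB2_HEADER_LEN = 64
NEGOTIATE_RESPONSE_STRUCTURE_SIZE = 65  # 64 fixed bytes + 1 byte of Buffer


def build_negotiate_response(dialect: int, security_mode: int) -> bytes:
    """Construct a minimal, well-formed SMB2 NEGOTIATE response (sample input)."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        b"\xfeSMB",        # ProtocolId
        SMB2_HEADER_LEN,   # StructureSize
        0,                 # CreditCharge
        0,                 # Status
        0,                 # Command: SMB2 NEGOTIATE
        1,                 # CreditResponse
        0x00000001,        # Flags: SERVER_TO_REDIR
        0,                 # NextCommand
        0,                 # MessageId
        0,                 # Reserved
        0,                 # TreeId
        0,                 # SessionId
        b"\x00" * 16,      # Signature
    )
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        NEGOTIATE_RESPONSE_STRUCTURE_SIZE,
        security_mode,
        dialect,
        0,                                                      # NegotiateContextCount
        uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le,  # ServerGuid (made up)
        0,                                                      # Capabilities
        65536, 65536, 65536,                                    # MaxTransact/Read/WriteSize
        0, 0,                                                   # SystemTime, ServerStartTime
        SMB2_HEADER_LEN + NEGOTIATE_RESPONSE_STRUCTURE_SIZE - 1,  # SecurityBufferOffset
        0,                                                      # SecurityBufferLength
        0,                                                      # NegotiateContextOffset
    ) + b"\x00"  # Buffer placeholder
    return header + body


def parse_negotiate_response(packet: bytes) -> dict:
    """Return dialect, signing policy and defender-relevant findings for a response."""
    if packet[:4] == b"\xffSMB":
        # SMB1 header: the server still answers with the legacy dialect.
        return {"dialect": "SMB 1.0 (NT LM 0.12)", "server_guid": None,
                "signing_enabled": None, "signing_required": None,
                "findings": ["server answered with SMB1; it should be disabled"]}
    if packet[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 packet")
    if len(packet) < SMB2_HEADER_LEN + NEGOTIATE_RESPONSE_STRUCTURE_SIZE:
        raise ValueError("truncated NEGOTIATE response")
    body = packet[SMB2_HEADER_LEN:]
    structure_size, security_mode, dialect, _ctx_count = struct.unpack_from("<HHHH", body, 0)
    if structure_size != NEGOTIATE_RESPONSE_STRUCTURE_SIZE:
        raise ValueError("unexpected StructureSize %d" % structure_size)
    signing_enabled = bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED)
    signing_required = bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED)
    findings = []
    if dialect == 0x02FF:
        findings.append("wildcard dialect 0x02FF: server expects a second negotiate")
    if not signing_required:
        findings.append("SMB signing not required: sessions can be tampered with or relayed")
    if dialect < 0x0300:
        findings.append("pre-SMB3 dialect: no transport encryption available")
    return {
        "dialect": SMB2_DIALECTS.get(dialect, "unknown 0x%04x" % dialect),
        "server_guid": str(uuid.UUID(bytes_le=body[8:24])),
        "signing_enabled": signing_enabled,
        "signing_required": signing_required,
        "findings": findings,
    }


if __name__ == "__main__":
    for dialect, mode in [(0x0311, 0x0003), (0x0210, 0x0001)]:
        print(parse_negotiate_response(build_negotiate_response(dialect, mode)))
```

A real response comes back on TCP 445 after you send a NEGOTIATE request; the parser above is the same for a captured packet, which is the usual way to confirm a finding from nmap's dialect scripts before reporting it.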
At this point we know what Samba is and what it can be used for; next we need to enumerate remote shares, users/groups, disks, their respective privileges and, obviously, passwords 😀
Here’s a table of common Samba RFCs (Request for Comments) with their corresponding RFC number and a brief description:
|RFC|Description|
|---|---|
|RFC 1001|Defines the NetBIOS API and the NetBIOS Name Service used by Samba.|
|RFC 1002|Defines the NetBIOS Session Service used by Samba to establish sessions.|
|RFC 1761|Defines the Remote Procedure Call (RPC) protocol used by Samba.|
|RFC 2050|Defines the Internet Registry (IR) used by Samba.|
|RFC 2307|Defines the schema for representing POSIX accounts in LDAP directories.|
|RFC 2733|Defines the SMB printing protocol used by Samba.|
|RFC 2849|Defines the Lightweight Directory Access Protocol (LDAP) data interchange format.|
|RFC 3195|Defines the Reliable Event Logging Protocol (RELP) used by Samba for logging.|
|RFC 3280|Defines the Internet X.509 Public Key Infrastructure (PKIX) Certificate and Certificate Revocation List (CRL) Profile.|
|RFC 4120|Defines the Kerberos authentication protocol used by Samba.|
These RFCs are important for understanding the protocols and standards used by Samba for networking and authentication, as well as for configuring and securing Samba servers.
Enumerate SMB Protocol
After we have detected an SMB service running on port 445 (or on another port), we can start enumerating remote shares and understanding the permissions (Read/Write/Execute) associated with each user/group on the system.
If we are lucky, we find a remote share with RWX permissions and no authentication, containing documents or mapped to a web server document root with Apache running as root… This shit still happens nowadays.
Before starting the enumeration phase on SMB we need to know one thing first: what operating system is running on the remote machine?
SMB Penetration Testing
We scanned a remote machine and noticed that port 445 is open with SMB running on it; the remote operating system is Linux, Ubuntu 18.04! At the moment we don’t know anything about users, shares, passwords, permissions, or exploits.
Enumerating SMB Running on Linux
Many tools exist on the Internet to scan and attack SMB; here I will explain the most common ones: smbmap, smbclient, crackmapexec, and enum4linux. For this example I use the metasploitable2 machine.
Let’s start scanning our remote machine and try to root it!
After scanning our machine we can confirm that ports 139 and 445 are open and running SMB with NetBIOS integration. The next step is to check whether any shared folders exist and what permissions they have.
Read the Full SMBMap Guide
SMB Pentesting – Public Shares
smbmap -H 192.168.1.91
As we can see, five shares are available and only one of them has Read & Write permissions, but at this point we don’t know any usernames or passwords. What can we do? Investigate the /tmp folder using another parameter.
List Remote Share
smbmap -H 192.168.1.91 -R tmp
Pentesting SMB Null Sessions
By default smbmap tests for null sessions, but if you need to run it explicitly, here is the command:
smbmap -H 192.168.1.91 -u "" -p "" -R tmp
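When the null-session run above is repeated across many hosts, the interesting part is turning the share listing into findings rather than reading it by eye. The block below is an added example, not smbmap's code or the original post's: it parses a listing laid out in smbmap's column format (the sample is constructed here, with a made-up comment text, not a real capture) and reports every share an unauthenticated client can reach, rating writable ones highest. It assumes smbmap's permission strings NO ACCESS, READ ONLY, READ, WRITE and WRITE ONLY.

```python
"""Turn an smbmap-style share listing into null-session findings.
Added example; the sample output is constructed, not captured from a host."""
import re

# Constructed sample in smbmap's column layout (share, permissions, comment).
SAMPLE_SMBMAP_OUTPUT = "\n".join([
    "[+] IP: 192.168.1.91:445\tName: 192.168.1.91",
    "        Disk                                                  \tPermissions\tComment",
    "\t----                                                  \t-----------\t-------",
    "\tprint$                                            \tNO ACCESS\tPrinter Drivers",
    "\ttmp                                               \tREAD, WRITE\tscratch space",
    "\topt                                               \tNO ACCESS\t",
    "\tIPC$                                              \tNO ACCESS\tIPC Service (lab server)",
    "\tADMIN$                                            \tNO ACCESS\tIPC Service (lab server)",
])

# A share line: name without spaces, one of smbmap's permission strings, optional comment.
# Header and separator lines never carry a permission string, so they are skipped.
SHARE_LINE = re.compile(
    r"^\s*(?P<share>\S+)\s+(?P<perms>NO ACCESS|READ ONLY|READ, WRITE|WRITE ONLY)\s*(?P<comment>.*)$"
)


def parse_smbmap(output: str) -> list:
    """Return one dict per share found in the listing, in listing order."""
    shares = []
    for line in output.splitlines():
        m = SHARE_LINE.match(line)
        if m:
            shares.append({
                "share": m["share"],
                "permissions": m["perms"],
                "comment": m["comment"].strip(),
            })
    return shares


def null_session_findings(shares: list) -> list:
    """Shares reachable without credentials, rated by what an anonymous client can do."""
    findings = []
    for s in shares:
        if s["permissions"] == "NO ACCESS":
            continue
        # Anonymous write is the case the text describes (documents, web roots).
        severity = "high" if "WRITE" in s["permissions"] else "medium"
        findings.append((s["share"], s["permissions"], severity))
    return findings


if __name__ == "__main__":
    for share, perms, severity in null_session_findings(parse_smbmap(SAMPLE_SMBMAP_OUTPUT)):
        print(f"{severity}: share '{share}' allows {perms} without authentication")
```

Feeding the parser the saved output of `smbmap -H <host> -u "" -p ""` for each host in scope gives a list that maps directly onto the remediation items (restrict anonymous access, remove guest write) rather than a pile of terminal screenshots.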
nmblookup -A <IP>
Enumerating SMB on Windows
On Windows we can also deal with other protocols like NetBIOS, CIFS, and WMI.
Enumerate Windows machine with Samba
Remote Command Execution on SMB
enum4linux -a -R 500-600,950-1150
python smbmap.py -u 'admin' -p 'qwerty1234!' -d ACME -H 10.1.3.30 -x 'net group "Domain Admins" /domain'
Metasploit SMB vulnerability scanner
SMB login via Brute Force
PSexec to connect SMB
Rundll32 One-liner to Exploit SMB
SMB Exploit via NTLM Capture
SMB Exploits – Linux
In Linux, the SMB protocol is implemented using the Samba software suite, which provides file and printer-sharing services to Windows clients.
- EternalBlue: EternalBlue is a remote code execution exploit that targets a vulnerability in the SMBv1 protocol. It was used in the WannaCry ransomware attack in 2017 and can also be used to target Linux systems running Samba.
- SambaCry: SambaCry is a remote code execution exploit that targets a vulnerability in the Samba software suite. It was discovered in 2017 and can be used to target Linux systems running Samba versions 3.5.0 to 4.6.4.
- SMBLoris: SMBLoris is a denial-of-service (DoS) exploit that targets a vulnerability in the SMB protocol. It can be used to overload the SMB service on a target system, causing it to crash or become unresponsive.
- MS17-010: MS17-010 is a vulnerability in the SMBv1 protocol that allows for remote code execution. It was exploited by the WannaCry ransomware and can also be used to target Linux systems running Samba.
It is important for Linux system administrators to keep their systems up to date with the latest security patches and to configure their systems securely to prevent SMB exploits.
This includes disabling SMBv1 and ensuring that Samba is configured securely with proper access controls and authentication mechanisms.
Additionally, network administrators can use intrusion detection systems to monitor for attempts to exploit SMB vulnerabilities and block them in real time.
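The mitigation advice above (disable SMBv1, enforce signing and authentication, restrict anonymous access) maps onto a handful of smb.conf parameters on the Samba side. The following is an added example, not Samba's code or the original post's: it reads an smb.conf and reports the weak settings, using a constructed weak configuration beside a constructed hardened one. It assumes the parameter names and defaults documented for Samba 4.x (server min protocol defaulting to SMB2_02 from Samba 4.11 on, map to guest defaulting to Never, restrict anonymous defaulting to 0).

```python
"""Audit an smb.conf for SMB1, unsigned sessions, guest mapping and anonymous shares.
Added example; both configurations below are constructed samples."""
import configparser

# "server min protocol" values that exclude every SMB1 dialect.
SMB2_OR_LATER = {"smb2", "smb2_02", "smb2_10", "smb3", "smb3_00", "smb3_02", "smb3_11"}

WEAK_SMB_CONF = """
[global]
workgroup = WORKGROUP
server min protocol = NT1
server signing = disabled
map to guest = Bad User
null passwords = yes

[tmp]
path = /tmp
guest ok = yes
writable = yes
"""

HARDENED_SMB_CONF = """
[global]
workgroup = WORKGROUP
server min protocol = SMB3_00
server signing = mandatory
map to guest = Never
null passwords = no
restrict anonymous = 2

[data]
path = /srv/data
valid users = @staff
read only = no
"""


def _truthy(value: str) -> bool:
    """Samba boolean syntax: yes/true/1, case-insensitive."""
    return value.strip().lower() in {"yes", "true", "1"}


def load_smb_conf(text: str) -> configparser.ConfigParser:
    # smb.conf is INI-like; interpolation is off because values may contain %U etc.
    cfg = configparser.ConfigParser(strict=False, interpolation=None)
    cfg.read_string(text)
    return cfg


def audit_smb_conf(text: str) -> list:
    """Return (section, parameter, problem) tuples; an empty list means nothing weak found."""
    cfg = load_smb_conf(text)
    g = cfg["global"] if cfg.has_section("global") else {}
    findings = []

    min_proto = g.get("server min protocol", "").strip().lower()
    if not min_proto:
        findings.append(("global", "server min protocol",
                         "unset: build default applies (SMB2_02 on Samba 4.11+, NT1 on older releases)"))
    elif min_proto not in SMB2_OR_LATER:
        findings.append(("global", "server min protocol", f"{min_proto}: SMB1 dialects still accepted"))

    if g.get("server signing", "default").strip().lower() != "mandatory":
        findings.append(("global", "server signing", "not mandatory: clients may connect unsigned"))

    if g.get("map to guest", "never").strip().lower() != "never":
        findings.append(("global", "map to guest", "failed logins are mapped to the guest account"))

    if _truthy(g.get("null passwords", "no")):
        findings.append(("global", "null passwords", "accounts with empty passwords may log in"))

    if int(g.get("restrict anonymous", "0")) < 2:
        findings.append(("global", "restrict anonymous", "anonymous (null session) IPC$ connections allowed"))

    for name in cfg.sections():
        if name == "global":
            continue
        s = cfg[name]
        guest = _truthy(s.get("guest ok", "no")) or _truthy(s.get("public", "no"))
        # "writable"/"writeable" are Samba synonyms; "read only = no" means the same thing.
        writable = (_truthy(s.get("writable", "no")) or _truthy(s.get("writeable", "no"))
                    or not _truthy(s.get("read only", "yes")))
        if guest:
            what = "anonymous write access" if writable else "anonymous read access"
            findings.append((name, "guest ok", what))
    return findings


if __name__ == "__main__":
    for label, conf in [("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)]:
        print(label, audit_smb_conf(conf) or "no weak settings")
```

Run it against `/etc/samba/smb.conf` after `testparm` has confirmed the file parses; the checks are deliberately conservative (an unset minimum protocol is reported so that the Samba version is verified rather than assumed).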
SMB Exploits – Windows
- EternalBlue: EternalBlue is a remote code execution exploit that targets a vulnerability in the SMBv1 protocol. It was used in the WannaCry ransomware attack in 2017 and can also be used to target Windows systems.
- MS08-067: MS08-067 is a vulnerability in the Server service in Microsoft Windows that allows remote code execution when the service is running. The vulnerability was discovered in October 2008 and was addressed by Microsoft with a security patch shortly thereafter.
- MS17-010: MS17-010 is a vulnerability in the SMBv1 protocol that allows for remote code execution. It was exploited by the WannaCry ransomware and can be used to target Windows systems.
- SMBGhost: SMBGhost is a remote code execution exploit that targets a vulnerability in the SMBv3 protocol. It was discovered in March 2020 and can be used to target Windows systems running SMBv3.
It is important for Windows system administrators to keep their systems up to date with the latest security patches and to configure their systems securely to prevent SMB exploits. This includes disabling SMBv1 and ensuring that SMBv2 and SMBv3 are configured securely with proper access controls and authentication mechanisms.
Additionally, network administrators can use intrusion detection systems to monitor for attempts to exploit SMB vulnerabilities and block them in real time.
Learn how to perform SMB penetration testing to identify vulnerabilities in your network and protect against unauthorized access.
This guide covers the steps involved in SMB penetration testing, from reconnaissance and vulnerability scanning to exploitation and post-exploitation. Follow best practices and use caution to avoid damaging the target network.
With this comprehensive guide, you can improve the security of your SMB network and keep your data safe from potential attacks.
SMB Reconnaissance
This involves gathering information about the target SMB network, such as IP addresses, hostnames, network topology, operating systems, and SMB versions. Tools like Nmap, SMBMap, and Enum4Linux can be used for this purpose.
SMB Vulnerability scanning
This involves using vulnerability scanners like Nessus, OpenVAS, and Retina to identify known vulnerabilities in the target SMB network. The scan should focus on SMB-related vulnerabilities such as EternalBlue, MS08-067, and MS17-010.
SMB Exploitation
Once vulnerabilities are identified, exploits can be used to gain access to the target SMB network. Common SMB exploits like EternalBlue and MS08-067 can be used for this purpose. Tools like Metasploit and Empire can automate the exploitation process.
SMB Post-exploitation
After gaining access to the target SMB network, attackers can perform various activities like lateral movement, privilege escalation, and data exfiltration. Tools like Mimikatz and PowerSploit can be used for these activities.
SMB Pentest Reporting
Finally, a detailed report should be prepared to document the vulnerabilities, exploits, and activities performed during the SMB penetration testing. The report should also provide recommendations for remediation and improving the security of the target SMB network.
Why perform SMB penetration testing?
SMB penetration testing is performed to identify vulnerabilities and weaknesses in the SMB protocol that could be exploited by attackers to gain unauthorized access to a network or system.
What are the tools used in SMB penetration testing?
Tools commonly used in SMB penetration testing include Nmap, Metasploit, smbclient, PowerShell Empire, and Recon-ng.
Is SMB penetration testing legal?
SMB penetration testing is legal only if it is conducted with the permission of the target network or system owner. Unauthorized testing can lead to legal consequences.
What are the steps involved in SMB penetration testing?
The steps involved in SMB penetration testing include reconnaissance, enumeration, exploitation, post-exploitation, and reporting.
What are the risks of not performing SMB penetration testing?
Without performing SMB penetration testing, organizations may not be aware of vulnerabilities in their systems that could be exploited by attackers. This could lead to data breaches, loss of sensitive information, or damage to the organization’s reputation and finances.
How often should SMB penetration testing be performed?
SMB penetration testing should be performed regularly, ideally as part of a comprehensive security testing program. The frequency of testing may vary depending on the size and complexity of the organization’s network, as well as the level of risk associated with its systems and data.