SMB Penetration Testing Fundamentals
Posted in: Network Security

The Ultimate Guide to SMB Penetration Testing

Welcome. Today I am writing about SMB penetration testing fundamentals: first I will explain the protocol basics, then how to attack the service. Basic knowledge of the SMB protocol is necessary to follow along.


Samba Protocol

Samba is used to share network resources between different operating systems: it controls access to network shares and printer services, and it interoperates with older protocols.

SMB (implemented on Linux by Samba) was defined as a standard to share folders between Windows and Linux; it can act as a domain controller or join an Active Directory domain as a client. So many features can't be offered without vulnerabilities.

Since 1992 many versions have been released, each carrying tons of vulnerabilities. Below I compile a table of the versions to help us search for CVEs.

Versions of Windows SMB

Version    Operating System
CIFS       Microsoft Windows NT 4.0
SMB 1.0    Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2003 R2
SMB 2.0    Windows Vista and Windows Server 2008
SMB 2.1    Windows 7 and Windows Server 2008 R2
SMB 3.0    Windows 8 and Windows Server 2012
SMB 3.02   Windows 8.1 and Windows Server 2012 R2
SMB 3.1    Windows Server 2016 and Windows 10
(Table: SMB versions)

Latest Samba version: 4.16 (March 21, 2022)

I am coding the complete table.
Port Number   Layer 4 Protocol   Layer 5 Protocol   RFC   Description
137           UDP                NETBIOS                  Name Services
138           UDP                NETBIOS                  Datagram
139           TCP                NETBIOS                  Session service
445           TCP                SMB                      SMB
(Table: SMB on the OSI model)

At this point we know what Samba is and what it can be used for. Next we need to enumerate remote shares, users/groups, disks and their respective privileges, and of course passwords 😀

Enumerate SMB Protocol

After detecting the SMB service on port 445 (or on another port) we can start enumerating remote shares and the permissions (Read/Write/Execute) each user or group has on them.
If we are lucky we find a share with RWX permissions and no authentication that contains documents, or that is mapped to the document root of a web server with Apache running as root... This shit still happens nowadays.

Before starting the enumeration phase on SMB we need to know one thing first: what operating system is running on the remote machine?

SMB Penetration Testing

We scanned a remote machine and noticed that port 445 is open with SMB running on it; the remote operating system is Linux, Ubuntu 18.04! At the moment we don't know anything about users, shares, passwords, permissions, or exploits.

Enumerating SMB Running on Linux

There are many tools on the Internet to scan and attack SMB; here I will explain the most common ones: smbmap, smbclient, crackmapexec, and enum4linux. For this example I use the Metasploitable2 machine.

Let’s start scanning our remote machine and try to root it!

nmap 192.168.1.91
(screenshot: SMB scan)

After scanning the machine we can confirm that ports 139 and 445 are open and running SMB with NetBIOS integration. The next step is to check whether any shared folders exist and what permissions they have.


SMB Pentesting – Public Shares

smbmap -H 192.168.1.91
(screenshot: SMB shares)

As we can see there are five shares available and only one of them has Read & Write permissions, but at this point we don't know any usernames or passwords. What can we do? Investigate the tmp share with another parameter, -R (recursive listing).

List Remote Share

smbmap -H 192.168.1.91 -R tmp
(screenshot: SMB list remote share)

Pentesting SMB Null Sessions

By default smbmap already tests null sessions, but if you need to do it explicitly, here is the command:

smbmap -H 192.168.1.91 -u "" -p "" -R tmp

Enumerate Users

nmblookup -A <IP>

Enumerating SMB on Windows

On Windows we can also deal with other protocols like NetBIOS, CIFS, and WMI.

Enumerate Windows machine with Samba

Remote Command Execution on SMB

enum4linux -a -R 500-600,950-1150
python smbmap.py -u 'admin' -p 'qwerty1234!' -d ACME -H 10.1.3.30 -x 'net group "Domain Admins" /domain'

Metasploit SMB vulnerability scanner

Eternal Blue

SMB login via Brute Force

PSexec to connect SMB

Rundll32 One-liner to Exploit SMB

SMB Exploit via NTLM Capture

SMB Exploits – Linux

SMB Exploits – Windows

  • ms08_067_netapi

References

https://smb-penetration-testing.popdocs.net/
