search

rectangle-history-circle-userSMB Pentesting Notes

hashtag
Protocol Overview

hashtag
Basic Information

  • Port: TCP 139 (NetBIOS), TCP 445 (Direct TCP/IP)

  • Protocol Type: Application layer

  • Purpose: File sharing, printer sharing, and remote administration

  • Security: Authentication and ACL-based access control

hashtag
Protocol Versions

  1. SMB 1.0/CIFS

    • Legacy version, highly vulnerable

    • Used in Windows NT/2000/XP

    • Should be disabled due to security risks

  2. SMB 2.0/2.1

    • Introduced with Windows Vista

    • Improved performance and reliability

    • Better security features

  3. SMB 3.0+

    • Introduced with Windows 8/Server 2012

    • Supports encryption and secure failover

    • Current standard for Windows networks

hashtag
Initial Enumeration

hashtag
Port Scanning

hashtag
Anonymous/Guest Access

hashtag
Testing Anonymous Access

hashtag
Brute Force Attacks

hashtag
Using Hydra

hashtag
Using CrackMapExec

hashtag
Using Metasploit

hashtag
Common NSE Scripts

hashtag
Share Operations

hashtag
Listing Shares

hashtag
Accessing Shares

hashtag
RPC Enumeration

hashtag
Using rpcclient

hashtag
RID Cycling

hashtag
Advanced Techniques

hashtag
Pass-the-Hash

hashtag
SMB Relay Attacks

hashtag
Configuration Files

hashtag
Samba Configuration

  • Main config: /etc/samba/smb.conf

  • Users database: /var/lib/samba/private/passdb.tdb

  • Share definitions: /etc/samba/shares.conf

hashtag
Windows Configuration

  • Registry: HKLM\System\CurrentControlSet\Services\LanmanServer

  • Group Policy: Computer Configuration\Windows Settings\Security Settings\File System

hashtag
Common Vulnerabilities

  1. Protocol Vulnerabilities

    • EternalBlue (MS17-010)

    • EternalRomance

    • SMBGhost (CVE-2020-0796)

  2. Configuration Issues

    • Null sessions allowed

    • Guest access enabled

    • Weak share permissions

    • Unencrypted traffic

  3. Authentication Issues

    • Weak passwords

    • Password reuse

    • Clear-text credentials

    • Kerberos misconfiguration

hashtag
Post-Exploitation

hashtag
Information Gathering

  • Enumerate domain users and groups

  • Map network shares

  • Identify sensitive files

  • Check for hidden shares

  • Extract system information

hashtag
Privilege Escalation

  • Check for writeable shares

  • Search for sensitive files

  • Look for stored credentials

  • Test for SeBackupPrivilege

  • Exploit service misconfigurations

hashtag
Common Status Codes

Code
Meaning

0x00000000

Success

0xC0000022

Access Denied

0xC000006D

Logon Failure

0xC0000203

User Session Deleted

0xC0000224

Password Change Required

hashtag
Best Practices for Pentesting

  1. Initial Reconnaissance

    • Identify SMB version

    • Check for null sessions

    • Test anonymous access

    • Map available shares

  2. Deep Enumeration

    • Enumerate users and groups

    • Check share permissions

    • Look for sensitive data

    • Test write access

    • Identify vulnerabilities

  3. Documentation

    • Record share listings

    • Document user accounts

    • Note system information

    • Save vulnerability evidence

  4. Risk Assessment

    • Evaluate security posture

    • Assess potential impact

    • Consider attack vectors

    • Prioritize vulnerabilities

  5. Reporting

    • Detail findings

    • Provide remediation steps

    • Include evidence

    • Suggest security improvements

PreviousFTP Pentesting NotesNextSSH Pentesting Notes