SMB Pentesting Notes

Protocol Overview

Basic Information

  • Port: TCP 139 (NetBIOS), TCP 445 (Direct TCP/IP)

  • Protocol Type: Application layer

  • Purpose: File sharing, printer sharing, and remote administration

  • Security: Authentication and ACL-based access control

Protocol Versions

  1. SMB 1.0/CIFS

    • Legacy version, highly vulnerable

    • Used in Windows NT/2000/XP

    • Should be disabled due to security risks

  2. SMB 2.0/2.1

    • Introduced with Windows Vista

    • Improved performance and reliability

    • Better security features

  3. SMB 3.0+

    • Introduced with Windows 8/Server 2012

    • Supports encryption and secure failover

    • Current standard for Windows networks

Initial Enumeration

Port Scanning

Anonymous/Guest Access

Testing Anonymous Access

Brute Force Attacks

Using Hydra

Using CrackMapExec

Using Metasploit

Common NSE Scripts

Share Operations

Listing Shares

Accessing Shares

RPC Enumeration

Using rpcclient

RID Cycling

Advanced Techniques

Pass-the-Hash

SMB Relay Attacks

Configuration Files

Samba Configuration

  • Main config: /etc/samba/smb.conf

  • Users database: /var/lib/samba/private/passdb.tdb

  • Share definitions: /etc/samba/shares.conf

Windows Configuration

  • Registry: HKLM\System\CurrentControlSet\Services\LanmanServer

  • Group Policy: Computer Configuration\Windows Settings\Security Settings\File System

Common Vulnerabilities

  1. Protocol Vulnerabilities

    • EternalBlue (MS17-010)

    • EternalRomance

    • SMBGhost (CVE-2020-0796)

  2. Configuration Issues

    • Null sessions allowed

    • Guest access enabled

    • Weak share permissions

    • Unencrypted traffic

  3. Authentication Issues

    • Weak passwords

    • Password reuse

    • Clear-text credentials

    • Kerberos misconfiguration
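The Samba configuration files listed above and the configuration issues just listed (null sessions, guest access, weak share permissions, unencrypted traffic) can be checked mechanically from smb.conf. The following checker is an added example and is not part of the original notes or of Samba itself; both sample configurations are constructed for illustration, and the weak one is shown beside a hardened one so the corrected settings are visible in the same place.

```python
# Added example (not from the original notes): a checker for Samba's
# smb.conf that flags the configuration issues these notes list, such as
# SMB1 enabled, guest or anonymous access, guest-writable shares and no
# encryption requirement. Both sample configs are constructed for
# illustration and are not taken from any real host.
import configparser
import io

WEAK_SMB_CONF = """\
[global]
workgroup = WORKGROUP
server min protocol = NT1 ; SMB1 dialect still negotiable
map to guest = Bad User ; unknown users silently become guest
restrict anonymous = 0
smb encrypt = off

[public]
path = /srv/public
guest ok = yes
writable = yes

[finance]
path = /srv/finance
valid users = @finance
read only = yes
"""

HARDENED_SMB_CONF = """\
[global]
workgroup = WORKGROUP
server min protocol = SMB3
map to guest = Never
restrict anonymous = 2
smb encrypt = required

[finance]
path = /srv/finance
valid users = @finance
read only = yes
"""

# Samba dialect names that mean "SMB1 or older is acceptable"
SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}


def load_smb_conf(text):
    """Parse smb.conf text; keys are case-insensitive and comments use ';' or '#'."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   inline_comment_prefixes=(";", "#"))
    cp.read_file(io.StringIO(text))
    return cp


def setting(cp, section, key, default):
    """Read a value, falling back to Samba's documented default when the key is absent."""
    return cp.get(section, key, fallback=default).strip().lower()


def is_yes(value):
    return value in ("yes", "true", "1")


def audit_smb_conf(text):
    """Return a list of (section, finding) tuples for weak settings."""
    cp = load_smb_conf(text)
    findings = []
    g = "global"
    if setting(cp, g, "server min protocol", "smb2_02") in SMB1_DIALECTS:
        findings.append((g, "SMB1 enabled: 'server min protocol' allows the NT1 dialect"))
    if setting(cp, g, "map to guest", "never") != "never":
        findings.append((g, "'map to guest' maps failed logons to the guest account"))
    if setting(cp, g, "restrict anonymous", "0") == "0":
        findings.append((g, "'restrict anonymous = 0' lets null sessions enumerate shares and users"))
    if setting(cp, g, "smb encrypt", "default") != "required":
        findings.append((g, "'smb encrypt' does not require SMB3 encryption; traffic may go in clear"))

    for share in cp.sections():
        if share in ("global", "homes", "printers"):
            continue
        guest = (is_yes(setting(cp, share, "guest ok", "no"))
                 or is_yes(setting(cp, share, "public", "no")))
        # 'writable'/'writeable' are inverse synonyms of 'read only' (default yes)
        writable = (is_yes(setting(cp, share, "writable", "no"))
                    or is_yes(setting(cp, share, "writeable", "no"))
                    or setting(cp, share, "read only", "yes") == "no")
        if guest:
            findings.append((share, "guest access enabled"))
        if guest and writable:
            findings.append((share, "guest-writable share: anyone can plant or modify files"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_smb_conf(WEAK_SMB_CONF):
        print(f"[{section}] {finding}")
    print("hardened config findings:", audit_smb_conf(HARDENED_SMB_CONF))
```

Run it against a real smb.conf by reading the file into `audit_smb_conf`; the defaults passed to `setting` are what Samba assumes when a parameter is missing, so an absent `restrict anonymous` is reported the same way as an explicit `0`.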

Post-Exploitation

Information Gathering

  • Enumerate domain users and groups

  • Map network shares

  • Identify sensitive files

  • Check for hidden shares

  • Extract system information

Privilege Escalation

  • Check for writeable shares

  • Search for sensitive files

  • Look for stored credentials

  • Test for SeBackupPrivilege

  • Exploit service misconfigurations

Common Status Codes

Code          Meaning
0x00000000    Success
0xC0000022    Access Denied
0xC000006D    Logon Failure
0xC0000203    User Session Deleted
0xC0000224    Password Change Required
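Knowing these codes matters on the defensive side as much as during a test: STATUS_LOGON_FAILURE repeated from one source across many usernames is password guessing, while STATUS_ACCESS_DENIED from a user who already authenticated is a share or ACL problem rather than a credential one. The decoder and detection logic below are an added example, not part of the original notes; the log line format and every line in SAMPLE_LOG are constructed for the example, and the regular expression is an assumption to be adapted to whatever source you actually have (Samba's smbd logs or Windows Security event 4625).

```python
# Added example (not from the original notes): decode the NTSTATUS codes
# from the table above and apply them to SMB authentication log lines to
# separate bad-credential noise from share-permission problems and to flag
# a source host that is guessing passwords. The log format and every line
# in SAMPLE_LOG are constructed for this example; adjust LOG_RE to match
# your own source.
import re
from collections import defaultdict

# The codes from the table, with their canonical NTSTATUS symbol names
NTSTATUS = {
    0x00000000: ("STATUS_SUCCESS", "Success"),
    0xC0000022: ("STATUS_ACCESS_DENIED", "Access Denied"),
    0xC000006D: ("STATUS_LOGON_FAILURE", "Logon Failure"),
    0xC0000203: ("STATUS_USER_SESSION_DELETED", "User Session Deleted"),
    0xC0000224: ("STATUS_PASSWORD_MUST_CHANGE", "Password Change Required"),
}
SEVERITY = ("success", "informational", "warning", "error")  # NTSTATUS bits 31:30

SAMPLE_LOG = """\
2024-03-01T09:00:01Z smbd src=10.0.0.5 user=alice status=0x00000000
2024-03-01T09:00:02Z smbd src=10.0.0.9 user=administrator status=0xC000006D
2024-03-01T09:00:02Z smbd src=10.0.0.9 user=backup status=0xC000006D
2024-03-01T09:00:03Z smbd src=10.0.0.9 user=svc_sql status=0xC000006D
2024-03-01T09:00:03Z smbd src=10.0.0.9 user=jsmith status=0xC000006D
2024-03-01T09:00:04Z smbd src=10.0.0.9 user=root status=0xC000006D
2024-03-01T09:00:05Z smbd src=10.0.0.5 user=alice status=0xC0000022
2024-03-01T09:00:06Z smbd src=10.0.0.7 user=bob status=0xC0000224
"""
# Assumed line layout; change this for your real log source
LOG_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) status=(?P<status>0x[0-9A-Fa-f]{8})")


def decode_status(value):
    """Accept an int or a '0x...' string; return (symbol, meaning, severity)."""
    code = int(value, 16) if isinstance(value, str) else int(value)
    code &= 0xFFFFFFFF
    symbol, meaning = NTSTATUS.get(code, ("UNKNOWN", f"unrecognised NTSTATUS 0x{code:08X}"))
    return symbol, meaning, SEVERITY[code >> 30]


def parse_log(text):
    """Turn log lines into dicts; lines that do not match LOG_RE are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            symbol, meaning, severity = decode_status(m["status"])
            events.append({"src": m["src"], "user": m["user"], "code": symbol,
                           "meaning": meaning, "severity": severity})
    return events


def failures_by_source(events):
    """Map source -> set of distinct usernames that produced STATUS_LOGON_FAILURE."""
    failed = defaultdict(set)
    for e in events:
        if e["code"] == "STATUS_LOGON_FAILURE":
            failed[e["src"]].add(e["user"])
    return failed


def flag_password_guessing(events, threshold=5):
    """Sources with >= threshold distinct usernames failing logon look like guessing."""
    return {src: len(users) for src, users in failures_by_source(events).items()
            if len(users) >= threshold}


def access_denied_after_logon(events):
    """ACCESS_DENIED for a user who already logged on is an ACL/share issue, not bad credentials."""
    logged_on = {(e["src"], e["user"]) for e in events if e["code"] == "STATUS_SUCCESS"}
    return [(e["src"], e["user"]) for e in events
            if e["code"] == "STATUS_ACCESS_DENIED" and (e["src"], e["user"]) in logged_on]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for src, n in flag_password_guessing(ev).items():
        print(f"{src}: logon failures for {n} distinct users")
    for src, user in access_denied_after_logon(ev):
        print(f"{src}: {user} authenticated but was denied access to a share")
```

The severity is taken from the top two bits of the NTSTATUS value (0xC… means error), which is why an unknown code still gets a useful classification; the guessing check counts distinct usernames per source rather than raw attempts, so a single user mistyping a password five times is not flagged while one host walking a username list is.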

Best Practices for Pentesting

  1. Initial Reconnaissance

    • Identify SMB version

    • Check for null sessions

    • Test anonymous access

    • Map available shares

  2. Deep Enumeration

    • Enumerate users and groups

    • Check share permissions

    • Look for sensitive data

    • Test write access

    • Identify vulnerabilities

  3. Documentation

    • Record share listings

    • Document user accounts

    • Note system information

    • Save vulnerability evidence

  4. Risk Assessment

    • Evaluate security posture

    • Assess potential impact

    • Consider attack vectors

    • Prioritize vulnerabilities

  5. Reporting

    • Detail findings

    • Provide remediation steps

    • Include evidence

    • Suggest security improvements