139,445 - SMB

Introduction

Port: 139,445 (TCP)

The Server Message Block (SMB) is a network protocol used by Windows-based computers that allow systems within the same network to share files. This service can run on either port 139 or port 445 by default.

SMB General Enumeration

A quick way to discover NetBIOS services on a network is with nbtscan.

nbtscan -r <NETWORK>/<MASK>

With Nmap, you can obtain domains, groups, processes, services, sessions, shares and users.

sudo nmap --script "smb-enum-*" -p139,445 <TARGET>
sudo nmap --script "smb2*" -p139,445 <TARGET>

Then, you can check for vulnerabilities.

sudo nmap --script "smb-vuln-*" -p139,445 <TARGET>

Thanks to crackmapexec and valid credentials, you can obtain helpful information with the following options:

--sam
--lsa
--sessions
--loggedon-users
--disks
--local-groups
--pass-pol
--rid-brute
--shares

crackmapexec smb <IP|RANGE> -d <DOMAIN> -u '<USERNAME>' -p '[ <PASSWORD> ]' [--<Option>]

Finally, you can use enum4linux to gather even more information:

enum4linux -a [-u "username" -p "password"] <IP>enum4linux -A [-u "username" -p "password"] <IP>enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>

User enumeration

After executing the Nmap scan, you should check if it allows NULL, guest or anonymous login to check if shares are available.

Note: -N is for not prompting for a password.

smbclient -N -L //<IP>/ [-U "[guest|anonymous]%[guest]"]

With crackmapexec this can be achieve with the following command.

crackmapexec smb <IP|RANGE> -d <DOMAIN> -u '<USERNAMES.TXT>' -p '[ <PASSWORDS.TXT> ]'

rpcclient enumeration - port: 135

Thanks to rpcclient, you can obtain information about the domain, printers, groups and users.

rpcclient -U '[<USERNAME>]' [-N] <TARGET> 
> querydominfo
> querydispinfo
> getdompwinfo
> enumdomusers
> enumprinters
> querydispinfo
> netshareenum
> netshareenumall

RID CYCLING ATTACK

Enumerate users by brute-forcing the RID on the remote target.

crackmapexec smb <IP> -d <DOMAIN>  -u '<USERNAME>' -p '<PASSWORD>' {--rid-brute | --users}
lookupsid.py '<DOMAIN>/<USERNAME>%<PASSWORD>'@<TARGET> [-no-pass]

Shares enumeration

Once checked that the attacker has access to the SMB service, it has to check the permissions for each share:

smbmap [-u "<USERNAME>" -p "[<PASSWORD>|<NTLM<_HASH>]"] -H <IP>
crackmapexec smb <IP|RANGE> -u '[<USERNAME>]' [-p '[<PASSWORD>]' | -H <NTLM_HASH> ] --shares
./checkSMBPermissions.sh <DOMAIN\\USER> <PASSWORD> <IP>

In case of read access, you can list the files of each share:

smbclient -L //<IP>/<SHARE> -U "[<USERNAME>]%[<PASSWORD>]"
# Recursive list
smbmap [-u "<USERNAME>" -p "<PASSWORD>"] -R [<SHARE>] -H <IP> [-P <PORT>] 
# Non-Recursive list
smbmap [-u "<USERNAME>" -p "<PASSWORD>"] -r [<SHARE>] -H <IP> [-P <PORT>]

Finally, you can access a share to upload or download the files manually or recursively.

smbclient //IP/<SHARE> -U "[<USERNAME>]%[<PASSWORD>]"
# Manually
smb: \> get <FILE>
smb: \> put <LOCAL_FILE>
# Recursive download
smb: \> prompt
smb: \> recurse
smb: \> mget *

Alternatively, you can mount a share to explore it.

sudo apt-get install cifs-utils
mount -t cifs //<IP>/<SHARE> <LOCAL_FOLDER> -o 'user=,password='

Netbios Enumeration- Port 139

nmblookup -A IPnbtscan IP

LANMAN1 Error

On older hosts, you can encounter errors interacting with them. As a solution add client min protocol = LANMAN1 to GLOBAL setting in /etc/samba/smb.conf

# Change this to the workgroup/NT-domain name your Samba server will part of
    workgroup = WORKGROUP
    client min protocol = LANMAN1
#### Networking ####

Another alternative is using --option='client min protocol'=LANMAN1 with the smbclient command.

Last updated 1 year ago