139,445 - SMB
Introduction
Port: 139,445 (TCP)
The Server Message Block (SMB) is a network protocol used by Windows-based computers that allow systems within the same network to share files. This service can run on either port 139 or port 445 by default.
SMB General Enumeration
A quick way to discover NetBIOS services on a network is with nbtscan.
nbtscan -r <NETWORK>/<MASK>
With Nmap, you can obtain domains, groups, processes, services, sessions, shares and users.
sudo nmap --script "smb-enum-*" -p139,445 <TARGET>
sudo nmap --script "smb2*" -p139,445 <TARGET>
Then, you can check for vulnerabilities.
sudo nmap --script "smb-vuln-*" -p139,445 <TARGET>
Thanks to crackmapexec and valid credentials, you can obtain helpful information with the following options:
--sam
--lsa
--sessions
--loggedon-users
--disks
--local-groups
--pass-pol
--rid-brute
--shares
crackmapexec smb <IP|RANGE> -d <DOMAIN> -u '<USERNAME>' -p '[ <PASSWORD> ]' [--<Option>]
Finally, you can use enum4linux to gather even more information:
enum4linux -a [-u "username" -p "password"] <IP>enum4linux -A [-u "username" -p "password"] <IP>enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>
User enumeration
After executing the Nmap scan, you should check if it allows NULL
, guest or anonymous login to check if shares are available.
Note: -N
is for not prompting for a password.
smbclient -N -L //<IP>/ [-U "[guest|anonymous]%[guest]"]
With crackmapexec this can be achieve with the following command.
crackmapexec smb <IP|RANGE> -d <DOMAIN> -u '<USERNAMES.TXT>' -p '[ <PASSWORDS.TXT> ]'
rpcclient enumeration - port: 135
Thanks to rpcclient, you can obtain information about the domain, printers, groups and users.
rpcclient -U '[<USERNAME>]' [-N] <TARGET>
> querydominfo
> querydispinfo
> getdompwinfo
> enumdomusers
> enumprinters
> querydispinfo
> netshareenum
> netshareenumall
RID CYCLING ATTACK
Enumerate users by brute-forcing the RID on the remote target.
crackmapexec smb <IP> -d <DOMAIN> -u '<USERNAME>' -p '<PASSWORD>' {--rid-brute | --users}
lookupsid.py '<DOMAIN>/<USERNAME>%<PASSWORD>'@<TARGET> [-no-pass]
Shares enumeration
Once checked that the attacker has access to the SMB service, it has to check the permissions for each share:
smbmap [-u "<USERNAME>" -p "[<PASSWORD>|<NTLM<_HASH>]"] -H <IP>
crackmapexec smb <IP|RANGE> -u '[<USERNAME>]' [-p '[<PASSWORD>]' | -H <NTLM_HASH> ] --shares
./checkSMBPermissions.sh <DOMAIN\\USER> <PASSWORD> <IP>
In case of read access, you can list the files of each share:
smbclient -L //<IP>/<SHARE> -U "[<USERNAME>]%[<PASSWORD>]"
# Recursive list
smbmap [-u "<USERNAME>" -p "<PASSWORD>"] -R [<SHARE>] -H <IP> [-P <PORT>]
# Non-Recursive list
smbmap [-u "<USERNAME>" -p "<PASSWORD>"] -r [<SHARE>] -H <IP> [-P <PORT>]
Finally, you can access a share to upload or download the files manually or recursively.
smbclient //IP/<SHARE> -U "[<USERNAME>]%[<PASSWORD>]"
# Manually
smb: \> get <FILE>
smb: \> put <LOCAL_FILE>
# Recursive download
smb: \> prompt
smb: \> recurse
smb: \> mget *
Alternatively, you can mount a share to explore it.
sudo apt-get install cifs-utils
mount -t cifs //<IP>/<SHARE> <LOCAL_FOLDER> -o 'user=,password='
Netbios Enumeration- Port 139
nmblookup -A IPnbtscan IP
LANMAN1 Error
On older hosts, you can encounter errors interacting with them. As a solution add client min protocol = LANMAN1
to GLOBAL setting in /etc/samba/smb.conf
# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = WORKGROUP
client min protocol = LANMAN1
#### Networking ####
Another alternative is using --option='client min protocol'=LANMAN1
with the smbclient command.
Last updated