# 139,445 - SMB

## Introduction

**Port**: 139,445 (TCP)

**Server Message Block** (SMB) is a network protocol used by Windows-based computers that allows systems on the same network to share files. The service listens on port 139 or port 445 by default.

## SMB General Enumeration

A quick way to discover NetBIOS services on a network is with **nbtscan**.

```bash
nbtscan -r <NETWORK>/<MASK>
```

With Nmap, you can obtain domains, groups, processes, services, sessions, shares and users.

```bash
sudo nmap --script "smb-enum-*" -p139,445 <TARGET>
sudo nmap --script "smb2*" -p139,445 <TARGET>
```

Then, you can check for vulnerabilities.

```bash
sudo nmap --script "smb-vuln-*" -p139,445 <TARGET>
```

Thanks to crackmapexec and valid credentials, you can obtain helpful information with the following options:

* --sam
* --lsa
* --sessions
* --loggedon-users
* --disks
* --local-groups
* --pass-pol
* --rid-brute
* --shares

```bash
crackmapexec smb <IP|RANGE> -d <DOMAIN> -u '<USERNAME>' -p '[ <PASSWORD> ]' [--<Option>]
```

Finally, you can use enum4linux to gather even more information:

```bash
enum4linux -a [-u "username" -p "password"] <IP>
enum4linux -A [-u "username" -p "password"] <IP>
enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>
```

## User enumeration

After executing the Nmap scan, you should check if it allows `NULL`, guest or anonymous login to check if shares are available.

**Note**: `-N` is for not prompting for a password.

```bash
smbclient -N -L //<IP>/ [-U "[guest|anonymous]%[guest]"]
```

With crackmapexec this can be achieved with the following command.

```bash
crackmapexec smb <IP|RANGE> -d <DOMAIN> -u '<USERNAMES.TXT>' -p '[ <PASSWORDS.TXT> ]'
```

## rpcclient enumeration - port: 135

Thanks to rpcclient, you can obtain information about the domain, printers, groups and users.

```bash
rpcclient -U '[<USERNAME>]' [-N] <TARGET>
> querydominfo
> querydispinfo
> getdompwinfo
> enumdomusers
> enumprinters
> netshareenum
> netshareenumall
```

### RID CYCLING ATTACK

Enumerate users by brute-forcing the RID on the remote target.

```bash
crackmapexec smb <IP> -d <DOMAIN>  -u '<USERNAME>' -p '<PASSWORD>' {--rid-brute | --users}
lookupsid.py '<DOMAIN>/<USERNAME>%<PASSWORD>'@<TARGET> [-no-pass]
```

## Shares enumeration

Once you have confirmed access to the SMB service, check the permissions of each share:

```bash
smbmap [-u "<USERNAME>" -p "[<PASSWORD>|<NTLM_HASH>]"] -H <IP>
crackmapexec smb <IP|RANGE> -u '[<USERNAME>]' [-p '[<PASSWORD>]' | -H <NTLM_HASH> ] --shares
./checkSMBPermissions.sh <DOMAIN\\USER> <PASSWORD> <IP>
```

In case of read access, you can list the files of each share:

```bash
smbclient //<IP>/<SHARE> -U "[<USERNAME>]%[<PASSWORD>]" -c 'ls'
# Recursive list
smbmap [-u "<USERNAME>" -p "<PASSWORD>"] -R [<SHARE>] -H <IP> [-P <PORT>]
# Non-Recursive list
smbmap [-u "<USERNAME>" -p "<PASSWORD>"] -r [<SHARE>] -H <IP> [-P <PORT>]
```

Finally, you can access a share to upload or download the files manually or recursively.

```bash
smbclient //<IP>/<SHARE> -U "[<USERNAME>]%[<PASSWORD>]"
# Manually
smb: \> get <FILE>
smb: \> put <LOCAL_FILE>
# Recursive download
smb: \> prompt
smb: \> recurse
smb: \> mget *
```

Alternatively, you can mount a share to explore it.

```bash
sudo apt-get install cifs-utils
mount -t cifs //<IP>/<SHARE> <LOCAL_FOLDER> -o 'user=,password='
```

## NetBIOS Enumeration - Port 139

```bash
nmblookup -A <IP>
nbtscan <IP>
```
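The following Python is an added example, not from the original page: it decodes the NBNS node-status exchange that `nmblookup -A` and `nbtscan` perform (RFC 1001/1002), so a defender can recognise the wildcard NBSTAT query on UDP/137 in a packet capture and read the names and MAC a host discloses in its reply. All packet bytes are constructed inline; `FILESRV01`, `CORP` and the MAC are made-up sample values.

```python
import struct

NBSTAT = 0x0021  # NBNS question/RR type: node status request

def encode_name(name: str, suffix: int = 0, pad: bytes = b" ") -> bytes:
    # RFC 1001 first-level encoding: 16-byte NetBIOS name -> 32 letters A..P
    raw = name.encode("ascii").ljust(15, pad)[:15] + bytes([suffix])
    return bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0xF) + 0x41))

def decode_name(enc: bytes) -> tuple:
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]

def build_nbstat_query(trn_id: int) -> bytes:
    # Wildcard ('*', NUL-padded) node status request: what nbtscan / nmblookup -A send
    hdr = struct.pack(">HHHHHH", trn_id, 0, 1, 0, 0, 0)  # query, 1 question
    return hdr + b"\x20" + encode_name("*", pad=b"\x00") + b"\x00" + struct.pack(">HH", NBSTAT, 1)

def is_wildcard_nbstat_query(pkt: bytes) -> bool:
    # Detection check for a UDP/137 payload: query bit clear, one question, name '*', type NBSTAT
    if len(pkt) < 50 or pkt[12] != 0x20:
        return False
    flags, qdcount = struct.unpack(">HH", pkt[2:6])
    return (not flags & 0x8000 and qdcount == 1 and decode_name(pkt[13:45])[0] == "*"
            and struct.unpack(">H", pkt[46:48])[0] == NBSTAT)

def parse_nbstat_response(pkt: bytes) -> dict:
    # Names (name, suffix, is_group) and MAC a host discloses in its NODE STATUS RESPONSE
    trn_id, flags, _qd, ancount = struct.unpack(">HHHH", pkt[:8])
    p = 12 + 1 + pkt[12] + 1  # skip header and the encoded RR name
    rtype, _cls, _ttl, _rdlen = struct.unpack(">HHIH", pkt[p:p + 10])
    if not flags & 0x8000 or ancount != 1 or rtype != NBSTAT:
        raise ValueError("not an NBNS response with a single NBSTAT answer")
    names, p = [], p + 11  # p now at first 18-byte entry; pkt[p-1] is NUM_NAMES
    for _ in range(pkt[p - 1]):
        e, p = pkt[p:p + 18], p + 18  # 15-char name, suffix byte, 2 flag bytes (G bit = group)
        names.append((e[:15].rstrip(b" ").decode("ascii", "replace"), e[15], bool(e[16] & 0x80)))
    mac = ":".join(f"{b:02x}" for b in pkt[p:p + 6])  # STATISTICS begins with UNIT_ID (MAC)
    return {"trn_id": trn_id, "names": names, "mac": mac}

def sample_response() -> bytes:
    # Constructed reply: workstation FILESRV01 in domain CORP, also registered as a server (<20>)
    entries = b"".join(n.encode().ljust(15, b" ") + bytes([s]) + struct.pack(">H", f)
                       for n, s, f in [("FILESRV01", 0x00, 0x0400), ("CORP", 0x00, 0x8400),
                                       ("FILESRV01", 0x20, 0x0400)])
    rdata = bytes([3]) + entries + bytes.fromhex("0011223344aa") + bytes(40)
    hdr = struct.pack(">HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)  # response bit set, 1 answer
    rr = b"\x20" + encode_name("*", pad=b"\x00") + b"\x00" + struct.pack(">HHIH", NBSTAT, 1, 0, len(rdata))
    return hdr + rr + rdata
```

Feeding real UDP/137 payloads from a capture to `is_wildcard_nbstat_query` gives a simple indicator of a NetBIOS sweep, and `parse_nbstat_response` shows exactly what each answering host leaks (the `<20>` suffix marks the file-server service, the group flag marks a domain or workgroup name).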

### LANMAN1 Error

On older hosts you may encounter protocol errors when interacting with them. As a workaround, add `client min protocol = LANMAN1` to the `[global]` section of `/etc/samba/smb.conf`:

```ini
# Change this to the workgroup/NT-domain name your Samba server will be part of
    workgroup = WORKGROUP
    client min protocol = LANMAN1
#### Networking ####
```

Another alternative is using `--option='client min protocol'=LANMAN1` with the smbclient command.

