# 139,445 - SMB

## Introduction

**Port**: 139,445 (TCP)

**Server Message Block** (SMB) is a network protocol used by Windows-based systems that allows hosts on the same network to share files. By default the service listens on port 139 or port 445.

## SMB General Enumeration

A quick way to discover NetBIOS services on a network is with **nbtscan**.

```bash
nbtscan -r <NETWORK>/<MASK>
```

With Nmap, you can obtain domains, groups, processes, services, sessions, shares and users.

```bash
sudo nmap --script "smb-enum-*" -p139,445 <TARGET>
sudo nmap --script "smb2*" -p139,445 <TARGET>
```

Then, you can check for vulnerabilities.

```bash
sudo nmap --script "smb-vuln-*" -p139,445 <TARGET>
```

With crackmapexec and valid credentials, you can obtain helpful information using the following options:

* --sam
* --lsa
* --sessions
* --loggedon-users
* --disks
* --local-groups
* --pass-pol
* --rid-brute
* --shares

```bash
crackmapexec smb <IP|RANGE> -d <DOMAIN> -u '<USERNAME>' -p '[ <PASSWORD> ]' [--<Option>]
```

Finally, you can use enum4linux to gather even more information:

```bash
enum4linux -a [-u "username" -p "password"] <IP>
enum4linux -A [-u "username" -p "password"] <IP>
# Null session, then guest account, against a domain controller
enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>
```

## User enumeration

After the Nmap scan, check whether the target allows a `NULL` session, guest or anonymous login, and whether any shares are listed.

**Note**: `-N` tells smbclient not to prompt for a password.

```bash
smbclient -N -L //<IP>/ [-U "[guest|anonymous]%[guest]"]
```

With crackmapexec this can be achieved with the following command.

```bash
crackmapexec smb <IP|RANGE> -d <DOMAIN> -u '<USERNAMES.TXT>' -p '[ <PASSWORDS.TXT> ]'
```

## rpcclient enumeration - port: 135

With rpcclient, you can obtain information about the domain, printers, groups, users and shares.

```bash
rpcclient -U '[<USERNAME>]' [-N] <TARGET>
> querydominfo
> querydispinfo
> getdompwinfo
> enumdomusers
> enumprinters
> netshareenum
> netshareenumall
```

### RID CYCLING ATTACK

Enumerate users by brute-forcing the RID on the remote target.

```bash
crackmapexec smb <IP> -d <DOMAIN> -u '<USERNAME>' -p '<PASSWORD>' {--rid-brute | --users}
lookupsid.py '<DOMAIN>/<USERNAME>%<PASSWORD>'@<TARGET> [-no-pass]
```
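RID cycling produces a long list of `RID: DOMAIN\name (SidType...)` lines, and the useful step afterwards is turning that dump into a clean account list. The following Python is an added example (not part of the original page and not code from impacket or crackmapexec); it assumes the line layout printed by lookupsid.py as modelled in the constructed sample below, and the domain SID and account names are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout lookupsid.py prints (assumption: not
# captured from a real host; domain SID and names are invented).
SAMPLE_OUTPUT = """\
[*] Brute forcing SIDs at 10.0.0.5
[*] StringBinding ncacn_np:10.0.0.5[\\pipe\\lsarpc]
[*] Domain SID is: S-1-5-21-1111111111-2222222222-3333333333
500: CORP\\Administrator (SidTypeUser)
501: CORP\\Guest (SidTypeUser)
502: CORP\\krbtgt (SidTypeUser)
512: CORP\\Domain Admins (SidTypeGroup)
513: CORP\\Domain Users (SidTypeGroup)
1000: CORP\\DC01$ (SidTypeUser)
1104: CORP\\svc_backup (SidTypeUser)
1105: CORP\\jdoe (SidTypeUser)
"""

# Well-known RIDs that always map to the same principal in an AD domain.
WELL_KNOWN_RIDS = {
    500: "built-in Administrator",
    501: "built-in Guest",
    502: "krbtgt (KDC service account)",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}


@dataclass(frozen=True)
class Principal:
    rid: int
    domain: str
    name: str
    sid_type: str  # SidTypeUser, SidTypeGroup, SidTypeAlias, ...


ENTRY_RE = re.compile(r"^(\d+):\s+([^\\]+)\\(.+?)\s+\((SidType\w+)\)\s*$")
DOMAIN_SID_RE = re.compile(r"Domain SID is:\s+(S-1-5-21-\d+-\d+-\d+)")


def parse_lookupsid(text):
    """Return (domain_sid, [Principal, ...]) from lookupsid.py-style output."""
    domain_sid = None
    principals = []
    for line in text.splitlines():
        sid_match = DOMAIN_SID_RE.search(line)
        if sid_match:
            domain_sid = sid_match.group(1)
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            principals.append(
                Principal(int(entry.group(1)), entry.group(2),
                          entry.group(3), entry.group(4))
            )
    return domain_sid, principals


def user_accounts(principals):
    """Names of user accounts, skipping machine accounts (trailing '$')."""
    return [p.name for p in principals
            if p.sid_type == "SidTypeUser" and not p.name.endswith("$")]


def group_accounts(principals):
    return [p.name for p in principals if p.sid_type == "SidTypeGroup"]


def full_sid(domain_sid, rid):
    """Rebuild the complete SID of a principal from the domain SID and its RID."""
    return f"{domain_sid}-{rid}"


def annotate(principals):
    """Map each RID to its well-known meaning where one exists."""
    return {p.rid: WELL_KNOWN_RIDS.get(p.rid, "") for p in principals}


if __name__ == "__main__":
    sid, found = parse_lookupsid(SAMPLE_OUTPUT)
    print("domain SID:", sid)
    print("users:", user_accounts(found))
    print("groups:", group_accounts(found))
    for p in found:
        print(full_sid(sid, p.rid), p.name, annotate(found)[p.rid])
```

Pipe real `lookupsid.py` output into `parse_lookupsid` to get the same result on a live host; the well-known RID table is what lets you spot whether the cycled range reached the built-in accounts and the default groups.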

## Shares enumeration

Once you have confirmed access to the SMB service, check the permissions on each share:

```bash
smbmap [-u "<USERNAME>" -p "[<PASSWORD>|<NTLM_HASH>]"] -H <IP>
crackmapexec smb <IP|RANGE> -u '[<USERNAME>]' [-p '[<PASSWORD>]' | -H <NTLM_HASH> ] --shares
./checkSMBPermissions.sh <DOMAIN\\USER> <PASSWORD> <IP>
```
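When auditing many hosts, the smbmap permission table is the artefact you end up reading most, and the shares worth attention are the ones the tested principal (often a null session) can read or, worse, write. The following Python is an added example (not part of the original page and not smbmap's own code); it assumes the tab-separated table layout smbmap prints, as modelled in the constructed sample, and the host, share names and comments are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout smbmap prints (assumption: not captured
# from a real host; IP, share names and comments are invented).
SAMPLE_SMBMAP = (
    "[+] IP: 10.0.0.5:445\tName: 10.0.0.5\n"
    "        Disk                                                  \tPermissions\tComment\n"
    "\t----                                                  \t-----------\t-------\n"
    "\tADMIN$                                            \tNO ACCESS\tRemote Admin\n"
    "\tC$                                                \tNO ACCESS\tDefault share\n"
    "\tIPC$                                              \tREAD ONLY\tRemote IPC\n"
    "\tNETLOGON                                          \tREAD ONLY\tLogon server share\n"
    "\tSYSVOL                                            \tREAD ONLY\tLogon server share\n"
    "\tPublic                                            \tREAD, WRITE\t\n"
)

# Permission strings smbmap uses in its table.
SHARE_RE = re.compile(
    r"^\s*(\S+)\s+(NO ACCESS|READ ONLY|WRITE ONLY|READ, WRITE)\s*(.*?)\s*$"
)


@dataclass(frozen=True)
class Share:
    name: str
    permission: str
    comment: str

    @property
    def readable(self):
        return "READ" in self.permission

    @property
    def writable(self):
        return "WRITE" in self.permission

    @property
    def administrative(self):
        # ADMIN$, C$, IPC$ and similar default shares end in '$'.
        return self.name.endswith("$")


def parse_smbmap(text):
    """Return the Share rows found in smbmap-style output."""
    shares = []
    for line in text.splitlines():
        m = SHARE_RE.match(line)
        if m:
            shares.append(Share(m.group(1), m.group(2), m.group(3)))
    return shares


def audit_shares(shares):
    """Group shares by what the tested principal can do with them."""
    return {
        "writable": [s.name for s in shares if s.writable],
        # Readable custom shares are where stray credentials and configs live.
        "readable_custom": [s.name for s in shares
                            if s.readable and not s.administrative],
        "readable_default": [s.name for s in shares
                             if s.readable and s.administrative],
        "no_access": [s.name for s in shares if not s.readable and not s.writable],
    }


if __name__ == "__main__":
    result = audit_shares(parse_smbmap(SAMPLE_SMBMAP))
    for category, names in result.items():
        print(f"{category:17s}: {', '.join(names) or '-'}")
```

Run it on saved smbmap output (`smbmap ... > host.txt` and read the file instead of `SAMPLE_SMBMAP`). A non-empty `writable` list for a null or guest session is the finding to report first, since anyone on the network can drop files there.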

In case of read access, you can list the files of each share:

```bash
# List the files in a share (-L only lists the shares of a host)
smbclient //<IP>/<SHARE> -U "[<USERNAME>]%[<PASSWORD>]" -c 'ls'
# Recursive list
smbmap [-u "<USERNAME>" -p "<PASSWORD>"] -R [<SHARE>] -H <IP> [-P <PORT>]
# Non-recursive list
smbmap [-u "<USERNAME>" -p "<PASSWORD>"] -r [<SHARE>] -H <IP> [-P <PORT>]
```

Finally, you can access a share to upload or download the files manually or recursively.

```bash
smbclient //<IP>/<SHARE> -U "[<USERNAME>]%[<PASSWORD>]"
# Manually
smb: \> get <FILE>
smb: \> put <LOCAL_FILE>
# Recursive download
smb: \> prompt
smb: \> recurse
smb: \> mget *
```

Alternatively, you can mount a share to explore it.

```bash
sudo apt-get install cifs-utils
# Empty user/password attempts a null session; mounting requires root
sudo mount -t cifs //<IP>/<SHARE> <LOCAL_FOLDER> -o 'user=,password='
```

## NetBIOS enumeration - port 139

```bash
nmblookup -A <IP>
nbtscan <IP>
```

### LANMAN1 Error

On older hosts, you can encounter protocol negotiation errors when interacting with them. As a workaround, add `client min protocol = LANMAN1` to the `[global]` section of `/etc/samba/smb.conf`:

```ini
[global]
# Change this to the workgroup/NT-domain name your Samba server will part of
    workgroup = WORKGROUP
    client min protocol = LANMAN1
#### Networking ####
```

Alternatively, pass `--option='client min protocol=LANMAN1'` to the smbclient command.
