SMB - 139 or 445

The SMB protocol lets a client communicate with other participants in the same network to access files or services shared with it on the network.

  • Server Message Block (SMB/CIFS) is a client-server protocol that manages access to files and directories and to other network resources such as printers, routers and interfaces.
  • Mostly Windows.
  • Downward-compatible, which means that devices running newer editions can easily communicate with devices running an older Microsoft operating system.
  • The machines must first establish a connection; the server then processes the client request using an SMB server application.

  • An SMB server can provide arbitrary parts of its local file system as shares.

  • The hierarchy visible to a client is partially independent of the structure on the server.
  • Access is governed by Access Control Lists (ACLs).
  • ACLs give fine-grained control based on attributes such as execute, read, and full access for individual users or user groups.
  • The ACLs are defined per share and therefore do not correspond to the rights assigned locally on the server.

  • Samba software is used in Linux/Unix systems to enable cross-platform communication over SMB.
  • Samba implements the CIFS (Common Internet File System) network protocol.
    • Old SMB (< 1.0) operates over NetBIOS on port 139.
    • New SMB operates over TCP on port 445.

  • Samba v3 - can be a member of an AD domain
  • Samba v4 - can provide an AD domain controller
  • Uses smbd (SMB server daemon) and nmbd (NetBIOS name server daemon).

  • Samba can be used for both Linux and Windows

  • Every host in a network participates in the same workgroup.
  • A workgroup is a collection of hosts and resources on an SMB network.
  • Multiple workgroups can exist in one network at the same time.

Configuration

  • cat /etc/samba/smb.conf | grep -v "#\|\;" - show the configuration without comment lines
  • [global] - settings for the SMB server that apply to all shares
  • Individual shares - folders that are shared via the SMB server; their settings can override the global settings

Dangerous Configs:

  • Configure Samba and test it: edit /etc/samba/smb.conf
  • Restart the SMB server: sudo systemctl restart smbd
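The notes above point out that share sections can override the [global] settings, which is exactly where risky combinations hide. The following audit script is an added example (not part of these notes): it applies the same comment-line filter as the cat | grep -v command, resolves each share's effective guest and write settings against [global], and reports what a defender would want to review. The sample smb.conf is constructed; the parameter names checked (guest ok / public, writable / writeable / read only, map to guest) are standard Samba options, while the choice of which combinations to report is this example's own.

```python
"""Audit an smb.conf for shares exposed to guest and write access.

Added example, not part of the original notes. It assumes the Samba
config syntax ([section] headers, "key = value" lines, comment lines
starting with '#' or ';') and the standard Samba parameter names
'guest ok'/'public', 'writable'/'writeable'/'read only' and
'map to guest'. Which combinations are reported is this example's own
choice of what a defender would want to review.
"""
import re

# Constructed sample config; the comment lines are what the
#   cat /etc/samba/smb.conf | grep -v "#\|\;"
# command from the notes would strip.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = DEVOPS
   # unknown users are mapped to the guest account
   map to guest = bad user
   read only = yes

[notes]
   path = /mnt/notes
   guest ok = yes
   ; overrides the global default
   read only = no

[private]
   path = /mnt/private
   valid users = @devops
   writable = yes

[printers]
   path = /var/spool/samba
   printable = yes
"""

_TRUE = {"yes", "true", "1"}
_FALSE = {"no", "false", "0"}
# Samba treats 'writable'/'writeable' as the inverse of 'read only'.
_WRITE_KEYS = {"writable": False, "writeable": False, "read only": True}


def parse_smb_conf(text):
    """Return {section: {key: value}}; keys are lower-cased with whitespace
    collapsed, because Samba ignores case and spacing in parameter names
    ('Guest OK' == 'guest ok')."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def _truthy(value, default):
    v = None if value is None else value.lower()
    return True if v in _TRUE else False if v in _FALSE else default


def _writable_in(scope):
    """True/False if this scope sets writability, else None (last one wins)."""
    result = None
    for key, value in scope.items():
        if key in _WRITE_KEYS:
            flag = _truthy(value, False)
            result = (not flag) if _WRITE_KEYS[key] else flag
    return result


def share_is_writable(sections, share):
    """Share settings override [global]; Samba's default is read only = yes."""
    for scope in (sections.get(share, {}), sections.get("global", {})):
        result = _writable_in(scope)
        if result is not None:
            return result
    return False


def share_allows_guest(sections, share):
    """'guest ok' or its synonym 'public', share level first, then [global]."""
    for scope in (sections.get(share, {}), sections.get("global", {})):
        for key in ("guest ok", "public"):
            if key in scope:
                return _truthy(scope[key], False)
    return False


def audit(text):
    """Return (section, issue) pairs worth a defender's review."""
    sections = parse_smb_conf(text)
    findings = []
    guest_map = sections.get("global", {}).get("map to guest", "never")
    if guest_map.lower() != "never":
        findings.append(("global", f"map to guest = {guest_map}: unknown logins become guest"))
    for name in sections:
        if name == "global":
            continue
        guest, writable = share_allows_guest(sections, name), share_is_writable(sections, name)
        if guest and writable:
            findings.append((name, "guest-accessible AND writable"))
        elif guest:
            findings.append((name, "guest-accessible (read-only)"))
    return findings


if __name__ == "__main__":
    for section, issue in audit(SAMPLE_SMB_CONF):
        print(f"[{section}] {issue}")
```

On the constructed sample this reports the global guest mapping and the [notes] share, which inherits nothing dangerous from [global] on its own but becomes guest-writable through its own read only = no override; [private] is writable but limited to valid users, so it is not reported.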

Commands:

  • smbclient -N -L //10.129.14.128
    • -N : anonymous (null) login
    • -L : list shares
  • smbclient //10.129.14.128/notes - connect to the "notes" share
    • get <filename> - download a file from the share
    • !<cmd> - run local system commands, e.g. !ls lists the files in the current local directory
  • smbstatus - check the status and details of the connection

rpcclient:

  • rpcclient -U "" 10.129.14.128 - connect with an empty (null) username
  • All of this info can be leaked to an anonymous user.

RPCCLIENT Enumeration:

  • https://www.hackingarticles.in/active-directory-enumeration-rpcclient/
  • enumdomusers - list the domain users
  • queryuser 0x3e9 - query a user by RID
  • querygroup 0x201 - query a group by RID, based on the previous responses
  • Querying users in a loop:
    • for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
  • Enumerating users with Impacket's samrdump.py: samrdump.py 10.129.14.128
  • Using smbmap: smbmap -H 10.129.14.128
  • Using crackmapexec: crackmapexec smb 10.129.14.128 --shares -u '' -p ''
  • Using enum4linux-ng: ./enum4linux-ng.py 10.129.14.128 -A

  • Why smbstatus?
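The smbstatus command from the Commands section is the server-side view of what the enumeration above looks like: every null session and every share it opened appears there. The following added example (not part of these notes) parses smbstatus output and flags sessions a defender would look at first: logins under the guest account, SMB1 sessions, and sessions without signing. The sample output is constructed; the column layout assumed (PID, Username, Group, Machine, Protocol Version, Encryption, Signing, with '-' meaning not in use, and Service/pid in the share table) follows the Samba 4 smbstatus format, 'NT1' is assumed to be the label smbstatus prints for SMB1, and 'nobody' is assumed to be the guest account, as with map to guest.

```python
"""Flag guest, SMB1 and unsigned sessions in `smbstatus` output.

Added example, not part of the original notes. Assumptions: the session
table has whitespace-separated columns PID, Username, Group, Machine,
Protocol Version, Encryption and Signing with '-' meaning "not in use"
(the Samba 4 layout), the share table starts with Service and pid,
anonymous logins show up under the guest account (here 'nobody', as
with 'map to guest'), and 'NT1' is the protocol label smbstatus prints
for SMB1. The sample output below is constructed for this example.
"""
import re

SAMPLE_SMBSTATUS = """\
Samba version 4.13.5-Debian
PID     Username     Group        Machine                                   Protocol Version  Encryption    Signing
-------------------------------------------------------------------------------------------------------------------
1412    nobody       nogroup      10.129.14.1 (ipv4:10.129.14.1:41372)      SMB3_11           -             -
1427    alice        devops       10.129.14.7 (ipv4:10.129.14.7:50211)      SMB3_11           AES-128-GCM   AES-128-GMAC
1433    bob          devops       10.129.14.9 (ipv4:10.129.14.9:50390)      NT1               -             -

Service      pid     Machine       Connected at                     Encryption   Signing
-----------------------------------------------------------------------------------------
notes        1412    10.129.14.1   Mon Oct 10 09:14:02 2022 UTC     -            -
private      1427    10.129.14.7   Mon Oct 10 09:15:40 2022 UTC     -            AES-128-GMAC
"""

GUEST_ACCOUNTS = {"nobody", "guest"}   # assumption: accounts used for guest mapping
_COLS = re.compile(r"\s{2,}")           # columns are separated by 2+ spaces


def _table(text, header_prefix):
    """Yield the column lists of the table whose header starts with header_prefix."""
    in_table = False
    for line in text.splitlines():
        if line.startswith(header_prefix):
            in_table = True
        elif in_table:
            if not line.strip():
                return                      # a blank line ends the table
            if not line.startswith("---"):
                yield _COLS.split(line.strip())


def parse_sessions(text):
    """Session table -> list of dicts (machine keeps only the client address)."""
    sessions = []
    for cols in _table(text, "PID"):
        if len(cols) < 7:
            continue
        pid, user, group, machine, proto, enc, sign = cols[:7]
        sessions.append({"pid": int(pid), "user": user, "group": group,
                         "machine": machine.split()[0], "protocol": proto,
                         "encrypted": enc != "-", "signed": sign != "-"})
    return sessions


def parse_shares(text):
    """Share table -> {session pid: [share names]}."""
    shares = {}
    for cols in _table(text, "Service"):
        if len(cols) >= 2 and cols[1].isdigit():
            shares.setdefault(int(cols[1]), []).append(cols[0])
    return shares


def review(text):
    """Return (pid, reason) pairs a defender should look at."""
    shares = parse_shares(text)
    findings = []
    for s in parse_sessions(text):
        where = f"from {s['machine']} as {s['user']}"
        if s["user"] in GUEST_ACCOUNTS:
            on = ", ".join(shares.get(s["pid"], [])) or "no share yet"
            findings.append((s["pid"], f"guest/anonymous session {where} on: {on}"))
        if s["protocol"] == "NT1":
            findings.append((s["pid"], f"SMB1 (NT1) session {where}"))
        if not s["signed"]:
            findings.append((s["pid"], f"unsigned session {where}"))
    return findings


if __name__ == "__main__":
    for pid, reason in review(SAMPLE_SMBSTATUS):
        print(f"pid {pid}: {reason}")
```

Run against live output with something like smbstatus | python3 this_script.py adapted to read stdin; on the constructed sample it reports the nobody session on the notes share (guest and unsigned) and bob's SMB1 session, while alice's signed and encrypted SMB3 session passes.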