What is SMB
SMB - Server Message Block Protocol - is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network. [source (opens in a new tab)]
Servers make file systems and other resources (printers, named pipes, APIs) available to clients on the network. Client computers may have their own hard disks, but they also want access to the shared file systems and printers on the servers.
The SMB protocol is known as a response-request protocol, meaning that it transmits multiple messages between the client and server to establish a connection. Clients connect to servers using TCP/IP (actually NetBIOS over TCP/IP as specified in RFC1001 and RFC1002), NetBEUI or IPX/SPX.
-
How does SMB work?
Once they have established a connection, clients can then send commands (SMBs) to the server that allow them to access shares, open files, read and write files, and generally do all the sort of things that you want to do with a file system. However, in the case of SMB, these things are done over the network.
-
What runs SMB?
Microsoft Windows operating systems since Windows 95 have included client and server SMB protocol support. Samba, an open source server that supports the SMB protocol, was released for Unix systems.
-
SMB Ports
SMB run on the port 139 and 445
Find SMB Port
- Nmap
nmap -sV -sC IP -p110
- Possible to find SMB on an other port
Connection
Linux connection
- Enumeration (Need to know the share location & name of interesting file)
Enum4Linux ---> https://github.com/CiscoCXSecurity/enum4linux
Enum4Linux Commands
-
-U get userlist
-
-M get machine list
-
-N get namelist dump (different from -U and-M)
-
-S get sharelist
-
-P get password policy information
-
-G get group and member list
-
-a all of the above (full basic enumeration)
-
SMBclient
- smbclient -U USER '//[IP]/[SHARE]' ---> Connect
- smbclient //<ip>/anonymous` ---> Find Files
- smbget -R smb://<ip>/anonymous ---> Download all available files
- smbclient -U milesdyson '\\10.10.33.22\milesdyson ---> Example
-
-U [name] ---> Specify the user
-
-p [port] ---> Specify the port
-
SMB Terminal (Important commands)
- put ---> Upload Text
- get ---> Download text
- more ---> Read text
Windows Connection
- Crackmapexec (VERY GOOD)
crackmapexec smb IP -u '' -p '' -M spider_plus
crackmapexec smb IP -u 'guest' -p '' -M spider_plus
Trying no user and guest to see if enable on machine
-
-M spider_plus ---> Module in crackmapexec to map all directory we have read access and return the data in a json file
- It should return the json file in the /tmp/cme_spider_plus/IP.json
- You can then run the following command to see the result (cat /tmp/cme_spider_plus/IP.json |jq '. |map_values(keys)')
-
SMBmap
smbmap -H IP -d DOMAIN.local -u '' -p ''
- -u [name] ---> Specify the user (empty = Anonymous)
- -p [port] ---> Specify the port (empty = Anonymous)