SMB
Server Message Block
Check for SMB vulnerablities with Nmap:
$ sudo nmap -sV --script-args=unsafe=1 --script smb-os-discovery 10.10.13.37 -p139,445
$ sudo nmap -n -Pn -sV --script 'smb-vuln*' 10.10.13.37 -p445

Fingerprint

Enumerate SMB version for old versions of Samba (for security reasons modern clients will not initiate connection with legacy protocols in use):
$ sudo ngrep -i -d eth0 's.?a.?m.?b.?a.*[[:digit:]]' port 139
$ echo exit | smbclient -N -L 10.10.13.37 --option='client min protocol=LANMAN1'

Mounting

Mount:
$ sudo mount -t cifs '//127.0.0.1/Users' /mnt/smb -v -o user=snovvcrash,[pass='Passw0rd!']
Status:
$ mount -v | grep 'type cifs'
$ df -k -F cifs
Unmount:
$ sudo umount /mnt/smb

SMB Share with Null Authentication

Create an SMB share allowing null authentication.

Linux

/etc/samba/smb.conf
[global]
map to guest = bad user
server role = standalone server
usershare allow guests = yes
smb ports = 445
[smb]
comment = Samba
path = /srv/smb
guest ok = yes
read only = no
browsable = yes
force user = nobody
$ sudo service smbd restart
$ sudo chown -R nobody:root /srv/smb/
$ sudo chmod -R 777 /srv/smb/

Windows

PS > mkdir C:\share
PS > icacls C:\share\ /T /grant Anonymous` logon:r
PS > icacls C:\share\ /T /grant Everyone:r
PS > New-SmbShare -Path C:\share -Name share -ReadAccess 'ANONYMOUS LOGON','Everyone'
PS > REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f # this will overwrite existing NullSessionPipes
PS > REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d share /f
PS > REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f
PS > REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 0 /f

Hunt for Shares & Content

Tools

rpcclient

Check for null authentication:
$ rpcclient -N -L 127.0.0.1
With user creds:
$ rpcclient -U 'snovvcrash%Passw0rd!' 127.0.0.1

smbclient

Check for null authentication:
$ smbclient -N -L 127.0.0.1
$ smbclient -N '\\127.0.0.1\Data'
With user creds:
$ smbclient -U snovvcrash '\\127.0.0.1\Users' 'Passw0rd!'
Get all files recursively:
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *

smbmap

$ smbmap -H 127.0.0.1
$ smbmap -H 127.0.0.1 -u anonymous
$ smbmap -H 127.0.0.1 -u '' -p ''
$ smbmap -H 127.0.0.1 -u snovvcrash -p 'Passw0rd!' -R ShareName
$ smbmap -H 127.0.0.1 -u snovvcrash -p 'Passw0rd!' -R ShareName -A .
Last modified 27d ago