TwitterGitHubBlogSponsor

SMB

Server Message Block

Check for SMB vulnerablities with Nmap:

$ sudo nmap -sV --script-args=unsafe=1 --script smb-os-discovery 10.10.13.37 -p139,445
$ sudo nmap -n -Pn -sV --script 'smb-vuln*' 10.10.13.37 -p445

Check if SMB Signing is enabled with CME:

$ cme smb smb.txt | grep -a 'signing:False'

Fingerprint

Enumerate SMB version for old versions of Samba (for security reasons modern clients will not initiate connection with legacy protocols in use):

$ sudo ngrep -i -d eth0 's.?a.?m.?b.?a.*[[:digit:]]' port 139
$ echo exit | smbclient -N -L 10.10.13.37 --option='client min protocol=LANMAN1'

Mounting

Mount:

$ sudo mount -t cifs '//127.0.0.1/Users' /mnt/smb -v -o user=snovvcrash,[pass='Passw0rd!']

Status:

$ mount -v | grep 'type cifs'
$ df -k -F cifs

Unmount:

$ sudo umount /mnt/smb

SMB Share with Null Authentication

Create an SMB share allowing null authentication.

Linux

/etc/samba/smb.conf
[global]
   map to guest = bad user
   server role = standalone server
   usershare allow guests = yes
   smb ports = 445

[smb]
   comment = Samba
   path = /srv/smb
   guest ok = yes
   read only = no
   browsable = yes
   force user = nobody
$ sudo service smbd restart
$ sudo chown -R nobody:root /srv/smb/
$ sudo chmod -R 777 /srv/smb/

Windows

PS > mkdir C:\share
PS > icacls C:\share\ /T /grant Anonymous` logon:r
PS > icacls C:\share\ /T /grant Everyone:r
PS > New-SmbShare -Path C:\share -Name share -ReadAccess 'ANONYMOUS LOGON','Everyone'
PS > REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f  # this will overwrite existing NullSessionPipes
PS > REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d share /f
PS > REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f
PS > REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 0 /f

Hunt for Shares & Content

Tools

rpcclient

Check for null authentication:

$ rpcclient -N -L 127.0.0.1

With user creds:

$ rpcclient -U 'snovvcrash%Passw0rd!' 127.0.0.1

smbclient

Check for null authentication:

$ smbclient -N -L 127.0.0.1
$ smbclient -N '\\127.0.0.1\Data'

With user creds:

$ smbclient -U snovvcrash '\\127.0.0.1\Users' 'Passw0rd!'

Get all files recursively:

smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *

smbmap

$ smbmap -H 127.0.0.1
$ smbmap -H 127.0.0.1 -u anonymous
$ smbmap -H 127.0.0.1 -u '' -p ''
$ smbmap -H 127.0.0.1 -u snovvcrash -p 'Passw0rd!' -R ShareName
$ smbmap -H 127.0.0.1 -u snovvcrash -p 'Passw0rd!' -R ShareName -A .

Last updated