SMB Enumeration
SMB, which stands for "Server Message Block," is the protocol Windows systems (and Samba on Unix/Linux) use to share files, printers and named pipes over a network. Think of it as the common language that lets the computers in an office read and write the same documents. Modern SMB runs directly over TCP port 445; older deployments also carry SMB over the NetBIOS session service on TCP port 139, so both ports are worth scanning. Because SMB also transports authentication and remote-administration traffic, it is one of the first services to enumerate on an internal assessment.
SMB: Windows Discover & Mount
This section covers SMB on Windows (TCP 139/445): how to detect the service with Nmap and how to mount and remove a share from a Windows client. The following commands help identify SMB services on any Windows host:
To identify SMB services with Nmap, scan TCP ports 139 and 445 with service/version detection (-sV); the version string distinguishes a Windows host from a Samba server.
To check whether the target still accepts SMB version 1, run Nmap with the smb-protocols NSE script against port 445. The script lists the dialects the server negotiates; an entry of NT LM 0.12 means SMBv1 is enabled. SMBv1 is obsolete and should be disabled, so its presence is a finding on its own.
Other Nmap flags which can help:
-sV: probe open ports to determine the service and version behind them
-p-: scan all 65535 TCP ports instead of the default top 1000
-A: aggressive mode (OS detection, version detection, default scripts, traceroute); thorough but noisy
-T4: faster timing template; fine on a LAN, can miss ports on slow or rate-limited links
Add / Access SMB Drive from your computer: map a share to a drive letter with net use <letter>: \\server\share, adding /user:DOMAIN\account when the current login has no rights on the share; the share can also be opened directly as \\server\share in Explorer.
Remove / Delete SMB Drive from your computer: disconnect the mapped drive letter with net use <letter>: /delete.
SMB: Nmap Enumeration Scripts
Nmap ships NSE scripts (smb-*) that enumerate a running SMB or Samba service: smb-os-discovery for the OS and domain/workgroup, smb-enum-shares and smb-enum-users for shares and accounts, smb-security-mode for message signing, and smb-protocols for the dialects in use. Most of them work over a null session where the server allows one; otherwise pass credentials with --script-args smbusername=... and smbpassword=....
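As an added example (not code from the original page), the following shell script shows what to do with the Nmap scans described above and with the script output from this section: it pulls the hosts with 445 (or 139) open out of grepable output and flags hosts that still negotiate SMBv1 or do not require message signing. The scan outputs, the 10.10.10.x addresses and the file names are constructed for the example.

```bash
#!/bin/sh
# Added example (not from the original page): triage Nmap SMB discovery output.
# The scan it parses would be produced by (not executed here):
#   nmap -p 139,445 -sV --script smb-protocols,smb-security-mode \
#        -oG smb.gnmap -oN smb.nmap <targets>
# Everything runs offline on CONSTRUCTED samples; the 10.10.10.x hosts are made up.

# Constructed grepable (-oG) output. Each Ports: entry looks like
# port/state/proto/owner/service/rpcinfo/version/ and entries are separated by ", ".
SAMPLE_GNMAP='# Nmap 7.94 scan initiated (constructed sample)
Host: 10.10.10.5 ()  Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Windows Server 2019 microsoft-ds/  Ignored State: closed (998)
Host: 10.10.10.6 ()  Ports: 445/closed/tcp//microsoft-ds///  Ignored State: filtered (999)
Host: 10.10.10.7 ()  Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Samba smbd 4.6.2/  Ignored State: closed (998)
# Nmap done (constructed sample)'

# Constructed normal (-oN) output with the two NSE script results.
SAMPLE_NMAP='Nmap scan report for 10.10.10.5
445/tcp open  microsoft-ds Windows Server 2019 microsoft-ds
Host script results:
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2:0:2
|     3:0:0
|_    3:1:1
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
Nmap scan report for 10.10.10.7
445/tcp open  netbios-ssn Samba smbd 4.6.2
Host script results:
| smb-protocols:
|   dialects:
|     2:0:2
|_    3:1:1
| smb-security-mode:
|   account_used: guest
|_  message_signing: required'

# Hosts where a given TCP port is open, from grepable output on stdin.
hosts_with_open_port() {
  awk -v port="$1" '
    /^Host:/ && /Ports:/ {
      host = $2
      s = $0
      sub(/.*Ports: /, "", s)                  # keep only the port list
      sub(/[ \t]*Ignored State:.*/, "", s)
      n = split(s, entry, /, /)
      for (i = 1; i <= n; i++) {
        split(entry[i], f, "/")                # f[1]=port f[2]=state
        if (f[1] == port && f[2] == "open") print host
      }
    }'
}

# Weak settings from the script output on stdin: SMBv1 still negotiated (obsolete
# dialect) or message signing not enforced (a man-in-the-middle can relay or tamper).
smb_weaknesses() {
  awk '
    /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host) }
    /\(SMBv1\)/                               { print host " accepts SMBv1 (NT LM 0.12)" }
    /message_signing: (disabled|supported)/   { print host " does not require SMB signing" }
  '
}

echo "[*] hosts with TCP 445 open:"
printf '%s\n' "$SAMPLE_GNMAP" | hosts_with_open_port 445
echo "[*] weak SMB settings:"
printf '%s\n' "$SAMPLE_NMAP" | smb_weaknesses
```

Run the real scan with -oG and -oN and feed the files to the two functions (hosts_with_open_port 445 < smb.gnmap; smb_weaknesses < smb.nmap). A host that appears in the second list is a finding before any credentials are tried.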
Knowledge Center:
A "null session" in SMB networking is an unauthenticated connection (empty username and empty password) to the IPC$ share, which allows access to some resources without credentials. Historically it was used for tasks like resource enumeration; today it is a security risk, potentially granting unauthorized entry to sensitive data and system resources if not managed properly. Modern Windows versions restrict anonymous access by default, so most of the null-session checks below succeed only on misconfigured hosts or on older Samba servers.
SMB: SMBMap
This command uses smbmap to list the accessible shares on the specified target over a null session (guest access, no password), passing a comma as the domain (-d) value.
This command uses smbmap to enumerate shares on the indicated target, authenticating as "administrator" with the password "smbserver_771" and again passing a comma as the domain value. Every password on this page is a lab value.
This command uses smbmap to execute 'ipconfig' on the specified target (-x), authenticating as "administrator" / "smbserver_771", to gather its network configuration. Command execution this way requires local administrator rights on the target and leaves process-creation traces there.
This command uses smbmap to list the shares on the provided target as "administrator" / "smbserver_771" and display each share's permissions (NO ACCESS, READ ONLY, READ, WRITE).
This command uses smbmap to browse the C$ administrative share on the specified target (-r), authenticating as "administrator" / "smbserver_771". Read access to C$ or ADMIN$ is itself proof of administrative rights on the host.
This command uses smbmap to upload the 'backdoor' file from '/root' to 'C$\backdoor' on the specified target (--upload), authenticating as "administrator" / "smbserver_771". Writing to the system drive is loud: the new file is visible to endpoint protection and in file-creation audit logs.
This command uses smbmap to download 'flag.txt' from the C$ share of the given target (--download), authenticating as "administrator" / "smbserver_771".
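The smbmap listings above differ only in which permission column each share lands in, and that column is what matters: a readable C$ proves administrative rights, a writable user share is a place to stage files. As an added example that is not part of the original page, the script below classifies an smbmap listing that way; both listings, the host 10.10.10.5 and the credentials are constructed for the example.

```bash
#!/bin/sh
# Added example (not from the original page): classify the shares that smbmap reports.
# The listings come from commands like these (not executed here; host and creds are assumptions):
#   smbmap -H 10.10.10.5 -u '' -p ''                        # null session
#   smbmap -H 10.10.10.5 -u administrator -p smbserver_771  # authenticated
# Both samples below are CONSTRUCTED in smbmap's table layout.

SAMPLE_NULL='[+] IP: 10.10.10.5:445   Name: 10.10.10.5
        Disk            Permissions     Comment
        ----            -----------     -------
        ADMIN$          NO ACCESS       Remote Admin
        C$              NO ACCESS       Default share
        IPC$            READ ONLY       Remote IPC
        Public          READ, WRITE     Drop folder
        Backups         READ ONLY       Nightly backups'

SAMPLE_ADMIN='[+] IP: 10.10.10.5:445   Name: 10.10.10.5
        Disk            Permissions     Comment
        ----            -----------     -------
        ADMIN$          READ, WRITE     Remote Admin
        C$              READ, WRITE     Default share
        IPC$            READ ONLY       Remote IPC
        Public          READ, WRITE     Drop folder'

# Print share names whose permission contains $1 ("READ", "WRITE" or "NO ACCESS").
# smbmap prints exactly one of NO ACCESS / READ ONLY / WRITE ONLY / READ, WRITE per row,
# so the row is classified by which of those strings it contains (a share comment that
# itself says e.g. "READ ONLY" would be misread; share names with spaces are not handled).
shares_with() {
  awk -v want="$1" '
    /NO ACCESS|READ ONLY|READ, WRITE|WRITE ONLY/ {
      if (index($0, "READ, WRITE"))      perm = "READ, WRITE"
      else if (index($0, "READ ONLY"))   perm = "READ ONLY"
      else if (index($0, "WRITE ONLY"))  perm = "WRITE ONLY"
      else                               perm = "NO ACCESS"
      if (index(perm, want)) print $1
    }'
}

# Readable C$ or ADMIN$ means the account is a local administrator on that host.
admin_level_access() {
  shares_with READ | grep -E '^(C|ADMIN)\$$' || true
}

# Writable non-administrative shares are where payloads, SCF/LNK lures or modified
# scripts get dropped, so they are the first thing to report from a null session.
writable_user_shares() {
  shares_with WRITE | grep -Ev '\$$' || true
}

triage() {   # stdin = smbmap listing
  tmp=$(mktemp)
  cat > "$tmp"
  echo "readable : $(shares_with READ  < "$tmp" | tr '\n' ' ')"
  echo "writable : $(writable_user_shares < "$tmp" | tr '\n' ' ')"
  echo "admin    : $(admin_level_access   < "$tmp" | tr '\n' ' ')"
  rm -f "$tmp"
}

echo "[*] null session:";  printf '%s\n' "$SAMPLE_NULL"  | triage
echo "[*] administrator:"; printf '%s\n' "$SAMPLE_ADMIN" | triage
```

Pipe a real run into it (smbmap -H <target> -u '' -p '' | triage); an empty "admin" line with a non-empty "writable" line is the usual null-session result worth writing up.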
SMB: Samba
Samba is an open-source software suite that provides file and print services to SMB/CIFS clients, so Unix/Linux servers can serve Windows-based clients and share files, printers and other services across platforms. This part covers SMB on Linux systems, i.e. Samba (TCP ports 139 and 445), and the tools and scripts used to discover and enumerate it; each is outlined below. A Samba server normally identifies itself in the Nmap version string (Samba smbd x.y.z), and older Samba releases are far more permissive about null sessions than current Windows.
RPC-Client tool for Samba Enumeration
RPC (Remote Procedure Call) lets a program call functions on another computer as if they were local. On Windows the endpoint mapper listens on TCP port 135 and hands out dynamically allocated ports for individual services, but the RPC interfaces that matter for SMB enumeration (SAMR for accounts and groups, LSARPC for SIDs, SRVSVC for shares) are reached as named pipes over the SMB session itself, on port 445 or 139. rpcclient, part of the Samba suite, talks to those pipes, which is why it works against Samba as well as Windows without port 135 being reachable.
This command connects rpcclient to the target's RPC pipes without a username or password (-U "" together with -N), i.e. over a null session; if the server rejects anonymous binds, supply credentials with -U user%password instead.
Inside the rpcclient prompt, srvinfo retrieves basic information about the remote server, including its operating system version and server type.
enumdomusers lists the user accounts of the domain (or of the local SAM on a standalone host), each with its RID; those RIDs are the raw material for RID cycling when the listing itself is refused.
lookupnames <user> resolves an account name to its SID, and queryuser <RID> returns the account's attributes (full name, description, last logon, password last set, and so on).
enumdomgroups enumerates the domain groups; querygroupmem <group RID> then lists the members of one of them.
Enum4linux tool for Samba Enumeration
enum4linux wraps rpcclient, smbclient and nmblookup and tries a null session first; pass -u and -p when anonymous access is refused. Its switches select what to pull: -a runs all simple enumeration, -U users, -G groups with their members, -S shares, -P the password policy, -M machines, -o OS information and -r user enumeration by RID cycling.
This command performs a comprehensive enumeration of the target's SMB service, revealing details about users, shares, groups, the password policy and the OS.
This command enumerates user and group information from the target in a Windows network using SMB and NetBIOS.
This command performs a complete enumeration of the target over SMB, focusing on gathering user and group information.
This command enumerates group memberships from the target over SMB.
This command retrieves the target's users, shares and other details over SMB. Note the password policy it reports: the lockout threshold decides how many guesses per account a later dictionary attack can safely make.
Smbclient tool for Samba Enumeration
This command lists the shares available on the specified target anonymously (smbclient -L //<target> -N, where -N suppresses the password prompt).
This command opens the "Public" share on the specified target anonymously (smbclient //<target>/Public -N), dropping into an interactive smb: \> prompt.
Inside that interactive session, help displays the available commands, ls lists files and directories, cd changes directory and get retrieves a file; put uploads one. The same commands can be handed to smbclient with -c '<commands>' on the command line, which runs them without the prompt and is what scripts use.
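Added example, not from the original page: the interactive commands above can be passed to smbclient with -c, which is how share probing and bulk download get scripted. The script parses a constructed smbclient -L listing into its Disk shares and defines probing and download helpers around -c; the host 10.10.10.5 and the share names are assumptions, and the helpers that touch the network are defined but not run.

```bash
#!/bin/sh
# Added example (not from the original page): script smbclient instead of typing into its
# prompt. Host 10.10.10.5 and the share names are assumptions; the listing below is a
# CONSTRUCTED sample in the format printed by:  smbclient -L //10.10.10.5 -N

SAMPLE_LIST='
        Sharename       Type      Comment
        ---------       ----      -------
        Public          Disk      Drop folder
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (Samba 4.15.13-Ubuntu)
SMB1 disabled -- no workgroup available'

# stdin -> names of Disk shares; IPC$ (named pipes) and printer queues are skipped.
disk_shares() {
  awk '$2 == "Disk" { print $1 }'
}

# -c hands smbclient the session commands and exits; the exit status says whether the
# anonymous (-N) connection and the listing worked. Nothing is printed, only the status.
probe_share() {   # $1 host, $2 share
  smbclient "//$1/$2" -N -c 'ls' >/dev/null 2>&1
}

# Pull a whole share without the per-file prompt (interactively this is:
# recurse ON, prompt OFF, mget *). Files land in the local directory given as $3.
dump_share() {    # $1 host, $2 share, $3 local directory
  mkdir -p "$3" && ( cd "$3" && smbclient "//$1/$2" -N -c 'recurse ON; prompt OFF; mget *' )
}

# For every Disk share in a listing on stdin, report whether a null session can list it.
# Needs smbclient and network access; without the binary it only shows what would run.
probe_all() {     # $1 host, stdin = smbclient -L output
  disk_shares | while read -r share; do
    if ! command -v smbclient >/dev/null 2>&1; then
      echo "would run: smbclient //$1/$share -N -c ls"
    elif probe_share "$1" "$share"; then
      echo "$share: anonymous listing allowed"
    else
      echo "$share: denied"
    fi
  done
}

echo "[*] disk shares in sample listing:"
printf '%s\n' "$SAMPLE_LIST" | disk_shares
```

Against a live host the loop is smbclient -L //<target> -N | probe_all <target>, followed by dump_share for each share it reports as allowed; keep the download directory outside any web root or synced folder, since the pulled files may include credentials.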
Msfconsole tool for Samba Enumeration
auxiliary/scanner/smb/smb_version: fingerprints the SMB service (OS, build, domain or workgroup and the dialects it speaks) across a range of hosts.
auxiliary/scanner/smb/smb2: detects whether the target supports SMB version 2; it is a detection module, not a vulnerability scanner.
auxiliary/scanner/smb/smb_enumshares: lists the shares on each host with their type and comment, using the SMBUser/SMBPass options or a null session when none are set.
Nmblookup tool for Samba Enumeration
This command performs a NetBIOS lookup for the specified target (nmblookup -A <ip> queries the node status over UDP 137) and returns its NetBIOS name table: the host name, its workgroup or domain, and service entries such as <20> (file server) and <1C> (domain controller).
SMB: SMB Dictionary Attack
SMB Dictionary Attack is a method used to guess credentials for SMB (Server Message Block) services by systematically trying a list of usernames and passwords. Attackers use tools to automate the attempts in order to gain unauthorized access to shared resources or administrative functions on a target system. Account lockout policies make this noisy and potentially destructive: lock out real users and the engagement turns into a denial of service, so read the lockout threshold (enum4linux -P reports it) first and stay under it.
In msfconsole, the auxiliary/scanner/smb/smb_login module tests SMB credentials across a range of hosts (SMBUser/SMBPass for a single pair, or USER_FILE, PASS_FILE and USERPASS_FILE for lists), reports every valid pair and notes when a login has administrative rights on the host.
The following command uses Hydra to brute-force the target's SMB service with the username "admin" and the rockyou.txt wordlist (hydra -l admin -P rockyou.txt smb://<target>). rockyou.txt has over fourteen million entries, so against a domain account this is a lockout waiting to happen; use it only on lockout-exempt accounts or cap the attempts per account.
In msfconsole, the auxiliary/scanner/smb/pipe_auditor module lists which named pipes on the target can be opened with the supplied (or null) credentials.
In SMB, named pipes are inter-process communication endpoints exposed through the IPC$ share: a client opens \\server\pipe\<name> and exchanges messages with the service behind it. Pipes such as samr, lsarpc, srvsvc and svcctl are what rpcclient, enum4linux and the Metasploit modules talk to, so the set of reachable pipes tells you which enumeration and remote-administration interfaces the target exposes.
Hacker's Mantra:
If security were all that mattered, computers would never be turned on, let alone hooked into a network with literally millions of potential intruders. - Dan Farmer