# Server Message Block (SMB)

## Introduction

- client-server protocol for regulating access to files and directories as well as other network resources such as printers, routers, or interfaces
- main application area has been the Windows OS, with downward-compatible support
- Samba, a free software project, enables the use of SMB on Linux and Unix distros
  - implements CIFS (Common Internet File System), which is a dialect of SMB
- within IP networks, SMB uses TCP
- an SMB server can provide arbitrary parts of its local fs as shares
- access rights to shares are defined by ACLs, which can be finely managed based on attributes such as execute, read, and full access for individual users or groups
- in a network, each host participates in the same workgroup, which is a group name identifying an arbitrary collection of computers and resources
  - there can be multiple workgroups on a network

## Footprinting SMB

```bash
sudo nmap <ip_addr> -sC -sV -p139,445
```

## SMB Enumeration with SMBClient

```bash
smbclient -N -L //<ip_addr>                                     #list shares via a null session (anonymous access without a password)
smbclient //<ip_addr>/<share_name> -U <user_name>               #connect as the specified user, will prompt for a password
smbclient //<ip_addr>/<share_name> --user <user_name>%'<password>'   #connect with the specified user and password

smb: \> help              #list available commands
smb: \> ls                #list files and directories
smb: \> get sample.txt    #download a file
smb: \> !ls               #execute ls on the local system
smb: \> !cat sample.txt   #cat the downloaded file locally
```

## SMB Enumeration with SMBMap & CME

```bash
smbmap -H <ip_addr>
cme smb <ip_addr> --shares -u '' -p ''
```

## enum4linux-ng

```bash
#automates many enumeration queries, including smb
git clone https://github.com/cddmp/enum4linux-ng.git
cd enum4linux-ng
pip3 install -r requirements.txt
./enum4linux-ng.py <ip_addr> -A
```

## SMB Enumeration with RPCClient

```bash
rpcclient -U "" <ip_addr>   #manually interact with SMB over MS-RPC

# rpc domain and share enumeration
rpcclient $> srvinfo
rpcclient $> enumdomains
rpcclient $> querydominfo
rpcclient $> netshareenumall
rpcclient $> netsharegetinfo <share_name>

# rpc user and group enumeration
rpcclient $> enumdomusers
rpcclient $> queryuser <0xRID>
rpcclient $> querygroup <0xRID>
```

### brute force user RIDs

```bash
for i in $(seq 500 1100); do
    rpcclient -N -U "" <ip_addr> -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo ""
done

samrdump.py <ip_addr>   #python script from Impacket
```

## SMB Config

```bash
cat /etc/samba/smb.conf | grep -v "#\|\;"   #filter out comment lines (# and ;)
sudo systemctl restart smbd                  #after adjusting the config file, restart the service for changes to take hold
```

| Setting                      | Description                                                              |
| ---------------------------- | ------------------------------------------------------------------------ |
| [sharename]                  | name of the network share                                                |
| workgroup = WORKGROUP/DOMAIN | workgroup that appears when clients query                                |
| path = /path/here/           | directory to which the user is given access                              |
| server string = STRING       | string that shows up when a connection is initiated                      |
| unix password sync = yes     | synchronize the UNIX password with the SMB password                      |
| usershare allow guests = yes | allow non-authenticated users to access defined shares                   |
| map to guest = bad user      | what is done when a user login request doesn't match a valid UNIX user   |
| browseable = yes             | should this share be shown in the list of available shares               |
| enable privileges = yes      | honor privileges assigned to a specific SID                              |
| guest ok = yes               | allow connecting to the service without a password                       |
| read only = yes              | allow users to only read files                                           |
| writable = yes               | allow users to create and modify files                                   |
| create mask = 700            | permissions mask for new files                                           |
| directory mask = 0777        | permissions mask for new directories                                     |
| logon script = script.sh     | what script runs on login                                                |

- per-share settings are defined in `/etc/samba/smb.conf`

## SMB Version History

| SMB Version | Supported OS                        | Features                                                               |
| ----------- | ----------------------------------- | ---------------------------------------------------------------------- |
| CIFS        | Windows NT 4.0                      | comms via NetBIOS                                                      |
| SMB 1.0     | Windows 2000                        | direct connection via TCP                                              |
| SMB 2.0     | Windows Vista, Windows Server 2008  | performance upgrades, improved message signing, caching interface      |
| SMB 2.1     | Windows 7, Windows Server 2008 R2   | locking mechanism                                                      |
| SMB 3.0     | Windows 8, Windows Server 2012      | multichannel connections, end-to-end encryption, remote storage access |
| SMB 3.0.2   | Windows 8.1, Windows Server 2012 R2 |                                                                        |
| SMB 3.1.1   | Windows 10, Windows Server 2016     | integrity checking, AES-128 encryption                                 |

- with version 3.0, the Samba server gained the ability to be a full member of an AD domain
- with version 4.0, the Samba server may act as a domain controller

## SMB Server Status Info

```bash
smbstatus   #show smb server info
```
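The SMB Config table above lists the settings that decide whether a share is reachable without credentials (`guest ok`, `map to guest`, `usershare allow guests`, `writable`/`read only`, `create mask`, `directory mask`). The script below is an added example, not code from the original notes or from the Samba project: it parses an `smb.conf` the way Samba reads it (`[section]` headers, `#`/`;` comment lines, `key = value` pairs, yes/no/true/false/1/0 booleans, the `writable`/`writeable`/`write ok`/`read only` synonyms), reports the weak combinations found, and produces a hardened copy. The sample config, the `audit`/`harden` function names and the severity labels are constructed for the example.

```python
import re

# Constructed sample smb.conf for the example (not a real host's configuration).
SAMPLE_CONF = """
# global settings
[global]
   workgroup = DEV
   map to guest = bad user
   usershare allow guests = yes

; an open scratch share
[notes]
   path = /srv/notes
   guest ok = yes
   browseable = yes
   writable = yes
   create mask = 0777

[finance]
   path = /srv/finance
   read only = yes
   guest ok = no
"""


def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}.

    Samba ignores lines that *begin* with '#' or ';' (it has no inline comments),
    treats parameter names case-insensitively and ignores surrounding whitespace.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def is_true(value):
    """Samba boolean parameters accept yes/no, true/false, 1/0 (case-insensitive)."""
    return value.strip().lower() in ("yes", "true", "1")


def share_is_writable(share):
    """'writable', 'writeable' and 'write ok' are synonyms; 'read only' is their inverse.
    Samba's default is read only = yes. (Simplification: synonyms are checked in a fixed
    order rather than 'last one in the file wins'.)"""
    for key in ("writable", "writeable", "write ok"):
        if key in share:
            return is_true(share[key])
    if "read only" in share:
        return not is_true(share["read only"])
    return False


def mask_world_writable(mask):
    """True if an octal create/directory mask lets 'other' write (e.g. 0777, 0666)."""
    try:
        return bool(int(mask, 8) & 0o002)
    except ValueError:
        return False


def audit(sections):
    """Return (section, severity, message) findings for settings that expose shares."""
    findings = []
    g = sections.get("global", {})
    # Samba default is 'Never'; any other value turns failed logins into guest sessions.
    if g.get("map to guest", "never").lower() != "never":
        findings.append(("global", "MEDIUM",
                         f"map to guest = {g['map to guest']}: failed logins are mapped to the guest account"))
    if is_true(g.get("usershare allow guests", "no")):
        findings.append(("global", "MEDIUM",
                         "usershare allow guests = yes: user-defined shares may be opened to guests"))
    for name, share in sections.items():
        if name == "global":
            continue
        # 'public' is a synonym of 'guest ok'; both default to no.
        if is_true(share.get("guest ok", share.get("public", "no"))):
            level = "HIGH" if share_is_writable(share) else "MEDIUM"
            access = "write" if level == "HIGH" else "read"
            findings.append((name, level,
                             f"guest ok = yes with {access} access: share is reachable without a password"))
        for key in ("create mask", "directory mask"):
            if key in share and mask_world_writable(share[key]):
                findings.append((name, "MEDIUM", f"{key} = {share[key]}: new entries are world-writable"))
    return findings


def harden(sections):
    """Return a copy of the parsed config with every flagged setting replaced by a safe value."""
    fixed = {name: dict(share) for name, share in sections.items()}
    g = fixed.setdefault("global", {})
    g["map to guest"] = "Never"
    g["usershare allow guests"] = "no"
    for name, share in fixed.items():
        if name == "global":
            continue
        share["guest ok"] = "no"
        share.pop("public", None)
        for key in ("create mask", "directory mask"):
            if key in share and mask_world_writable(share[key]):
                share[key] = "0770" if key == "directory mask" else "0660"
    return fixed


def render(sections):
    """Serialise back to smb.conf syntax so the hardened copy can be reviewed or written out."""
    out = []
    for name, share in sections.items():
        out.append(f"[{name}]")
        out.extend(f"   {k} = {v}" for k, v in share.items())
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_CONF)
    for section, level, msg in audit(conf):
        print(f"[{level}] [{section}] {msg}")
    print("\n--- hardened ---\n" + render(harden(conf)))
```

Run it against a real file with `parse_smb_conf(open("/etc/samba/smb.conf").read())`; on the sample it reports the two global settings, the guest-writable `[notes]` share and its `0777` mask, and nothing for `[finance]`, and the hardened copy audits clean.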