SMB Attack

  • SMB and Samba are different

  • SMB was developed by IBM and later adopted by Windows

  • Samba uses the Common Internet File System (CIFS) to talk to SMB

    • CIFS is a very specific implementation of the SMB protocol

    • This allows Samba to communicate with newer Windows systems

    • It is usually referred to as SMB/CIFS.

  • IBM developed an application programming interface (API) for networking computers called the Network Basic Input/Output System (NetBIOS).

    • The NetBIOS API provided a blueprint for an application to connect and share data with other computers.

    • In a NetBIOS environment, when a machine goes online, it needs a name, which is assigned through the so-called name registration procedure.

    • Either each host reserves its hostname on the network, or the NetBIOS Name Server (NBNS) is used for this purpose.

    • NBNS has also been enhanced into the Windows Internet Name Service (WINS).

  • TCP port 139 or 445: SMB over TCP

    • the main SMB ports

  • UDP 138: SMB over UDP (datagram).

  • UDP 137: SMB over UDP (name service).

Default Configuration

Print the active settings, dropping comment lines that start with # or ;:

grep -v "#\|;" /etc/samba/smb.conf

Setting                        Description
[sharename]                    The name of the network share.
workgroup = WORKGROUP/DOMAIN   Workgroup that will appear when clients query.
path = /path/here/             The directory to which the user is given access.
server string = STRING         The string shown when a connection is initiated.
unix password sync = yes       Synchronize the UNIX password with the SMB password?
usershare allow guests = yes   Allow non-authenticated users to access defined shares?
map to guest = bad user        What to do when a user login request doesn't match a valid UNIX user?
browseable = yes               Should this share be shown in the list of available shares?
guest ok = yes                 Allow connecting to the service without using a password?
read only = yes                Allow users to read files only?
create mask = 0700             What permissions need to be set for newly created files?

Dangerous Settings

Setting                    Description
browseable = yes           Allow listing the available shares in the current share?
read only = no             Forbid the creation and modification of files? (no = allowed)
writable = yes             Allow users to create and modify files?
guest ok = yes             Allow connecting to the service without using a password?
enable privileges = yes    Honor privileges assigned to specific SIDs?
create mask = 0777         What permissions must be assigned to newly created files?
directory mask = 0777      What permissions must be assigned to newly created directories?
logon script = script.sh   What script needs to be executed on the user's login?
magic script = script.sh   Which script should be executed when the script file gets closed?
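An added example, not part of these notes or of Samba itself: a small Python audit script that parses an smb.conf the way the grep above reads it (skipping # and ; comment lines) and flags the dangerous settings from the table. The rules, the reason strings and the sample config are constructed for the example.

```python
import re

# Each rule: normalised key -> (test on the value, why it matters). Keys are
# normalised like Samba does (lower-case, whitespace removed), so "read only"
# and "readonly" both match.
DANGEROUS = {
    "browseable":       (lambda v: v == "yes",  "share is listed to anyone who asks"),
    "readonly":         (lambda v: v == "no",   "clients may create and modify files"),
    "writable":         (lambda v: v == "yes",  "clients may create and modify files"),
    "guestok":          (lambda v: v == "yes",  "no password needed to connect"),
    "enableprivileges": (lambda v: v == "yes",  "privileges assigned to SIDs are honoured"),
    "createmask":       (lambda v: v == "0777", "new files are world-writable"),
    "directorymask":    (lambda v: v == "0777", "new directories are world-writable"),
    "logonscript":      (lambda v: bool(v),     "a script runs at user logon"),
    "magicscript":      (lambda v: bool(v),     "a script runs when it is closed on the share"),
}

def parse_smb_conf(text):
    """Return {section: {normalised_key: value}}, skipping # and ; comment lines."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if m := re.fullmatch(r"\[(.+)\]", line):
            current = m.group(1).strip().lower()
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = re.sub(r"\s+", "", key).lower()
        sections.setdefault(current, {})[key] = value.strip().lower()
    return sections

def audit(text):
    """Return a sorted list of (section, key, reason) for each dangerous setting found."""
    findings = []
    for section, opts in parse_smb_conf(text).items():
        for key, value in opts.items():
            if key in DANGEROUS and DANGEROUS[key][0](value):
                findings.append((section, key, DANGEROUS[key][1]))
    return sorted(findings)

SAMPLE = """\
# constructed sample config, not taken from any real host
[share]
   path = /srv/share
   read only = no
   guest ok = yes
   create mask = 0777"""
```

Running `audit(open("/etc/samba/smb.conf").read())` on a host lists each share and setting that matches a rule.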

Ways of interacting with SMB

smbclient

  • -L lists the shares on the target

  • -N requests a null session

    • anonymous access without supplying an existing user or a valid password.

  • guest login is different from authenticated login and also different from anonymous login

  • commands prefixed with ! run on the local machine, e.g. !ls lists the local directory (not the share)

Attacks

rpcclient

Query                      Description
srvinfo                    Server information.
enumdomains                Enumerate all domains that are deployed in the network.
querydominfo               Provides domain, server, and user information of deployed domains.
netshareenumall            Enumerates all available shares.
netsharegetinfo <share>    Provides information about a specific share.
enumdomusers               Enumerates all domain users.
queryuser <RID>            Provides information about a specific user.

rpcclient - Enumeration

rpcclient - User Enumeration

rpcclient - Group Information

Brute Forcing User RIDs

impacket

Impacket - samrdump.py

crackmapexec

Null Authentication

Anonymous Authentication

  • put any value in the username field

Login with username and password

smbmap

With credentials

Nmap

Enum4Linux-ng

Installation

Enumeration
