SMB
Server Message Block (SMB) was designed to run on top of NetBIOS over TCP/IP (NBT), using TCP port 139 and UDP ports 137 and 138. However, with Windows 2000, Microsoft added the option to run SMB directly over TCP/IP on port 445 without the extra NetBIOS layer.
Enumeration
Misconfigurations
File Share
SMB can be configured not to require authentication, which is often called a null session. In that case, we can log in to a system with no username or password. We can request the list of the server's shares with the option -L, and with the option -N we connect without supplying a password.
Smbmap is another tool that helps us enumerate network shares and their associated permissions. An advantage of smbmap is that it provides a list of permissions for each shared folder. Using smbmap with the -r or -R (recursive) option, one can browse the directories:
Remote Procedure Call (RPC)
We can use the rpcclient tool with a null session to enumerate a workstation or Domain Controller.
Enum4linux is another utility that supports null sessions. It utilizes nmblookup, net, rpcclient, and smbclient to automate some common enumeration of SMB targets, such as:
Workgroup/Domain name
Users information
Operating system information
Groups information
Shares Folders
Password policy information
Protocol Specific Attacks
SMB
When attacking a Windows SMB server, our actions will be limited by the privileges of the user we manage to compromise. If this user is an Administrator or has specific privileges, we will be able to perform operations such as:
Remote Command Execution
Extract Hashes from SAM Database
Enumerating Logged-on Users
Pass-the-Hash (PTH)
Enumerating Logged-on Users
Imagine we are in a network with multiple machines. Some of them share the same local administrator account. In this case, we could use CrackMapExec to enumerate logged-on users on all machines within the same network 10.10.110.17/24, which speeds up our enumeration process.
Extract Hashes from SAM Database
Pass-the-Hash (PtH)
We can use a PtH attack with any Impacket tool, SMBMap, CrackMapExec, among other tools. Here is an example of how this would work with CrackMapExec:
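Both the "Enumerating Logged-on Users" scenario (one shared local administrator account used against many machines) and Pass-the-Hash leave the same trace on the targets: Event ID 4624 network logons (type 3) authenticated with NTLM, and null sessions show up as ANONYMOUS LOGON. The following added example, which is not part of the original page and not the output of any of the tools named above, runs two detection rules over constructed sample events written in a simple key=value layout standing in for the 4624 fields. The thresholds, window and the sample hosts and addresses are assumptions for illustration.

```python
"""Detect null sessions and shared-local-admin network logons in Windows Security events.

The sample events below are constructed for this example (not real logs); each line carries
the Event ID 4624 fields we need in a 'key=value | key=value' layout.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
ts=2024-05-01T10:00:01 | host=WS01 | id=4624 | type=3 | user=ANONYMOUS LOGON | domain=NT AUTHORITY | auth=NTLM | src=10.10.110.50
ts=2024-05-01T10:00:03 | host=DC01 | id=4624 | type=3 | user=ANONYMOUS LOGON | domain=NT AUTHORITY | auth=NTLM | src=10.10.110.50
ts=2024-05-01T10:02:10 | host=WS01 | id=4624 | type=3 | user=Administrator | domain=WS01 | auth=NTLM | src=10.10.110.50
ts=2024-05-01T10:02:11 | host=WS02 | id=4624 | type=3 | user=Administrator | domain=WS02 | auth=NTLM | src=10.10.110.50
ts=2024-05-01T10:02:12 | host=WS03 | id=4624 | type=3 | user=Administrator | domain=WS03 | auth=NTLM | src=10.10.110.50
ts=2024-05-01T10:02:14 | host=WS04 | id=4624 | type=3 | user=Administrator | domain=WS04 | auth=NTLM | src=10.10.110.50
ts=2024-05-01T10:05:00 | host=FS01 | id=4624 | type=3 | user=jdoe | domain=CORP | auth=Kerberos | src=10.10.110.22
ts=2024-05-01T13:30:00 | host=WS05 | id=4624 | type=3 | user=Administrator | domain=WS05 | auth=NTLM | src=10.10.110.61
ts=2024-05-01T10:30:00 | host=WS06 | id=4624 | type=2 | user=Administrator | domain=WS06 | auth=Negotiate | src=127.0.0.1
"""


def parse_event(line):
    """Turn one 'key=value | key=value' line into a dict; the timestamp becomes a datetime."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def parse_events(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def null_session_logons(events):
    """Map each source address that opened a null session to the hosts it reached.

    A null session is a successful network logon (4624, type 3) as ANONYMOUS LOGON.
    """
    hits = defaultdict(set)
    for e in events:
        if e["id"] == "4624" and e["type"] == "3" and e["user"].upper() == "ANONYMOUS LOGON":
            hits[e["src"]].add(e["host"])
    return {src: sorted(hosts) for src, hosts in hits.items()}


def local_admin_spray(events, min_hosts=3, window=timedelta(minutes=10)):
    """Flag one (source, account) pair that logged on with NTLM to >= min_hosts distinct
    hosts inside a sliding time window, using a *local* account.

    A local account is recognised because the logon domain equals the target computer name;
    this is exactly what a shared local administrator used from one machine looks like.
    """
    by_key = defaultdict(list)
    for e in events:
        if e["id"] != "4624" or e["type"] != "3" or e["auth"] != "NTLM":
            continue
        if e["domain"].upper() != e["host"].upper():   # domain account, not a local one
            continue
        by_key[(e["src"], e["user"])].append((e["ts"], e["host"]))

    findings = {}
    for key, entries in by_key.items():
        entries.sort()
        in_window, flagged, left = Counter(), set(), 0
        for ts, host in entries:
            in_window[host] += 1
            while ts - entries[left][0] > window:        # slide the window forward
                old_host = entries[left][1]
                in_window[old_host] -= 1
                if in_window[old_host] == 0:
                    del in_window[old_host]
                left += 1
            if len(in_window) >= min_hosts:
                flagged.update(in_window)
        if flagged:
            findings[key] = sorted(flagged)
    return findings


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("null sessions:", null_session_logons(evts))
    print("local admin spray:", local_admin_spray(evts))
```

In the sample, 10.10.110.50 opens null sessions against WS01 and DC01 and then uses the local Administrator account on four workstations within seconds, which is the pattern to alert on; the single local-admin logon from 10.10.110.61 three hours later stays below the threshold, and the Kerberos domain logon is ignored by design.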
Forced Authentication Attacks
When a user or a system tries to perform a Name Resolution (NR), a series of procedures are conducted by a machine to retrieve a host's IP address by its hostname. On Windows machines, the procedure will roughly be as follows:
The IP address of the file share's hostname is required.
The local host file (C:\Windows\System32\Drivers\etc\hosts) will be checked for suitable records.
If no records are found, the machine switches to the local DNS cache, which keeps track of recently resolved names.
If there is no local DNS record, a query is sent to the configured DNS server.
If all else fails, the machine will issue a multicast query, requesting the IP address of the file share from other machines on the network.
Suppose a user mistyped a shared folder's name \\mysharefoder\ instead of \\mysharedfolder\. In that case, all name resolutions will fail because the name does not exist, and the machine will send a multicast query to all devices on the network, including us running our fake SMB server. This is a problem because no measures are taken to verify the integrity of the responses. Attackers can take advantage of this mechanism by listening in on such queries and spoofing responses, leading the victim to believe malicious servers are trustworthy. This trust is usually used to steal credentials.
Example output of responder:
All saved hashes are located in Responder's logs directory (/usr/share/responder/logs/). We can copy the hash to a file and attempt to crack it using the hashcat module 5600.
On Responder: first, we need to set SMB to OFF in our Responder configuration file (/etc/responder/Responder.conf).
Then we execute impacket-ntlmrelayx with the options --no-http-server and -smb2support, and specify the target machine with the option -t. By default, impacket-ntlmrelayx will dump the SAM database, but we can execute commands by adding the option -c.
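The relay described above only works when the target's SMB server does not require signing, and the poisoning that feeds it only works while LLMNR and NBT-NS are enabled on the victims. The following added example, which is not part of the original page and not part of Impacket or Responder, parses a .reg export (the format produced by reg export on Windows) and reports which of those mitigations a host is missing, with a weak and a hardened export side by side. The registry paths and value semantics are real Windows settings; the exports themselves are constructed, the interface GUID is a placeholder, and a missing value is interpreted as the Windows default for that setting.

```python
"""Posture check for the settings that blunt LLMNR/NBT-NS poisoning and NTLM relay to SMB.

The two .reg exports below are constructed for this example (not captured from a real host).
Registry paths are the real ones; the NetBT interface GUID is a placeholder.
"""
import re

# One DWORD line of a .reg export, e.g. "RequireSecuritySignature"=dword:00000001
REG_LINE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')

LANMAN_SERVER = r"hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters"
LANMAN_WKS = r"hkey_local_machine\system\currentcontrolset\services\lanmanworkstation\parameters"
DNS_CLIENT = r"hkey_local_machine\software\policies\microsoft\windows nt\dnsclient"
NETBT_IFACES = r"hkey_local_machine\system\currentcontrolset\services\netbt\parameters\interfaces"

WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"RequireSecuritySignature"=dword:00000000
"EnableSecuritySignature"=dword:00000001
"RestrictNullSessAccess"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"RequireSecuritySignature"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{PLACEHOLDER-GUID}]
"NetbiosOptions"=dword:00000000
"""

HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"RequireSecuritySignature"=dword:00000001
"RestrictNullSessAccess"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"RequireSecuritySignature"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
"EnableMulticast"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{PLACEHOLDER-GUID}]
"NetbiosOptions"=dword:00000002
"""


def parse_reg(text):
    """Map (key, value_name) -> int for every DWORD in a .reg export; names are lower-cased."""
    values, current_key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
        elif current_key and (m := REG_LINE.match(line)):
            values[(current_key, m["name"].lower())] = int(m["hex"], 16)
    return values


def assess(values):
    """Return finding codes for missing mitigations (empty list means all present)."""
    findings = []
    # NTLM relay to SMB only succeeds against a server that does not *require* signing;
    # the default on workstations and member servers is 0 (not required).
    if values.get((LANMAN_SERVER, "requiresecuritysignature"), 0) != 1:
        findings.append("server-smb-signing-not-required")
    if values.get((LANMAN_WKS, "requiresecuritysignature"), 0) != 1:
        findings.append("client-smb-signing-not-required")
    # LLMNR stays on unless the policy value EnableMulticast is explicitly 0.
    if values.get((DNS_CLIENT, "enablemulticast"), 1) != 0:
        findings.append("llmnr-enabled")
    # NetBIOS over TCP/IP is off only when NetbiosOptions is 2 on each interface.
    ifaces = {key for key, _ in values if key.startswith(NETBT_IFACES + "\\")}
    for iface in sorted(ifaces):
        if values.get((iface, "netbiosoptions"), 0) != 2:
            findings.append("nbt-ns-enabled:" + iface.rsplit("\\", 1)[1])
    # Null-session access to shares; restricted (1) has been the default since Windows XP.
    if values.get((LANMAN_SERVER, "restrictnullsessaccess"), 1) != 1:
        findings.append("null-session-share-access-allowed")
    return findings


if __name__ == "__main__":
    print("weak host:", assess(parse_reg(WEAK_EXPORT)))
    print("hardened host:", assess(parse_reg(HARDENED_EXPORT)))
```

Run against real hosts, the input would come from reg export of those four keys; the point of the check is that the weak host reports every precondition the poisoning and relay chain relies on, while the hardened host reports none.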
RPC
In the Footprinting page, we discuss how to enumerate a machine using RPC. Apart from enumeration, we can use RPC to make changes to the system, such as:
Change a user's password.
Create a new domain user.
Create a new shared folder.