(139,445)SMB

Short for Server Message Block, It uses TCP, and ACL for authentication and can have either non-encrypted connection, or an SSL/TLS one.

About

This protocol primarily regulates access to files, directories and networks resources (Like printers, routers ..etc) and also used for process communication.

Due to historical reasons and the way this protocol was created, in the course there's a lot of talk about NetBIOS and multiple ports related to the Windows OS not only SMB, which was somehow confusing and could be hard to get to the rest of the course.

Here's a breakdown of how SMB and NetBIOS are related and why we're running into both of them.

SMB and NetBIOS

Initially, SMB was implemented over NetBIOS (Network Basic Input/Output System), which provided services for network communication on older Windows networks.

Here's a brief evolution:

  1. SMB over NetBIOS:

    • SMB relied on NetBIOS to handle network communication.

    • NetBIOS used the following ports:

      • Port 137: NetBIOS name service (NBNS)

      • Port 138: NetBIOS datagram service (NBDS)

      • Port 139: NetBIOS session service (NBSS)

  2. Transition to Direct TCP/IP (Port 445):

    • Microsoft introduced SMB over TCP/IP directly, eliminating the need for the NetBIOS layer.

    • Port 445 was designated for direct SMB communication over TCP/IP, simplifying the protocol stack and improving performance and reliability.

This transition allowed SMB to function more efficiently and became the standard method for modern SMB implementations.

Samba

In short, Samba is a software suite that implements both SMB and CIFS (Common Internet File System) protocols. to let non-Windows OS communicate with Windows-based clients and servers using the SMB/CIFS protocols. CIFS being a dialect of SMB (older version).

To be more technical, depending on the client's host version and configuration, there are many ports in which we can find the SMB protocol or an equivalent in use.

Drawing

Enumeration

Nmap

$ sudo nmap <target-ip> -sV -sC -p139,445

RPC

As the courses states, RPC (Remote Procedure Call) is often encountered when enumerating SMB shares because SMB uses RPC to facilitate certain operations and services. Here's a brief explanation:

  1. RPC in SMB:

    • RPC is a protocol that one program can use to request a service from a program located on another computer in a network without the need to know details about the network.

    • In the context of SMB, RPC is used for a variety of administrative tasks and services, such as managing shared resources, querying information about the network, and controlling access permissions.

  2. Enumerating SMB Shares:

    • When you enumerate SMB shares, you're essentially asking the server for detailed information about its shared resources.

    • Some of these requests and the responses they generate are handled using RPC. For instance, retrieving information about users, groups, and specific share properties might involve RPC communication.

$ rpcclient -U "" <target-ip>
Enter WORKGROUP\'s password:
rpcclient$> ...

$ rpcclient -N -U "" <target-ip>

srvinfo

Server information.

enumdomains

Enumerate all domains that are deployed in the network.

querydominfo

Provides domain, server, and user information of deployed domains.

netshareenumall

Enumerates all available shares.

netsharegetinfo <share>

Provides information about a specific share.

enumdomusers

Enumerates all domain users.

queryuser <RID>

Provides information about a specific user. RID stands for Relative Identifier

querygroup <RID>

Provides information about a specific group

Upon enumerating a certain group, we won't surely be able to list the users' RIDs due to configuration. BUT, by brute forcing our way in, we should get the information we need.

Brute forcing RIDs with a For loop

$ for i in $(seq 500 1100);do rpcclient -N -U "" 10.10.10.10 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done

Brute forcing RIDs with Impacket's Samrdumb.py

$ samrdump.py <target-ip>

SMBmap

$ smbmap -H <target-ip>
# If we got a valid credentials from another service (look for password reuse) or this service.
$ smbmap -H <target-ip> -u "" -p ""

More on the official repo.

CrackMapExec

$ crackmapexec smb <target-ip> --shares -u '' -p ''

Enum4Linux-ng.py

This tool isn't only a tool for SMB, but for various purposes and goals, but still it's a good tool maybe we get hits from other stuff that's running on the machine we didn't know about.

$ git clone https://github.com/cddmp/enum4linux-ng.git
$ cd enum4linux-ng
$ pip3 install -r requirements.txt
$ ./enum4linux-ng.py <target-ip> -A
Previous(21)FTPNext(111,2049 for NFSv4.1)NFS

Last updated