SMB information enumeration Checklist
Posted on July 1st, 2019
Checklist
- Enumerate hostname:
  nmblookup -A [ip]
- List shares:
  smbmap -H [ip/hostname]
  echo exit | smbclient -L \\\\[ip]
  nmap --script smb-enum-shares -p 139,445 [ip]
- Null session detection:
  smbmap -H [ip/hostname]
  rpcclient -U "" -N [ip]
  smbclient \\\\[ip]\\[share name]
- Vulnerability detection:
  nmap --script smb-vuln* -p 139,445 [ip]
- Full scan:
  enum4linux -a [ip]
- Manual version detection (Samba):
  smbver.sh [IP] (port)
  check the pcap file
Tool list
- nmblookup – gets NetBIOS information over TCP/IP
- smbclient – SMB share access tool, used much like an FTP client
- nmap – the most common port scanning tool
- rpcclient – a tool that performs client-side MS-RPC calls
- enum4linux – enumerates a wide range of SMB information
- Wireshark – the famous packet capture tool
Detailed use of tools
Enumerate the host name
Nmblookup
nmblookup -A [IP]
-A – query by IP address
How to use the tool:
root@xax007:~# nmblookup -A [ip]
Looking up status of [ip]
        [hostname]      <00> -         M <ACTIVE>
        [hostname]      <20> -         M <ACTIVE>
        WORKGROUP       <00> - <GROUP> M <ACTIVE>
        WORKGROUP       <1e> - <GROUP> M <ACTIVE>
                        <03> -         M <ACTIVE>
        INet~Services   <1c> - <GROUP> M <ACTIVE>
        IS~[hostname]   <00> -         M <ACTIVE>

        MAC Address = 00-50-56-XX-XX-XX
List shares
Smbmap
smbmap -H [ip/hostname]
This command shows the shares on the host together with your access to each of them: NO ACCESS means the share cannot be accessed, READ ONLY means it can only be read.
How to use the tool:
root@xax007:/# smbmap -H [ip]
[+] Finding open SMB ports....
[+] User SMB session establishd on [ip]...
[+] IP: [ip]:445        Name: [ip]
        Disk                                                    Permissions
        ----                                                    -----------
        ADMIN$                                                  NO ACCESS
        C$                                                      NO ACCESS
        IPC$                                                    NO ACCESS
        NETLOGON                                                NO ACCESS
        Replication                                             READ ONLY
        SYSVOL                                                  NO ACCESS
If you have a password, you can re-run it with a password to get more access.
root@xax007:/# smbmap -H [ip] -d [domain] -u [user] -p [password]
[+] Finding open SMB ports....
[+] User SMB session establishd on [ip]...
[+] IP: [ip]:445        Name: [ip]
        Disk                                                    Permissions
        ----                                                    -----------
        ADMIN$                                                  NO ACCESS
        C$                                                      NO ACCESS
        IPC$                                                    NO ACCESS
        NETLOGON                                                READ ONLY
        Replication                                             READ ONLY
        SYSVOL                                                  READ ONLY
Smbclient
echo exit | smbclient -L \\\\[ip]
- echo exit takes care of any password prompt that might pop up, since we are checking for a null login
-L – get a list of shares for the given host
How to use the tool:
root@xax007:~# smbclient -L \\[ip]
Enter WORKGROUP\root's password:

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       Remote IPC
        share           Disk
        wwwroot         Disk
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
Nmap
nmap --script smb-enum-shares -p 139,445 [ip]
--script smb-enum-shares – use the SMB share enumeration script
-p 139,445 – the SMB ports
How to use the tool:
root@xax007:~# nmap --script smb-enum-shares -p 139,445 [ip]
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-27 16:25 EDT
Nmap scan report for [ip]
Host is up (0.037s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:50:56:XX:XX:XX (VMware)

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\[ip]\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\[ip]\C$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\[ip]\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: READ
|     Current user access: READ/WRITE
|   \\[ip]\share:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: <none>
|     Current user access: READ/WRITE
|   \\[ip]\wwwroot:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: <none>
|_    Current user access: READ

Nmap done: 1 IP address (1 host up) scanned in 10.93 seconds
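As an added example (not part of the original checklist), the following Python parses nmap's smb-enum-shares output into a table and pulls out the disk shares that are readable with no credentials at all, which is the finding a defender wants to fix first. The host 10.0.0.5 and the share list in the sample are constructed for this example.

```python
import re

# Constructed sample in the format of the nmap smb-enum-shares output above
# (host 10.0.0.5 and the share list are made up for this example).
SAMPLE = r"""
Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.0.0.5\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.0.0.5\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: READ
|     Current user access: READ/WRITE
|   \\10.0.0.5\wwwroot:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: READ
|_    Current user access: READ/WRITE
"""

# A share header line ("|   \\host\share:") and a "Key: value" line under it.
SHARE_RE = re.compile(r"^\|[_ ]\s+\\\\(?P<host>[^\\]+)\\(?P<share>[^:]+):\s*$")
FIELD_RE = re.compile(r"^\|[_ ]\s+(?P<key>[A-Za-z ]+):\s*(?P<val>.*)$")

def parse_smb_enum_shares(text):
    """Return {share: {host, type, comment, anonymous_access, current_user_access}}."""
    shares, current = {}, None
    for line in text.splitlines():
        m = SHARE_RE.match(line)
        if m:
            current = m.group("share")
            shares[current] = {"host": m.group("host")}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key = m.group("key").strip().lower().replace(" ", "_")
            shares[current][key] = m.group("val").strip()
    return shares

def anonymous_disk_shares(shares):
    """Disk shares readable with no credentials: the findings to fix first.
    (IPC$ allowing anonymous READ only means a null session is possible.)"""
    return sorted(name for name, info in shares.items()
                  if info.get("type", "").startswith("STYPE_DISKTREE")
                  and info.get("anonymous_access", "<none>") != "<none>")
```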
Check for a null session
Smbmap
smbmap -H [ip/hostname]
Shows what you can do with the given credentials (or with a null session if no credentials are supplied). See the examples in the previous section.
Rpcclient
rpcclient -U "" -N [ip]
-U "" – empty username (null session)
-N – no password
How to use the tool:
root@xax007:~# rpcclient -U "" -N [ip]
rpcclient $>
Once the null (empty password) session is connected, you can execute rpcclient commands at this prompt.
Smbclient
smbclient \\\\[ip]\\[share name]
This attempts to connect to the share. You can try it without a password (or by sending a blank password) and may still be able to connect.
How to use the tool:
root@xax007:~/pwk/lab/public# smbclient \\\\[ip]\\share
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Sep 27 16:26:00 2018
  ..                                  D        0  Thu Sep 27 16:26:00 2018
  New Folder (9)                      D        0  Sun Dec 13 05:26:59 2015
  New Folder - 6                      D        0  Sun Dec 13 06:55:42 2015
  Shortcut to New Folder (2).lnk      A      420  Sun Dec 13 05:24:51 2015

                1690825 blocks of size 2048. 794699 blocks available
Check for SMB vulnerabilities
Nmap
nmap --script smb-vuln* -p 139,445 [ip]
--script smb-vuln* – run all of the SMB vulnerability scanning scripts
-p 139,445 – the SMB ports
How to use the tool:
root@xax007:~# nmap --script smb-vuln* -p 139,445 [ip]
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-27 16:37 EDT
Nmap scan report for [ip]
Host is up (0.030s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:50:56:XX:XX:XX (VMware)

Host script results:
| smb-vuln-ms06-025:
|   VULNERABLE:
|   RRAS Memory Corruption vulnerability (MS06-025)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2006-2370
|       A buffer overflow vulnerability in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1
|       and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to
|       execute arbitrary code via certain crafted "RPC related requests" aka the "RRAS Memory Corruption Vulnerability."
|
|     Disclosure date: 2006-6-27
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2370
|_      https://technet.microsoft.com/en-us/library/security/ms06-025.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 5.58 seconds
Full scan
Enum4linux
enum4linux -a [ip]
-a – run all enumeration
The output of this tool is relatively long, but mainly consists of these pieces of information:
- Output similar to that of nmblookup
- Whether you can log in to the shares with a null session (empty password)
- The share list
- Domain information
- Password policy
- RID cycling output
Version identification
Samba
ngrep is a tool for viewing filtered network data. Execute the following command in one terminal window:
ngrep -i -d tap0 's.?a.?m.?b.?a.*[[:digit:]]' port 139
Then execute the following command in another terminal window to make the server send its banner:
echo exit | smbclient -L [IP]
The ngrep output contains the Samba version information.
Use the following script [smbver.sh] to get the version information of Samba:
#!/bin/sh
# Author: rewardone
# Description:
#   Requires root or enough permissions to use tcpdump.
#   Listens for the first 7 packets of a null login and grabs the SMB version.
# Notes:
#   Will sometimes not capture or will print multiple lines.
#   May need to run a second time for success.
#   The capture interface (tap0) is hard-coded; change it to match your setup.

if [ -z "$1" ]; then
    echo "Usage: ./smbver.sh RHOST {RPORT}" && exit 1
else
    rhost="$1"
fi
if [ -n "$2" ]; then
    rport="$2"
else
    rport=139
fi

# Capture in the background. "s.a.m" also matches the UTF-16 form of "Samba"
# (a NUL between each letter, which tcpdump -A prints as a dot). tr -d '.' then
# strips those dots, and with them the dots in the version number.
tcpdump -s0 -n -i tap0 src "$rhost" and port "$rport" -A -c 7 2>/dev/null \
    | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' &
echo -n "$rhost: " &

# Trigger the null session so the server answers with its version banner.
echo "exit" | smbclient -L "$rhost" 1>/dev/null 2>/dev/null
sleep 0.5 && echo ""
When you use this script, you will have the following similar output:
root@kali:~/pwk# ./smbver.sh 10.11.1.x 139
10.11.1.x: UnixSamba 223a
When in doubt, check the SMB version in the pcap. The example above is Unix Samba 2.2.3a; the script prints it as "UnixSamba 223a" because its tr -d '.' step strips the dots from the version number as well.
Identify the SMB version with Wireshark
Method one: use Metasploit's auxiliary/scanner/smb/smb_version module.
Method two: initiate an NTLMv1 request to the SMB service using smbclient and capture the NIC traffic with Wireshark:
smbclient -U ""%"" -m NT1 -N -L //ip
Then filter the captured traffic with smb.native_lanman to see the target operating system and the version of the SMB server.
This works for both Windows and Linux targets.
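The ngrep pattern s.?a.?m.?b.?a, the tr -d '.' step in smbver.sh and the smb.native_lanman Wireshark filter all read the same field: the Native LAN Manager string in the server's Session Setup AndX response, which is sent either as plain 8-bit text or as UTF-16LE (a NUL byte after every letter) depending on the session's Unicode flag. This added Python example (not from the original page or from rewardone's script) extracts the Samba version from a captured payload in either encoding and splits the data block into its three strings; the byte strings are constructed, not real captures, and the data block is assumed to have had its alignment padding removed.

```python
import re

# "Samba" with a NUL after every letter: the UTF-16LE form, which is why the
# ngrep pattern in the text is "s.?a.?m.?b.?a" rather than plain "samba".
UNICODE_SAMBA_RE = re.compile(rb"s\x00a\x00m\x00b\x00a\x00", re.IGNORECASE)
VERSION_RE = re.compile(r"samba\s*([0-9][0-9a-z.-]*)", re.IGNORECASE)

def extract_samba_version(payload: bytes):
    """Return the Samba version string found in a raw SMB payload, or None."""
    m = UNICODE_SAMBA_RE.search(payload)
    if m:
        # Decode from the match so UTF-16 alignment is correct whatever the offset.
        text = payload[m.start():].decode("utf-16-le", errors="replace")
    else:
        text = payload.decode("latin-1")
    v = VERSION_RE.search(text)
    return v.group(1) if v else None

def native_strings(data: bytes, unicode_strings: bool):
    """Split the data block of a Session Setup AndX response into
    (NativeOS, NativeLanMan, PrimaryDomain), the values Wireshark shows as
    smb.native_os / smb.native_lanman. Assumes the 2-byte alignment padding
    that precedes Unicode strings has already been removed."""
    text = data.decode("utf-16-le" if unicode_strings else "latin-1")
    return tuple(text.split("\x00")[:3])

# Constructed examples (not real captures) of the two encodings a server may use.
ASCII_SAMBA = b"Unix\x00Samba 2.2.3a\x00WORKGROUP\x00"
UNICODE_SAMBA = "Unix\x00Samba 4.9.5-Debian\x00WORKGROUP\x00".encode("utf-16-le")
UNICODE_WINDOWS = "Windows 5.1\x00Windows 2000 LAN Manager\x00WORKGROUP\x00".encode("utf-16-le")

if __name__ == "__main__":
    for blob in (ASCII_SAMBA, UNICODE_SAMBA, UNICODE_WINDOWS):
        print(extract_samba_version(blob))
```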
Reference: https://0xdf.gitlab.io/2018/12/02/pwk-notes-smb-enumeration-checklist-update1.html#smbclient