SMB ENUM

SMB information enumeration Checklist 

Posted on July 1st, 2019

Checklist

  • Enumerate hostname – nmblookup -A [ip]
  • Shared directory acquisition
    • smbmap -H [ip/hostname]
    • echo exit | smbclient -L \\\\[ip]
    • nmap --script smb-enum-shares -p 139,445 [ip]
  • Empty session detection
    • smbmap -H [ip/hostname]
    • rpcclient -U "" -N [ip]
    • smbclient \\\\[ip]\\[share name]
  • Vulnerability detection – nmap --script smb-vuln* -p 139,445 [ip]
  • Full scan – enum4linux -a [ip]
  • Manual detection
    • smbver.sh [IP] (port) [Samba]
    • Check pcap file

Tool list

  • nmblookup – Get NetBIOS information via TCP/IP client
  • smbclient – SMB share access tool like FTP client
  • nmap – the most common port scanning tool
  • rpcclient – a tool that performs the client-side MS-RPC method
  • enum4linux – Enumeration to get various SMB information
  • Wireshark – the famous catching tool

Detailed use of tools

Enumerate the host name

Nmblookup

nmblookup -A [IP]

  • -A – Query by IP address

How to use the tool:

root@xax007:~# nmblookup -A [ip] Looking up status of [ip] [hostname] <00> - M <ACTIVE> [hostname] <20> - M <ACTIVE> WORKGROUP <00> - <GROUP> M <ACTIVE> WORKGROUP <1e> - <GROUP> M <ACTIVE> <03> - M <ACTIVE> INet~Services <1c> - <GROUP> M <ACTIVE> IS~[hostname] <00> - M <ACTIVE> MAC Address = 00-50-56-XX-XX-XX

List sharing

Smbmap

smbmap -H [ip/hostname]

This command will show you the shares on the host, as well as your access to them.

This command will display the shared list and permissions of the target, NO ACCESSmeans unable to access, READ ONLY means only read

How to use the tool:

root@xax007:/# smbmap -H [ip] [+] Finding open SMB ports.... [+] User SMB session establishd on [ip]... [+] IP: [ip]:445 Name: [ip] Disk Permissions ---- ----------- ADMIN$ NO ACCESS C$ NO ACCESS IPC$ NO ACCESS NETLOGON NO ACCESS Replication READ ONLY SYSVOL NO ACCESS

If you have a password, you can re-run it with a password to get more access.

root@xax007:/# smbmap -H [ip] -d [domain] -u [user] -p [password] [+] Finding open SMB ports.... [+] User SMB session establishd on [ip]... [+] IP: [ip]:445 Name: [ip] Disk Permissions ---- ----------- ADMIN$ NO ACCESS C$ NO ACCESS IPC$ NO ACCESS NETLOGON READ ONLY Replication READ ONLY SYSVOL READ ONLY

Smbclient

echo exit | smbclient -L \\\\[ip]

  • Exit takes care of any password request that might pop up, since we’re checking for null login
  • -L – get a list of shares for the given host

How to use the tool:

root@xax007:~# smbclient -L \\[ip] Enter WORKGROUP\root's password: Sharename Type Comment --------- ---- ------- IPC$ IPC Remote IPC share Disk wwwroot Disk ADMIN$ Disk Remote Admin C$ Disk Default share Reconnecting with SMB1 for workgroup listing. Server Comment --------- ------- Workgroup Master --------- -------

Nmap

nmap --script smb-enum-shares -p 139,445 [ip]

  • --script smb-enum-shares – specify smb information enumeration script
  • -p 139,445 – specify smb port

How to use the tool:

root@xax007:~# nmap --script smb-enum-shares -p 139,445 [ip] Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-27 16:25 EDT Nmap scan report for [ip] Host is up (0.037s latency). PORT STATE SERVICE 139/tcp open netbios-ssn 445/tcp open microsoft-ds MAC Address: 00:50:56:XX:XX:XX (VMware) Host script results: | smb-enum-shares: | account_used: guest | \\[ip]\ADMIN$: | Type: STYPE_DISKTREE_HIDDEN | Comment: Remote Admin | Anonymous access: <none> | Current user access: <none> | \\[ip]\C$: | Type: STYPE_DISKTREE_HIDDEN | Comment: Default share | Anonymous access: <none> | Current user access: <none> | \\[ip]\IPC$: | Type: STYPE_IPC_HIDDEN | Comment: Remote IPC | Anonymous access: READ | Current user access: READ/WRITE | \\[ip]\share: | Type: STYPE_DISKTREE | Comment: | Anonymous access: <none> | Current user access: READ/WRITE | \\[ip]\wwwroot: | Type: STYPE_DISKTREE | Comment: | Anonymous access: <none> |_ Current user access: READ Nmap done: 1 IP address (1 host up) scanned in 10.93 seconds

Check for a null session

Smbmap

smbmap -H [ip/hostname] will show what you can do with given credentials (or null session if no credentials). See examples in the previous section .

Rpcclient

rpcclient -U "" -N [ip]

  • -U "" – null session
  • -N – no password

How to use the tool:

root@xax007:~# rpcclient -U "" -N [ip] rpcclient $>

After the empty (password) session connection is complete, you can execute the rpccommand.

Smbclient

smbclient \\\\[ip]\\[share name]

This will attempt to connect to the share. Can try without a password (or sending a blank password) and still potentially connect.

How to use the tool:

root@xax007:~/pwk/lab/public# smbclient \\\\[ip]\\share Enter WORKGROUP\root's password: Try "help" to get a list of possible commands. smb: \> ls . D 0 Thu Sep 27 16:26:00 2018 .. D 0 Thu Sep 27 16:26:00 2018 New Folder (9) D 0 Sun Dec 13 05:26:59 2015 New Folder - 6 D 0 Sun Dec 13 06:55:42 2015 Shortcut to New Folder (2).lnk A 420 Sun Dec 13 05:24:51 2015 1690825 blocks of size 2048. 794699 blocks available

Check for SMB vulnerabilities

Nmap

nmap --script smb-vuln* -p 139,445 [ip]

  • --script smb-vuln* – Choose to use vulnerability scanning scripts
  • -p 139,445 – smb port

How to use the tool:

root@xax007:~# nmap --script smb-vuln * -p 139,445 [ ip] Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-27 16:37 EDT Nmap scan report for [ ip] Host is up ( 0.030s latency ) . PORT STATE SERVICE 139/tcp open netbios-ssn 445/tcp open microsoft-ds MAC Address: 00:50:56:XX:XX:XX ( VMware ) Host script results: | smb-vuln-ms06-025: | VULNERABLE: | RRAS Memory Corruption vulnerability ( MS06-025 ) | State: VULNERABLE | IDs: CVE:CVE-2006-2370 | A buffer overflow vulnerability in the Routing and Remote Access service ( RRAS ) in Microsoft Windows 2000 SP4, XP SP1 | and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to | execute arbitrary code via certain crafted "RPC related requests" aka the "RRAS Memory Corruption Vulnerability." | | Disclosure date: 2006-6-27 | References: | https://cve.mitre.org/cgi-bin/cvename.cgi?name = CVE-2006-2370 |_ https://technet.microsoft.com/en-us/library/security/ms06-025.aspx |_smb-vuln-ms10-054: false |_smb-vuln-ms10-061: false | smb-vuln-ms17-010: | VULNERABLE: | Remote Code Execution vulnerability in Microsoft SMBv1 servers ( ms17-010 ) | State: VULNERABLE | IDs: CVE:CVE-2017-0143 | Risk factor: HIGH | A critical remote code execution vulnerability exists in Microsoft SMBv1 | servers ( ms17-010 ) . | | Disclosure date: 2017-03-14 | References: | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx | https://cve.mitre.org/cgi-bin/cvename.cgi?name = CVE-2017-0143 |_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ |_smb-vuln-regsvc-dos: ERROR: Script execution failed ( use -d to debug ) Nmap done : 1 IP address ( 1 host up ) scanned in 5.58 seconds

Full scan

Enum4linux

enum4linux -a [ip]

  • -a – all enumeration

The output of this tool is relatively long, but mainly consists of these pieces of information:

  • Similar to the output of nmblookup
  • Check if you can log in to the share with a null session (password)
  • List shared list
  • Domain information
  • Password policy
  • RID loop output

Version identification

Samba

ngrep is a tool for viewing filtered network data. Execute the following command in a terminal window: ngrep -i -d tap0 's.?a.?m.?b.?a.*[[:digit:]]' port 139 Execute the following command in another terminal window: echo exit | smbclient -L [IP] to get the version information of Samba

Use the following script [smbver.sh] to get access to the version information of Samba:

#!/bin/sh #Author: rewardone #Description: # Requires root or enough permissions to use tcpdump # Will listen for the first 7 packets of a null login # and grab the SMB Version #Notes: # Will sometimes not capture or will print multiple # lines. May need to run a second time for success.
if [ -z $1 ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost=$1; fi
if [ ! -z $2 ]; then rport=$2; else rport=139; fi
tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null
sleep 0.5 && echo ""

When you use this script, you will have the following similar output:

root@kali:~/pwk# ./smbver.sh 10.11.1.x 139
10.11.1.x: UnixSamba 223a

When in doubt, we can check the smb version in PCAP. Here’s an example Unix Samba 2.2.3a: 

Identify the SMB version with Wireshark

method one:

Use metasploit ‘s auxiliary/scanner/smb/smb_version module

Method Two:

Initiate an NTLMv1 request to the SMB service using smbclient and capture NIC traffic with wireshark

smbclient -U ""%"" -m NT1 -N -L //ip

Then use smb.native_lanman to filter the captured traffic, you can see the target operating system and the version of the SMB server.

Windows and Linux Universal

Reference: https://0xdf.gitlab.io/2018/12/02/pwk-notes-smb-enumeration-checklist-update1.html#smbclient