If you see a service with TCP port 445 open, then it is probably running SMB. SMB is used for file sharing services. You will also see it related to other protocols in its operation:
Here is a check list of common things to check:
- Can you enumerate the server version?
- Can you enumerate shares?
- What versions of the protocol are enabled?
- Can you connect using anon bind?
- Are there any known vulnerabilities?
- Can you enumerate usernames?
- Is SMB signing enabled?
- Are there other hosts in the subnet that can be used?
The following nmap script will:
Run verbose (-vvvv)
Enumerate service versions (-sV)
Connect to port 445 (-p 445)
Run in aggressive mode (-A)
Run all scripts named smb-enum* (–script smb-enum*)
Against the target IP or name ([target])
|nmap -vvvv -sV -p 445 -A –script smb-enum-* [target]|
You should also consider that ICMP (Ping) may be disabled and therefore -Pn (do not ping) may be required.
In linux you can use smbclient. The syntax for smbclient is not super intuitive however let us take a look at some common commands:
Let us check for anon access and list shares
|smbclient -L \\\\192.168.1.2\\|
Enter a blank password when prompted
Now if we found a share using nmap lets connect:
Now if we have access, we can run the following commands:
List Files = ls
Download File = get
Upload file = put
Delete file = rm
Help = help
There are a range of attack paths which include:
- Known vulnerabilities
- e.g., Eternal Blue
- Brute Force
- Password Spray
- Credential Stuffing
Common Tools for attacking smb will include:
- Metasploit Framework
- Crackmapexec (CME)
Here are some of the defences you can leverage:
- Enforce strong authentication policies
- Enable account lockouts
- Conduct password audits
- Restrict SMB to known locations
- Enable SMB Signing
- Ensure SMB is patched
- Disable Legacy SMB versions e.g., SMBv1
- Disable Anonymous Access
A lot of networks are flat, they have SMB enabled and very few controls. In a domain environment this leaves them wide open for lateral movement. Review your group policies and look to harden your SMB implementations. Jack in finance really probably should not be connecting to Sarah’s PC in facilities over SMB etc.
Remember as well, SMBv1 is old, if you have it enabled Ned will cry! Disable it for Ned!