CTF

Introduction

If you see TCP port 445 open, the service behind it is probably SMB. SMB is used for file sharing, and in operation it works alongside several other protocols; the MS-SMB2 specification below describes how:

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/06451bf2-578a-4b9d-94c0-8ce531bf14c4

Checklist

Here is a checklist of common things to check:

  • Can you enumerate the server version?
  • Can you enumerate shares?
  • What versions of the protocol are enabled?
  • Can you connect using anon bind?
  • Are there any known vulnerabilities?
  • Can you enumerate usernames?
  • Is SMB signing enabled?
  • Are there other hosts in the subnet that can be used?

Enumeration

Nmap

The following nmap command will:

  • Run very verbose (-vvvv)
  • Enumerate service versions (-sV)
  • Connect to port 445 (-p 445)
  • Run in aggressive mode (-A)
  • Run all scripts named smb-enum-* (--script "smb-enum-*")
  • Against the target IP or name ([target])

nmap -vvvv -sV -p 445 -A --script "smb-enum-*" [target]

You should also consider that ICMP (Ping) may be disabled and therefore -Pn (do not ping) may be required.

SMBClient

On Linux you can use smbclient. Its syntax is not super intuitive, so let us take a look at some common commands.

Let us check for anonymous access and list shares:

smbclient -L \\\\192.168.1.2\\

Enter a blank password when prompted.

Now, if we found a share using nmap, let's connect:

smbclient \\\\192.168.1.2\\sharename

Now, if we have access, we can run the following commands:

  • List files = ls
  • Download file = get
  • Upload file = put
  • Delete file = rm
  • Help = help

SMB Attacks

There are a range of attack paths, which include:

  • Known vulnerabilities
    • e.g., EternalBlue
  • Brute force
  • Password spray
  • Credential stuffing
  • LLMNR
  • SMBRelay

Common tools for attacking SMB include:

  • Nmap
  • Metasploit Framework
  • Impacket
  • Responder
  • Hydra
  • CrackMapExec (CME)

Defence

Here are some of the defences you can leverage:

  • Enforce strong authentication policies
    • Enable account lockouts
  • Conduct password audits
  • Restrict SMB to known locations
  • Enable SMB Signing
  • Ensure SMB is patched
  • Disable legacy SMB versions, e.g., SMBv1
  • Disable Anonymous Access
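Two of the items above, "Enable SMB Signing" and the protocol version in use, can be verified from the server's SMB2 NEGOTIATE response. The following is an added example (my own code, not from the original post) that parses that response as laid out in MS-SMB2 section 2.2.4 and reports whether signing is merely enabled or actually required; it runs against a constructed sample message rather than live traffic.

```python
import struct

SIGNING_ENABLED, SIGNING_REQUIRED = 0x0001, 0x0002   # SecurityMode bits (MS-SMB2 2.2.4)
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}

def parse_negotiate_response(msg: bytes) -> dict:
    """Parse an SMB2 NEGOTIATE response, with or without the 4-byte NetBIOS
    session-service length prefix that precedes every message on TCP 445."""
    if msg[:4] != b"\xfeSMB":                        # prefix: 0x00 + 3-byte big-endian length
        msg = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    if msg[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    hdr_size, _credit_charge, status, command = struct.unpack_from("<HHIH", msg, 4)
    if hdr_size != 64 or command != 0x0000:          # 0x0000 = SMB2 NEGOTIATE
        raise ValueError("not a NEGOTIATE response")
    struct_size, sec_mode, dialect = struct.unpack_from("<HHH", msg, 64)
    if struct_size != 65:
        raise ValueError("bad NEGOTIATE response StructureSize")
    return {"status": status,
            "dialect": DIALECTS.get(dialect, f"unknown 0x{dialect:04x}"),
            "signing_enabled": bool(sec_mode & SIGNING_ENABLED),
            "signing_required": bool(sec_mode & SIGNING_REQUIRED)}

def assess_signing(info: dict) -> str:
    """Turn the parsed SecurityMode into the checklist answer. SMB2 servers
    always advertise SIGNING_ENABLED; only SIGNING_REQUIRED stops an unsigned
    session from being accepted, so that is the bit a defender should check."""
    if info["signing_required"]:
        return "signing required"
    if info["signing_enabled"]:
        return "signing enabled but not required: unsigned sessions accepted"
    return "signing disabled"

def build_sample_response(sec_mode: int, dialect: int) -> bytes:
    """Constructed sample (not captured traffic): a minimal, well-formed
    NEGOTIATE response with its NetBIOS prefix, used to exercise the parser."""
    header = b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ16s",
        64, 1, 0, 0x0000, 1, 0x00000001, 0, 0, 0, 0, 0, b"\x00" * 16)  # Flags = SERVER_TO_REDIR
    body = struct.pack("<HHHH16sIIIIQQHHI",
        65, sec_mode, dialect, 0, b"\x00" * 16, 0, 65536, 65536, 65536, 0, 0, 128, 0, 0)
    smb2 = header + body
    return b"\x00" + len(smb2).to_bytes(3, "big") + smb2

if __name__ == "__main__":
    for mode in (SIGNING_ENABLED, SIGNING_ENABLED | SIGNING_REQUIRED):
        info = parse_negotiate_response(build_sample_response(mode, 0x0311))
        print(info["dialect"], "->", assess_signing(info))
```

Feed it the bytes a real server returns to an SMB2 NEGOTIATE on port 445 (for example from a packet capture) and the same fields answer the "Is SMB signing enabled?" checklist item.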

Summary

A lot of networks are flat: they have SMB enabled everywhere and very few controls. In a domain environment this leaves them wide open for lateral movement. Review your group policies and look to harden your SMB implementation. Jack in finance really should not be connecting to Sarah's PC in facilities over SMB.

Remember as well, SMBv1 is old, if you have it enabled Ned will cry! Disable it for Ned!
