
SMB Enumeration Guide

Introduction

Server Message Block (SMB) is a network protocol that provides shared access to files, printers and serial ports between nodes on a network. SMB servers can be accessed with command-line clients such as smbclient or through ordinary file browsers. The service listens on TCP port 445 (SMB directly over TCP) and, where NetBIOS over TCP/IP is enabled, on TCP port 139 (SMB carried over the NetBIOS session service).

This guide will cover the main methods to enumerate an SMB server in order to find potential vulnerabilities or misconfiguration.

SMB Versions

Before diving into the methods used to collect information from SMB, it is worth understanding the iterations the protocol went through over the years and why some of them are considered highly insecure:

  • SMB1 was the original dialect. It used 16-bit packet size fields and small data buffers, which greatly limited performance, and it offers no encryption for data in transit. Its message signing is weak and disabled by default, it is susceptible to MITM (man-in-the-middle) and downgrade attacks, and its implementations have a long history of critical bugs; modern Windows no longer installs it by default.
  • SMB2 widened the protocol fields to 32-bit packet sizes and 64-bit file offsets, and substantially reduced the number of commands and round trips needed for common operations. Security was improved with HMAC-SHA256 packet signing to detect tampering and MITM, but there is still no built-in encryption.
  • SMB3 added further performance and security enhancements: multichannel, end-to-end AES encryption of session data, and (in SMB 3.1.1) pre-authentication integrity, which lets a client detect when the negotiated dialect or capabilities have been tampered with. Servers can be configured to require encryption so that newer clients only connect securely.

Identifying an SMB Server

Port scanning tools such as Nmap can be used to identify whether an SMB server is running on the target host:

nmap -p 139,445 X.X.X.X

If either port is reported open, the host is offering SMB: 445 is SMB directly over TCP, 139 is SMB over NetBIOS, and many Windows hosts expose both.

Identifying SMB/OS Version

A fundamental step in enumerating SMB is identifying which SMB dialects the server accepts and which operating system version it runs, as this determines whether a known exploit for that version can be used to obtain remote code execution.

One way to do this is the -sV flag in Nmap, although on its own it usually yields only a generic service name (netbios-ssn or microsoft-ds) and perhaps a workgroup name, because SMB does not advertise its version in a banner when a connection is opened:

nmap -p 139,445 -sV -Pn X.X.X.X

If this fails, initiate a connection with Nmap or any SMB-capable client and capture the traffic with Wireshark. The Negotiate Protocol response shows which dialect was selected, and the NTLMSSP challenge returned during Session Setup carries the server's NetBIOS and DNS names, its domain and the Windows build number, because the server fills in the NTLM version and target-info fields before any credentials have been accepted.

The same information can be obtained with the Metasploit auxiliary/scanner/smb/smb_version module, which performs the same exchange, or with the Nmap smb-os-discovery and smb-protocols scripts (the latter lists every dialect the server accepts, which is the reliable way to confirm whether SMB1 is still enabled).
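The two steps above (find hosts with 139/445 open, then fingerprint them) chained into one helper. This is an added example written for this guide, not a script from the original page or from the Nmap project. It parses Nmap's grepable output (what the first scan writes when -oG is added) and then runs the three NSE scripts named above against each surviving host. The scan output embedded below is constructed for the example and the addresses in it are placeholders.

```sh
#!/bin/sh
# Added example (not from the original guide): find SMB hosts in an Nmap
# grepable (-oG) file, then fingerprint them with the NSE scripts named above.
set -eu

# Grepable output of "nmap -p 139,445 -oG smb.gnmap 192.0.2.0/28", constructed
# for this example; the addresses are documentation placeholders.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -p 139,445 -oG smb.gnmap 192.0.2.0/28
Host: 192.0.2.1 ()   Status: Up
Host: 192.0.2.1 ()   Ports: 139/closed/tcp//netbios-ssn///, 445/closed/tcp//microsoft-ds///
Host: 192.0.2.10 ()  Status: Up
Host: 192.0.2.10 ()  Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 192.0.2.11 ()  Status: Up
Host: 192.0.2.11 ()  Ports: 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 192.0.2.12 ()  Status: Up
Host: 192.0.2.12 ()  Ports: 139/open/tcp//netbios-ssn///, 445/closed/tcp//microsoft-ds///
# Nmap done at Mon Jan  1 10:00:05 2024 -- 16 IP addresses (4 hosts up) scanned in 5.00 seconds'

# smb_hosts FILE: print "<ip> <port>" for every host with an open SMB port,
# preferring 445 (SMB over TCP) and falling back to 139 (SMB over NetBIOS).
smb_hosts() {
    awk '/^Host:/ && /Ports:/ {
        if ($0 ~ /445\/open\/tcp/)      print $2, 445
        else if ($0 ~ /139\/open\/tcp/) print $2, 139
    }' "$1"
}

# smb_fingerprint IP PORT: OS/domain guess, accepted dialects (is SMB1 still
# on?) and whether signing is required, all via a null session where possible.
smb_fingerprint() {
    nmap -Pn -p "$2" --script smb-os-discovery,smb-protocols,smb-security-mode "$1"
}

# Demonstration on the constructed sample; needs no network access.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_GNMAP" > "$tmp"
smb_hosts "$tmp"          # 192.0.2.10 445 / 192.0.2.11 445 / 192.0.2.12 139
rm -f "$tmp"

# Against a real scan file, chain the two steps:
#   smb_hosts smb.gnmap | while read -r ip port; do smb_fingerprint "$ip" "$port"; done
```

The parser keys on the `445/open/tcp` and `139/open/tcp` tokens rather than on column positions, so it is unaffected by the hostname field or the trailing "Ignored State" text Nmap appends to real output. smb-protocols is the check to read first: a host that still negotiates SMB1 is the one worth feeding to the smb-vuln-* scripts later in this guide.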

Identifying Known Vulnerabilities

Tools such as SearchSploit can then be used to identify known vulnerabilities for the version found:

searchsploit microsoft smb [Windows or SMB version]

The Metasploit console offers an equivalent search with keyword filters:

search type:exploit platform:windows target:[Windows version]

Alternatively, vulnerability databases such as MITRE CVE, NVD and VulDB can be consulted. A version match alone does not prove exploitability, so the smb-vuln-* Nmap scripts or a Metasploit module's check command should be used to confirm before an exploit is launched.

Null Session Attack

A null session is an SMB session established with an empty username and password. On Windows this usually grants access only to the hidden IPC$ share (interprocess communication), which is enough to reach the RPC pipes used for enumerating users, groups, policies and shares, but additional shares may also have been configured to allow anonymous access.

Null sessions can be used to gather more information about the host and its network, or to read data from shares that permit this type of authentication. They are enabled by default only on Windows 2000 and older; later versions restrict anonymous access (the RestrictAnonymous settings), although an administrator can still re-enable it, and Samba servers with guest access behave the same way.

A null session can be initiated by using the SmbClient tool:

smbclient -N -L \\\\X.X.X.X

The command above simply lists the available shares, but the -N flag can be added to any other smbclient command (connecting to a share, listing its contents) in the same way.

Nmap Scripts

The Nmap Scripting Engine (NSE) allows users to write (and share) simple scripts, written in the Lua programming language, that automate a wide variety of networking tasks.

Nmap comes with several SMB-related scripts such as:

  • smb-enum-shares – Enumerates the shares offered by an SMB server, and the access level of each where a login (or null session) allows it.
  • smb-brute – Performs brute-force password auditing against SMB servers.
  • smb-system-info – Collects system information through SMB/NetBIOS.
  • smb-vuln-* (for example smb-vuln-ms17-010) – Checks whether the SMB server is vulnerable to specific known exploits.

It is good practice to run smb-enum-* to collect general information about the server and smb-vuln-* to check for known vulnerabilities that might affect it.

When using Nmap, scripts are selected with the --script flag, which accepts names, wildcards and categories:

nmap -p 139,445 --script [script name] X.X.X.X

Nmap scripts are powerful and greatly speed up reconnaissance. The -sC flag runs the scripts in the default category (equivalent to --script=default); that set is curated to be reasonably unobtrusive, but it is not the same as the safe category, and smb-brute and the smb-vuln-* checks are not part of it.

Common Credentials

If null sessions are disabled on the remote SMB server, a few common usernames and passwords (administrator, admin, guest, root, test, the username itself as the password, a blank password) should be tried before anything noisier. This produces a handful of attempts rather than thousands, so it is far less likely to trigger account lockout, and it should always be done first.

On the example host used in this guide, a connection was established as the user test with the password test.

SMB authentication can also be performed with the Metasploit auxiliary/scanner/smb/smb_login module, or from a desktop file browser by opening smb://X.X.X.X/ (for example with xdg-open smb://X.X.X.X/ or by typing that address in the browser's location bar).

Bruteforcing Credentials

A brute-force attack consists of an attacker submitting many passwords or usernames in order to identify a valid combination for a given system.

Network login crackers such as Hydra can perform brute-force attacks against online services such as FTP, HTTP and SMB. In this case it is a dictionary attack: Hydra takes the usernames and passwords from text files and tries each combination against the server.

The following Hydra command brute-forces SMB credentials (the same syntax works for other services by changing the scheme, e.g. ftp://X.X.X.X). Note that Hydra's port option is lowercase -s; uppercase -S requests TLS:

hydra [-L users.txt or -l user_name] [-P pass.txt or -p password] -f [-s port] smb://X.X.X.X

With -f, Hydra stops after the first valid pair; on the example host it identified the password for the test user from the supplied lists.

SMB credentials can also be brute-forced with the Nmap smb-brute script or the Metasploit auxiliary/scanner/smb/smb_login module. All of these produce failed logon events on the target and count towards its account lockout policy, so the policy should be checked first (a null session or any valid account can read it, for example with enum4linux -P) and long wordlists should be replaced by a password spray of one or two passwords across all users.

Packet Sniffing

Packet sniffing is the practice of gathering, collecting, and logging some or all packets that pass through a computer network, regardless of how the packet is addressed.

SMB1 and SMB2 do not encrypt traffic, so an attacker positioned on the network path sees share names, file contents and usernames in the clear on ports 139 and 445. Passwords themselves are not sent in plaintext in either version: authentication uses NTLM challenge/response (or Kerberos in a domain), so what the attacker actually captures is the server's NTLM challenge and the client's response. That pair can be cracked offline against a wordlist or, when the server does not require SMB signing, relayed to another host to authenticate as the victim. SMB3 encryption protects the session data, but the session-setup exchange that carries NTLM happens before encryption is switched on, so the hashes remain capturable.

Wireshark is a widely used network sniffing and packet analysis tool that can be used for this; its ntlmssp display filter isolates the authentication messages.

Enumerating Shares

The easiest way to enumerate shares is the smbclient tool, with the following command (smbclient takes the password as part of -U, separated from the username by a percent sign; its -P flag is for machine-account passwords, not user passwords):

smbclient [-U 'username%password' or -N for no password] -L \\\\X.X.X.X

On the example host this enumerated the default administrative shares ADMIN$, C$ and IPC$, which are always present on Windows and require administrator rights to open, plus a custom share named Backups, which is the one worth examining first.

Shares can also be enumerated with the Nmap smb-enum-shares script, which additionally reports the access level obtained on each share, or the Metasploit auxiliary/scanner/smb/smb_enumshares module.
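The null-session and share-enumeration steps above, combined with an access check on every share found, as an added example that is not part of the original guide or of the Samba project. It uses smbclient's grepable listing mode (-g), which prints one share per line as type|name|comment and therefore survives share names containing spaces. The host address and credentials are placeholders, and the share listing embedded for the demonstration is constructed to mirror the shares discussed above.

```sh
#!/bin/sh
# Added example (not from the original guide): list the disk shares a host
# offers, then probe each one for read and write access, using either a null
# session or supplied credentials. Host and credentials are placeholders.
set -eu

# Grepable share listing ("smbclient -g -L //HOST -N"), constructed for this
# example to mirror the shares discussed above; format is type|name|comment.
SAMPLE_LIST='Disk|ADMIN$|Remote Admin
Disk|C$|Default share
IPC|IPC$|Remote IPC
Printer|HP LaserJet|Office printer
Disk|Backups|Nightly backups
SMB1 disabled -- no workgroup available'

# disk_shares: read grepable smbclient -L output on stdin and print the names
# of Disk shares only. IPC$ is never browsable and printers are not files, so
# they are dropped. The | separator copes with share names containing spaces.
disk_shares() {
    awk -F'|' '$1 == "Disk" { print $2 }'
}

# probe_share HOST SHARE AUTH...: classify one share. AUTH is the smbclient
# authentication argument(s): -N for a null session or -U 'user%pass'.
# The write test uploads and deletes a marker file, which does modify the
# share; skip that part if the rules of engagement forbid writes.
probe_share() {
    host=$1; share=$2; shift 2
    marker=".smbprobe.$$"
    if ! smbclient "//$host/$share" "$@" -c 'ls' >/dev/null 2>&1; then
        echo "$share NO ACCESS"; return 0
    fi
    : > "/tmp/$marker"
    if smbclient "//$host/$share" "$@" -c "put /tmp/$marker $marker; rm $marker" >/dev/null 2>&1; then
        echo "$share READ/WRITE"
    else
        echo "$share READ"
    fi
    rm -f "/tmp/$marker"
}

# enum_shares HOST AUTH...: list and probe every disk share on HOST.
enum_shares() {
    host=$1; shift
    smbclient -g -L "//$host" "$@" 2>/dev/null | disk_shares |
    while read -r share; do probe_share "$host" "$share" "$@"; done
}

# Demonstration on the constructed listing (no network access needed):
printf '%s\n' "$SAMPLE_LIST" | disk_shares     # ADMIN$ C$ Backups

# Real use, null session first and then with any credentials found:
#   enum_shares 192.0.2.10 -N
#   enum_shares 192.0.2.10 -U 'test%test'
```

Running it twice, once with -N and once with credentials, shows which shares are exposed anonymously versus only to authenticated users. The "NO ACCESS" result for ADMIN$ and C$ under a low-privileged account is expected; a READ/WRITE result on a custom share such as Backups is the finding that leads into the file and folder enumeration below.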

Enumerating Files & Folders

Once authentication has succeeded, the following should be identified:

  • Current working directory
  • Whether SMB is granting access to directories used by other services
  • Files and folders the current user can read from or write to

These enumeration steps are key to further exploiting SMB. For example, if SMB grants write access to a folder served by a web server, a malicious script can be uploaded and then executed by requesting it from a browser. Alternatively, if the current SMB user can read or modify sensitive files such as logs, shell history, configuration files containing credentials, or the SYSTEM and SAM registry hives, that can lead to remote access to the system.

The following command connects to an SMB share:

smbclient [-U 'username%password' or -N for no password] \\\\X.X.X.X\\share

Similar to the FTP command line, commands such as cd, ls and rm are used inside smbclient to interact with folders and files. A more comprehensive list of commands is given in the Common SMB Commands section below.

Useful SMB Enumeration Tools

There are a number of tools that automate the testing of SMB shares, collecting information about the host, enumerating shares, files and folders, and identifying known vulnerabilities:

  • SMBClient – A client that is part of the Samba software suite. It communicates with an SMB (LAN Manager) server, offering an interface similar to the FTP program: getting files from the server to the local machine, putting files from the local machine onto the server, retrieving directory information from the server, and so on.
  • Enum4Linux – A tool for enumerating information from Windows and Samba systems. It offers similar functionality to the enum.exe tool formerly available from www.bindview.com. It is written in Perl and is essentially a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup.
  • SMBMap – Enumerates Samba/SMB share drives across an entire domain: listing shares, share permissions and contents, uploading and downloading files, auto-downloading files whose names match a pattern, and even executing remote commands. It was designed with penetration testing in mind and simplifies searching for potentially sensitive data across large networks.
  • Impacket – A collection of Python classes for working with network protocols. It focuses on low-level programmatic access to the packets and, for some protocols (e.g. SMB1-3 and MSRPC), provides the protocol implementation itself.
  • CrackMapExec – A post-exploitation tool that automates assessing the security of large Active Directory networks (including SMB shares). It follows the "living off the land" approach, abusing built-in features and tools to achieve its functionality.

Common SMB Commands

Below are some of the most common commands used inside smbclient when communicating with an SMB server:

  • help – List the available commands.
  • cd – Move to the specified directory.
  • del/rm – Delete the specified file(s).
  • dir/ls – List the contents of the specified directory.
  • get – Download the specified file.
  • mget – Download all files matching the specified pattern (prompting for each unless prompt is toggled off).
  • put – Upload the specified file.
  • mput – Upload all local files matching the specified pattern.
  • mkdir/md – Create the specified directory.
  • rmdir/rd – Delete the specified directory.
  • quit/exit – Exit smbclient.

Conclusion

SMB is a very common service encountered during penetration tests, especially on Windows systems. Although in most cases it does not pose a huge threat by itself, it often helps an attacker gain remote access by exposing sensitive files to reading or modification, by carrying known-exploitable implementation bugs, or by leaking critical system information.

Null sessions should be disabled unless absolutely necessary, strong passwords and an account lockout policy should be enforced, SMB1 should be disabled and SMB3 preferred over SMB2 wherever practicable, with signing required and encryption enabled, and the service should be patched regularly.
