SMB Services
Server Message Block (SMB) is a protocol used for file and resource sharing over a network. It is one of the most common protocols found in both enterprise and small business environments, making it a critical component to understand for penetration testing.
Understanding SMB
SMB operates on TCP ports 139 and 445:
Port 139: SMB originally ran on top of NetBIOS over TCP/IP
Port 445: Direct SMB over TCP/IP (modern implementations)
SMB was invented by IBM in the mid-1980s. The UNIX/Linux equivalent is Samba, which implements the Common Internet File System (CIFS) protocol.
SMB/Samba Architecture
Samba is a collection of applications that implements the SMB protocol for Unix and Linux systems. It allows for seamless integration between Windows and Linux/Unix environments.
The main configuration file for Samba resides in /etc/samba/smb.conf. This file controls all aspects of the Samba server's behavior, including:
Share definitions
Authentication methods
Access controls
Server settings
Connecting to SMB Shares
Using smbclient
The primary tool for interacting with SMB shares from Linux is smbclient.
Listing Available Shares
Output:
Parameters explained:
-N: Suppresses password prompt (null session)
-L: Lists shares available on the target
Connecting to a Share
This establishes a connection to the share, allowing for file operations if permissions allow.
Common SMB Commands
Once connected to a share, you can use these commands:
ls: List files
get: Download a file
put: Upload a file
cd: Change directory
mkdir: Create directory
rmdir: Remove directory
del: Delete file
help: Show available commands
SMB Access Restrictions
Access to SMB shares depends on the permission settings in the server's configuration. Common scenarios include:
Anonymous Access: Server allows null sessions (no credentials required)
Read-Only Access: Users can view but not modify files
Read-Write Access: Users can view and modify files
No Access: Authentication required and/or specific permissions needed
Example of different behavior with different permissions:
Alternative Enumeration Tools
Several tools can be used to enumerate and interact with SMB services:
RPCClient
Common RPCClient queries:
srvinfo: Server information
enumdomains: Enumerate domains
querydominfo: Domain information
netshareenumall: List all shares
enumdomusers: List domain users
queryuser RID: User information
SMBMap
SMBMap allows for easier enumeration of SMB shares:
CrackMapExec
For more advanced enumeration:
Enum4linux
A comprehensive tool for enumerating SMB servers:
Common SMB Attacks
Information Disclosure
Even with limited access, SMB shares might expose sensitive information:
Internal documentation
Password files
Configuration files
Backup files
Password Attacks
SMB authentication mechanisms can be targeted with:
Password guessing
Pass-the-hash attacks
Token impersonation
Example with CrackMapExec:
SMB Relay Attacks
When SMB signing is not enforced, relay attacks are possible:
Exploiting Vulnerabilities
Historical vulnerabilities like EternalBlue (MS17-010) targeted SMB. Newer implementations are generally more secure, but misconfigurations remain common.
Defensive Best Practices
As a penetration tester, you should understand these defensive measures:
Disable SMB v1: Legacy versions are insecure
Enable SMB Signing: Prevents relay attacks
Restrict Access: Implement proper ACLs
Regular Updates: Keep Samba/Windows updated
Logging and Monitoring: Detect unusual access patterns
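The measures above map directly onto settings in the smb.conf file described earlier (SMB v1 via server min protocol, signing via server signing, null sessions via map to guest, share access via guest ok and read only). The following Python is an added example, not part of this page or of Samba: it reads two constructed smb.conf fragments, one weak and one hardened, with the standard configparser module (smb.conf's INI-like syntax is close enough for this purpose) and reports the settings that contradict the practices listed above.

```python
import configparser

# Constructed sample smb.conf fragments (not from any real host): weak vs. hardened.
WEAK_CONF = """[global]
   server min protocol = NT1
   server signing = auto
   map to guest = Bad User
[public]
   path = /srv/samba/public
   guest ok = yes
   read only = no
"""
HARDENED_CONF = """[global]
   server min protocol = SMB2
   server signing = mandatory
   map to guest = Never
[public]
   path = /srv/samba/public
   guest ok = no
   read only = yes
"""
SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}  # SMB1-era names
YES = {"yes", "true", "1"}  # spellings Samba accepts for a true boolean

def parse_smb_conf(text):
    # smb.conf is INI-like, so configparser reads it; strict=False tolerates repeated keys.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   empty_lines_in_values=False)
    cp.read_string(text)
    return cp

def audit_smb_conf(text):
    """Return (section, key, reason) findings for the settings this page warns about."""
    cp = parse_smb_conf(text)
    g = cp["global"] if cp.has_section("global") else {}
    findings = []
    # An absent "server min protocol" inherits a version-dependent default; not judged here.
    if g.get("server min protocol", "").lower() in SMB1_DIALECTS:
        findings.append(("global", "server min protocol", "SMBv1 dialect allowed"))
    if g.get("server signing", "default").lower() != "mandatory":
        findings.append(("global", "server signing", "signing not mandatory; relay possible"))
    if g.get("map to guest", "Never").lower() != "never":
        findings.append(("global", "map to guest", "failed logons mapped to guest"))
    for share in (n for n in cp.sections() if n != "global"):
        s = cp[share]
        if s.get("guest ok", "no").lower() in YES:
            findings.append((share, "guest ok", "readable without credentials"))
        if s.get("writable", "no").lower() in YES or s.get("read only", "yes").lower() not in YES:
            findings.append((share, "read only", "writable share; review its ACLs"))
    return findings
```

Running audit_smb_conf on the hardened fragment returns no findings, while the weak fragment yields one finding per setting the best-practice list above calls out.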
Practical Assessment Approach
When assessing SMB services:
Enumerate shares: List all available shares
Test access levels: Check permissions on each share
Review content: Examine files for sensitive information
Test authentication: Attempt to authenticate with common credentials
Check configurations: Look for misconfigurations
Test for known vulnerabilities: Check for unpatched systems
By thoroughly understanding SMB services, you can effectively test and evaluate their security posture in target environments.