Server Message Block

SMB is a communication protocol that Microsoft created to provide features like file sharing, printer sharing, and network browsing across nodes on a network. There was an attempt to create a better version of SMB, CIFS; however, it wasn't as efficient as SMB itself and was quickly abandoned. Since then SMB has been made publicly available. Nowadays SMB is used not only on Windows machines but also on Linux machines; Samba, for example, is a package of programs that makes this interoperability possible.

Ports

When SMB was first implemented it relied on NetBIOS for functionality; later it was updated to run directly over TCP/IP and over NetBT (NetBIOS over TCP/IP). Depending on which implementation is used, different ports are used. Most of the time you will see both of these ports open to allow backwards compatibility.

TCP/IP — Port 445
NetBT — Port 139

SMB Shares

When directories are shared across the network, the shared directories are called SMB Shares. You can enumerate the available shares on an SMB server with SMBClient using the -L option, which stands for list.

smbclient -L \\\\<IP>\\

You will see all the SMB shares listed, and some of them will have a $ at the end. That means those shares are hidden and, most of the time, only accessible by the Administrator.

When you want to connect to an SMB Share, add its name after the IP address. Here is an example where C$ is the share.

smbclient \\\\<IP>\\C$

Another share to keep in mind is the IPC$ share. This share is accessible with an anonymous null session by using the options -U "" and -N (no password prompt). You can obtain various information such as the OS version and the [[Parent domain]] from there. Refer to Enumeration for more info.

Don't forget the \

Since in Windows environments '\' is used instead of '/' when describing paths, we have to preface the IP address with two backslashes (\\). However, since the backslash also counts as an escape character in the shell, you have to escape each '\' with another '\'. So instead of two backslashes we need to use four. The same applies to directory paths.

If you do it this way, SMBClient will use your Linux username as the SMB username to access the share. If you want to use a different username, use the -U option.

smbclient -U 'Administrator' \\\\<IP>\\<SHARE>
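The following script is an added example, not part of the original note, showing two things from the sections above: what the shell actually hands to smbclient once it has processed the four backslashes, and how to pick the hidden ($) shares out of an `smbclient -L` listing. The host 10.0.0.5 and the share listing are constructed sample data; the `smb_unc`, `smb_unc_slash`, `show_arg` and `hidden_shares` function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original note): backslash handling for
# smbclient service names and a parser for hidden shares.

# Build the UNC-style service name smbclient expects (\\host\share).
# Inside single quotes printf turns each '\\' into one literal backslash,
# so the result needs no further escaping when passed in double quotes.
smb_unc() {
  printf '\\\\%s\\%s' "$1" "$2"
}

# smbclient also accepts //host/share, which sidesteps the backslash
# problem entirely; this builds that form.
smb_unc_slash() {
  printf '//%s/%s' "$1" "$2"
}

# Echo an argument exactly as a command would receive it. Calling this with
# an unquoted \\\\10.0.0.5\\Public shows the shell collapsing every \\ to \.
show_arg() {
  printf '%s' "$1"
}

# Constructed sample of `smbclient -L` output (not captured from a real host).
SAMPLE_LIST='
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        Public          Disk      Shared documents
        HP-Laser        Printer   Office printer
SMB1 disabled -- no workgroup available'

# Print the share names that end in $ (hidden/administrative shares),
# ignoring header, separator and status lines.
hidden_shares() {
  printf '%s\n' "$1" | awk '$1 ~ /[$]$/ && $2 ~ /^(Disk|IPC|Printer)$/ { print $1 }'
}

# Typical usage (commented out so the script runs offline):
#   smbclient -L "$(smb_unc 10.0.0.5 '')" -N -U ''          # null-session listing
#   smbclient "$(smb_unc 10.0.0.5 'C$')" -U Administrator   # connect to C$
#   smbclient -L "$(smb_unc 10.0.0.5 '')" -N | hidden_shares "$(cat)"
```

Run it with `sh -x` to watch the backslashes disappear: `show_arg \\\\10.0.0.5\\Public` prints `\\10.0.0.5\Public`, which is the service name smbclient sees. Quoting the argument in single quotes (`'\\10.0.0.5\Public'`) or using the `//host/share` form avoids the doubling altogether.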

Default Credentials

Username              Password
(blank)               (blank)
guest                 (blank)
Administrator, admin  (blank), password, administrator, admin
arcserve              arcserve, backup
tivoli, tmersrvd      tivoli, tmersrvd, admin
backupexec, backup    backupexec, backup, arcada
test, lab, demo       password, test, lab, demo

These are a few default credentials worth testing when enumerating an SMB server. Normally Nmap will try simple combinations anyway when you use the -sC option. SMBClient will use your own username if you don't specify one with the -U option.

Mounting a Share

Transclude of fstab---File#smb

Hacking

Generally speaking, the Nmap scan will reveal some important information like the Parent Domain and which of the default credentials worked. However, it is a good idea to use other tools like Enum4Linux, which will enumerate all the information for you.

Enum4Linux

This is generally a pretty simple tool for scanning SMB servers, which requires just the IP address of the server. You can list all the available options with enum4linux -h, but using the -a option is generally a good idea since it includes all the other options like 'get userlist' or 'get sharelist'. You can provide a username and password with the options -u and -p. Include the IP address last.

enum4linux -u '<User>' -p '<password>' -a <IP>

If the user account has no password, just don't use the -p option or use -p ''. Enum4Linux will also try to guess user accounts like 'guest' or 'root'; however, it strangely doesn't include the account 'Administrator', which is often a default Windows account. It is advisable to try that username manually.

Sources

GitHub Hacktricks

To browse the shares directly, use SMBClient.

Security

SMB allows the use of either NTLM or Kerberos to authenticate its users. It is also possible to configure Samba to run over LDAP. Mandatory Hacktricks site: link
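The anonymous IPC$ null session mentioned under SMB Shares and the NTLM authentication mentioned here are both controlled by a handful of Samba [global] settings. The script below is an added example, not part of the original note, that reads a Samba configuration and reports the settings which permit NTLMv1 and anonymous sessions. The two smb.conf excerpts are constructed sample input, and the `conf_get` and `audit_conf` function names are the example's own; `ntlm auth`, `restrict anonymous` and `map to guest` are real Samba parameters.

```shell
#!/bin/sh
# Added example (not from the original note): flag Samba [global] settings
# that allow anonymous null sessions and NTLMv1 authentication.

# Constructed smb.conf excerpts used as sample input.
WEAK_CONF='[global]
   workgroup = EXAMPLE
   ntlm auth = yes
   restrict anonymous = 0
   map to guest = Bad User'

HARDENED_CONF='[global]
   workgroup = EXAMPLE
   ntlm auth = ntlmv2-only
   restrict anonymous = 2
   map to guest = Never'

# Print the value of one "key = value" line (empty string if the key is absent).
# Keys are matched case-insensitively and surrounding whitespace is trimmed.
conf_get() {
  printf '%s\n' "$1" | awk -F'=' -v key="$2" '
    NF >= 2 {
      k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (tolower(k) == tolower(key)) {
        v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
      }
    }'
}

# Emit one line per weak setting found; the caller counts the lines.
audit_conf() {
  conf="$1"
  # "yes" (alias ntlmv1-permitted) lets clients authenticate with NTLMv1.
  case "$(conf_get "$conf" 'ntlm auth' | tr 'A-Z' 'a-z')" in
    yes|true|1|ntlmv1-permitted) echo "ntlm auth permits NTLMv1" ;;
  esac
  # restrict anonymous defaults to 0, so an absent key is also a finding;
  # 2 refuses anonymous IPC$ connections.
  case "$(conf_get "$conf" 'restrict anonymous')" in
    0|"") echo "restrict anonymous = 0: anonymous IPC\$ sessions permitted" ;;
  esac
  # Anything other than Never maps failed or unknown logins to the guest account.
  case "$(conf_get "$conf" 'map to guest' | tr 'A-Z' 'a-z')" in
    never|"") ;;
    *) echo "map to guest is not Never: failed logins mapped to guest" ;;
  esac
}

# Usage against a live server's config:
#   audit_conf "$(cat /etc/samba/smb.conf)"
```

Run against the weak excerpt it prints three findings; against the hardened one it prints nothing. The checks read only the [global] section as written; values applied by `include` directives or set per share are not followed.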