SMB 101
SMB (Server Message Block) is a protocol used to share resources such as files, printers, and directories over a network. It uses a client-server architecture, where the server makes resources available, and multiple clients can access them. Although SMB3 introduces encryption to protect data, earlier versions like SMB1 transmit information in plain text, making it vulnerable to certain attacks.
In this article, we will focus on basic concepts, key commands, and common attacks related to SMB, highlighting the use of tools like enum4linux for enumeration.
Theory
Ports Used by SMB
SMB primarily operates on the following ports:
- 445/TCP: Used by modern SMB for direct connections without NetBIOS.
- 139/TCP: Used by older versions relying on NetBIOS.
Authentication in SMB
SMB employs several authentication mechanisms:
- NTLM (LAN Manager): Vulnerable to relay and brute-force attacks.
- Kerberos: More secure, used in environments with Active Directory.
Enumeration with SMB
Enumeration is the initial step to gather information about shared resources, users, and the SMB server configuration. Here are some common tools for this purpose:
Enum4linux
Enum4linux is an enumeration tool specifically designed for SMB. It allows identifying shared resources, password policies, and users on Windows systems.
Common Commands:
Specific Modes:
-
Enumerate users:
-
Enumerate shared resources:
-
Enumerate domain information:
Typical Outputs:
- Available shared resources.
- System users.
- Password policies, such as expiration and minimum length.
SMBClient
SMBClient is a tool integrated into Linux systems for interacting directly with SMB resources.
Example Usage:
After connecting, you can list, download, and upload files with FTP-like commands:
ls # List current directory (file management and navigation commands similar to Linux)
get # Download a file
put # Upload a file
Enumerating shared resources:
Common SMB Attacks
Null Sessions
Null sessions occur when an SMB server allows connections without authentication, exposing information such as shared resources and users.
Enumerating Null Sessions with smbclient:
Danger
Attackers can use this information to plan more advanced attacks, such as brute-force password attacks.
Brute Force and Password Spraying
SMB can be vulnerable to brute-force attacks if proper security measures are not implemented. Tools like Hydra and Medusa are common for this purpose.
Hydra for SMB:
NetExec:
Danger
The attacker may gain unauthorized access to shared resources if valid credentials are cracked.
NTLM Relay
This attack intercepts and forwards NTLM authentications to impersonate the legitimate user. SMB servers with signing disabled are especially vulnerable.
Using Responder:
Tip
In order to mitigate, enable SMB signing and use Kerberos authentication instead of NTLM.
Credential Sniffing
Older versions like SMB1 transmit credentials in plain text, allowing an attacker to capture credentials with tools like Wireshark.
Wireshark Filter:
Danger
An attacker may use captured credentials to access the SMB server.
File Upload for RCE
If an SMB resource allows writing, an attacker may upload malicious files, such as web shells, to execute remote commands.
Uploading with SMBClient:
Danger
This can compromise the server, allowing command execution or malware installation.
Defenses Against SMB Exploits
-
Disable SMB1: It is outdated and vulnerable. Replace it with SMB2 or SMB3:
-
Enable SMB Signing: To prevent NTLM relay attacks.
- Restrict Permissions: Ensure shared resources are protected with strict permissions.
- SMB3 Encryption: SMB3 allows encrypting traffic, protecting against sniffing.
- Regular Monitoring: Use tools like Splunk or Wireshark to detect anomalous activity.
In the next article of this series on SMB we will discuss common implementation errors and some known vulnerabilities of some implementations of the protocol.
Stay safe. Stay smart. Stay secure.