inH1THM

SMB & Netbios Enumeration

SMB (Server Message Block)

SMB is a network sharing protocol widely used for file, printer, and resource sharing in Windows networks. It allows users to access files on remote systems as if they were local.

SMB Versions:

  • SMB 1.0: Early versions were prone to security issues and are now largely deprecated.

  • SMB 2.0/2.1: Introduced in Windows Vista/Server 2008, with improved security and performance.

  • SMB 3.0: Added in Windows 8/Server 2012, with features like encryption and multichannel support.

Ports: SMB operates over port 445 for direct connections, while port 139 is used for NetBIOS integration.

Modern networks often rely on SMB with DNS, with NetBIOS being optional or enabled for backward compatibility.

🔹 How it Works:

  • A client connects to an SMB server to access shared files/services.

  • It operates over TCP and establishes connections using a 3-way handshake.

  • Access permissions are controlled by ACLs (Access Control Lists) for fine-grained control.

Samba and CIFS Protocol Summary

What is Samba?

Samba is an open-source SMB server for Linux and Unix, allowing them to communicate with Windows systems over a network.

What is CIFS?

  • CIFS (Common Internet File System) is an older SMB version developed by Microsoft.

  • It primarily works with SMB 1, whereas newer versions like SMB 2 & SMB 3 offer better performance and security.

  • CIFS uses TCP port 445, while NetBIOS SMB uses ports 137, 138, and 139.

# use to restart Samba
sudo systemctl restart smbd

Exploring SMB Shares with smbclient

We can list available shares on an SMB server using a Null Session (anonymous access) with the following command:

smbclient -N -L //10.129.14.128

📌 Explanation:

  • N → No password (anonymous login).

  • L //10.129.14.128 → List available shares on the target server.

Sample Output:

Sharename       Type      Comment
---------       ----      -------
IPC$            IPC       Remote IPC
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
notes           Disk      Personal Notes

to access share file

smbclient //10.129.14.128/notes # added name of file

to run command on samba we use !

smb: \\> !cat test.txt

Monitoring Samba Connections with smbstatus

The smbstatus command helps administrators track active connections on a Samba server. It provides details about:

  • Connected users

  • Machines accessing the server

  • Samba version

  • Active SMB protocol version

📌 Example Output:

Samba version 4.15.0
PID     Username      Group        Machine             Protocol Version
------------------------------------------------------------------------
2103    alice         users        192.168.1.10        SMB3_02
2207    bob           admins       192.168.1.15        SMB3_11

Footprinting the service

sudo nmap 10.129.14.128 -sV -sC -p139,445

Why use rpcclient instead of Nmap?

rpcclient -U "" ip_add

Nmap may not reveal enough SMB information. rpcclient is a powerful tool that allows manual interaction with SMB and retrieves details like:

  • User accounts

  • User groups

  • Shared folders and security policies

it depend on RPC (Remote procedure call)

Key rpcclient commands:

Query

Description

srvinfo

Server information.

enumdomains

Enumerate all domains that are deployed in the network.

querydominfo

Provides domain, server, and user information of deployed domains.

netshareenumall

Enumerates all available shares.

netsharegetinfo <share>

Provides information about a specific share.

enumdomusers

Enumerates all domain users.

queryuser <RID>

Provides information about a specific user.

Brute Forcing User RIDs

 for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\\n' $i)" | grep "User Name\\|user_rid\\|group_rid" && echo "";done

we use smbmap and crackmapexec

crackmapexec smb 10.129.14.128 --shares -u '' -p ''

smbmap -H 10.129.14.128

enum4linux-ng which this tool use to automate process

git clone <https://github.com/cddmp/enum4linux-ng.git>
cd enum4linux-ng
pip3 install -r requirements.txt
 ./enum4linux-ng.py 10.129.14.128 -A

SMB cheat sheet

Command

Description

smbclient -N -L //<FQDN/IP>

Null session authentication on SMB.

smbclient //<FQDN/IP>/<share>

Connect to a specific SMB share.

rpcclient -U "" <FQDN/IP>

Interaction with the target using RPC.

samrdump.py <FQDN/IP>

Username enumeration using Impacket scripts.

smbmap -H <FQDN/IP>

Enumerating SMB shares.

crackmapexec smb <FQDN/IP> --shares -u '' -p ''

Enumerating SMB shares using null session authentication.

enum4linux-ng.py <FQDN/IP> -A

SMB enumeration using enum4linux.

Quick Summary

Samba allows Linux/Unix to communicate with Windows using SMB/CIFS for file and printer sharing.

Samba 3 can join Active Directory, while Samba 4 can act as a Domain Controller (DC).

✅ It has two main services: smbd (file sharing) and nmbd (name resolution with NetBIOS).

✅ Works in Workgroup (small networks) or Active Directory (large, secure networks).

NetBIOS (Network Basic Input/Output System)

NetBIOS is an API and set of network protocols for communication over local networks, allowing applications on different computers to find and interact with each other. NetBIOS offers three primary services:

  1. Name Services: Facilitates name resolution, allowing devices to register and resolve NetBIOS names over port 137.

  2. Datagram Distribution Services: Supports connectionless communication, typically over port 138.

  3. Session Services: Manages connection-oriented communication on port 139 for reliable data transfers.

Link : https://xmind.ai/share/OlDJ7Hxu?xid=D3uFkSl9

PreviousFTPNextLabs

Last updated