# SMB Enumeration (Port 139, 445)

## Quick Intro <a href="#quick-intro" id="quick-intro"></a>

* SMB stands for **Server Message Block**
* SMB allows you to share your resources with other computers over the network
* There are 3 versions of SMB:

1. **SMB1** is susceptible to known attacks (EternalBlue, WannaCry) and is disabled by default in newer Windows versions
2. **SMB2** reduced the "chattiness" of SMB1. Guest access is disabled by default
3. **SMB3** guest access disabled, uses encryption. Most secure.

* **TCP port 139** is SMB over NetBIOS.
* **TCP port 445** is SMB directly over TCP/IP. This is the newer way of carrying SMB.

List of SMB versions and the corresponding Windows versions:

1. SMB1 – Windows 2000, XP and Windows 2003.
2. SMB2 – Windows Vista SP1 and Windows 2008
3. SMB2.1 – Windows 7 and Windows 2008 R2
4. SMB3 – Windows 8 and Windows 2012.

## Nmap Scanning <a href="#nmap-scanning" id="nmap-scanning"></a>

```
nmap -n -v -Pn -p139,445 -sV 0.0.0.0

# Getting version information
```

```
nmap 0.0.0.0 --script=smb-enum*

nmap 0.0.0.0 --script=smb-vuln*

nmap 0.0.0.0 --script=smb-os*

# Scan with NSE Scripts
```

## List Available Shares <a href="#list-available-shares" id="list-available-shares"></a>

### smbclient

```
smbclient -L \\\\$ip\\
# Will list all shares on the target

smbclient -L \\\\$ip\\ --option='client min protocol=NT1'
# Use this if you get the error "protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED"
# (the target only speaks SMB1, which a modern smbclient refuses by default)

smbclient //HOST/PATH -c 'recurse;ls'
# List all files recursively

### smbmap

```
smbmap -H $ip
# Will list all shares with available permissions

smbmap -H $ip -R $sharename
# Recursively list dirs, and files

smbmap -u '' -p '' -H $ip 
smbmap -u guest -p '' -H $ip
smbmap -u jsmith -p password1 -d workgroup -H 0.0.0.0
# With credentials
```

### Nmap

```
nmap --script smb-enum-shares -p 139,445 $ip
```

## Connecting To Shares <a href="#connecting-to-shares" id="connecting-to-shares"></a>

```
smbclient \\\\0.0.0.0\\C$
# or, if protocol negotiation fails:
smbclient \\\\0.0.0.0\\C$ --option='client min protocol=NT1'

smbclient \\\\0.0.0.0\\admin$ -U t-skid
# Connect with a valid username and password
# Specify the username with -U

## Downloading multi files <a href="#downloading-multi-files" id="downloading-multi-files"></a>

```
smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *
# With smbclient: enable recursion, turn off per-file prompting, then fetch everything

smbmap -R $sharename -H $ip -A $fileyouwanttodownload -q
# Download a file in quiet mode (-A takes a regex matched against file names)

smbmap -u username -p password -H $ip -s wwwroot -R -A '.*'
# Download everything recursively from the wwwroot share to /usr/share/smbmap; handy when smbclient doesn't work

## Enum4Linux <a href="#enum4linux" id="enum4linux"></a>

```
enum4linux -a $ip

enum4linux -u 'guest' -p '' -a $ip
```

## Null session with rpcclient <a href="#null-session-with-rpcclient" id="null-session-with-rpcclient"></a>

rpcclient is a Linux tool for executing client-side MS-RPC functions. A null session is a connection to a Samba or SMB server that requires no password. Null sessions were enabled by default on legacy systems but have been disabled by default since Windows XP SP2 and Windows Server 2003. Nowadays it is not very common to encounter hosts with null sessions enabled, but it is worth a try if you do stumble across one. The connection uses **port 445**.

```
rpcclient -U "" <ip>

# You will be asked for a password but leave it blank and press enter to continue.
```

Some important commands:

```
rpcclient>srvinfo

rpcclient>enumdomusers

rpcclient>getdompwinfo
```

## Enumerating users with IPC$ <a href="#enumerating-users-with-ipcusd" id="enumerating-users-with-ipcusd"></a>

If the IPC$ share is enabled and allows anonymous access, we can enumerate users through **lookupsid.py**:

```
lookupsid.py anonymous@0.0.0.0
```

## Google to see if version is vulnerable <a href="#google-to-see-if-version-is-vulnerable" id="google-to-see-if-version-is-vulnerable"></a>

```
SAMBA 3.x-4.x #  vulnerable to linux/samba/is_known_pipename

SAMBA 3.5.11 # vulnerable to linux/samba/is_known_pipename
```

## smbver.sh <a href="#smbver.sh" id="smbver.sh"></a>

A good script to use if none of the scanners give you the SMB version:

```
#!/bin/sh
#Author: rewardone
#Description:
# Requires root or enough permissions to use tcpdump
# Will listen for the first 7 packets of a null login
# and grab the SMB Version
#Notes:
# Will sometimes not capture or will print multiple
# lines. May need to run a second time for success.
if [ -z "$1" ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit 1; else rhost="$1"; fi
if [ -n "$2" ]; then rport="$2"; else rport=139; fi
# The capture interface is hard-coded to tap0 (a typical VPN lab interface); change it to match your setup
tcpdump -s0 -n -i tap0 src "$rhost" and port "$rport" -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
echo "exit" | smbclient -L "$rhost" 1>/dev/null 2>/dev/null
sleep 0.5 && echo ""
```

You can also fire up Wireshark and list the target's shares with smbclient (the anonymous listing explained above), then look for the **Session Setup AndX Response** packet: that is where you will find the SMB version :)
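What smbver.sh greps for ("UnixSamba...") and what the Wireshark tip points at are the same thing: the NativeOS and NativeLanMan strings carried in the SMB1 Session Setup AndX Response. The following Python is an added example, not code from this page or from any tool it lists. It parses those strings out of a NetBIOS-framed response (ASCII and UTF-16 forms, with or without an extended-security blob) and pulls the Samba version out of NativeLanMan. The field layout follows MS-CIFS; `build_sample_response()` and every server string and blob below are constructed test data, not from a real capture. From a defensive angle, any host that answers this SMB1 command at all is still speaking SMB1, the dialect the Quick Intro flags as susceptible to known attacks, and the parsed strings give you the exact server version to record in an inventory.

```python
import re
import struct

# SMB1 constants used below (values from MS-CIFS).
SMB1_MAGIC = b"\xffSMB"
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_FLAGS_REPLY = 0x80          # Flags bit: this message is a server response
SMB_FLAGS2_UNICODE = 0x8000     # Flags2 bit: strings are UTF-16LE


def _read_cstring(buf, off, unicode):
    """Read a NUL-terminated string starting at buf[off]; return (text, next_off)."""
    if unicode:
        end = off
        while buf[end:end + 2] != b"\x00\x00":
            end += 2
            if end >= len(buf):
                raise ValueError("unterminated UTF-16 string")
        return buf[off:end].decode("utf-16-le"), end + 2
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("ascii", "replace"), end + 1


def parse_session_setup_response(frame):
    """Parse a NetBIOS-framed SMB1 Session Setup AndX Response and return the
    NativeOS / NativeLanMan / PrimaryDomain strings the server announced."""
    if len(frame) < 4 + 32 or frame[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    smb = frame[4:4 + int.from_bytes(frame[1:4], "big")]
    if smb[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 message (SMB2+ starts with 0xFE 'SMB')")
    command, flags = smb[4], smb[9]
    flags2 = struct.unpack_from("<H", smb, 10)[0]
    if command != SMB_COM_SESSION_SETUP_ANDX or not flags & SMB_FLAGS_REPLY:
        raise ValueError("not a Session Setup AndX response")
    unicode = bool(flags2 & SMB_FLAGS2_UNICODE)

    word_count = smb[32]                       # header is 32 bytes; WordCount follows
    params = smb[33:33 + 2 * word_count]
    byte_count_off = 33 + 2 * word_count
    byte_count = struct.unpack_from("<H", smb, byte_count_off)[0]
    off = byte_count_off + 2                   # start of the data block
    data_end = off + byte_count

    if word_count == 4:                        # extended security: a GSS blob precedes the strings
        off += struct.unpack_from("<H", params, 6)[0]
    elif word_count != 3:
        raise ValueError("unexpected WordCount %d" % word_count)
    if unicode and off % 2:                    # UTF-16 strings are padded to a 16-bit boundary
        off += 1

    native_os, off = _read_cstring(smb, off, unicode)
    native_lanman, off = _read_cstring(smb, off, unicode)
    primary_domain = ""
    if off < data_end:                         # only present in the non-extended form
        primary_domain, off = _read_cstring(smb, off, unicode)
    return {"native_os": native_os, "native_lanman": native_lanman,
            "primary_domain": primary_domain, "unicode": unicode}


def samba_version(native_lanman):
    """Return the Samba version as a tuple, e.g. (4, 13, 17), or None for non-Samba servers."""
    m = re.match(r"Samba (\d+)\.(\d+)(?:\.(\d+))?", native_lanman)
    if not m:
        return None
    return tuple(int(x) for x in m.groups() if x is not None)


def build_sample_response(native_os, native_lanman, domain="", unicode=True, security_blob=None):
    """Construct a Session Setup AndX Response frame (test data, not a real capture)."""
    header = (SMB1_MAGIC + bytes([SMB_COM_SESSION_SETUP_ANDX]) + b"\x00" * 4
              + bytes([SMB_FLAGS_REPLY]) + struct.pack("<H", SMB_FLAGS2_UNICODE if unicode else 0)
              + b"\x00" * 20)                  # PIDHigh, SecurityFeatures, Reserved, TID, PID, UID, MID
    if security_blob is None:                  # WordCount 3: AndXCommand, AndXReserved, AndXOffset, Action
        words = bytes([3, 0xFF, 0x00]) + struct.pack("<HH", 0, 0)
        body = b""
    else:                                      # WordCount 4 adds SecurityBlobLength
        words = bytes([4, 0xFF, 0x00]) + struct.pack("<HHH", 0, 0, len(security_blob))
        body = security_blob
    enc = (lambda s: s.encode("utf-16-le") + b"\x00\x00") if unicode else (lambda s: s.encode("ascii") + b"\x00")
    str_off = 32 + len(words) + 2 + len(body)  # where NativeOS would start without padding
    pad = b"\x00" if unicode and str_off % 2 else b""
    strings = enc(native_os) + enc(native_lanman) + (enc(domain) if security_blob is None else b"")
    data = body + pad + strings
    smb = header + words + struct.pack("<H", len(data)) + data
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    frame = build_sample_response("Unix", "Samba 4.13.17-Ubuntu", "WORKGROUP")
    info = parse_session_setup_response(frame)
    print(info, samba_version(info["native_lanman"]))
```

Feed `parse_session_setup_response()` the TCP payload of the response packet (the NetBIOS session message on port 139 or 445) exported from Wireshark, or run the file as-is to see it work on the constructed frame.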

## smbenum.sh <a href="#smbenum.sh" id="smbenum.sh"></a>

```
#!/bin/bash
# smbenum 0.2 - This script will enumerate SMB using every tool in the arsenal
# SECFORCE - Antonio Quina
# All credits to Bernardo Damele A. G. <bernardo.damele@gmail.com> for the ms08-067_check.py script

IFACE="eth0"

if [ $# -eq 0 ]
    then
        echo "Usage: $0 <IP>"
        echo "eg: $0 10.10.10.10"
        exit
    else
        IP="$1"
fi

echo -e "\n########## Getting Netbios name ##########"
nbtscan -v -h $IP

echo -e "\n########## Checking for NULL sessions ##########"
output=$(echo 'srvinfo' | rpcclient "$IP" -U%)
echo "$output"

echo -e "\n########## Enumerating domains ##########"
bash -c "echo 'enumdomains' | rpcclient $IP -U%"

echo -e "\n########## Enumerating password and lockout policies ##########"
polenum $IP

echo -e "\n########## Enumerating users ##########"
nmap -Pn -T4 -sS -p139,445 --script=smb-enum-users $IP
bash -c "echo 'enumdomusers' | rpcclient $IP -U%"
bash -c "echo 'enumdomusers' | rpcclient $IP -U%" | cut -d[ -f2 | cut -d] -f1 > /tmp/$IP-users.txt

echo -e "\n########## Enumerating Administrators ##########"
net rpc group members "Administrators" -I $IP -U%

echo -e "\n########## Enumerating Domain Admins ##########"
net rpc group members "Domain Admins" -I $IP -U%

echo -e "\n########## Enumerating groups ##########"
nmap -Pn -T4 -sS -p139,445 --script=smb-enum-groups $IP

echo -e "\n########## Enumerating shares ##########"
nmap -Pn -T4 -sS -p139,445 --script=smb-enum-shares $IP

echo -e "\n########## Bruteforcing all users with 'password', blank and username as password"
hydra -e ns -L /tmp/$IP-users.txt -p password $IP smb -t 1
rm /tmp/$IP-users.txt
```
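The rpcclient section above lists enumdomusers and srvinfo, and smbenum.sh extracts usernames from enumdomusers with two `cut` calls and treats any srvinfo output as a working null session. The following Python is an added example of mine, not part of this page or of the SECFORCE script: it parses the same rpcclient output with a regex, maps well-known RIDs so a reviewer can spot built-in accounts (a renamed Administrator still carries RID 500), and only reports a null session as open when rpcclient returned server information rather than an NT_STATUS error. All sample output below is constructed, and the NT_STATUS check assumes rpcclient's usual "result was NT_STATUS_..." error format.

```python
import re

# Well-known RIDs (MS-DTYP / MS-SAMR) worth recognising in an enumdomusers listing.
WELL_KNOWN_RIDS = {
    500: "built-in Administrator",
    501: "built-in Guest",
    502: "krbtgt (Kerberos service account)",
}

# One line of `rpcclient> enumdomusers` output, e.g.  user:[jsmith] rid:[0x44f]
USER_LINE = re.compile(r"^user:\[(?P<name>[^\]]*)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]$")

# Constructed sample output (not from a real host).
SAMPLE_ENUMDOMUSERS = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[jsmith] rid:[0x44f]
user:[svc_backup] rid:[0x450]
"""

# Constructed samples of a successful and a refused `srvinfo` call.
SAMPLE_SRVINFO_OK = "\tFILESRV01      Wk Sv PrQ Unx NT SNT Samba 4.13.17-Ubuntu\n\tplatform_id     :\t500\n"
SAMPLE_SRVINFO_DENIED = "result was NT_STATUS_ACCESS_DENIED\n"


def parse_enumdomusers(text):
    """Return [(username, rid_as_int), ...] for every well-formed user line."""
    users = []
    for line in text.splitlines():
        m = USER_LINE.match(line.strip())
        if m:
            users.append((m.group("name"), int(m.group("rid"), 16)))
    return users


def usernames(users):
    """The plain name list, i.e. what the cut pipeline in smbenum.sh writes to /tmp."""
    return [name for name, _ in users]


def review_accounts(users):
    """Flag built-in accounts by RID; the name alone is not reliable because built-ins can be renamed."""
    findings = []
    for name, rid in users:
        if rid == 500 and name.lower() != "administrator":
            findings.append((name, rid, "built-in Administrator renamed to %r" % name))
        elif rid in WELL_KNOWN_RIDS:
            findings.append((name, rid, WELL_KNOWN_RIDS[rid]))
    return findings


def null_session_allowed(srvinfo_output):
    """True only if rpcclient returned server info rather than an NT_STATUS error.
    smbenum.sh just echoes the output, so an error string would also look 'non-empty'."""
    text = srvinfo_output.strip()
    return bool(text) and "NT_STATUS_" not in text


if __name__ == "__main__":
    users = parse_enumdomusers(SAMPLE_ENUMDOMUSERS)
    print(usernames(users))
    for finding in review_accounts(users):
        print(finding)
    print("null session:", null_session_allowed(SAMPLE_SRVINFO_OK), null_session_allowed(SAMPLE_SRVINFO_DENIED))
```

Pipe saved rpcclient output into `parse_enumdomusers()`; the constructed samples show the line shape the regex expects.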

## Brute Force SMB <a href="#brute-force-smb" id="brute-force-smb"></a>

```
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt $ip smb

nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt $ip  -vvvv
```
