SMB

The SMB service can be enumerated for user accounts and for important files that may have been left unattended in one of its shares. Being able to enumerate an SMB service thoroughly, gathering as much information as possible, is therefore important.

There are multiple protocol versions (dialects) within SMB, with SMB 2.0 the most widely used and SMB 3.0 the latest entrant. CIFS is an early dialect of SMB and is no longer used because of the complexity of maintaining it and the security issues that come with it.

NMAP Scripts

Nmap scripts can be used to gather various pieces of information from an SMB service and to scan it for vulnerabilities. A simple enumeration of the shares can be done using the following command,

nmap --script /usr/share/nmap/scripts/smb-enum-shares.nse 10.11.1.231

In the Kali operating system various scripts for enumerating and vulnerability scanning can be found under the path "/usr/share/nmap/scripts/".

Enum4linux

Enum4linux is another SMB enumeration tool that can be used to gather information about the service. An all-encompassing scan can be done using the following command,

enum4linux -a 192.168.1.10

The "-a" flag will run all the tests with the SMB service and list all information collected.

-U - This flag lists the users on the server

-S - This flag lists all the shares on the server

-P - This flag displays the password policy

-o - This flag gives information about the operating system

-l - This flag provides limited information about the LDAP service on the system

-i - This flag displays any printer information that may be available

-n - This flag lists the NetBIOS information on the server

SMBClient

SMBClient can be used for interacting with the shares on the SMB server.

smbclient -L //192.168.1.10/
smbclient -L //192.168.1.10/ -U '' -N    # no username and null password
smbclient --no-pass -L 192.168.1.10
smbclient -L //192.168.1.10/ -U 'domain\user%password'    # -p is the port option; the password goes after % in -U
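To turn the smbclient -L listings above into a repeatable check, here is an added example that is not part of the original page: a POSIX shell parser for the share table smbclient prints, plus a wrapper that feeds it a null-session listing so an administrator can see which Disk shares a host lists to anonymous clients. The sample listing and the function names are constructed for this example; the wrapper assumes smbclient is installed.

```sh
#!/bin/sh
# Added example (not from the original page): parse the share table printed by
# `smbclient -L` and report the shares of type Disk. Combined with -N (null
# session, as used on the page) it shows which shares a host lists anonymously.

# Print the names of shares of type "Disk" from smbclient -L output on stdin.
disk_shares() {
    awk '
        # table header: "Sharename  Type  Comment"
        /Sharename[[:space:]]+Type/ { in_table = 1; next }
        # the dashed underline row directly below the header
        in_table && /^[[:space:]]*-+[[:space:]]+-+/ { next }
        # the table ends at a blank line or at the first unindented line
        in_table && (NF == 0 || $0 !~ /^[[:space:]]/) { in_table = 0 }
        in_table && $2 == "Disk" { print $1 }
    '
}

# Null-session listing of one host (hypothetical helper name), reduced to its
# Disk shares. Assumes smbclient is installed; stderr chatter is discarded.
null_session_disk_shares() {
    smbclient -N -L "//$1" 2>/dev/null | disk_shares
}

# Constructed sample of smbclient -L output so the parser can be run offline.
SAMPLE_LISTING='
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        home            Disk      Home Directories
        IPC$            IPC       IPC Service (Samba 4.x)
SMB1 disabled -- no workgroup available'

# Stand-alone run: prints "print$" and "home", one per line.
printf '%s\n' "$SAMPLE_LISTING" | disk_shares
```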

The following command can be used to access the available folders and files,

smbclient //192.168.1.10/home

Once in the smbclient prompt, files can be downloaded and uploaded, permissions changed, etc. The following command downloads a file,

get <remote filename> <local filename>

When accessing Windows shares, backslashes "\" are used as the path separator, and when such a path is typed in a Linux shell each "\" has to be escaped with another "\". So the command may look like,

smbclient \\\\192.168.1.10\\home

SMBMAP

Another tool for accessing an SMB share,

smbmap -H 192.168.1.10
smbmap -H 192.168.1.10 -u '' -p ''
smbmap -H 192.168.1.10 -s share_name    # access a share

Crackmapexec

Crackmapexec is an enumeration tool for various services; against an SMB service it can be used to list the shared folders and to validate whether a username and password combination is valid.

crackmapexec smb 192.168.1.10 -u '' -p '' --shares    # the same can be tried with usernames and passwords
crackmapexec smb 192.168.1.10 -u '' -p '' --share share_name
crackmapexec smb 192.168.1.10 -u '' -p '' --shares --pass-pol

Mount SMB Share

Besides browsing the files on the server, the share can also be mounted on the local machine so that the files can be browsed much like an NFS mount.

The following command can be used to mount the share on your local machine,

sudo mount -t cifs //10.1.1.68/IPC /mount/smb -o guest
sudo mount -t cifs //10.1.1.68/IPC /mount/smb -o username='test'

-t - This option indicates the type of filesystem. Supported filesystems usually include ext2, ext3, ext4, xfs, btrfs, vfat, sysfs, proc, nfs and cifs (the one most commonly used for SMB shares).
