SMB (Server Message Block) hacking
SMB (Server Message Block) is a widely used protocol on Windows systems that offers various paths for vertical and lateral movement within a network. Samba allows Linux and Unix distributions to utilize the SMB protocol.
The SMB protocol enables the client to communicate with other participants in the same network to access files or services shared with it on the network. Both parties must establish a connection, which is why they first exchange corresponding messages. In IP networks, SMB uses TCP protocol for this purpose, which provides for a three-way handshake between client and server before a connection is finally established.
An SMB server can provide arbitrary parts of its local file system as shares. Therefore the hierarchy visible to a client is partially independent of the structure on the server. Access rights are defined by Access Control Lists (ACLs). The ACLs are defined based on the shares and therefore do not correspond to the rights assigned locally on the server.
Samba
Samba implements the Common Internet File System (CIFS) network protocol, which is a dialect of the Server Message Block (SMB) protocol originally created by Microsoft. This allows Samba to communicate effectively with newer Windows systems. When SMB commands are sent over Samba to an older NetBIOS service, connections typically occur over TCP ports (insert port numbers here). In contrast, CIFS operates exclusively over TCP port (insert port number here).
SMB Version | Supported | Features |
---|---|---|
CIFS | Windows NT 4.0 | Communication via NetBIOS interface |
SMB 1.0 | Windows 2000 | Direct connection via TCP |
SMB 2.0 | Windows Vista, Windows Server 2008 | Performance upgrades, improved message signing, caching feature |
SMB 2.1 | Windows 7, Windows Server 2008 R2 | Locking mechanisms |
SMB 3.0 | Windows 8, Windows Server 2012 | Multichannel connections, end-to-end encryption, remote storage access. Can be a full member of an Active Directory domain. |
SMB 3.0.2 | Windows 8.1, Windows Server 2012 R2 | |
SMB 3.1.1 | Windows 10, Windows Server 2016 | Integrity checking, AES-128 encryption |
smbd (SMB server daemon)
The “smbd” command is the main daemon responsible for managing file and printer sharing services on a network. It listens for requests from clients and facilitates the sharing of files and printers. The “smbd” process allows computers to share resources with other users on the network, including those using Windows or macOS machines. The Server Message Block (SMB) protocol primarily uses port 445 for file sharing over TCP/IP, although it also historically operated on port 139 with NetBIOS.
nmbd (NetBIOS message block daemon)
nmbd is an essential daemon that manages NetBIOS over TCP/IP (NBT) name resolution and network browsing, particularly for SMB/CIFS clients. Essentially, it enables computers to discover one another on a network, browse shared resources, and communicate using NetBIOS protocols. nmbd responds to name service requests, allowing Windows clients and others to convert NetBIOS names (such as computer names) into IP addresses. Additionally, nmbd can function as a WINS (Windows Internet Name Service) server, providing name-to-address mapping for older clients that may not support NBT. nmbd listens for name queries on UDP port 137.
NetBIOS
IBM developed a protocol for networking computers called the NetBIOS (Network Basic Input/Output System). The NetBIOS API provided a framework for applications to connect and share data with other computers. When a machine goes online, it needs a name, which is assigned through a process known as the naming procedure. Each host can either reserve its hostname on the network or utilize the NetBIOS Name Server (NBNS) for this purpose. The system has also been enhanced with the Windows Internet Name Service (WINS).
smbclient
A tool that can enumerate and interact with SMB shares is smbclient. The -L flag specifies that we want to retrieve a list of available shares on the remote host, while -N suppresses the password prompt.
smbclient -N -L \\10.129.42.253
This would connect as the guest user.
smbclient //10.129.42.253/users
Here we try to connect to the share using the user “bob”.
smbclient -U bob //10.129.42.253/users
smbclient supports ls too, for directory and file listing.
Connect to a share
smbclient //10.129.14.128/notes
Enter WORKGROUP\<username>'s password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> help
? allinfo altname archive backup
blocksize cancel case_sensitive cd chmod
chown close del deltree dir
du echo exit get getfacl
geteas hardlink help history iosize
lcd link lock lowercase ls
l mask md mget mkdir
more mput newer notify open
posix posix_encrypt posix_open posix_mkdir posix_rmdir
posix_unlink posix_whoami print prompt put
pwd q queue quit readlink
rd recurse reget rename reput
rm rmdir showacls setea setmode
scopy stat symlink tar tarmode
timeout translate unlock volume vuid
wdel logon listconnect showconnect tcon
tdis tid utimes logoff ..
!
smb: \> ls
. D 0 Wed Sep 22 18:17:51 2021
.. D 0 Wed Sep 22 12:03:59 2021
prep-prod.txt N 71 Sun Sep 19 15:45:21 2021
30313412 blocks of size 1024. 16480084 blocks available
Once we have discovered interesting files or folders, we can download them using the get command. Smbclient also allows us to execute local system commands using an exclamation mark at the beginning (!<cmd>) without interrupting the connection.
smb: \> get prep-prod.txt
getting file \prep-prod.txt of size 71 as prep-prod.txt (8,7 KiloBytes/sec)
(average 8,7 KiloBytes/sec)
smb: \> !ls
prep-prod.txt
smb: \> !cat prep-prod.txt
[] check your code with the templates
[] run code-assessment.py
[] …
smbstatus
You can check connections using smbstatus. With domain-level security, the Samba server acts as a member of a Windows domain. Each domain has at least one domain controller, usually a Windows NT server providing password authentication. This domain controller provides the workgroup with a definitive password server. The domain controllers keep track of users and passwords in their own NTDS.dit and Security Authentication Module (SAM) and authenticate each user when they log in for the first time and wish to access another machine's share.
smbstatus
Samba version 4.11.6-Ubuntu
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------------------------------------------------------------------------------
75691 sambauser samba 10.10.14.4 (ipv4:10.10.14.4:45564) SMB3_11 - -
Service pid Machine Connected at Encryption Signing
---------------------------------------------------------------------------------------------
notes 75691 10.10.14.4 Do Sep 23 00:12:06 2021 CEST - -
No locked files
nmap for SMB scanning
Note that nmap's SMB scripts can be very slow against some SMB services, so it is recommended that you also examine the SMB service manually.
In this scan, -sV denotes version detection and -sC is default script scan for the service.
sudo nmap 10.129.14.128 -sV -sC -p139,445
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-19 15:15 CEST
Nmap scan report for sharing.inlanefreight.htb (10.129.14.128)
Host is up (0.00024s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
MAC Address: 00:00:00:00:00:00 (VMware)
Host script results:
|_nbstat: NetBIOS name: HTB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-09-19T13:16:04
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.35 seconds
nmap can be used to scan SMB:
nmap --script smb-os-discovery.nse -p445 10.10.10.40
Conduct further enumeration:
nmap -A -p445 10.129.42.253
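The `smb2-security-mode` host script above reports "Message signing enabled but not required", which is the setting a defender would want to catch and fix. The following Python is an added example (not part of the original page, nmap, or Samba) that parses that script block out of plain nmap output and turns the signing posture into an audit finding. The sample texts are constructed from the page's own nmap run plus two made-up variants; the function names and the exact wording nmap uses for the other two postures are assumptions, so the classifier matches on the words "signing", "disabled" and "required" rather than on full strings.

```python
import re

# Constructed samples. The first is the smb2-security-mode block from the
# nmap run shown on this page; the other two are constructed variants for the
# postures that block can report on a stricter or weaker server.
NMAP_PAGE = """\
Host script results:
|_nbstat: NetBIOS name: HTB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-09-19T13:16:04
|_  start_date: N/A
"""
NMAP_REQUIRED = """\
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
"""
NMAP_DISABLED = """\
| smb2-security-mode:
|   2.02:
|_    Message signing disabled
"""


def signing_posture(nmap_text):
    """Return (dialect, posture) from nmap's smb2-security-mode output.

    posture is 'required', 'not_required', 'disabled', or None when the
    script block is missing; dialect is the SMB2 dialect nmap negotiated.
    """
    in_block, dialect = False, None
    for line in nmap_text.splitlines():
        body = line.lstrip("|_ ").strip()   # drop nmap's |, |_ and indentation
        if body.startswith("smb2-security-mode:"):
            in_block = True
            continue
        if not in_block:
            continue
        dm = re.fullmatch(r"(\d+(?:\.\d+)*):", body)
        if dm:                               # e.g. "2.02:" or "3.1.1:"
            dialect = dm.group(1)
            continue
        low = body.lower()
        if "signing" in low:
            if "disabled" in low:
                return dialect, "disabled"
            if "not required" in low:
                return dialect, "not_required"
            if "required" in low:
                return dialect, "required"
        if low.endswith(":"):                # next script name: block is over
            break
    return dialect, None


def signing_findings(nmap_text):
    """Map the posture to a one-line audit finding (empty list = nothing to fix)."""
    dialect, posture = signing_posture(nmap_text)
    if posture == "required":
        return []
    if posture is None:
        return ["smb2-security-mode output not found; re-run nmap with -sC "
                "or --script smb2-security-mode"]
    detail = ("signing disabled" if posture == "disabled"
              else "signing optional (enabled but not required)")
    return [f"SMB {dialect or '?'}: {detail}; require signing on the server "
            f"(Samba: 'server signing = mandatory' in smb.conf)"]


if __name__ == "__main__":
    for sample in (NMAP_PAGE, NMAP_REQUIRED, NMAP_DISABLED):
        print(signing_posture(sample), signing_findings(sample))
```

On the page's own output the result is ("2.02", "not_required"), which yields a single finding. Optional signing is what lets a relay or in-path modification of SMB traffic go unnoticed, so the remediation in the finding is to make signing mandatory: `server signing = mandatory` in Samba's smb.conf, or the "Digitally sign communications (always)" policy on Windows servers.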
SMB allows users and administrators to share folders and make them accessible remotely by other users.
RPCclient utility
rpcclient is a utility for executing MS-RPC functions against a remote host. Here we connect with an empty username:
rpcclient -U "" 10.129.14.128
Enter WORKGROUP\'s password:
rpcclient $>
Some functions include:
Query | Description |
---|---|
srvinfo | Server information. |
enumdomains | Enumerate all domains that are deployed in the network. |
querydominfo | Provides domain, server, and user information of deployed domains. |
netshareenumall | Enumerates all available shares. |
netsharegetinfo <share> | Provides information about a specific share. |
enumdomusers | Enumerates all domain users. |
queryuser <RID> | Provides information about a specific user. |
Here are examples of the commands.
rpcclient $> srvinfo
DEVSMB Wk Sv PrQ Unx NT SNT DEVSM
platform_id : 500
os version : 6.1
server type : 0x809a03
rpcclient $> enumdomains
name:[DEVSMB] idx:[0x0]
name:[Builtin] idx:[0x1]
rpcclient $> querydominfo
Domain: DEVOPS
Server: DEVSMB
Comment: DEVSM
Total Users: 2
Total Groups: 0
Total Aliases: 0
Sequence No: 1632361158
Force Logoff: -1
Domain Server State: 0x1
Server Role: ROLE_DOMAIN_PDC
Unknown 3: 0x1
rpcclient $> netshareenumall
netname: print$
remark: Printer Drivers
path: C:\var\lib\samba\printers
password:
netname: home
remark: INFREIGHT Samba
path: C:\home\
password:
netname: dev
remark: DEVenv
path: C:\home\sambauser\dev\
password:
netname: notes
remark: CheckIT
path: C:\mnt\notes\
password:
netname: IPC$
remark: IPC Service (DEVSM)
path: C:\tmp
password:
rpcclient $> netsharegetinfo notes
netname: notes
remark: CheckIT
path: C:\mnt\notes\
password:
type: 0x0
perms: 0
max_uses: -1
num_uses: 1
revision: 1
type: 0x8004: SEC_DESC_DACL_PRESENT SEC_DESC_SELF_RELATIVE
DACL
ACL Num ACEs: 1 revision: 2
---
ACE
type: ACCESS ALLOWED (0) flags: 0x00
Specific bits: 0x1ff
Permissions: 0x101f01ff: Generic all access SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS DELETE_ACCESS
SID: S-1-1-0
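The DACL printed by `netsharegetinfo` above has a single ACE granting 0x101f01ff (Generic all access) to SID S-1-1-0, which is the well-known "Everyone" SID, so every connecting principal gets full control at the share level. The Python below is an added example (not part of the original page, Samba, or rpcclient) that parses this share-info output into ACE records and flags any ACE that grants a write-class right to a broad principal. The first sample is the page's own output; the read-only variant, the function names and the set of "broad" SIDs are constructed assumptions. The access-mask bit values and well-known SIDs are the standard Windows ones.

```python
import re

# Constructed sample: the `netsharegetinfo notes` output shown on this page
# (a raw string, so the backslashes in the C:\ path are kept literally).
SHAREINFO_NOTES = r"""netname: notes
    remark:  CheckIT
    path:    C:\mnt\notes\
    password:
    type:    0x0
    perms:   0
    max_uses: -1
    num_uses: 1
    revision: 1
    type: 0x8004: SEC_DESC_DACL_PRESENT SEC_DESC_SELF_RELATIVE
    DACL
        ACL   Num ACEs: 1   revision: 2
        ---
        ACE
            type: ACCESS ALLOWED (0) flags: 0x00
            Specific bits: 0x1ff
            Permissions: 0x101f01ff: Generic all access SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS DELETE_ACCESS
            SID: S-1-1-0
"""

# Constructed variant: the same DACL tightened to read/execute for Everyone
# (mask 0x001200a9 = FILE_GENERIC_READ | FILE_EXECUTE, no write-class bits).
SHAREINFO_READONLY = """\
    DACL
        ACL   Num ACEs: 1   revision: 2
        ---
        ACE
            type: ACCESS ALLOWED (0) flags: 0x00
            Specific bits: 0xa9
            Permissions: 0x001200a9: READ_CONTROL_ACCESS SYNCHRONIZE_ACCESS
            SID: S-1-1-0
"""

# Standard Windows access-mask bits that let a principal change data or the ACL.
WRITE_BITS = {
    0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA",
    0x00010000: "DELETE",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x10000000: "GENERIC_ALL",
    0x40000000: "GENERIC_WRITE",
}

# Well-known SIDs that cover "anyone" rather than a specific group (assumed list).
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": "Anonymous Logon",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}


def parse_aces(text):
    """Return a list of {'allowed', 'mask', 'sid'} dicts from rpcclient share-info output."""
    aces, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "ACE":                      # start of one access-control entry
            cur = {"allowed": None, "mask": 0, "sid": None}
            aces.append(cur)
            continue
        if cur is None:                        # share-level 'type:' lines are skipped
            continue
        if line.startswith("type:"):
            cur["allowed"] = "ACCESS ALLOWED" in line
        elif line.startswith("Permissions:"):
            m = re.match(r"Permissions:\s*(0x[0-9a-fA-F]+)", line)
            if m:
                cur["mask"] = int(m.group(1), 16)
        elif line.startswith("SID:"):
            cur["sid"] = line.split(":", 1)[1].strip()
            cur = None                         # SID is the last field of an ACE here
    return aces


def write_rights(mask):
    """Names of the write-class bits set in an access mask, lowest bit first."""
    return [name for bit, name in sorted(WRITE_BITS.items()) if mask & bit]


def risky_aces(text):
    """(sid, label, rights) for every allow-ACE giving write rights to a broad principal."""
    findings = []
    for ace in parse_aces(text):
        if not ace["allowed"] or ace["sid"] not in BROAD_SIDS:
            continue
        rights = write_rights(ace["mask"])
        if rights:
            findings.append((ace["sid"], BROAD_SIDS[ace["sid"]], rights))
    return findings


if __name__ == "__main__":
    print(risky_aces(SHAREINFO_NOTES))      # one finding: Everyone has full control
    print(risky_aces(SHAREINFO_READONLY))   # []
```

The share ACL is evaluated together with the filesystem permissions, so an Everyone/full-control share ACE is only as safe as the underlying directory mode. On Samba the share-level ACL can be restricted with `sharesec`, or the same effect reached with the `valid users`, `read only` and `write list` parameters in smb.conf.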
Once you find a username, you can query information about them using rpcclient.
rpcclient $> enumdomusers
user:[mrb3n] rid:[0x3e8]
user:[cry0l1t3] rid:[0x3e9]
rpcclient $> queryuser 0x3e9
User Name : cry0l1t3
Full Name : cry0l1t3
Home Drive : \\devsmb\cry0l1t3
Dir Drive :
Profile Path: \\devsmb\cry0l1t3\profile
Logon Script:
Description :
Workstations:
Comment :
Remote Dial :
Logon Time : Do, 01 Jan 1970 01:00:00 CET
Logoff Time : Mi, 06 Feb 2036 16:06:39 CET
Kickoff Time : Mi, 06 Feb 2036 16:06:39 CET
Password last set Time : Mi, 22 Sep 2021 17:50:56 CEST
Password can change Time : Mi, 22 Sep 2021 17:50:56 CEST
Password must change Time: Do, 14 Sep 30828 04:48:05 CEST
unknown_2[0..31]...
user_rid : 0x3e9
group_rid: 0x201
acb_info : 0x00000014
fields_present: 0x00ffffff
logon_divs: 168
bad_password_count: 0x00000000
logon_count: 0x00000000
padding1[0..7]...
logon_hrs[0..21]...
Notice the group_rid in the query above. Now you can query group information using that id.
rpcclient $> querygroup 0x201
Group Name: None
Description: Ordinary Users
Group Attribute:7
Num Members:2
Here is a script that uses an rpcclient loop to enumerate users by RID.
for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
User Name : sambauser
user_rid : 0x1f5
group_rid: 0x201
User Name : mrb3n
user_rid : 0x3e8
group_rid: 0x201
User Name : cry0l1t3
user_rid : 0x3e9
group_rid: 0x201
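The loop above prints only the three grep-selected fields per RID, with hex RIDs that are awkward to read in bulk. The Python below is an added example (not part of the original page, Samba, or rpcclient) that parses that output into records, converts the RIDs to decimal and labels the well-known ones, and groups users by their primary group RID. The sample text is the page's own loop output; the function names are assumptions, and the well-known RID table is the standard Windows one.

```python
# Constructed sample: the output of the rpcclient RID sweep shown on this page.
RID_SWEEP_OUTPUT = """\
    User Name   :   sambauser
    user_rid :  0x1f5
    group_rid:  0x201

    User Name   :   mrb3n
    user_rid :  0x3e8
    group_rid:  0x201

    User Name   :   cry0l1t3
    user_rid :  0x3e9
    group_rid:  0x201
"""

# Standard well-known relative identifiers (decimal).
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers",
}


def rid_label(rid):
    """Well-known name for a RID, or None for an ordinary allocated RID."""
    return WELL_KNOWN_RIDS.get(rid)


def parse_rid_sweep(text):
    """Parse 'User Name / user_rid / group_rid' triples into dicts with decimal RIDs."""
    users, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user name":                 # a new record starts here
            cur = {"name": value}
            users.append(cur)
        elif key in ("user_rid", "group_rid") and cur is not None:
            cur[key] = int(value, 16)          # rpcclient prints RIDs as hex
    return users


def group_members(users):
    """Map each primary-group RID to the names of the users that carry it."""
    groups = {}
    for u in users:
        groups.setdefault(u.get("group_rid"), []).append(u["name"])
    return groups


def describe(users):
    """One readable line per user, with well-known RIDs annotated."""
    lines = []
    for u in users:
        ulabel = rid_label(u["user_rid"])
        glabel = rid_label(u.get("group_rid"))
        lines.append(
            f"{u['name']}: rid={u['user_rid']}"
            + (f" ({ulabel})" if ulabel else "")
            + f" group={u.get('group_rid')}"
            + (f" ({glabel})" if glabel else "")
        )
    return lines


if __name__ == "__main__":
    print("\n".join(describe(parse_rid_sweep(RID_SWEEP_OUTPUT))))
```

On the page's output this shows that all three users share group RID 513 (Domain Users), and that `sambauser` carries RID 501, the well-known Guest RID, which is worth knowing when deciding how much an anonymous session on this host can see. Note that the sweep itself issues one rpcclient connection per RID, so a 600-RID range is visible as a burst of several hundred SAMR queries from one client in the server's logs.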
Other SMB utilities
An alternative to this would be a Python script from Impacket called samrdump.py. The SMBMap and CrackMapExec tools are also widely used and helpful for the enumeration of SMB services.
enum4linux-ng
enum4linux-ng automates many of the queries, but not all, and can return a large amount of information. Install it like this:
brianhaddock@htb[/htb]$ git clone https://github.com/cddmp/enum4linux-ng.git
brianhaddock@htb[/htb]$ cd enum4linux-ng
brianhaddock@htb[/htb]$ pip3 install -r requirements.txt
Then run it like this:
./enum4linux-ng.py 10.129.14.128 -A