Service Enumeration - SMB
Rikunj Sindhwad
Senior Consultant @E&Y | Red & Purple Team | SecOps | Automation | Instructor | OSEP | OSWE | OSCP
Introduction
SMB (Server Message Block) is a protocol used for sharing files, printers, and other resources over a network, particularly in Windows environments. In this article, we will explore SMB enumeration techniques, focusing on null sessions and guest sessions, and how these vulnerabilities can expose sensitive information. SMB is a critical protocol for network services, and improper configurations can lead to severe security issues. Understanding how to enumerate SMB services effectively is crucial for penetration testers and network security professionals.
Understanding SMB and Its Ports
SMB operates primarily over port 445. In older configurations, it also uses ports 137, 138, and 139 for NetBIOS-related services. SMB allows file and printer sharing across the network. Two services that are frequently encountered when dealing with SMB are LanMan Server (Windows) and Samba (Linux), both of which enable these network functionalities.
Key Ports:
445/TCP - SMB directly over TCP (the modern default)
139/TCP - SMB over the NetBIOS session service (legacy)
137/UDP - NetBIOS name service
138/UDP - NetBIOS datagram service
Null and Guest Sessions
Null Session: A null session is an unauthenticated SMB session. This type of session allows access without providing any credentials (no username or password). It's often used by attackers to enumerate resources on the network, such as shared folders and permissions.
Guest Session: A guest session, on the other hand, requires a username, but no password. This provides limited access to shared resources, often with read-only privileges.
SMB Enumeration Tools
SMBMap:
smbmap -H <target_ip>
SMBClient:
smbclient -L <target_ip> -U guest -N   # -N: send an empty password instead of prompting (guest session)
Impacket SMBClient:
python3 smbclient.py <target_ip>   # no user given: null session; for a guest session use guest@<target_ip> -no-pass
Nmap:
nmap --script smb-enum-shares -p445 <target_ip>
Exploiting Insecure ACLs
Access Control Lists (ACLs) on SMB shares determine who can read, write, and execute files within those shares. Misconfigured ACLs that allow both read and write access can be exploited by attackers to upload malicious files or gain further access.
For example, from an smbclient session connected to a writable share, an attacker could upload a script or malware using:
put malicious_file
Once uploaded, if the file is executed, it can provide the attacker with remote access or escalate privileges.
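The misconfiguration described above is usually visible in the server's own configuration before any share is ever listed from the network. The following Python script is an added example (not part of this article and not a Samba or smbmap tool): it parses an smb.conf and reports the settings that create null/guest access and guest-writable shares. Both configuration texts are constructed for illustration; the first shows the weak settings, the second the corrected ones.

```python
import configparser
from dataclasses import dataclass

# Constructed sample smb.conf (not a real host): anonymous IPC$ access allowed,
# failed logons mapped to guest, and a share that is both guest-accessible and writable.
WEAK_SMB_CONF = """
[global]
workgroup = WORKGROUP
map to guest = Bad User
restrict anonymous = 0

[public]
path = /srv/samba/public
guest ok = yes
read only = no

[reports]
path = /srv/samba/reports
guest ok = no
read only = yes
valid users = @finance
"""

# Constructed hardened counterpart: no guest mapping, anonymous access restricted,
# share limited to authenticated users and read-only.
HARDENED_SMB_CONF = """
[global]
workgroup = WORKGROUP
map to guest = Never
restrict anonymous = 2

[public]
path = /srv/samba/public
guest ok = no
read only = yes
valid users = @staff
"""

TRUE_VALUES = {"yes", "true", "1"}


@dataclass
class Finding:
    share: str
    issue: str


def parse_smb_conf(text):
    # smb.conf is INI-like, so configparser handles it; interpolation=None keeps
    # Samba's %U-style substitutions from being treated as Python interpolation.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def is_true(value, default="no"):
    return (value or default).strip().lower() in TRUE_VALUES


def audit_smb_conf(text):
    """Return a list of Findings for settings that enable null/guest access or writable guest shares."""
    cp = parse_smb_conf(text)
    findings = []
    g = cp["global"] if cp.has_section("global") else {}

    # Global settings (Samba defaults: map to guest = Never, restrict anonymous = 0).
    if g.get("map to guest", "Never").strip().lower() != "never":
        findings.append(Finding("global", "map to guest is not 'Never': failed logons become guest sessions"))
    if g.get("restrict anonymous", "0").strip() == "0":
        findings.append(Finding("global", "restrict anonymous = 0: anonymous IPC$ access (null session) allowed"))

    for share in cp.sections():
        if share == "global":
            continue
        s = cp[share]
        guest = is_true(s.get("guest ok") or s.get("public"))
        # Samba defaults to read only = yes; writable/writeable = yes inverts that.
        writable = is_true(s.get("writable") or s.get("writeable")) or not is_true(s.get("read only"), "yes")
        if guest and writable:
            findings.append(Finding(share, "guest-accessible AND writable: anyone can upload files"))
        elif guest:
            findings.append(Finding(share, "guest-accessible (read): contents enumerable without credentials"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"== {label} ==")
        for f in audit_smb_conf(conf):
            print(f"  [{f.share}] {f.issue}")
```

On the Windows side the equivalent switches are the LanmanServer `RestrictNullSessAccess` and the LSA `RestrictAnonymous` settings, and share ACLs are reviewed per share rather than in a single file; the audit idea is the same: find any share that is reachable without credentials and writable.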
BruteForce Users with Hydra
Hydra is a popular tool for performing brute-force attacks on login credentials. Using Hydra, you can try multiple username and password combinations to gain access to SMB services.
Example command:
hydra -L <username_list> -P <password_list> smb://<target_ip>   # -L/-P take wordlists; lowercase -l/-p take a single username/password
Hydra will try each username and password combination until valid credentials are found, allowing further access to the SMB service.
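Both the null/guest sessions described earlier and a Hydra-style password spray leave a recognisable trail in the Windows Security log: a null session appears as event 4624 (logon type 3) for ANONYMOUS LOGON, a guest session as the same event for the Guest account, and brute forcing as a burst of 4625 failures from one source address, often followed by a 4624 from that address once a password hits. The script below is an added detection example (not part of this article); the events are constructed JSON lines that reuse the EventData field names of 4624/4625 (TargetUserName, LogonType, IpAddress), and the threshold and window values are assumptions to be tuned to the environment.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not a real capture). 10.0.0.50 opens a null session,
# then a guest session, then fails six logons in six seconds and finally succeeds as "grace".
# 10.0.0.7 is a normal user with one typo, which must not alert.
SAMPLE_EVENTS = """
{"EventID": 4624, "TimeCreated": "2024-05-01T10:00:01", "TargetUserName": "ANONYMOUS LOGON", "LogonType": 3, "IpAddress": "10.0.0.50"}
{"EventID": 4624, "TimeCreated": "2024-05-01T10:00:05", "TargetUserName": "Guest", "LogonType": 3, "IpAddress": "10.0.0.50"}
{"EventID": 4624, "TimeCreated": "2024-05-01T10:01:00", "TargetUserName": "alice", "LogonType": 3, "IpAddress": "10.0.0.7"}
{"EventID": 4625, "TimeCreated": "2024-05-01T10:02:00", "TargetUserName": "bob", "LogonType": 3, "IpAddress": "10.0.0.50"}
{"EventID": 4625, "TimeCreated": "2024-05-01T10:02:01", "TargetUserName": "carol", "LogonType": 3, "IpAddress": "10.0.0.50"}
{"EventID": 4625, "TimeCreated": "2024-05-01T10:02:02", "TargetUserName": "dave", "LogonType": 3, "IpAddress": "10.0.0.50"}
{"EventID": 4625, "TimeCreated": "2024-05-01T10:02:03", "TargetUserName": "erin", "LogonType": 3, "IpAddress": "10.0.0.50"}
{"EventID": 4625, "TimeCreated": "2024-05-01T10:02:04", "TargetUserName": "frank", "LogonType": 3, "IpAddress": "10.0.0.50"}
{"EventID": 4625, "TimeCreated": "2024-05-01T10:02:05", "TargetUserName": "grace", "LogonType": 3, "IpAddress": "10.0.0.50"}
{"EventID": 4624, "TimeCreated": "2024-05-01T10:02:06", "TargetUserName": "grace", "LogonType": 3, "IpAddress": "10.0.0.50"}
{"EventID": 4625, "TimeCreated": "2024-05-01T10:30:00", "TargetUserName": "alice", "LogonType": 3, "IpAddress": "10.0.0.7"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with TimeCreated as datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["TimeCreated"] = datetime.fromisoformat(e["TimeCreated"])
        events.append(e)
    return sorted(events, key=lambda e: e["TimeCreated"])


def _prune(q, now, window):
    # Drop failure timestamps that fell out of the sliding window.
    while q and now - q[0] > window:
        q.popleft()


def detect(events, threshold=5, window=timedelta(seconds=60)):
    """Return (kind, source_ip, detail) alerts for null/guest sessions and brute-force bursts."""
    alerts = []
    failures = defaultdict(deque)  # IpAddress -> timestamps of recent 4625 events
    for e in events:
        ip, user, ts = e["IpAddress"], e["TargetUserName"], e["TimeCreated"]
        if e["EventID"] == 4624 and e["LogonType"] == 3:
            _prune(failures[ip], ts, window)
            if user.upper() == "ANONYMOUS LOGON":
                alerts.append(("null_session", ip, user))
            elif user.lower() == "guest":
                alerts.append(("guest_session", ip, user))
            elif len(failures[ip]) >= threshold:
                # A success right after a burst of failures: likely guessed credentials.
                alerts.append(("success_after_bruteforce", ip, user))
        elif e["EventID"] == 4625:
            q = failures[ip]
            q.append(ts)
            _prune(q, ts, window)
            if len(q) == threshold:  # fire once when the burst crosses the threshold
                alerts.append(("bruteforce", ip, f"{len(q)} failures within {int(window.total_seconds())}s"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{kind:26} {ip:12} {detail}")
```

Two caveats when running this on real logs: 4624/4625 only exist if "Audit Logon" is enabled, and some environments generate legitimate ANONYMOUS LOGON network logons (for example between domain controllers), so baseline those sources before alerting on them; the Guest rule only matters where the Guest account has not been disabled.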
Conclusion
SMB enumeration is an essential step in assessing the security of network services. Misconfigurations such as null sessions, guest sessions, and insecure ACLs can expose sensitive data and provide attackers with footholds in the network. Using tools like SMBMap, SMBClient, Impacket, and Hydra can help security professionals uncover these vulnerabilities and take action to secure SMB services.
Watch the video to learn more about the practical approach.