Service Enumeration - SMB

Introduction

SMB (Server Message Block) is a protocol used for sharing files, printers, and other resources over a network, particularly in Windows environments. In this article, we will explore SMB enumeration techniques, focusing on null sessions and guest sessions, and how these vulnerabilities can expose sensitive information. SMB is a critical protocol for network services, and improper configurations can lead to severe security issues. Understanding how to enumerate SMB services effectively is crucial for penetration testers and network security professionals.

Understanding SMB and Its Ports

SMB operates primarily over port 445. In older configurations, it also uses ports 137, 138, and 139 for NetBIOS-related services. SMB allows file and printer sharing across the network. Two services that are frequently encountered when dealing with SMB are LanMan Server (Windows) and Samba (Linux), both of which enable these network functionalities.

Key Ports:

• Port 445: Main port used for SMB.
• Ports 137-139: Used for older NetBIOS services.

Null and Guest Sessions

Null Session: A null session is an unauthenticated SMB session. This type of session allows access without providing any credentials (no username or password). It's often used by attackers to enumerate resources on the network, such as shared folders and permissions.

Guest Session: A guest session, on the other hand, requires a username, but no password. This provides limited access to shared resources, often with read-only privileges.

SMB Enumeration Tools

SMBMap:

• SMBMap is a tool designed to enumerate SMB shares. It provides details about shared folders, including their permissions, making it useful for identifying potential weaknesses.
• Example usage for null session:

smbmap -H <target_ip>        

SMBClient:

• A built-in tool in many Linux distributions, SMBClient allows you to interact with SMB shares directly from the terminal.
• Example usage for guest session:

smbclient -L <target_ip> -U guest        

Impacket SMBClient:

• Impacket's SMBClient, written in Python, offers similar functionality to the standard SMBClient but with added flexibility. It allows for null sessions by default and includes options for advanced operations like dumping credentials and executing commands.
• Example:

python3 smbclient.py <target_ip>        

Nmap:

• Nmap is a versatile network scanner that also includes NSE scripts for SMB enumeration. These scripts can discover shares, check for anonymous access, and gather detailed information about the target's SMB configuration.
• Example command for enumerating shares:

nmap --script smb-enum-shares -p445 <target_ip>        

Exploiting Insecure ACLs

Access Control Lists (ACLs) on SMB shares determine who can read, write, and execute files within those shares. Misconfigured ACLs that allow both read and write access can be exploited by attackers to upload malicious files or gain further access.

For example, an attacker could upload a script or malware to a writable share using:

put malicious_file        

Once uploaded, if the file is executed, it can provide the attacker with remote access or escalate privileges.

BruteForce Users with Hydra

Hydra is a popular tool for performing brute-force attacks on login credentials. Using Hydra, you can try multiple username and password combinations to gain access to SMB services.

Example command:

hydra -l <username_list> -P <password_list> smb://<target_ip>        

Hydra will try each username and password combination until valid credentials are found, allowing further access to the SMB service.

Conclusion

SMB enumeration is an essential step in assessing the security of network services. Misconfigurations such as null sessions, guest sessions, and insecure ACLs can expose sensitive data and provide attackers with footholds in the network. Using tools like SMBMap, SMBClient, Impacket, and Hydra can help security professionals uncover these vulnerabilities and take action to secure SMB services.

Watch video to know more about practical approach