Definition

Server Message Block (SMB) is a protocol for sharing files, printers and other resources over a network. It generally listens on TCP ports 445 and 139. It is natively included in Windows; on Linux, a Samba server must be installed first, as Linux does not provide this protocol by default.

SMB enumeration

SMB enumeration aims to discover the shares available on the network, the access permissions on each share, and the users and groups present on the machine.
These shares can sometimes contain sensitive data such as passwords and user information that can help us compromise a user's account.

Enumeration with nmap

  1. Identify SMB hosts with Nmap:
    nmap --open -p 139,445 <Network_range>

  2. Identify the SMB versions (dialects) a host supports:
    nmap --script smb-protocols -p 445,139 <IP_Machine>

  3. Check for known vulnerabilities with the smb-vuln scripts (the pattern is quoted so the shell does not expand the wildcard):
    nmap --script "smb-vuln*" -p 445,139 <IP_Machine>
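As an added example that is not part of the original page: once step 1 has been run with grepable output (-oG), that output can be filtered so that only hosts with 445/tcp open are handed to the per-host scripts of steps 2 and 3. The scan output below is a constructed sample; nmap itself is not invoked.

```shell
#!/bin/sh
# Added example, not from the original page: extract hosts with TCP 445 open
# from nmap's grepable (-oG) output so the host list from step 1 can feed the
# per-host scripts of steps 2 and 3. The scan output is a constructed sample.

# Read grepable output on stdin, print the IP of every host whose 445/tcp is
# reported open, one per line. In -oG output the second whitespace-separated
# field of a "Host:" line is the address.
smb_hosts_from_grepable() {
    awk '/Ports:/ && /445\/open\/tcp/ { print $2 }'
}

# Constructed sample of "nmap --open -p 139,445 -oG - 10.0.0.0/28" output
# (one host without 445 open is included to show it is filtered out).
SAMPLE_SCAN='# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.0.5 ()  Status: Up
Host: 10.0.0.5 ()  Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 10.0.0.7 ()  Status: Up
Host: 10.0.0.7 ()  Ports: 139/open/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///
Host: 10.0.0.9 ()  Status: Up
Host: 10.0.0.9 ()  Ports: 139/closed/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
# Nmap done at (constructed sample)'

# Host list for the sample above, so the filter can be checked offline.
sample_smb_hosts() {
    printf '%s\n' "$SAMPLE_SCAN" | smb_hosts_from_grepable
}

# Real use on a network you are authorised to test:
#   nmap --open -p 139,445 -oG - <Network_range> | smb_hosts_from_grepable |
#     while read -r host; do nmap --script smb-protocols -p 445,139 "$host"; done
sample_smb_hosts
```

The filter keys on the `445/open/tcp` token rather than on the port number alone, so a host where 445 is reported filtered or closed (10.0.0.7 in the sample) is dropped even though the line mentions the port.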

Enumeration from Windows/Linux

From Windows

  • net view: lists the shares available on a host
    net view <IP>

  • PowerShell: allows more advanced enumeration of shares; the remote host is given as a CIM session
    Get-SmbShare -CimSession <IP>

From Linux

  • smbclient: allows you to interact with an SMB share; -L lists the shares on a host
    smbclient -L //<IP>

  • NetExec: enumeration and attack tool for various protocols, used during intrusion testing in Active Directory environments.
    nxc smb <IP> --shares

In an AD environment, SMB shares require credentials, which are passed on the command line when the tool is launched:
nxc smb <IP> --shares -u user -p password -d domain

In some cases guest access is enabled, so it is worth testing the guest account at the start of an intrusion test:
nxc smb <IP> --shares -u guest -p guest

If the server allows it, the shares can also be listed anonymously (a null session):
nxc smb <IP> --shares -u '' -p ''

  • enum4linux: enumerates users, groups and shares over SMB; -a runs all of its basic enumeration modules.
    enum4linux <IP> -a

Secure SMB

  • Set the right permissions for each group and user.
  • Use recent SMB versions (SMBv3, or at least SMBv2) with encryption enabled to protect communications.
  • Use ACLs (Access Control Lists) and monitor logs to detect suspicious access.
  • Enable and enforce SMB signing to guarantee the integrity of transmitted data.
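As an added example that is not part of the original page, the following script audits a Samba smb.conf on the Linux side for the points in this list: SMB1 refused through the minimum protocol, signing mandatory, encryption required, and guest or anonymous access turned off. Both configuration files are constructed samples; the option names (server min protocol, server signing, smb encrypt, map to guest, restrict anonymous) are real Samba options, and the audit deliberately treats an option that is not set explicitly as a finding, since Samba defaults differ between versions.

```shell
#!/bin/sh
# Added example, not from the original page: audit a Samba smb.conf [global]
# section against the hardening points above (no SMB1, signing enforced,
# encryption required, no guest or anonymous access). The two configuration
# files are constructed samples; the option names are real Samba options.

# Print the value of one [global] option, lowercased and trimmed.
# $1 = path to smb.conf, $2 = option name in lowercase. Prints nothing if unset.
smb_global_value() {
    awk -v want="$2" '
        /^[[:space:]]*\[/ { in_global = (tolower($0) ~ /\[global\]/); next }
        in_global && /=/ {
            line = $0; sub(/[;#].*/, "", line)   # ignore comment lines
            split(line, kv, "=")
            key = tolower(kv[1]); gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            if (key == want) {
                val = tolower(kv[2]); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                print val
            }
        }' "$1" | tail -n 1
}

# Print one "FAIL <option>: ..." line per weak setting; return 0 only when all
# checks pass. An unset option counts as a finding: Samba defaults differ
# between versions, so the hardened values must be explicit.
audit_smb_conf() {
    conf="$1"; rc=0
    v=$(smb_global_value "$conf" "server min protocol")
    case "$v" in
        smb2*|smb3*) ;;
        *) echo "FAIL server min protocol: '$v' (SMB1 still accepted)"; rc=1 ;;
    esac
    v=$(smb_global_value "$conf" "server signing")
    [ "$v" = "mandatory" ] || { echo "FAIL server signing: '$v'"; rc=1; }
    v=$(smb_global_value "$conf" "smb encrypt")
    [ "$v" = "required" ] || { echo "FAIL smb encrypt: '$v'"; rc=1; }
    v=$(smb_global_value "$conf" "map to guest")
    [ "$v" = "never" ] || { echo "FAIL map to guest: '$v'"; rc=1; }
    v=$(smb_global_value "$conf" "restrict anonymous")
    [ "$v" = "2" ] || { echo "FAIL restrict anonymous: '$v'"; rc=1; }
    return $rc
}

# Number of findings for a file (0 means the audit passed).
smb_finding_count() {
    audit_smb_conf "$1" | grep -c '^FAIL' || true
}

# Constructed sample: a permissive configuration (SMB1 negotiable, signing
# optional, no encryption, unknown users mapped to guest).
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
[global]
   workgroup = WORKGROUP
   # NT1 is the SMB1 dialect
   server min protocol = NT1
   server signing = auto
   map to guest = Bad User
[public]
   path = /srv/public
   guest ok = yes
EOF

# Constructed sample: the same server with the hardening applied.
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
[global]
   workgroup = WORKGROUP
   server min protocol = SMB3_00
   server signing = mandatory
   smb encrypt = required
   map to guest = never
   restrict anonymous = 2
[data]
   path = /srv/data
   valid users = @staff
   guest ok = no
EOF
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT

echo "== weak =="; audit_smb_conf "$WEAK_CONF" || echo "(findings above)"
echo "== hardened =="; audit_smb_conf "$HARDENED_CONF" && echo "no findings"
```

Run against a real server with `audit_smb_conf /etc/samba/smb.conf`; the non-zero exit status makes it usable from a configuration-management check. The Windows-side equivalents of these settings live in the SMB server configuration (signing, encryption, SMB1 removal) and are not covered by this script.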