**#SMB protocol (Server Message Block) [port: 445, or 139 via NetBIOS]**

Intro:


SMB uses port 445 on modern Windows systems. On older versions of Windows it runs on port 139 via NetBIOS. Some systems host SMB on both ports 445 and 139 for compatibility reasons.

SMB is a network file-sharing protocol used to share files and peripherals between computers on a local area network (LAN).

Samba is the Linux implementation of SMB; it lets Windows systems access Linux shares and devices.


SMB connection:

via net command:

net use <drive letter>: \\<ip address>\<drive letter>$ <password> /user:<username>

via smbclient:

Use -L to list the available shares ==> smbclient -L //<ip>/ -U <username>

To log in, pick a share and drop the -L ==> smbclient //<ip>/<shared_folder> -U <username>



** #nmap_scripts:**

  1. smb-protocols:
  2. smb-security-mode:
  3. smb-enum-sessions:
  4. smb-enum-shares: enumerates the shares (falling back to a guest session) and checks the permissions on each shared folder or drive. (REQUIRES LOGIN CREDS OR ANONYMOUS LOGON)
  5. smb-enum-users: nmap -p445 --script smb-enum-users.nse <ip> (requires ANONYMOUS LOGON)
  6. smb-server-stats:
  7. smb-enum-domains:
  8. smb-enum-groups:
  9. smb-enum-services:
  10. smb-ls:
  11. smb-os-discovery:

#MSF Modules:

| Module | Description | Other information |
| --- | --- | --- |
| auxiliary/scanner/smb/smb_version | SMB Version Detection | |
| auxiliary/scanner/smb/smb_enumusers | SMB User Enumeration (SAM EnumUsers) | The module itself does not require SMBUser and SMBPass, but the target machine may still require them. |
| auxiliary/scanner/smb/smb_enumshares | SMB Share Enumeration | |
| auxiliary/scanner/smb/smb_login | SMB BruteForce | Password list location: set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt |

To find the other SMB MSF modules:

  • search type:auxiliary name:smb
  • search auxiliary/scanner/smb/

Linux MSF Module:

exploit/linux/samba/is_known_pipename


SMB tools:

smbmap

  • read/upload/download files, execute commands
  • Example code: smbmap -H 192.168.1.100 -u administrator -p smbserver_771

nmblookup

  • NetBIOS over TCP/IP client used to lookup NetBIOS names

smbclient

  • client to access SMB/CIFS resources on servers

rpcclient

  • tool for executing client side MS-RPC functions

enum4linux

  • good enumeration tool that gives a lot of info regarding SMB
  • Example: enum4linux -u administrator -p smbserver_771 192.168.1.100
  • For more info just add -a: enum4linux -a -u administrator -p smbserver_771 192.168.1.100

Exploits & Vulnerabilities:

1. [[CVE-2017-0144 (EternalBlue) SMB]]

**2. Samba 3.5.0**

It is vulnerable to remote code execution: a malicious client can upload a shared library to a writable share and then cause the server to load and execute it.

Samba 4.1.17

It can also be exploited with the MSF module exploit/linux/samba/is_known_pipename: set the target to Automatic (Command) and run.

3. PsExec

If we have SMB creds, we can use the [[SMB PsExec]] python script or the MSF module 👇 to execute commands or get a shell.

psexec.py <user>@<target_ip> 

exploit/windows/smb/psexec

4. SMB Relay Attack

![[Pasted image 20250417183112.png]]

Full attack scenario in this note: [[SMB Relay Attack]]
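Both the smb-security-mode script above and the relay attack come down to one field: the SecurityMode bits in the server's SMB2 NEGOTIATE response, where only "signing required" actually blocks relaying. The following is an added example (not part of this note or any tool it mentions) that parses a constructed response offline and reports that state; relay_verdict and build_sample_response are hypothetical helpers written for this example.

```python
import struct

# SecurityMode flag bits of the SMB2 NEGOTIATE response (MS-SMB2 2.2.4)
SIGNING_ENABLED = 0x0001
SIGNING_REQUIRED = 0x0002
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}


def parse_negotiate_response(pkt: bytes) -> dict:
    """Parse a direct-TCP (port 445) SMB2 NEGOTIATE response:
    4-byte length prefix, 64-byte SMB2 header, then the response body."""
    length = struct.unpack(">I", pkt[:4])[0]      # NetBIOS session-style length prefix
    msg = pkt[4:4 + length]
    if msg[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    command, = struct.unpack_from("<H", msg, 12)  # Command field sits at header offset 12
    if command != 0x0000:                         # 0x0000 = SMB2 NEGOTIATE
        raise ValueError("not a NEGOTIATE response")
    body = msg[64:]                               # the SMB2 header is always 64 bytes
    struct_size, sec_mode, dialect = struct.unpack_from("<HHH", body, 0)
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return {"dialect": DIALECTS.get(dialect, hex(dialect)),
            "signing_enabled": bool(sec_mode & SIGNING_ENABLED),
            "signing_required": bool(sec_mode & SIGNING_REQUIRED)}


def relay_verdict(info: dict) -> str:
    """Defender's reading of the SecurityMode bits: only 'required' blocks relay."""
    if info["signing_required"]:
        return "signing required: NTLM relay to this host is blocked"
    if info["signing_enabled"]:
        return "signing enabled but not required: still relay-exposed"
    return "signing disabled: relay-exposed"


def build_sample_response(sec_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed sample response (not a real capture) for offline testing."""
    header = b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 0x0000, 1,
                                      0x00000001, 0, 0, 0, 0, 0) + b"\x00" * 16
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, sec_mode, dialect, 0, b"\x00" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 0x80, 0, 0)
    return struct.pack(">I", len(header) + len(body)) + header + body


if __name__ == "__main__":
    for mode in (0x0000, 0x0001, 0x0003):
        print(relay_verdict(parse_negotiate_response(build_sample_response(mode))))
```

The same parser works on the first response of a real 445 session captured from a host you administer, which is a quick way to confirm that a "require signing" GPO actually took effect.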