SMB

Server Message Block

The Server Message Block protocol (SMB protocol) is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network.

The earlier version of SMB (SMB 1.0) was originally designed to operate on NetBIOS over TCP/IP (NBT), which uses the following ports:

  • 137 (TCP/UDP) for name services

  • 138 (UDP) for datagram services

  • 139 (TCP) for session services

By default, NBT is installed and enabled in Windows for backwards compatibility, but it is known for exposing file shares and other information to everyone on the network.

NetBIOS over TCP/IP (NBT) is a completely independent service from SMB, and it doesn't depend on SMB for anything. The SMB protocol, on the other hand, may rely on NetBIOS to communicate with old devices that do not support the direct hosting of SMB over TCP/IP.

SMB operating over NBT --> port 139

SMB directly over TCP/IP --> port 445

By the way, if both NetBIOS over TCP/IP and directly hosted SMB over TCP/IP are available (that is, if ports 445 and 139 are both listening), Windows tries both options at the same time. Whichever responds first is used for communication.

SMB 2.0, introduced with Windows Vista and Windows Server 2008, can operate solely on TCP port 445, so you can safely disable NBT for improved security and to remove the network overhead caused by NetBIOS broadcasts.

NMBD = NetBIOS name server to provide NetBIOS over IP naming services to clients

SMBD = server to provide SMB/CIFS services to clients

Map a network drive

Here you'll see how to map a network share to a drive letter. It acts like a shortcut to that specific shared folder: the share then appears under "This PC", whereas otherwise you would have to browse to Network > TARGET_PC.

First check with nmap that the target has NetBIOS and/or SMB active (usually on ports 139 and 445).

To map a network drive, you can proceed in two ways.

net use <drive_name>: \\<target_IP>\<share_path> <password> /user:<username>

To unmap a specific drive

net use <drive_name>: /delete

To delete all mappings

net use * /delete

Nmap scripts

Add --script followed by one of the following to your nmap command:

smb-protocols

smb-protocols: attempts to list the supported protocols and versions of an SMB server

smb-security-mode

smb-security-mode: returns information about the SMB security level reported by the server

smb-enum-sessions

smb-enum-sessions: enumerates the users logged into a system either locally or through an SMB share

You can pass parameters as well, using --script-args

Example --script-args smbusername=<username>,smbpassword=<password>

Running the smb-enum-sessions script together with the --script-args above logs you in as <username>, so your own session shows up in the enumeration too.

smb-enum-shares

smb-enum-shares: attempts to list shares

The IPC$ share is also known as a null session connection. By using this session, Windows lets anonymous users perform certain activities, such as enumerating the names of domain accounts and network shares.

smb-enum-shares,smb-ls: enumerates shares and lists their content

smb-enum-users

smb-enum-users: attempts to enumerate the users on a remote Windows system, with as much information as possible

smb-server-stats

smb-server-stats: attempts to grab the server's statistics

smb-enum-domains

smb-enum-domains: attempts to enumerate domains on a system, along with their policies. This generally requires credentials, except against Windows 2000

smb-enum-groups

smb-enum-groups: gets a list of groups from the remote Windows system, as well as a list of each group's users

smb-os-discovery

smb-os-discovery: attempts to determine

  • OS

  • smb version

  • computer name

  • domain

  • workgroup

  • current time over the SMB protocol (ports 445 or 139).
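As an added example (it is neither nmap's code nor part of the original page), here is a small Python parser that reads the normal-format output of the smb-protocols and smb-security-mode scripts above and flags the two settings a defender would want fixed: an SMBv1 dialect still being offered, and message signing not being required. The sample output is constructed to mimic nmap's layout.

```python
import re

# Constructed sample in the style of nmap's normal output for the
# smb-protocols and smb-security-mode scripts (not real scan output).
SAMPLE_OUTPUT = """\
Host script results:
| smb-protocols: 
|   dialects: 
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.0.2
|_    3.1.1
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
"""

# One '|' or '|_' prefix, then the indent that encodes nesting depth.
SCRIPT_LINE = re.compile(r"^\|_?( *)(.*)$")

def parse_host_scripts(text):
    """Split nmap's '| script:' block into {script_name: [body lines]}."""
    scripts, current = {}, None
    for raw in text.splitlines():
        m = SCRIPT_LINE.match(raw)
        if not m:
            continue  # header or unrelated line, not part of a script block
        indent, body = len(m.group(1)), m.group(2).strip()
        if indent == 1 and body.endswith(":"):  # top-level line names the script
            current = body[:-1]
            scripts[current] = []
        elif current is not None and body:
            scripts[current].append(body)
    return scripts

def smb_findings(text):
    """Return the hardening findings a defender would act on."""
    scripts = parse_host_scripts(text)
    findings = []
    if any("SMBv1" in d for d in scripts.get("smb-protocols", [])):
        findings.append("SMBv1 dialect offered: disable SMB1 on the server")
    for line in scripts.get("smb-security-mode", []):
        key, _, value = line.partition(":")
        if key.strip() == "message_signing" and not value.strip().startswith("required"):
            findings.append(f"message signing is '{value.strip()}': require signing")
    return findings
```

Feed it the saved output of a scan that used --script smb-protocols,smb-security-mode; an empty list means both settings are already at their hardened values.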

SMBMap

SMBMap is a command-line tool used in penetration testing and security assessments to interact with and enumerate resources, shares, directories, and files on systems that use the Server Message Block (SMB) protocol.

Connect to a share

This connects to the Samba (SMB) service running on the target host with the provided credentials and lists all available shares.

smbmap -u <username> -p <password> -H <target IP>

The options in the following sections are appended to this base command line.

Execute command

-x <command>: execute the provided command on the target machine.

# Example
smbmap -u <username> -p <password> -H <target IP> -x 'ipconfig'

List available drives

-L: list all drives on the specified host; requires admin rights.

# Example
smbmap -u <username> -p <password> -H <target IP> -L

List dirs/files

-r <share name>: list the directories and files in the given share.

# Example
smbmap -u <username> -p <password> -H <target IP> -r 'C$'

Upload files

--upload <full file path (local)> <full file path (remote)>

# Example
smbmap -u <username> -p <password> -H <target IP> --upload '/pippo' 'C$\pippo'

Paths must be wrapped in single (or double) quotes!

Download files

--download <remote file path>

# Example
smbmap -u <username> -p <password> -H <target IP> --download 'C$\pippo'

Other tools

nmblookup -A <target IP>

When you see a row with the <20> suffix, it means that the Samba (SMB file server) service is active on that machine.

Get OS version

srvinfo (run inside rpcclient)

Enumerating users

enum4linux -U <target IP>

Via RID cycling (-r)

enum4linux -r -u <username> -p <password> <target IP>

Enumerating shares

enum4linux -S <target IP>

Enumerating groups

enum4linux -G <target IP>

Getting printer information

enum4linux -i <target IP>

Connect to a share

Access a share via a null session (-N suppresses the password prompt)

smbclient //<target IP>/<share name> -N

Crack password via dictionary attack

use auxiliary/scanner/smb/smb_login

You need to set

  • rhosts

  • pass_file

  • smbuser

Named pipes

Named pipes, also known as FIFOs (First In, First Out), are a type of inter-process communication (IPC) mechanism used in operating systems to allow communication between processes. Named pipes provide a way for processes to communicate by using a special type of file that acts as a conduit for data exchange.

Unlike regular files that store data on disk, named pipes exist in memory and facilitate communication between processes without the need for explicit socket programming. Processes can write data to a named pipe, and other processes can read from it, creating a form of data stream between them.

Named pipes are particularly useful for situations where multiple processes need to exchange data quickly and efficiently. They are commonly used in various scenarios, including client-server applications, network services, and in some cases, for communication between different components of an operating system.

🧨 In the context of security, named pipes can also be used as a potential attack vector if not properly configured or protected, as they might expose unintended communication channels between processes that could be exploited by malicious actors.

SMB is a protocol used by many other services. Services talk to each other through pipes, and named pipes are pipes with well-known names.

If you can get into SMB, there's a chance you could get into other services that are piped through it, if you know the name of the pipes.

use auxiliary/scanner/smb/pipe_auditor

You need to set

  • rhosts

  • smbuser

  • smbpass
