SMB (139-445)

Server Message Block.

Protocol Information

SMB (Server Message Block) is a network protocol that enables the sharing of files, printers and other resources among devices within a network. Used primarily in Windows systems, SMB allows users and applications to access remote files as if they were local and supports features such as authentication, permission management, and access control. SMB uses port 445 (TCP). However, SMB was originally run on NetBIOS using port 139. NetBIOS is an independent session-level service and protocol that allows computers on a local network to communicate with each other. While modern implementations of SMB can run without NetBIOS, NetBIOS over TCP (NBT) is required for backward compatibility and is often enabled together.

There is 3 version of SMB: SMBv1 susceptible to known attacks (Eternal blue, wanna cry), SMBv2 and SMBv3 that uses encryption and is more secure.

SAMBA is the open source Linux implementation of SMB.

Port

445 TCP	Newer versions of SMB (after Windows 2000)
139 TCP	NBSession

Config File

• /etc/samba/smb.conf

Interact

If anonymous access is enabled, it's possible log in with username “” and password “”. Or try with guest and "".

Windows

net use n: \\<IP>\<SHARE>
net use n: \\<IP>\<SHARE> /user:<USER> <PASSWORD>

Linux

sudo apt install cifs-utils

sudo mkdir <MyDir>
sudo mount -t cifs -o username=<USERNAME>,password=<PASSWORD>[,domain=.] //<IP>/<SHARE> <MyDir>

Tools

Tool	Details
smbmap	For enumeration smbmap [-u <USER> -p <PASS> -d <DOMAIN>] -H <IP>
enum4linux	For enumeration enum4linux [-u <USER> -p <PASS> -w <DOMAIN>] -A <IP>
smbclient	Accessing and interacting smbclient [-N or -U <USER>] -L <IP> smbclient [-N or -U <USER>] //<IP>/<SHARE>
netexec	Searching in shares nxc smb <IP> -u <USER> -p <PASS> --shares nxc smb <IP> -u <USER> -p <PASS> --spider '<SHARE>' --regex '<REGEX>' nxc smb <IP> -u <USER> -p <PASS> -M spider_plus (try again if there are errors)

Attacks

EternalBlue (MS17-010)

CVE-2017-0144

EternalBlue exploits a flaw in the SMBv1 protocol. By exploiting this flaw, an attacker can send malicious data to the victim system via an SMBv1 connection, causing a condition that allows them to take control of the target system, executing malicious code without any need for authentication and with system privileges.