SMB - Port 139 445
Port 139, commonly associated with the Server Message Block (SMB) protocol over NetBIOS, plays a key role in enabling file and printer sharing, network authentication, and various types of communication within local area networks (LANs). Leveraging NetBIOS (Network Basic Input/Output System), this port facilitates inter-computer communication by supporting session establishment, data transmission, and the management of networked resources like shared files and printers. Historically integral to Windows networking, Port 139 enables SMB, an essential protocol that underpins shared access to files, printers, and even serial ports across networks.
Technically, Port 445 is referred to as "SMB over IP", distinguishing it from Port 139, which is known as "NBT over IP". The term SMB stands for "Server Message Blocks", a protocol also commonly referred to as the Common Internet File System (CIFS). As an application-layer network protocol, SMB/CIFS facilitates shared access to files, printers, and serial ports while enabling seamless communication between devices on a network.
In modern Windows systems, SMB operates directly over TCP/IP through Port 445, bypassing the need for NetBIOS. This direct implementation enhances efficiency and reduces dependencies on older protocols. On the other hand, legacy systems or specific configurations may still employ Port 139, which signifies SMB functioning in conjunction with NetBIOS over TCP/IP. The distinction between these ports underscores the evolution of network protocols, with Port 445 representing a streamlined approach to resource sharing in contemporary networks.
The Server Message Block (SMB) protocol, operating in a client-server model, is designed for regulating access to files, directories, and other network resources like printers and routers. Primarily utilized within the Windows operating system series, SMB ensures backward compatibility, allowing devices with newer versions of Microsoft's operating system to seamlessly interact with those running older versions. Additionally, the Samba project offers a free software solution, enabling SMB's implementation on Linux and Unix systems, thereby facilitating cross-platform communication through SMB.
Shares, representing arbitrary parts of the local file system, can be provided by an SMB server, making the hierarchy visible to a client partly independent from the server's actual structure. The Access Control Lists (ACLs), which define access rights, allow for fine-grained control over user permissions, including attributes like execute, read, and full access. These permissions can be assigned to individual users or groups, based on the shares, and are distinct from the local permissions set on the server.
Access to the IPC$ share can be obtained through an anonymous null session, allowing for interaction with services exposed via named pipes. The utility enum4linux is useful for this purpose. Utilized properly, it enables the acquisition of:
Information on the operating system
Details on the parent domain
A compilation of local users and groups
Information on available SMB shares
The effective system security policy
This functionality is critical for network administrators and security professionals to assess the security posture of SMB (Server Message Block) services on a network. enum4linux provides a comprehensive view of the target system's SMB environment, which is essential for identifying potential vulnerabilities and ensuring that the SMB services are properly secured.
The above command is an example of how enum4linux might be used to perform a full enumeration against a target specified by target_ip.
To look for possible exploits for the SMB version, it is important to know which version is being used. If this information does not appear in the output of the other tools used, you can:
Or this script:
This information should already have been gathered by enum4linux and enum4linux-ng.
It is always recommended to check whether you can access anything; if you don't have credentials, try null credentials or the guest user.
crackmapexec can execute commands abusing any of mmcexec, smbexec, atexec or wmiexec, with wmiexec being the default method. You can indicate which option you prefer to use with the parameter --exec-method:
| Username(s) | Common passwords |
| --- | --- |
| (blank) | (blank) |
| guest | (blank) |
| Administrator, admin | (blank), password, administrator, admin |
| arcserve | arcserve, backup |
| tivoli, tmersrvd | tivoli, tmersrvd, admin |
| backupexec, backup | backupexec, backup, arcada |
| test, lab, demo | password, test, lab, demo |
The default config of a Samba server is usually located in /etc/samba/smb.conf and might have some dangerous configs:

| Setting | Description |
| --- | --- |
| browseable = yes | Allow listing available shares in the current share? |
| read only = no | Forbid the creation and modification of files? |
| writable = yes | Allow users to create and modify files? |
| guest ok = yes | Allow connecting to the service without using a password? |
| enable privileges = yes | Honor privileges assigned to specific SID? |
| create mask = 0777 | What permissions must be assigned to the newly created files? |
| directory mask = 0777 | What permissions must be assigned to the newly created directories? |
| logon script = script.sh | What script needs to be executed on the user's login? |
| magic script = script.sh | Which script should be executed when the script gets closed? |
| magic output = script.out | Where the output of the magic script needs to be stored? |
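To review a server for the settings in the table above, the following added example (not part of the original page or of Samba) parses an smb.conf and reports guest access, world-writable masks and magic scripts per share. The function names and the sample configuration are constructed for illustration; as a simplification, a share counts as writable if either "writable" or "read only" says so.

```python
# Synonyms documented in smb.conf(5), folded to one canonical parameter name.
SYNONYMS = {"public": "guest ok", "writeable": "writable", "write ok": "writable",
            "create mode": "create mask", "directory mode": "directory mask"}
TRUE = {"yes", "true", "1", "on"}

def parse_smb_conf(text):
    """Return {section: {param: value}} with lowercased canonical names."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())
            current[SYNONYMS.get(key, key)] = value
    return sections

def audit(text):
    """Return sorted (share, finding) pairs for risky settings from the table.
    Simplification: a share counts as writable if either spelling says so."""
    conf = parse_smb_conf(text)
    base = conf.pop("global", {})
    findings = []
    for share, own in conf.items():
        p = {**base, **own}  # share-level values override [global] defaults
        guest = p.get("guest ok", "no").lower() in TRUE
        writable = (p.get("writable", "no").lower() in TRUE
                    or p.get("read only", "yes").lower() not in TRUE)
        if guest:
            findings.append((share, "guest-writable" if writable else "guest-readable"))
        for key in ("create mask", "directory mask"):
            if key in p and int(p[key], 8) & 0o002:
                findings.append((share, f"{key} {p[key]} is world-writable"))
        if "magic script" in p:
            findings.append((share, f"magic script set: {p['magic script']}"))
    return sorted(findings)

# Constructed sample configuration, not taken from a real server.
SAMPLE = """[global]
   guest ok = yes
[public]
   read only = no
   create mask = 0777
[finance]
   public = no
   ; magic script = script.sh
[scans]
   path = /srv/scans
"""
```

In the sample, [scans] sets no guest option of its own and is still reported, because it inherits guest ok = yes from [global]; the output of testparm -s can be audited the same way.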
The command smbstatus gives information about the server and about who is connected.