EXPLOITING SMB

====================================================================
SMB ENUMERATION: ACTIVE INFORMATION GATHERING:
====================================================================

Server Message Block: SMB Protocol

Many security vulnerabilities have been identified in this protocol over the years, from:
- SMB unauthenticated NULL sessions in Windows 2000 and XP
- plenty of Microsoft SMB and RPC bugs and vulnerabilities.
The SMB protocol has also undergone many changes and improvements over the years to help improve security, especially in its default configuration.

SMB listens on TCP port 445 (direct SMB over TCP) and TCP port 139 (NetBIOS session service), plus UDP ports 137 and 138 (NetBIOS name and datagram services) when the Windows NetBIOS API is in use.

Using nmap to identify which machines have SMB ports open (--open shows only hosts with at least one of the ports open):
#nmap -p139,445 10.11.1.200-254 --open

There are other tools specifically for identifying which machines are running the SMB or NetBIOS services:
- nbtscan - NetBIOS name server scanner.

#man nbtscan

***************************
#nbtscan 10.11.1.200-254
***************************
nbtscan can even list logged in users if they are present.

SMB - ACTIVE INFORMATION GATHERING: SMB Null Session Enumeration

*** WINDOWS XP (SP1) AND WINDOWS 2000 SERVERS ARE THE MAIN TARGETS (BUT NOT LIMITED TO) IN THE LABS HERE

An SMB Null Session refers to an unauthenticated NetBIOS/SMB session between two computers. This feature exists to allow unauthenticated users to obtain information about the machine, which is exactly the type of information that we are interested in as attackers.

Information available includes:
- password policies
- usernames
- group names
- machine names
- user and host sids
- and so forth

In Windows NT, 2000 and XP the default configuration of the SMB service allowed Null Sessions to be created. From Windows 2003 and Windows XP Service Pack 2 onwards this behaviour is disabled by default, and many other security improvements were added.

Even in modern pen testing work, we will often find Windows machines vulnerable to these techniques.

Alternatively you may also stumble upon a more modern server with a misconfigured SMB service.

****************************
A useful tool for creating a Null session and exploring a remote SMB service is rpcclient.

The example below connects to a machine running Windows 2000 Server using an empty (null) username:
#rpcclient -U "" 192.168.31.206
When asked, enter an empty password (or add -N to skip the password prompt entirely).
****************************

When this completes we are connected without having provided any credentials. We are now at an rpcclient prompt and can issue commands to enumerate the host over SMB/MSRPC.

Get more information on the specific OS version:
rpcclient $>srvinfo

Display a list of usernames defined on this server:
rpcclient $>enumdomusers

Display the password policy configured for this server (minimum length and password properties):
rpcclient $>getdompwinfo
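The same three rpcclient commands can be run non-interactively and their output turned into lists for later phases (user list for password guessing, the policy before any guessing starts). The script below is an added example, not part of the original notes; the sample output is constructed to match rpcclient's line formats and was not captured from a real host. Assumed: rpcclient is installed and the lab host address from the notes.

```sh
#!/bin/sh
# Batched null-session enumeration with rpcclient, and parsing of its output.
# Added example, not from the original notes.

# null_session_enum HOST: the interactive session above, run non-interactively.
#   -U ""  empty username      -N  do not prompt for a password (null session)
#   -c     run the semicolon-separated rpcclient commands and exit
null_session_enum() {
    rpcclient -U "" -N -c "srvinfo;enumdomusers;getdompwinfo" "$1"
}

# Constructed sample of what the three commands print for a Windows 2000 lab
# host (not captured from a real system); the line formats are rpcclient's.
SAMPLE_OUTPUT='	192.168.31.206 Wk Sv NT SNT
	platform_id     :	500
	os version      :	5.0
	server type     :	0x9003
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[IUSR_SRV1] rid:[0x3e8]
user:[backup] rid:[0x3e9]
min_password_length: 0
password_properties: 0x00000000'

# parse_users: stdin rpcclient output -> one username per line.
# enumdomusers prints lines of the form  user:[NAME] rid:[0xHEX]
parse_users() {
    sed -n 's/^user:\[\([^]]*\)\] rid:\[[^]]*\]$/\1/p'
}

# admin_account: name of the account with RID 0x1f4 (500). That is the
# built-in Administrator, which keeps its RID even when it has been renamed.
admin_account() {
    sed -n 's/^user:\[\([^]]*\)\] rid:\[0x1f4\]$/\1/p'
}

# min_password_length: stdin rpcclient output -> the policy's minimum length.
# getdompwinfo prints  min_password_length: N  and  password_properties: 0x...
min_password_length() {
    awk -F': *' '$1 == "min_password_length" { print $2 }'
}

# Stand-alone demo on the constructed sample. Against a live host:
#   null_session_enum 192.168.31.206 | parse_users > users.txt
printf '%s\n' "$SAMPLE_OUTPUT" | parse_users
printf 'built-in Administrator is: %s\n' "$(printf '%s\n' "$SAMPLE_OUTPUT" | admin_account)"
printf 'min password length: %s\n' "$(printf '%s\n' "$SAMPLE_OUTPUT" | min_password_length)"
```

Checking the minimum password length (and the lockout settings from getusrdompwinfo, not parsed here) before guessing passwords against the user list is what keeps a null-session enumeration from turning into a lockout of every account you just found.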

SMB - ACTIVE INFORMATION GATHERING: Enum4Linux

***WINDOWS XP (SP1) AND WINDOWS 2000 SERVERS ARE THE MAIN TARGETS (BUT NOT LIMITED TO) IN THE LABS HERE

This is a Perl script wrapper around tools such as rpcclient which runs various SMB enumeration procedures against a given machine.

************************************
eg:
#enum4linux -v 192.168.31.206
************************************

The output is a wealth of information including:
- a full list of usernames
- shares
- password policies
- user and group information
- and much much more

With -v (verbose) we can also see the specific command lines that Enum4Linux runs to obtain this information, which is useful when a single step needs to be re-run by hand.

SMB - ACTIVE INFORMATION GATHERING: SMB NSE Scripts

*** WINDOWS XP (SP1) AND WINDOWS 2000 SERVERS ARE THE MAIN TARGETS (BUT NOT LIMITED TO) IN THE LABS HERE

NMAP also includes several SMB scripts which can run a variety of SMB protocol checks.

To list these scripts, we can list the nse scripts directory and then grep for SMB.

************************************
# ls -l /usr/share/nmap/scripts |grep smb
************************************

The smb-enum-users script tries to enumerate user names over a null session on the target as part of the nmap scan, eg:
#nmap -p 139,445 --script smb-enum-users 192.168.31.206

************************************
Another useful nmap SMB script is smb-check-vulns, which checks for the existence of several SMB vulnerabilities.
Eg:
#nmap -p 139,445 --script=smb-check-vulns --script-args=unsafe=1 192.168.31.229

MODERN SYNTAX for this (newer Nmap releases replaced smb-check-vulns with individual smb-vuln-* scripts; the glob is quoted so the shell does not expand it):
#nmap -p 139,445 --script='smb-vuln*' --script-args=unsafe=1 192.168.31.229

Note that unsafe=1 allows checks that can crash the target service (the MS08-067 check is one of them); without it those scripts skip their dangerous check. Only use it where taking the service down is acceptable.

I have created a list of all IPs that appear to be live, called IPs.txt. Below I use this list to scan all of those machines for SMB vulnerabilities:
#nmap -p 139,445 --script='smb-vuln*' --script-args=unsafe=1 -iL IPs.txt
************************************
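The discovery scan at the top of these notes and the IPs.txt list used here fit together: save the discovery scan in nmap's grepable format, pull out the hosts with 139 or 445 open, and feed that list to the smb-vuln* sweep. The script below is an added example, not part of the original notes; the grepable output embedded in it is constructed, not from a real scan, and the nmap invocation at the end is the one from the notes (it needs live targets and is not run by the demo).

```sh
#!/bin/sh
# Build the SMB target list (IPs.txt) from the discovery scan's grepable output
# and feed it to the smb-vuln* checks. Added example, not from the original notes.
#
# Step 1 (not run here) is the discovery scan from the top of the notes,
# saved in grepable format:
#   nmap -p139,445 --open 10.11.1.200-254 -oG smb-discovery.gnmap

# Constructed sample of -oG output (not from a real scan). Real files use tabs
# between the fields; awk's default field splitting handles either.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated (constructed sample)
Host: 10.11.1.200 ()  Status: Up
Host: 10.11.1.200 ()  Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 10.11.1.201 ()  Ports: 139/closed/tcp//netbios-ssn///, 445/closed/tcp//microsoft-ds///
Host: 10.11.1.202 ()  Ports: 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 10.11.1.203 ()  Ports: 445/open/tcp//microsoft-ds///  Ignored State: closed (1)
# Nmap done (constructed sample)'

# smb_targets: read gnmap on stdin, print each host once if TCP 139 or 445 is open.
smb_targets() {
    awk '
    /^Host:/ && /Ports:/ {
        ip = $2
        sub(/[ \t]*Ignored State:.*$/, "")   # trailing summary, if present
        sub(/.*Ports: /, "")                 # keep only the port list
        n = split($0, entry, /, */)
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")          # f[1]=port f[2]=state f[3]=proto
            if (f[3] == "tcp" && f[2] == "open" &&
                (f[1] == "139" || f[1] == "445") && !(ip in seen)) {
                seen[ip] = 1
                print ip
            }
        }
    }'
}

# write_targets GNMAP_FILE OUT_FILE: write the list and print the host count.
write_targets() {
    smb_targets < "$1" > "$2"
    wc -l < "$2" | tr -d ' '
}

# smb_vuln_scan LIST_FILE OUT_FILE: the vulnerability sweep from the notes.
# unsafe=1 lets scripts such as smb-vuln-ms08-067 run checks that can crash
# the target service, so only pass it where a crash is acceptable. Not run here.
smb_vuln_scan() {
    nmap -p 139,445 --script 'smb-vuln*' --script-args=unsafe=1 -iL "$1" -oN "$2"
}

# Stand-alone demo on the constructed sample. With a real scan file:
#   write_targets smb-discovery.gnmap IPs.txt && smb_vuln_scan IPs.txt smb-vulns.txt
printf '%s\n' "$SAMPLE_GNMAP" | smb_targets
```

Filtering on the state field matters: without --open, nmap's grepable output lists closed and filtered ports too, and a host whose 445 is filtered by a host firewall is not a null-session candidate.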

SMB ports are not usually exposed to the internet, since the service has a long history of vulnerabilities, and many ISPs filter this traffic; as a result you are more likely to find these weaknesses in internal network environments. An SMB port exposed to the internet is usually either a security oversight or a lack of proper port filtering on the target's side.