SMB Enumeration

This document discusses various techniques for enumerating information from SMB servers including discovering the hostname, shares, users and vulnerabilities. It covers tools like nmblookup, nbtscan, net view, smbclient and nmap scripts that can retrieve details like the computer name, logged in user, share list and more.

Uploaded by

Tobey Samuel

Contents

What is SMB?
SMB Working
SMB Versions
SMB Security
SMB Enumeration: Hostname
    nmblookup
    nbtscan
    nbstat NSE Script
    nbtstat
    Ping
    smb-os-discovery NSE Script
SMB Enumeration: Share and Null Session
    SMBMap
    smbclient
    smb-enum-shares NSE Script
    Net view
    Metasploit: smb_enumshares
    CrackMapExec
    rpcclient
SMB Enumeration: Vulnerability Scanning
    smb-vuln NSE Script
SMB Enumeration: Users
    smb_lookupsid
    Impacket: Lookupsid
SMB Enumeration: Enum4Linux
Conclusion

What is SMB?
SMB (Server Message Block) is the modernised concept of what was once known as the Common Internet
File System (CIFS). It works as an application-layer network protocol designed for file sharing.
Different applications on a system can read and write files at the same time, as well as request
services from a server located within a network. One of the interesting features of SMB is that it can
run on top of TCP/IP or other network protocols. With the help of SMB, a user or any authorised
application can access files or other resources on a remote server: reading data, creating data, and
updating data. Communication between clients and servers takes place through SMB client requests.

SMB Working
The SMB protocol allows a client to communicate with other participants in the same network and to
access the files or services that are open to it there. For this to work, the other device also needs an
implementation of the protocol; it receives and processes the client's requests using an SMB server
application. Client computers using SMB connect to a supporting server using NetBIOS over TCP/IP,
IPX/SPX, or NetBEUI. The connection has to be established before any information is exchanged;
subsequent data transport is regulated by the provisions of the TCP protocol. SMB functions as a
request-response, or client-server, protocol. Once the connection is established, the client computer or
program can open, read, write and access files much as it would on the local file system.

SMB Versions
- CIFS: The old version of SMB, which was included in Microsoft Windows NT 4.0 in 1996.
- SMB 1.0 / SMB1: The version used in Windows 2000, Windows XP, Windows Server 2003 and
  Windows Server 2003 R2.
- SMB 2.0 / SMB2: The version used in Windows Vista and Windows Server 2008.
- SMB 2.1 / SMB2.1: The version used in Windows 7 and Windows Server 2008 R2.
- SMB 3.0 / SMB3: The version used in Windows 8 and Windows Server 2012.
- SMB 3.02 / SMB3: The version used in Windows 8.1 and Windows Server 2012 R2.
- SMB 3.1: The version used in Windows Server 2016 and Windows 10.

Presently, the latest version of SMB is SMB 3.1.1, which was introduced with Windows 10 and Windows
Server 2016. This version supports AES 128 GCM encryption in addition to the AES 128 CCM encryption
added in SMB3, and implements a pre-authentication integrity check using a SHA-512 hash. SMB 3.1.1
also makes secure negotiation mandatory when connecting to clients using SMB 2.x and higher.

SMB Security
The SMB protocol supports two levels of security. The first is the share level. The server is protected at
this level, and each share has a password. On the client computer, the user has to enter that password
to access data or files saved under the specific share. This is the only security model available in the Core
and Core Plus SMB protocol definitions. User-level protection was later added to the SMB protocol. It is
applied to individual files, and each share is based on specific user access rights. Once a server
authenticates the client, he/she is given a unique identification (UID) that is presented when accessing the
server. The SMB protocol has supported individual security since LAN Manager 1.0 was implemented.

SMB Enumeration: Hostname


We will start the enumeration of the SMB by finding the hostname of the target machine. This can be
done with various tools.

nmblookup
We start with the nmblookup tool. It queries NetBIOS names and maps them to their corresponding IP
addresses on a network. The options allow the name queries to be directed at a particular IP broadcast
area or at a particular machine. All queries are done over UDP.

The hex value shown after each name is its NetBIOS suffix, which identifies the service that registered
the name. For unique names:


00: Workstation Service (workstation name)
03: Windows Messenger service
06: Remote Access Service
20: File Service (also called Host Record)
21: Remote Access Service client
1B: Domain Master Browser – Primary Domain Controller for a domain
1D: Master Browser

For group names:


00: Workstation Service (workgroup/domain name)
1C: Domain Controllers for a domain
1E: Browser Service Elections

nmblookup -A 192.168.1.17

Here, we can see that we have enumerated the hostname to be DESKTOP-ATNONJ9.
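What nmblookup -A (and nbtscan, nbtstat -A and the nbstat NSE script below) actually receive is an RFC 1002 node-status response, a name table in which each 18-byte entry carries the name, its suffix and a group flag. The parser below is an added example, not code from the original document; it builds its own constructed sample packet (the MAC address is made up) and decodes it with the suffix tables above.

```python
import struct

# NetBIOS name suffix meanings as tabulated above, for unique and for group names.
UNIQUE_SUFFIX = {0x00: "Workstation Service", 0x03: "Windows Messenger service",
                 0x06: "Remote Access Service", 0x20: "File Service",
                 0x21: "Remote Access Service client",
                 0x1B: "Domain Master Browser", 0x1D: "Master Browser"}
GROUP_SUFFIX = {0x00: "Workstation Service (workgroup/domain name)",
                0x1C: "Domain Controllers", 0x1E: "Browser Service Elections"}

def _node_name(name, suffix, group=False):
    """One 18-byte NODE_NAME record: 15-char space-padded name, suffix, 16-bit flags."""
    flags = (0x8000 if group else 0) | 0x0400   # bit 15 = group name, bit 10 = active
    return name.ljust(15).encode("ascii")[:15] + bytes([suffix]) + struct.pack("!H", flags)

def build_sample_response(names, mac):
    """Constructed RFC 1002 NODE STATUS RESPONSE, i.e. the packet nmblookup -A receives."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)   # response, ANCOUNT = 1
    # RR_NAME is the wildcard "*" name, first-level encoded (each nibble + 'A').
    raw = b"*".ljust(16, b"\x00")
    encoded = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)
    rdata = bytes([len(names)]) + b"".join(_node_name(*n) for n in names)
    rdata += mac + bytes(40)                     # UNIT_ID (MAC) plus zeroed statistics
    rr = b"\x20" + encoded + b"\x00" + struct.pack("!HHIH", 0x0021, 0x0001, 0, len(rdata))
    return header + rr + rdata

def parse_node_status(pkt):
    """Return (hostname, mac, entries); each entry is (name, suffix, is_group, meaning)."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000 or ancount != 1:
        raise ValueError("not a node-status response")
    off = 12
    off += 1 + pkt[off] + 1                      # length byte, encoded name, terminator
    rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    if rtype != 0x0021:                          # NBSTAT
        raise ValueError("unexpected RR type 0x%04x" % rtype)
    off += 10
    num_names, off = pkt[off], off + 1
    if rdlen < 1 + 18 * num_names + 6:           # refuse a table that overruns RDATA
        raise ValueError("truncated name table")
    entries = []
    for _ in range(num_names):
        rec, off = pkt[off:off + 18], off + 18
        name = rec[:15].decode("ascii", "replace").rstrip()
        suffix, nflags = rec[15], struct.unpack("!H", rec[16:18])[0]
        is_group = bool(nflags & 0x8000)
        meaning = (GROUP_SUFFIX if is_group else UNIQUE_SUFFIX).get(suffix, "unknown")
        entries.append((name, suffix, is_group, meaning))
    mac = ":".join("%02X" % b for b in pkt[off:off + 6])
    # The unique <00> name is the workstation name that nmblookup reports as the host.
    hostname = next((n for n, s, g, _ in entries if s == 0x00 and not g), None)
    return hostname, mac, entries

# Constructed sample modelled on the host enumerated above; the MAC address is made up.
SAMPLE = build_sample_response(
    [("DESKTOP-ATNONJ9", 0x00, False), ("WORKGROUP", 0x00, True),
     ("DESKTOP-ATNONJ9", 0x20, False), ("WORKGROUP", 0x1E, True)],
    bytes.fromhex("080027aabbcc"))

if __name__ == "__main__":
    host, mac, table = parse_node_status(SAMPLE)
    print("hostname:", host, " mac:", mac)
    for name, suffix, group, meaning in table:
        print("%-15s <%02X> %-6s %s" % (name, suffix, "GROUP" if group else "UNIQUE", meaning))
```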

nbtscan
Moving forward, we used the nbtscan tool. NBTscan is a program for scanning IP networks for NetBIOS name
information. It sends a NetBIOS status query to each address in the supplied range and lists the received
information in human-readable form. For each host that responds, it lists the IP address, NetBIOS computer
name, logged-in user name, and MAC address (such as Ethernet).

nbtscan 192.168.1.17

Here, we can see that we have enumerated the hostname to be DESKTOP-ATNONJ9.


nbstat NSE Script
This nmap script attempts to retrieve the target’s NetBIOS names and MAC address. By default, the
script displays the name of the computer and the logged-in user; if the verbosity is turned up, it displays
all names the system thinks it owns. It also shows the flags that we studied in nmblookup tool.

nmap --script nbstat.nse 192.168.1.17

Here, we can see that we have enumerated the hostname to be DESKTOP-ATNONJ9.

nbtstat
This Windows command displays the NetBIOS over TCP/IP (NetBT) protocol statistics. It can read the
NetBIOS name tables for both the local computer and remote computers. It can also read the NetBIOS
name cache. This command allows a refresh of the NetBIOS name cache and the names registered with
the Windows Internet Name Service (WINS). When used without any parameters, this command displays
help information. This command is available only if the Internet Protocol (TCP/IP) protocol is installed as
a component in the properties of a network adapter in Network Connections.

nbtstat -A 192.168.1.17

Here, we can see that we have enumerated the hostname to be DESKTOP-ATNONJ9.

Ping
We can also use the ping command to detect the hostname of an SMB server or machine. The -a
parameter specifies reverse name resolution to be performed on the destination IP address. If this is
successful, ping displays the corresponding hostname.

ping -a 192.168.1.17

Here, we can see that we have enumerated the hostname to be DESKTOP-ATNONJ9.

smb-os-discovery NSE Script

This NSE script attempts to determine the operating system, computer name, domain, workgroup, and
current time over the SMB protocol (ports 445 or 139). It is achieved by initiating a session with the
anonymous account (or with a proper user account, if one is given; it likely doesn’t make a difference); in
response to the session starting, the server will send back all this information.

The following fields may be included in the output, depending on the circumstances (e.g., the workgroup
name is mutually exclusive with domain and forest names) and the information available:

- OS
- Computer name
- Domain name
- Forest name
- FQDN
- NetBIOS computer name
- NetBIOS domain name
- Workgroup
- System time

nmap --script smb-os-discovery 192.168.1.17

Here, we can see that we have enumerated the hostname to be DESKTOP-ATNONJ9.

SMB Enumeration: Share and Null Session


As we discussed earlier, SMB is about sharing files and resources. The resources a server exposes for this
purpose are called shares. There are public shares that are accessible to everyone on the network, and
then there are user-specific shares. Let's enumerate these shares.

SMBMap
SMBMap allows users to enumerate Samba share drives across an entire domain. It lists share drives, drive
permissions and share contents, offers upload/download functionality and file-name pattern matching for
automatic download, and can even execute remote commands. This tool was designed with pen testing in
mind and is intended to simplify searching for potentially sensitive data across large networks.

smbmap -H 192.168.1.40

Here we see that the target machine has some shares. There is a share named guest, which must be a
public share. Let's enumerate a user-specific share using the credentials for that user. We are
enumerating the shares for the user raj as shown in the image below.

smbmap -H 192.168.1.17 -u raj -p 123

smbclient
smbclient is a Samba client with an "FTP-like" interface. It is a useful tool to test connectivity to a Windows
share. It can be used to transfer files, or to look at share names. In addition, it has a nifty ability to 'tar'
(backup) and restore files from a server to a client and vice versa. We enumerated the target machine and
found the guest share using smbclient directly. Then we connect to the guest share and see that there
is a text file named file.txt. We can download it using the get command.

smbclient -L 192.168.1.40
smbclient //192.168.1.40/guest
get file.txt

Now we enumerate the user-specific share. We connect to the SMB server as user raj and find a share by
the name of 'share'. We adjusted the smbclient command to access the share and found a file named
raj.txt. Again, we can download this file using the get command.

smbclient -L 192.168.1.17 -U raj%123


smbclient //192.168.1.17/share -U raj%123
get raj.txt

smb-enum-shares NSE Script
This NSE script attempts to list shares using the srvsvc.NetShareEnumAll MSRPC function and retrieve
more information about them using srvsvc.NetShareGetInfo. If access to those functions is denied, a list
of common share names is checked. Calling NetShareGetInfo requires an administrator account on all
versions of Windows up to 2003, as well as Windows Vista, Windows 7, and Windows 10, if UAC is turned
off. Even if NetShareEnumAll is restricted, attempting to connect to a share will always reveal its existence.
So, if NetShareEnumAll fails, a pre-generated list of shares, based on a large test network, is used. If any
of those succeed, they are recorded. After a list of shares is found, the script attempts to connect to each
of them anonymously, which divides them into "anonymous", for shares that the NULL user can connect
to, or "restricted", for shares that require a user account.

nmap --script smb-enum-shares -p139,445 192.168.1.17

Here, we can see the shares listed; although access to them is denied, the existence of each share is
confirmed.

Net view
net view displays a list of domains, computers or resources that are being shared by the specified computer.
Used without parameters, net view displays a list of computers in your current domain. This time we are on
the Windows machine. We used net view with the /All parameter to list all the shares on the target
machine.

net view \\192.168.1.17 /All

Then we changed the command by adding the share name, and we were able to read the contents of that
share. Now, using the copy command, we can download the file from the share.

Metasploit: smb_enumshares
The smb_enumshares module enumerates any SMB shares that are available on a remote system. It
requires the IP Address of the target server or machine, followed by a set of credentials that can be used
to access the share.

use auxiliary/scanner/smb/smb_enumshares
set rhosts 192.168.1.17
set smbuser raj
set smbpass 123
exploit

CrackMapExec
CrackMapExec (a.k.a. CME) is a post-exploitation tool that helps automate assessing the security of large
Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land":
abusing built-in Active Directory features/protocols to achieve its functionality, which allows it to evade
most endpoint protection/IDS/IPS solutions. CrackMapExec can map the network hosts, generate relay
lists, enumerate shares and access, enumerate active sessions, enumerate disks, enumerate logged-on
users, enumerate domain users, enumerate users by brute-forcing RIDs, enumerate domain groups,
enumerate local groups, etc.

crackmapexec smb 192.168.1.40 -u 'raj' -p '123' --shares

Here, we can see different shares and the permissions that are allowed on that particular share.

rpcclient
rpcclient is a utility initially developed to test MS-RPC functionality in Samba itself. It has undergone
several stages of development and stability. Many system administrators have now written scripts around
it to manage Windows NT clients from their UNIX workstations. We will be using it over a null session
(empty username, no password) to enumerate the SMB shares with the netshareenum command, as shown in
the image below.

rpcclient -U "" -N 192.168.1.40


netshareenum
netshareenumall
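Seen from the server side, the null-session and share-walking activity in this section leaves Windows Security events: 4624 (network logon, LogonType 3, as ANONYMOUS LOGON) and 5140 (a network share object was accessed). The detection below is an added example, not part of the original document; it runs over constructed sample events, and the JSON field names are assumed to mirror the event XML.

```python
import json
from collections import defaultdict

# Constructed sample Windows Security events as JSON lines (not real log data). Field
# names are assumed to mirror the event XML: 4624 = logon, 5140 = share accessed.
SAMPLE_LOG = r"""
{"EventID":4624,"TargetUserName":"ANONYMOUS LOGON","LogonType":3,"IpAddress":"192.168.1.40","Time":100}
{"EventID":5140,"SubjectUserName":"ANONYMOUS LOGON","ShareName":"\\\\*\\IPC$","IpAddress":"192.168.1.40","Time":101}
{"EventID":4624,"TargetUserName":"raj","LogonType":3,"IpAddress":"192.168.1.50","Time":200}
{"EventID":5140,"SubjectUserName":"raj","ShareName":"\\\\*\\IPC$","IpAddress":"192.168.1.50","Time":201}
{"EventID":5140,"SubjectUserName":"raj","ShareName":"\\\\*\\guest","IpAddress":"192.168.1.50","Time":202}
{"EventID":5140,"SubjectUserName":"raj","ShareName":"\\\\*\\print$","IpAddress":"192.168.1.50","Time":203}
{"EventID":5140,"SubjectUserName":"raj","ShareName":"\\\\*\\share","IpAddress":"192.168.1.50","Time":204}
{"EventID":4624,"TargetUserName":"raj","LogonType":3,"IpAddress":"192.168.1.60","Time":300}
{"EventID":5140,"SubjectUserName":"raj","ShareName":"\\\\*\\share","IpAddress":"192.168.1.60","Time":301}
""".strip().splitlines()

def parse_events(lines):
    return [json.loads(line) for line in lines if line.strip()]

def _share(ev):
    return ev["ShareName"].rsplit("\\", 1)[-1]   # "\\*\IPC$" -> "IPC$"

def null_session_share_access(events):
    """Source IPs that authenticated as ANONYMOUS LOGON over the network (4624,
    LogonType 3) and then used that identity to open a share (5140). This is what
    rpcclient -U "" -N looks like from the server's point of view."""
    anon_logon, shares = set(), defaultdict(set)
    for ev in events:
        ip = ev.get("IpAddress")
        if (ev["EventID"] == 4624 and ev.get("LogonType") == 3
                and ev.get("TargetUserName") == "ANONYMOUS LOGON"):
            anon_logon.add(ip)
        elif ev["EventID"] == 5140 and ev.get("SubjectUserName") == "ANONYMOUS LOGON":
            shares[ip].add(_share(ev))
    return {ip: sorted(s) for ip, s in shares.items() if ip in anon_logon}

def share_sweep(events, min_shares=3, window=10):
    """Source IPs that opened at least min_shares distinct shares within `window`
    seconds: the footprint of a tool walking every share (smbmap, smb-enum-shares)."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["Time"]):
        if ev["EventID"] == 5140:
            hits[ev["IpAddress"]].append((ev["Time"], _share(ev)))
    flagged = {}
    for ip, seq in hits.items():
        for i, (t0, _) in enumerate(seq):
            names = {s for t, s in seq[i:] if t - t0 <= window}
            if len(names) >= min_shares:
                flagged[ip] = sorted(names)
                break
    return flagged

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("null-session share access:", null_session_share_access(events))
    print("share sweep:", share_sweep(events))
```

Tune min_shares and window to the environment; a backup agent or an administrator's file manager can legitimately touch several shares in quick succession.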

SMB Enumeration: Vulnerability Scanning


We enumerate an SMB server in order to find the weaknesses through which it could be compromised. We
need to enumerate and find possible vulnerabilities that could be used to exploit the server. In order to do
this in an optimised way, we can perform a vulnerability scan. There are multiple tools to perform this kind
of scanning, but here we will be focusing on this NSE script.

smb-vuln NSE Script


Nmap used to have a script named smb-check-vulns. It scanned the target server for various
vulnerabilities, such as:

- conficker
- cve2009-3103
- ms06-025
- ms07-029
- regsvc-dos
- ms08-067

Then the script was divided into single vulnerability checks that could be run individually, such as
smb-vuln-ms08-067. Hence, to run all the SMB vulnerability checks available in the Nmap Scripting Engine,
we use the wildcard smb-vuln* as the script name.

nmap --script smb-vuln* 192.168.1.16

SMB Enumeration: Users


In a Windows environment, each user is assigned a unique identifier called a Security ID, or SID, which is
used to control access to various resources like files, registry keys, network shares, etc. Hence, the SID of
a user shouldn’t be compromised.

smb_lookupsid
The smb_lookupsid module brute-forces SID lookups on a range of targets to determine what local users
exist in the system. Knowing what users exist on a system can greatly speed up any further brute-force
logon attempts later on.

use auxiliary/scanner/smb/smb_lookupsid
set rhosts 192.168.1.17
set smbuser raj
set smbpass 123
exploit

Here, we can see that through enumerating SMB we have extracted two users: raj and aarti.

Impacket: Lookupsid
A Security Identifier (SID) is a unique value of variable length that is used to identify a user account.
Through SID user enumeration, we can extract information about which users exist and their data. The
lookupsid script can enumerate both local and domain users. There is a Metasploit module too for this
attack. If you are planning on injecting a target server with a golden or silver ticket, then one of the things
that is required is the SID of the 500 user. lookupsid.py can be used in that scenario. We provide the
following parameters to lookupsid.py in the format shown below.
Requirements:

- Domain
- Username
- Password/Password Hash
- Target IP Address

python3 lookupsid.py DESKTOP-ATNONJ9/raj:123@192.168.1.17
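Both smb_lookupsid and lookupsid.py work by walking relative identifiers (RIDs) under the domain SID, which is why the built-in Administrator is found at RID 500 whatever it has been renamed to. The helper below is an added example, not code from Impacket, Metasploit or the original document: it encodes and decodes the binary SID layout and labels well-known RIDs in a listing; the domain SID it uses is constructed.

```python
import struct

# Well-known relative identifiers (RIDs) that keep their meaning whatever the
# account is renamed to; 500 is the built-in Administrator referred to above.
WELL_KNOWN_RID = {500: "Administrator (built-in)", 501: "Guest", 502: "krbtgt",
                  512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}

def sid_to_bytes(sid):
    """Encode "S-1-5-21-..." into the binary SID layout used on the wire and in ACLs:
    revision (1 byte), sub-authority count (1 byte), 48-bit big-endian identifier
    authority, then each sub-authority as a little-endian uint32."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15:
        raise ValueError("unsupported SID: %r" % sid)
    out = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return out + b"".join(struct.pack("<I", s) for s in subs)

def bytes_to_sid(data):
    """Decode the binary layout back to its string form, validating the length."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:]) if count else ()
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def split_sid(sid):
    """Return (domain_sid, rid) for an account SID; the RID is the last sub-authority."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def label_rids(domain_sid, rids):
    """Build the full SID for each RID and tag the well-known ones. This is how a
    lookupsid-style listing is read: the name may have been changed, the RID has not."""
    return [(rid, "%s-%d" % (domain_sid, rid), WELL_KNOWN_RID.get(rid, "ordinary account"))
            for rid in rids]

if __name__ == "__main__":
    # Constructed domain SID; the sub-authority values are not from any real system.
    domain = "S-1-5-21-1000000001-2000000002-3000000003"
    for rid, full, tag in label_rids(domain, [500, 501, 1000, 1001]):
        assert bytes_to_sid(sid_to_bytes(full)) == full      # round-trip check
        print("%5d  %-50s %s" % (rid, full, tag))
```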

SMB Enumeration: Enum4Linux


Enum4linux is a tool designed to detect and extract data from, or enumerate, Windows and Linux
operating systems, including SMB hosts that are on a network. Enum4linux can discover the following:

- Domain and group membership
- User listings
- Shares on a device (drives and folders)
- Password policies on a target
- The operating system of a remote target

We start with a normal scan using enum4linux. It extracts the RID range, usernames, workgroup, nbtstat
information, sessions, SID information and OS information.

enum4linux 192.168.1.40

We see that it has also extracted two users based on the SID. These two users are privs and ignite. This
user information was extracted by the enum4linux script through communication over the SMB channels.

Finally, we have the share enumeration, which found the guest share that we enumerated earlier. Then we
see that it tried to enumerate inside the print share and IPC but was restricted. Then we have the
password policy information regarding the users on the system. It reports whether the password was
changed recently or has never been changed. It also tells us the complexity requirements and other details
regarding the users and the operating system of the target system.

Conclusion
In this discussion, we understood the various scripts and tools that can be used to enumerate the
SMB/MSRPC services on a target system. Enumeration is the key step in order to compromise and to
defend your system and network. Be sure to safeguard your SMB service.
