SERVER MESSAGE BLOCKS (SMB)

SMB Overview

  • SMB (Server Message Block) is a client-server protocol for sharing files, printers, and network resources.

  • SMB operates over TCP ports 445 (direct) and 139 (NetBIOS-based).

  • Samba is the Linux/Unix implementation of SMB, compatible with Windows systems.

SMB Versions

SMB Version OS Support Notable Features
CIFS Win NT 4.0 NetBIOS communication
SMB 1.0 Win 2000 TCP support
SMB 2.0 Vista/2008 Message signing, caching
SMB 2.1 Win 7/2008R2 File locking
SMB 3.x 8/2012+ Encryption, multichannel, remote storage

Default Samba Configuration (/etc/samba/smb.conf)

Command:

cat /etc/samba/smb.conf | grep -v "#\|;"

Key Settings:

Dangerous Settings (Often Misconfigured)

  • guest ok = yes

  • read only = no

  • writable = yes

  • create mask = 0777

  • browseable = yes

These settings can lead to full read/write access by unauthenticated users.

Starting Samba

sudo systemctl restart smbd

Enumeration Techniques

Nmap SMB Scan

sudo nmap -sV -sC -p139,445 <target>

Replace “target” with the target IP address.

smbclient - Anonymous Listing

smbclient -N -L //<target>

Replace “target” with the target IP address.

smbclient -N //<target>/sharename

Replace “target” with the target IP address. Also, replace “sharename” with the ssharename on the smbclient server.

get FILENAME

smbstatus - Check Active Connections

smbstatus

rpcclient - Remote Procedure Enumeration

rpcclient -U "" <target>

Replace “target” with the target IP address.

Useful Commands:

  • srvinfo – Server info

  • enumdomains – List domains

  • netshareenumall – List shares

  • netsharegetinfo <share> – Share details

  • enumdomusers – List users

  • queryuser <RID> – User details

RID Brute Forcing (RPC)

for i in $(seq 500 1100); do
 rpcclient -N -U "" <target> -c "queryuser 0x$(printf '%x' $i)" \
 | grep "User Name\|user_rid\|group_rid" && echo "";
done

Replace “target” with the target IP address.

Impaacket: samrdump.py

samrdump.py <target>

Replace “target” with the target IP address.

SMBMap

smbmap -H <target>

Replace “target” with the target IP address.

CrackMapExec

crackmapexec smb <target> --share -u "" -p ""

Replace “target” with the target IP address.

enum4linux-ng

./enum4linux-ng.py <target> -A

Replace “target” with the target IP address.

Pro Tips

  • Use multiple tools for enumeration: each tool may uncover unique information.

  • Manual checks are crucial — tools might miss misconfigurations.

  • Look for null sessions, misconfigured shares, and legacy SMB versions.

Recommendations (Blue Team)

  • Disable SMBv1

  • Enforce strong ACLs and passwords Pro Tips

    • Use multiple tools for enumeration: each tool may uncover unique information.

    • Manual checks are crucial — tools might miss misconfigurations.

    • Look for null sessions, misconfigured shares, and legacy SMB versions.