Introduction SMB

The document provides an overview of the SMB (Server Message Block) protocol, which facilitates file and resource sharing in a local area network and operates over TCP/IP. It details the installation and configuration of SAMBA for SMB implementation, as well as methods for SMB enumeration and vulnerability scanning using various tools. Additionally, it discusses NetBIOS enumeration, its tools, and security measures to mitigate potential attacks.

Introduction SMB: A network file sharing protocol

SMB Protocol

SMB was originally designed at IBM and later adopted and extended by Microsoft for direct file sharing on a local area network.

• The set of message packets that defines one version of the protocol is called an SMB dialect (for example SMB 1.0, SMB 2.1, SMB 3.1.1).
• It is a client-server protocol that is not limited to file sharing: it is also used to share printers, serial ports and other resources available on the local area network.
• SMB runs directly over TCP on the well-known port 445; the older NetBIOS-over-TCP/IP transport uses TCP port 139.
• CIFS (Common Internet File System) is the name of one particular SMB 1.0 dialect. The two terms are often used interchangeably, but CIFS is the old protocol, not the whole family.
• Services layered on SMB include network browsing (the browse list of nearby hosts), printing over a LAN and directory access.

For lower-level transport and name resolution, SMB can use NetBIOS (Network Basic Input/Output System), an API designed by IBM that allows applications on different computers to communicate over a LAN and on which the original SMB implementation was built. NetBIOS over TCP/IP (NBT) consists of three services: the name service on UDP port 137, the datagram service on UDP port 138 and the session service on TCP port 139.

Software Application for Implementation of SMB Protocol:

Samba is open-source software that runs on UNIX-like systems and speaks SMB/CIFS, so it can serve Windows clients (and talk to Windows servers) over the same protocol. In general words, a Samba server allows resource sharing between systems running a Microsoft OS and systems running UNIX/Linux.

SAMBA INSTALLATION / CONFIGURATION

On Terminal:
sudo apt update
sudo apt install samba

Now check the location of the installed files:

whereis samba

Now create the directory to share, in your home directory:

Example:
mkdir ~/sambashare

Now configure Samba. Add the share definition below to /etc/samba/[Link] (the Samba configuration file):

[sambashare]
path = (Directory Path)
read only = no
browsable = yes

Caveat: this minimal share has no "valid users" line, so every account Samba accepts (and, if guest access is enabled in the [global] section, anonymous users) can write to it. For anything beyond a lab, restrict it with "valid users = <account>" and "guest ok = no", create a Samba password for that account with smbpasswd -a, and check the syntax of the whole file with testparm before restarting.

Restart the smbd daemon so the new share is loaded:

sudo systemctl restart smbd

(on systems without systemd: sudo service smbd restart)
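The weak settings named in the caveat above can be checked mechanically. The script below is an added example, not code from the original page or from the Samba project: it parses smb.conf syntax with Python's configparser, folds parameter names the way Samba does (case and whitespace are ignored, so "read only" and "readonly" are the same option), and reports each weak setting next to the hardened value. The two configurations at the bottom are constructed samples, not real files; the share stanza is the one from this page, first with guest access and SMB1 enabled, then hardened.

```python
"""Audit Samba share definitions for the settings an attacker hopes to find.

Added example: not code from the original page or from the Samba project.
"""
import configparser

# Samba synonyms, folded to one canonical (whitespace-stripped) name.
SYNONYMS = {"writeable": "writable", "public": "guestok", "allowhosts": "hostsallow"}
SMB1_DIALECTS = {"nt1", "lanman1", "lanman2", "core", "coreplus"}


def parse_smb_conf(text):
    """Return {section: {param: value}} with Samba-style normalised names."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    # Samba ignores case and whitespace inside parameter names.
    cp.optionxform = lambda name: name.replace(" ", "").replace("\t", "").lower()
    # Samba also ignores leading whitespace, which configparser would otherwise
    # treat as a continuation line, so strip it before parsing.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    conf = {}
    for section in cp.sections():
        params = {}
        for key, value in cp.items(section):
            params[SYNONYMS.get(key, key)] = (value or "").strip().lower()
        conf[section.lower()] = params
    return conf


def is_yes(value):
    return value in ("yes", "true", "1")


def audit(conf):
    """Return a list of findings; an empty list means nothing weak was seen."""
    findings = []
    g = conf.get("global", {})
    min_proto = g.get("serverminprotocol")
    if min_proto is None:
        findings.append("global: 'server min protocol' unset; Samba before 4.11 "
                        "defaulted to NT1 (SMB1), so set 'server min protocol = SMB2_02'")
    elif min_proto in SMB1_DIALECTS:
        findings.append(f"global: server min protocol = {min_proto} allows SMB1; "
                        "set 'server min protocol = SMB2_02' or higher")
    if g.get("serversigning") not in ("required", "mandatory"):
        findings.append("global: SMB signing not required (NTLM relay); "
                        "set 'server signing = required'")
    for name, p in conf.items():
        if name in ("global", "printers", "print$"):
            continue
        # Samba defaults: read only = yes, writable = no, guest ok = no.
        writable = is_yes(p.get("writable", "no")) or not is_yes(p.get("readonly", "yes"))
        guest = is_yes(p.get("guestok", "no"))
        if guest and writable:
            findings.append(f"[{name}]: guest ok + writable; anonymous users can write: "
                            "set 'guest ok = no' and 'valid users = <accounts>'")
        elif guest:
            findings.append(f"[{name}]: guest ok = yes; anonymous read access: set 'guest ok = no'")
        if writable and "validusers" not in p:
            findings.append(f"[{name}]: writable with no 'valid users'; "
                            "restrict to the accounts that need it")
        if "hostsallow" not in p and "hostsallow" not in g:
            findings.append(f"[{name}]: no 'hosts allow'; limit the share to the subnet that needs it")
    return findings


# Constructed sample: the page's share plus guest access and SMB1 enabled.
WEAK_CONF = """
[global]
   workgroup = WORKGROUP
   server min protocol = NT1
   map to guest = Bad User

[sambashare]
   path = /home/user/sambashare
   read only = no
   browsable = yes
   guest ok = yes
"""

# Constructed sample: the same share, hardened.
HARDENED_CONF = """
[global]
   workgroup = WORKGROUP
   server min protocol = SMB2_02
   server signing = required
   hosts allow = 192.168.56.0/24

[sambashare]
   path = /home/user/sambashare
   read only = no
   browsable = yes
   guest ok = no
   valid users = alice
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for finding in audit(parse_smb_conf(text)) or ["no findings"]:
            print(" -", finding)
```

Run it against a real file with parse_smb_conf(open("/etc/samba/smb.conf").read()); the "server min protocol" check deliberately flags an unset value rather than guessing the installed Samba version's default, because the version decides whether SMB1 is on.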

NFS: Network File System

More specific to the Linux/UNIX environment, NFS is an application-layer protocol that lets a client mount a directory exported by a server as if it were local. It is the usual file-sharing solution where both ends are UNIX-like, while SMB is the usual choice where Windows clients are involved; many environments run both.
Some ways in which NFS is used:

• Migrating applications from one operating system to another by storing the data on an export that both systems can mount.
• Providing shared storage, such as home directories or application data, exported by one server to many Linux/UNIX clients.

SMB Enumeration

SMB (Server Message Block) is a client-server communication protocol used for sharing access to files, devices, serial ports and other resources on a network. SMB enumeration is a multi-step process in which we query the host or target system for information such as its hostname, the shares it offers, whether it accepts a null (anonymous) session, the users it knows about and the vulnerabilities it may have.
SMB Enumeration Stages:

• Hostname enumeration
• Share listing
• Null session check
• User listing
• Vulnerability scanning
• Overall scanning
SMB Enumeration for Hostname

There are plenty of tools that can enumerate the hostname; to demonstrate, we use nmblookup and nbtscan. Both send a NetBIOS node status request (UDP port 137) to the target, which answers with its NetBIOS name table: the host name, its workgroup or domain and the services it has registered. nmblookup can also resolve NetBIOS names to IP addresses and vice versa.

1. nmblookup:
$ nmblookup -A <Target IP>
Here, you can see that we have enumerated the hostname as CAJA.

2. nbtscan:
$ nbtscan <Target IP>

Here, you can see that nbtscan also enumerated the hostname as CAJA, the same as the nmblookup scan above. nbtscan also accepts a whole range in CIDR notation, which makes it the quicker tool for a subnet.
SMB Enumeration for Shares and Null Session:

In this part we enumerate the shares of the host or target system. A null session is an SMB session set up with an empty username and password; if the server accepts one, everything below works without credentials, which is itself a finding worth reporting. We can perform this enumeration with many tools; here we use smbmap, smbclient, Nmap and Metasploit.

1. smbmap: smbmap enumerates the shares on an IP address and lists the permissions (READ, WRITE, NO ACCESS) the current identity has on each. Run without credentials, it tests the null session:
$ smbmap -H <target IP>

To list what a specific user can reach, supply credentials:
$ smbmap -H <target IP> -u username -p password

2. smbclient: the Samba client; useful to test connectivity to Windows shares. The -N flag suppresses the password prompt, i.e. it attempts a null session:

$ smbclient -L <target IP> -N

3. Nmap: Nmap provides the smb-enum-shares NSE script, which enumerates shares (anonymously by default; pass the smbusername and smbpassword script arguments to use credentials):
$ nmap --script smb-enum-shares -p 139,445 <Target IP>

Here is the result: as you can see, we did not find any SMB share detail.

4. Metasploit: the smb_enumshares auxiliary module enumerates any SMB shares present on the server. Leave SMBUser and SMBPass unset to try a null session.
msf6 > use auxiliary/scanner/smb/smb_enumshares
msf6 auxiliary(scanner/smb/smb_enumshares) > set RHOSTS <target IP>
msf6 auxiliary(scanner/smb/smb_enumshares) > set SMBUser <username>
msf6 auxiliary(scanner/smb/smb_enumshares) > set SMBPass <password>
msf6 auxiliary(scanner/smb/smb_enumshares) > run
SMB Enumeration for Vulnerability Scanning:

In this stage we use Nmap's scripts to scan for vulnerabilities that could be present on the server. Other tools can be used for this stage, but here we look at Nmap's NSE scripts.

Nmap's smb-vuln NSE scripts:

Nmap has a wide range of scripts for different purposes. The older smb-check-vulns script bundled several checks in one, for example:

• cve2009-3103 (SMBv2 negotiate denial of service)
• regsvc-dos (Windows 2000 regsvc denial of service)
• ms06-025 (RRAS)

It has since been split into one script per issue, named smb-vuln-*, so the wildcard below runs all of them, including smb-vuln-ms08-067 and smb-vuln-ms17-010, the checks most often worth running first. Quote the wildcard so the shell does not expand it. Many of these checks need the target to still speak SMB1, and the -dos ones can crash the target, so read each script's description before running it against production systems.
$ sudo nmap --script 'smb-vuln*' -p 139,445 <Target IP>

Example:

Result: we scanned the target with these scripts and, as the scan output shows, no vulnerability was found.
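Before any of the smb-vuln-* checks run, the scanner and the server negotiate a dialect, and that one exchange already tells a practitioner two things: which SMB version the server will speak, and whether it insists on message signing. The script below is an added example, not code from the original page or from the Nmap project; it builds an SMB2 NEGOTIATE request (MS-SMB2 2.2.3), parses the response (MS-SMB2 2.2.4) and prints the same facts that Nmap's smb-protocols and smb2-security-mode scripts report. The reply embedded in it is constructed, not captured, so the parser runs offline; pass a host name or IP as the first argument to query a live server, which assumes TCP/445 is reachable.

```python
"""SMB2 NEGOTIATE: the exchange behind a dialect / signing check.

Added example, not code from the original page or from the Nmap project.
"""
import socket
import struct
import sys
import uuid

DIALECT_NAMES = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
                 0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}
# SMB 3.1.1 (0x0311) is deliberately not offered: offering it obliges the client
# to send negotiate contexts, which this minimal request does not build.
OFFERED = (0x0202, 0x0210, 0x0300, 0x0302)
SIGNING_ENABLED, SIGNING_REQUIRED = 0x0001, 0x0002
NEGOTIATE = 0x0000
FLAG_SERVER_TO_REDIR = 0x00000001


def smb2_header(command, flags=0, message_id=0):
    """64-byte SMB2 packet header (MS-SMB2 2.2.1), little-endian."""
    return struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, command, 0,
                       flags, 0, message_id, 0, 0, 0, b"\x00" * 16)


def build_negotiate(dialects=OFFERED, require_signing=False):
    """Direct-TCP length prefix + SMB2 header + NEGOTIATE request body."""
    mode = SIGNING_ENABLED | (SIGNING_REQUIRED if require_signing else 0)
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), mode, 0, 0,
                       uuid.uuid4().bytes, 0)
    body += b"".join(struct.pack("<H", d) for d in dialects)
    msg = smb2_header(NEGOTIATE) + body
    return struct.pack(">I", len(msg)) + msg   # 4-byte NetBIOS session header


def parse_negotiate_response(data):
    """Return (dialect, signing_required, signing_enabled) from an SMB2 reply."""
    if data[:4] == b"\xffSMB":
        raise ValueError("SMB1 reply: the server answered with the NT LM 0.12 dialect")
    if data[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    status = struct.unpack_from("<I", data, 8)[0]
    command = struct.unpack_from("<H", data, 12)[0]
    flags = struct.unpack_from("<I", data, 16)[0]
    if command != NEGOTIATE or not flags & FLAG_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    if status != 0:
        raise ValueError("server returned NTSTATUS %#010x" % status)
    struct_size, mode, dialect = struct.unpack_from("<HHH", data, 64)
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize %d" % struct_size)
    return dialect, bool(mode & SIGNING_REQUIRED), bool(mode & SIGNING_ENABLED)


def assess(dialect, signing_required, signing_enabled):
    """Findings a scanner would print for this negotiate result."""
    findings = []
    if not signing_required:
        findings.append("SMB signing not required: NTLM relay possible")
    if dialect < 0x0300:
        findings.append("negotiated %s: no SMB encryption available below 3.0"
                        % DIALECT_NAMES.get(dialect, hex(dialect)))
    return findings


def build_sample_response(dialect=0x0210, mode=SIGNING_ENABLED):
    """Constructed reply (not a capture): by default a server choosing SMB 2.1
    with signing enabled but not required, the common weak state."""
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, mode, dialect, 0,
                       uuid.UUID(int=0).bytes, 0, 8388608, 8388608, 8388608,
                       0, 0, 128, 0, 0)
    return smb2_header(NEGOTIATE, flags=FLAG_SERVER_TO_REDIR) + body + b"\x00"


def negotiate(host, port=445, timeout=3.0):
    """Send one NEGOTIATE to a live server and parse its reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate())
        length = struct.unpack(">I", s.recv(4))[0] & 0x00FFFFFF
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return parse_negotiate_response(data)


if __name__ == "__main__":
    result = (negotiate(sys.argv[1]) if len(sys.argv) > 1
              else parse_negotiate_response(build_sample_response()))
    dialect, required, enabled = result
    print("dialect:", DIALECT_NAMES.get(dialect, hex(dialect)),
          "| signing enabled:", enabled, "| signing required:", required)
    for finding in assess(*result):
        print("!!", finding)
```

A server that answers with the SMB1 marker (0xFF 'S' 'M' 'B') instead of the SMB2 one is the case the smb-vuln-* scripts care about; the parser raises on it deliberately so that the fallback is reported rather than silently misread.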
SMB Enumeration with enum4linux:

enum4linux wraps the Samba command-line tools (nmblookup, smbclient, rpcclient and net) and can detect and fetch data from both Windows and Linux (Samba) SMB hosts on the network. -U lists users, -S lists shares, -P shows the password policy and -a runs every check.
$ enum4linux -U <target IP>

What is NetBIOS Enumeration?

NetBIOS is an acronym that stands for Network Basic Input Output System. It enables computer communication over a LAN and the sharing of files and printers. On Windows networks, hosts are identified by NetBIOS names. A NetBIOS name must be unique on the network and is 16 bytes long: 15 characters for the device name (padded with spaces) and a 16th byte, the suffix, identifying the type of service or name record type (for example <00> for the workstation service, <20> for the file server service and <1C> for the group of domain controllers).
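The name table that nmblookup -A and nbtscan print (hostname enumeration section above) is the answer to one UDP datagram, and the 16th-byte suffix just described is what turns each entry into a meaningful fact. The script below is an added example, not code from the original page or from the Samba or nbtscan projects: it builds the node-status (NBSTAT) request for the wildcard name "*" (RFC 1002 4.2.17), decodes the reply's name table and labels each suffix. The reply embedded in it for a host named CAJA is constructed, not captured, so the decoder runs offline; pass a target IP as the first argument to query a live host, which assumes UDP/137 is reachable.

```python
"""NetBIOS node-status query: what nmblookup -A and nbtscan put on the wire.

Added example, not code from the original page or from the Samba/nbtscan projects.
"""
import socket
import struct
import sys

NBSTAT = 0x0021      # question / RR type: node status
NBNS_PORT = 137
GROUP_FLAG = 0x8000  # name flags: group (1) vs unique (0) name

# Suffixes worth recognising; the same byte means different things for
# unique and group names.
SUFFIX = {
    (0x00, False): "workstation service (host name)",
    (0x00, True): "workgroup / domain name",
    (0x01, True): "master browser (__MSBROWSE__)",
    (0x03, False): "messenger service",
    (0x1B, False): "domain master browser (PDC)",
    (0x1C, True): "domain controllers",
    (0x1D, False): "master browser",
    (0x1E, True): "browser service elections",
    (0x20, False): "file server service (offers SMB shares)",
}


def encode_name(name, suffix=0x00):
    """First-level encoding (RFC 1001 14.1): 16 bytes -> 32 letters A..P."""
    pad = b"\x00" if name == "*" else b" "   # the wildcard is NUL-padded
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    return b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)


def build_nbstat_request(txid=0x1337):
    """Flags 0, one question: '*' with QTYPE NBSTAT, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = b"\x20" + encode_name("*") + b"\x00" + struct.pack("!HH", NBSTAT, 1)
    return header + question


def parse_nbstat_reply(data):
    """Return ([(name, suffix, is_group), ...], mac) from a node-status reply."""
    _, flags, _, ancount = struct.unpack_from("!HHHH", data, 0)
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a node-status response")
    pos = 12 + 34                      # header + answer name (1 + 32 + 1 bytes)
    rtype, _, _, _ = struct.unpack_from("!HHIH", data, pos)
    pos += 10
    if rtype != NBSTAT:
        raise ValueError("unexpected RR type %#06x" % rtype)
    num_names, pos = data[pos], pos + 1
    names = []
    for _ in range(num_names):
        raw, suffix, nflags = struct.unpack_from("!15sBH", data, pos)
        pos += 18
        names.append((raw.rstrip(b" \x00").decode("ascii", "replace"),
                      suffix, bool(nflags & GROUP_FLAG)))
    mac = ":".join("%02x" % b for b in data[pos:pos + 6])   # statistics: unit ID
    return names, mac


def hostname_from(names):
    """The host name is the unique <00> entry, which is what nbtscan prints."""
    return next((n for n, s, g in names if s == 0x00 and not g), None)


def describe(names):
    return ["%-15s <%02X> %-6s %s" % (n, s, "GROUP" if g else "UNIQUE",
                                      SUFFIX.get((s, g), "other"))
            for n, s, g in names]


def build_sample_reply(txid=0x1337):
    """Constructed reply (not a capture): host CAJA in WORKGROUP, file service up."""
    entries = [(b"CAJA", 0x00, 0x0400), (b"CAJA", 0x20, 0x0400),
               (b"WORKGROUP", 0x00, 0x8400), (b"WORKGROUP", 0x1E, 0x8400)]
    rdata = bytes([len(entries)])
    for raw, suffix, nflags in entries:
        rdata += struct.pack("!15sBH", raw.ljust(15, b" "), suffix, nflags)
    rdata += bytes.fromhex("000c29aabbcc") + b"\x00" * 40   # unit ID (MAC) + statistics
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rr = b"\x20" + encode_name("*") + b"\x00" + struct.pack("!HHIH", NBSTAT, 1, 0, len(rdata))
    return header + rr + rdata


def query(target, timeout=2.0):
    """Send one node-status request to a live host and decode the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_request(), (target, NBNS_PORT))
        data, _ = s.recvfrom(4096)
    return parse_nbstat_reply(data)


if __name__ == "__main__":
    names, mac = query(sys.argv[1]) if len(sys.argv) > 1 else parse_nbstat_reply(build_sample_reply())
    print("\n".join(describe(names)))
    print("MAC:", mac, "| host name:", hostname_from(names))
```

The request is unauthenticated and the reply is larger than the query, which is the property behind the amplification attack mentioned in the protection section: the same 50-byte datagram, sent with a spoofed source, makes the host answer someone else.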
Uses of NetBIOS Enumeration:

An attacker who discovers a Windows host with port 139 open can investigate what resources are accessible or viewable on the remote system. To enumerate the NetBIOS names, the remote system must have file and printer sharing enabled. Depending on the shares available, NetBIOS enumeration may allow an attacker to read from or write to the remote computer, or to launch a denial of service (DoS).
NetBIOS Enumeration Tools:

NetBIOS enumeration tools explore and scan the network for security loopholes or flaws in networked systems within a given range of IP addresses or a list of computers. In addition, these tools list the operating system, users, password policies, groups, service packs and hotfixes, services, NetBIOS shares, disks, transports, sessions, SIDs and security event logs.
Nbtstat:

nbtstat is the Windows utility for obtaining protocol statistics, the NetBIOS name table, name cache information and current TCP/IP connections over NBT (NetBIOS over TCP/IP); it assists in resolving NetBIOS name resolution issues. It is not the same tool as netstat, which reports TCP/UDP sockets; the two are often confused.

nbtstat parameters and their respective functions:

-a RemoteName   Displays the NetBIOS name table of a remote computer, where RemoteName is the remote computer's NetBIOS computer name.
-A IPAddress    Displays the NetBIOS name table of a remote computer, as specified by the remote computer's IP address (in dotted decimal notation).
-c              Lists the contents of the NetBIOS name cache: the table of NetBIOS names and their resolved IP addresses.
-n              Displays the names that NetBIOS applications, such as the server and redirector, have registered locally.
-r              Displays the total number of names resolved by broadcast or by a WINS server.
-R              Purges the name cache and reloads the #PRE entries from LMHOSTS.
-RR             Releases all names and re-registers them with the WINS name server.
-s              Lists the NetBIOS sessions table, with destination IP addresses converted to NetBIOS computer names.
-S              Lists the current NetBIOS sessions, along with their status and IP addresses.
Interval        Redisplays the selected statistics, pausing Interval seconds between each display.

Examples:

1. To display the NetBIOS name table of a remote computer (the Windows equivalent of nmblookup -A):

nbtstat -a <RemoteName>
nbtstat -A <IPAddress>

2. To see IPv4/IPv6 multicast group memberships (this and the next example are options of the Linux netstat utility, not of nbtstat):

netstat -g

3. To display the kernel interface table:

netstat -i
Hyena:

Hyena is a tool for managing and securing Windows operating systems. For all operations it employs a Windows Explorer-style interface. Users, groups (both local and global), shares, domains, computers, services, devices, events, files, printers, print jobs, sessions, open files, disk space, user rights, messaging, exporting, job scheduling, processes and printing are all supported. It displays the shares of Windows servers and domain controllers and user logon names.
It shows a graphical representation of Microsoft Terminal Services, Windows Network, Web Client Network and so on.
Features:

1. Active Task matching options: for Active Directory update tasks, a key match option has been added to Active Task. When updating directory objects, the new key option allows any unique directory attribute to be used as the "match" field.
2. Group Member Matrix: shows in a single grid all members of multiple groups, including direct, indirect (nested) and primary membership.
3. Active Editor enhancements: the new Hyena release includes Editor enhancements such as account expiration date, support for multivalued attributes, and multi-selection and update capabilities.
PsExec:

PsExec is a lightweight telnet replacement that can execute processes on other systems, complete with full interactivity for console applications, without the need to install client software manually. Its most powerful uses include launching interactive command prompts on remote systems and remote-enabling tools such as ipconfig that would otherwise be unable to display information about remote systems. It works over SMB: it copies a service binary to the target's ADMIN$ share and starts it through the service control manager, which is why PsExec traffic and the PSEXESVC service are common detection targets.
PsFile:

PsFile is a command-line utility that displays a list of files that have been opened remotely on a system and can close open files by name or file identifier. By default PsFile lists the files on the local system that have been opened by remote systems. Typing the command followed by "-" displays information on its syntax.
PsGetSid:

PsGetSid translates SIDs to display names and vice versa. It works with built-in accounts, domain accounts and local accounts. It can display the SID of a computer or user account and translate a SID into its corresponding name, and it can query SIDs remotely across the network.
PsKill:

PsKill is a kill utility that can end processes locally and on remote systems. Run with a process ID, it kills the process with that ID on the local computer. Given a process name, it kills all processes with that name. PsKill does not require a client to be installed on the targeted device to terminate a remote process.
SuperScan:

SuperScan is a free graphical tool for port scanning and enumerating Windows machines, built by Foundstone, which was later acquired by McAfee. The tool is no longer available for download from the McAfee website.
NET VIEW:

NET VIEW is a command-line tool for locating shared network resources. The NET VIEW command depends on NetBIOS (the computer browser service): when NetBIOS is disabled, most modern networks return an incomplete list of nearby computers, or none at all. Usage:

1. net view \\<computername>, where <computername> is the name of the computer whose shared resources you wish to view.
2. net view /domain:<workgroupname>, where <workgroupname> is the name of the workgroup or domain whose computers you want to list (workgroups are given with the /domain switch; there is no separate /workgroup switch).
NetBIOS Protection Ways:

The NetBIOS name service answers unauthenticated UDP queries with a reply larger than the query, so a Windows host (a VPS, for example) that exposes it to the Internet can be used as a reflector in an amplification DDoS attack. The following security controls prevent NetBIOS enumeration attacks:

• Reduce the attack surface by removing unnecessary services such as Server Message Block (SMB) where they are not needed.
• On Windows, disable file and printer sharing, and disable NetBIOS over TCP/IP on interfaces that do not need it.
• Block UDP ports 137 and 138 and TCP ports 139 and 445 at the network perimeter, and on host firewalls for hosts that do not serve files.
• Where SMB must stay, disable SMB1, require SMB signing and disallow anonymous (null session) enumeration of shares and accounts.
