SMB
Server Message Block is a protocol for providing shared access to files, printers and serial ports across a network.
It is used heavily on Windows networks.
SMB vs CIFS vs Samba
You may also know SMB by one of the other common names: CIFS and Samba. While these are technically three different things, many people use the terms interchangeably to describe the same network file system protocol. Why? That’s a long story involving IBM, Microsoft, Linux, and about 35 years of history. All you need to know is that at Microsoft we use the term SMB (Server Message Block).
But if you must know, the simplified version goes something like this: SMB is the protocol, CIFS is an old dialect of SMB, and Samba is the Linux/Unix-like implementation of the SMB protocol. People and companies get familiar with one of those terms and stick to it, which has made the three names interchangeable outside of technical documentation.
Version 1 on Linux
SMB version 1 is no longer considered secure. It does not support encryption and was exploited in both the WannaCry and NotPetya attacks. Recent versions of Samba (the Linux implementation of SMB) by default don’t allow you to connect to or host a version 1 SMB share.
$ smbclient -m=nt1 //127.0.0.1/public
lp_load_ex: Max protocol NT1 is less than min protocol SMB2_02.
protocol negotiation failed: NT_STATUS_INVALID_PARAMETER_MIX
However, when testing implementations, it can be helpful to connect, providing you know what you’re doing.
To change this, you’ll need to edit the /etc/samba/smb.conf file. Under the [global] section, add the line
client min protocol = nt1
As you can see, smbclient then allows you to connect:
$ smbclient -m=nt1 //127.0.0.1/public
Enter MYGROUP\jonathan's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Dec 30 22:59:28 2020
.. D 0 Wed Dec 30 23:03:35 2020
test N 15 Wed Dec 30 22:59:28 2020
490675452 blocks of size 1024. 41096948 blocks available
If you need to host a version 1 server, you can add the line
server min protocol = nt1
However, it is probably better to do this with Docker.
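As an added example (not from the original notes), the following Python script sends a raw SMB1 NEGOTIATE that offers only the NT1 dialect, which is what smbclient -m=nt1 does, and reports whether the server accepted it. This lets you verify that the min protocol settings above really refuse SMB1, or find hosts that still speak it. The packet layout follows MS-CIFS; the default target address and the result labels are assumptions.

```python
import socket
import struct
import sys

# Offering only "NT LM 0.12" (the NT1 dialect) and no "SMB 2.???" entry leaves
# the server two choices: accept SMB1 or refuse the connection.
SMB1_DIALECTS = [b"NT LM 0.12"]

def build_smb1_negotiate(dialects=SMB1_DIALECTS):
    """Build a NetBIOS-framed SMB_COM_NEGOTIATE (0x72) request (MS-CIFS layout)."""
    header = (
        b"\xffSMB"                      # SMB1 protocol identifier
        + b"\x72"                       # SMB_COM_NEGOTIATE
        + b"\x00\x00\x00\x00"           # NT status
        + b"\x18"                       # Flags: case-insensitive, canonical paths
        + struct.pack("<H", 0xC853)     # Flags2: unicode, NT status, ext. security
        + b"\x00" * 12                  # PIDHigh, SecurityFeatures, Reserved
        + struct.pack("<HHHH", 0, 0xFFFF, 0, 0)  # TID, PIDLow, UID, MID
    )
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)  # dialect strings
    body = b"\x00" + struct.pack("<H", len(data)) + data      # WordCount=0, ByteCount
    msg = header + body
    return struct.pack(">I", len(msg)) + msg                  # NetBIOS session header

def classify_negotiate_response(packet):
    """Return 'smb1', 'smb2' or 'refused' for a raw negotiate response."""
    body = packet[4:]                                  # strip NetBIOS header
    if body[:4] == b"\xfeSMB":                         # server answered in SMB2
        return "smb2"
    if body[:4] == b"\xffSMB" and len(body) >= 35:
        dialect_index = struct.unpack_from("<H", body, 33)[0]  # first parameter word
        if body[32] != 0 and dialect_index != 0xFFFF:          # 0xFFFF: no dialect accepted
            return "smb1"
    return "refused"

def probe_smb1(host, port=445, timeout=5.0):
    """Connect to host:port, send the SMB1 negotiate and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_smb1_negotiate())
            reply = s.recv(4096)        # a negotiate response is far smaller than this
    except ConnectionError:             # reset on receipt: SMB1 not accepted either
        return "refused"
    return classify_negotiate_response(reply)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed default
    print(target, "->", probe_smb1(target))
```

Run it against the Docker share below with and without the -S flag to see the result flip between smb1 and refused.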
Getting password policy
It is always useful to try to get this before you start brute-forcing passwords.
crackmapexec smb <ip> --pass-pol
If that fails, try with null authentication
crackmapexec smb <ip> --pass-pol -u '' -p ''
This will sometimes work if the system has been upgraded from an old version of Windows (Server 2003 or earlier, I think?).
Brute force passwords
crackmapexec smb <ip> -u <username or usernameList.txt> -p <password or passwordList.txt>
Listing shares
smbclient -L <ip>
# or
smbmap -H <ip>
With these tools, you will sometimes get more information if you try to connect with incorrect credentials rather than no credentials. I think this is because it causes an anonymous login rather than a null login, although I would like to clarify that.
Hosting a share with Docker
Hosting an SMB share can be a convenient way to get information on and off other systems.
If this is going to be a temporary share, I suggest setting it up with Docker. This way it can easily be removed without the rigmarole of configuring Samba (which can be a headache).
sudo docker run -it -p 139:139 -p 445:445 -v $PWD/Share:/share -d dperson/samba -p \
-u "jonathan;password" \
-s "public;/share" \
-S
This will expose the folder Share in your current working directory under the share name public.
The -S flag allows clients to connect using SMB version 1.
For full documentation about the options available, see the container’s official documentation.
Common Credentials
Username(s) | Common passwords |
---|---|
(blank) | (blank) |
guest | (blank) |
Administrator, admin | (blank), password, administrator, admin |
arcserve | arcserve, backup |
tivoli, tmersrvd | tivoli, tmersrvd, admin |
backupexec, backup | backupexec, backup, arcada |
test, lab, demo | password, test, lab, demo |
Common Windows shares
- C$
- D$
- ADMIN$
- IPC$
- PRINT$
- FAX$
- SYSVOL
- NETLOGON