# SMB

## What is SMB?

Server Message Block (SMB) is a common protocol for file sharing and inter-process communication on Windows and compatible systems. SMB has had many security issues in the past, and older versions (especially SMBv1) are insecure. Modern Windows improves SMB, but many networks still support legacy features like NetBIOS. Treat results from scans as leads, not absolute truth.

***

### Key points

* **Ports**
  * SMB (direct over TCP): **445**
  * NetBIOS session: **139**
  * NetBIOS name service: **UDP 137**
* **NetBIOS vs SMB**
  * NetBIOS is a separate session-layer service used historically for name and session services.
  * NetBIOS over TCP (NBT) allows older SMB implementations to work over TCP/IP.
  * SMB can run without NetBIOS, but both are often enabled together for backward compatibility.
* **SMB versions**
  * SMBv1 is old and insecure; many systems disable it today. If SMBv1 is enabled, additional enumeration techniques may work.

***

## SMB Enumeration

### Linux

#### Using Nmap

* Find hosts with SMB/NetBIOS

```bash
nmap -v -p 139,445 192.168.5.0-254
```

```
PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
MAC Address: FE:E4:85:42:95:DD (Unknown)

Nmap scan report for 192.168.5.58
Host is up (0.032s latency).

PORT    STATE  SERVICE
139/tcp closed netbios-ssn
445/tcp open   microsoft-ds
MAC Address: 3A:09:F5:A5:42:A8 (Unknown)

Nmap scan report for 192.168.5.60
Host is up (0.045s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: AC:50:DE:D2:D8:71 (Cloud Network Technology Singapore PTE.)

Nmap scan report for 192.168.5.65
Host is up (0.011s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:15:5D:05:80:A2 (Microsoft)

Nmap scan report for 192.168.5.67
Host is up (0.011s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: CC:28:AA:CE:81:2A (ASUSTek Computer)
```

* Using scripts for more enumeration

```bash
ls -1 /usr/share/nmap/scripts/smb*
```

```
/usr/share/nmap/scripts/smb2-capabilities.nse
/usr/share/nmap/scripts/smb2-security-mode.nse
/usr/share/nmap/scripts/smb2-time.nse
/usr/share/nmap/scripts/smb2-vuln-uptime.nse
/usr/share/nmap/scripts/smb-brute.nse
/usr/share/nmap/scripts/smb-double-pulsar-backdoor.nse
/usr/share/nmap/scripts/smb-enum-domains.nse
/usr/share/nmap/scripts/smb-enum-groups.nse
/usr/share/nmap/scripts/smb-enum-processes.nse
/usr/share/nmap/scripts/smb-enum-services.nse
/usr/share/nmap/scripts/smb-enum-sessions.nse
/usr/share/nmap/scripts/smb-enum-shares.nse
/usr/share/nmap/scripts/smb-enum-users.nse
/usr/share/nmap/scripts/smb-flood.nse
/usr/share/nmap/scripts/smb-ls.nse
/usr/share/nmap/scripts/smb-mbenum.nse
/usr/share/nmap/scripts/smb-os-discovery.nse
/usr/share/nmap/scripts/smb-print-text.nse
/usr/share/nmap/scripts/smb-protocols.nse
/usr/share/nmap/scripts/smb-psexec.nse
# ... and more
```

You can run any of those scripts with `--script=` (this works the same way for every other NSE script):

```bash
sudo nmap -p 139,445 --script=smb2-security-mode 192.168.5.1
```

```
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:15:5D:05:80:A0 (Microsoft)

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
```

{% hint style="success" %}
You will see this later: `Message signing enabled and required` indicates, most of the time, that the host is a domain controller; check [ad-architecture](https://reaper.gitbook.io/my-penetration-test-guide/active-directory/active-directory-overview/ad-architecture "mention") for more.
{% endhint %}

{% hint style="warning" %}
**SMBv1 checks:** Some discovery techniques only work if SMBv1 is enabled.
{% endhint %}
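As an added example (not code from the original page), the following Python parses normal-format nmap output like the listing above and flags hosts with 445 open whose SMB signing is not required: a hardening finding to remediate, and a lead to verify by hand. The sample text and its addresses are constructed for the example.

```python
import re

# Constructed sample in the layout of nmap normal output for
# `nmap -p 139,445 --script=smb2-security-mode`; the addresses are made up.
SAMPLE_NMAP = """\
Nmap scan report for 192.0.2.10
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
Nmap scan report for 192.0.2.11
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
Nmap scan report for 192.0.2.12
445/tcp filtered microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+(\w+)")
SIGN_RE = re.compile(r"Message signing (.+)$")


def parse_nmap(text):
    """Map each scanned IP to its open TCP ports and the smb2-security-mode verdict."""
    hosts, cur = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:  # a new "Nmap scan report" block starts; later lines belong to it
            cur = hosts.setdefault(m.group(1), {"open": [], "signing": None})
            continue
        if cur is None:
            continue
        m = PORT_RE.match(line)
        if m and m.group(2) == "open":
            cur["open"].append(int(m.group(1)))
        m = SIGN_RE.search(line)
        if m:
            cur["signing"] = m.group(1).strip()
    return hosts


def smb_signing_findings(hosts):
    """IPs with 445 open whose verdict is not 'enabled and required'; hosts where
    the script printed nothing (signing=None) are kept so they get checked by hand."""
    return sorted(ip for ip, h in hosts.items()
                  if 445 in h["open"] and h["signing"] != "enabled and required")
```

Feed it real output with `nmap -oN scan.txt ...` and `parse_nmap(open("scan.txt").read())`; hosts that are filtered or closed on 445 are skipped rather than reported.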

#### Using "nbtscan"

* Collecting NetBIOS names (works only if UDP/137 is open)

```bash
sudo nbtscan -r 192.168.5.0/24
```

```
IP address       NetBIOS Name     Server    User             MAC address      
------------------------------------------------------------------------------
192.168.5.65     DESKTOP-6UTJNBG  <server>  <unknown>        00:15:5d:05:80:a2
192.168.5.67     DIGITAL-BANKING  <server>  <unknown>        cc:28:aa:ce:81:2a
192.168.5.76     DEV-PC99         <server>  <unknown>        d8:cb:8a:44:64:cf
192.168.5.88     DESKTOP-0OMGKUK  <server>  <unknown>        00:15:5d:05:5a:16
192.168.5.90     INFINITY-SERVER  <server>  <unknown>        10:ff:e0:f2:63:91
192.168.5.118    TIME-ATTENDANCE  <server>  <unknown>        00:15:5d:05:80:8c
192.168.5.120    INSTALLPC1       <server>  <unknown>        44:39:c4:95:ad:24
192.168.5.58     MAC-920035       <server>  <unknown>        3a:09:f5:a5:42:a8
```

### Windows

#### Using 'net view' command

From a Windows machine, use built-in commands to list shares and resources. By adding the **/all** switch, we also list the administrative shares (the ones ending with a dollar sign).

```powershell
net view \\<computer name> /all
```

```
Shared resources at \\REAPER
Share name                              Type  Used as  Comment

-------------------------------------------------------------------------------
ADMIN$                                  Disk           Remote Admin
C$                                      Disk           Default share
Command and Conquer Generals Zero Hour  Disk
films-server                            Disk
IPC$                                    IPC            Remote IPC
print$                                  Disk           Printer Drivers
Users                                   Disk
The command completed successfully.
```
