This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

SMB

What is SMB?

Server Message Block (SMB) is a common protocol for file sharing and inter-process communication on Windows and compatible systems. SMB has had many security issues in the past, and older versions (especially SMBv1) are insecure. Modern Windows versions have hardened SMB, but many networks still support legacy features such as NetBIOS. Treat scan results as leads, not absolute truth.


Key points

  • Ports

    • SMB (direct over TCP): 445

    • NetBIOS session: 139

    • NetBIOS name service: UDP 137

  • NetBIOS vs SMB

    • NetBIOS is a separate session-layer service used historically for name and session services.

    • NetBIOS over TCP (NBT) allows older SMB implementations to work over TCP/IP.

    • SMB can run without NetBIOS, but both are often enabled together for backward compatibility.

  • SMB versions

    • SMBv1 is old and insecure; many systems disable it today. If SMBv1 is enabled, additional enumeration techniques may work.


SMB Enumeration

Linux

Using Nmap

  • Find hosts with SMB/NetBIOS

nmap -v -p 139,445 192.168.5.0-254
PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
MAC Address: FE:E4:85:42:95:DD (Unknown)

Nmap scan report for 192.168.5.58
Host is up (0.032s latency).

PORT    STATE  SERVICE
139/tcp closed netbios-ssn
445/tcp open   microsoft-ds
MAC Address: 3A:09:F5:A5:42:A8 (Unknown)

Nmap scan report for 192.168.5.60
Host is up (0.045s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: AC:50:DE:D2:D8:71 (Cloud Network Technology Singapore PTE.)

Nmap scan report for 192.168.5.65
Host is up (0.011s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:15:5D:05:80:A2 (Microsoft)

Nmap scan report for 192.168.5.67
Host is up (0.011s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: CC:28:AA:CE:81:2A (ASUSTek Computer)

  • Using scripts for more enumeration

ls -1 /usr/share/nmap/scripts/smb*
/usr/share/nmap/scripts/smb2-capabilities.nse
/usr/share/nmap/scripts/smb2-security-mode.nse
/usr/share/nmap/scripts/smb2-time.nse
/usr/share/nmap/scripts/smb2-vuln-uptime.nse
/usr/share/nmap/scripts/smb-brute.nse
/usr/share/nmap/scripts/smb-double-pulsar-backdoor.nse
/usr/share/nmap/scripts/smb-enum-domains.nse
/usr/share/nmap/scripts/smb-enum-groups.nse
/usr/share/nmap/scripts/smb-enum-processes.nse
/usr/share/nmap/scripts/smb-enum-services.nse
/usr/share/nmap/scripts/smb-enum-sessions.nse
/usr/share/nmap/scripts/smb-enum-shares.nse
/usr/share/nmap/scripts/smb-enum-users.nse
/usr/share/nmap/scripts/smb-flood.nse
/usr/share/nmap/scripts/smb-ls.nse
/usr/share/nmap/scripts/smb-mbenum.nse
/usr/share/nmap/scripts/smb-os-discovery.nse
/usr/share/nmap/scripts/smb-print-text.nse
/usr/share/nmap/scripts/smb-protocols.nse
/usr/share/nmap/scripts/smb-psexec.nse
# And more 

You can run any of those scripts with the --script option (this works the same way for any other script category):

sudo nmap -p 139,445 --script=smb2-security-mode 192.168.5.1
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:15:5D:05:80:A0 (Microsoft)

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
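Added example, not code from the original guide: a small POSIX shell/awk triage script that reads the normal-format output of the two Nmap steps above (the 139/445 sweep and the smb2-security-mode script run) and prints one line per host, showing which hosts expose TCP/445 and which of those do not enforce SMB signing. The scan text embedded in it is constructed from the output layout shown on the page and is not real scan data; the column and status names (REQUIRED, NOT_REQUIRED, DISABLED, NO_RESULT) are my own.

```shell
#!/bin/sh
# Added example, not part of the original guide: turn the "normal" output of
#   nmap -p 139,445 --script=smb2-security-mode <targets>
# into one line per host, so a defender can see at a glance which hosts expose
# TCP/445 and which of those do not enforce SMB signing. The scan text below is
# constructed for illustration (addresses reuse the page's 192.168.5.0/24 lab
# range); it is not real scan data.

SAMPLE_SCAN='Nmap scan report for 192.168.5.1
Host is up (0.011s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Nmap scan report for 192.168.5.60
Host is up (0.045s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled but not required

Nmap scan report for 192.168.5.58
Host is up (0.032s latency).

PORT    STATE  SERVICE
139/tcp closed netbios-ssn
445/tcp open   microsoft-ds

Nmap scan report for 192.168.5.77
Host is up (0.020s latency).

PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Nmap done: 4 IP addresses (4 hosts up) scanned in 0.60 seconds'

# Read nmap normal output on stdin and print "host<TAB>445-state<TAB>dialect<TAB>signing".
# signing is REQUIRED, NOT_REQUIRED, DISABLED, or NO_RESULT (the script printed nothing
# for that host, which is a lead to follow up, not proof that signing is fine).
# Assumes the report line ends with the address, as in "Nmap scan report for 192.168.5.1".
smb_signing_report() {
  awk '
    function flush() {
      if (host != "") print host "\t" p445 "\t" dialect "\t" signing
      host = ""; p445 = "unknown"; dialect = "-"; signing = "NO_RESULT"
    }
    /^Nmap scan report for /                   { flush(); host = $NF }
    /^445\/tcp /                               { p445 = $2 }
    /^\| +[0-9]+:[0-9]+:[0-9]+:/               { dialect = $2; sub(/:$/, "", dialect) }
    /Message signing enabled and required/     { signing = "REQUIRED" }
    /Message signing enabled but not required/ { signing = "NOT_REQUIRED" }
    /Message signing disabled/                 { signing = "DISABLED" }
    END { flush() }
  '
}

# Hosts with 445 open that do not report signing as required: the hardening gaps.
smb_signing_gaps() {
  smb_signing_report | awk -F'\t' '$2 == "open" && $4 != "REQUIRED" { print $1 " " $4 }'
}

# Usage: pipe in a saved scan (nmap -oN scan.txt ...) instead of the constructed sample.
printf '%s\n' "$SAMPLE_SCAN" | smb_signing_report
echo "--- hosts needing follow-up ---"
printf '%s\n' "$SAMPLE_SCAN" | smb_signing_gaps
```

Run it against a saved scan with `nmap -oN scan.txt ... ; smb_signing_report < scan.txt`. A host whose script output is empty (192.168.5.58 in the sample) is reported as NO_RESULT rather than assumed safe, in keeping with the point above that scan results are leads; on such hosts the signing requirement should be confirmed from the host side before it is marked as compliant.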

Using "nbtscan"

  • Collecting NetBIOS names (works only if UDP/137 is open)

sudo nbtscan -r 192.168.5.0/24
IP address       NetBIOS Name     Server    User             MAC address      
------------------------------------------------------------------------------
192.168.5.65     DESKTOP-6UTJNBG  <server>  <unknown>        00:15:5d:05:80:a2
192.168.5.67     DIGITAL-BANKING  <server>  <unknown>        cc:28:aa:ce:81:2a
192.168.5.76     DEV-PC99         <server>  <unknown>        d8:cb:8a:44:64:cf
192.168.5.88     DESKTOP-0OMGKUK  <server>  <unknown>        00:15:5d:05:5a:16
192.168.5.90     INFINITY-SERVER  <server>  <unknown>        10:ff:e0:f2:63:91
192.168.5.118    TIME-ATTENDANCE  <server>  <unknown>        00:15:5d:05:80:8c
192.168.5.120    INSTALLPC1       <server>  <unknown>        44:39:c4:95:ad:24
192.168.5.58     MAC-920035       <server>  <unknown>        3a:09:f5:a5:42:a8

Windows

Using 'net view' command

From a Windows machine, use built-in commands to list shares and resources. Adding the /all switch also lists the administrative shares, whose names end with a dollar sign.

net view \\<computer name> /all 
Shared resources at \\REAPER
Share name                              Type  Used as  Comment

-------------------------------------------------------------------------------
ADMIN$                                  Disk           Remote Admin
C$                                      Disk           Default share
Command and Conquer Generals Zero Hour  Disk
films-server                            Disk
IPC$                                    IPC            Remote IPC
print$                                  Disk           Printer Drivers
Users                                   Disk
The command completed successfully.
