November 1, 2019 · Basic Pen-Testing
4.3 : Active information gathering techniques - SMB enum (Part III)
SMB Enumeration
background
SMB has a poor security track record. The protocol versions by Windows release are:
- SMB1 - Windows 2000, XP and Windows 2003
- SMB2 - Windows Vista SP1 and Windows 2008
- SMB2.1 - Windows 7 and Windows 2008 R2
- SMB3 - Windows 8 and Windows 2012
- SMB1/2/3 - Windows 10 and Windows Server 2016
- Samba - the Linux/Unix implementation of the SMB protocol
SMB listens on TCP ports 139 and 445.
basic scan
nmap -v -p 139,445 -oG smb.txt 10.0.0.1-254
NetBIOS name scan with nbtscan
nbtscan -r 10.0.0.0/24
Advanced scan
null session
A null session is an SMB session established without credentials (an anonymous, unauthenticated login).
- SMB1 - null sessions enabled by default
- SMB2/3 and later - null sessions restricted
information obtainable over a null session
- password policies
- usernames
- group names
- machine names
- user and host SIDs
automated null session enumeration tool
enum4linux -a 10.11.1.227
========================================
| OS information on 10.11.1.227 |
========================================
[+] Got OS info for 10.11.1.227 from smbclient: Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
...
user:[admin] rid:[0x3ef]
user:[Administrator] rid:[0x1f4]
user:[alice] rid:[0x3f0]
...
[+] Password Info for Domain: SRV2
[+] Minimum password length: None
[+] Password history length: None
[+] Maximum password age: 42 days 22 hours 47 minutes
[+] Password Complexity Flags: 000000
...
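As an added example (not from the original post, and not part of enum4linux itself), a small Python parser for enum4linux output like the excerpt above: it extracts the OS banner, the user-to-RID map (flagging whichever account holds the well-known RID 500, i.e. the built-in Administrator even if renamed), and the password policy, and reports the settings a defender would want tightened. The sample text is constructed to mirror the output shown above.

```python
import re

# Constructed sample modelled on the enum4linux -a output above; not output from a real scan.
SAMPLE = """\
[+] Got OS info for 10.11.1.227 from smbclient: Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
user:[admin] rid:[0x3ef]
user:[Administrator] rid:[0x1f4]
user:[alice] rid:[0x3f0]
[+] Password Info for Domain: SRV2
[+] Minimum password length: None
[+] Password history length: None
[+] Maximum password age: 42 days 22 hours 47 minutes
[+] Password Complexity Flags: 000000
"""

OS_RE = re.compile(r"Got OS info for (?P<host>\S+) from \S+: Domain=\[(?P<domain>[^\]]*)\] OS=\[(?P<os>[^\]]*)\] Server=\[(?P<server>[^\]]*)\]")
USER_RE = re.compile(r"user:\[(?P<name>[^\]]+)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")
POLICY_RE = re.compile(r"\[\+\] (?P<key>Minimum password length|Password history length|Maximum password age|Password Complexity Flags): (?P<val>.+)")
BUILTIN_ADMIN_RID = 500  # well-known RID of the built-in Administrator account (0x1f4)

def parse_enum4linux(text):
    """Pull the host/OS banner, a user->RID map and the password policy out of enum4linux output."""
    result = {"host": None, "domain": None, "os": None, "server": None, "users": {}, "policy": {}}
    for line in text.splitlines():
        if m := OS_RE.search(line):
            result.update(host=m["host"], domain=m["domain"], os=m["os"], server=m["server"])
        elif m := USER_RE.search(line):
            result["users"][m["name"]] = int(m["rid"], 16)  # enum4linux prints RIDs in hex
        elif m := POLICY_RE.search(line):
            result["policy"][m["key"]] = m["val"].strip()
    return result

def builtin_admin_names(users):
    """Accounts holding RID 500: the real built-in Administrator, whatever it is called."""
    return sorted(name for name, rid in users.items() if rid == BUILTIN_ADMIN_RID)

def weak_policy_findings(policy):
    """Flag the password-policy values a defender would want tightened."""
    findings = []
    if policy.get("Minimum password length", "None") in ("None", "0"):
        findings.append("no minimum password length")
    if policy.get("Password history length", "None") in ("None", "0"):
        findings.append("no password history enforced")
    if policy.get("Password Complexity Flags", "000000").strip("0") == "":
        findings.append("complexity not enforced")
    return findings

info = parse_enum4linux(SAMPLE)
print(info["host"], info["os"], builtin_admin_names(info["users"]), weak_policy_findings(info["policy"]))
```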
nmap SMB script scanning (NSE)
nmap -v -p 139,445 --script="smb*" 10.0.0.1-255
# no space after the comma in -p, or nmap reads 445 as a target; quote the wildcard so the shell does not expand it
# or pick individual scripts by name; list them with: ls /usr/share/nmap/scripts/smb*