The document “A Little Guide to SMB Enumeration” provides a comprehensive overview of the Server Message Block (SMB) protocol and various tools and techniques used for SMB enumeration, a critical process in cybersecurity, particularly in penetration testing and vulnerability assessments. Here’s an extensive summary in English:
What is SMB?
SMB (Server Message Block), formerly known as the Common Internet File System (CIFS), is an application-layer network protocol used for file sharing. SMB enables users or applications to read, write, and request services from servers within a network. It runs over TCP/IP and is fundamental for accessing files, data, or other resources on remote servers.
SMB Working Mechanism
SMB functions using a client-server model, where the client requests access to files or services hosted on a server within a network. The protocol supports file operations such as opening, reading, writing, and accessing files, much like a local file system, with the communication carried over TCP. SMB can run over NetBIOS over TCP/IP, IPX/SPX, or NetBEUI.
SMB Versions
The guide covers the evolution of SMB versions:
- CIFS: A precursor to modern SMB, introduced in Windows NT 4.0 (1996).
- SMB 1.0: Supported by Windows 2000 and Windows XP.
- SMB 2.0/2.1: Introduced with Windows Vista and Windows 7.
- SMB 3.0/3.1.1: Used in modern Windows versions, with improvements in encryption (AES-128-GCM) and security (SHA-512 for integrity checks).
SMB Security
SMB supports two security models:
- Share-Level Security: Protects shared resources with passwords, offering minimal security.
- User-Level Security: Introduced in later versions, allowing user-specific access control for individual files or shares.
SMB Enumeration
The main focus of the document is on SMB Enumeration, which involves identifying and extracting valuable data from SMB services. Various tools and scripts are used for this purpose, organized under several categories:
1. Hostname Enumeration
- nmblookup: Queries NetBIOS names and maps them to IP addresses.
- nbtscan: Scans IP networks for NetBIOS information, displaying computer names, logged-in users, and MAC addresses.
- nbstat NSE Script: An Nmap script for gathering NetBIOS names and MAC addresses.
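As an added illustration of what the hostname-enumeration tools above actually read, here is a small parser for the NetBIOS name table that `nmblookup -A <ip>` prints. It is not code from the guide; it assumes the row layout Samba's nmblookup uses, the status block below is constructed, and the suffix meanings (<00> workstation/workgroup, <20> file service, <1C> domain controllers, <03> messenger records that reveal logged-on users) are the standard NetBIOS ones, which is exactly how nbtscan derives its "logged-in users" column.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `nmblookup -A <ip>` NetBIOS status output (not captured from a real host)
SAMPLE_STATUS = """\
Looking up status of 192.0.2.10
\tDC01            <00> -         B <ACTIVE>
\tCORP            <00> - <GROUP> B <ACTIVE>
\tDC01            <20> -         B <ACTIVE>
\tCORP            <1C> - <GROUP> B <ACTIVE>
\tDC01            <03> -         B <ACTIVE>
\tJDOE            <03> -         B <ACTIVE>

\tMAC Address = 00-11-22-AA-BB-CC
"""

# One name-table row: NAME <SUFFIX> - [<GROUP>] B <STATE>
ENTRY_RE = re.compile(r"^\s*(?P<name>\S+)\s+<(?P<suffix>[0-9A-Fa-f]{2})>\s+-\s+"
                      r"(?:(?P<group><GROUP>)\s+)?B\s+<[A-Z]+>", re.M)
MAC_RE = re.compile(r"MAC Address = ([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")

@dataclass
class NetbiosHost:
    ip: str = ""
    hostname: str = ""               # unique <00>: Workstation service
    workgroup: str = ""              # group <00>: domain or workgroup name
    mac: str = ""
    file_service: bool = False       # unique <20>: Server service, i.e. the host offers SMB shares
    domain_controller: bool = False  # group <1C>: registered only by domain controllers
    logged_on_users: list = field(default_factory=list)  # unique <03> names other than the host's own

def parse_nmblookup_status(text: str) -> NetbiosHost:
    host = NetbiosHost()
    m = re.search(r"Looking up status of (\S+)", text)
    host.ip = m.group(1) if m else ""
    rows = [(e["name"], e["suffix"].upper(), bool(e["group"])) for e in ENTRY_RE.finditer(text)]
    for name, suffix, is_group in rows:
        if suffix == "00" and is_group:
            host.workgroup = name
        elif suffix == "00":
            host.hostname = name
        elif suffix == "20" and not is_group:
            host.file_service = True
        elif suffix == "1C" and is_group:
            host.domain_controller = True
    # The Messenger service registers each logged-on user as a unique <03> record, next to the host's own
    host.logged_on_users = [n for n, s, g in rows if s == "03" and not g and n != host.hostname]
    m = MAC_RE.search(text)
    host.mac = m.group(1) if m else ""
    return host
```

Run over the output of a scan of your own subnet, the `file_service` and `logged_on_users` fields show which hosts answer unauthenticated NetBIOS status queries with more than their name, which is the exposure to reduce.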
2. Share and Null Session Enumeration
SMB allows sharing files and resources within a network. Public shares are accessible to all, while user-specific shares are restricted.
- SMBMap: Enumerates Samba shares across domains, listing contents and permissions.
- smbclient: An FTP-like tool for accessing Windows shares, useful for transferring files and testing connectivity.
- Nmap smb-enum-shares script: Lists shares on remote systems, even if access is denied.
3. Vulnerability Scanning
SMB servers can be scanned for vulnerabilities to detect potential exploits.
- smb-vuln NSE Script: A suite of scripts in Nmap to check for vulnerabilities like Conficker or MS08-067.
4. User Enumeration
Tools like smb_lookupsid and Impacket's Lookupsid are used to brute-force or enumerate Security Identifiers (SIDs), identifying local or domain users. The resulting user lists feed later credential attacks, such as brute-forcing logins.
5. Enum4Linux
A versatile tool used for detailed SMB enumeration, extracting domain and group memberships, user listings, shares, password policies, and operating system details from target systems.