SMB: Server Message Block

SMB is a network-based file sharing protocol that allows users to access shared files on a server. SMB is used on both Windows and Unix systems; common service names include microsoft-ds for Windows-based systems and Samba for Linux-based systems.

Due to the file-sharing properties of SMB, it is a common attack vector and can lead to serious information breaches if not properly configured and/or secured.

Scan

The first step is to determine whether SMB is running on the target machine.

sudo nmap {target_ip} -sV -sC -O

The nmap scan shows open ports, with SMB ports typically on 139 and 445:

[Screenshot: Nmap SMB Ports]

The scripts switch also returns useful information about the specific SMB configuration:

[Screenshot: Nmap SMB Scripts]

With just this single nmap scan, we know of two SMB ports that are open, the system name, the security configuration (guest has user access), and an open SSH port.

Enumerate

There are two main tools for enumerating SMB:

  • Enum4Linux - Scans and enumerates in depth, covering everything from users to workgroups
  • smbclient - A simple CLI tool for interacting with an SMB service

smbclient

List Shares:

smbclient -L {target_ip}

Connect to Share:

smbclient \\\\{target_ip}\\profiles

Connect with Username:

smbclient \\\\{target_ip}\\share -U username

Enum4Linux

perl enum4linux.pl -a {target_ip}

This provides comprehensive information including users, shares, and workgroups - verifying and expanding on smbclient and nmap findings.

Pivoting

After finding useful information in shares (such as SSH RSA keys), you can pivot to other services.

SSH with RSA Key:

If ssh rejects the key with an "UNPROTECTED PRIVATE KEY FILE" error, restrict the file's permissions:

chmod 600 id_rsa

Then connect:

ssh -i id_rsa user@{target_ip}

Insights

This was simple due to a serious security misconfiguration (guest access); however, the underlying process is valid and can be applied in conjunction with other tools and techniques.

For example, if the guest user did not have user-level access, the specific SMB version (from nmap) could be used to find specific exploits. Metasploit also contains various SMB exploits.
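
The guest-access misconfiguration described above can be checked from the server side. The following is an added example, not part of the original post: a shell function that reads a Samba smb.conf and flags shares reachable without credentials. The function names and the sample configuration (including its paths) are constructed for illustration; the parameter names are standard smb.conf options.

```shell
# Added example: flag guest (unauthenticated) access in an smb.conf-style file.
audit_smb_guest() {
  # $1 = config path (default: stdin). Prints one finding per line.
  awk '
    function trim(s)   { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
    function is_yes(v) { v = tolower(v); return v == "yes" || v == "true" || v == "1" }
    function report() {
      if (section != "" && section != "global" && guest)
        printf "SHARE [%s] allows guest access (%s) path=%s\n", section, (rw ? "read-write" : "read-only"), path
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }       # skip comments and blank lines
    /^[ \t]*\[.*\]/ {                           # section header: close previous share
      report()
      section = tolower(trim($0)); gsub(/^\[|\].*$/, "", section)
      guest = 0; rw = 0; path = "(unset)"; next # Samba defaults: no guest, read only
    }
    {
      eq = index($0, "="); if (!eq) next
      # smb.conf ignores case and whitespace in parameter names
      key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]+/, "", key)
      val = trim(substr($0, eq + 1))
      if (section == "global" && key == "maptoguest" && tolower(val) != "never")
        printf "GLOBAL map to guest = %s (some failed logins become guest sessions)\n", val
      if (key == "guestok" || key == "public") guest = is_yes(val)
      if (key == "readonly") rw = !is_yes(val)
      if (key == "writable" || key == "writeable" || key == "writeok") rw = is_yes(val)
      if (key == "path") path = val
    }
    END { report() }
  ' "${1:--}"
}

sample_conf() {   # constructed sample input, not taken from the page
  cat <<'EOF'
[global]
   map to guest = Bad User
[profiles]
   path = /srv/samba/profiles
   guest ok = yes
   read only = no
[backups]
   path = /srv/samba/backups
   guest ok = no
[pub]
   path = /srv/samba/pub
   public = yes
EOF
}

sample_conf | audit_smb_guest
```

On a Samba host, the effective configuration printed by `testparm -s` can be piped into `audit_smb_guest` instead of the sample.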

Important Commands Summary

# List shares
smbclient -L ip

# Full enumeration
perl enum4linux.pl -a ip

# Connect to share
smbclient \\\\ip\\share

# Connect with username
smbclient \\\\ip\\share -U username