SMB

Server Message Block (“SMB”) (445/TCP) is commonly found listening on target systems. SMB is used for sharing files on both Windows and Linux systems and is notorious for many known vulnerabilities. The most common issue is a null session misconfiguration, which allows unauthenticated users to access file shares configured with READ access.

Smbclient

Although there are various clients and tools for accessing SMB, today I will be covering smbclient, the client that ships with the Samba software suite. You may already know the basic commands of this tool, but I will show you a few tricks you probably didn’t know.

The following commands list the available shares:

# Null authentication allowed (press Enter at the password prompt, or add -N to skip it)
smbclient -L <Target IP>
# User specified
smbclient -L <Target IP> -U <Username>
* This will prompt for the user's password

When a share contains many directories rather than plain files, it is tedious to go back and forth to view each directory manually. The recurse command toggles directory recursion, which also applies to commands like mget and mput, so you can download or upload entire directories in one shot.

# Using recurse
smbclient '\\<Target IP>\<Target Dir>' -U <Username>
smb: \> recurse # Enable directory recursion (recurse is a toggle)
smb: \> ls # Now lists the directory tree recursively
smb: \> mget <Target Directory to Download> # Download the whole directory (the "prompt" command toggles off per-file confirmation)
smb: \> mput <Target Directory to Upload> # Upload the whole directory
smb: \> recurse # Disable directory recursion again

You can also check the attributes of files stored on SMB shares with smbclient’s allinfo command. File attributes are metadata values stored by the file system on disk, and sometimes you can find juicy information by inspecting them. On file systems like NTFS, a file can show as 0 bytes on the share while its contents live in a named alternate data stream; allinfo lists those streams, so by inspecting its output you can work out what kind of file it really is and retrieve the hidden data.

# Using allinfo
smbclient '\\<Target IP>\<Target Dir>' -U <Username>
smb: \> allinfo <Target File> # Shows timestamps, DOS attributes and any "stream:" entries
smb: \> get <Target File>:<Stream Name> # Retrieve a named stream reported by allinfo

Bonus

When I perform a pentest, I often find open SMB shares. The following one-liner with smbmap quickly identifies open shares and lists their directories:

# smbmap (the greps drop the "Finding ..." / "Authentication ..." status lines so only share listings remain)
while read -r i; do smbmap -H "$i" 2>/dev/null; done < <Target IP File> | grep -v Finding | grep -v Authentication

And make sure to read smbmap’s GitHub page, since it has more handy functionality for inspecting shares.
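As an added example (not from the original post, and not part of smbclient or smbmap), here is a small POSIX shell script that chains the tricks above into a repeatable audit of your own hosts: it parses smbclient -L output to find disk shares, tests each one for a null-session directory listing, and parses allinfo output to surface named alternate data streams. The smbclient flags -N, -L and -c are real; the host file, the share listing sample and the allinfo sample are constructed for the offline demo.

```shell
#!/bin/sh
# Added example, not from the original post: turn the smbclient checks above
# into a repeatable audit. parse_disk_shares and parse_streams only parse
# captured output, so they run offline; audit_host invokes smbclient.

# From `smbclient -L` output on stdin, print Disk-type share names, skipping
# hidden/administrative shares whose names end in "$" (print$, ADMIN$, C$).
parse_disk_shares() {
    awk '$2 == "Disk" && $1 !~ /\$$/ { print $1 }'
}

# From `allinfo <file>` output on stdin, print each named NTFS alternate data
# stream as "<name> <bytes>". allinfo prints one line per stream in the form
# "stream: [:name:$DATA], N bytes"; the unnamed [::$DATA] stream is skipped.
parse_streams() {
    sed -n 's/^stream: \[:\([^:][^:]*\):\$DATA], \([0-9][0-9]*\) bytes$/\1 \2/p'
}

# Audit one host: list shares reachable with a null session (-N), then test
# whether each disk share really allows an unauthenticated directory listing.
audit_host() {
    host=$1
    smbclient -N -L "$host" 2>/dev/null | parse_disk_shares |
    while read -r share; do
        if smbclient -N "//$host/$share" -c 'ls' >/dev/null 2>&1; then
            echo "$host  $share  NULL SESSION READ"
        else
            echo "$host  $share  listed, no anonymous access"
        fi
    done
}

# Constructed sample output (no real host), used for the offline demo below.
SAMPLE_LIST='    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    public          Disk      Public share
    IPC$            IPC       IPC Service (Samba)'
SAMPLE_ALLINFO='altname: REPORT~1.TXT
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:hidden.txt:$DATA], 1337 bytes'
if [ $# -eq 1 ]; then
    # Usage: sh smb_audit.sh <hostfile>   (one IP or hostname per line)
    while read -r h; do audit_host "$h"; done < "$1"
else
    printf '%s\n' "$SAMPLE_LIST" | parse_disk_shares    # prints: public
    printf '%s\n' "$SAMPLE_ALLINFO" | parse_streams     # prints: hidden.txt 1337
fi
```

Run it with a host file to audit, or with no arguments to exercise the parsers on the embedded samples.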

Enjoy!

OSCE | OSCP | CREST | Offensive Security Consultant — All about Penetration Test | Red Team | Cloud Security | Web Application Security
