The Server Message Block (SMB) service (445/TCP) is commonly found listening on target systems. SMB is used for file sharing on both Windows and Linux, and it is notorious for many known vulnerabilities. The most common issue is a null-session misconfiguration, which lets unauthenticated users access any file share configured with READ access.
Although there are various clients and tools for accessing SMB, today I will cover smbclient, the client that ships with the Samba software suite. You may already know the basic commands of this tool, but I will show you a few tricks you probably didn't know.
Listing Shares (Basic Command — Just for courtesy)
The following commands list the available shares:
# Null Authentication Allowed
smbclient -L <Target IP>

# User Specified
smbclient -L <Target IP> -U <Username>
* This will prompt for the user's password
When a share contains nested directories rather than plain files, moving in and out of each directory by hand is tedious. The recurse command toggles directory recursion, and recursion also applies to commands such as mget and mput, so entire directory trees can be downloaded or uploaded in one shot.
# Using Recurse
smbclient '\\<Target IP>\<Target Dir>' -U <Username>
smb: \> recurse # Enabling directory recursion
smb: \> ls # Listing the directory tree recursively
smb: \> mget <Target Directory to Download>
smb: \> mput <Target Directory to Upload>
smb: \> recurse # Disabling directory recursion
You can also inspect the attributes of files stored on SMB shares with the allinfo command. File attributes are metadata that the file system stores on disk alongside the file, and inspecting them sometimes turns up juicy information. On file systems such as NTFS, a file can appear as 0 bytes on the share while its content lives in a named alternate data stream; allinfo lists those streams, so you can work out what kind of file it really is and retrieve the hidden data with the file:stream syntax.
# Using Allinfo
smbclient '\\<Target IP>\<Target Dir>' -U <Username>
smb: \> allinfo <Target File>
smb: \> get <Target File>:<Potential File Attributes>
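As an added example that is not part of the original post, the following Python parser reads smbclient's allinfo output and flags files whose default data stream is empty but that carry a named alternate data stream, which is the 0-byte-file case described above. The sample output is constructed, and the exact line layout of allinfo (attributes line, stream lines) is an assumption based on smbclient's usual format.

```python
import re

# Constructed sample of `smbclient ... -c 'allinfo report.docx'` output.
# The layout mirrors what smbclient prints but is an assumption, not captured output.
SAMPLE_ALLINFO = """\
altname: REPORT~1.DOC
create_time:    Mon Jan  6 09:12:44 AM 2020 UTC
access_time:    Mon Jan  6 09:12:44 AM 2020 UTC
write_time:     Mon Jan  6 09:12:44 AM 2020 UTC
change_time:    Mon Jan  6 09:12:44 AM 2020 UTC
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Zone.Identifier:$DATA], 26 bytes
stream: [:backup.zip:$DATA], 48213 bytes
"""

# Matches "stream: [:<name>:$DATA], <size> bytes"; the unnamed default stream has an empty name.
STREAM_RE = re.compile(r"^stream: \[:(?P<name>[^:\]]*):\$DATA\], (?P<size>\d+) bytes$")


def parse_allinfo(text):
    """Extract the attributes string and the list of (stream name, size) pairs."""
    info = {"attributes": None, "streams": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("attributes:"):
            info["attributes"] = line.split(":", 1)[1].strip()
            continue
        m = STREAM_RE.match(line)
        if m:
            info["streams"].append((m.group("name"), int(m.group("size"))))
    return info


def alternate_streams(info, benign=("Zone.Identifier",)):
    """Named streams other than the default one and known-benign ones (Zone.Identifier is the mark-of-the-web)."""
    return [(name, size) for name, size in info["streams"] if name and name not in benign]


def hides_data(info):
    """True when the visible file is empty but a non-benign alternate stream carries data."""
    default_size = next((size for name, size in info["streams"] if name == ""), None)
    return default_size == 0 and any(size > 0 for _, size in alternate_streams(info))


if __name__ == "__main__":
    parsed = parse_allinfo(SAMPLE_ALLINFO)
    print("attributes:", parsed["attributes"])
    for name, size in alternate_streams(parsed):
        print(f"alternate stream {name!r}: {size} bytes")
    print("0-byte file hiding data:", hides_data(parsed))
```

When auditing a share, pipe each file's allinfo output through parse_allinfo and review anything hides_data reports.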
When I perform pentests, I often find open SMB shares. The following one-liner with smbmap quickly identifies open shares and lists their directories:
while read i; do smbmap -H "$i" 2>/dev/null; done < <Target IP File> | grep -v Finding | grep -v Authentication
Also make sure to read the smbmap GitHub page, since it offers more functionality for inspecting shares.