SMB Enumeration

Difficulty
Intermediate
Video Transcription
00:00
SMB enumeration. In this lesson, we're gonna understand what SMB is used for as well as demonstrate how to enumerate SMB.
00:09
Yeah.
00:10
So this will start kind of the journey of all the different network services and protocols and
00:17
you know, there's gonna be a lot of information about the protocol itself. What I want you to focus on though is the hands-on portion of it. So from here I want you to take the information and learn how to use it hands on. This is... OSCP is not a memorization test,
00:33
so just, you know, it's okay if you forget certain things, but I'll try to hint at, like, flags and switches and things like that and the tools that we'll use, because that's what's important.
00:44
So SMB is used by Windows as well as Linux. Some people might just focus on the Windows version. There's also a Linux version called Samba. So just because you see SMB open doesn't mean it's a Windows box off the bat.
01:00
It's also known as Common Internet File System, CIFS.
01:06
And there's basically three versions. Version one is old; on the older machines you'll find it.
01:14
On the newer machines like Windows 10, it does not come by default; it's disabled.
01:18
SMB version two is kind of an upgrade from SMB version one.
01:23
Um, guest access is disabled by default on it,
01:29
so it's a little bit safer than SMB version one.
01:33
And then there's SMB version three, which is the most secure because guest access is disabled, it uses encryption, and you need to use a username and password.
01:44
So why is that important? Well because you want to as an attacker be able to log on to SMB and enumerate the different shares within SMB.
01:56
So there's port 139 and 445. And as you'll see here in this Nmap scan,
02:02
we're looking at both. We're looking at 139, which is SMB over NetBIOS,
02:07
and also, uh, port 445, which is SMB over IP address. So in the newer version you can use an IP address; in the older version on 139 you actually need the host name.
02:23
So there's a number of tools already available in Kali to enumerate SMB.
02:30
Um, and you want to keep note of them. Nmap has Nmap Scripting Engine scripts for enumerating SMB services and vulnerabilities. There's also enum4linux,
02:39
which you can use to enumerate SMB.
02:43
There's smbclient and rpcclient; we'll go over those.
02:46
So the three common shares are C, which is the C drive of the remote host; the admin share, which, if you have access to this, is great because that's kind of the keys to the kingdom as the admin; and IPC. If you can get on IPC, you'll notice that you can't actually enumerate any shares. It's not really used for that.
03:07
Now, the thing is though, if IPC is available to be, uh, to be accessed, you can do things like EternalBlue.
03:16
But the key points to consider:
03:19
Can you access SMB as a guest? Do you even need a password?
03:23
Can you force user name, user names and passwords?
03:25
Can you read and write to different shares? Of course reading's good. Writing is even better because you can put things onto different shares.
03:35
Now if you can put things onto a share and you can access that share you can then execute that script
03:42
and get a shell. And we'll talk about shells later.
03:45
So even if you have SMB access to a certain share and you can look at a flag, it's not good enough. In OSCP you actually need to get a shell with something like Netcat, which we looked at in the Wireshark module.
03:59
So here, you'll see Nmap, and you can use Nmap for a lot of great things. And you can see here, you can use an asterisk. If you just do smb asterisk,
04:09
it might take a very long time to run all the Nmap Scripting Engine scripts. So here's some tips: if you want to enumerate, you can do smb-enum asterisk
04:20
or vulnerabilities or operating system, different scripting engines for that. So, there's a lot of availability there. And you'll see here we're running enum shares and here are all the different shares on this machine.
04:34
You can also see that it's Samba, right? And we talked about that before. So this is Metasploitable and this is actually a Linux box and a Windows box.
04:45
rpcclient is great. It's not something where you're gonna connect to shares. It is something that you can use, though, to enumerate things like users on that machine or different services that are running.
04:57
Um, you'll notice with newer versions of Kali you might have issues if you just do the syntax without the option client min protocol NT1. So if you're having issues connecting, you might want to try that option. Pro tip for you.
05:13
There's a lot of different options with this tool. I'm going to show you in the demo how we can use it to enumerate users.
05:19
And there's another, smbclient. This is probably the most, I don't want to say useful, but it's great with connecting to shares, putting things on shares, getting things from shares.
05:30
Um, and enumerating SMB from there. So this is kind of your main tool, I would say, uh, with using SMB.
05:40
So here's a bunch of different ways to enumerate shares, access shares.
05:46
Um, and also remember you can get and put things on different shares. It just depends on the permissions of that share.
05:56
So here we see, I'm using Hydra and I found a user name and password, I'm gonna show you that in the demo a little bit later, so I don't want to spend too much time on it, but once you find a username and password, you can then get onto a share if it if it requires a username or password.
06:14
So in summary, hopefully we now understand what SMB is used for, as well as we can demonstrate how to enumerate SMB with different tools.
06:21
Um, and next I will actually go through the demo to demonstrate the tools that we just went over.