Attacking SMB
Server Message Block (SMB) is a communication protocol created for providing shared access to files and printers across nodes on a network. Initially, it was designed to run on top of NetBIOS over TCP/IP (NBT) using TCP port 139 and UDP ports 137 and 138. However, with Windows 2000, Microsoft added the option to run SMB directly over TCP/IP on port 445 without the extra NetBIOS layer. Nowadays, modern Windows operating systems use SMB over TCP but still support the NetBIOS implementation as a failover.
Samba is a Unix/Linux-based open-source implementation of the SMB protocol. It also allows Linux/Unix servers and Windows clients to use the same SMB services.
For instance, on Windows, SMB can run directly over port 445 TCP/IP without the need for NetBIOS over TCP/IP, but if Windows has NetBIOS enabled, or we are targetting a non-Windows host, we will find SMB running on port 139 TCP/IP. This means that SMB is running with NetBIOS over TCP/IP.
Another protocol that is commonly related to SMB is MSRPC (Microsoft Remote Procedure Call). RPC provides an application developer a generic way to execute a procedure (a.k.a. a function) in a local or remote process without having to understand the network protocols used to support the communication, as specified in MS-RPCE, which defines an RPC over SMB Protocol that can use SMB Protocol named pipes as its underlying transport.
To attack an SMB Server, we need to understand its implementation, operating system, and which tools we can use to abuse it. As with other services, we can abuse misconfiguration or excessive privileges, exploit known vulnerabilities or discover new vulnerabilities. Furthermore, after we gain access to the SMB Service, if we interact with a shared folder, we need to be aware of the content in the directory. Finally, if we are targetting NetBIOS or RPC, identify which information we can get or what action we can perform on the target.
Enumeration
Depending on the SMB implementation and the operating system, we will get different information using Nmap. Keep in mind that when targetting Windows OS, version information is usually not included as part of the Nmap scan results. Instead, Nmap will try to guess the OS version. However, we will often need other scans to identify if the target is vulnerable to a particular exploit. We will cover searching for known vulnerabilities later in this section. For now, let's scan ports 139 and 445 TCP.
The Nmap scan reveals essential information about the target:
SMB version (Samba smbd 4.6.2)
Hostname HTB
Operating System is Linux based on SMB implementation
Let's explore some common misconfigurations and protocols specifics attacks.
Misconfigurations
SMB can be configured not to require authentication, which is often called a null session. Instead, we can log in to a system with no username or password.
Anonymous Authentication
If we find an SMB server that does not require a username and password or find valid credentials, we can get a list of shares, usernames, groups, permissions, policies, services, etc. Most tools that interact with SMB allow null session connectivity, including smbclient, smbmap, rpcclient, or enum4linux. Let's explore how we can interact with file shares and RPC using null authentication.
File Share
Using smbclient, we can display a list of the server's shares with the option -L, and using the option -N, we tell smbclient to use the null session.
Smbmap is another tool that helps us enumerate network shares and access associated permissions. An advantage of smbmap is that it provides a list of permissions for each shared folder.
Using smbmap with the -r or -R (recursive) option, one can browse the directories:
From the above example, the permissions are set to READ and WRITE, which one can use to upload and download the files.
Remote Procedure Call (RPC)
We can use the rpcclient tool with a null session to enumerate a workstation or Domain Controller.
The rpcclient tool offers us many different commands to execute specific functions on the SMB server to gather information or modify server attributes like a username. We can use this cheat sheet from the SANS Institute or review the complete list of all these functions found on the man page of the rpcclient.
Here is a SANS Cheat sheet:
Enum4linux is another utility that supports null sessions, and it utilizes nmblookup, net, rpcclient, and smbclient to automate some common enumeration from SMB targets such as:
Workgroup/Domain name
Users information
Operating system information
Groups information
Shares Folders
Password policy information
The original tool was written in Perl and rewritten by Mark Lowe in Python.
Protocol Specifics Attacks
If a null session is not enabled, we will need credentials to interact with the SMB protocol. Two common ways to obtain credentials are brute forcing and password spraying.
Brute Forcing and Password Spray
When brute-forcing, we try as many passwords as possible against an account, but it can lock out an account if we hit the threshold. We can use brute-forcing and stop before reaching the threshold if we know it. Otherwise, we do not recommend using brute force.
Password spraying is a better alternative since we can target a list of usernames with one common password to avoid account lockouts. We can try more than one password if we know the account lockout threshold. Typically, two to three attempts are safe, provided we wait 30-60 minutes between attempts. Let's explore the tool CrackMapExec that includes the ability to execute password spraying.
With CrackMapExec (CME), we can target multiple IPs, using numerous users and passwords. Let's explore an everyday use case for password spraying. To perform a password spray against one IP, we can use the option -u to specify a file with a user list and -p to specify a password. This will attempt to authenticate every user from the list using the provided password.
Note: By default CME will exit after a successful login is found. Using the --continue-on-success flag will continue spraying even after a valid password is found. it is very useful for spraying a single password against a large user list. Additionally, if we are targetting a non-domain joined computer, we will need to use the option --local-auth. For a more detailed study Password Spraying see the Active Directory Enumeration & Attacks module.
For more detailed usage instructions, check out the tool's documentation guide.
SMB
Linux and Windows SMB servers provide different attack paths. Usually, we will only get access to the file system, abuse privileges, or exploit known vulnerabilities in a Linux environment, as we will discuss later in this section. However, in Windows, the attack surface is more significant.
When attacking a Windows SMB Server, our actions will be limited by the privileges we had on the user we manage to compromise. If this user is an Administrator or has specific privileges, we will be able to perform operations such as:
Remote Command Execution
Extract Hashes from SAM Database
Enumerating Logged-on Users
Pass-the-Hash (PTH)
Let's discuss how we can perform such operations. Additionally, we will learn how the SMB protocol can be abused to retrieve a user's hash as a method to escalate privileges or gain access to a network.
Remote Code Execution (RCE)
Before jumping into how to execute a command on a remote system using SMB, let's talk about Sysinternals. The Windows Sysinternals website was created in 1996 by Mark Russinovich and Bryce Cogswell to offers technical resources and utilities to manage, diagnose, troubleshoot, and monitor a Microsoft Windows environment. Microsoft acquired Windows Sysinternals and its assets on July 18, 2006.
Sysinternals featured several freeware tools to administer and monitor computers running Microsoft Windows. The software can now be found on the Microsoft website. One of those freeware tools to administer remote systems is PsExec.
PsExec is a tool that lets us execute processes on other systems, complete with full interactivity for console applications, without having to install client software manually. It works because it has a Windows service image inside of its executable. It takes this service and deploys it to the admin$ share (by default) on the remote machine. It then uses the DCE/RPC interface over SMB to access the Windows Service Control Manager API. Next, it starts the PSExec service on the remote machine. The PSExec service then creates a named pipe that can send commands to the system.
We can download PsExec from Microsoft website, or we can use some Linux implementations:
Impacket PsExec - Python PsExec like functionality example using RemComSvc.
Impacket SMBExec - A similar approach to PsExec without using RemComSvc. The technique is described here. This implementation goes one step further, instantiating a local SMB server to receive the output of the commands. This is useful when the target machine does NOT have a writeable share available.
Impacket atexec - This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.
CrackMapExec - includes an implementation of
smbexecandatexec.Metasploit PsExec - Ruby PsExec implementation.
Impacket PsExec
To use impacket-psexec, we need to provide the domain/username, the password, and the IP address of our target machine. For more detailed information we can use impacket help:
To connect to a remote machine with a local administrator account, using impacket-psexec, you can use the following command:
The same options apply to impacket-smbexec and impacket-atexec.
CrackMapExec
Another tool we can use to run CMD or PowerShell is CrackMapExec. One advantage of CrackMapExec is the availability to run a command on multiples host at a time. To use it, we need to specify the protocol, smb, the IP address or IP address range, the option -u for username, and -p for the password, and the option -x to run cmd commands or uppercase -X to run PowerShell commands.
Note: If the--exec-method is not defined, CrackMapExec will try to execute the atexec method, if it fails you can try to specify the --exec-method smbexec.
Enumerating Logged-on Users
Imagine we are in a network with multiple machines. Some of them share the same local administrator account. In this case, we could use CrackMapExec to enumerate logged-on users on all machines within the same network 10.10.110.17/24, which speeds up our enumeration process.
Extract Hashes from SAM Database
The Security Account Manager (SAM) is a database file that stores users' passwords. It can be used to authenticate local and remote users. If we get administrative privileges on a machine, we can extract the SAM database hashes for different purposes:
Authenticate as another user.
Password Cracking, if we manage to crack the password, we can try to reuse the password for other services or accounts.
Pass The Hash. We will discuss it later in this section.
Pass-the-Hash (PtH)
If we manage to get an NTLM hash of a user, and if we cannot crack it, we can still use the hash to authenticate over SMB with a technique called Pass-the-Hash (PtH). PtH allows an attacker to authenticate to a remote server or service using the underlying NTLM hash of a user's password instead of the plaintext password. We can use a PtH attack with any Impacket tool, SMBMap, CrackMapExec, among other tools. Here is an example of how this would work with CrackMapExec
Forced Authentication Attacks
We can also abuse the SMB protocol by creating a fake SMB Server to capture users' NetNTLM v1/v2 hashes.
The most common tool to perform such operations is the Responder. Responder is an LLMNR, NBT-NS, and MDNS poisoner tool with different capabilities, one of them is the possibility to set up fake services, including SMB, to steal NetNTLM v1/v2 hashes. In its default configuration, it will find LLMNR and NBT-NS traffic. Then, it will respond on behalf of the servers the victim is looking for and capture their NetNTLM hashes.
Let's illustrate an example to understand better how Responder works. Imagine we created a fake SMB server using the Responder default configuration, with the following command:
When a user or a system tries to perform a Name Resolution (NR), a series of procedures are conducted by a machine to retrieve a host's IP address by its hostname. On Windows machines, the procedure will roughly be as follows:
The hostname file share's IP address is required.
The local host file (C:\Windows\System32\Drivers\etc\hosts) will be checked for suitable records.
If no records are found, the machine switches to the local DNS cache, which keeps track of recently resolved names.
Is there no local DNS record? A query will be sent to the DNS server that has been configured.
If all else fails, the machine will issue a multicast query, requesting the IP address of the file share from other machines on the network.
Suppose a user mistyped a shared folder's name \\mysharefoder\ instead of \\mysharedfolder\. In that case, all name resolutions will fail because the name does not exist, and the machine will send a multicast query to all devices on the network, including us running our fake SMB server. This is a problem because no measures are taken to verify the integrity of the responses. Attackers can take advantage of this mechanism by listening in on such queries and spoofing responses, leading the victim to believe malicious servers are trustworthy. This trust is usually used to steal credentials.
These captured credentials can be cracked using hashcat or relayed to a remote host to complete the authentication and impersonate the user.
All saved Hashes are located in Responder's logs directory (/usr/share/responder/logs/). We can copy the hash to a file and attempt to crack it using the hashcat module 5600.
Note: If you notice multiples hashes for one account this is because NTLMv2 utilizes both a client-side and server-side challenge that is randomized for each interaction. This makes it so the resulting hashes that are sent are salted with a randomized string of numbers. This is why the hashes don't match but still represent the same password.
The NTLMv2 hash was cracked. The password is P@ssword. If we cannot crack the hash, we can potentially relay the captured hash to another machine using impacket-ntlmrelayx or Responder MultiRelay.py. Let us see an example using impacket-ntlmrelayx.
First, we need to set SMB to OFF in our responder configuration file (/etc/responder/Responder.conf).
Then we execute impacket-ntlmrelayx with the option --no-http-server, -smb2support, and the target machine with the option -t. By default, impacket-ntlmrelayx will dump the SAM database, but we can execute commands by adding the option -c.
We can create a PowerShell reverse shell using https://www.revshells.com/, set our machine IP address, port, and the option Powershell #3 (Base64).
Once the victim authenticates to our server, we poison the response and make it execute our command to obtain a reverse shell.
Latest SMB Vulnerabilities
One recent significant vulnerability that affected the SMB protocol was called SMBGhost with the CVE-2020-0796. The vulnerability consisted of a compression mechanism of the version SMB v3.1.1 which made Windows 10 versions 1903 and 1909 vulnerable to attack by an unauthenticated attacker. The vulnerability allowed the attacker to gain remote code execution (RCE) and full access to the remote target system.
We will not discuss the vulnerability in detail in this section, as a very in-depth explanation requires some reverse engineering experience and advanced knowledge of CPU, kernel, and exploit development. Instead, we will only focus on the attack concept because even with more complicated exploits and vulnerabilities, the concept remains the same.
The Concept of the Attack
In simple terms, this is an integer overflow vulnerability in a function of an SMB driver that allows system commands to be overwritten while accessing memory. An integer overflow results from a CPU attempting to generate a number that is greater than the value required for the allocated memory space. Arithmetic operations can always return unexpected values, resulting in an error. An example of an integer overflow can occur when a programmer does not allow a negative number to occur. In this case, an integer overflow occurs when a variable performs an operation that results in a negative number, and the variable is returned as a positive integer. This vulnerability occurred because, at the time, the function lacked bounds checks to handle the size of the data sent in the process of SMB session negotiation.
To learn more about buffer overflow techniques and vulnerabilities, check out the Stack-Based Buffer Overflows on Linux x86, and Stack-Based Buffer Overflows on Windows x86 module. These go into detail on the basics of how the buffer can be overwritten and handled by the attacker.
The Concept of Attacks
The vulnerability occurs while processing a malformed compressed message after the Negotiate Protocol Responses. If the SMB server allows requests (over TCP/445), compression is generally supported, where the server and client set the terms of communication before the client sends any more data. Suppose the data transmitted exceeds the integer variable limits due to the excessive amount of data. In that case, these parts are written into the buffer, which leads to the overwriting of the subsequent CPU instructions and interrupts the process's normal or planned execution. These data sets can be structured so that the overwritten instructions are replaced with our own ones, and thus we force the CPU (and hence also the process) to perform other tasks and instructions.
Initiation of the Attack
1.
The client sends a request manipulated by the attacker to the SMB server.
Source
2.
The sent compressed packets are processed according to the negotiated protocol responses.
Process
3.
This process is performed with the system's privileges or at least with the privileges of an administrator.
Privileges
4.
The local process is used as the destination, which should process these compressed packets.
Destination
This is when the cycle starts all over again, but this time to gain remote access to the target system.
Trigger Remote Code Execution
5.
The sources used in the second cycle are from the previous process.
Source
6.
In this process, the integer overflow occurs by replacing the overwritten buffer with the attacker's instructions and forcing the CPU to execute those instructions.
Process
7.
The same privileges of the SMB server are used.
Privileges
8.
The remote attacker system is used as the destination, in this case, granting access to the local system.
Destination
However, despite the vulnerability's complexity due to the buffer's manipulation, which we can see in the PoC, the concept of the attack nevertheless applies here.
Last updated