SMB protocol 101

I discovered this protocol by doing a HTB’s room which involved a Windows-based machine, and it was my very first time hacking that OS.

Introduction #

Also known as Server Message Block, is a client-server protocol, originally created by IBM than updated by Microsoft, that allow access to shared file, printers and ports over the network.
We mostly see SMB services running on Windows machines.
User side, SMB authentication requires a username and password to allow access to the server. It is controlled by the system administrator, who can add or block users and keep tabs on who is allowed in.
Meanwhile at share-level, users have to enter a one-time password to access the shared file or server, but no username is required.

Different Version #

There are different variations of this protocol:

• SMBv1, released by IBM and modified by Microsoft, this version is also known because the ransomware Wannacry used a vulnerability of this version to spread itself over the network.

• SMBv2, performance boosted - debuted in Windows Vista

• SMBv3, security increased via end-to-end encryption - introduced in Windows 7

• SMBv3.02, possibility to completely disable SMBv1- came with Windows 8.1

• SMBv3.1.1, introduced AES-128 encryption, MITM protection and session verification - released in Windows 10

Always check your SMB’s version and update it, if possible.

How to use SMB #

Fisrt of all we should know that it operate via TCP on port 445. If we are operating from a Linux machine, the command to see the shares is :

smbclient -L {HOSTNAME}

This will output something like this:

Server time is Sat Aug 10 15:58:27 1996
Timezone is UTC+10.0
Password: 
Domain=[WORKGROUP] OS=[Windows NT 3.51] Server=[NT LAN Manager 3.51]

Server=[ZIMMERMAN] User=[] Workgroup=[WORKGROUP] Domain=[]

        Sharename      Type      Comment
        ---------      ----      -------
        ADMIN$         Disk      Remote Admin
        public         Disk      Public 
        C$             Disk      Default share
        IPC$           IPC       Remote IPC
        OReilly        Printer   OReilly
        print$         Disk      Printer Drivers


This machine has a browse list:

        Server               Comment
        ---------            -------
        HOPPER               Samba 1.9.15p8
        KERNIGAN             Samba 1.9.15p8
        LOVELACE             Samba 1.9.15p8
        RITCHIE              Samba 1.9.15p8
        ZIMMERMAN            

If you want to reach the public directory on the machine we have to type:

smbclient \\\\{HOSTNAME}\\public

It may ask you for a password.

Once we are connected we can do a bunch of operation, type smb: \> help for more info.