TCP 139, 445: NetBIOS, SMB

NetBIOS is a protocol used for File and Print Sharing under all current versions of Windows. While this in itself is not a problem, the way that the protocol is implemented can be. There are a number of vulnerabilities associated with leaving this port open.

NetBios services: NETBIOS Name Service (TCP/UDP: 137) NETBIOS Datagram Service (TCP/UDP: 138) NETBIOS Session Service (TCP/UDP: 139)

TCP port 445 is used for direct TCP_IP MS Networking access without the need for a NetBIOS layer. This service is only implemented in the more recent verions of Windows (e.g. Windows 2K / XP). The SMB (Server Message Block) protocol is used among other things for file sharing in Windows NT/2K_XP. In Windows NT it ran on top of NetBT (NetBIOS over TCP_IP, ports 137, 139 and 138_udp). In Windows 2K_XP, Microsoft added the possibility to run SMB directly over TCP_IP, without the extra layer of NetBT. For this they use TCP port 445.

Related

UDP 137, 138, TCP 139: NetBIOS

Enumeration

nbtscan

sudo nbtscan -r <ip-range>

nmap

Check default SMB ports are open

nmap -p139,445 <ip> --open

List SMB scripts

ls -l /usr/share/nmap/scripts | grep smb

Run all SMB scripts

nmap -p139,445 --script "smb*" --script-timeout 30 -oA nmap_smb <ip>

Run all SMB vuln scripts

nmap -p139,445 --script "smb-vuln*" --script-timeout 30 -oA nmap_smb-vuln <ip>

enum4linux

enum4linux is a tool for enumerating information from Windows and Samba systems

enum4linux -a <ip>

Run this in parallel to grep the samba version

sudo ngrep -i -d tun0 's.?a.?m.?b.?a.*[[:digit:]]'

enum4linux-ng

A next generation version of enum4linux (a Windows/Samba enumeration tool) with additional features like JSON/YAML export. Aimed for security professionals and CTF players. GitHub - cddmp/enum4linux-ng

python enum4linux-ng.py -A <ip>

SMBMap

SMBMap is a handy SMB enumeration tool GitHub - ShawnDEvans/smbmap

apt install smbmap

List files on target

smbmap -H <ip> -R --depth 5

Enumerate authenticated

smbmap -d <domain> -u <user> -p <hash:hash or pw> -H <ip>

Find file

smbmap -R <folder> -H <ip> -A Groups.xml -q

Tools

smbclient

FTP-like client to access SMB/CIFS resources on servers

list shares Unauthenticated

smbclient -N -L //<ip>

Authenticated

smbclient -L //<ip> -U <user> -P <pass>
smbclient \\\\$ip\\$share

Mount share

smbclient //<ip>/share

(look for files, containing password, pwd, admin, user, connect, etc.)

Download file

get <file>

Pull all files from (readable) share

recurse ON
prompt OFF
mget *

mount

Mount smb share locally

mount -t cifs -o username=<user>,password=<pw> //<ip>/<share> /mnt/<share>

gpp-decrypt

A simple ruby script that will decrypt a given GPP encrypted string.

apt install gpp-decrypt

gpp-decrypt <Groups.xml-cpassword>

smbexec

A rapid psexec style attack with samba tools

• GitHub - brav0hax/smbexec
• GitHub - 404NetworkError/smbexec at fixes

grab password hashes from domain controller

./smbexec

-> 3 "obain hashes" -> 2 "domain controllers"

crackmapexec

A swiss army knife for pentesting networks GitHub - byt3bl33d3r/CrackMapExec

-> SMB Command Reference

Display help (smb)

cme smb --help

Using Credentials, NULL Sessions, PtH Attacks

cme smb <ip> -u <user> -H <hash>

null sessions

Pre Windows 2003, XP SP2

rpcclient -U "" <ip>

-> Enter empty password

srvinfo
enumdomusers
getdompwinfo
querydominfo
netshareenum
netshareenumall

Metasploit

smb version

Get samba version

use auxiliary/scanner/smb/smb_version

psexec

use auxiliary/admin/smb/psexec_command