Guides

SMB in a CLI world

If you are new, or like me forget the bazillion command syntaxes in the world, the man command will be super helpful, as will some Google-fu. To help people on their way, here are some examples of basic SMB tools; these come with Kali.

SMB Ports

SMB typically operates on TCP 445.

Nmap Example

nmap -p T:445 -v -sV 192.168.0.5


SMBTools

https://www.samba.org/samba/docs/current/man-html/smbclient.1.html

https://www.samba.org/samba/docs/current/man-html/smbtree.1.html

https://www.kali.org/tools/smbmap/

SMBCLIENT

List Shares

Auth

smbclient -L //192.168.0.5/

Anonymous

smbclient -L //192.168.0.5/ -N

Connect to a remote share (note: no -L here; -L only lists shares, it does not open a session)

smbclient //192.168.0.5/share

List files & directories

ls

Change Directory

cd

Download (or Get) a file

get filename

Upload (or Put) a file

put filename

Delete

del file

Rename

rename file newname

SMBMap

smbmap -H 192.168.0.5

Guest Access

smbmap -u anonymous -H 192.168.0.5

Recursive

smbmap -u anonymous -H 192.168.0.5 -R

Authenticated

smbmap -u administrator -p Pa55w0rd1 -H 192.168.0.5

Recursive

Note: this may take some time if the account has access to a large volume of data (e.g. an admin account).

smbmap -u administrator -p Pa55w0rd1 -H 192.168.0.5 -R

SMB Hash Type

The NTLMv2-SSP (also called Net-NTLMv2 or NTLMv2) hash looks like this:

administrator::WORKGROUP:4e0b9bcd7dc…

https://hashcat.net/wiki/doku.php?id=example_hashes

Collecting hashes

You can collect hashes using:

  • Responder (https://github.com/SpiderLabs/Responder)
  • Inveigh (https://github.com/Kevin-Robertson/Inveigh)
  • SMBSERVER.py from impacket (https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbserver.py)
  • Packet Captures/PCAPs
  • TAPs

NETNTLM hashes can also be relayed.

Cracking NETNTLMv2-SSP (Net-NTLMv2) hashes

You can crack these with hashcat (mode 5600; hashes.txt and wordlist.txt below are placeholder file names):

hashcat -m 5600 hashes.txt wordlist.txt

Or John the Ripper:

john --format=netntlmv2 hashes.txt
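As an added example (not part of the original guide), the Python below parses a Net-NTLMv2 line in the hashcat 5600 format shown above and recomputes the NTProofStr for a candidate password, which is the check hashcat and John perform offline. It also shows why these hashes cannot be passed: the response is an HMAC over a one-time server challenge and client blob, so a captured value is bound to that single handshake. The MD4 routine is a pure-Python implementation (hashlib's md4 is often disabled under OpenSSL 3), the function and field names are my own, and the sample line is constructed from the page's example account and password rather than taken from a real capture.

```python
"""Added example: parse a hashcat-mode-5600 (Net-NTLMv2) line and recompute the
NTProofStr for a candidate password. The test vector below is constructed."""
import hmac
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable on OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK32

    msg = bytearray(data) + b"\x80"          # padding: 0x80, zeros, 64-bit LE bit length
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2_idx = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3_idx = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = rotl((a + F(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = rotl((a + G(b, c, d) + x[r2_idx[i]] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = rotl((a + H(b, c, d) + x[r3_idx[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 of the UTF-16LE password (this is what pass-the-hash uses)."""
    return md4(password.encode("utf-16le"))


def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain in UTF-16LE."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), "md5").digest()


def parse_net_ntlmv2(line: str) -> dict:
    """Split 'user::domain:serverchallenge:ntproofstr:blob' and sanity-check field sizes."""
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        raise ValueError("not a hashcat 5600 / Net-NTLMv2 line")
    user, _, domain, challenge, proof, blob = parts
    # server challenge is 8 bytes (16 hex), NTProofStr is 16 bytes (32 hex), blob starts 0x01010000
    if len(challenge) != 16 or len(proof) != 32 or not blob.startswith("0101"):
        raise ValueError("unexpected field length or blob signature")
    return {"user": user, "domain": domain,
            "server_challenge": bytes.fromhex(challenge),
            "ntproofstr": bytes.fromhex(proof),
            "blob": bytes.fromhex(blob)}


def check_password(line: str, candidate: str) -> bool:
    """True if the candidate reproduces the captured NTProofStr (what an offline crack tests)."""
    h = parse_net_ntlmv2(line)
    key = ntlmv2_hash(candidate, h["user"], h["domain"])
    proof = hmac.new(key, h["server_challenge"] + h["blob"], "md5").digest()
    return hmac.compare_digest(proof, h["ntproofstr"])


def build_line(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    """Constructed helper: produce a 5600-format line the way the client's response is formed."""
    key = ntlmv2_hash(password, user, domain)
    proof = hmac.new(key, server_challenge + blob, "md5").hexdigest()
    return f"{user}::{domain}:{server_challenge.hex()}:{proof}:{blob.hex()}"


# Constructed test vector (not a real capture): page's example account and password.
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
BLOB = (bytes.fromhex("0101000000000000")      # blob signature + reserved
        + bytes.fromhex("00d0a0e1b2c3d4e5")    # timestamp (constructed)
        + bytes.fromhex("fedcba9876543210")    # client challenge (constructed)
        + b"\x00" * 4                          # unknown/reserved
        + b"\x00" * 4                          # AV pair list: MsvAvEOL only
        + b"\x00" * 4)                         # trailer
SAMPLE_LINE = build_line("administrator", "WORKGROUP", "Pa55w0rd1", SERVER_CHALLENGE, BLOB)

if __name__ == "__main__":
    fields = parse_net_ntlmv2(SAMPLE_LINE)
    print("user/domain:", fields["user"], fields["domain"])
    print("server challenge:", fields["server_challenge"].hex())
    print("matches Pa55w0rd1:", check_password(SAMPLE_LINE, "Pa55w0rd1"))
    print("matches password :", check_password(SAMPLE_LINE, "password"))
```

The defender's takeaway is in check_password: the only way to turn a captured Net-NTLMv2 line into the password is to guess candidates and recompute the HMAC chain, so password length and a lockout-independent rate (offline) are what decide how long that takes; the NT hash itself (nt_hash) never appears on the wire, which is why the page says only LM/NTLM hashes, not Net-NTLM responses, can be passed.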

Pass the hash (PTH)

The NETNTLM hashes can't be passed. Only LM or NTLM hashes can be passed, using tools such as:

  • Crackmapexec
  • PSEXEC
  • Impacket
  • Metasploit

Summary

Understanding protocols and tools for common services is key for basic sysadmin, cyber defensive and offensive skills. Transferring files to and from systems is also important, as is understanding authentication protocols and their strengths/weaknesses.