By Thomas Wilhelm
I had a question the other day from a student at the Hacking Dojo who was interested in accessing a Windows system remotely through SMB. My initial response was to tell the student that it was similar to FTP, and that they should conduct the same type of enumeration against SMB as they would against anything else open on the system. Unfortunately, this did not help the student, because their hands-on experience with Windows file sharing had all been done through the GUI. It then dawned on me that, since I came from a Solaris background, I had a different experience: as a system / network administrator I would simply map the drives at the command line. Because of this, I decided to put together a quick tutorial for my students. Since there might be some additional confusion in the general populace of the security community, I thought getting it published on The Ethical Hacker Network would be beneficial. In a world where security awareness is rapidly increasing and even your grandmother has a secured wireless access point, one might imagine that admins without command line experience and open, anonymous SMB shares are a thing of the past… think again!
During a penetration test (pentest), it is natural to investigate FTP services within a network that allow anonymous access. It is possible that sensitive data is unintentionally placed on an FTP server by non-IT employees (for the sake of convenience) without their knowing who else can access the material. During a pentest, I find these anonymous FTP systems quite frequently, and in some cases they serve up useful information. Now, if we compare FTP with system shares, we find that employees are even quicker to allow anonymous access to their own files – all it takes is someone wanting access to a document another employee has on their system. In fact, sharing a single file makes it easier to maintain revisions than copying a file back and forth to an FTP server. While that is certainly convenient for the employees, it is obviously quite devastating for the organization’s security posture. So let’s take a look at SMB shares and how we can take advantage of them.
Since this tutorial is for new students learning pentesting, I will begin our fun with SMB with enumeration and discuss some issues along the way. The first thing we want to do is find a system that has SMB running. In Figure 1, we see the results of an Nmap scan against a target within the Dojo’s lab. Nmap discovered NetBIOS, the computer name (HACKINGDOJO-01), and the name of the workgroup to which the system is assigned (WORKGROUP).
Figure 1 – Nmap scan of target system
Now that we know there is a system that permits remote connectivity via SMB, we need to see what else we can discover. Just as with FTP, there is a tool that makes it easy to connect remotely to file shares on other systems: smbclient. Figure 2 is the output from a request using smbclient to identify shares on the target system (the “-L” option asks the host to list the shares it offers, and the “-U” option provides the username to present to the remote system). In this instance, we used “administrator” as the username, more out of laziness than anything else. Since we currently don’t know any usernames on the system, using “administrator” works in a pinch. Also, since we don’t know any passwords yet, we can just hit the return key when prompted. (There is another flag that bypasses the password prompt and logs in anonymously; I’ll leave that for you to figure out… consider it homework.)
Figure 2 – Lookup request to remote system
Once we connect to the remote system with our query, the remote system responds with a list of share names. The next thing we want to do is see if we can access any of the directory shares. In this case (and for the sake of brevity) we will target the “SharedDocs” share. In Figure 3, we attempt again to connect anonymously, again using smbclient. We pass the target IP address together with the share name, along with the user we want to log in as (again, administrator). Using either the “ls” or the “dir” command, we are presented with the current working directory and the files / folders present within the share. From here we can navigate around using commands similar to those found in FTP clients.
Figure 3 – Logged in remotely using smbclient
That’s really about it – there are some quirks of syntax and output formatting that need attention, but playing with smbclient is the best way to learn those (more homework). However, if systems in a network are configured with anonymous shares, what we covered is pretty much all you need to know.
All that said, those who have taken my class have heard the following mantra of mine numerous times, so I repeat it here: “Always be cynical – never trust your tools – always use more than one tool for each task…” and that saying applies here as well. We may have unfettered access to a shared document folder (which could be a serious win, mind you), but we haven’t enumerated the system to its fullest potential. What I would also like to know is whether there are any additional users on this system. A tool often cited in tutorials regarding SMB exploitation is Metasploit (which we will use next), and specifically its smb_login module. Let’s take a look at the output of that module against our target, as seen in Figure 4.
Figure 4 – smb_login module results
After we run the module, we are no further along than we were before running it. However, there are other tools available to us in Metasploit that target SMB. So the next module we will look at is smb_enumusers_domain. In Figure 5, we see a new value, specifically “wilhelm,” which turns out to be a username on the target system.
Figure 5 – smb_enumusers_domain results
If we return to the smb_login module and set the username (SMBUser) to “Wilhelm,” we come up with some different results, as seen in Figure 6. It is possible that “wilhelm” has a password that we could attempt to brute force, which smb_client is also capable of doing.
Figure 6 – smb_client with a username included
We now have additional information that we could use to expand our attack against other systems in the network / domain. Anonymous logins are oftentimes extremely helpful when accessing remote systems during a pentest, but we should make sure to squeeze as much information out of the target as we can. This includes user enumeration. I also want to point out that these tools have a lot of functionality, along with restrictions and circumstances that affect how a pentester can use them, so it is imperative for students to understand every flag, option and limitation of each tool or module they use. For example, all of the Metasploit modules I used in this example can generate a significant amount of noise. Also, we are always faced with account lock-outs that would halt us in our tracks… but how to mitigate those issues is another topic.
Being an instructor as well as a full-time pentester, I’m always looking for opportunities to assign more homework. So your task is to study each and every option of the tools we tried in this tutorial. And yes… that also includes researching all of the command line options for interacting with SMB shares (Hint: type net in your Windows cmd). Then play with them to fully understand the subtle differences and consequences of each.
I hope that this short and fundamental tutorial explained how SMB works in an internal network, and some of the steps taken during a pentest. I hope that those who are not familiar with SMB take this lesson and delve deeper into the subject. There is a lot that can be done against a system with shares within a pentest. Enjoy!
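Seen from the blue-team side, the activity walked through above leaves two distinct traces, and the following added Python example (not code from the original tutorial) shows how each can be picked out of log records; the pipe-delimited field layout, the sample addresses and the reuse of the HACKINGDOJO-01 host name from Figure 1 are assumptions made for this example, and the records are constructed, simplified stand-ins for Windows Security events. It flags a Disk share opened over a null (anonymous) session, and the burst of failed network logons that a password-guessing module such as smb_login produces, which is also what trips the account lock-outs mentioned above.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs), pipe-delimited:
# timestamp|event_id|logon_type|account|source_ip|share
# 4624 = logon, 4625 = failed logon, 5140 = share accessed; type 3 = network.
SAMPLE_LOG = """\
2013-05-01T10:00:01|4624|3|ANONYMOUS LOGON|10.0.0.5|-
2013-05-01T10:00:02|5140|3|ANONYMOUS LOGON|10.0.0.5|\\\\HACKINGDOJO-01\\IPC$
2013-05-01T10:00:03|5140|3|ANONYMOUS LOGON|10.0.0.5|\\\\HACKINGDOJO-01\\SharedDocs
2013-05-01T10:03:10|4625|3|administrator|10.0.0.5|-
2013-05-01T10:03:11|4625|3|wilhelm|10.0.0.5|-
2013-05-01T10:03:12|4625|3|wilhelm|10.0.0.5|-
2013-05-01T10:03:13|4625|3|wilhelm|10.0.0.5|-
2013-05-01T10:30:00|4624|3|wilhelm|10.0.0.20|-
2013-05-01T10:30:01|5140|3|wilhelm|10.0.0.20|\\\\HACKINGDOJO-01\\SharedDocs
"""

def parse(text):
    """Turn the pipe-delimited records into dicts with a parsed timestamp."""
    events = []
    for line in filter(None, text.splitlines()):
        ts, eid, ltype, user, src, share = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid),
                       "type": int(ltype), "user": user, "src": src, "share": share})
    return events

def anonymous_share_access(events):
    """(source, share) pairs opened over a null session. IPC$ is skipped: it is
    the named-pipe share every host exposes; an open Disk share is the finding."""
    return [(e["src"], e["share"]) for e in events
            if e["id"] == 5140 and e["user"] == "ANONYMOUS LOGON"
            and not e["share"].endswith("IPC$")]

def failed_logon_bursts(events, threshold=4, window=timedelta(seconds=60)):
    """{source_ip: peak failures} for sources with >= threshold failed network
    logons inside one sliding window (the footprint of password guessing)."""
    per_src = {}
    for e in events:
        if e["id"] == 4625 and e["type"] == 3:
            per_src.setdefault(e["src"], []).append(e["ts"])
    bursts = {}
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                bursts[src] = max(bursts.get(src, 0), end - start + 1)
    return bursts
```

The anonymous hit points straight at the SharedDocs share from Figure 3, while the authenticated access from 10.0.0.20 is left alone; tune the threshold below your domain lock-out policy so the alert fires before the accounts do.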
Thomas Wilhelm has been involved in Information Security since 1990, when he served in the Army for eight years as a Signals Intelligence Analyst / Russian Linguist / Cryptanalyst. A speaker at security conferences across the U.S., including DefCon, HOPE, and CSI, he has been employed by Fortune 100 companies to conduct Risk Assessments, participate in and lead external and internal Penetration Testing efforts, and manage Information Systems Security projects.
Thomas is also a Doctoral student who holds Masters Degrees in both Computer Science and Management. He also dedicates some of his time as an Associate Professor at Colorado Technical University, and has contributed to multiple publications, including both magazines and books. His latest contribution was the publication titled “Ninja Hacking,” released in September, 2012, which was his fifth book contribution to Syngress. You can also find him training both military and civilian personnel at http://www.hackingdojo.com/.