By Thomas Wilhelm
I had a question the other day from a student at the Hacking Dojo who was interested in accessing a Windows system remotely through SMB. My initial response was to tell the student that it was similar to FTP, and they should conduct the same type of enumeration against SMB as they do anything else open on the system. Unfortunately, this did not help the student, because their hands-on experience on Windows file sharing was all done using GUI. It then dawned on me that, since I came from a Solaris background, I had a different experience. I would simply map the drives at the command line as a system / network administrator. Because of this, I decided to put together a quick tutorial for my students. Since there might be some additional confusion in the general populace of the security community, I thought getting it published on The Ethical Hacker Network would be beneficial. In a world where security awareness is rapidly increasing and your grandmother even has a secure wireless access point, one might imagine that admins without command line experience and open, anonymous SMB shares are a thing of the past… think again!
During a penetration test (pentest), it is natural to investigate FTP services within a network that allow anonymous access. It is possible that sensitive data is unintentionally placed on an FTP server by non-IT employees (for the sake of convenience) without knowing who else can access the material. During a pentest, I find these anonymous FTP systems quite frequently, and in some cases they serve up useful information. Now, if we compare FTP with system shares, we find that employees are quicker to allow anonymous access to their own files – all it takes is someone wanting access to some document another employee has on their system. In fact, sharing a single file makes it easier to maintain revisions than copying a file back and forth between an FTP server. While that is certainly convenient for the employees, it is obviously quite devastating for the organization’s security posture. So let’s take a look at SMB shares and how we can take advantage of them.