SMB Ports
SMB Port: 139/445
- Port 139 is the older port, which runs over NetBIOS. NetBIOS is a transport layer protocol that allows Windows computers to speak to each other on the same network.
- Port 445 is the newer port, which runs directly over the TCP/IP stack. This allows SMB to work over the Internet.
Looking for open SMB ports
- Access the network and perform a Nmap scan. I used the following:
nmap -A <host>
Where '<host>' is the IP address or range you want to scan
Where '-A' enables OS detection, version detection, script scanning, and traceroute
Find the content of a share
Additional options may be required; the smbclient help output below lists the options that can be used.
smbclient -L <host>
Where '-L' lists the shares available on the host (the help text below describes it as "Get a list of shares available on a host")
Where '<host>' is the IP address of the host
$ smbclient --help
Usage: smbclient service <password>
-R, --name-resolve=NAME-RESOLVE-ORDER Use these name resolution services only
-M, --message=HOST Send message
-I, --ip-address=IP Use this IP to connect to
-E, --stderr Write messages to stderr instead of stdout
-L, --list=HOST Get a list of shares available on a host
-m, --max-protocol=LEVEL Set the max protocol level
-T, --tar=<c|x>IXFvgbNan Command line tar
-D, --directory=DIR Start from directory
-c, --command=STRING Execute semicolon separated commands
-b, --send-buffer=BYTES Changes the transmit/send buffer
-t, --timeout=SECONDS Changes the per-operation timeout
-p, --port=PORT Port to connect to
-g, --grepable Produce grepable output
-q, --quiet Suppress help message
-B, --browse Browse SMB servers using DNS
Help options:
-?, --help Show this help message
--usage Display brief usage message
Common samba options:
-d, --debuglevel=DEBUGLEVEL Set debug level
-s, --configfile=CONFIGFILE Use alternate configuration file
-l, --log-basename=LOGFILEBASE Base name for log files
-V, --version Print version
--option=name=value Set smb.conf option from command line
Connection options:
-O, --socket-options=SOCKETOPTIONS socket options to use
-n, --netbiosname=NETBIOSNAME Primary netbios name
-W, --workgroup=WORKGROUP Set the workgroup name
-i, --scope=SCOPE Use this Netbios scope
Authentication options:
-U, --user=USERNAME Set the network username
-N, --no-pass Don't ask for a password
-k, --kerberos Use kerberos (active directory) authentication
-A, --authentication-file=FILE Get the credentials from a file
-S, --signing=on|off|required Set the client signing state
-P, --machine-pass Use stored machine account password
-e, --encrypt Encrypt SMB transport
-C, --use-ccache Use the winbind ccache for authentication
--pw-nt-hash The supplied password is the NT hash
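The nmap scan and the smbclient -L listing above are usually chained when building an inventory of hosts that expose SMB. As an added example (not from the page's author), the POSIX shell script below reads nmap's grepable output (nmap -oG), keeps only hosts with 139 or 445 reported open, and prints one smbclient -L command per host for review rather than running it. The scan output embedded in sample_gnmap is constructed for the example; -N (no password prompt) is taken from the help text above.

```shell
# Constructed sample of 'nmap -p139,445 -oG -' output (not a real scan).
sample_gnmap() {
    printf '# Nmap 7.94 scan initiated as: nmap -p139,445 -oG - 10.10.10.0/29\n'
    printf 'Host: 10.10.10.1 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)\n'
    printf 'Host: 10.10.10.2 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///\n'
    printf 'Host: 10.10.10.3 (fs01)\tPorts: 445/open/tcp//microsoft-ds///\n'
    printf 'Host: 10.10.10.4 ()\tPorts: 22/open/tcp//ssh///\n'
    printf '# Nmap done: 4 IP addresses (4 hosts up)\n'
}

# Read grepable nmap output on stdin and emit "ip port" for every
# open 139 or 445 entry. Grepable fields are tab-separated; each port
# entry has the form port/state/proto/owner/service/rpc/version/.
smb_hosts() {
    awk '
        BEGIN { FS = "\t" }
        /^Host:/ {
            split($1, h, " "); ip = h[2]
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports:/) continue
                n = split(substr($i, 8), ports, ", ")
                for (j = 1; j <= n; j++) {
                    split(ports[j], f, "/")
                    if ((f[1] == "139" || f[1] == "445") && f[2] == "open")
                        print ip, f[1]
                }
            }
        }'
}

# Deduplicate the hosts and print the share-listing command for each,
# as on this page (smbclient -L <host>), with -N to skip the password prompt.
smb_list_commands() {
    smb_hosts | awk '{ print $1 }' | sort -u | while read -r ip; do
        printf 'smbclient -L %s -N\n' "$ip"
    done
}

# Stand-alone run: sample_gnmap | smb_list_commands
```

Swap sample_gnmap for `nmap -p139,445 -oG - <range>` to run it against a real scan; the awk filter is unchanged.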
Connect to an SMB shell
smbclient //<host>/<share>
Example: smbclient //10.10.10.1/workshare
Saving a file to your system
When connected to the SMB shell, change to the directory of interest and download the file(s) you need with get.
smb: \> cd User1
smb: \User1\> ls
. D 0 Thu Jun 3 09:38:03 2021
.. D 0 Thu Jun 3 09:38:03 2021
file.txt A 32 Mon Mar 29 10:26:57 2021
5114111 blocks of size 4096. 1751933 blocks available
smb: \User1\> get file.txt
getting file \User1\file.txt of size 32 as file.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
Additional commands are available inside the SMB shell; type ? to list them, as shown below.
smb: \User1\> ?
? allinfo altname archive backup
blocksize cancel case_sensitive cd chmod
chown close del deltree dir
du echo exit get getfacl
geteas hardlink help history iosize
lcd link lock lowercase ls
l mask md mget mkdir
more mput newer notify open
posix posix_encrypt posix_open posix_mkdir posix_rmdir
posix_unlink posix_whoami print prompt put
pwd q queue quit readlink
rd recurse reget rename reput
rm rmdir showacls setea setmode
scopy stat symlink tar tarmode
timeout translate unlock volume vuid
wdel logon listconnect showconnect tcon
tdis tid utimes logoff ..
!