
01. SMB Windows Discover & Mount

Introduction

Server Message Block (SMB) is a network protocol used for sharing files, printers, and other resources. It is commonly found in Windows environments and is often targeted by attackers. This document covers various commands to enumerate SMB services, users, shares, and security configurations.

Nmap for SMB Enumeration in Windows

  1. Enumerate SMB Services and OS Information

    nmap -p 139,445 <Target_IP> -sV -O
    
    • Purpose: Scan the common SMB ports (139 and 445), detect service versions, and fingerprint the OS.

    • Example Output:

      PORT    STATE SERVICE     VERSION
      139/tcp open  netbios-ssn Microsoft Windows netbios-ssn
      445/tcp open  microsoft-ds Windows 10 Pro
      Host script results:
      |_smb-os-discovery: Windows Server 2012
      
  2. Check SMB Security and Configuration

    nmap --script smb-security-mode <Target_IP>
    
    • Purpose: Check whether SMB message signing is enabled (critical for secure communication).

    • Example Output:

      smb-security-mode: Message signing disabled (dangerous)
      
  3. List SMB Shares

    nmap --script smb-enum-shares <Target_IP>
    
    • Purpose: List available SMB shares on the target system.

    • Example Output:

      smb-enum-shares: 
      Share: C$     Type: Disk
      Share: ADMIN$ Type: Disk
      Share: SharedFolder Type: Disk
      
  4. User Enumeration over SMB

    nmap --script smb-enum-users <Target_IP>
    
    • Purpose: Enumerate user accounts on the target system via SMB.

    • Example Output:

      smb-enum-users:
      User: Administrator (admin account)
      

Practical Windows SMB Usage Examples

  1. Delete All Existing SMB Mappings

    net use * /delete

    • Use Case: Ensure no previous network shares are lingering.

  2. Map a Network Drive to an SMB Share

    net use Z: \\192.168.1.10\SharedFolder /user:administrator

    • Explanation: Maps the network share SharedFolder to local drive Z:.

  3. Access the Share via Command Line

    dir Z:

    • Use Case: List the contents of the mapped drive.

  4. Connect to the Default Admin Share C$

    net use Z: \\192.168.1.10\C$ /user:administrator smbserver_771

    • Security Note: Only administrators can access admin shares (C$, D$, etc.). Use strong passwords. A password given on the command line, as here, is visible on screen and in process command-line logs; putting * in its place makes net use prompt for it instead.
    • Note: Z: must not already be mapped. If it is still mapped from the earlier example, disconnect it first.

  5. Disconnect a Specific Share

    net use Z: /delete

    • Use Case: Remove a specific SMB mapping.

SMB Security Best Practices

  1. Disable SMBv1:

    • SMBv1 is outdated and vulnerable to attacks like WannaCry. Use this command to disable it:

      Set-SmbServerConfiguration -EnableSMB1Protocol $false
      
  2. Enable Message Signing:

    • Ensure message signing is enforced to prevent MITM attacks:

      Set-SmbServerConfiguration -RequireSecuritySignature $true
      
  3. Restrict SMB Access:

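    • Limit access to trusted subnets by configuring firewall rules. A scoped allow rule only narrows access if no broader allow rule for port 445 (such as the built-in File and Printer Sharing rules) is also enabled: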

      New-NetFirewallRule -DisplayName "Allow SMB from Internal" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445 -RemoteAddress 192.168.1.0/24
      
  4. Use Strong Authentication:

    • Always enforce strong passwords and disable guest access:

      Disable-LocalUser -Name "Guest"
      
  5. Regular Auditing:

    • Monitor SMB access logs in Windows Event Viewer under Security Logs.
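
A read-only check of the first four settings above, as an added example that is not part of the original page. The function name Test-SmbHardening is hypothetical, and the firewall check only examines locally stored rules that name port 445 explicitly.

```powershell
# Added example: audits the SMB hardening settings listed above without changing them.
# Run in an elevated PowerShell session on the SMB server.
function Test-SmbHardening {
    [CmdletBinding()]
    param()

    $cfg = Get-SmbServerConfiguration

    # Items 1 and 2: protocol version and signing, as set by Set-SmbServerConfiguration.
    [pscustomobject]@{
        Check  = 'SMBv1 disabled'
        Pass   = -not $cfg.EnableSMB1Protocol
        Detail = "EnableSMB1Protocol = $($cfg.EnableSMB1Protocol)"
    }
    [pscustomobject]@{
        Check  = 'Message signing required'
        Pass   = [bool]$cfg.RequireSecuritySignature
        Detail = "RequireSecuritySignature = $($cfg.RequireSecuritySignature)"
    }

    # Item 3: enabled inbound allow rules for TCP 445 that accept any remote address.
    # Rules that reach 445 only through a port range or 'Any' are not examined here.
    $unscoped = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            $port.Protocol -eq 'TCP' -and
            @($port.LocalPort) -contains '445' -and
            @($addr.RemoteAddress) -contains 'Any'
        }
    [pscustomobject]@{
        Check  = 'TCP 445 limited to specific remote addresses'
        Pass   = @($unscoped).Count -eq 0
        Detail = if ($unscoped) { 'Unscoped rules: ' + (@($unscoped).DisplayName -join '; ') }
                 else { 'No unscoped allow rule found' }
    }

    # Item 4: state of the built-in Guest account.
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'Guest account disabled'
        Pass   = ($null -eq $guest) -or (-not $guest.Enabled)
        Detail = if ($guest) { "Enabled = $($guest.Enabled)" } else { 'No account named Guest' }
    }
}

Test-SmbHardening | Format-Table -AutoSize -Wrap
```

A failed firewall check usually means a broader rule is still enabled alongside the scoped one, so the subnet restriction has no effect until that rule is disabled or scoped.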

Example Workflow: Secure SMB Mapping and Enumeration

  1. Start with an Nmap Scan:

    nmap -p 139,445 --script smb-enum-shares,smb-security-mode <Target_IP>
    
  2. Map the Secure Share:

    net use Y: \\192.168.1.10\SecureFolder /user:secureUser
    
  3. Check the Share Contents:

    dir Y:
    
  4. Disconnect the Share:

    net use Y: /delete