03. SMB SMBMap
1. Checking SMB Protocol Versions
Command:
Explanation:
- Detects SMB versions supported by the target (SMBv1, SMBv2, SMBv3).
- SMBv1 is known to be vulnerable to exploits like EternalBlue (MS17-010).
Example Output:
Real-World Use Case:
- If SMBv1 is enabled, the system may be vulnerable to ransomware attacks like WannaCry.
2. Checking SMB Security Mode
Command:
Explanation:
- Identifies authentication methods and encryption levels enforced by the SMB server.
Example Output:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
Real-World Use Case:
- Determines whether weak authentication mechanisms are in place, potentially allowing unauthorized access.
3. Enumerating Active SMB Sessions
Command:
Explanation:
- Lists active SMB sessions on the target system.
- Useful for identifying logged-in users and potential unauthorized connections.
Example Output:
Real-World Use Case:
- Helps security analysts detect unauthorized access to SMB services.
4. Enumerating SMB Shares
Command:
Explanation:
- Lists shared folders available on the target system.
Example Output:
Real-World Use Case:
- Reveals accessible shared folders that may contain sensitive data.
- Attackers can exploit misconfigured shares to access files without authentication.
5. Enumerating SMB Users
Command:
nmap -p 445 --script smb-enum-users --script-args smbusername=administrator,smbpassword=smbserver_771 <target>
Explanation:
- Lists SMB users on the system.
Example Output:
Real-World Use Case:
- Identifies user accounts that might be targeted for brute-force attacks.
6. Enumerating SMB Domains
Command:
nmap -p 445 --script smb-enum-domains --script-args smbusername=administrator,smbpassword=smbserver_771 <target>
Explanation:
- Lists domain names associated with the SMB server.
Real-World Use Case:
- Useful in Active Directory penetration testing.
7. Enumerating SMB Groups
Command:
nmap -p 445 --script smb-enum-groups --script-args smbusername=administrator,smbpassword=smbserver_771 <target>
Explanation:
- Retrieves information about security groups configured on the SMB server.
8. SMB Enumeration Using SMBMap
Checking Anonymous SMB Access
- Attempts to list SMB shares without authentication.
Authenticating as Administrator
- Uses valid credentials to list SMB shares.
Running Remote Commands
- Executes system commands remotely over SMB.
Real-World Use Case:
- Used by attackers to run malicious commands on a compromised machine.
Listing Shared Files and Directories
- Lists all available SMB shares on the target.
Recursively Listing Files in C$ Share
- Displays files inside the C$ (Admin Share).
Uploading a File to SMB Share
- Transfers flag.txt to the C$ share.
Real-World Use Case:
- Attackers use this technique to drop malware onto the target system.
Downloading a File from SMB Share
- Retrieves flag.txt from the C$ share.
Real-World Use Case:
- Used for exfiltrating sensitive files.
Summary
These Nmap scripts and smbmap commands provide valuable insights into SMB security, misconfigurations, and potential attack vectors. Properly securing SMB services can help prevent unauthorized access, data leaks, and network intrusions.
Mitigation Strategies:
- Disable SMBv1 – Prevents exploitation via known vulnerabilities.
- Restrict Anonymous Access – Ensures only authenticated users can access SMB shares.
- Use Strong Credentials – Protects against brute-force attacks.
- Enable SMB Signing and Encryption – Prevents Man-in-the-Middle (MITM) attacks.
- Monitor SMB Logs – Detects suspicious activity in real time.
By applying these security measures, organizations can strengthen their SMB configurations and minimize risks.
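As an added example (not part of the original page), the following Python sketch parses saved output from the smb-protocols and smb-security-mode scripts and maps it to the mitigations listed above. The sample output is constructed, and the dialect lines and message_signing field are assumed from typical Nmap output, since the excerpt on this page does not show them.

```python
import re

# Constructed sample of Nmap script output, not captured from a real host.
# Dialect lines and message_signing are assumed from typical Nmap output.
SAMPLE = """\
Host script results:
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.02
|_    3.11
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
"""

def parse_scripts(text):
    """Group NSE output lines under the smb-* script that produced them."""
    scripts, current = {}, None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            current = None          # left the script-results block
            continue
        body = raw.lstrip("|_ ").strip()
        header = re.fullmatch(r"(smb-[\w-]+):", body)
        if header:
            current = scripts.setdefault(header.group(1), [])
        elif current is not None and body:
            current.append(body)
    return scripts

def audit(text):
    """Return hardening findings that map to the mitigation list."""
    scripts = parse_scripts(text)
    findings = []
    if any("SMBv1" in d for d in scripts.get("smb-protocols", [])):
        findings.append("SMBv1 offered: disable SMBv1")
    mode = dict(l.split(": ", 1) for l in scripts.get("smb-security-mode", []) if ": " in l)
    if mode.get("account_used") == "guest":
        findings.append("guest logon accepted: restrict anonymous access")
    signing = mode.get("message_signing")
    if signing is not None and not signing.startswith("required"):
        findings.append("SMB signing not required: enable and enforce signing")
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The parser keys on the script name rather than indentation, so it also accepts flattened output like the smb-security-mode excerpt shown in section 2.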