
04. SMB Samba Part 1

1. Detecting SMB and NetBIOS Services

Command:

nmap <IP Address> -sV -p 139,445

Explanation:

  • Scans ports 139 (NetBIOS) and 445 (SMB) to detect services running on them.
  • -sV enables version detection.

Example Output:

PORT    STATE SERVICE       VERSION
139/tcp open  netbios-ssn   Samba smbd 3.X
445/tcp open  microsoft-ds  Windows Server 2019

Real-World Use Case:

  • Helps determine if SMB services are active and their versions for vulnerability assessment.

2. Scanning Top 25 UDP Ports

Command:

nmap <IP Address> -sU --top-ports 25 --open

Explanation:

  • -sU selects a UDP scan; --top-ports 25 scans the 25 most commonly used UDP ports according to Nmap's frequency data.
  • --open displays only open (or open|filtered) ports.

Real-World Use Case:

  • Identifies critical UDP services running on the target.

3. UDP Service Version Detection

Command:

nmap <IP Address> -sU --top-ports 25 --open -sV

Explanation:

  • Identifies versions of services running on the top 25 open UDP ports.

Real-World Use Case:

  • Determines if outdated or vulnerable services are active.

4. Discovering SMB Operating System Details

Command:

nmap <IP Address> -p 445 --script smb-os-discovery

Explanation:

  • Identifies the operating system version and build number through SMB.

Example Output:

| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393

Real-World Use Case:

  • Helps penetration testers determine the OS version for targeted exploits.
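The version and OS output from sections 1 and 4 is most useful when it is turned into an inventory of which hosts expose SMB and what they disclose. The following Python script is an added example, not part of the original page: it parses the nmap -sV and smb-os-discovery output format shown above and produces per-host findings for a defender reviewing SMB exposure. The three hosts and their banners are constructed sample data, not real scan results.

```python
import re
from dataclasses import dataclass, field

# Constructed sample nmap output (not captured from a real scan): it follows
# the -sV / smb-os-discovery layout shown on this page for three
# hypothetical hosts in the TEST-NET-1 documentation range.
SAMPLE_SCAN = """\
Nmap scan report for 192.0.2.10
PORT    STATE SERVICE       VERSION
139/tcp open  netbios-ssn   Samba smbd 3.X
445/tcp open  netbios-ssn   Samba smbd 3.X
Nmap scan report for 192.0.2.20
PORT    STATE SERVICE       VERSION
139/tcp filtered netbios-ssn
445/tcp open  microsoft-ds  Windows Server 2019
Host script results:
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393
Nmap scan report for 192.0.2.30
PORT    STATE  SERVICE      VERSION
445/tcp closed microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+(\S+)\s+(\S+)\s*(.*)$")
OS_RE = re.compile(r"^\|\s+OS:\s+(.+)$")


@dataclass
class SmbHost:
    address: str
    open_ports: dict = field(default_factory=dict)  # port number -> version banner
    os_banner: str = ""


def parse_scan(text):
    """Group open 139/445 ports and smb-os-discovery OS banners per host."""
    hosts = []
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = SmbHost(m.group(1))
            hosts.append(current)
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m and m.group(2) == "open" and m.group(1) in ("139", "445"):
            current.open_ports[int(m.group(1))] = m.group(4).strip()
            continue
        m = OS_RE.match(line)
        if m:
            current.os_banner = m.group(1).strip()
    return hosts


def assess(hosts):
    """Return {address: [finding, ...]} for hosts that expose SMB or NetBIOS."""
    report = {}
    for h in hosts:
        findings = []
        if 139 in h.open_ports:
            findings.append("NetBIOS session service (139) reachable")
        if 445 in h.open_ports:
            findings.append("SMB (445) reachable")
        banners = " ".join(h.open_ports.values())
        if re.search(r"Samba smbd 3\b", banners):
            findings.append("Samba smbd 3.X banner seen: verify SMBv1 is disabled")
        if h.os_banner:
            findings.append(f"OS disclosed over SMB: {h.os_banner}")
        if findings:
            report[h.address] = findings
    return report


if __name__ == "__main__":
    for address, findings in assess(parse_scan(SAMPLE_SCAN)).items():
        print(address)
        for f in findings:
            print("  -", f)
```

Feed it `nmap -sV -p 139,445 --script smb-os-discovery -oN scan.txt` output instead of the sample to get a list of hosts that need their SMB configuration reviewed; the Samba check only flags the banner for follow-up, since the banner alone does not prove that the NT1 dialect is enabled.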

5. SMB Version Scanning Using Metasploit

Commands:

msfconsole
use auxiliary/scanner/smb/smb_version
set RHOSTS <IP Address>
run

Explanation:

  • Launches Metasploit and scans SMB services for version detection.

Real-World Use Case:

  • Determines if the target is vulnerable to SMB-based exploits like EternalBlue.

6. NetBIOS Name Lookup Using NMBLookup

Command:

nmblookup -A <IP Address>

Explanation:

  • Sends a NetBIOS node status query (-A) to the target and prints its NetBIOS name table.

Example Output:

NetBIOS Name Table of <IP Address>
    WORKGROUP     <00> - <GROUP>
    SERVERNAME    <20> - <UNIQUE>

Real-World Use Case:

  • Identifies NetBIOS names for reconnaissance.

7. Listing SMB Shares Using SMBClient

Command:

smbclient -L <IP Address> -N

Explanation:

  • Lists the SMB shares the target advertises, attempting a null (anonymous) session.
  • -N suppresses the password prompt so the connection is attempted without credentials.

Example Output:

    Sharename       Type
    ADMIN$         Disk
    C$             Disk
    IPC$           IPC

Real-World Use Case:

  • Identifies accessible SMB shares that might contain sensitive data.

Note: Anonymous SMB Access Behavior

Sometimes an anonymous (null session) login is accepted by the target, but share enumeration and other actions are still restricted and return an "access denied" error.

8. Enumerating RPC Services Using RPCClient

Command:

rpcclient -U "" -N <IP Address>

Explanation:

  • Connects to the target's MS-RPC interface over SMB using a null session.
  • -U "" specifies an empty username.
  • -N suppresses the password prompt.

Real-World Use Case:

  • Helps identify exposed RPC services that may be exploited.

Summary

These Nmap, Metasploit, and SMB-related commands provide valuable insights into SMB security, misconfigurations, and potential attack vectors. Properly securing SMB services can help prevent unauthorized access, data leaks, and network intrusions.

Mitigation Strategies:

  1. Disable SMBv1 – Prevents exploitation via known vulnerabilities.
  2. Restrict Anonymous Access – Ensures only authenticated users can access SMB shares.
  3. Use Strong Credentials – Protects against brute-force attacks.
  4. Enable SMB Signing and Encryption – Prevents Man-in-the-Middle (MITM) attacks.
  5. Monitor SMB Logs – Detects suspicious activity in real time.
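Since this page is about Samba, the mitigation list maps directly onto smb.conf parameters. The following Python script is an added example, not part of the original page: it reads an smb.conf, normalises parameter names the way Samba does (case and internal whitespace are ignored), and reports which of mitigation items 1, 2, 4 and 5 the file fails. Both configuration fragments are constructed for illustration; the parameter names (server min protocol, map to guest, restrict anonymous, guest ok, server signing, smb encrypt, log level with the auth_audit debug class) are real Samba options, and the warning that older Samba releases default to NT1 refers to versions before 4.11.

```python
import re

# Constructed smb.conf fragments (not taken from any real system): one with
# the weak settings this page's mitigation list warns about, one hardened.
WEAK_CONF = """\
[global]
   workgroup = WORKGROUP
   server min protocol = NT1       # SMBv1 still negotiable
   map to guest = Bad User         # failed logins become guest
   restrict anonymous = 0          # null sessions allowed
   server signing = auto           # signing only if the client asks
   smb encrypt = off

[public]
   path = /srv/public
   guest ok = yes
"""

HARDENED_CONF = """\
[global]
   workgroup = WORKGROUP
   server min protocol = SMB3
   map to guest = Never
   restrict anonymous = 2
   server signing = mandatory
   smb encrypt = required
   log level = 1 auth_audit:3     ; log every authentication attempt

[public]
   path = /srv/public
   guest ok = no
"""

SMB1_DIALECTS = {"NT1", "LANMAN1", "LANMAN2", "CORE", "COREPLUS"}


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {param: value}} with normalised names."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#")[0].split(";")[0].strip()  # drop both comment styles
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf[section] = {}
            continue
        if section is not None and "=" in line:
            key, value = line.split("=", 1)
            key = " ".join(key.split()).lower()  # Samba ignores case/spacing in names
            conf[section][key] = value.strip()
    return conf


def audit_smb_conf(text):
    """Return findings, each prefixed with the mitigation item number it relates to."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []

    minproto = g.get("server min protocol", "").upper()
    if minproto in SMB1_DIALECTS:
        findings.append("1: 'server min protocol' allows SMBv1; set SMB2 or SMB3")
    elif not minproto:
        findings.append("1: 'server min protocol' unset; pin it (Samba before 4.11 defaulted to NT1)")

    if g.get("map to guest", "never").lower() != "never":
        findings.append("2: 'map to guest' turns failed logins into guest sessions; set Never")
    if g.get("restrict anonymous", "0") != "2":
        findings.append("2: 'restrict anonymous' below 2 permits null sessions")
    for name, params in conf.items():
        if name != "global" and params.get("guest ok", "no").lower() in ("yes", "true", "1"):
            findings.append(f"2: share [{name}] allows guest access")

    if g.get("server signing", "default").lower() != "mandatory":
        findings.append("4: 'server signing' not mandatory; signing can be negotiated away")
    if g.get("smb encrypt", "default").lower() != "required":
        findings.append("4: 'smb encrypt' not required; sessions may run unencrypted")

    if "auth_audit" not in g.get("log level", ""):
        findings.append("5: no auth_audit logging; add 'log level = 1 auth_audit:3'")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {len(audit_smb_conf(conf))} finding(s)")
        for f in audit_smb_conf(conf):
            print("  -", f)
```

Run it against `/etc/samba/smb.conf` (or against `testparm -s` output, which expands defaults) to see which of the five mitigations a server still lacks; mitigation 3, strong credentials, is a password-policy matter and is not visible in smb.conf.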

By applying these security measures, organizations can strengthen their SMB configurations and minimize risks.