Wednesday, 27 March 2013

Server Message Block


The Server Message Block (SMB) operates as an application-layer network protocol mainly used for providing shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network. Using this protocol, an application (or the user of an application) can access files at a remote server as well as other resources, including printers, mailslots, and named pipes. A client application can read, create, and update files on the remote server.

Most usage of SMB involves computers running Microsoft Windows, where it was known as "Microsoft Windows Network" before the subsequent introduction of Active Directory. Corresponding Windows services are the "Server Service" (for the server component) and "Workstation Service" (for the client component).

The Server Message Block protocol can run atop the Session (and lower) network layers in several ways:
  • directly over TCP, port 445
  • via the NetBIOS API, which in turn can run on several transports:
    • on UDP ports 137, 138 & TCP ports 137, 139
    • on several legacy protocols such as NBF

Versions

There have been a number of versions of SMB starting with its forerunner CIFS up to version 3 in Windows Server 2012. The versions and the corresponding Operating Systems are shown below.
  • CIFS – The ancient version of SMB that was part of Microsoft Windows NT 4.0 in 1996.
  • SMB 1.0 (or SMB1) – The version used in Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2003 R2
  • SMB 2.0 (or SMB2) – The version used in Windows Vista (SP1 or later) and Windows Server 2008
  • SMB 2.1 (or SMB2.1) – The version used in Windows 7 and Windows Server 2008 R2
  • SMB 3.0 (or SMB3) – The version used in Windows 8 and Windows Server 2012
Although the protocol is proprietary, its specification has been published to allow other systems to interoperate with Microsoft operating systems that use the new protocol.

The SMB protocol can provide a lot of information for the enumeration of targets and this is shown below.

SMB & NMap

Nmap can discovery a lot of information about a target using smb, typical output from against a Windows target is show below.

| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: insecure-62400a
|   NetBIOS computer name: INSECURE-62400A
|   Workgroup: WORKGROUP
|_  System time: 2013-03-26T17:10:49+00:00
| smb-security-mode:
|   Account that was used for smb scripts: <blank>
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol

Nmap supports the following scripts with their designated categories.

NMAP scripts (category)

  • smb-brute (brute) (intrusive)
  • smb-check-vulns (dos) (exploit) (intrusive) (vuln)
  • smb-enum-domains (discovery) (intrusive)
  • smb-enum-groups (discovery) (intrusive)
  • smb-enum-processes (discovery) (intrusive)
  • smb-enum-sessions (discovery) (intrusive)
  • smb-enum-shares (discovery) (intrusive)
  • smb-enum-users (auth) (intrusive)
  • smb-flood (dos) (intrusive)
  • smb-ls (safe) (discovery)
  • smb-mbenum (safe) (discovery)
  • smb-os-discovery (safe) (default) (discovery)
  • smb-print-text (intrusive)
  • smb-psexec (intrusive)
  • smb-security-mode (safe) (default) (discovery)
  • smb-server-stats (discovery) (intrusive)
  • smb-system-info (discovery) (intrusive)
  • smb-vuln-ms10-054 (intrusive) (vuln)
  • smb-vuln-ms10-061 (intrusive) (vuln)
  • smbv2-enabled (safe) (default)

Some of these scripts will require you to specify the unsafe script argument "--script-args=unsafe=1" in order for them to run..

smb-flood is not recommended as a general purpose script, because a) it is designed to harm the server and has no useful output, and b) it never ends (until timeout).

The smb-psexec is not included by default and needs downloading from http://nmap.org/psexec/

Null Sessions

A key feature an attacker will be looking for is null sessions, where an attacker can connect via an anonymous user, where a connection can be made using a command as shown below.

net use \\192.168.10.100\IPC$ "" /u:""

Once a connection has been formed it is possible to enumerate shares on the remote system, a lot of this activity can be done using the scripts in Nmap.


No comments:

Post a Comment