Using SMBClient to Enumerate Shares

Using SMBClient to Enumerate Shares

Time for a quick back to the basics blog post!  Let us talk about Samba shares. What is Samba?  From the official Samba web page: "Samba is the standard Windows interoperability suite of programs for Linux and Unix." Alright, what?

Since 1992, Samba, commonly referred to as SMB, has provided file and print services for all clients using the SMB/CIFS protocol, such as all versions of DOS and Windows, OS/2, Linux and many others. Samba is an important component to seamlessly integrate Linux/Unix Servers and Desktops into Active Directory environments. It can function both as a domain controller or as a regular domain member.

So what does this have to do with cybersecurity?  Well for one, Windows exposes several administrative and hidden shares via SMB by default.  Three common shares on Windows machines are the C$, Admin$, and IPC$.  

The C$ share will allow one to access the C Drive on the remote machine. Another share, Admin$, allows one to access the Windows installation directory. To be able to mount these shares however, one needs to be an administrator on the remote system.

The last of the three common shares is the IPC$ share.  IPC$ is a special share within Windows that is used to facilitate inter-process communication more commonly referred to as IPC. That is, it doesn’t allow one to access files or directories like other shares, but rather allows one to communicate with processes running on the remote system. Specifically, IPC$ exposes named pipes, that one can write to or read from to communicate with remote processes. Such named pipes are created when an application opens a pipe and registers it with the Windows Server service (SMB), such that it can be exposed by the IPC$ share. Any data written to such a named pipe is sent to the remote process, and conversely any output data written by the remote process can be read by a local application from the pipe. One can use such named pipes to execute specific functions, often referred to as Remote Procedure Calls (RPC) on the remote system.

Certain versions of Windows allowed one to authenticate and mount the IPC$ share without providing a username or password. Such a connection is often referred to as a NULL session, which while limited in its privileges, could be used to execute various RPC calls and as a result obtain useful information about the remote system. Arguably the most useful information one could extract in this manner is user and group listings, which can be used in brute force attacks.  NULL session attack is not a new concept (hence the reason for a "Back to the Basics" post).  However, along with looking for user and group listings an attacker could potentially look for sensitive files that are being shared.  Or upload malicious files that could be executed from a different attack vector.

To move into the vulnerability checking section of the blog post, Kali linux comes with a SMB client program included with the distribution. It provides an FTP-like interface on the command line. You can use this utility to transfer files between a Windows 'server' and a Linux client.

To see which shares are available on a given host, run the following:

/usr/bin/smbclient -L host  or if smbclient is already in your path like in Kali Linux, smbclient -L host.  Where host is the name of the machine that you wish to view. This will return a list of service names - that is, names of drives or printers that it can share with you. Unless the SMB server has no security configured, it will ask you for a password.

Additionally, if you haven't enumerated hostnames yet in your test you can also use IP addresses, but keep in mind you will need to escape the slashes so 4 will be needed instead of 2.  In the example below, we are using the smbclient tool to list the shares available on the remote host.

smbclient -L \\\\

The output of this command should look something like this:

smbclient -L \\\\ -U 'administrator'
Enter WORKGROUP\administrator's password: 

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC

Keep in mind that your instance might differ based on the operating system, and configuration on the remote host.

To connect to particular service or a drive, where service is a machine or share name.  For example, if you are trying to reach a directory that has been shared as 'C$' on a machine called, the service would be called\C$. However, due to bash shell restrictions, you will need to escape the backslashes, so you end up with a command such as this:

smbclient \\\\\\C$ -U administrator

If the provided credentials are valid or the SMB share supports anonymous connections you will get the smbclient prompt like the following:

Server time is Sat Aug 10 15:58:44 1996
Timezone is UTC+10.0
Domain=[WORKGROUP] OS=[Windows NT 3.51] Server=[NT LAN Manager 3.51]
smb: \> 

At this point you have a terminal that is FTP-like, and  can use the help option to get the different commands while using smbclient:

As well you can use typical FTP-like commands such as ls and cd to interact with the remote share.

The screenshot below shows movement through the remote share C$ to the Program Files (x86) where I had placed the passwords.txt file.  

In order to download the text file you can use the get command which will allow for tab completion using the remote share directory.  

Alternatively, you could upload a file to the remote share using the put command.  The put command allows for tab completion using the local directory.  

Final note, most Linux distributions also now include the useful smbfs package, which allows one to mount and umount SMB shares.  Mounting the drive instead of using the FTP-like terminal could allow an attacker to grep or search more easily through remote shares for sensitive data.  This concludes our post, hopefully you have found this informative, and until next time please get rid of Samba.  

Citation and inspiration:

Ryan Villarreal

About Ryan Villarreal