Basics

Default shares

Default CIFS shares

Default administrative SMB shares (the trailing $ hides them from browse lists; C$ and ADMIN$ require local administrator rights, while IPC$ carries named-pipe RPC and is what null-session enumeration talks to):

  • IPC$
  • ADMIN$
  • C$

The ADMIN$ share is accessible only to administrators; by default it maps to %WINDIR% (normally C:\Windows), which makes it a convenient place to stash an executable that you then launch remotely via sc.exe or schtasks.exe, if you have the right permissions.


Associated protocols

DCERPC

DCE/RPC is the remote procedure call protocol Windows uses (Microsoft’s implementation is usually called MSRPC). Over CIFS it is carried in named pipes on the IPC$ share (e.g., \pipe\samr, \pipe\lsarpc, \pipe\srvsvc), which is how user and share enumeration tools such as enum4linux do their work; it also runs directly over TCP via the endpoint mapper on port 135.


DRSUAPI

DRSUAPI is Windows’ implementation of the Directory Replication Service Remote Protocol (MS-DRSR), a DCE/RPC interface that domain controllers use to replicate Active Directory data among themselves. Because replication responses include password hashes, an account that holds replication rights can use it to pull every hash from a DC (the “DCSync” technique).


Tools

smbmap

  • -H — IP address or hostname to enumerate (capital H; lowercase -h prints the help text)
  • -u — username to use during enumeration (attempts to use the NULL session if not supplied)
  • -p — password or NTLM hash to use during enumeration
  • -d — domain (or workgroup) to use during enumeration
  • -s — share to enumerate (defaults to C$ if not supplied)
  • -x — attempt to execute the supplied command (!!!) on the server (if the user you’re connecting as has permission to do so)
  • --download/--upload — download or upload a file to specified share

smbclient

How to use smbclient

smbclient //$IP/$SHARE -U $USER -p $PORT
  • -I — IP address to connect to (useful when the host name in the UNC path does not resolve)
  • -U — username to use for the connection; append %PASSWORD to supply the password on the command line
  • -P — not a password flag: it is --machine-pass (authenticate with the stored machine account password); pass the password via -U instead
  • -N — attempt to connect without a password (never prompt for one)
  • -W — domain (or workgroup) to use for the connection
  • -p — connect to a non-standard port
  • -L — list the shares the server offers instead of connecting to one (e.g., smbclient -N -L //$IP)
  • -c — run the supplied smbclient commands non-interactively, separated by semicolons (e.g., -c 'ls' or -c 'recurse;prompt;mget *'); these are client-side operations against the share, not commands executed on the server

The -p directive is only necessary if working over a non-standard port (e.g., not 445).

If -U is not included, smbclient will use your current (local) username, so it is probably best to fill something else in. If a password needs to be sent, specify the user as ${USER}%${PASSWORD}. For an anonymous (null session) attempt, pass -N, optionally together with -U '' to send an empty username.

The interface is reminiscent of old-school FTP clients.
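Putting the flags above together, the following is an added example (my own, not code from the original page) that lists a server’s shares with a null session, parses the table that smbclient -L prints, and then probes each Disk share for read access. TARGET is a placeholder host, and the listing the parser is fed is a constructed sample, so the parsing part runs offline.

```sh
#!/bin/sh
# Added example: null-session share listing -> parse -> probe each Disk share.
# TARGET is a placeholder; sample_listing() is constructed, not a real capture.

# Parse "smbclient -L" output on stdin and print the name of every Disk share.
# The table starts after the "--------- ---- -------" separator line and ends
# at the first blank line; column 2 is the share type (Disk, IPC, Printer).
parse_disk_shares() {
  awk '
    /^[[:space:]]*-+[[:space:]]+-+/ { in_table = 1; next }
    in_table && NF == 0             { in_table = 0 }
    in_table && $2 == "Disk"        { print $1 }
  '
}

# Read share names on stdin and try a directory listing on each one with a
# null session (-N). Needs network access, so it is not exercised offline.
# stdin of smbclient is redirected so it cannot swallow the rest of the list.
probe_shares() {
  host="$1"
  while read -r share; do
    if smbclient -N -c 'ls' "//$host/$share" </dev/null >/dev/null 2>&1; then
      echo "READ   $share"
    else
      echo "DENIED $share"
    fi
  done
}

# Constructed sample of smbclient -L output (tab-indented, as Samba prints it).
sample_listing() {
  printf '\n\tSharename       Type      Comment\n'
  printf '\t---------       ----      -------\n'
  printf '\tprint$          Disk      Printer Drivers\n'
  printf '\tbackups         Disk      Nightly backups\n'
  printf '\tIPC$            IPC       IPC Service (Samba 4.13.17)\n'
  printf '\nSMB1 disabled -- no workgroup available\n'
}

# Against a live host:
#   smbclient -N -L "//$TARGET" | parse_disk_shares | probe_shares "$TARGET"
```

Only the Disk shares are probed; IPC$ always accepts a tree connect, so listing it tells you nothing about what you can actually read.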


smbget

smbget smb://$IP/$SHARE/$FILE -U $USER

Download $FILE from $SHARE at $IP.

Note that the syntax differs slightly from smbclient, which is mildly annoying: there is no port option, and the smb:// scheme must be included in the URI.

Use -R (and omit $FILE) to recursively download an entire directory.


Reconnaissance

Nmap

CIFS reconnaissance with Nmap

Typical Nmap portscan output for CIFS:

PORT    STATE SERVICE      REASON
139/tcp open  netbios-ssn  syn-ack
445/tcp open  microsoft-ds syn-ack

CIFS users and shares can be enumerated by Nmap during scanning:

nmap -vv -sT \
     --script smb-enum-shares.nse,smb-enum-users.nse \
     -p445 $TARGET_IP

NOTE

While smb-enum-shares.nse returns results for UNIX-like systems, I’ve found smb-enum-users.nse to be kind of hit-or-miss.
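To turn a scan into a target list for the tools above, here is an added example (my own, not from the original page) that pulls the hosts with 445/tcp open out of Nmap’s grepable (-oG) output. The scan output it parses is a constructed sample, and NETWORK and CIDR are placeholders.

```sh
#!/bin/sh
# Added example: extract SMB targets from Nmap -oG output.
# sample_gnmap() is constructed, not a real scan; NETWORK/CIDR are placeholders.

# Read -oG output on stdin and print one IP per host whose 445/tcp is open.
# A -oG "Host:" line looks like:
#   Host: 10.0.0.5 ()  Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
# Each port entry is "port/state/proto//service///", so we look for a field
# that starts with "445/open/". Hosts where 445 is closed or filtered are skipped.
smb_targets() {
  awk '
    /^Host:/ {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^445\/open\//) { print $2; break }
    }
  '
}

# Constructed -oG output: two hosts with SMB, one closed, one filtered.
sample_gnmap() {
  printf '# Nmap scan initiated (constructed sample)\n'
  printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.5 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)\n'
  printf 'Host: 10.0.0.6 ()\tPorts: 445/closed/tcp//microsoft-ds///\n'
  printf 'Host: 10.0.0.7 (dc01)\tPorts: 445/open/tcp//microsoft-ds///\n'
  printf 'Host: 10.0.0.8 ()\tPorts: 445/filtered/tcp//microsoft-ds///\n'
  printf '# Nmap done (constructed sample)\n'
}

# Against a live network: scan, then list shares with a null session on each hit.
#   nmap -p139,445 -oG - "$NETWORK/$CIDR" | smb_targets |
#     while read -r ip; do smbclient -N -L "//$ip" </dev/null; done
```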


Metasploit

Metasploit CIFS modules

Metasploit can also enumerate CIFS users using the auxiliary/scanner/smb/smb_lookupsid module (which does RID cycling over LSA); auxiliary/scanner/smb/smb_enumshares and auxiliary/scanner/smb/smb_enumusers cover shares and SAMR-based user enumeration respectively.

Like Nmap, I’ve found this to be a bit unreliable on UNIX-like systems.


nbtscan

You can scan a target machine or network using nbtscan to see which hosts answer NetBIOS name service queries (UDP 137); both Windows hosts and Samba servers running nmbd respond, along with their NetBIOS names. The -r flag makes nbtscan send from local port 137, which some older Windows hosts require before they will answer.

nbtscan -r $NETWORK_IP/$CIDR_NETMASK

This won’t give you detailed user and share information, but it will at least let you know what machines to target.


enum4linux

For UNIX-like systems running Samba, enum4linux works well.

enum4linux -a $TARGET_IP

As of the time of this writing (November 5, 2021), however, enum4linux’s normal user enumeration (the -U flag, which queries SAMR) appears to have been broken for quite some time. The “RID cycling” method of discovering users still works, so call enum4linux with either the -r flag (to enumerate users specifically by RID cycling) or the -a flag (which does a complete enumeration, including RID cycling) rather than the -U flag.
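For the cases where enum4linux itself misbehaves, here is an added example (my own, not from the original page) of doing the RID cycling by hand with rpcclient, the Samba tool enum4linux drives for its -r option. The idea is to learn the domain SID once, then ask the host to translate a range of candidate SIDs back to names; those that come back as type 1 are user accounts. TARGET is a placeholder, and the domain SID and lookupsids output below are constructed samples.

```sh
#!/bin/sh
# Added example: manual RID cycling with rpcclient.
# TARGET is a placeholder; sample_lookupsids() and its SID are constructed.

# Parse "rpcclient ... -c 'lookupsids ...'" output on stdin and print
# DOMAIN\name for every SID that resolved to a user. rpcclient prints one
# line per SID:
#   S-1-5-21-...-1000 EXAMPLE\alice (1)
# The number in parentheses is the SID type: 1 = user, 2 = group,
# 4 = alias, 5 = well-known group, 8 = unknown (an unused RID).
parse_users() {
  awk '$NF == "(1)" { sub(/^[^ ]+ /, ""); sub(/ \(1\)$/, ""); print }'
}

# Build one lookupsids command covering RIDs lo..hi of the given domain SID,
# so a whole batch is resolved in a single RPC session instead of one per RID.
rid_range_cmd() {
  domain_sid="$1"; lo="$2"; hi="$3"
  cmd="lookupsids"
  rid=$lo
  while [ "$rid" -le "$hi" ]; do
    cmd="$cmd $domain_sid-$rid"
    rid=$((rid + 1))
  done
  printf '%s' "$cmd"
}

# Constructed sample of what lookupsids prints for a small RID range.
sample_lookupsids() {
  printf 'S-1-5-21-1004336348-1177238915-682003330-500 EXAMPLE\\Administrator (1)\n'
  printf 'S-1-5-21-1004336348-1177238915-682003330-501 EXAMPLE\\Guest (1)\n'
  printf 'S-1-5-21-1004336348-1177238915-682003330-512 EXAMPLE\\Domain Admins (2)\n'
  printf 'S-1-5-21-1004336348-1177238915-682003330-1000 EXAMPLE\\alice (1)\n'
  printf 'S-1-5-21-1004336348-1177238915-682003330-1001 *unknown*\\*unknown* (8)\n'
}

# Against a live host with a null session (-U '' -N):
#   sid=$(rpcclient -U '' -N "$TARGET" -c lsaquery | awk '/Domain Sid/ {print $3}')
#   rpcclient -U '' -N "$TARGET" -c "$(rid_range_cmd "$sid" 500 1100)" | parse_users
```

Well-known RIDs 500 (Administrator) and 501 (Guest) are good sanity checks that the SID is right; ordinary accounts start at 1000.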
