SMB Share Discovery and Exploitation
SMB (Server Message Block) Share Discovery and Exploitation is a critical topic in the GCIH certification, falling under the reconnaissance, scanning, and enumeration phases of an attack lifecycle. SMB is a network file-sharing protocol commonly used in Windows environments, operating primarily on TCP port 445 (direct SMB over TCP) and TCP port 139 (SMB over NetBIOS).

**Discovery Phase:** Attackers begin by scanning for open SMB ports using tools like Nmap (nmap -p 445,139 --open <target>). Once SMB services are identified, enumeration tools such as enum4linux, smbclient, CrackMapExec, and SMBMap are used to list available shares, permissions, users, and group policies. The command 'smbclient -L //<target> -N' attempts a null session to list shares without credentials.

**Common Vulnerabilities:** SMB has been associated with critical vulnerabilities, including EternalBlue (MS17-010), which exploits SMBv1 and was famously used in the WannaCry ransomware attack. Other risks include null session enumeration, weak authentication, misconfigured share permissions, and SMB relay attacks, in which an NTLM authentication exchange captured from a victim is forwarded to another server that does not require signing, so that the attacker is authenticated there as the victim.

**Exploitation Techniques:** Attackers exploit discovered shares to access sensitive files, harvest credentials, plant malware, or move laterally across the network. Tools like Metasploit provide modules for SMB exploitation (e.g., exploit/windows/smb/ms17_010_eternalblue). SMB relay attacks use tools like Responder and ntlmrelayx to intercept and relay authentication exchanges. Pass-the-hash attacks allow attackers to authenticate using stolen NTLM hashes without knowing the plaintext password.
**Defensive Measures:** Incident handlers should enforce SMB signing to prevent relay attacks, disable SMBv1, implement network segmentation, restrict anonymous access (null sessions), apply principle of least privilege to share permissions, monitor SMB traffic for anomalies, and ensure timely patching. Using tools like Wireshark and IDS/IPS systems helps detect suspicious SMB activity. Understanding these attack vectors is essential for effective incident response and threat mitigation.
SMB Share Discovery and Exploitation – Complete Guide for GIAC GCIH
Why Is This Important?
Server Message Block (SMB) is one of the most commonly exploited protocols in enterprise environments. SMB shares are used extensively in Windows networks for file sharing, printer access, and inter-process communication. Misconfigured or poorly secured SMB shares represent a significant attack surface that adversaries routinely target during penetration tests and real-world attacks. For the GIAC GCIH (GIAC Certified Incident Handler) exam, understanding SMB share discovery and exploitation is critical because it falls squarely within the reconnaissance, scanning, and enumeration phase of an attack lifecycle — a core domain tested on the exam.
What Is SMB Share Discovery and Exploitation?
SMB (Server Message Block) is a network file-sharing protocol that operates primarily on TCP port 445 (and historically over NetBIOS: UDP 137 and 138 for the name and datagram services, TCP 139 for the session service). SMB share discovery refers to the process of identifying accessible network shares on remote systems. Exploitation involves leveraging misconfigured permissions, null sessions, weak credentials, or protocol vulnerabilities to gain unauthorized access to sensitive data, escalate privileges, or move laterally through a network.
Key concepts include:
- Null Sessions: Anonymous connections to the IPC$ share that require no credentials. These can leak user lists, share names, group memberships, and security policies.
- Share Enumeration: Listing available shares on a target host, including hidden administrative shares (C$, ADMIN$, IPC$).
- Permission Misconfiguration: Shares with overly permissive ACLs (Access Control Lists) that allow unauthorized read or write access.
- Credential-Based Access: Using stolen, default, or brute-forced credentials to authenticate to SMB shares.
How Does It Work?
1. Discovery and Enumeration
Attackers begin by scanning for systems with open SMB ports:
- Nmap: nmap -p 445,139 --open -sV target_range — Identifies hosts with SMB services running.
- Nmap NSE Scripts: nmap --script smb-enum-shares,smb-enum-users,smb-os-discovery -p 445 target — Enumerates shares, users, and OS information.
- enum4linux: A popular Linux tool for enumerating SMB information from Windows and Samba hosts. Example: enum4linux -a target_ip — Performs a full enumeration including shares, users, password policy, groups, and OS info.
- smbclient: smbclient -L //target_ip -N — Lists shares using a null session (no password).
- CrackMapExec (CME): crackmapexec smb target_range --shares — Enumerates shares across multiple hosts with or without credentials.
- net view: Windows native command: net view \\target_ip — Lists shared resources on the target.
2. Null Session Exploitation
Null sessions exploit the IPC$ share to establish an anonymous connection:
- smbclient //target_ip/IPC$ -N
- rpcclient -U "" -N target_ip — Then use commands like enumdomusers, enumdomgroups, querydominfo
- On Windows: net use \\target_ip\IPC$ "" /u:""
Null sessions were a severe issue in older Windows systems (NT4, 2000, early XP) but can still be found in misconfigured modern environments.
3. Accessing and Exploiting Shares
Once shares are discovered:
- Anonymous/Guest Access: Connect to shares that allow unauthenticated access and browse for sensitive files (configuration files, credentials, scripts, backups).
- Credential-Based Access: smbclient //target_ip/share_name -U username%password
- Mounting Shares: mount -t cifs //target_ip/share_name /mnt/smb -o username=user,password=pass
- Searching for Sensitive Data: Look for files containing passwords, configuration data, database connection strings, SSH keys, etc.
4. Lateral Movement and Privilege Escalation
- PsExec / Impacket psexec.py: Copies a service binary to the ADMIN$ share (or C$), registers it as a service through the Service Control Manager over the SVCCTL named pipe, and starts it to execute commands remotely. Requires local administrator credentials on the target.
- Pass-the-Hash: Tools like CrackMapExec or Impacket allow authentication using NTLM hashes instead of plaintext passwords: crackmapexec smb target -u admin -H hash_value --shares
- SCF/URL File Attacks: Placing malicious .scf or .url files on writable shares so that when a user browses the share, Explorer fetches the file's icon from an attacker-controlled UNC path and authenticates to it, handing the attacker a Net-NTLMv2 challenge-response (loosely called a "hash") that Responder or similar tools capture for cracking or relay.
5. Notable SMB Vulnerabilities
- MS17-010 (EternalBlue): Critical SMBv1 remote code execution vulnerability exploited by WannaCry and NotPetya. Nmap check: nmap --script smb-vuln-ms17-010 -p 445 target
- MS08-067: An older but historically significant remote code execution flaw in the Windows Server service (netapi32), reached through RPC over SMB named pipes and exploited by the Conficker worm.
- SMBGhost (CVE-2020-0796): SMBv3.1.1 compression vulnerability allowing remote code execution.
- SMB Signing Disabled: When SMB signing is not required, attackers can perform relay attacks (NTLM relay) to authenticate to other services.
6. SMB Relay Attacks
When SMB signing is not required on the destination, an attacker positioned to receive a victim's authentication attempt can forward the NTLM challenge-response exchange to another host instead of cracking it:
- Use Responder (LLMNR/NBT-NS/mDNS poisoning) to draw connections to the attacker's machine; for a relay, Responder's own SMB and HTTP servers are turned off so that ntlmrelayx.py receives those connections instead
- Use ntlmrelayx.py (Impacket) to relay the captured authentication to a target list of hosts that do not require SMB signing (CrackMapExec can produce this list with --gen-relay-list)
- Because of the MS08-068 fix, the authentication cannot be reflected back to the host it came from; it must go to a different host on which the victim account holds rights
- This can result in command execution, share access, or credential dumping (SAM) on the relayed target
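The triage a practitioner does on enumeration output, written out as an added example that is not part of this guide or of CrackMapExec itself: it parses the fixed-width table that `crackmapexec smb <range> -u <user> -p <pass> --shares` prints and answers the questions sections 1, 4 and 6 raise in one pass: which non-administrative shares are writable (where to hunt for secrets, and where .scf/.url bait would be dropped), where the account holds local admin (WRITE on ADMIN$, so psexec.py-style execution will work), which hosts do not require signing (relay targets, the same set `--gen-relay-list` writes out) and which still answer SMBv1 (candidates for the MS17-010 check). The sample output is constructed for this example: the hosts, credential and share names are invented, and the column layout follows the CME table format as I know it, which is an assumption the per-host header parsing is designed to tolerate.

```python
"""Triage of CrackMapExec `smb ... --shares` output (added example).

The table CME prints is fixed-width and the Permissions and Remark cells
may be empty, so the parser takes column offsets from each host's own
"Share  Permissions  Remark" header instead of splitting on whitespace.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the layout of `crackmapexec smb 10.0.0.0/24 -u jdoe -p '...' --shares`.
# Hosts, credential and share names are invented for this example.
SAMPLE_OUTPUT = """\
SMB         10.0.0.5        445    FS01             [*] Windows 10.0 Build 17763 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         10.0.0.7        445    DC01             [*] Windows 10.0 Build 20348 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.0.0.5        445    FS01             [+] corp.local\\jdoe:Winter2024!
SMB         10.0.0.7        445    DC01             [+] corp.local\\jdoe:Winter2024!
SMB         10.0.0.5        445    FS01             [+] Enumerated shares
SMB         10.0.0.5        445    FS01             Share           Permissions     Remark
SMB         10.0.0.5        445    FS01             -----           -----------     ------
SMB         10.0.0.5        445    FS01             ADMIN$                          Remote Admin
SMB         10.0.0.5        445    FS01             C$                              Default share
SMB         10.0.0.5        445    FS01             IPC$            READ            Remote IPC
SMB         10.0.0.5        445    FS01             Public          READ,WRITE      Drop folder
SMB         10.0.0.5        445    FS01             Backups         READ            Nightly SQL dumps
SMB         10.0.0.7        445    DC01             [+] Enumerated shares
SMB         10.0.0.7        445    DC01             Share           Permissions     Remark
SMB         10.0.0.7        445    DC01             -----           -----------     ------
SMB         10.0.0.7        445    DC01             ADMIN$          READ,WRITE      Remote Admin
SMB         10.0.0.7        445    DC01             C$              READ,WRITE      Default share
SMB         10.0.0.7        445    DC01             IPC$            READ            Remote IPC
SMB         10.0.0.7        445    DC01             NETLOGON        READ            Logon server share
SMB         10.0.0.7        445    DC01             SYSVOL          READ            Logon server share
"""

LINE_RE = re.compile(r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+(?P<rest>.*)$")
FLAG_RE = re.compile(r"\((signing|SMBv1):(True|False)\)")
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}


@dataclass
class Host:
    ip: str
    name: str
    signing: Optional[bool] = None   # False = signing not required: relay target
    smbv1: Optional[bool] = None     # True = SMBv1 still enabled
    shares: dict = field(default_factory=dict)  # share name -> set of permissions


def parse_cme_shares(text: str) -> dict:
    """Parse CME --shares output into Host records keyed by IP address."""
    hosts, columns = {}, {}  # columns: ip -> (Permissions offset, Remark offset)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue
        ip, rest = m["ip"], m["rest"]
        host = hosts.setdefault(ip, Host(ip, m["host"]))
        if rest.startswith("[*]"):                       # banner: OS, signing, SMBv1
            for key, val in FLAG_RE.findall(rest):
                setattr(host, key.lower(), val == "True")
        elif rest.startswith("Share") and "Permissions" in rest:
            columns[ip] = (rest.index("Permissions"), rest.index("Remark"))
        elif ip in columns and not rest.startswith(("[", "-")):
            perm_at, remark_at = columns[ip]            # slice by this host's header
            name = rest[:perm_at].strip()
            perms = rest[perm_at:remark_at].strip()
            host.shares[name] = {p for p in perms.split(",") if p}
    return hosts


def writable_data_shares(hosts: dict) -> list:
    """Non-administrative shares the account can write to."""
    return sorted((h.ip, name) for h in hosts.values()
                  for name, perms in h.shares.items()
                  if "WRITE" in perms and name not in ADMIN_SHARES)


def local_admin_hosts(hosts: dict) -> list:
    """WRITE on ADMIN$ means the credential is a local administrator there."""
    return sorted(h.ip for h in hosts.values() if "WRITE" in h.shares.get("ADMIN$", ()))


def relay_targets(hosts: dict) -> list:
    """Hosts not requiring SMB signing: what ntlmrelayx.py -tf expects."""
    return sorted(h.ip for h in hosts.values() if h.signing is False)


def smbv1_hosts(hosts: dict) -> list:
    """Hosts still answering SMBv1: candidates for the MS17-010 check."""
    return sorted(h.ip for h in hosts.values() if h.smbv1)


if __name__ == "__main__":
    hosts = parse_cme_shares(SAMPLE_OUTPUT)
    print("writable data shares:", writable_data_shares(hosts))
    print("local admin on:      ", local_admin_hosts(hosts))
    print("relay targets:       ", relay_targets(hosts))
    print("SMBv1 hosts:         ", smbv1_hosts(hosts))
```

To use it on a real run, replace SAMPLE_OUTPUT with the captured stdout of CrackMapExec. The offsets are taken per host because the hostname column is padded per line, so hosts with different name lengths still parse. Two caveats for the relay list: the source of a captured authentication cannot be one of the targets (MS08-068), and a relay only yields command execution where the victim account is an administrator on the target.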
Key Tools Summary for the Exam:
- Nmap (with NSE scripts) — Port scanning and SMB enumeration
- enum4linux / enum4linux-ng — Comprehensive SMB/NetBIOS enumeration
- smbclient — SMB share interaction and listing
- CrackMapExec — Multi-host SMB enumeration and exploitation
- rpcclient — RPC-based enumeration via SMB
- Impacket suite (psexec.py, smbexec.py, ntlmrelayx.py) — SMB exploitation and lateral movement
- Responder — LLMNR/NBT-NS poisoning and hash capture
- Metasploit — Various SMB auxiliary and exploit modules
Defensive Measures (Know These for the Exam):
- Disable SMBv1 across the environment
- Enforce SMB signing on all systems
- Restrict null sessions (the RestrictAnonymous, RestrictAnonymousSAM and EveryoneIncludesAnonymous values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa)
- Apply least-privilege permissions to all shares
- Remove unnecessary shares and disable default administrative shares where possible
- Use network segmentation to limit SMB traffic
- Monitor for anomalous SMB activity (large data transfers, unusual share access patterns)
- Keep systems patched against known SMB vulnerabilities
- Use strong, unique passwords and implement multi-factor authentication where possible
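For the monitoring item in the list above, an added example (mine, not from this guide) of detection logic run over a handful of constructed Windows events, normalised to dictionaries the way a SIEM would hold them: Security event 5140 (a network share object was accessed; it requires "Audit File Share" success auditing to be on) and System event 7045 (a new service was installed). Hostnames, accounts, addresses and timestamps are invented. It implements three checks that map to the attacks described earlier: ANONYMOUS LOGON opening IPC$ (null session enumeration), one account and source address opening ADMIN$ or C$ on several hosts within a short window (PsExec- or pass-the-hash-driven fan-out), and ADMIN$ access followed within a minute by a service install on the same host (the PsExec / psexec.py sequence).

```python
"""SMB lateral-movement detections over constructed Windows events (added example).

Event IDs used:
  5140  A network share object was accessed (Security log)
  7045  A new service was installed (System log)
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = (r"\\*\ADMIN$", r"\\*\C$")   # share names as 5140 records them


def ev(ts, computer, event_id, **fields):
    """Build one normalised event from an ISO 8601 timestamp and its fields."""
    return {"time": datetime.fromisoformat(ts), "computer": computer,
            "event_id": event_id, **fields}


# Constructed events, not real telemetry.
EVENTS = [
    ev("2024-03-04T09:00:01", "FS01", 5140, account=r"CORP\jdoe", source_ip="10.0.0.50", share=r"\\*\Finance"),
    ev("2024-03-04T09:01:10", "FS01", 5140, account="ANONYMOUS LOGON", source_ip="10.0.0.99", share=r"\\*\IPC$"),
    ev("2024-03-04T09:05:00", "WS03", 5140, account=r"CORP\svc_backup", source_ip="10.0.0.60", share=r"\\*\ADMIN$"),
    ev("2024-03-04T09:05:02", "WS03", 7045, service="PSEXESVC"),
    ev("2024-03-04T09:05:20", "WS04", 5140, account=r"CORP\svc_backup", source_ip="10.0.0.60", share=r"\\*\ADMIN$"),
    ev("2024-03-04T09:05:21", "WS04", 7045, service="PSEXESVC"),
    ev("2024-03-04T09:05:40", "WS05", 5140, account=r"CORP\svc_backup", source_ip="10.0.0.60", share=r"\\*\C$"),
    ev("2024-03-04T09:06:00", "WS06", 5140, account=r"CORP\svc_backup", source_ip="10.0.0.60", share=r"\\*\ADMIN$"),
    ev("2024-03-04T09:30:00", "WS01", 5140, account=r"CORP\itadmin", source_ip="10.0.0.10", share=r"\\*\ADMIN$"),
    ev("2024-03-04T09:40:00", "WS01", 7045, service="CorpAgentSvc"),  # routine install, no ADMIN$ hit just before
]


def null_session_attempts(events):
    """Anonymous connections to IPC$: the null session enumeration pattern."""
    return [(e["computer"], e["source_ip"]) for e in events
            if e["event_id"] == 5140 and e["account"] == "ANONYMOUS LOGON"
            and e["share"].endswith(r"\IPC$")]


def admin_share_fanout(events, window=timedelta(minutes=10), threshold=3):
    """Flag an (account, source_ip) pair that opens ADMIN$ or C$ on `threshold`
    or more distinct hosts inside a sliding `window`."""
    recent = defaultdict(list)   # (account, source_ip) -> [(time, computer), ...]
    alerts = {}                  # (account, source_ip) -> every host seen in an alerting window
    for e in sorted(events, key=lambda x: x["time"]):
        if e["event_id"] != 5140 or e["share"] not in ADMIN_SHARES:
            continue
        key = (e["account"], e["source_ip"])
        hits = [h for h in recent[key] if e["time"] - h[0] <= window]
        hits.append((e["time"], e["computer"]))
        recent[key] = hits
        computers = {c for _, c in hits}
        if len(computers) >= threshold:
            alerts.setdefault(key, set()).update(computers)
    return [(acct, ip, sorted(hosts)) for (acct, ip), hosts in alerts.items()]


def psexec_pattern(events, lag=timedelta(seconds=60)):
    """ADMIN$ access followed within `lag` by a service install on the same host.
    Correlate on the sequence, not the service name: PsExec's -r renames it."""
    admin_hits = [e for e in events if e["event_id"] == 5140 and e["share"] == r"\\*\ADMIN$"]
    findings = []
    for svc in (e for e in events if e["event_id"] == 7045):
        for a in admin_hits:
            if a["computer"] == svc["computer"] and timedelta(0) <= svc["time"] - a["time"] <= lag:
                findings.append((svc["computer"], a["account"], a["source_ip"], svc["service"]))
                break
    return findings


if __name__ == "__main__":
    print("null sessions:", null_session_attempts(EVENTS))
    print("admin-share fan-out:", admin_share_fanout(EVENTS))
    print("psexec pattern:", psexec_pattern(EVENTS))
```

The thresholds are deliberately parameters: backup and patch-management accounts legitimately touch ADMIN$ on many hosts, so tune `threshold` and `window` per account or whitelist known automation rather than suppressing the rule. The ANONYMOUS LOGON check only fires if the host still permits anonymous IPC$ connections, which is itself the misconfiguration the RestrictAnonymous settings above are meant to close.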
Exam Tips: Answering Questions on SMB Share Discovery and Exploitation
1. Know Your Port Numbers: SMB operates on TCP 445 (direct SMB over TCP) and, for NetBIOS over TCP/IP, UDP 137 (name service), UDP 138 (datagram service) and TCP 139 (session service). Questions may reference either or both. If a question mentions the NetBIOS session service specifically, that is TCP port 139.
2. Understand Null Sessions Thoroughly: Be able to identify what information null sessions can reveal (usernames, shares, groups, password policies, SIDs) and which tools establish them. Know that IPC$ is the share used for null session connections.
3. Recognize Tool Output: The exam may present output from enum4linux, smbclient, Nmap SMB scripts, or CrackMapExec and ask you to interpret results. Practice reading this output so you can quickly identify share names, permissions, usernames, and OS versions.
4. Differentiate Between SMB Versions: Know that SMBv1 is the most vulnerable version (EternalBlue, MS17-010). SMBv2 dropped the legacy SMBv1 command set, and SMBv3 added encryption and, in 3.1.1, pre-authentication integrity; note that SMBGhost (CVE-2020-0796) was a flaw in the SMBv3.1.1 compression feature, so a newer dialect still needs patching. Questions about disabling protocols or identifying vulnerable versions are common.
5. Understand the Attack Chain: Questions may ask about the sequence of events. Remember: Port Scan → Service Identification → Share Enumeration → Access/Exploitation → Lateral Movement. Be able to identify which step a given action belongs to.
6. Know Administrative Shares: C$, ADMIN$, and IPC$ are default administrative shares. C$ and ADMIN$ require admin credentials to access. IPC$ is used for inter-process communication and null sessions. Hidden shares end with a $ sign.
7. SMB Relay vs. SMB Exploitation: These are different attack types. Relay attacks abuse the authentication protocol (NTLM) when signing is not enforced. Direct exploitation targets vulnerabilities in the SMB protocol itself. Be clear on the distinction.
8. Map Tools to Techniques: When a question describes an activity, be able to identify the most likely tool used. For example: enumerating shares on multiple hosts simultaneously → CrackMapExec; executing commands via ADMIN$ → PsExec or Impacket psexec.py; capturing NTLM hashes on the network → Responder.
9. Focus on Defensive Countermeasures: GCIH is an incident handling certification, so expect questions about how to detect and mitigate SMB attacks. Know that requiring (not merely enabling) SMB signing defeats relay attacks against that host, disabling SMBv1 mitigates EternalBlue, and restricting anonymous access prevents null session enumeration.
10. Pay Attention to Context Clues: Exam questions often include specific details like port numbers, tool flags, or output snippets. Use these to narrow down the correct answer. For example, if a question mentions port 445 and anonymous listing of shares, think null session enumeration with smbclient or enum4linux.
11. Remember Key CVEs: MS17-010 (EternalBlue), MS08-067, and CVE-2020-0796 (SMBGhost) are the most commonly referenced SMB vulnerabilities. Know which SMB version each affects and the general impact (remote code execution).
12. Practice with Index/Reference Materials: The GCIH exam is open book. Create a well-organized index that includes SMB-related tools, ports, vulnerabilities, and commands so you can quickly reference them during the exam.