SMB#
SMB (Server Message Block, also called CIFS in older docs) is the
file-and-printer-sharing protocol of the Windows world. Linux speaks
it through Samba, both the smbd server and the client tools
(smbclient, mount.cifs). For the operator, SMB matters two
ways: it’s how you mount Windows shares from Linux, and it’s one of
the largest internal-network attack surfaces in any organization
(EternalBlue, NTLM relay, anonymous shares, password spray over
smbd).
Three SMB dialects coexist; only the latter two are safe:
Dialect |
Notes |
|---|---|
SMBv1 |
Original; broken (EternalBlue / WannaCry). Disable
everywhere. |
SMBv2 |
2006; Vista era. The minimum acceptable. |
SMBv3 |
Windows 8 / Server 2012; AES encryption, signing required. The current standard. |
Ports:
Port |
Use |
|---|---|
TCP 445 |
SMB over TCP, the modern transport. Use this. |
TCP 139 |
NetBIOS Session Service, legacy, still seen. |
UDP 137 |
NetBIOS Name Service, legacy. |
UDP 138 |
NetBIOS Datagram, legacy. |
Session setup#
SMB2/3 opens with a dialect negotiation, then authenticates the session, then attaches to a share, then opens files. Every later operation rides the same session ID.
sequenceDiagram
participant C as Client (smbclient)
participant S as Server (smbd)
C->>S: NEGOTIATE_REQUEST (offered dialects: 2.0.2 .. 3.1.1)
S-->>C: NEGOTIATE_RESPONSE (selected dialect, capabilities)
C->>S: SESSION_SETUP_REQUEST (NTLM or Kerberos via SPNEGO)
S-->>C: SESSION_SETUP_RESPONSE (SessionId, signing key)
C->>S: TREE_CONNECT_REQUEST (\\\\server\\share)
S-->>C: TREE_CONNECT_RESPONSE (TreeId)
C->>S: CREATE_REQUEST (open path, access mask, share access)
S-->>C: CREATE_RESPONSE (FileId)
Note over C,S: READ / WRITE / IOCTL / CLOSE on the FileId
Client tooling#
Tool |
Use |
|---|---|
|
FTP-like SMB client; list shares, get / put files, run commands. |
|
Recursive file fetch ( |
|
Quick read of share names + permissions. |
|
Kernel-level mount of an SMB share. |
|
Drive MS-RPC over SMB; enum users, groups, SIDs, sessions, shares. |
|
Wrapper that runs the standard SMB / RPC enumeration sweep. |
|
Operator’s swiss army for SMB across hosts; auth, exec, lateral movement. |
|
Python tools for every SMB / RPC verb
( |
# list shares
$ smbclient -L //fileserver -U alice
$ smbclient -L //fileserver -N # null session
# interactive
$ smbclient //fileserver/finance -U alice
smb: \> ls
smb: \> get budget.xlsx
smb: \> put report.pdf
smb: \> mask ""; recurse ON; prompt OFF; mget *
# mount as a regular filesystem
$ sudo mkdir /mnt/finance
$ sudo mount -t cifs //fileserver/finance /mnt/finance \
-o username=alice,uid=$(id -u),vers=3.1.1
# persist in /etc/fstab (with a credentials file mode 600)
//fileserver/finance /mnt/finance cifs credentials=/etc/cifs.cred,uid=1000,vers=3.1.1 0 0
Pentest enumeration#
Standard internal-network sweep when SMB is in scope:
# Nmap scripts
$ nmap -p 445 --script smb-os-discovery,smb-protocols,smb-security-mode \
smb-enum-shares,smb-enum-users,smb-enum-sessions \
10.0.0.0/24
# null-session enumeration
$ enum4linux-ng -A host
$ rpcclient -U "" -N host
rpcclient> srvinfo
rpcclient> enumdomusers
rpcclient> querydispinfo
# crackmapexec sweeps
$ crackmapexec smb 10.0.0.0/24 # banner / hostname
$ crackmapexec smb 10.0.0.0/24 -u alice -p 'p@ss' # auth check
$ crackmapexec smb 10.0.0.0/24 -u alice -H <NTLM-hash> # pass-the-hash
$ crackmapexec smb 10.0.0.0/24 --shares
$ crackmapexec smb 10.0.0.0/24 --pass-pol
Server (Samba)#
smbd (file shares) plus nmbd (legacy NetBIOS browsing) plus
winbindd (AD integration on domain-joined hosts).
Path |
Purpose |
|---|---|
|
Main configuration; |
|
Databases (users, secrets, group mappings). |
|
Per-client and per-daemon logs. |
|
Local SMB passwords (legacy text format). |
Minimum share definition:
[finance]
path = /srv/finance
browseable = yes
read only = no
valid users = @finance
create mask = 0660
directory mask = 0770
$ sudo testparm # syntax-check smb.conf
$ sudo systemctl reload smbd
$ sudo smbpasswd -a alice # add a Samba user
$ sudo smbstatus # who's connected, what's open
$ sudo pdbedit -L # list all SMB users
Hardening#
Disable SMBv1.
min protocol = SMB2insmb.conf;Set-SmbServerConfiguration -EnableSMB1Protocol $falseon Windows.Require signing.
server signing = mandatory(Samba),RequireSecuritySignature = 1(Windows). Stops NTLM relay.Disable null sessions and guest access unless explicitly required:
map to guest = never,restrict anonymous = 2.Audit anonymous-readable shares, a recurring data-leak vector:
smbclient -L //host -N.Encrypt v3 traffic.
smb encrypt = requiredfor sensitive shares.Patch the box. Most catastrophic SMB CVEs (MS17-010 / EternalBlue, PrintNightmare, ZeroLogon-adjacent) are missing-patch findings.
See also#
0X42 - Networks, discovering SMB listeners.
man smbclient,man smb.conf,man mount.cifs.Samba docs, [MS-SMB2] (protocol reference).