SMB#

SMB (Server Message Block, also called CIFS in older docs) is the file-and-printer-sharing protocol of the Windows world. Linux speaks it through Samba, both the smbd server and the client tools (smbclient, mount.cifs). For the operator, SMB matters two ways: it’s how you mount Windows shares from Linux, and it’s one of the largest internal-network attack surfaces in any organization (EternalBlue, NTLM relay, anonymous shares, password spray over smbd).

Three SMB dialects coexist; only the latter two are safe:

Dialect

Notes

SMBv1

Original; broken (EternalBlue / WannaCry). Disable everywhere. smbd ships min protocol = SMB2.

SMBv2

2006; Vista era. The minimum acceptable.

SMBv3

Windows 8 / Server 2012; AES encryption, signing required. The current standard.

Ports:

Port

Use

TCP 445

SMB over TCP, the modern transport. Use this.

TCP 139

NetBIOS Session Service, legacy, still seen.

UDP 137

NetBIOS Name Service, legacy.

UDP 138

NetBIOS Datagram, legacy.

Session setup#

SMB2/3 opens with a dialect negotiation, then authenticates the session, then attaches to a share, then opens files. Every later operation rides the same session ID.

        sequenceDiagram
    participant C as Client (smbclient)
    participant S as Server (smbd)
    C->>S: NEGOTIATE_REQUEST (offered dialects: 2.0.2 .. 3.1.1)
    S-->>C: NEGOTIATE_RESPONSE (selected dialect, capabilities)
    C->>S: SESSION_SETUP_REQUEST (NTLM or Kerberos via SPNEGO)
    S-->>C: SESSION_SETUP_RESPONSE (SessionId, signing key)
    C->>S: TREE_CONNECT_REQUEST (\\\\server\\share)
    S-->>C: TREE_CONNECT_RESPONSE (TreeId)
    C->>S: CREATE_REQUEST (open path, access mask, share access)
    S-->>C: CREATE_RESPONSE (FileId)
    Note over C,S: READ / WRITE / IOCTL / CLOSE on the FileId
    

Client tooling#

Tool

Use

smbclient

FTP-like SMB client; list shares, get / put files, run commands.

smbget

Recursive file fetch (wget for SMB).

smbmap

Quick read of share names + permissions.

mount.cifs

Kernel-level mount of an SMB share.

rpcclient

Drive MS-RPC over SMB; enum users, groups, SIDs, sessions, shares.

enum4linux / -ng

Wrapper that runs the standard SMB / RPC enumeration sweep.

crackmapexec

Operator’s swiss army for SMB across hosts; auth, exec, lateral movement.

impacket-*

Python tools for every SMB / RPC verb (smbexec.py, psexec.py, wmiexec.py, GetNPUsers.py).

# list shares
$ smbclient -L //fileserver -U alice
$ smbclient -L //fileserver -N                        # null session

# interactive
$ smbclient //fileserver/finance -U alice
smb: \> ls
smb: \> get budget.xlsx
smb: \> put report.pdf
smb: \> mask ""; recurse ON; prompt OFF; mget *

# mount as a regular filesystem
$ sudo mkdir /mnt/finance
$ sudo mount -t cifs //fileserver/finance /mnt/finance \
     -o username=alice,uid=$(id -u),vers=3.1.1

# persist in /etc/fstab (with a credentials file mode 600)
//fileserver/finance /mnt/finance cifs credentials=/etc/cifs.cred,uid=1000,vers=3.1.1 0 0

Pentest enumeration#

Standard internal-network sweep when SMB is in scope:

# Nmap scripts
$ nmap -p 445 --script smb-os-discovery,smb-protocols,smb-security-mode \
                       smb-enum-shares,smb-enum-users,smb-enum-sessions \
              10.0.0.0/24

# null-session enumeration
$ enum4linux-ng -A host
$ rpcclient -U "" -N host
rpcclient> srvinfo
rpcclient> enumdomusers
rpcclient> querydispinfo

# crackmapexec sweeps
$ crackmapexec smb 10.0.0.0/24                           # banner / hostname
$ crackmapexec smb 10.0.0.0/24 -u alice -p 'p@ss'        # auth check
$ crackmapexec smb 10.0.0.0/24 -u alice -H <NTLM-hash>   # pass-the-hash
$ crackmapexec smb 10.0.0.0/24 --shares
$ crackmapexec smb 10.0.0.0/24 --pass-pol

Server (Samba)#

smbd (file shares) plus nmbd (legacy NetBIOS browsing) plus winbindd (AD integration on domain-joined hosts).

Path

Purpose

/etc/samba/smb.conf

Main configuration; [global] plus one section per share.

/var/lib/samba/

Databases (users, secrets, group mappings).

/var/log/samba/

Per-client and per-daemon logs.

/etc/samba/smbpasswd

Local SMB passwords (legacy text format).

Minimum share definition:

[finance]
    path = /srv/finance
    browseable = yes
    read only = no
    valid users = @finance
    create mask = 0660
    directory mask = 0770
$ sudo testparm                         # syntax-check smb.conf
$ sudo systemctl reload smbd
$ sudo smbpasswd -a alice               # add a Samba user
$ sudo smbstatus                        # who's connected, what's open
$ sudo pdbedit -L                       # list all SMB users

Hardening#

  • Disable SMBv1. min protocol = SMB2 in smb.conf; Set-SmbServerConfiguration -EnableSMB1Protocol $false on Windows.

  • Require signing. server signing = mandatory (Samba), RequireSecuritySignature = 1 (Windows). Stops NTLM relay.

  • Disable null sessions and guest access unless explicitly required: map to guest = never, restrict anonymous = 2.

  • Audit anonymous-readable shares, a recurring data-leak vector: smbclient -L //host -N.

  • Encrypt v3 traffic. smb encrypt = required for sensitive shares.

  • Patch the box. Most catastrophic SMB CVEs (MS17-010 / EternalBlue, PrintNightmare, ZeroLogon-adjacent) are missing-patch findings.

See also#