SMB | Notion

A client-server protocol that regulates access to files and entire directories and other network resources such as printers, routers, or interfaces released for the network.

crackmapexec

Default Configuration

cat /etc/samba/smb.conf | grep -v "#/|/;"

Once we have discovered interesting files or folders, we can download them using the get command. Smbclient also allows us to execute local system commands using an exclamation mark at the beginning (!<cmd>) without interrupting the connection.

Footprinting the service

rpcclient

rpcclient -U "" 10.129.14.128

https://www.samba.org/samba/docs/current/man-html/rpcclient.1.html (Manual of rpcclient)

Query	Description
`srvinfo`	Server information.
`enumdomains`	Enumerate all domains that are deployed in the network.
`querydominfo`	Provides domain, server, and user information of deployed domains.
`netshareenumall`	Enumerates all available shares.
`netsharegetinfo <share>`	Provides information about a specific share.
`enumdomusers`	Enumerates all domain users.
`queryuser <RID>`	Provides information about a specific user.
`guerygroup <<GRID>`	Provides information about a specific group.

Brute Forcing User RIDs

for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\\n' $i)" | grep "User Name\\|user_rid\\|group_rid" && echo "";done

An alternative to this would be a Python script from Impacket called samrdump.py.