
Server Message Block (SMB): 445

Summary

  • Ports: 139 (TCP) and 445 (TCP)

Security Weaknesses

  • Exploitation of SMBv1 vulnerabilities (e.g., EternalBlue).

  • Unauthorized access to shared files and resources.

  • Lack of encryption in older versions of SMB.

Security Defense and Mitigation Measures

  • Disable SMBv1 and enforce SMBv2 or SMBv3.

  • Use network segmentation to limit SMB access.

  • Regularly patch SMB services and enforce access controls.
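A quick way to verify the first two measures above have actually taken effect is to audit scan output for hosts that still offer the SMBv1 dialect or do not require message signing. The script below is an added example, not the page's own code: it parses the text output of nmap's `smb-protocols` and `smb2-security-mode` scripts (the same `--script` mechanism used in the checklist further down). The scan output embedded in it is a constructed sample in the shape of those scripts' results, so the matching is kept tolerant of minor wording differences.

```python
"""Audit nmap SMB script output against the hardening baseline:
SMBv1 disabled and SMB message signing required.

Added example; the input is a constructed sample (not captured from a
real scan) in the shape of
`nmap --script smb-protocols,smb2-security-mode -p 445 <target>` output.
"""
import re

# Constructed sample: host .5 still offers SMBv1 and only optional signing,
# host .6 is in the desired state.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2:0:2
|     2:1:0
|_    3:1:1
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Nmap scan report for 10.0.0.6
Host is up (0.0012s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-protocols:
|   dialects:
|     3:0:2
|_    3:1:1
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")


def split_hosts(text):
    """Yield (host, block_text) for each 'Nmap scan report' section."""
    host, lines = None, []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            if host:
                yield host, "\n".join(lines)
            host, lines = m.group(1), []
        else:
            lines.append(line)
    if host:
        yield host, "\n".join(lines)


def audit_host(block):
    """Return the list of hardening findings for one host block."""
    findings = []
    # smb-protocols lists the SMBv1 dialect as 'NT LM 0.12 (SMBv1)'.
    if re.search(r"NT LM 0\.12|SMBv1", block):
        findings.append("SMBv1 dialect offered: disable SMBv1")
    # smb2-security-mode: 'enabled and required' is the only safe state.
    mode = re.search(r"Message signing ([^\n]*)", block)
    if mode is None:
        findings.append("no smb2-security-mode result: signing state unknown")
    elif "not required" in mode.group(1) or "disabled" in mode.group(1):
        findings.append("SMB signing not required: require message signing")
    return findings


def audit(text):
    """Map host -> findings for every host in the scan output."""
    return {host: audit_host(block) for host, block in split_hosts(text)}


if __name__ == "__main__":
    for host, findings in audit(SAMPLE_NMAP_OUTPUT).items():
        print(f"{host}: {'OK' if not findings else '; '.join(findings)}")
```

Running it against the sample reports two findings for 10.0.0.5 and none for 10.0.0.6; pointing `audit()` at a saved `nmap -oN` file turns a segmentation or patching sweep into a pass/fail list per host.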

Indicators of Compromise or Attack

  • Unauthorized access to file shares.

  • Unusual SMB traffic from unexpected endpoints.

  • High volumes of failed login attempts.
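The last two indicators can be turned into concrete detection logic over Windows Security events. The script below is an added example (not the page's own code): it flags bursts of failed network logons per source address (Event ID 4625, logon type 3) and access to shares (Event ID 5140) from addresses outside an assumed trusted client range. The event lines are a constructed, simplified key=value rendering of those events; a real pipeline would map the native fields (Logon Type, Source Network Address, Share Name) onto the same keys.

```python
"""Detect the SMB indicators of attack listed above in Windows Security
events: failed-logon bursts and share access from unexpected endpoints.

Added example. The events are a constructed, simplified rendering of
Event ID 4625 (failed logon) and 5140 (network share object accessed);
the trusted client range is an assumption for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample: a password spray from 10.0.0.45, a single benign
# failure from 10.0.0.12, and one C$ access from outside the LAN.
SAMPLE_EVENTS = r"""
2024-05-01T08:00:01Z EventID=4625 LogonType=3 TargetUser=admin IpAddress=10.0.0.45
2024-05-01T08:00:02Z EventID=4625 LogonType=3 TargetUser=jdoe IpAddress=10.0.0.45
2024-05-01T08:00:03Z EventID=4625 LogonType=3 TargetUser=svc_backup IpAddress=10.0.0.45
2024-05-01T08:00:04Z EventID=4625 LogonType=3 TargetUser=guest IpAddress=10.0.0.45
2024-05-01T08:00:05Z EventID=4625 LogonType=3 TargetUser=administrator IpAddress=10.0.0.45
2024-05-01T08:02:00Z EventID=4625 LogonType=3 TargetUser=jdoe IpAddress=10.0.0.12
2024-05-01T08:05:10Z EventID=5140 ShareName=\\*\C$ AccountName=jdoe IpAddress=203.0.113.9
2024-05-01T08:06:00Z EventID=5140 ShareName=\\*\Public AccountName=asmith IpAddress=10.0.0.12
"""

# Assumed trusted range for SMB clients (example value).
ALLOWED_CLIENTS = [ip_network("10.0.0.0/24")]


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Source addresses with >= threshold network logon failures inside
    one sliding window; returns {ip: count_in_window}."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == "4625" and ev.get("LogonType") == "3":
            by_ip[ev["IpAddress"]].append(ev["time"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = end - start + 1
                break
    return flagged


def unexpected_share_access(events, allowed=ALLOWED_CLIENTS):
    """5140 events whose source address is outside the allowed networks."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "5140":
            continue
        src = ip_address(ev["IpAddress"])
        if not any(src in net for net in allowed):
            hits.append((ev["IpAddress"], ev["ShareName"], ev["AccountName"]))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("failed-logon bursts:", failed_logon_bursts(evs))
    print("share access from outside allowed ranges:", unexpected_share_access(evs))
```

The threshold and window are tuning knobs: five failures in a minute from one source catches a spray across several accounts, which a per-account lockout policy alone would not trigger.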

Why Should SMB Be Enumerated?

  • SMB (Server Message Block) should be enumerated and assessed for vulnerabilities because it is a widely used protocol in Windows environments, facilitating file sharing, authentication, and remote administration. Due to its prevalence, SMB is a high-value target for attackers and has a history of severe vulnerabilities like EternalBlue (MS17-010), which led to widespread ransomware attacks such as WannaCry.

  • By enumerating SMB, attackers and penetration testers can uncover critical information, such as shared folders, usernames, groups, service versions, and file permissions. This data may reveal sensitive information, weak configurations, or unpatched systems, all of which can be exploited for remote code execution, lateral movement, privilege escalation, or data theft.

  • SMB is also vulnerable to credential theft and relay attacks if SMB signing is disabled, allowing attackers to capture NTLM hashes for further exploitation. Misconfigured shares with overly permissive access can expose sensitive files and enable attackers to gain unauthorized access to critical resources.

  • Assessing SMB for vulnerabilities is crucial to protecting against ransomware, man-in-the-middle attacks, and unauthorized access. Regular patching, disabling SMBv1, enabling SMB signing, and limiting SMB access to trusted networks are essential mitigation strategies to reduce the risks posed by SMB vulnerabilities. Proper assessment helps organizations identify weak points in their network and prevent severe security breaches.

General Enumeration Steps/Checklist

#1 - Enumerate Hostname
$ nmblookup -A <target_ip>

#2 - List Shared Folders
$ smbmap -H <target_ip_or_hostname>
$ echo exit | smbclient -L \\\\<target_ip>
$ nmap --script smb-enum-shares -p 139,445 <target_ip>

#3 - Check for Null Sessions (no username, no password)
$ smbmap -H <target_ip_or_hostname>
$ rpcclient -U "" -N <target_ip>
$ smbclient -N \\\\<target_ip>\\<share_name>

#4 - List Users
$ enum4linux -a <target_ip>

#5 - Vulnerability Scanning
$ nmap --script "smb-vuln*" -p 139,445 <target_ip>

#6 - Overall Scanning
# enum4linux - can detect and fetch data from both Windows and Samba (Linux) hosts
$ enum4linux -U <target_ip>

# Scan a network range for hosts answering NetBIOS name queries
$ nbtscan -r <cidr_range>
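Steps 2 and 3 both rely on `smbmap -H` run without credentials, so its share table is the natural input for the assessment report: which shares are reachable over a null session, and at what level. The script below is an added example, not the page's own code or smbmap's. The listing it parses is a constructed sample in the shape of smbmap's table output, assumed to be tab-separated as in recent smbmap versions; adjust the column split if your version prints spaces instead.

```python
"""Turn the share listing from `smbmap -H <target_ip>` (run without
credentials, checklist steps 2 and 3) into report findings: shares that
grant anonymous access, ranked by whether they are writable.

Added example. The listing is a constructed sample in the shape of
smbmap's table output (tab-separated columns assumed).
"""
import re

# Constructed sample output for one host (not from a real assessment).
SAMPLE_SMBMAP_OUTPUT = (
    "[+] IP: 10.0.0.5:445\tName: fileserver.example.test\n"
    "\tDisk\tPermissions\tComment\n"
    "\t----\t-----------\t-------\n"
    "\tADMIN$\tNO ACCESS\tRemote Admin\n"
    "\tC$\tNO ACCESS\tDefault share\n"
    "\tIPC$\tREAD ONLY\tRemote IPC\n"
    "\tPublic\tREAD, WRITE\tStaff drop folder\n"
    "\tBackups\tREAD ONLY\t\n"
)

# Windows default administrative shares: ADMIN$, IPC$, print$ and <drive>$.
ADMIN_SHARE_RE = re.compile(r"^(ADMIN\$|IPC\$|print\$|[A-Za-z]\$)$")


def parse_smbmap(text):
    """Return (target, [(share, permissions, comment), ...])."""
    target, shares = None, []
    for line in text.splitlines():
        m = re.match(r"\[\+\] IP: (\S+)", line)
        if m:
            target = m.group(1)
            continue
        cols = [c.strip() for c in line.split("\t")]
        if cols and cols[0] == "":
            cols = cols[1:]  # rows are indented with a leading tab
        if len(cols) < 2 or cols[0] in ("Disk", "----"):
            continue  # header or separator row
        comment = cols[2] if len(cols) > 2 else ""
        shares.append((cols[0], cols[1], comment))
    return target, shares


def null_session_findings(shares):
    """Shares reachable without credentials, writable ones first.
    IPC$ read access is normal and NO ACCESS is the desired state, so
    neither is reported."""
    findings = []
    for name, perms, _comment in shares:
        if name == "IPC$" or "NO ACCESS" in perms:
            continue
        findings.append({
            "share": name,
            "kind": "administrative" if ADMIN_SHARE_RE.match(name) else "custom",
            "permissions": perms,
            "severity": "high" if "WRITE" in perms else "medium",
        })
    return sorted(findings, key=lambda f: f["severity"] != "high")


if __name__ == "__main__":
    target, shares = parse_smbmap(SAMPLE_SMBMAP_OUTPUT)
    print(f"{target}: {len(shares)} shares listed")
    for f in null_session_findings(shares):
        print(f"  [{f['severity']}] {f['share']} ({f['kind']}): {f['permissions']}")
```

An anonymous-writable custom share is the item to lead with in the report: it is both the "unauthorized access to shared files" weakness from the summary and a place where the "enforce access controls" mitigation has failed.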

Information Gathered via SMB Enumeration

SMB Enumeration

Summary

Detailed Enumeration

Windows Environment-Related Information

Workgroup vs. Domain

  • Workgroup: a peer-to-peer network for a maximum of 10 computers on the same LAN or subnet. It has no centralized administration, meaning no computer controls another; each user manages the resources and security locally on their own system.

  • Domain: a client/server network for up to 2000 computers located anywhere in the world. The administrator manages the domain, its users, and its resources centrally. A user with a domain account can log on to any computer in the domain without needing a local account on that computer.


Last updated 5 months ago
