Shared Folders

AIM: Find folders shared across the network

Enumerating SMB shared folders allows a penetration tester or attacker to list and access folders that are shared on a target system over the SMB (Server Message Block) protocol. These shared folders may contain sensitive files or misconfigurations that provide unauthorized access, potentially leading to further compromise of the network. The main purposes of enumerating SMB shared folders are:

  1. Identifying Sensitive Data: Shared folders may store sensitive or confidential information like financial records, personal data, credentials, and configuration files.

  2. Privilege Escalation: Misconfigured permissions on shared folders can allow unauthorized users to access or modify critical files, leading to privilege escalation.

  3. Lateral Movement: Shared folders can provide access to data or scripts used for administrative tasks, enabling attackers to pivot to other systems in the network.

  4. Reconnaissance: Information in shared folders can give insight into the target organization’s structure, network layout, or internal systems.

  5. Credential Harvesting: Files in shared folders may contain plain text credentials or password hashes, which attackers can use for credential theft.

Impact of Enumerating Shared Folders

Once you have enumerated SMB shared folders, you can:

  1. Access Shared Files: If permissions are misconfigured, you can access files that contain sensitive information or critical configurations. This may include personal information, company data, or scripts that can be modified.

  2. Modify Files: If write permissions are granted, you can modify or upload files, potentially adding malicious scripts or binaries for future attacks.

  3. Identify Misconfigurations: Identifying folders where permissions are set incorrectly (e.g., granting “Everyone” or “Anonymous” users full access) allows you to report misconfigurations to the client or exploit them during a red team exercise.

  4. Data Exfiltration: Sensitive data found in shared folders can be exfiltrated. This includes documents, credentials, or any other valuable files that can be later analyzed or used for further attacks.

  5. Privilege Escalation and Lateral Movement: Accessing configuration files or scripts can help escalate privileges or move laterally across the network. For example, you might find backup files containing hashes or configuration files with plain text credentials.

  6. Password Hashes and Credentials: Files such as backup configurations or .ps1 (PowerShell) scripts may contain hard-coded credentials or password hashes that you can use for further compromise.

Connect/List a Shared Folder

# Connect using smbclient
$ smbclient --no-pass //<IP>/<Folder>
$ smbclient -U 'username[%passwd]' [--pw-nt-hash] //<IP>   # If you omit the password, you will be prompted for it. With --pw-nt-hash, the password given is the NT hash
# Use --no-pass -c 'recurse;ls' to list recursively with smbclient

# List with smbmap; without a folder it lists everything
$ smbmap [-u "username" -p "password"] -R [Folder] -H <IP> [-P <PORT>]   # Recursive list
$ smbmap [-u "username" -p "password"] -r [Folder] -H <IP> [-P <PORT>]   # Non-recursive list
$ smbmap -u "username" -p "<NT>:<LM>" [-r/-R] [Folder] -H <IP> [-P <PORT>]   # Pass-the-Hash

IPC$ Share

Access to the IPC$ share can be obtained through an anonymous null session, allowing for interaction with services exposed via named pipes. The utility enum4linux is useful for this purpose. Utilized properly, it enables the acquisition of:

  • Information on the operating system

  • Details on the parent domain

  • A compilation of local users and groups

  • Information on available SMB shares

  • The effective system security policy

This functionality is critical for network administrators and security professionals to assess the security posture of SMB (Server Message Block) services on a network. enum4linux provides a comprehensive view of the target system's SMB environment, which is essential for identifying potential vulnerabilities and ensuring that the SMB services are properly secured.

enum4linux -a target_ip

The above command is an example of how enum4linux might be used to perform a full enumeration against a target specified by target_ip.
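A null session against IPC$ leaves a trace in the Windows Security log: event 5140 ("A network share object was accessed") with the ANONYMOUS LOGON account and the IPC$ share. The PowerShell script below is an added example, not part of the original page; it pulls those events and summarises them per source address. It assumes the "Audit File Share" subcategory under Object Access is enabled (see the auditing item further down), and the 24-hour look-back window is an assumed default.

```powershell
# Added example (not from the original page): find IPC$ accesses made through
# an anonymous (null) session in the local Security log. Requires the
# "Audit File Share" subcategory (Object Access) to be enabled, otherwise no
# event 5140 is written. Run from an elevated PowerShell prompt.
param(
    [int]$Hours = 24   # look-back window; assumed default
)

$since = (Get-Date).AddHours(-$Hours)

# Event 5140 = "A network share object was accessed"
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5140; StartTime = $since } -ErrorAction SilentlyContinue

$hits = foreach ($ev in $events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # A null session shows up as the built-in ANONYMOUS LOGON account touching
    # the IPC$ share (ShareName is recorded as \\*\IPC$); that is exactly what
    # an enum4linux run relies on.
    if ($data['ShareName'] -like '*IPC$' -and $data['SubjectUserName'] -eq 'ANONYMOUS LOGON') {
        [pscustomobject]@{
            Time     = $ev.TimeCreated
            SourceIP = $data['IpAddress']
            Share    = $data['ShareName']
            Account  = $data['SubjectUserName']
        }
    }
}

if (-not $hits) {
    "No anonymous IPC`$ access in the last $Hours hour(s)."
} else {
    # One row per source address: how often it happened and when it was last seen
    $hits | Group-Object SourceIP | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            SourceIP = $_.Name
            Accesses = $_.Count
            LastSeen = ($_.Group | Measure-Object Time -Maximum).Maximum
        }
    } | Format-Table -AutoSize
}
```

A burst of 5140 events from one external address, all under ANONYMOUS LOGON, is the pattern to alert on; a single internal hit is often a legitimate service or monitoring probe and should be checked against the asset inventory first.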

Mitigating Security Risks Associated with SMB Shared Folder Enumeration

There are several best practices and configuration changes that can mitigate the risks associated with SMB shared folder enumeration:

1. Use Strong Access Control Policies

  • Review Permissions: Ensure that shared folders have appropriate permissions, limiting access to only the necessary users and groups. Avoid giving excessive permissions to groups like “Everyone” or “Anonymous.”

    • For example, restrict access to only the relevant users or departments for sensitive data.

2. Disable Unnecessary Shares

  • Remove Unused or Misconfigured Shares: If certain shares are no longer needed, disable or remove them. Also, avoid creating administrative shares (e.g., C$, ADMIN$) unless absolutely necessary.

3. Implement SMB Signing

  • Enable SMB Signing: SMB signing ensures the authenticity and integrity of the SMB communication, making it harder for attackers to launch Man-in-the-Middle (MitM) attacks.

    • This can be enforced using Group Policy:

      Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options
      Microsoft network client: Digitally sign communications (always) -> Enabled
      Microsoft network server: Digitally sign communications (always) -> Enabled

4. Use Encrypted SMB (SMB 3.0)

  • SMB 3.0 Encryption: Use SMB 3.0 with encryption to prevent unauthorized access and protect SMB data in transit.

    • Encryption can be enforced for sensitive shares; the following PowerShell command turns it on for every share on the server:

      Set-SmbServerConfiguration -EncryptData $true

5. Block SMB Traffic on Public Networks

  • Limit SMB Exposure: Block SMB traffic on untrusted networks (e.g., the internet or external subnets) by using firewalls to block ports 137, 138, 139, and 445. Restrict SMB access to only trusted devices and internal networks.

    • In Windows Firewall, create inbound and outbound rules to block SMB:

      New Inbound Rule -> Port -> TCP/UDP -> Specific Ports (137, 138, 139, 445)
      

6. Enforce Authentication

  • Disable Anonymous Access: Ensure that anonymous access to shares is disabled to prevent unauthenticated users from accessing sensitive data. This can be configured in Group Policy:

    Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options
    Network access: Shares that can be accessed anonymously -> None

7. Regular Auditing and Monitoring

  • Audit Shared Folder Usage: Regularly audit shared folders to ensure that no unauthorized access has been granted. Use event logging to track access to sensitive shares and monitor for suspicious activity.

    • In Windows, configure auditing for file access via the following:

      Group Policy Management Editor -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Object Access
      

8. Disable SMBv1

  • Disable SMBv1: SMBv1 is insecure and deprecated. Disabling it eliminates the risks associated with its vulnerabilities, such as the EternalBlue exploit used in ransomware attacks like WannaCry.

    • Disable SMBv1 using PowerShell:

      Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
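The checklist above can be verified in one pass. The following PowerShell script is an added example, not from the original page: it reads the local SMB server configuration, share ACLs and firewall rules, reports deviations from items 1, 3, 4, 5, 6 and 8, and applies the server-wide fixes only when run with the assumed -Fix switch. Group Policy settings (items 3, 6, 7) are not touched; the script only checks the effective local state.

```powershell
# Added example (not from the original page): audit the local SMB server against
# the hardening items above and report what deviates. Nothing is changed unless
# -Fix is given. Run from an elevated PowerShell prompt on Windows 10 / Server 2016+.
param([switch]$Fix)

$cfg = Get-SmbServerConfiguration
$findings = @()

# Item 8: SMBv1 must be off. Item 3: signing required. Item 4: encryption enforced.
if ($cfg.EnableSMB1Protocol)            { $findings += 'SMBv1 is enabled' }
if (-not $cfg.RequireSecuritySignature) { $findings += 'SMB signing is not required' }
if (-not $cfg.EncryptData)              { $findings += 'SMB 3.x encryption is not enforced server-wide' }

# Items 1 and 6: non-administrative shares granting access to Everyone, Guests or anonymous users
$loose = Get-SmbShare | Where-Object { -not $_.Special } | Get-SmbShareAccess |
    Where-Object { $_.AccountName -match 'Everyone|ANONYMOUS LOGON|Guests' -and $_.AccessControlType -eq 'Allow' }
foreach ($a in $loose) { $findings += "Share '$($a.Name)' grants $($a.AccessRight) to $($a.AccountName)" }

# Item 5: at least one enabled inbound rule must block TCP 445 (137-139 are handled the same way)
$blocked = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' }
if (-not $blocked) { $findings += 'No enabled inbound firewall rule blocks TCP 445' }

if (-not $findings) { 'SMB server configuration matches the hardening checklist.'; return }
$findings | ForEach-Object { "FINDING: $_" }

if ($Fix) {
    # Server-wide settings for items 3, 4 and 8. Disabling SMBv1 completely needs a reboot.
    # Per-share alternative for item 4: Set-SmbShare -Name <share> -EncryptData $true
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -EncryptData $true -Force
    Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart

    # Item 5: block inbound SMB on the Public (untrusted) profile only, so domain traffic keeps working
    if (-not $blocked) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (Public)' -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Profile Public -Action Block | Out-Null
    }

    # Items 1 and 6: loose grants are reported, not removed, because the right replacement
    # principal is a business decision; fix them with Revoke-SmbShareAccess / Grant-SmbShareAccess.
    'Applied server-wide fixes; review the share permissions listed above manually.'
}
```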

Last updated 5 months ago