SMB | The Pentester's Best Friend | Andrew Nash
Continuing to explore common offensive tools, in this post I will give a high-level overview of how penetration testers frequently abuse the Server Message Block (SMB) protocol and a few versatile tools to do just that.
SMB and equivalent protocols like Samba for Linux are extremely versatile and powerful, particularly in an Active Directory environment. Whenever I conduct a penetration test for a client, you can bet I will be abusing SMB. There are multiple tools available for using SMB and many of them accomplish the same basic tasks. Using a framework such as MITRE ATT&CK (which I have roughly done here) is helpful for explaining how SMB can fit into most phases of a cyber-attack, and the tools that are relevant for each.
Initial Access | Discovery
Though external exposure of SMB services is not common in my experience, it can lead to initial access into a network. File shares frequently contain sensitive data (even credentials!), so you don't want those readable through null or anonymous logins (a topic for another day). In the case of an internal penetration test, there will likely be file shares on the network that grant "read" access to anyone, authenticated or not. SMB also provides attackers with a protocol to perform password attacks against, so even if file shares are not publicly readable it is still a significant risk to have the service accessible. Usernames can be gathered through open-source intelligence (OSINT) or other vulnerabilities to perform password spray attacks against. Below is an example of such an attack in my evolving demo lab using CrackMapExec (CME), the ever useful "swiss army knife" of pentesting. It can perform enumeration, authentication, code execution, and more. It supports several protocols, including SMB.
Looks like sgriffin should have chosen a better password… Unfortunately, passwords like this are still fairly common in real Active Directory environments, so don't underestimate the potential impact of a password spray attack.
Once initial access is gained, we can begin gathering more data about the domain we are targeting by gathering usernames, groups, computers, etc. This can be done with tools like CME, RPCclient, or enum4linux (all of which are linked at the end of this post). More than just pure SMB protocol is happening when running the commands below (such as LDAP, RPC, and SAMR), but it is responsible for most of the traffic. RPCclient allows for interaction with SAMR, LSARPC, Netlogon, and more to gather a lot of useful data. Enum4linux automates much of the enumeration done manually with RPCclient. Each of these three tools can perform system and domain enumeration through SMB but do so with varying amounts of traffic (enum4linux typically generates the most because of its automation).
Now with a list of valid domain users, we can perform additional password attacks for lateral movement. Looks like another account is using the same password as sgriffin, and it even has Administrator access on a workstation! Administrator access opens more possibilities to abuse SMB, specifically code execution.
Execution | Credential Access | Lateral Movement
Executing commands over SMB is straightforward with Impacket's SMBexec and CME (which runs Impacket under the hood). SMBexec allows us to drop into a shell and run commands as if we were sitting at the Windows command-line.
CME doesn't give us a shell in the same way as SMBexec but it allows us to send commands and receive their output. CME uses the “wmiexec” method by default, so the examples below specify "--exec-method smbexec" to specifically run over SMB. CME conveniently gathers password hashes with the "--sam" (Security Account Manager) and "--lsa" (Local Security Authority secrets) commands or built-in modules like “lsassy” (Local Security Authority Subsystem Service). Domain Administrator here we come.
Now with the Administrator’s password hash, we can execute a pass-the-hash attack to laterally move to the Domain Controller and obtain every domain user’s password hash.
There are many more possibilities for what you can do with code execution over SMB. On an engagement I may also install a Command and Control (C2) agent, perform in-depth system enumeration, or other tasks.
Collection
After gaining all those credentials, it’s time to hunt for data. Frequently sensitive data exists on file shares, which use what protocol? That’s right, SMB.
CME has features to search through accessible shares with its “spidering” feature. This can be helpful when looking for specific data like credentials. However, I generally find the most success by just manually searching shares using Impacket’s SMBclient tool, though it does take more time.
Blue Team Considerations
The attack surface for SMB is broad and monitoring it is critical. There are configuration changes that can help defend against many of these attacks. In keeping with the format I have used so far, I would like to provide some specific recommendations for the defenders out there. But that will need to wait for part two!
Links | References
https://github.com/Porchetta-Industries/CrackMapExec
https://www.samba.org/samba/docs/current/man-html/rpcclient.1.html