28 April 2020

What Is SMB Enumeration?


Enumeration is the phase in penetration testing that comes after the information gathering phase, in which the maximum amount of information about the target system is sought. At this stage, information such as which services are using the open ports that have been identified, which vendor’s services these are, and their version numbers is discovered using a method called “banner grabbing”. After confirming the accuracy of this information through manual tests, vulnerability databases are scanned in light of this information and known vulnerabilities are noted for use in subsequent phases. The information obtained during the Reconnaissance phase provides a perspective on the target systems, and the information obtained at this stage plays an important role in the enumeration phase.

SMB (Server Message Block) is a network protocol used by Windows systems that allows systems on the same network to share files. SMB enables systems connected to the same network or the same domain environment to access files on other systems as easily as if they were on their own local drives. SMB also allows systems in the same environment to share printers and serial ports. Initially developed for Windows, SMB can also be used by other platforms, including Unix and Mac OS X systems, through Samba, an open-source implementation of the protocol. The SMB protocol uses TCP ports 139 and 445 by default.

SMB is one of the most important protocols that can be used to make progress in penetration tests. The SMB protocol is among the top protocols targeted by penetration testing experts due to situations such as:

This article will cover the operations performed during the SMB Enumeration phase and the tools that can be used for these operations.

SMB Enumeration

When the SMB protocol is exposed to external access, SMB enumeration is performed in order to obtain information such as directories open for sharing, user information, machine information, and vulnerabilities affecting the target system. The information obtained during the enumeration phase guides the penetration phase.

The following tools are available on KALI Linux for SMB Enumeration operations:

SMB Enumeration operations performed using these tools are explained below.

nmblookup

NetBIOS (Network Basic Input/Output System) is a system that enables different systems on a local network to communicate with each other. NetBIOS, originally created by IBM for desktop computers, was later adapted by Microsoft for Windows operating systems. Nmblookup is used to query NetBIOS names and match those names to IP addresses. The following command can be used to make a query for an IP address with Nmblookup:

nmblookup -A 192.168.35.132

Additionally, nmblookup provides the ability to list domain information and MAC address information of the target system through NetBIOS suffixes. The information expressed by NetBIOS suffixes is explained below:

Unique names:

Group names:

As a result of the enumeration operation performed using the nmblookup tool, the host name of the machine with IP address 192.168.35.132 was determined to be FILESERVER, the NetBIOS name of the domain environment to which it was connected to be PRIVIASECURITY, and the file service name to be FILESERVER.

Figure 2.1 NMBLOOKUP

nbtscan

Nbtscan is a program used to scan IP addresses to find NetBIOS names. Nbtscan sends a NetBIOS status query to each address in a given range and, based on the responses received, lists the following for each system: IP address, NetBIOS name, logged-in username and MAC address.
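Both nmblookup -A and nbtscan work the same way underneath: they send a NetBIOS node status (NBSTAT) query for the wildcard name "*" to UDP port 137 and decode the name table in the reply, where each 16-byte name ends in the suffix byte and a flag word whose top bit marks group names. The Python below is an added example, not code from the original article or from either tool: it encodes the query, constructs a reply such as the FILESERVER host in the PRIVIASECURITY domain described above could send (the MAC address is a placeholder), and decodes it into the name, suffix, group flag and service that the tools print.

```python
import struct

# Well-known NetBIOS suffixes (RFC 1001 / Microsoft docs), keyed by (suffix, is_group).
SUFFIXES = {(0x00, False): "Workstation Service", (0x03, False): "Messenger Service",
            (0x20, False): "File Server Service", (0x1B, False): "Domain Master Browser",
            (0x1D, False): "Master Browser", (0x00, True): "Domain Name",
            (0x1C, True): "Domain Controllers", (0x1E, True): "Browser Service Elections"}

def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """RFC 1001 first-level encoding: 15-char name + suffix byte, each nibble mapped to 'A'..'P'."""
    pad = b"\x00" if name == "*" else b" "          # the wildcard name '*' is NUL-padded
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    enc = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)
    return bytes([len(enc)]) + enc + b"\x00"

def build_node_status_request(trn_id: int = 0x1234) -> bytes:
    """The NBSTAT query to UDP/137 that nmblookup -A and nbtscan send for the name '*'."""
    header = struct.pack(">HHHHHH", trn_id, 0x0000, 1, 0, 0, 0)
    return header + encode_netbios_name("*") + struct.pack(">HH", 0x0021, 0x0001)

def build_node_status_response(trn_id: int, names: list, mac: bytes) -> bytes:
    """Build a reply the way a Windows host answers; used here only to construct sample data."""
    entries = b"".join(n.upper().encode("ascii").ljust(15) + bytes([sfx])
                       + struct.pack(">H", 0x8000 if group else 0) for n, sfx, group in names)
    rdata = bytes([len(names)]) + entries + mac + bytes(40)   # MAC opens the statistics block
    header = struct.pack(">HHHHHH", trn_id, 0x8400, 0, 1, 0, 0)
    return header + encode_netbios_name("*") + struct.pack(">HHIH", 0x0021, 1, 0, len(rdata)) + rdata

def parse_node_status_response(pkt: bytes) -> dict:
    """Decode the name table (name, suffix, group flag, service) and MAC as nmblookup -A prints them."""
    _, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or ancount != 1:
        raise ValueError("not a node status response")
    off = 12 + 1 + pkt[12] + 1                          # skip RR_NAME: length byte, name, terminator
    rr_type = struct.unpack(">H", pkt[off:off + 2])[0]
    if rr_type != 0x0021:
        raise ValueError("unexpected RR type")
    off += 10                                           # RR_TYPE, RR_CLASS, TTL, RDLENGTH
    num_names, off = pkt[off], off + 1
    names = []
    for _ in range(num_names):
        entry, off = pkt[off:off + 18], off + 18
        sfx, group = entry[15], bool(struct.unpack(">H", entry[16:18])[0] & 0x8000)
        names.append({"name": entry[:15].decode("ascii", "replace").rstrip(), "suffix": sfx,
                      "group": group, "service": SUFFIXES.get((sfx, group), "Unknown")})
    return {"names": names, "mac": ":".join(f"{b:02x}" for b in pkt[off:off + 6])}

# Constructed sample: how the article's FILESERVER host could answer (MAC is a placeholder value).
SAMPLE = build_node_status_response(0x1234, [("FILESERVER", 0x00, False), ("PRIVIASECURITY", 0x00, True),
         ("FILESERVER", 0x20, False), ("PRIVIASECURITY", 0x1E, True)], bytes.fromhex("000000000001"))
```

On the defensive side, the same decoder applied to captured UDP/137 traffic shows exactly which names and the MAC a host discloses to any unauthenticated query, which is the information a scan of the network would collect.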

Figure 2.2 NBTSCAN

SMBMAP

SMBMap is a tool that lists directories and disk drives open for sharing, shared files, and permissions on directories and disk drives open for sharing. Additionally, using the SMBMap tool, files can be uploaded to the target system, files can be downloaded from the target system and commands can be run remotely on the target system. This tool aims to make it easier to search for sensitive data when there are many target systems in penetration tests.

The SMBMap tool can be used anonymously by specifying only the address of the target system.

Figure 2.3 SMBMAP Anonymous Listing

No information was obtained as a result of the anonymous listing operation. If credentials have been obtained for the target system, listing can be performed using those credentials.

Figure 2.4 SMBMAP Authenticated Listing

SMBCLIENT

Smbclient is an SMB client that can communicate with a target SMB server. Using the smbclient tool, files can be downloaded from the target server, files can be uploaded to the target server, or directory and file information can be obtained.

Using the SMBClient tool, information can be obtained about directories open for sharing on the target system. When no credentials are specified, the listing operation is performed anonymously.

Figure 2.5 SMBClient Anonymous Listing
Figure 2.6 Anonymous Directory Access with SMBClient

The SMBClient tool can be used by specifying credentials belonging to a user account. In this way, depending on that account’s permissions, access can be gained to directories that cannot be accessed anonymously.

Figure 2.7 Authorised Directory Access with SMBClient

RPCCLIENT

Rpcclient is a tool originally developed to test Samba’s MS-RPC functionality. Rpcclient can be used to open an SMB session on the target system and perform enumeration operations.

Figure 2.8 RPCCLIENT

The “queryuser” command can be used to obtain information about users.

Figure 2.9 RPCCLIENT User Information

NMAP

Nmap is an open-source tool used for network scanning and vulnerability detection. Using the Nmap tool, SMB enumeration can be performed by running a script scan against TCP ports 139 and 445 on the target system.

Figure 2.10 SMB Enumeration with NMAP

If SMBv1 is active on target systems, those systems may be vulnerable to the MS17-010 security vulnerability. MS17-010 is a critical security vulnerability that allows an unauthenticated attacker to gain access to the target system with SYSTEM privileges. Using the Nmap tool, target systems can be scanned for the MS17-010 security vulnerability.

Figure 2.11 MS17-010

ENUM4LINUX

Enum4linux is a tool used to enumerate information from Windows and Samba systems. It wraps the functionality of the smbclient, rpcclient, net and nmblookup tools. The main features of this tool are as follows:

Using the enum4linux tool, SMB enumeration was performed anonymously on the target system.

Figure 2.12 Enum4Linux Anonymous Listing
