139/445 - NetBIOS/SMB

NetBIOS/Server Message Block

NetBIOS listens on TCP 139 and several UDP ports. SMB (TCP 445) and NetBIOS are separate protocols; however, modern implementations of SMB often utilize NetBIOS over TCP for backwards compatibility. SMB has a history of vulnerabilities but we are primarily interested in SMB for enumeration of shares to search for credentials, backups and other information that may help us gain a foothold.

We can search for NetBios/SMB hosts using nmap or nbtscan:

nmap -v -p 139,445 10.11.1.1-254 
sudo nbtscan -r 10.11.1.0/24 

NSE scripts

• Viewable with ls -l /usr/share/nmap/scripts/smb*

nmap -p 139,445 --script=smb* 10.11.1.75
nmap --script=smb-enum* 10.11.1.227
nmap -p 139,445 --script=smb-enum-users 10.11.1.75
nmap -v -p 139,445 -oG smb.txt 10.11.1.1-245 –open
nmap --script smb-vuln-* 10.10.10.40
nmap -p 139,445 --script=smb-os-discovery 10.10.10.40

CrackMapExec

crackmapexec smb $ip_range -u '' -p '' (enumerate null shares)
crackmapexec smb $ip_range --pass-pol
crackmapexec smb $ip_range --users
crackmapexec smb $ip_range --groups
crackmapexec smb $ip_range -u user -p 'password' -d domain --shares
crackmapexec smb $ip_address -u user -p 'password' -d domain --shares --spider "C$" --pattern "pass"

smbclient

enum4linux

showmount

mount

Download shares

smbclient.py

Eternal Blue

• Metasploit module available, search MS17-010 in MSFconsole

• Manual - https://github.com/3ndG4me/AutoBlue-MS17-010

• Link includes a python script to check for vulnerability eternal_checker.py