How can I perform enumeration on SMB shares and their permissions

0 votes
I want to gather information about SMB shares and their access permissions on a network. What tools, such as smbclient, enum4linux, or smbmap, can I use for this purpose? How can I analyze the results to identify potential vulnerabilities in the permissions?

Detailed examples of the process and best practices would be helpful.
Nov 15 in Cyber Security & Ethical Hacking by Anupam
• 6,570 points
52 views

1 answer to this question.

0 votes

Performing SMB Share Enumeration and Analyzing Permissions

A protocol called SMB (Server Message Block) is used to share resources, such as printers and files. During a security evaluation, listing SMB shares and associated permissions can assist in identifying configuration errors and access flaws.

Below are tools, methods, and examples for effectively enumerating SMB shares and analyzing their permissions.

1. Using smbclient

smbclient is a command-line tool that functions like an FTP client for SMB shares.

Enumerate Shares:

smbclient -L //<target-ip> -U <username>
  • -L lists available shares.
  • Replace <username> with anonymous for unauthenticated access or provide valid credentials.

Example:

smbclient -L //192.168.1.100 -U anonymous

Access a Share:

smbclient //<target-ip>/<share-name> -U <username>

Example:

smbclient //192.168.1.100/public -U anonymous

Once connected, use commands like:

  • ls: List files.
  • cd <directory>: Change directory.
  • get <file>: Download a file.

2. Using enum4linux

enum4linux is a powerful tool for SMB enumeration, providing comprehensive information about shares, users, and groups.

enum4linux <target-ip>

Focused Enumeration:

List shares:

enum4linux -S <target-ip>

List users:

enum4linux -U <target-ip>

Example Output:

Sharename       Type      Comment
---------       ----      -------
IPC$            IPC       Remote IPC
public          Disk      Shared directory

3. Using smbmap

smbmap provides detailed information about share access permissions and file-level access.

smbmap -H <target-ip>

Example:

smbmap -H 192.168.1.100

Detailed Permissions:

smbmap -H <target-ip> -u <username> -p <password>

Recursive File Listing:

smbmap -H <target-ip> -R

Example Output:

Disk            Permissions    Comment
----            -----------    -------
public          READ           Shared directory
private         NO ACCESS      Confidential data

4. Using nmap with SMB Scripts

Nmap’s SMB scripts can enumerate shares, users, and permissions.

List Shares:

nmap --script smb-enum-shares -p 445 <target-ip>

List Users:

nmap --script smb-enum-users -p 445 <target-ip>

Example Output:

| smb-enum-shares:
|   Share       Type   Comment
|   -------     ----   -------
|   public      Disk   Shared directory
|   IPC$        IPC    Remote IPC

5. Using rpcclient

rpcclient allows querying the SMB server for detailed information.

Enumerate Shares:

rpcclient -U <username> <target-ip>

Example Commands

Connect to server:

rpcclient -U anonymous 192.168.1.100

List shares:

netshareenum

List users:

enumdomusers

6. Analyzing Permissions

  • Look for open shares like public or everyone with no restrictions.
  • Check for read/write access that shouldn't be available to unauthenticated users.
  • Test file upload/download capabilities to validate permissions.

Tools for Permission Analysis:

  • smbmap shows access levels (e.g., READ, WRITE).
  • Manual Testing: Use smbclient to attempt creating or modifying files in writable shares.

answered Nov 20 by CaLLmeDaDDY
• 9,420 points
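
An added example, not part of the original answer: a shell function that triages a share table laid out like the smbmap "Example Output" above, applying the checks listed under "Analyzing Permissions". The function names, severity labels and sample rows are constructed for illustration, and it assumes the listing was collected from a guest or low-privilege session.

```shell
#!/bin/sh
# Triage a share/permission table shaped like the smbmap example output
# (columns: Disk, Permissions, Comment, separated by two or more spaces).
# Reads the table on stdin and prints one line per share that grants access:
#   SEVERITY<TAB>share<TAB>permission<TAB>note
audit_shares() {
    awk -F '  +' '
        { sub(/^[ \t]+/, "") }                  # tolerate indented rows
        # Skip blank lines, the header row and the dashed rule under it.
        NF < 2 || $1 == "Disk" || $1 ~ /^-+$/ { next }
        {
            share = $1; perm = toupper($2)
            if (perm ~ /NO ACCESS/) next        # nothing granted
            if (perm ~ /WRITE/) {
                sev = "HIGH";    note = "writable from this session"
            } else if (perm ~ /READ/) {
                sev = "REVIEW";  note = "readable from this session"
            } else {
                sev = "UNKNOWN"; note = "unrecognised permission string"
            }
            # Administrative shares (name ends in $, other than IPC$) should
            # not grant file access to a guest or low-privilege session.
            if (share ~ /\$$/ && share != "IPC$") {
                sev = "HIGH"; note = note "; administrative share"
            }
            printf "%s\t%s\t%s\t%s\n", sev, share, perm, note
        }
    '
}

# Constructed sample listing (not captured from a real host).
sample_listing() {
    cat <<'EOF'
Disk            Permissions    Comment
----            -----------    -------
public          READ           Shared directory
private         NO ACCESS      Confidential data
uploads         READ, WRITE    Constructed example row
C$              READ           Constructed example row
IPC$            NO ACCESS      Remote IPC
EOF
}

sample_listing | audit_shares
```

Feed it a saved listing with `audit_shares < listing.txt`; rows marked HIGH are the ones to confirm and fix in the share and NTFS permissions first.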
