SMB

🗒️ SMB (Server Message Block) - a network file-sharing protocol used on Windows for sharing files and peripherals

  • Ports: 445 (TCP), 139 (NetBIOS over TCP)

  • Two levels of authentication to access a share:

    • User Authentication - username & password

    • Share Authentication - password

    • both use a challenge-response authentication scheme

🗒️ Samba is the open-source SMB implementation for Linux

  • it allows Windows systems to access Linux shares

SMB Authentication

  1. Auth request from the client to the server

  2. The server sends the client a challenge string and asks it to encrypt that string with the user's password hash

  3. The client sends the encrypted string to the server

  4. The server computes the expected value for that user and compares it with the one the client sent: if they match, access is granted; if they don't, access is denied
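A minimal model of the four steps above, added here as an example and not part of the original notes. The server stores only hashes and issues a fresh single-use challenge per session; SHA-256 stands in for NTLM's MD4-based NT hash (an assumption made because MD4 is missing from many Python builds), and the account name, password and session ids are constructed sample values.

```python
import hashlib
import hmac
import secrets


def nt_hash(password: str) -> bytes:
    """Stored credential derived from the password (SHA-256 stand-in for NTLM's MD4)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(user_hash: bytes, challenge: bytes) -> bytes:
    """Client side (step 3): keyed MAC of the server's challenge using the password hash."""
    return hmac.new(user_hash, challenge, hashlib.md5).digest()


class SmbServer:
    """Holds only password hashes; the plaintext password never reaches the server."""

    def __init__(self, accounts: dict):
        self._hashes = {user: nt_hash(pw) for user, pw in accounts.items()}
        self._pending = {}  # outstanding challenges, keyed by session id

    def negotiate(self, session_id: str) -> bytes:
        """Step 2: issue a random 8-byte challenge for this session."""
        challenge = secrets.token_bytes(8)
        self._pending[session_id] = challenge
        return challenge

    def authenticate(self, session_id: str, user: str, response: bytes) -> bool:
        """Step 4: recompute the expected response and compare in constant time."""
        challenge = self._pending.pop(session_id, None)  # each challenge is single use
        user_hash = self._hashes.get(user)
        if challenge is None or user_hash is None:
            return False
        expected = compute_response(user_hash, challenge)
        return hmac.compare_digest(expected, response)


def client_login(server: SmbServer, session_id: str, user: str, password: str) -> bool:
    """Steps 1 to 3 from the client's side, returning the server's decision."""
    challenge = server.negotiate(session_id)
    response = compute_response(nt_hash(password), challenge)
    return server.authenticate(session_id, user, response)


if __name__ == "__main__":
    srv = SmbServer({"alice": "correct horse"})  # constructed sample account
    print(client_login(srv, "s1", "alice", "correct horse"))  # True
    print(client_login(srv, "s2", "alice", "wrong password"))  # False
```

Because the response is keyed by the stored hash rather than the password, the server can verify a client that knows only the hash, which is why the PsExec notes below list hashes alongside passwords.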

PsExec

PsExec - a lightweight telnet replacement that lets you execute processes on remote systems, complete with full interactivity for console applications, using any user's credentials

  • PsExec authentication is performed via SMB

  • Runs arbitrary commands or opens a remote command prompt

  • Commands are sent over a command-line session (no GUI, unlike RDP)

  • A legitimate user account with its password or hash is required to gain access to the Windows target

PsExec Exploitation

  1. Obtain credentials through various techniques, e.g. an SMB login brute-force attack.

  2. Narrow the attack down to common Windows user accounts, e.g. Administrator.

  3. Use the obtained credentials to authenticate via PsExec and execute system commands or get a reverse shell.
