SMB
Server Message Block (SMB) is a stateful protocol that defines extensions to the existing Common Internet File System (CIFS) protocol by introducing new flags, extended requests and responses, and new Information Levels.
SMB can be used for file, printer, or serial port sharing.
Extensions to the CIFS protocol include:
TCP transport support besides SMB transport.
Clients establish a session with a server and use that session to make a variety of requests to access:
files
printers
inter-process communication (IPC) mechanisms, such as named pipes
An SMB command is a set of SMB messages that are exchanged to perform an operation.
It is typically identified by a unique command code in the message headers.
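The command code in the message header, read from messages carried over the TCP transport mentioned above, as an added example that is not part of the original notes. Field offsets follow the published MS-CIFS and MS-SMB2 header layouts; the function names and the sample bytes are constructed for illustration.

```python
import struct

# SMB2 command codes (subset of the Command field values in the SMB2 header).
SMB2_COMMANDS = {0x0000: "NEGOTIATE", 0x0001: "SESSION_SETUP", 0x0003: "TREE_CONNECT",
                 0x0005: "CREATE", 0x0008: "READ", 0x0009: "WRITE", 0x000B: "IOCTL"}
# SMB1 command codes (subset); seeing these on the wire means SMBv1 is still in use.
SMB1_COMMANDS = {0x72: "SMB_COM_NEGOTIATE", 0x73: "SMB_COM_SESSION_SETUP_ANDX",
                 0x75: "SMB_COM_TREE_CONNECT_ANDX"}

def parse_header(msg):
    """Summarise one SMB message: protocol family, command, direction, signing."""
    if msg[:4] == b"\xfeSMB" and len(msg) >= 64:
        # 64-byte SMB2 header: Command at offset 12, Flags at 16, SessionId at 40.
        command, _credit, flags = struct.unpack_from("<HHI", msg, 12)
        return {"family": "SMB2", "command": SMB2_COMMANDS.get(command, hex(command)),
                "response": bool(flags & 0x1), "signed": bool(flags & 0x8),
                "session_id": struct.unpack_from("<Q", msg, 40)[0]}
    if msg[:4] == b"\xffSMB" and len(msg) >= 32:
        # 32-byte SMB1 header: Command at offset 4, Flags at 9, Flags2 at 10, UID at 28.
        flags, flags2 = struct.unpack_from("<BH", msg, 9)
        return {"family": "SMB1", "command": SMB1_COMMANDS.get(msg[4], hex(msg[4])),
                "response": bool(flags & 0x80), "signed": bool(flags2 & 0x0004),
                "session_id": struct.unpack_from("<H", msg, 28)[0]}
    raise ValueError("unknown or short SMB header: %r" % msg[:4])

def parse_smb_stream(data):
    """Split a Direct TCP byte stream into SMB messages and summarise each one."""
    out, pos = [], 0
    while pos < len(data):
        # Direct TCP transport header: one zero byte, then a 3-byte big-endian length.
        if len(data) - pos < 4 or data[pos] != 0:
            raise ValueError("bad transport header at offset %d" % pos)
        length = int.from_bytes(data[pos + 1:pos + 4], "big")
        msg = data[pos + 4:pos + 4 + length]
        if len(msg) < length:
            raise ValueError("truncated message at offset %d" % pos)
        out.append(parse_header(msg))
        pos += 4 + length
    return out

def frame(msg):
    """Prefix a message with the Direct TCP transport header."""
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

# Constructed sample stream (not captured traffic): an SMB1 negotiate request
# followed by a signed SMB2 SESSION_SETUP response for session 0x1122.
SAMPLE = frame(b"\xffSMB\x72" + bytes(27)) + frame(struct.pack(
    "<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, 0x0001, 1, 0x9, 0, 1, 0, 0, 0x1122, bytes(16)))
```

Running `parse_smb_stream(SAMPLE)` returns one summary per message; an `SMB1` family entry in real traffic is a sign that the legacy dialect has not been disabled.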
These protocols, or dialects, borrow and extend concepts from the Server Message Block (SMB) Version 1.0 Protocol.
Refer to MS-SMB2 - Overview to see a list of extensions to SMBv1.
Information about protocols that SMB uses or that use SMB.
The SMB 2 Protocol uses Simple and Protected GSS-API Negotiation (SPNEGO), as described in [MS-AUTHSOD] section 2.1.2.3.1 and specified in [RFC4178] and [MS-SPNG], which in turn can rely on
the Kerberos Protocol Extensions (as specified in [MS-KILE]) or
the NT LAN Manager (NTLM) Authentication Protocol (as specified in [MS-NLMP]).
Refer to [MS-SRVS].
The Remote Procedure Call Protocol Extensions, as specified in [MS-RPCE], define an RPC over SMB Protocol or SMB 2 Protocol sequence that can use SMB 2 Protocol named pipes as its underlying transport.
We can use commands or packages like `smbclient`, `crackmapexec`, or `impacket` to enumerate SMB services in a Windows network environment.
We can use `smbclient` to test if null session authentication is enabled:
Use `smbclient` to download files recursively:
We try to understand the SMB protocols by inspecting the Impacket example modules.