SMB

Server Message Block (SMB) is a stateful protocol that defines extensions to the existing Common Internet File System (CIFS) protocol by introducing new flags, extended requests and responses, and new Information Levels.

SMB can be used for sharing files, printers, or serial ports.

Extensions

Extensions to the CIFS protocol include:

  • TCP transport support besides SMB transport.

Session

Clients establish a session with a server and use that session to make a variety of requests to access:

  • files

  • printers

  • inter-process communication (IPC) mechanisms, such as named pipes

Commands

A set of SMB messages that are exchanged to perform an operation.

An SMB command is typically identified by a unique command code in the message headers.
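The command code can be read straight from the message header, which is useful when triaging a packet capture for legacy SMB1 traffic or unsigned SMB2 messages. The following is an added example, not code from this page or from Impacket. It goes beyond the sentence above by covering both the 32-byte SMB1 header and the 64-byte SMB2/3 header. It assumes Direct TCP framing (a 4-byte length prefix); the function and sample names are hypothetical.

```python
import struct

# Subsets of the command codes in [MS-CIFS] (1 byte) and [MS-SMB2] (2 bytes).
SMB1_COMMANDS = {0x25: "SMB_COM_TRANSACTION", 0x72: "SMB_COM_NEGOTIATE",
                 0x73: "SMB_COM_SESSION_SETUP_ANDX", 0x75: "SMB_COM_TREE_CONNECT_ANDX",
                 0xA2: "SMB_COM_NT_CREATE_ANDX"}
SMB2_COMMANDS = dict(enumerate([
    "NEGOTIATE", "SESSION_SETUP", "LOGOFF", "TREE_CONNECT", "TREE_DISCONNECT",
    "CREATE", "CLOSE", "FLUSH", "READ", "WRITE", "LOCK", "IOCTL", "CANCEL", "ECHO",
    "QUERY_DIRECTORY", "CHANGE_NOTIFY", "QUERY_INFO", "SET_INFO", "OPLOCK_BREAK"]))

def parse_smb_frame(frame: bytes) -> dict:
    """Identify the dialect family and command of one Direct TCP SMB frame."""
    if len(frame) < 4 or frame[0] != 0:
        raise ValueError("not a Direct TCP frame")
    length = int.from_bytes(frame[1:4], "big")    # 3-byte big-endian length
    msg = frame[4:4 + length]
    if len(msg) < length:
        raise ValueError("truncated frame")
    if msg[:4] == b"\xffSMB":                     # SMB1: 32-byte header
        if len(msg) < 32:
            raise ValueError("short SMB1 header")
        code, _status, flags = struct.unpack_from("<BIB", msg, 4)
        return {"family": "SMB1", "code": code,
                "command": SMB1_COMMANDS.get(code, "UNKNOWN"),
                "is_response": bool(flags & 0x80)}        # SMB_FLAGS_REPLY
    if msg[:4] == b"\xfeSMB":                     # SMB2/3: 64-byte header
        if len(msg) < 64:
            raise ValueError("short SMB2 header")
        size, _charge, _status, code, _credits, flags = struct.unpack_from("<HHIHHI", msg, 4)
        if size != 64:
            raise ValueError("bad SMB2 StructureSize")
        return {"family": "SMB2", "code": code,
                "command": SMB2_COMMANDS.get(code, "UNKNOWN"),
                "is_response": bool(flags & 0x1),         # SMB2_FLAGS_SERVER_TO_REDIR
                "signed": bool(flags & 0x8)}              # SMB2_FLAGS_SIGNED
    raise ValueError("unrecognised protocol id")  # e.g. SMB3 encrypted transform header

def direct_tcp_frame(msg: bytes) -> bytes:
    """Prepend the Direct TCP prefix: one zero byte plus a 3-byte length."""
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

# Constructed header-only samples, not captured traffic.
SAMPLE_SMB1_NEGOTIATE = direct_tcp_frame(
    b"\xffSMB" + struct.pack("<BIB", 0x72, 0, 0x18) + bytes(22))
SAMPLE_SMB2_SESSION_SETUP = direct_tcp_frame(
    b"\xfeSMB" + struct.pack("<HHIHHI", 64, 1, 0, 1, 1, 0x9) + bytes(44))

if __name__ == "__main__":
    for sample in (SAMPLE_SMB1_NEGOTIATE, SAMPLE_SMB2_SESSION_SETUP):
        print(parse_smb_frame(sample))
```
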

SMBv2/3

These protocols, or dialects, borrow and extend concepts from the Server Message Block (SMB) Version 1.0 Protocol.

Extensions

Refer to MS-SMB2 - Overview to see a list of extensions to SMBv1.

Relationship to Other Protocols

Overview

Information about the protocols that SMB uses and the protocols that use SMB.

Authentication

The SMB 2 Protocol uses Simple and Protected GSS-API Negotiation (SPNEGO), as described in [MS-AUTHSOD] section 2.1.2.3.1 and specified in [RFC4178] and [MS-SPNG], which in turn can rely on

  • the Kerberos Protocol Extensions (as specified in [MS-KILE]) or

  • the NT LAN Manager (NTLM) Authentication Protocol (as specified in [MS-NLMP]).

The Server Service Remote

Refer to [MS-SRVS].

Remote Procedure Call (RPC)

The Remote Procedure Call Protocol Extensions, as specified in [MS-RPCE], define an RPC over SMB Protocol or SMB 2 Protocol sequence that can use SMB 2 Protocol named pipes as its underlying transport.

Distributed File System (DFS)

Enumeration

We can use tools and packages such as smbclient, crackmapexec, or Impacket to enumerate SMB services in a Windows network environment.

Null Session Authentication

We can use smbclient to test if null session authentication is enabled:

$ smbclient -N -L '\\host\'

File Sharing

Use `smbclient` to download files recursively:

$ smbclient -N \\\\coder.htb\\Development
smb: \> mask ""
smb: \> recurse
smb: \> prompt
smb: \> mget *

Impacket

We try to understand the SMB protocols by inspecting the Impacket example modules.
