SMB

Server Message Block, a stateful protocol defines extensions to the existing Common Internet File System (CIFS) protocol by introducing new flags, extended requests and responses, and new Information Levels.

SMB can be used for Files, printers, or serial port sharing.

[MS-SMB]: OverviewMicrosoftLearn

Extensions

Extensions to the CIFS protocol include:

TCP transport support besides SMB transport.

Session

Clients establish a session with a server and use that session to make a variety of requests to access:

files
printers
inter-process communication (IPC) mechanisms, such as named pipes

Commands

A set of SMB messages that are exchanged to perform an operation.

An SMB command is typically identified by a unique command code in the message headers.

SMBv2/3

These protocols, or dialects, borrow and extend concepts from the Server Message Block (SMB) Version 1.0 Protocol

[MS-SMB2]: Server Message Block (SMB) Protocol Versions 2 and 3MicrosoftLearn

Extensions

Refer to MS-SMB2 - Overview to see a list of extensions to SMBv1.

Relationship to Other Protocols

Overview

Information about protocols used by the SMB or use SMB.

[MS-SMB2]: Relationship to Other ProtocolsMicrosoftLearn

Authentication

The SMB 2 Protocol uses Simple and Protected GSS-API Negotiation (SPNEGO), as described in [MS-AUTHSOD] section 2.1.2.3.1 and specified in [RFC4178] and [MS-SPNG], which in turn can rely on

the Kerberos Protocol Extensions (as specified in [MS-KILE]) or
the NT LAN Manager (NTLM) Authentication Protocol (as specified in [MS-NLMP]).

The Server Service Remote

Refer to [MS-SRVS].

Remote Procedure Call (RPC)

The Remote Procedure Call Protocol Extensions, as specified in [MS-RPCE], define an RPC over SMB Protocol or SMB 2 Protocol sequence that can use SMB 2 Protocol named pipes as its underlying transport.

Distributed File System (DFS)

Enumeration

We can use commands or packages like smbclient, crackmapexec, or impakcet, etc. to enumerate SMB services in a Windows network environment.

Null Session Authentication

We can use smbclient to test if null session authentication is enabled:

$ smbclient -N -L '\\host\'

Use `smbclient` to download files recursively:

$ smbclient -N \\\\coder.htb\\Development
smb: \> mask ""
smb: \> recurse
smb: \> prompt
smb: \> mget *

Impacket

We try to understand the SMB protocols by inspecting the Impacket example modules.

PreviousWindows Protocols NextWindows Server

Last updated 2 years ago

hashtagSMB

hashtagExtensions

hashtagSession

hashtagCommands

hashtagSMBv2/3

hashtagExtensions

hashtagRelationship to Other Protocols

hashtagOverview

hashtagAuthentication

hashtagThe Server Service Remote

hashtagRemote Procedure Call (RPC)

hashtagDistributed File System (DFS)

hashtagEnumeration

hashtagNull Session Authentication

hashtagFile Sharing

hashtagImpacket

SMB

Extensions

Session

Commands

SMBv2/3

Extensions

Relationship to Other Protocols

Overview

Authentication

The Server Service Remote

Remote Procedure Call (RPC)

Distributed File System (DFS)

Enumeration

Null Session Authentication

File Sharing

Impacket