Port 445

Port 445 is commonly targeted for hash-based relay attacks such as NTLM relay attacks.

Step-by-Step Explanation

Understanding Hash-Based Relays:
  • NTLM Relay Attack: An attacker intercepts and relays NTLM authentication requests to another service, effectively performing authentication on behalf of the victim.
  • SMB Protocol: Port 445 is used for SMB/CIFS traffic, which supports NTLM authentication.

Prioritizing Port 445:
  • Vulnerability: SMB is often targeted because it frequently supports New Technology LAN Manager (NTLM) authentication, making it susceptible to relay attacks.
  • Tools: Tools like Responder and NTLMRelayX are commonly used to capture and relay NTLM hashes over SMB.

Execution:
  • Capture Hash: Use a tool like Responder to capture NTLM hashes.
  • Relay Hash: Use a tool like NTLMRelayX to relay the captured hash to another service on port 445.


Server Message Block (SMB)

📝 Overview

  • What it is: The standard network file sharing protocol used in Microsoft Windows environments. It allows applications to read and write to files and request services from server programs in a computer network.
  • Ports: 445 (SMB over TCP) and 139 (NetBIOS/Legacy)
  • Target Phase: Enumeration / Exploitation
  • Operating System: Windows (primarily), Linux (via Samba)

⚙️ Core Capabilities (The Attacker’s Perspective)

  • Share Enumeration: Finding open, misconfigured file shares containing sensitive data or scripts.
  • User Enumeration: Pulling lists of valid domain users, password policies, and group memberships directly from the Domain Controller.
  • Authentication Relaying: Intercepting NTLM authentication requests and forwarding them to another machine to gain unauthorized access.

💻 Common Tools & Commands

Enumeration (Finding the open doors)

  • smbclient -L //[Target_IP]: Lists the available shares on a target server.
  • smbclient //[Target_IP]/[ShareName]: Connects to a specific share (like an FTP prompt) to download/upload files.
  • enum4linux -a [Target_IP]: A massive enumeration script that pulls users, shares, password policies, and OS info all at once.

Exploitation (Your relay steps)

  • Capture Hash: Use a tool like Responder to poison local network requests (LLMNR/NBT-NS) and capture NTLM hashes over SMB.
  • Relay Hash: Use a tool like NTLMRelayX to relay the captured hash to another service on port 445, effectively performing authentication on behalf of the victim.

⚠️ Notes & Vulnerabilities

  • Null Sessions (Anonymous Login): A massive historical vulnerability (especially in Windows 2000/2003) where SMB allows a user to connect without a password and pull full lists of users and shares. Modern Windows disables this by default, but it is often re-enabled accidentally by admins.
  • EternalBlue (MS17-010): A critical vulnerability in the SMBv1 protocol that allows for remote code execution. It was famously used by the WannaCry ransomware.
  • Prioritizing Port 445: SMB is heavily targeted for hash-based relay attacks because it frequently supports New Technology LAN Manager (NTLM) authentication.
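The defender's counterpart to the notes above is an audit of the SMB server settings each item depends on: SMBv1 (EternalBlue), SMB signing (the control that defeats NTLM relay to a host) and null-session access (anonymous enumeration). The script below is an added example, not part of the original notes or of any of the tools they mention; it uses the built-in SmbShare cmdlets and the LanmanServer registry key, and the -Fix switch and $findings list are my own additions. Run it in an elevated PowerShell session on Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original notes): audit, and optionally harden, the
# SMB server settings behind the Null Session, EternalBlue and NTLM relay notes.
# Usage:  .\Audit-Smb.ps1          (report only)
#         .\Audit-Smb.ps1 -Fix     (report and apply the hardening settings)
param([switch]$Fix)

$findings = @()

# 1. SMBv1 is the protocol version affected by MS17-010 (EternalBlue).
$srv = Get-SmbServerConfiguration
if ($srv.EnableSMB1Protocol) {
    $findings += "SMBv1 is enabled (MS17-010 / EternalBlue attack surface)"
    if ($Fix) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}

# 2. SMB signing. A relayed NTLM authentication cannot produce a valid session
#    signing key, so a server that REQUIRES signing rejects relayed sessions.
if (-not $srv.RequireSecuritySignature) {
    $findings += "SMB signing is not required on the server (NTLM relay to this host is possible)"
    if ($Fix) { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
}
$cli = Get-SmbClientConfiguration
if (-not $cli.RequireSecuritySignature) {
    $findings += "SMB signing is not required by the client"
    if ($Fix) { Set-SmbClientConfiguration -RequireSecuritySignature $true -Force }
}

# 3. Null sessions. RestrictNullSessAccess = 1 blocks anonymous access to
#    shares and named pipes that are not explicitly listed as null-session allowed.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$nullSess = (Get-ItemProperty -Path $lanman -Name RestrictNullSessAccess `
             -ErrorAction SilentlyContinue).RestrictNullSessAccess
if ($nullSess -ne 1) {
    $findings += "RestrictNullSessAccess is not 1 (anonymous null-session access may be allowed)"
    if ($Fix) { Set-ItemProperty -Path $lanman -Name RestrictNullSessAccess -Value 1 -Type DWord }
}

# 4. Non-administrative shares that grant access to Everyone: this is what an
#    'smbclient -L' or enum4linux run against the host would surface first.
foreach ($share in Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' }) {
    $open = Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccountName -match 'Everyone' -and $_.AccessControlType -eq 'Allow' }
    foreach ($ace in $open) {
        $findings += "Share '$($share.Name)' grants $($ace.AccessRight) to Everyone"
    }
}

# Report. Each line corresponds to one of the notes above.
if ($findings.Count -eq 0) {
    "No findings: SMBv1 off, signing required, null sessions restricted, no Everyone shares."
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Requiring signing on both client and server is what actually closes the relay path described in the Exploitation section; disabling SMBv1 addresses MS17-010 but does nothing for relay, and the two are often confused. Domain-wide, the same three settings are normally pushed through Group Policy rather than per host, so treat the script as a spot check of what the policy produced.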

🏷️ Tags

#Services #SMB #Port445 #Exploitable #Hash #NTLMRelay #Enumeration