As a red teamer or pen tester, you probably understand the importance of reconnaissance in a successful attack. One of the most essential tools for reconnaissance is smbclient, a command-line tool that allows you to interact with SMB/CIFS servers. SMB/CIFS (Server Message Block/Common Internet File System) is a protocol that enables file sharing, printer sharing, and other communications between computers on a network.

In this article, we’ll examine smbclient more closely and explore how it can be used in a red team or pen testing engagement.

Overview of smbclient

Smbclient is a command-line tool that provides several features for interacting with SMB/CIFS servers. It can be used to:

  1. Connect to SMB/CIFS servers.
  2. List the shares that are available on a server.
  3. Access files and folders on a server.
  4. Upload and download files to and from a server.
  5. Create, delete, and modify files and folders on a server.
  6. Run commands on a server.

Smbclient is available on Linux, Unix, and Windows systems and is typically installed by default on most Linux distributions.

Connecting to an SMB/CIFS server

Before using smbclient to interact with a server, you need to connect to the server. The basic syntax for connecting to an SMB/CIFS server is as follows:

smbclient //[server]/[share] -U [username]

For example, to connect to a server named “fileserver” and access the “shared” share as the user “johndoe”, you would use the following command:

smbclient //fileserver/shared -U johndoe

Once you’ve entered this command, you’ll be prompted for the password for the user “johndoe”. If the password is correct, you’ll be connected to the server and can start interacting with it using smbclient commands.

Listing shares on a server

Once you’ve connected to a server, you can use smbclient to list the shares available on the server. To do this, you can use the “-L” option like so:

smbclient -L [server] -U [username]

For example, to list the shares that are available on the “fileserver” server as the user “johndoe”, you would use the following command:

smbclient -L fileserver -U johndoe

This will display a list of the shares available on the server, along with their names and descriptions.

Accessing files and folders on a server

Once you’ve connected to a server and listed the available shares, you can use smbclient to access files and folders on the server. The basic syntax for accessing a file or folder is as follows:

get [filename]

For example, to download a file named “document.docx” from the “shared” share on the “fileserver” server, you would use the following command:

get document.docx

This will download the file to your local system.

Uploading files to a server

In addition to downloading files from a server, you can also use smbclient to upload files to a server. The basic syntax for uploading a file is as follows:

put [filename]

For example, to upload a file named “exploit.exe” to the “shared” share on the “fileserver” server, you would use the following command:

put exploit.exe

This will upload the file to the server.

Creating, deleting, and modifying files and folders

In addition to downloading and uploading files, you can use smbclient to create, delete, and modify files and folders on a server. The basic syntax for these operations is as follows:

  • Creating a folder:

    mkdir [foldername]

    For example, to create a folder named “confidential” in the “shared” share on the “fileserver” server, you would use the following command:

    mkdir confidential

  • Deleting a folder:

    rmdir [foldername]

    For example, to delete the “confidential” folder in the “shared” share on the “fileserver” server, you would use the following command:

    rmdir confidential

  • Modifying a file:

    smbclient has no built-in editor, so a file is modified by downloading it, editing the local copy with your usual editor, and uploading it again:

    get [filename]
    put [filename]

    For example, to modify a file named “document.docx” in the “shared” share on the “fileserver” server, you would use the following commands:

    get document.docx
    put document.docx

    The first command downloads the file so you can open the local copy in an editor and make your changes. When you save the file and exit the editor, the second command uploads the changed copy back to the server, replacing the original.

Running commands on a server

Finally, you can use smbclient to run commands on a server. The basic syntax for running a command is as follows:

! [command]

For example, to run the “dir” command on the “shared” share on the “fileserver” server, you would use the following command:

! dir

This will execute the “dir” command on the server and display the results in your local smbclient session.

Real-world examples

Now that we’ve covered the basic functionality of smbclient, let’s look at some real-world examples of how it can be used in a red team or pen testing engagement.

Example 1: Enumeration

One of the most common uses for smbclient in a red team or pen testing engagement is enumeration. By using smbclient to connect to a server and list the available shares, you can quickly gain valuable information about the target network.

For example, imagine you’re conducting a pen test on a network, and you’ve identified a server that you suspect might contain valuable information. You can use smbclient to connect to the server and list the available shares to see if any contain sensitive data.

smbclient -L [server] -U [username]

This will display a list of the shares available on the server, along with their names and descriptions. By examining the share names and descriptions, you can identify shares that contain sensitive data, such as financial data or employee records.

Example 2: Data exfiltration

Another common use for smbclient in a red team or pen testing engagement is data exfiltration. Using smbclient to download files from a server, you can steal sensitive data from the target network and exfiltrate it to your system.

For example, imagine you’ve successfully accessed a server containing sensitive financial data. You can use smbclient to download the data to your local system, like so:

get financial_data.xlsx

This will download the financial data file to your local system, where you can analyze it and exfiltrate any valuable information.

Example 3: Privilege escalation

Finally, smbclient can also be used for privilege escalation in some cases. By uploading malicious files to a server, you might be able to exploit vulnerabilities in the server’s software and gain elevated privileges.

For example, imagine you’ve gained access to a server as a low-privileged user but want to escalate your privileges to gain access to sensitive data. You can use smbclient to upload a malicious file to the server, like so:

put malware.exe

This will upload the malicious file to the server. If the malicious file exploits vulnerabilities in the server’s software, you might be able to use it to gain elevated privileges.

Lesser-known features

In addition to the basic syntax and functionality of smbclient that we’ve covered so far, several lesser-known flags and options can be used to customize smbclient and perform more advanced tasks.

In this section, we’ll examine some of these flags and options in more detail and explore how they can be used in the context of a red team or pen testing engagement.

The -c flag

The -c flag can specify a command to be executed on the server immediately after the connection is established. This can be useful for executing a remote command or setting up a port forward.

For example, to execute the “whoami” command on the server immediately after connecting, you could use the following command:

smbclient //[server]/[share] -U [username] -c "whoami"

This will connect to the server, authenticate as the specified user, and execute the “whoami” command on the server.
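As an added example (not code from the original article), the following POSIX shell script ties the share listing from the earlier sections to the -c flag: it parses `smbclient -L` output and then, for each non-administrative disk share, runs smbclient non-interactively with -c "ls" (the -c argument is a semicolon-separated list of smbclient's own commands, such as ls and get) to check whether the share can be read without credentials. The sample listing, the host name and the SMBCLIENT variable are constructed for this example; the flags -L, -N and -c are real smbclient options.

```shell
#!/bin/sh
# Added example (not part of the original article): a small share-exposure audit
# that parses `smbclient -L` output and then uses -c to run a non-interactive
# `ls` in each disk share as an anonymous user.  Defender use: find shares that
# are listable or readable without credentials.  Assumes POSIX sh and awk.

SMBCLIENT="${SMBCLIENT:-smbclient}"   # can be pointed at a stub for offline tests

# Constructed sample of `smbclient -L` output, for exercising the parser offline.
sample_share_listing() {
    printf '\tSharename       Type      Comment\n'
    printf '\t---------       ----      -------\n'
    printf '\tADMIN$          Disk      Remote Admin\n'
    printf '\tIPC$            IPC       Remote IPC\n'
    printf '\tFinance         Disk      Finance department files\n'
    printf '\tprint$          Disk      Printer Drivers\n'
    printf 'SMB1 disabled -- no workgroup available\n'
}

# Turn the share table on stdin into "name<TAB>type<TAB>comment" rows.
# Caveat: a share name containing spaces would be split by awk's default
# field splitting, so such rows need manual review.
parse_share_list() {
    awk '
        /^[ \t]+Sharename[ \t]+Type[ \t]+Comment/ { in_table = 1; next }
        in_table && $1 ~ /^-+$/ { next }              # dashed underline
        in_table && !/^[ \t]/ { in_table = 0 }        # table ends at first unindented line
        in_table && NF >= 2 {
            comment = ""
            for (i = 3; i <= NF; i++) comment = comment (i > 3 ? " " : "") $i
            printf "%s\t%s\t%s\n", $1, $2, comment
        }'
}

# Keep only Disk shares that are not Windows administrative shares (ADMIN$, C$, ...).
nonadmin_disk_shares() {
    parse_share_list | awk -F '\t' '$2 == "Disk" && $1 !~ /\$$/ { print $1 }'
}

# Anonymous (-N) listing of every non-admin disk share on a host.  -c runs the
# smbclient-internal "ls" command and then exits, so no interactive session is
# needed.  Prints "share<TAB>readable" or "share<TAB>denied" per share.
audit_host() {
    host="$1"
    "$SMBCLIENT" -L "$host" -N 2>/dev/null | nonadmin_disk_shares |
    while IFS= read -r share; do
        if "$SMBCLIENT" "//$host/$share" -N -c 'ls' >/dev/null 2>&1; then
            printf '%s\treadable\n' "$share"
        else
            printf '%s\tdenied\n' "$share"
        fi
    done
}
```

Run it as `audit_host fileserver` from a shell that has sourced the script; a share reported as readable without credentials is one to tighten.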

The -I flag

The -I flag can be used to specify the server’s IP address. This can be useful in cases where the server’s hostname cannot be resolved.

For example, to connect to a server with the IP address 192.168.1.100, you could use the following command:

smbclient //[server]/[share] -I 192.168.1.100 -U [username]

This will connect to the server at the specified IP address and access the specified share.

The -P flag

The -P flag in smbclient specifies the stored machine account password, which can be useful when you want to connect to a server using the machine account rather than a user account.

The syntax for using the -P flag is as follows:

smbclient //[server]/[share] -P

This will connect to the server and authenticate using the stored machine account password.

It’s important to note that the -P flag is not used to specify a user password but rather the stored machine account password. Additionally, not all SMB/CIFS servers support the use of machine accounts, so it’s important to verify that the server supports this feature before attempting to use it.

Overall, the -P flag can be helpful when you need to connect to a server using the machine account rather than a user account. However, verifying that the server supports the feature and weighing the security implications before using it is essential.

The --pw-nt-hash flag

The --pw-nt-hash flag in smbclient can be used to specify a password hash in NTLM format, which can be useful in cases where you don’t want to transmit the plaintext password over the network.

The syntax for using the --pw-nt-hash flag is as follows:

smbclient //[server]/[share] -U '[username]%[hash]' --pw-nt-hash

The --pw-nt-hash flag takes no value of its own: it tells smbclient that the password it was given (here, the part after the “%” in the -U argument) is the NTLM hash of the password rather than the plaintext. The domain is passed separately with the -W flag. The hash can be generated using tools like John the Ripper or Hashcat.

For example, if the username is “johndoe”, the domain is “example.com”, and the NTLM hash of the password is “aabbccddeeff00112233445566778899”, you would use the following command:

smbclient //fileserver/shared -U 'johndoe%aabbccddeeff00112233445566778899' -W example.com --pw-nt-hash

This will connect to the server and authenticate as the specified user using the NTLM hash of the password.

It’s important to note that using the --pw-nt-hash flag can be less secure than transmitting the plaintext password over a secure connection, as the hash can be intercepted and used to gain unauthorized access. Additionally, not all SMB/CIFS servers support the use of NTLM password hashes, so it’s essential to verify that the server supports this feature before attempting to use it.

Overall, the --pw-nt-hash flag can be valuable when connecting to a server without transmitting the plaintext password over the network. However, weighing the security implications and ensuring that the server supports the feature before using it is essential.

Conclusion

In conclusion, smbclient is a powerful tool that can be used for a wide range of tasks in a red team or pen testing engagement. Whether connecting to SMB/CIFS servers, enumerating the target network, accessing files and folders, uploading and downloading files, or even running commands on the server, smbclient can be a valuable asset in your toolkit. By understanding the basic syntax and functionality of smbclient and its lesser-known flags and options, you can customize its behavior and perform more advanced tasks with greater efficiency and effectiveness. Whether you’re a seasoned pen tester or just starting, mastering smbclient can help you gain valuable information about your target and improve your chances of success.