SMB
Shares
Shares are like folders that a machine shares so that other computers/users in the network can access them. You can list the shares with the net view command, the Get-SmbShare PowerShell cmdlet, or smbclient.py.
To access a share, you can use a UNC path like \\dc01.contoso.local\SYSVOL\ or map the remote share to a local drive letter with the net use command. To refer to the target computer in the UNC path, you can use its DNS name or its NetBIOS name, for example net view \\dc01.contoso.local or net view \\dc01.
Shares are very useful for users to access files on other machines without having to worry about using any special program. Hence, they are also very practical for attackers to move files from one computer to another in order to exfiltrate them.
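The following is an added example (not part of the original page) that takes the three UNC forms used above (\\host, \\host\share and \\host\share\relative\path) apart and classifies the share the way the rest of this page does: default administrative shares, IPC$, the Domain Controller shares and everything else. It also resolves the \\<domain>\SYSVOL\<domain>\scripts alias to NETLOGON. Host names and paths in the demo are constructed.

```python
r"""Parse and classify Windows UNC paths such as \\dc01.contoso.local\SYSVOL\.

Added example: the share categories follow the text of this page; host names
and paths in the demo are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Shares every Windows host exposes by default; they require local Administrator rights.
ADMIN_SHARES = {"C$", "ADMIN$"}
# The IPC$ share carries named pipes rather than files.
IPC_SHARE = "IPC$"
# Shares published by every Domain Controller and readable by any domain member.
DOMAIN_SHARES = {"SYSVOL", "NETLOGON"}

# \\host                       -> group 1 only (what `net view \\dc01` takes)
# \\host\share                 -> groups 1 and 2
# \\host\share\relative\path   -> groups 1, 2 and 3
_UNC = re.compile(r"^\\\\([^\\/]+)(?:\\([^\\/]+)(?:\\(.*))?)?$")


@dataclass(frozen=True)
class UncPath:
    host: str
    share: Optional[str]   # None for a bare \\host reference
    relative: str          # path below the share root, "" for the root itself

    @property
    def host_is_fqdn(self) -> bool:
        # NetBIOS names carry no dots; DNS names such as dc01.contoso.local do.
        return "." in self.host

    @property
    def hidden(self) -> bool:
        # A trailing $ only hides the share from browse lists; it is not an access control.
        return bool(self.share) and self.share.endswith("$")

    @property
    def needs_admin(self) -> bool:
        return self.share is not None and self.share.upper() in ADMIN_SHARES

    def kind(self) -> str:
        if self.share is None:
            return "host"
        s = self.share.upper()
        if s in ADMIN_SHARES:
            return "administrative"
        if s == IPC_SHARE:
            return "ipc"
        if s in DOMAIN_SHARES:
            return "domain"
        return "custom"

    def canonical(self) -> "UncPath":
        r"""Resolve \\<domain>\SYSVOL\<domain>\scripts\... to the NETLOGON share it aliases."""
        parts = self.relative.split("\\") if self.relative else []
        if (self.share and self.share.upper() == "SYSVOL"
                and len(parts) >= 2 and parts[1].lower() == "scripts"):
            return UncPath(self.host, "NETLOGON", "\\".join(parts[2:]))
        return self


def parse_unc(path: str) -> UncPath:
    """Parse a UNC path; raise ValueError for anything that is not one (e.g. a local C:\ path)."""
    m = _UNC.match(path)
    if not m:
        raise ValueError(f"not a UNC path: {path!r}")
    host, share, rest = m.group(1), m.group(2), m.group(3) or ""
    return UncPath(host, share, rest.strip("\\"))


if __name__ == "__main__":
    for p in (r"\\dc01", "\\\\dc01.contoso.local\\SYSVOL\\", r"\\ws07\ADMIN$\System32",
              r"\\contoso.local\SYSVOL\contoso.local\scripts\logon.bat"):
        u = parse_unc(p)
        print(f"{p:55} kind={u.kind():14} hidden={u.hidden!s:5} "
              f"admin={u.needs_admin!s:5} -> {u.canonical()}")
```

Running the block prints one line per constructed path; the canonical() result for the scripts path shows the NETLOGON share with logon.bat as its relative path.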
Default shares
You may have noticed that some of the shares listed end with $. These shares are C$, ADMIN$ and IPC$, and they are present by default on any Windows computer.
To access C$ and ADMIN$ you are required to have Administrator privileges on the target computer. With these shares (especially C$) you can inspect all the files of the computer. These shares are actually used by several tools. For example, PsExec uses ADMIN$ to deploy the binary in charge of executing the given command.
The IPC$ share is a special share used to create named pipes.
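Because tools like PsExec reach a machine through ADMIN$ and C$, access to those two shares is a useful thing to watch for. The following is an added example (not from the original page) of that check from the defender's side: Windows Security event 5140 ("A network share object was accessed") records the share as \\*\NAME along with the account and source address, so the code flags 5140 records that open ADMIN$ or C$ from a source outside an allow-list, and separately reports sources that opened administrative shares on several computers. The event records, addresses and the allow-list are constructed for the demo.

```python
r"""Flag access to the administrative shares (ADMIN$, C$) in Windows Security event 5140 records.

Added example from a defender's perspective. Event 5140 ("A network share object was
accessed") reports the share as \\*\NAME together with the account and source address.
All records, addresses and the allow-list below are constructed for the demo.
"""
from collections import defaultdict

ADMIN_SHARES = {"ADMIN$", "C$"}

# Constructed: hosts from which administrators are expected to reach ADMIN$/C$ (e.g. a jump host).
EXPECTED_ADMIN_SOURCES = {"10.0.10.5"}

# Constructed 5140 records, reduced to the fields the check needs.
SAMPLE_EVENTS = [
    {"EventID": 5140, "Computer": "ws07.contoso.local", "AccountName": "adm.ops",
     "SourceAddress": "10.0.10.5", "ShareName": "\\\\*\\ADMIN$"},
    {"EventID": 5140, "Computer": "ws07.contoso.local", "AccountName": "jdoe",
     "SourceAddress": "10.0.20.44", "ShareName": "\\\\*\\C$"},
    {"EventID": 5140, "Computer": "ws09.contoso.local", "AccountName": "jdoe",
     "SourceAddress": "10.0.20.44", "ShareName": "\\\\*\\ADMIN$"},
    {"EventID": 5140, "Computer": "ws09.contoso.local", "AccountName": "jdoe",
     "SourceAddress": "10.0.20.44", "ShareName": "\\\\*\\IPC$"},
    {"EventID": 5140, "Computer": "dc01.contoso.local", "AccountName": "WS09$",
     "SourceAddress": "10.0.20.9", "ShareName": "\\\\*\\SYSVOL"},
    {"EventID": 4624, "Computer": "ws07.contoso.local", "AccountName": "jdoe",
     "SourceAddress": "10.0.20.44"},
]


def share_name(field: str) -> str:
    r"""Return the bare share name from a 5140 ShareName field such as \\*\ADMIN$."""
    return field.rsplit("\\", 1)[-1].upper()


def flag_admin_share_access(events, expected_sources=EXPECTED_ADMIN_SOURCES):
    """Return the 5140 records that open ADMIN$ or C$ from a source address not in the allow-list."""
    findings = []
    for e in events:
        if e.get("EventID") != 5140:
            continue
        share = share_name(e["ShareName"])
        if share not in ADMIN_SHARES or e["SourceAddress"] in expected_sources:
            continue
        findings.append({"computer": e["Computer"], "account": e["AccountName"],
                         "source": e["SourceAddress"], "share": share})
    return findings


def admin_share_fan_out(events, min_hosts=2):
    """Map each source address to the computers whose ADMIN$/C$ it opened, keeping only
    sources that reached at least min_hosts computers. One source touching the administrative
    share of many machines is the pattern remote-execution tooling such as PsExec leaves behind."""
    hosts_by_source = defaultdict(set)
    for e in events:
        if e.get("EventID") == 5140 and share_name(e["ShareName"]) in ADMIN_SHARES:
            hosts_by_source[e["SourceAddress"]].add(e["Computer"])
    return {src: sorted(hosts) for src, hosts in hosts_by_source.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for f in flag_admin_share_access(SAMPLE_EVENTS):
        print(f"ALERT   {f['account']}@{f['source']} opened {f['share']} on {f['computer']}")
    for src, hosts in admin_share_fan_out(SAMPLE_EVENTS).items():
        print(f"FAN-OUT {src} reached administrative shares on {len(hosts)} hosts: {', '.join(hosts)}")
```

IPC$ and SYSVOL accesses are deliberately left alone: every domain member opens them during normal operation, so alerting on them would only produce noise.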
Default domain shares
Apart from the common shares, in a domain the Domain Controllers also publish the SYSVOL and NETLOGON shares, which are available to any user/computer in the domain. They are used to store files that need to be accessed by all the machines (at least the Windows machines) of the domain.
The SYSVOL share is commonly used to store the Group Policy templates that the computers read to apply the Group Policies deployed in the domain. Sometimes these policies contain passwords. You can access the SYSVOL share with the \\<domain>\SYSVOL UNC path.
The \\<domain>\SYSVOL\<domain>\scripts path is an alias for the NETLOGON share. The NETLOGON share is used to store the logon scripts that need to be executed by the computers of the domain.
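Passwords end up in SYSVOL when a Group Policy Preferences item (a local user, service, scheduled task, mapped drive, ...) is configured with credentials; the policy XML then carries a cpassword attribute. The following is an added example (not from the original page) of the audit a defender would run over a copy of the Policies tree: it walks the directory, parses every XML file and reports each preference item that stores a non-empty cpassword, so the setting can be removed and the credential rotated. The directory layout, the GUID and the XML contents are constructed for the demo; the cpassword value is a placeholder, not a real blob.

```python
r"""Scan a SYSVOL Policies tree for Group Policy Preferences XML that stores a cpassword.

Added example: the directory layout and the XML below are constructed to mimic
\\<domain>\SYSVOL\<domain>\Policies\{GUID}\...\Preferences\...; the GUID and the
cpassword value are placeholders, not real data.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed Groups.xml: a local account whose password was set through Group Policy Preferences.
GROUPS_XML_WITH_PASSWORD = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="localadmin" image="2" changed="2015-05-06 10:00:00">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="CONSTRUCTED_PLACEHOLDER_NOT_A_REAL_BLOB"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="localadmin"/>
  </User>
</Groups>
"""

# Constructed Drives.xml: a drive mapping with no credentials, so no cpassword attribute.
DRIVES_XML_NO_PASSWORD = """<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="H:" status="H:" image="2" changed="2015-05-06 10:00:00">
    <Properties action="U" thisDrive="NOCHANGE" allDrives="NOCHANGE" userName=""
                path="\\\\fs01\\home" label="Home" persistent="1" useLetter="1" letter="H"/>
  </Drive>
</Drives>
"""

# Where each constructed file lives below the GPO folder (Machine vs User side, preference type, file).
SAMPLE_FILES = (
    (("Machine", "Preferences", "Groups", "Groups.xml"), GROUPS_XML_WITH_PASSWORD),
    (("User", "Preferences", "Drives", "Drives.xml"), DRIVES_XML_NO_PASSWORD),
)


def build_sample_sysvol() -> str:
    """Write the constructed files into a temporary SYSVOL-like tree and return its root."""
    root = tempfile.mkdtemp(prefix="sysvol_demo_")
    gpo = os.path.join(root, "contoso.local", "Policies",
                       "{00000000-0000-0000-0000-000000000001}")  # placeholder GPO GUID
    for parts, content in SAMPLE_FILES:
        path = os.path.join(gpo, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def find_cpasswords(root_dir: str):
    """Walk root_dir and return one finding per preference item whose Properties carry a
    non-empty cpassword attribute (an empty attribute means no password was stored)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root_dir)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                findings.append({"file": rel, "item": None, "account": None, "note": "unparseable XML"})
                continue
            # Each preference item (User, Task, Service, Drive, ...) holds one Properties child.
            for item in root.iter():
                for props in item:
                    if props.get("cpassword"):
                        findings.append({
                            "file": rel,
                            "item": f"{item.tag}:{item.get('name', '')}",
                            # Different preference types name the credential's account differently.
                            "account": props.get("userName") or props.get("runAs")
                                       or props.get("accountName") or "",
                            "note": "stored GPP password: remove the setting and rotate the credential",
                        })
    return findings


if __name__ == "__main__":
    sysvol = build_sample_sysvol()
    for f in find_cpasswords(sysvol):
        print(f"{f['file']}: {f['item']} account={f['account']!r} -> {f['note']}")
```

Against a real domain the same function would be pointed at a local copy of \\<domain>\SYSVOL\<domain>\Policies; parsing with ElementTree rather than grepping keeps the item name and the account together in the report, which is what the remediation ticket needs.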
Named pipes
The IPC$ share is not a directory; it is used to create named pipes, which allow processes on different computers to interact with each other through mechanisms like RPC (Remote Procedure Calls).
Named pipes can be seen as TCP ports that allow machines to communicate with each other, but inside the SMB protocol. They are used to make RPC calls, allowing many protocols to communicate over SMB.
Usually the protocols that work over the RPC/SMB stack define a well-known named pipe that can be used to contact the remote service (the same idea as TCP/UDP ports). For example, RPC uses the \pipe\netlogon named pipe to exchange the messages of the Netlogon protocol.
Links & Papers
https://www.hackingarticles.in/smb-penetration-testing-port-445/
SMB Enum & Exploitation & Hardening: