SMB

Shares

Shares are folders that a machine exposes so that other computers and users on the network can access them. You can list the shares of a host with the net view command, the Get-SmbShare PowerShell cmdlet, or smbclient.py.

C:\> net view \\dc01.contoso.local /all
Shared resources at \\dc01.contoso.local

Share name  Type  Used as  Comment

-------------------------------------------------------------------------------
ADMIN$      Disk           Remote Admin
C$          Disk           Default share
IPC$        IPC            Remote IPC
NETLOGON    Disk           Logon server share
SYSVOL      Disk           Logon server share
The command completed successfully.

To access a share you can use a UNC path like \\dc01.contoso.local\SYSVOL\, or map the remote share to a local drive letter with the net use command.

To refer to the target computer in the UNC path you can use either its DNS name or its NetBIOS name, for example net view \\dc01.contoso.local or net view \\dc01.

C:\> dir \\dc01\sysvol
 Volume in drive \\dc01\sysvol has no label.
 Volume Serial Number is 609D-528B

 Directory of \\dc01\sysvol

28/11/2020  11:02    <DIR>          .
28/11/2020  11:02    <DIR>          ..
28/11/2020  11:02    <JUNCTION>     contoso.local [C:\Windows\SYSVOL\domain]
               0 File(s)              0 bytes
               3 Dir(s)  20,050,214,912 bytes free

Shares are very useful for users, who can access files on other machines without needing any special program. Hence, they are also very practical for attackers to move files from one computer to another in order to exfiltrate them. A new share is created with the net share command; this one publishes C:\Temp with full access for everyone:

C:\> net share Temp=C:\Temp /grant:everyone,FULL
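An added example, not taken from the original page: the same inventory done from the defender's side in PowerShell. It uses the SmbShare module's Get-SmbShare and Get-SmbShareAccess cmdlets to flag user-created shares whose ACL lets Everyone (or a similarly broad group) write, and wraps a hardened counterpart of the net share command above. The function names are ours, and CONTOSO\FileAdmins is an assumed group name.

```powershell
# Added example (not part of the original page). Requires the SmbShare module
# (Windows 8 / Server 2012 and later).

# Principals that effectively mean "anyone who can reach port 445".
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'NT AUTHORITY\ANONYMOUS LOGON'
)

function Get-PermissiveSmbShare {
    # Lists user-created shares whose share ACL lets a broad principal write.
    [CmdletBinding()]
    param(
        # Optional CIM session to audit a remote host, e.g. (New-CimSession -ComputerName dc01).
        [CimSession]$CimSession
    )
    $common = @{}
    if ($CimSession) { $common.CimSession = $CimSession }

    foreach ($share in Get-SmbShare @common) {
        # Special = $true marks the built-in C$, ADMIN$, IPC$ ... shares, which are
        # already restricted to administrators; only the rest are examined.
        if ($share.Special) { continue }

        foreach ($ace in (Get-SmbShareAccess -Name $share.Name @common)) {
            $isBroad  = $BroadPrincipals -contains $ace.AccountName
            $canWrite = $ace.AccessRight.ToString() -in 'Full', 'Change'
            if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $canWrite) {
                [pscustomobject]@{
                    Share     = $share.Name
                    Path      = $share.Path
                    Principal = $ace.AccountName
                    Right     = $ace.AccessRight
                }
            }
        }
    }
}

function New-RestrictedSmbShare {
    # Hardened counterpart of: net share Temp=C:\Temp /grant:everyone,FULL
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path,
        # Only these principals get write access; nothing is granted to Everyone.
        [Parameter(Mandatory)][string[]]$FullAccess
    )
    # -EncryptData turns on SMB 3 encryption for this share, so its traffic cannot be read on the wire.
    # Share permissions combine with the NTFS ACL of $Path (the most restrictive wins),
    # so the folder's NTFS permissions must be narrowed as well.
    New-SmbShare -Name $Name -Path $Path -FullAccess $FullAccess -EncryptData $true
}

# Audit the local machine (add -CimSession for a remote one):
Get-PermissiveSmbShare | Format-Table -AutoSize

# Create the Temp share the safe way (CONTOSO\FileAdmins is an assumed group name):
# New-RestrictedSmbShare -Name Temp -Path C:\Temp -FullAccess 'CONTOSO\FileAdmins'
# And remove it once it is no longer needed; abandoned shares are what an audit usually finds:
# Remove-SmbShare -Name Temp -Force
```

The audit deliberately skips the Special (built-in) shares: their access is fixed to administrators, so the findings that matter are the user-created ones such as the Temp share above.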

Default shares

You may have noticed above that some share names end with $. These are C$, ADMIN$ and IPC$, and they are present by default on every Windows computer.

To access C$ and ADMIN$ you need Administrator privileges on the target computer. Through these shares (especially C$) you can inspect all the files of the computer. Several tools actually rely on them: for example, PsExec uses ADMIN$ to deploy the binary in charge of executing the given command.

The IPC$ share is a special share used to create named pipes.

Default domain shares

Apart from the common shares, in a domain the Domain Controllers also publish the SYSVOL and NETLOGON shares, which are available to any user or computer of the domain. They store files that need to be accessed by all the machines (at least the Windows ones) of the domain.

The SYSVOL share is commonly used to store the Group Policy templates that the computers read to apply the Group Policies deployed in the domain. Sometimes these policies contain passwords. You can access the SYSVOL share with the \\<domain>\SYSVOL UNC path.

The \\<domain>\SYSVOL\<domain>\scripts path is an alias for the NETLOGON share. The NETLOGON share is used to store the logon scripts that the computers of the domain need to execute.
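An added example, not taken from the original page: a PowerShell scan of SYSVOL for Group Policy Preference files that still carry a cpassword attribute, which is how passwords ended up in policies before MS14-025. It runs first against a constructed sample and then, commented out, against the \\<domain>\SYSVOL path, and it only reports where such entries live (file and account) so they can be removed; it does not decode them. MS14-025 and the preference file names are general knowledge, not from the page; the function name and the sample data are ours.

```powershell
# Added example (not part of the original page). Reports Group Policy Preference
# files under SYSVOL that still carry a cpassword attribute. MS14-025 stopped new
# ones being written, but existing files stay in SYSVOL until someone removes them.
# Only the presence and the affected account are reported; the value is not decoded.

function Find-GppCredential {
    param(
        # Usually \\<domain>\SYSVOL\<domain>\Policies, readable by every domain user.
        [Parameter(Mandatory)][string]$SysvolPath
    )
    # The preference types that can embed a password.
    $gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
                'DataSources.xml', 'Drives.xml', 'Printers.xml'

    Get-ChildItem -Path $SysvolPath -Recurse -File -Include $gppFiles -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try { [xml]$doc = Get-Content -LiteralPath $file.FullName -Raw } catch { return }
            # Every element (a <Properties> node) that has a cpassword attribute.
            foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
                # The account attribute name differs per preference type.
                $account = $node.userName
                if (-not $account) { $account = $node.accountName }
                if (-not $account) { $account = $node.runAs }
                [pscustomobject]@{
                    File    = $file.FullName
                    Account = $account
                    Changed = $node.ParentNode.changed   # when the preference was last edited
                }
            }
        }
}

# Constructed sample (not real policy data) so the scanner can be run offline;
# the GPO GUID is a placeholder.
$demoRoot = Join-Path ([IO.Path]::GetTempPath()) 'gpp-demo'
$demoDir  = Join-Path $demoRoot 'Policies\{00000000-0000-0000-0000-000000000000}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="localadmin" changed="2020-11-28 11:02:00">
    <Properties action="U" userName="localadmin" cpassword="SAMPLE-VALUE-NOT-REAL" newName="" fullName="" description=""/>
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $demoDir 'Groups.xml') -Encoding UTF8

Find-GppCredential -SysvolPath $demoRoot | Format-List
Remove-Item -LiteralPath $demoRoot -Recurse -Force

# Against the real domain (every domain user can read this path, which is the point):
# Find-GppCredential -SysvolPath \\contoso.local\SYSVOL\contoso.local\Policies | Format-Table -AutoSize
```

The remediation for each hit is to delete the preference item (or recreate it without a stored password) and rotate the account it names, because the file has been readable by every domain member since the day it was written.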

Named pipes

The IPC$ share is not a directory; it is used to create named pipes, which allow processes on different computers to interact with each other through mechanisms like RPC (Remote Procedure Calls).

Named pipes can be seen as TCP ports that let machines communicate with each other, but inside the SMB protocol. They are used to make RPC calls, which allows a lot of protocols to communicate over SMB.

Usually, each protocol that works over the RPC/SMB stack defines a well-known named pipe that can be used to contact the remote service (the same idea as TCP/UDP ports). For example, the Netlogon protocol exchanges its messages over the \pipe\netlogon named pipe.
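An added example, not taken from the original page, that covers both the default shares section and the named pipes section: detection logic in PowerShell for connections to the administrative shares (ADMIN$, C$) and for use of the well-known RPC pipes behind IPC$, based on Windows Security events 5140 (share connected) and 5145 (file or pipe inside a share accessed). The classifier runs over constructed sample records so it works offline; the live collector at the end reads the real Security log. The pipe-to-service descriptions are general knowledge, not from the page, and the function names are ours.

```powershell
# Added example (not part of the original page). Classifies Security log records
# 5140 (a network share object was accessed, i.e. share connected) and 5145 (a file
# or pipe inside a share was accessed). Both need the "Audit File Share" and
# "Audit Detailed File Share" subcategories enabled on the server.

# Pipes behind well-known remote-management RPC interfaces. The service descriptions
# are general knowledge, not taken from the original page.
$WatchedPipes = @{
    'netlogon' = 'Netlogon (domain authentication)'
    'samr'     = 'SAM remote protocol (user and group enumeration)'
    'lsarpc'   = 'LSA (policy and SID lookups)'
    'srvsvc'   = 'Server service (share and session enumeration)'
    'svcctl'   = 'Service Control Manager (remote service creation, e.g. by PsExec)'
    'atsvc'    = 'Task Scheduler'
    'spoolss'  = 'Print Spooler'
}

function Test-SuspiciousShareAccess {
    # Returns a description when the record touches an administrative share or a
    # watched RPC pipe, $null otherwise.
    param([Parameter(Mandatory)][hashtable]$Record)  # flattened EventData fields

    $who    = '{0}\{1} from {2}' -f $Record.SubjectDomainName, $Record.SubjectUserName, $Record.IpAddress
    $share  = [string]$Record.ShareName
    $target = [string]$Record.RelativeTargetName

    # ShareName looks like \\*\ADMIN$ or \\*\C$ (any drive-letter share counts).
    if ($share -match '^\\\\\*\\(ADMIN|[A-Z])\$$') {
        return "event $($Record.Id): administrative share $share opened by $who"
    }
    # On IPC$ the RelativeTargetName of a 5145 record is the pipe name itself.
    if ($Record.Id -eq 5145 -and $share -eq '\\*\IPC$' -and $WatchedPipes.ContainsKey($target.ToLower())) {
        return "event 5145: RPC pipe $target ($($WatchedPipes[$target.ToLower()])) used by $who"
    }
    return $null
}

function ConvertFrom-ShareEvent {
    # Flattens a live EventLogRecord into the hashtable shape the classifier expects.
    param([Parameter(Mandatory, ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    process {
        $x = [xml]$Event.ToXml()
        $record = @{ Id = $Event.Id; Time = $Event.TimeCreated }
        foreach ($d in $x.Event.EventData.Data) {
            if ($d.Name) { $record[$d.Name] = $d.'#text' }
        }
        $record
    }
}

# Constructed sample records (not real log data) so the classifier can be exercised offline.
$SampleRecords = @(
    @{ Id = 5140; SubjectDomainName = 'CONTOSO'; SubjectUserName = 'jdoe';   IpAddress = '10.0.0.25'; ShareName = '\\*\ADMIN$' },
    @{ Id = 5145; SubjectDomainName = 'CONTOSO'; SubjectUserName = 'jdoe';   IpAddress = '10.0.0.25'; ShareName = '\\*\IPC$';  RelativeTargetName = 'svcctl' },
    @{ Id = 5140; SubjectDomainName = 'CONTOSO'; SubjectUserName = 'asmith'; IpAddress = '10.0.0.31'; ShareName = '\\*\Temp' },
    @{ Id = 5145; SubjectDomainName = 'CONTOSO'; SubjectUserName = 'WS01$';  IpAddress = '10.0.0.40'; ShareName = '\\*\SYSVOL'; RelativeTargetName = 'contoso.local\Policies' }
)
$SampleRecords | ForEach-Object { Test-SuspiciousShareAccess -Record $_ } | Where-Object { $_ }

# Against a real server, the last 24 hours of both event IDs:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5140, 5145; StartTime = (Get-Date).AddDays(-1) } |
#     ConvertFrom-ShareEvent | ForEach-Object { Test-SuspiciousShareAccess -Record $_ } | Where-Object { $_ }
```

Of the sample records only the first two are flagged: an ADMIN$ connection and a svcctl pipe open from the same workstation, which is the pattern the PsExec-style deployment described above leaves behind. A normal share and a workstation reading SYSVOL policies produce nothing, so the baseline noise stays low; in practice the source IP is then compared against the hosts that are expected to administer the server.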

https://www.hackingarticles.in/smb-penetration-testing-port-445/

SMB Enum & Exploitation & Hardening:
