1. Overview
In networked file sharing, the Server Message Block (SMB) protocol plays a crucial role. SMB enables the sharing of files, printers, and other resources among devices on a local network or over the Internet. For system administrators and security professionals, determining which SMB shares a user has read and write access to from a Linux system can be essential for managing permissions.
In this tutorial, we’ll explore various methods to determine which SMB shares a user has read and write access to.
2. What Is SMB?
SMB is a network file-sharing protocol that enables applications on a network to communicate and share resources. Developed by Microsoft, SMB has become the standard for sharing files and printers between Microsoft Windows machines. SMB operates over TCP/IP and has evolved through different versions, with SMBv3 being the latest, offering improved security features.
3. Why Determine SMB Share Permissions?
SMB shares have permissions that dictate the level of access users or groups have to shared resources. Permissions include READ, WRITE, EXECUTE, and DELETE, among others. READ access allows users to view files, while WRITE access grants the ability to modify or create new files. Executing files and deleting them are additional permissions that should be carefully managed.
Determining SMB share permissions is crucial for several reasons. It enables security professionals and administrators to perform a number of activities efficiently:
- maintain security: understanding user access ensures that sensitive information is only accessible to authorized individuals, preventing unauthorized access and potential security breaches
- troubleshoot issues: when users face difficulties accessing certain files or directories, assessing SMB share permissions helps identify the root cause and resolve issues
- ensure compliance: many organizations have regulatory requirements regarding data access and sharing
Further, determining SMB share permissions helps organizations comply with the regulations, avoiding potential legal and financial consequences.
4. Using smbmap
smbmap is a powerful command-line tool designed for automated SMB enumeration. It comes with various features, including the ability to identify accessible shares.
Before using smbmap to list share permissions, let’s install it using apt-get:
$ sudo apt-get install smbmap
After completing the installation, let’s use smbmap to connect to the SMB service as the administrator user on the host 192.168.1.149. In this case, we use the -u option for the username and the -p option for the password, which lets us find the SMB shares and check the administrator’s permissions on each:
$ smbmap -u 'administrator' -p 'password123' -H 192.168.1.149
[+] IP: 192.168.1.149:445 Name: 192.168.1.149
Disk Permissions Comment
---- ----------- -------
ADMIN$ READ, WRITE Remote Admin
C$ READ, WRITE Default share
IPC$ READ ONLY Remote IPC
Users READ, WRITE
Travel NO ACCESS
The command output provides information about available shares on the host (192.168.1.149), specifying that the administrator user has READ and WRITE access on the ADMIN$, C$, and Users shares, READ ONLY access on the IPC$ share, and NO ACCESS on the Travel share.
Since share permissions differ from user to user, let’s also check what permissions the guest user has:
$ smbmap -u 'guest' -p '' -H 192.168.1.149
[+] Guest session IP: 192.168.1.149:445 Name: 192.168.1.149
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
Users READ ONLY
Travel NO ACCESS
The guest user has limited READ ONLY access to the IPC$ and Users shares, while having NO ACCESS to system shares like ADMIN$ and C$ or to the Travel share.
5. Using crackmapexec
Another powerful command-line tool for assessing SMB shares is crackmapexec. crackmapexec is a versatile post-exploitation framework that supports various protocols like mssql, winrm, ldap, ssh, and SMB. It enables security professionals to automate tasks such as credential validation and lateral movement within a network.
Similarly, crackmapexec can determine which SMB shares a user has read and write access to. It does so by leveraging its capabilities for executing commands on remote systems.
Before using crackmapexec, let’s install it using apt-get:
$ sudo apt-get install crackmapexec
To ascertain the permissions of SMB shares, we can authenticate with the target host using crackmapexec along with the -u option for the username, i.e., administrator, and the -p option for the password:
$ crackmapexec smb 192.168.1.149 -u administrator -p 'password123' --shares
SMB 192.168.1.149 445 AVITAR [*] Windows 6.1 Build 0 (name:AVITAR) (domain:AVITAR) (signing:False) (SMBv1:False)
SMB 192.168.1.149 445 AVITAR [+] AVITAR\:
SMB 192.168.1.149 445 AVITAR [+] Enumerated shares
SMB 192.168.1.149 445 AVITAR Share Permissions Remark
SMB 192.168.1.149 445 AVITAR ----- ----------- ------
SMB 192.168.1.149 445 AVITAR ADMIN$ READ, WRITE Remote Admin
SMB 192.168.1.149 445 AVITAR C$ READ, WRITE Default Share
SMB 192.168.1.149 445 AVITAR IPC$ READ ONLY Remote IPC
SMB 192.168.1.149 445 AVITAR Users READ, WRITE
SMB 192.168.1.149 445 AVITAR Travel NO ACCESS
The command output displays a scan conducted with crackmapexec on the IP address 192.168.1.149. The results reveal a Windows machine named AVITAR and list five shares: ADMIN$, C$, IPC$, Users, and Travel. Further, the corresponding permissions indicate that ADMIN$, C$, and Users have both READ and WRITE permissions, IPC$ has READ ONLY permission, and the Travel share has NO ACCESS permission.
Now, let’s determine the share permissions for the guest user using crackmapexec:
$ crackmapexec smb 192.168.1.149 -u guest -p '' --shares
SMB 192.168.1.149 445 AVITAR [*] Windows 6.1 Build 0 (name:AVITAR) (domain:AVITAR) (signing:False) (SMBv1:False)
SMB 192.168.1.149 445 AVITAR [+] AVITAR\:
SMB 192.168.1.149 445 AVITAR [+] Enumerated shares
SMB 192.168.1.149 445 AVITAR Share Permissions Remark
SMB 192.168.1.149 445 AVITAR ----- ----------- ------
SMB 192.168.1.149 445 AVITAR ADMIN$ NO ACCESS Remote Admin
SMB 192.168.1.149 445 AVITAR C$ NO ACCESS Default Share
SMB 192.168.1.149 445 AVITAR IPC$ READ ONLY Remote IPC
SMB 192.168.1.149 445 AVITAR Users READ ONLY
SMB 192.168.1.149 445 AVITAR Travel NO ACCESS
The command output mirrors smbmap’s results since we’re listing the shares of the same host and user. The guest user is restricted to READ ONLY access on the IPC$ and Users shares. However, they have no access to system shares such as ADMIN$ and C$, or to the Travel share.
6. Listing Shares With Specific Permissions
For efficient user access management, identifying SMB shares with particular permissions like READ, WRITE, or both READ and WRITE access can be essential. Both smbmap and crackmapexec offer functionalities to list shares with specific permissions.
6.1. Using smbmap
To filter shares with specific permissions using smbmap, we can pipe its output to grep with a regular expression pattern that targets lines containing READ or WRITE:
$ smbmap -u 'administrator' -p 'password123' -H 192.168.1.149 -shares | grep -E 'WRITE|READ'
ADMIN$ READ, WRITE
C$ READ, WRITE
IPC$ READ ONLY
Users READ, WRITE
The command filters the output using grep to display only shares where the administrator user has either READ or WRITE permissions.
Let’s break down some of the command’s options to make it easy to understand:
- -shares: instructs smbmap to enumerate and list all available shares on the target host (192.168.1.149)
- grep -E 'WRITE|READ': -E enables extended regular expression patterns, where the pattern 'WRITE|READ' matches any lines containing either READ or WRITE
This way, we ensure that only the relevant lines are shown.
6.2. Using crackmapexec
Similar to smbmap, let’s use crackmapexec and filter the list of shares by their permissions for the administrator user, using grep with the same regular expression pattern:
$ crackmapexec smb 192.168.1.149 -u administrator -p 'password123' --shares | grep -E 'WRITE|READ'
SMB 192.168.1.149 445 AVITAR ADMIN$ READ, WRITE
SMB 192.168.1.149 445 AVITAR C$ READ, WRITE
SMB 192.168.1.149 445 AVITAR IPC$ READ ONLY
SMB 192.168.1.149 445 AVITAR Users READ, WRITE
The command output is similar to that of smbmap since we’re filtering the shares on the same user and host. It shows the Windows machine named AVITAR, enumerates its shares, and displays the shares with their permissions. In this case, the shares ADMIN$ and C$ have both READ and WRITE permissions, while IPC$ has READ ONLY permission, and the Users share has READ and WRITE permissions.
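The grep filter above matches READ or WRITE anywhere on a line, so it can't separate writable shares from read-only ones, and a share comment containing either word also matches. The following script is an added example, not part of the original tutorial or of either tool: it parses the permission column of smbmap or crackmapexec output and reports what a guest session can reach. The sample listing is constructed from the guest output in section 4, and the Team Docs and Archive shares and all function names are hypothetical:

```shell
#!/usr/bin/env bash
# Added example: classify shares from smbmap or crackmapexec table output.

# Constructed sample: the guest listing from section 4, plus two made-up
# shares ("Team Docs", "Archive") that exercise the edge cases.
sample_guest_output() {
cat <<'EOF'
[+] Guest session   IP: 192.168.1.149:445   Name: 192.168.1.149
    Disk            Permissions     Comment
    ----            -----------     -------
    ADMIN$          NO ACCESS       Remote Admin
    C$              NO ACCESS       Default share
    IPC$            READ ONLY       Remote IPC
    Users           READ ONLY
    Travel          NO ACCESS
    Team Docs       READ, WRITE
    Archive         NO ACCESS       READ ME first
EOF
}

# classify_shares: tool output on stdin -> "<class><TAB><share>" lines,
# where class is rw, ro or none. Matches the permission column itself, so a
# comment such as "READ ME first" is not mistaken for access.
classify_shares() {
  awk '{
    line = $0
    # Drop the crackmapexec prefix "SMB <ip> <port> <host> " when present.
    sub(/^SMB[ \t]+[^ \t]+[ \t]+[0-9]+[ \t]+[^ \t]+[ \t]+/, "", line)
    if (!match(line, /READ, WRITE|READ ONLY|NO ACCESS/)) next
    perm  = substr(line, RSTART, RLENGTH)
    share = substr(line, 1, RSTART - 1)
    gsub(/^[ \t]+|[ \t]+$/, "", share)
    if (share == "") next
    cls = (perm == "READ, WRITE") ? "rw" : ((perm == "READ ONLY") ? "ro" : "none")
    printf "%s\t%s\n", cls, share
  }'
}

# shares_in_class CLASS: names of the shares in one class, one per line.
shares_in_class() {
  classify_shares | awk -F '\t' -v want="$1" '$1 == want { print $2 }'
}

# guest_exposure: shares a guest session can read or write, IPC$ excluded.
guest_exposure() {
  classify_shares | awk -F '\t' '$1 != "none" && $2 != "IPC$" { print $1 ": " $2 }'
}

sample_guest_output | guest_exposure
```

To use it against a real host, we pipe the tool’s output into the same functions in place of the sample, for instance into shares_in_class rw to list only writable shares.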
7. Conclusion
In this article, we explored methods to determine the SMB shares to which a user has read or write access.
Whether using the straightforward enumeration of smbmap or the versatile post-exploitation features of crackmapexec, these tools offer valuable insights into SMB share permissions, contributing to a more secure and well-managed network environment.