samba | Cheatsheet¶
Samba is free and open-source software that allows files to be shared across Windows and Linux systems simply and easily. To be exact, it is an open-source implementation of the SMB/CIFS protocol.
The Server Message Block (SMB) protocol is a client-server communication protocol used for sharing access to files, printers, serial ports, and other resources on a network.
Installation¶
Add user¶
Create smb.conf¶
Advanced configuration¶
Symlinks¶
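Enable symlink following. With wide links = yes, Samba also follows symlinks that point outside the share path, so limit this to servers where everyone who can create symlinks in the exported directories is trusted:
[global]
follow symlinks = yes
wide links = yes
unix extensions = no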
Restrict protocols for better security¶
By default, Samba versions prior to 4.11 allow connections using the outdated and insecure SMB1 protocol. When using one of these Samba versions, it is highly recommended to set server min protocol = SMB2_02 to protect yourself from ransomware attacks. In Samba v4.11 and newer, SMB2 is the default min protocol, so no changes are required there.
Append server min protocol and server max protocol in /etc/samba/smb.conf to force usage of a minimum and maximum protocol.
Use server min protocol = SMB3_00 when clients should only connect using the latest SMB3 protocol, e.g. on clients running Windows 8 and later.
Clients using mount.cifs may need to specify the correct vers=*, e.g.:
mount -t cifs //SERVER/sharename /mnt/mountpoint \
-o username=username,password=password,iocharset=utf8,vers=3.1.1
Use native SMB transport encryption¶
Native SMB transport encryption is available in SMB version v3.0 or newer. Clients supporting this type of encryption include Windows 8 and newer, Windows Server 2012 and newer, and smbclient of Samba v4.1 and newer.
To use native SMB transport encryption by default, set the server smb encrypt parameter globally and/or by share. Possible values are off, enabled (default value), desired, or required.
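To check an existing smb.conf against the protocol and encryption settings described in the two sections above, the following added example (not part of the original cheatsheet or of Samba) reports the configured values. The function name audit_smb_conf and the sample configuration are constructed for illustration; only the [global] protocol floor and per-section encryption values are examined.

```shell
#!/usr/bin/env bash
# Added example: report the protocol floor and encryption policy found in an
# smb.conf. Parameter names are case-insensitive and ignore whitespace.
audit_smb_conf() {
    awk '
    function norm(s) { gsub(/[ \t\r]/, "", s); return tolower(s) }
    /^[ \t]*([#;]|$)/ { next }                    # comment or blank line
    /^[ \t]*\[/ {                                 # [section] header
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        sec = tolower(sec); next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        key = norm(substr($0, 1, eq - 1)); val = norm(substr($0, eq + 1))
        # "min protocol" and "smb encrypt" are synonyms of the long names
        if (sec == "global" && key ~ /^(server)?minprotocol$/) minp = val
        if (key ~ /^(server)?smbencrypt$/) enc[sec] = val
    }
    END {
        if (minp == "")
            print "WARN global: server min protocol unset (SMB1 allowed before Samba 4.11)"
        else if (minp ~ /^(core|coreplus|lanman1|lanman2|nt1)$/)
            print "FAIL global: server min protocol = " minp " (SMB1 dialect)"
        else
            print "OK global: server min protocol = " minp
        if (!("global" in enc))
            print "WARN global: smb encrypt unset (encryption not required)"
        for (s in enc) {
            lvl = (enc[s] == "required") ? "OK" : ((enc[s] == "off") ? "FAIL" : "WARN")
            print lvl " " s ": smb encrypt = " enc[s]
        }
    }' "$1"
}

# Constructed sample configuration, not taken from a real server.
sample=$(mktemp)
cat > "$sample" << "EOF"
[global]
   Server Min Protocol = NT1
   smb encrypt = desired
[finance]
   path = /srv/finance
   server smb encrypt = required
EOF
audit_smb_conf "$sample"
rm -f "$sample"
```

A WARN on smb encrypt means the value is something other than required, so unencrypted sessions are still accepted for that section.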
Disable printer sharing¶
By default Samba shares printers configured using CUPS.
If you do not want printers to be shared, use the following settings:
[global]
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
show add printer wizard = no
Block certain file extensions on Samba share¶
Setting this parameter will affect the performance of Samba, as it will be forced to check all files and directories for a match as they are scanned.
Samba offers an option to block files with certain patterns, like file extensions.
This option can be used to prevent dissemination of viruses or to dissuade users from wasting space with certain files. More information about this option can be found in smb.conf(5).
[foo-share]
comment = Private
path = /mnt/data
read only = no
veto files = /*.exe/*.com/*.dll/*.bat/*.vbs/*.tmp/*.mp3/*.avi/*.mp4/*.wmv/*.wma/
List public shares¶
- The following command lists public shares on a server
- The following command lists public shares on a server in a Tree View
Disable NetBIOS/WINS support¶
When not using NetBIOS/WINS host name resolution, it may be preferred to disable this protocol:
Manual mounting¶
Mount the share using mount.cifs as type. Not all the options listed below are needed or desirable:
mount --mkdir -t cifs //SERVER/sharename /mnt/mountpoint \
-o username=username,password=password,workgroup=workgroup,iocharset=utf8,uid=username,gid=group
Storing share passwords¶
Storing passwords in a world readable file is not recommended.
A safer method is to use a credentials file instead, e.g. inside /etc/samba/credentials.
For the mount command, replace username=myuser,password=mypass with credentials=/etc/samba/credentials/share.
The credentials file should be explicitly readable/writable only by root:
mkdir -v -p /etc/samba/credentials
chown root:root /etc/samba/credentials
chmod 700 /etc/samba/credentials
cat << "EOF" > /etc/samba/credentials/share
username=myuser
password=mypass
EOF
# Set the mode once the file exists; chmod on a missing path fails
chmod 600 /etc/samba/credentials/share
Automatic mounting¶
autofs is perfect for this purpose...
This is a simple example of a cifs mount entry that requires authentication:
cat << "EOF" >> /etc/fstab
#############################################################################################
### ###
### - AutoMount Samba Share ###
### ###
#############################################################################################
//SERVER/sharename /mnt/mountpoint cifs _netdev,nofail,credentials=/etc/samba/credentials/share 0 0
EOF
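/etc/fstab is world-readable, so the advice under "Storing share passwords" applies to it as well. The following added example (not part of the original cheatsheet) scans an fstab-style file for CIFS entries with an inline password and checks the mode of any referenced credentials file. The function name audit_cifs_fstab and the sample data are constructed; GNU stat on Linux is assumed.

```shell
#!/usr/bin/env bash
# Added example: find CIFS mounts whose password sits inline in an fstab and
# credentials files that group/other can access. Needs GNU stat (Linux).
audit_cifs_fstab() (
    fstab=$1
    while read -r dev mnt type opts rest; do
        case $dev in ''|'#'*) continue ;; esac       # skip blanks and comments
        case $type in cifs|smb3) ;; *) continue ;; esac
        case ",$opts," in
            *,password=*|*,pass=*)
                echo "FAIL $mnt: password stored inline in $fstab" ;;
        esac
        # mount.cifs accepts credentials= and its short form cred=
        cred=$(printf '%s\n' "$opts" | tr ',' '\n' |
               sed -n -e 's/^credentials=//p' -e 's/^cred=//p' | head -n 1)
        [ -n "$cred" ] || continue
        if [ ! -f "$cred" ]; then
            echo "FAIL $mnt: credentials file $cred not found"
            continue
        fi
        mode=$(stat -c %a "$cred")
        case $mode in
            *00) echo "OK $mnt: $cred has mode $mode" ;;
            *)   echo "FAIL $mnt: $cred has mode $mode, group/other can access it" ;;
        esac
    done < "$fstab"
)

# Constructed sample data in a temporary directory, not a real /etc/fstab.
demo=$(mktemp -d)
printf 'username=myuser\npassword=mypass\n' > "$demo/share"
chmod 644 "$demo/share"
cat > "$demo/fstab" << EOF
# constructed entries
//SERVER/one /mnt/one cifs _netdev,nofail,username=myuser,password=mypass 0 0
//SERVER/two /mnt/two cifs _netdev,nofail,credentials=$demo/share 0 0
EOF
audit_cifs_fstab "$demo/fstab"
chmod 600 "$demo/share"
audit_cifs_fstab "$demo/fstab"
rm -rf "$demo"
```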
### For Dolphin in `plasma-meta` we need to install kde-apps/kdenetwork-filesharing
Gentoo:
```bash
emerge --ask kde-apps/kdenetwork-filesharing
```
### Access samba share in dolphin url
Scan for network shares with nmap¶
smb-os-discovery¶
It is used to enumerate the operating system of the target system, along with other interesting things like:
smb-enum-shares¶
It enumerates publicly exposed SMB shares, if available. In addition, if nmap is not able to get shares from any host, it will brute-force commonly used share names to check if they are accessible.
smb-enum-users.nse¶
As the name suggests, it is used to enumerate all users on a remote Windows system using 2 different techniques.
SMB Blanket Command for Enumeration¶
We can run all SMB enumeration scripts in one go with the following command.
nmap --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-services.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse -p445 192.168.1.*
SMB Blanket Command for Vulnerability Detection:¶
By design, nmap comes with various scripts that can be used to detect various vulnerabilities or CVEs. Specifically for SMB, we can use nmap to detect the CVEs below:
- CVE-2009-3103
- CVE-2017-7494
- ms06-025
- ms07-029
- ms08-067
- ms10-054
- ms10-061
- ms17-010 (Eternal Blue)
nmap --script smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-cve-2017-7494.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse,smb-vuln-regsvc-dos.nse,smb-vuln-webexec.nse -p445 192.168.1.*