To verify that the SMB Sensor is running and is configured correctly, the following tests can be executed. All tests use Nmap NSE scripts to simulate the probes that real attackers and bots send against an SMB service.
Open SMB Ports
To check whether the SMB sensor is listening on port 445, run the following Nmap command:
nmap -sV -p 445 <ip of honeypot>
If the sensor is correctly configured, we expect the following result:
Nmap scan report for <ip of honeypot>
Host is up (0.0014s latency).
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds ?
OS information SMB protocol
We can verify the operating-system identity the sensor presents by running the following Nmap command against the honeypot:
nmap -p 445 --script smb-os-discovery.nse <ip of honeypot>
If the sensor is correctly configured, we expect something similar to the following result:
Nmap scan report for <ip of honeypot>
Host is up (0.00013s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
smb-os-discovery:
OS: Windows 7 Professional 7600 (Windows 7 Professional 6.1)
OS CPE: cpe:/o:microsoft:windows_7::-:professional
NetBIOS computer name: missioncontrolx00
Workgroup: securityhive.localx00
System time: 2018-02-15T15:21:29+01:00
Listing Shares
Now that we have verified that the SMB port is open and is served by a fake Windows server, let's try to enumerate the shares we created. We can enumerate the active shares with the following script:
nmap -p 445 --script smb-enum-shares.nse <ip of honeypot>
If the shares are configured correctly, we expect something similar to the following result:
Nmap scan report for <ip of honeypot>
Host is up (0.0054s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
smb-enum-shares:
  account_used: guest
  \\<ip of honeypot>\SH-Printer:
    Type: STYPE_PRINTQ
    Comment: Microsoft XPS Document Writer
    Users: 1
    Max Users: <unlimited>
    Path:
    Anonymous access: READ/WRITE
    Current user access: READ/WRITE
  \\<ip of honeypot>\Teamfolder:
    Type: STYPE_DISKTREE
    Comment: Remote Admin SH
    Users: 1
    Max Users: <unlimited>
    Path: C:\WindowsShares
    Anonymous access: READ/WRITE
    Current user access: READ/WRITE
List Share contents
Adding files to a network share is not yet supported. We can, however, verify that the share exists and list its contents with the following command:
nmap -p 445 --script smb-ls --script-args 'share=<sharename>' <ip of honeypot>
If the shares are configured correctly, we expect the following result:
Nmap scan report for <ip of honeypot>
Host is up (0.0054s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
smb-ls: Volume Teamfolder
  SIZE   TIME                 FILENAME
  <DIR>  2017-05-26 11:18:27  .
  <DIR>  2017-05-26 04:59:01  ..
Query printer
To send a test print job to the fake printer share, run the following command:
nmap -p 445 --script smb-print-text --script-args text=<text_to_print>,printer=<sharename> <ip of honeypot>
If the print share is configured correctly, we expect the following result:
Nmap scan report for <ip of honeypot>
Host is up (0.00013s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
smb-print-text: Printer job started using <sharename> printer share.
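The four checks above can be run as one self-test so that a sensor deployment can be verified repeatedly (for example after each restart or configuration change). The script below is an added example and is not part of the SMB Sensor project; it runs the same Nmap NSE commands described on this page and parses their output. The expected values in EXPECTED (NetBIOS name, workgroup, share names and types) are assumptions taken from the sample output above, and the embedded SAMPLE_OS and SAMPLE_SHARES texts are constructed in Nmap's real output layout (with the "|" script-output prefix and \\host\Share headers) so the parsers can be exercised without a live honeypot.

```python
"""Self-test for an SMB honeypot sensor: runs the page's nmap NSE checks and
judges their output. Added example, not the sensor project's own tooling.
EXPECTED values are assumptions taken from the page's sample output."""
import re
import shutil
import subprocess
import sys

# Values the sensor is expected to present (assumed from the sample output above).
EXPECTED = {
    "netbios_name": "missioncontrolx00",
    "workgroup": "securityhive.localx00",
    "shares": {"SH-Printer": "STYPE_PRINTQ", "Teamfolder": "STYPE_DISKTREE"},
    "ls_share": "Teamfolder",
    "printer": "SH-Printer",
}

# Constructed sample outputs in nmap's real layout, filled with the page's values.
SAMPLE_OS = """\
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-os-discovery:
|   OS: Windows 7 Professional 7600 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::-:professional
|   NetBIOS computer name: missioncontrolx00
|   Workgroup: securityhive.localx00
|_  System time: 2018-02-15T15:21:29+01:00
"""
SAMPLE_SHARES = """\
445/tcp open  microsoft-ds
Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\\\192.0.2.10\\SH-Printer:
|     Type: STYPE_PRINTQ
|     Comment: Microsoft XPS Document Writer
|     Anonymous access: READ/WRITE
|   \\\\192.0.2.10\\Teamfolder:
|     Type: STYPE_DISKTREE
|     Path: C:\\WindowsShares
|_    Anonymous access: READ/WRITE
"""


def _strip_prefix(line):
    """Drop nmap's '| ' / '|_ ' script-output prefix (absent in the page's copy)."""
    return re.sub(r"^\s*(?:\|_?)?\s*", "", line).rstrip()


def port_445_open(text):
    """True if the scan report lists 445/tcp as open."""
    return re.search(r"^445/tcp\s+open\b", text, re.M) is not None


def parse_os_discovery(text):
    """Return the os / netbios_name / workgroup fields from smb-os-discovery output."""
    keys = {"OS": "os", "NetBIOS computer name": "netbios_name", "Workgroup": "workgroup"}
    found = {}
    for line in text.splitlines():
        key, sep, value = _strip_prefix(line).partition(":")
        if sep and key in keys:  # "OS CPE" and "System time" are not in keys
            found[keys[key]] = value.strip()
    return found


def parse_enum_shares(text):
    """Return {share name: STYPE} from smb-enum-shares output (\\\\host\\Share: headers)."""
    shares, current = {}, None
    for line in text.splitlines():
        body = _strip_prefix(line)
        m = re.match(r"^\\\\[^\\]+\\(.+):$", body)
        if m:
            current = m.group(1)
            shares[current] = None
        elif current and body.startswith("Type:"):
            shares[current] = body.partition(":")[2].strip()
    return shares


def evaluate(os_text, shares_text, ls_text, print_text):
    """Judge the four checks from the page; returns {check name: passed}."""
    os_info = parse_os_discovery(os_text)
    shares = parse_enum_shares(shares_text)
    return {
        "port_open": port_445_open(os_text),
        "os_identity": os_info.get("netbios_name") == EXPECTED["netbios_name"]
        and os_info.get("workgroup") == EXPECTED["workgroup"],
        "shares": all(shares.get(n) == t for n, t in EXPECTED["shares"].items()),
        "share_listing": f"Volume {EXPECTED['ls_share']}" in ls_text,
        "print_job": "Printer job started" in print_text,
    }


def run_nmap(target, *script_args):
    """Run one nmap NSE check against the honeypot and return its stdout."""
    if shutil.which("nmap") is None:
        raise RuntimeError("nmap is not on PATH")
    cmd = ["nmap", "-p", "445", *script_args, target]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def verify_sensor(target):
    """Run all four checks against the honeypot at `target` and return the verdicts."""
    os_text = run_nmap(target, "--script", "smb-os-discovery.nse")
    shares_text = run_nmap(target, "--script", "smb-enum-shares.nse")
    ls_text = run_nmap(target, "--script", "smb-ls",
                       "--script-args", f"share={EXPECTED['ls_share']}")
    print_text = run_nmap(target, "--script", "smb-print-text", "--script-args",
                          f"text=honeypot-selftest,printer={EXPECTED['printer']}")
    return evaluate(os_text, shares_text, ls_text, print_text)


if __name__ == "__main__":
    results = verify_sensor(sys.argv[1])  # usage: python verify_smb_sensor.py <ip of honeypot>
    for name, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    sys.exit(0 if all(results.values()) else 1)
```

The parsing is kept separate from the Nmap invocation so the verdict logic can be checked against captured output; a non-zero exit status from the script is what a monitoring job would alert on when the sensor stops answering like the fake Windows host it is meant to be.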