Skip to content

139,445 - Pentesting smb

SMB stands for Server Message Block, a network protocol used for file and printer sharing among other things in a Microsoft Windows environment. SMB was first introduced in the 1980s and has evolved over time, with newer versions offering increased functionality and security.

SMB allows client computers to access resources (such as files and printers) on a server as if they were part of the same network, regardless of their physical location. SMB supports many operations, including reading and writing files, requesting print jobs, and managing shared resources such as directories and printers.

nmap

sudo nmap -p 139,445 -A $IP
sudo nmap -p 139,445 -sC -sV -Pn -vv $IP

nmap script

# ls /usr/share/nmap/scripts/*smb*
sudo nmap -p 139,445 --script=smb-vuln-* $IP
sudo nmap -p 139,445 --script=smb-enum-users.nse $IP
sudo nmap -p 139,445 --script=smb-enum-shares.nse $IP

rpcclient

rpcclient -U "" -N $IP
# check wireshark if you want to see smb version like Samba 2.2.7a

nbtscan

sudo nbtscan -r $IP/24

enum4linux

enum4linux -a $IP
enum4linux -a -u 'guest' $IP
enum4linux -a -u 'guest' $URL

enum4linux2 $IP

crackmapexec

crackmapexec - bruteforce 

crackmapexec smb $IP -u user.txt -p user.txt --shares --continue-on-success

crackmapexec - enumeration with guest user (no password) 

crackmapexec smb $IP -u '' -p '' --shares
crackmapexec smb $IP -u 'guest' -p '' --shares

crackmapexec smb $IP -u 'guest' -p '' --users
crackmapexec smb $IP -u 'guest' -p '' --groups
crackmapexec smb $IP -u 'guest' -p '' --local-groups
crackmapexec smb $IP -u 'guest' -p '' --loggedon-users
crackmapexec smb $IP -u 'guest' -p '' --rid-brute
crackmapexec smb $IP -u 'guest' -p '' --sessions
crackmapexec smb $IP -u 'guest' -p '' --pass-pol

smbexec.py

target: windows 

/opt/tools/impacket/examples/smbexec.py $USER:$PASS@$IP

smbmap

smbmap -H $IP -u anonymous 

smbmap -H $IP -d $DOMAIN -u $USER -p $PASS

smbclient

smbclient //$IP/tmp -U ''
smbclient //$IP/msfadmin -U 'msfadmin' 

smbclient "//$IP/Enterprise-Share" --user=$USER --password=$PASS
smbclient "\\\\$IP\Enterprise-Share" --user=$USER --password=$PASS

smbclient '\\11.22.33.44\shares' --user='admin' --password='123456'
smbclient '\\11.22.33.44\shares' --no-pass
smbclient '\\11.22.33.44\shares' -U 'guest' -N
smbclient '\\11.22.33.44\shares' -U 'guest'
smbclient '\\11.22.33.44\shares\'

smbclient - get folder 

smbclient '\\11.22.33.44\[share]' -U 'guest' -N -c 'prompt OFF;recurse ON;  mget *'

smbclient '\\11.22.33.44\[share]' -U 'guest' -c 'prompt OFF;recurse ON;  mget *'

smbclient '\\11.22.33.44\[share]' -N -c 'prompt OFF;recurse ON;cd "Share\"; lcd "/home/kali/workspace/gatekeeper/smb_dump/Share/"; mget *'
smbclient '\\11.22.33.44\[share]' -N -c 'prompt OFF;recurse ON;cd "Profile\"; lcd "/home/kali/workspace/gatekeeper/smb_dump/Default/"; mget *'

smbget

smbget -R 'smb://11.22.33.44/anonymous/'
smbget -R 'smb://11.22.33.44/Users/desktop.ini'

exploits

  • https://github.com/3ndG4me/AutoBlue-MS17-010