Skip to content

445 - Pentesting smb

SMB - Server Message Block Protocol - is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network.

nmap

nmap -p 445 -A $(target) 

ls /usr/share/nmap/scripts/*smb*

nmap -p 139,445 --script=smb-enum-users.nse $(target)
nmap -p 139,445 --script=smb-enum-shares.nse $(target)
nmap -p 139,445 --script=smb-vuln-* $(target) | tee nmap.smb.vuln.txt

enum4linux

enum4linux -S $(target)
enum4linux -a $(target)

crackmapexec

crackmapexec smb $(target) -u 'guest' -p '' --users | tee smb.users.txt
crackmapexec smb $(target) -u 'guest' -p '' --shares  | tee smb.shares.txt
crackmapexec smb $(target) -u 'guest' -p '' --groups  | tee smb.groups.txt
crackmapexec smb $(target) -u 'guest' -p '' --local-groups  | tee smb.local-groups.txt
crackmapexec smb $(target) -u 'guest' -p '' --loggedon-users  | tee smb.loggedon-user.txt
crackmapexec smb $(target) -u 'guest' -p '' --rid-brute  | tee smb.rid.txt
crackmapexec smb $(target) -u 'guest' -p '' --sessions  | tee smb.sessions.txt
crackmapexec smb $(target) -u 'guest' -p '' --pass-pol  | tee smb.pass-pol.txt

smbclient

smbclient '\\spookysec.local\backup' --user='svc-admin' --password='management2005'
smbclient //10.10.26.241/shares --no-pass
smbclient '\\10.10.26.241\shares' -U 'guest' -N
smbclient '\\10.10.26.241\shares' -U 'guest'
smbclient '\\10.10.176.235\anonymous\'

get files

smbget -R 'smb://10.10.176.235/anonymous/'
smbget -R 'smb://10.10.253.178/Users/desktop.ini'

get folder

smbclient '\\10.10.253.178\[share]' -U 'guest' -N -c 'prompt OFF;recurse ON;  mget *'
smbclient '\\10.10.253.178\[share]' -N -c 'prompt OFF;recurse ON;cd "Share\"; lcd "/home/kali/workspace/gatekeeper/smb_dump/Share/"; mget *'
smbclient '\\10.10.253.178\[share]' -N -c 'prompt OFF;recurse ON;cd "Profile\"; lcd "/home/kali/workspace/gatekeeper/smb_dump/Default/"; mget *'