Port 445 - smb
SMB - Server Message Block Protocol - is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network.
nmap
# NOTE(review): $(target) is the page's placeholder for the host under test.
# In bash/sh, $(target) is command substitution (it runs a command named
# "target"); replace it with the address, or use "$target", before pasting.
# -A: OS detection, version detection, default scripts and traceroute on 445/tcp.
nmap -p 445 -A $(target)
# List the SMB-related NSE scripts installed under the default script directory.
ls /usr/share/nmap/scripts/*smb*
# Enumerate accounts, then shares, over 139/tcp and 445/tcp.
nmap -p 139,445 --script=smb-enum-users.nse $(target)
nmap -p 139,445 --script=smb-enum-shares.nse $(target)
# Run every script matching smb-vuln-* and keep a copy of the output.
# NOTE(review): the wildcard also selects checks that nmap places in the
# intrusive/dos categories (e.g. smb-vuln-regsvc-dos), which can destabilise
# the service; name the scripts explicitly when target stability matters.
nmap -p 139,445 --script=smb-vuln-* $(target) | tee nmap.smb.vuln.txt
enum4linux
# -S: retrieve the share list only.
enum4linux -S $(target)
# -a: run all of enum4linux's simple enumeration checks in one pass
# (users, shares, groups, password policy and related lookups).
enum4linux -a $(target)
crackmapexec
# Every command below authenticates as 'guest' with an empty password and
# copies its output to a per-query file with tee.
# If these return data, the Guest account accepts an empty password over SMB,
# which is worth recording as a finding in its own right.
# NOTE(review): $(target) is a placeholder; in bash/sh it is command
# substitution, so substitute the address or use "$target".
# Domain/local user accounts.
crackmapexec smb $(target) -u 'guest' -p '' --users | tee smb.users.txt
# Shares and the access this login has to them.
crackmapexec smb $(target) -u 'guest' -p '' --shares | tee smb.shares.txt
# Domain groups.
crackmapexec smb $(target) -u 'guest' -p '' --groups | tee smb.groups.txt
# Local groups on the host.
crackmapexec smb $(target) -u 'guest' -p '' --local-groups | tee smb.local-groups.txt
# Users currently logged on (note: output file name is singular, "loggedon-user").
crackmapexec smb $(target) -u 'guest' -p '' --loggedon-users | tee smb.loggedon-user.txt
# Account discovery by iterating RIDs; this issues many lookups in a short time.
crackmapexec smb $(target) -u 'guest' -p '' --rid-brute | tee smb.rid.txt
# Active SMB sessions.
crackmapexec smb $(target) -u 'guest' -p '' --sessions | tee smb.sessions.txt
# Password policy (length, lockout threshold and similar settings).
crackmapexec smb $(target) -u 'guest' -p '' --pass-pol | tee smb.pass-pol.txt
smbclient
guest access
# NOTE(review): this first line logs in as svc-admin, not guest, so it is
# authenticated access. A password passed via --password is stored in shell
# history and is visible in the process list; leave the option off and
# smbclient prompts for it instead.
smbclient '\\spookysec.local\backup' --user='svc-admin' --password='management2005'
# Connect to the "shares" share without sending a password.
smbclient //10.10.26.241/shares --no-pass
# Same share as user guest; -N suppresses the password prompt.
smbclient '\\10.10.26.241\shares' -U 'guest' -N
# Without -N, smbclient prompts for the guest password.
smbclient '\\10.10.26.241\shares' -U 'guest'
# \shares  share (resource) name on the server
# -U       username to authenticate as
# -N       do not ask for a password
anonymous access
# No -U or -N given: smbclient prompts for a password.
# NOTE(review): presumably an empty password is entered here and the share
# permits anonymous access; confirm against the server's configuration.
smbclient '\\10.10.176.235\anonymous\'
# anonymous  share (resource) name on the server
get files
# -R: recurse through the share and download everything below the URL
# into the current working directory.
smbget -R 'smb://10.10.176.235/anonymous/'
# The URL names a single file (desktop.ini).
# NOTE(review): -R looks unnecessary for a single-file URL; confirm.
smbget -R 'smb://10.10.253.178/Users/desktop.ini'
get folder
# [share] is a placeholder for the share name.
# -c runs the semicolon-separated smbclient commands non-interactively:
#   prompt OFF / recurse ON  no per-file confirmation, descend into subdirectories
#   cd "<dir>\"              change to that directory on the server
#   lcd "<path>"             change the local directory that files are written to
#   mget *                   download everything in the current remote directory
# Whole share as guest, written to the current local directory.
smbclient '\\10.10.253.178\[share]' -U 'guest' -N -c 'prompt OFF;recurse ON; mget *'
# Only the remote "Share" directory, written to a dedicated local folder.
# NOTE(review): the lcd target presumably has to exist beforehand; confirm.
smbclient '\\10.10.253.178\[share]' -N -c 'prompt OFF;recurse ON;cd "Share\"; lcd "/home/kali/workspace/gatekeeper/smb_dump/Share/"; mget *'
# Only the remote "Profile" directory; note the local folder is named "Default".
smbclient '\\10.10.253.178\[share]' -N -c 'prompt OFF;recurse ON;cd "Profile\"; lcd "/home/kali/workspace/gatekeeper/smb_dump/Default/"; mget *'
scripts
# Share enumeration against 445/tcp only.
# NOTE(review): $(target) is a placeholder; in bash/sh it is command
# substitution, so substitute the address or use "$target".
nmap -p445 --script=smb-enum-shares.nse $(target)
# Inspect the SMB-related NSE scripts installed locally.
# Check a script's categories (e.g. with nmap --script-help <name>) before
# running it: smb-flood, smb-brute and the *-dos checks affect availability
# or account lockout on the target.
cd /usr/share/nmap/scripts
ls -la *smb*
smb2-capabilities.nse
smb2-security-mode.nse
smb2-time.nse
smb2-vuln-uptime.nse
smb-brute.nse
smb-double-pulsar-backdoor.nse
smb-enum-domains.nse
smb-enum-groups.nse
smb-enum-processes.nse
smb-enum-services.nse
smb-enum-sessions.nse
smb-enum-shares.nse
smb-enum-users.nse
smb-flood.nse
smb-ls.nse
smb-mbenum.nse
smb-os-discovery.nse
smb-print-text.nse
smb-protocols.nse
smb-psexec.nse
smb-security-mode.nse
smb-server-stats.nse
smb-system-info.nse
smb-vuln-conficker.nse
smb-vuln-cve2009-3103.nse
smb-vuln-cve-2017-7494.nse
smb-vuln-ms06-025.nse
smb-vuln-ms07-029.nse
smb-vuln-ms08-067.nse
smb-vuln-ms10-054.nse
smb-vuln-ms10-061.nse
smb-vuln-ms17-010.nse
smb-vuln-regsvc-dos.nse
smb-vuln-webexec.nse
smb-webexec-exploit.nse