
Port 445 - smb

SMB - Server Message Block Protocol - is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network.

nmap

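# `$(target)` is shell command substitution: it only yields a host when a
# command or function named `target` prints one.
# NOTE(review): if `target` was meant to be a variable, write "$target".

# Aggressive scan of the SMB port: -A turns on OS detection, version
# detection, default scripts and traceroute.
nmap -p 445 -A $(target)
# List the SMB-related NSE scripts installed locally.
ls /usr/share/nmap/scripts/*smb*
# Enumerate accounts and shares over NetBIOS session (139) and SMB (445).
nmap -p 139,445 --script=smb-enum-users.nse $(target)
nmap -p 139,445 --script=smb-enum-shares.nse $(target)
# Run every smb-vuln-* check and keep a copy of the output with tee.
# The pattern is quoted so that nmap, not the shell, expands the wildcard
# (an unquoted pattern is dropped or rejected under nullglob/failglob).
# Several smb-vuln-* scripts are in nmap's intrusive/dos categories and can
# crash the SMB service on the scanned host, so the output file should record
# which host and time window the run covered.
nmap -p 139,445 --script='smb-vuln-*' $(target) | tee nmap.smb.vuln.txt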

enum4linux

# -S: list the shares exposed by the host.
enum4linux -S $(target)
# -a: run all of the simple enumeration steps (users, shares, groups,
# password policy, RID cycling, OS information) in one pass.
enum4linux -a $(target)

crackmapexec

# Enumeration through the guest account with an empty password
# (-u 'guest' -p ''); each result is also written to a file with tee.
# What comes back depends on what the host grants to guest: disabling the
# Guest account and restricting anonymous SAM/share enumeration closes off
# most of these queries.
# NOTE(review): CrackMapExec is no longer maintained upstream; NetExec (`nxc`)
# is its maintained successor - confirm which one is installed.

# Accounts known to the host or domain.
crackmapexec smb $(target) -u 'guest' -p '' --users | tee smb.users.txt
# Shares and the access level guest has on each.
crackmapexec smb $(target) -u 'guest' -p '' --shares  | tee smb.shares.txt
# Domain groups, then local groups.
crackmapexec smb $(target) -u 'guest' -p '' --groups  | tee smb.groups.txt
crackmapexec smb $(target) -u 'guest' -p '' --local-groups  | tee smb.local-groups.txt
# Users currently logged on to the host.
crackmapexec smb $(target) -u 'guest' -p '' --loggedon-users  | tee smb.loggedon-user.txt
# Account discovery by cycling through RIDs. This produces a burst of
# SID-lookup requests from a single client, which is a practical detection
# signal on the server side.
crackmapexec smb $(target) -u 'guest' -p '' --rid-brute  | tee smb.rid.txt
# Active SMB sessions.
crackmapexec smb $(target) -u 'guest' -p '' --sessions  | tee smb.sessions.txt
# Password policy (length, complexity, lockout settings).
crackmapexec smb $(target) -u 'guest' -p '' --pass-pol  | tee smb.pass-pol.txt

smbclient

guest access

# NOTE(review): this first command logs in as a named account with a
# password, so it is authenticated access rather than guest access.
# A password given on the command line ends up in shell history and is
# visible in the process list; leaving --password off makes smbclient prompt
# for it, and -A/--authentication-file reads it from a file instead.
smbclient '\\spookysec.local\backup' --user='svc-admin' --password='management2005'
# Guest-style connections to the share named "shares". The last form omits
# -N, so smbclient prompts for the guest password.
smbclient //10.10.26.241/shares --no-pass
smbclient '\\10.10.26.241\shares' -U 'guest' -N
smbclient '\\10.10.26.241\shares' -U 'guest'
# \shares   name of the share (resource) on the server
# -U        user name to connect as
# -N        do not ask for a password (--no-pass is the long form)

anonymous access

# Connects to the share named "anonymous" with neither -U nor -N, so
# smbclient uses the local user name and prompts for a password.
smbclient '\\10.10.176.235\anonymous\'
# "anonymous" is the share (resource) name here, not a login option.
# A share that accepts this connection is presumably configured for guest
# access; reviewing which shares allow it is the matching hardening step.

get files

# -R: download recursively into the current directory.
# The first form mirrors the whole "anonymous" share; the second names a
# single file under the "Users" share.
smbget -R 'smb://10.10.176.235/anonymous/'
smbget -R 'smb://10.10.253.178/Users/desktop.ini'

get folder

# Bulk download through smbclient's -c option, which runs a ';'-separated
# list of smbclient commands and then exits:
#   prompt OFF  - do not ask for confirmation per file
#   recurse ON  - descend into sub-directories
#   cd / lcd    - change the remote / local directory
#   mget *      - fetch every matching file
# [share] is a placeholder for the share name. The lcd paths are the author's
# local workspace directories - presumably they have to exist beforehand.
# On a Windows server with file-share auditing enabled, a recursive mget
# shows up as a 5140 share-access event followed by a run of 5145 events
# from one source address.
smbclient '\\10.10.253.178\[share]' -U 'guest' -N -c 'prompt OFF;recurse ON;  mget *'
smbclient '\\10.10.253.178\[share]' -N -c 'prompt OFF;recurse ON;cd "Share\"; lcd "/home/kali/workspace/gatekeeper/smb_dump/Share/"; mget *'
smbclient '\\10.10.253.178\[share]' -N -c 'prompt OFF;recurse ON;cd "Profile\"; lcd "/home/kali/workspace/gatekeeper/smb_dump/Default/"; mget *'

scripts

# Share enumeration against SMB only (445).
nmap -p445 --script=smb-enum-shares.nse $(target)
# Show which SMB NSE scripts this nmap install ships. The indented names that
# follow on this page appear to be that listing's output.
# The listing is an inventory, not a safe default set: smb-flood and
# smb-vuln-regsvc-dos are denial-of-service scripts, and smb-brute guesses
# passwords, which can lock accounts.
cd /usr/share/nmap/scripts
ls -la *smb*
  smb2-capabilities.nse
  smb2-security-mode.nse
  smb2-time.nse
  smb2-vuln-uptime.nse
  smb-brute.nse
  smb-double-pulsar-backdoor.nse
  smb-enum-domains.nse
  smb-enum-groups.nse
  smb-enum-processes.nse
  smb-enum-services.nse
  smb-enum-sessions.nse
  smb-enum-shares.nse
  smb-enum-users.nse
  smb-flood.nse
  smb-ls.nse
  smb-mbenum.nse
  smb-os-discovery.nse
  smb-print-text.nse
  smb-protocols.nse
  smb-psexec.nse
  smb-security-mode.nse
  smb-server-stats.nse
  smb-system-info.nse
  smb-vuln-conficker.nse
  smb-vuln-cve2009-3103.nse
  smb-vuln-cve-2017-7494.nse
  smb-vuln-ms06-025.nse
  smb-vuln-ms07-029.nse
  smb-vuln-ms08-067.nse
  smb-vuln-ms10-054.nse
  smb-vuln-ms10-061.nse
  smb-vuln-ms17-010.nse
  smb-vuln-regsvc-dos.nse
  smb-vuln-webexec.nse
  smb-webexec-exploit.nse