SMBMAP
Null Session
The username guest can be replaced with an empty string ("").

```bash
smbmap -u guest -p "" -H <IP> -L
```
Authenticated

```bash
smbmap -H <IP> -u 'user' -p 'pass' -d .
```
Command Execution
```bash
smbmap -H <IP> -u 'user' -p 'pass' -x 'ipconfig'
```
Connect to a share
```bash
smbmap -u guest -p "" -H <IP> -r "C$"
```
Upload a file
```bash
smbmap -u administrator -p 'smbserver_771' -H <IP> --upload "/path/to/local/file" "C$\path\to\remote\file"
```
Download a file
```bash
smbmap -u administrator -p 'smbserver_771' -H <IP> --download "C$\path\to\remote\file"
```
CRACKMAPEXEC
Retrieve Domain Info
Null Session
A dummy (non-existent) username is needed if the machine is part of a domain.

```bash
crackmapexec smb 10.10.11.175 -u 'abc' -p ''
```
crackmapexec can also authenticate with a file of hashes (-H) instead of a password, here against LDAP, and keep going after a successful login:

```bash
crackmapexec ldap 10.10.10.248 -u 'svc_int' -H hashes --continue-on-success
```
ENUM4LINUX
General info
Run all simple enumeration (-a) with the user (-u) admin and the password (-p) password1:

```bash
enum4linux -a -u "admin" -p "password1" <IP>
```
NMAP
SMB Multiple Vulns
Please note: with the script argument unsafe=1, the scripts that run are almost (or totally) guaranteed to crash a vulnerable system. Exercise extreme caution when enabling this argument, especially when scanning production systems.

```bash
nmap -v -p 139,445 --script=smb-vuln-* --script-args=unsafe=1 10.11.1.5
```
Version of SMB
```bash
nmap -p445 --script smb-protocols 10.4.31.9
```
OS Discovery
```bash
nmap -p139,445 --script smb-os-discovery 10.4.31.9
```
Authentication verification
```bash
nmap -p445 --script smb-security-mode 10.4.31.9
```
Sessions
The script arguments in angle brackets are optional; use them if you have credentials:

```bash
nmap -p445 --script smb-enum-sessions <--script-args smbusername=administrator,smbpassword=smbserver_771> 10.4.31.9
```
Shares
The script arguments in angle brackets are optional; use them if you have credentials:

```bash
nmap -p445 --script smb-enum-shares,smb-ls <--script-args smbusername=administrator,smbpassword=smbserver_771> 10.4.31.9
```
Users
The script arguments in angle brackets are optional:

```bash
nmap -p445 --script smb-enum-users <--script-args smbusername=administrator,smbpassword=smbserver_771> 10.4.31.9
```
Statistics
```bash
nmap -p445 --script smb-server-stats --script-args smbusername=administrator,smbpassword=smbserver_771 10.4.31.9
```
Domains
```bash
nmap -p445 --script smb-enum-domains --script-args smbusername=administrator,smbpassword=smbserver_771 10.4.31.9
```
List the available SMB scripts to get more info about them:

```bash
ls -l /usr/share/nmap/scripts/smb*
```
Mounting
Linux:

```bash
mount -t cifs "//10.10.10.103/Department Shares" /mnt/tempMount
umount /mnt/tempMount # To unmount the share
```
Examples: Sizzle
Windows:

```cmd
net use Z: \\10.0.22.92\C$ smbserver_771 /user:administrator
```
NMBLOOKUP
Lookup by IP
Shows different permissions of shares
SMBCLIENT
Null session
Shares:

```bash
smbclient -L 10.0.1.1 -N
```
Examples: Outdated

Connect to a share:

```bash
smbclient //10.10.11.175/Share -N
```
Examples: Outdated
Authenticated

```bash
smbclient //10.10.11.102 -U 'localadmin%Secret123'
```
Examples: [[Anubis]]
Download a share

```bash
# First connect to the share, then run these commands in the smbclient prompt:
smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *
```
Enumerate permissions on shares:

smbcacls:

```bash
smbcacls "//10.10.10.103/Department Shares" Users/amanda -N
```
Script to check the permissions of every user folder listed in the file users, keeping only the ACL entries for Everyone:

```bash
for dir in $(cat users); do
  echo -e "\n[+] Trying directory $dir:\n"
  echo -e "\t[-] $(smbcacls "//10.10.10.103/Department Shares" Users/$dir -N)" | grep "Everyone"
done
```
Examples: Sizzle
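Added example (not part of the original notes): a small Python audit script that parses smbcacls output in the ACL:trustee:type/flags/mask form the loop above prints and reports which folders actually grant Everyone write access, rather than just matching the word "Everyone". The sample output, the DOMAIN prefix and the user folders are constructed.

```python
import re

# Constructed sample: smbcacls output for three folders, as printed by
# the loop above (one ACE per line: ACL:<trustee>:<ALLOWED|DENIED>/<flags>/<mask>).
SAMPLE = {
    "Users/amanda": (
        "REVISION:1\nCONTROL:SR|DI|DP\nOWNER:BUILTIN\\Administrators\n"
        "ACL:Everyone:ALLOWED/0x0/READ\nACL:DOMAIN\\amanda:ALLOWED/0x0/FULL\n"
    ),
    "Users/bob": (
        "REVISION:1\nCONTROL:SR|DI|DP\nOWNER:BUILTIN\\Administrators\n"
        "ACL:Everyone:ALLOWED/OI|CI/FULL\nACL:NT AUTHORITY\\SYSTEM:ALLOWED/0x0/FULL\n"
    ),
    "Users/carol": (
        "REVISION:1\nCONTROL:SR|DI|DP\nOWNER:BUILTIN\\Administrators\n"
        "ACL:Everyone:ALLOWED/0x0/0x1301bf\nACL:Everyone:DENIED/0x0/0x2\n"
    ),
}

ACE_RE = re.compile(r"^ACL:(?P<trustee>.+):(?P<kind>ALLOWED|DENIED)/(?P<flags>[^/]*)/(?P<mask>\S+)$")

# Write-granting bits of a numeric Windows access mask:
# FILE_WRITE_DATA, FILE_APPEND_DATA, GENERIC_WRITE, GENERIC_ALL.
WRITE_BITS = 0x2 | 0x4 | 0x40000000 | 0x10000000


def parse_aces(text):
    """Return the ACE lines of one smbcacls output as dicts (trustee, kind, flags, mask)."""
    return [m.groupdict() for m in map(ACE_RE.match, text.splitlines()) if m]


def grants_write(mask):
    """True if a symbolic (FULL/CHANGE), letter (e.g. RWXD) or hex mask includes write access."""
    if mask in ("FULL", "CHANGE"):
        return True
    if mask.startswith("0x"):
        return bool(int(mask, 16) & WRITE_BITS)
    return "W" in mask


def everyone_writable(outputs):
    """Sorted paths where an ALLOWED ACE gives Everyone write and no DENIED ACE revokes it."""
    flagged = []
    for path, text in sorted(outputs.items()):
        aces = [a for a in parse_aces(text) if a["trustee"] == "Everyone"]
        allowed = any(a["kind"] == "ALLOWED" and grants_write(a["mask"]) for a in aces)
        denied = any(a["kind"] == "DENIED" and grants_write(a["mask"]) for a in aces)
        if allowed and not denied:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    print("Everyone-writable folders:", everyone_writable(SAMPLE))
```

Feed it the raw output of the smbcacls loop (one folder per entry) to turn the grep into a list of folders that need their ACLs tightened.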
HYDRA
Find the correct password for a user by brute force against a wordlist:

```bash
hydra -l user -P /path/to/wordlist <IP> smb
```
Exploitation MS17-010 on Windows XP
Manual exploitation can be found at MS17-010
Reference:
setup manual MS17-010 for Windows XP