SMB-Samba 135-139 445
#NMAP
#run this first
nmap --script=smb2-security-mode.nse -p 445 192.168.10.0/24
sudo nmap -v -p 139,445 -oG smb.txt 10.11.1.8
sudo nmap --script nbstat.nse 10.11.1.5
sudo nmap --script smb-os-discovery 10.11.1.5
sudo nmap -v -p 139, 445 --script=smb-os-discovery 10.11.1.5 (variation)
nmap --script smb-enum-shares -p139,445 10.11.1.5
sudo nmap --script smb-vuln* 10.11.1.5
sudo nmap -v -p 139,445 --script=smb-vuln* --script-args=unsafe=1 10.11.1.5 (variation)
sudo nmap -A -p 135 --open 10.11.1.0/24 -oG nmap135
nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p 445 10.11.1.0/24#if user/pass are known
nmap -p 445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse 10.10.10.10 #one liner
#Metasploit
use auxiliary/scanner/smb/smb_enumshares
use auxiliary/scanner/smb/smb_lookupsid
#Banner grab
nc -nv 10.11.1.5 135
#Crackmapexec
crackmapexec smb --help (smb specific)
crackmapexec smb 10.11.1.128
crackmapexec smb 10.11.1.128 -u 'username' -p 'password'
crackmapexec smb 10.11.1.128 -u "DJ" -p /usr/share/dirb/wordlists/mutations_common.txt
crackmapexec smb 10.11.1.136 -u root -p /usr/share/wordlists/rockyou.txt
crackmapexec smb 10.11.1.146 -u 'guest' -p '' #null session
crackmapexec smb 10.11.1.146 -u '' -p '' --shares #listing available shares
#rpcclient
rpcclient -U "" -N 10.11.1.5
#Ridenum
ridenum.py 10.10.10.10 500 50000 dict.txt
#dictionary bruteforce of users
#Null session
Windows:
net use \\10.10.10.10\ "" /u:""
Linux:
smbclient -L //10.10.10.10
#nmblookup
nmblookup -A 10.11.1.5
#nbtscan
nbtscan 10.11.1.5
#Smbmap
smbmap -H 10.11.1.5 -P 135
Login with creds:
smbmap -u "root" -p "123456" -R Bob -H 10.11.1.136 -P 445
smbclient -L 10.11.1.5
smbclient //10.11.1.5/guest
smbclient --no-pass -L //10.11.1.146
#null session
smbmap -H //10.10.10.10/ --upload test.txt /SHARENAME/test.txt
#upload file
#Bruteforcing
medusa -h 10.11.1.111 -u redcliff -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt
nmap -p445 --script smb-brute --script-args userdb=user.txt,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt 10.11.1.111 -vvvv
nmap –script smb-brute 10.11.1.111
#smbget
smbget -rR smb://192.168.101.83/sambashare -U guest
#Eternalchecker.py
https://github.com/3ndG4me/AutoBlue-MS17-010/blob/master/eternal_checker.py
clone repo and fire off against target , POC for Eternal Blue Vuln
#Mounting shares
Creating a temporary share folder in /tmp (kali)
sudo mkdir /tmp/share
Mounting the share
sudo mount -t cifs //10.11.1.146/SusieShare /tmp/share
Last updated