SMB

Find Shares on Network:

./enum4linux-ng.py -a x.x.x.x
nmap -v -p 139,445 -oG smb.txt 192.168.11.200-254
nbtscan -r 192.168.11.0/24
nmblookup -A target
smbclient -L //192.168.1.100
rpcclient -U "" target
smbmap -u "" -p "" -d MYGROUP -H 10.11.1.22
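The `nmap -v -p 139,445 -oG smb.txt` sweep above writes grepable output, which is easier to feed into the per-host tools that follow (enum4linux-ng, smbclient, smbmap) if it is parsed rather than read by eye. The following is an added example, not part of the original cheat sheet: a small parser for the `-oG` format that returns, per host, the state of each scanned port and then lists only the hosts with an SMB port actually open. The sample scan output embedded in `SAMPLE_OG` is constructed for the example (hosts, hostnames and states are made up), and the `parse_grepable`, `smb_hosts` and `hostnames` function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample of nmap grepable (-oG) output of the form written by
# "nmap -v -p 139,445 -oG smb.txt 192.168.11.200-254". Hosts, hostnames and
# port states below are made up for this example.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -v -p 139,445 -oG smb.txt 192.168.11.200-254
Host: 192.168.11.200 ()\tStatus: Up
Host: 192.168.11.200 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (0)
Host: 192.168.11.201 ()\tStatus: Up
Host: 192.168.11.201 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///
Host: 192.168.11.202 (fileserver.lab)\tStatus: Up
Host: 192.168.11.202 (fileserver.lab)\tPorts: 139/closed/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
# Nmap done at Mon Jan  1 00:00:05 2024 -- 55 IP addresses (3 hosts up) scanned in 5.00 seconds
"""

# "Host: <ip> (<hostname>)" followed by tab-separated fields (Status:, Ports:, ...)
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+(.*)$")
SMB_PORTS = {139, 445}


def parse_grepable(text):
    """Return {ip: {port: state}} from -oG output.

    Each entry in a "Ports:" field has the layout
    port/state/protocol/owner/service/rpcinfo/version/ ; only the first
    two parts are needed here. Comment lines and Status-only lines carry
    no port data and are skipped.
    """
    hosts = defaultdict(dict)
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, _hostname, rest = m.groups()
        for field in rest.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 2 or not parts[0].isdigit():
                    continue
                hosts[ip][int(parts[0])] = parts[1]
    return dict(hosts)


def hostnames(text):
    """Return {ip: hostname} for hosts that reverse-resolved (empty names dropped)."""
    names = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m and m.group(2):
            names[m.group(1)] = m.group(2)
    return names


def smb_hosts(text, ports=SMB_PORTS):
    """IPs with at least one of `ports` reported open, sorted numerically."""
    found = [ip for ip, pmap in parse_grepable(text).items()
             if any(pmap.get(p) == "open" for p in ports)]
    return sorted(found, key=lambda ip: tuple(int(o) for o in ip.split(".")))


if __name__ == "__main__":
    names = hostnames(SAMPLE_OG)
    for ip in smb_hosts(SAMPLE_OG):
        print(ip, names.get(ip, ""), parse_grepable(SAMPLE_OG)[ip])
```

To use it on a real sweep, read `smb.txt` into `text` instead of `SAMPLE_OG`; a host whose 445 is `filtered` rather than `open` (192.168.11.201 in the sample) is deliberately left out of `smb_hosts`, since the later share and user enumeration steps only make sense against a responding service.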

Finding Null Sessions in Windows:

net use \\TARGET\IPC$ "" /u:""

Finding Null Sessions in Linux:

smbclient -L //192.168.99.131
./enum4linux-ng.py -a 192.168.1.1

Enumerating Users:

nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.11.200-254

Finding Folders using a login:

nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.1.0/24

Mount a share

Using smbclient:

smbclient -L \\WIN7\ -I 192.168.13.218
smbclient -L \\WIN7\ADMIN$ -I 192.168.13.218
smbclient -L \\WIN7\C$ -I 192.168.13.218
smbclient -L \\WIN7\IPC$ -I 192.168.13.218
smbclient //192.168.13.236/some-share -U root%root -W BOB

Using mount:

apt-get install cifs-utils
mount -t cifs //10.11.6.31/wwwroot -o username=xxx,password=xxx /tmp/smb/
mount -t auto --source //192.168.31.147/kathy --target /tmp/smb/ -o username=root,workgroup=WORKGROUP

Windows:

C:\WINDOWS\system32> dir \\Computer_name\wwwroot
C:\WINDOWS\system32> net use X: \\<server>\<sharename> /USER:<domain>\<username> <password> /PERSISTENT:YES

Metasploit

SMB UID lookup:

msf auxiliary(scanner/smb/smb_lookupsid) > use auxiliary/scanner/smb/smb_lookupsid
msf auxiliary(scanner/smb/smb_lookupsid) > set RHOSTS 192.168.31.142
RHOSTS => 192.168.31.142
msf auxiliary(scanner/smb/smb_lookupsid) > run
[*] 192.168.31.142:139 - PIPE(LSARPC) LOCAL(MYGROUP - 5-21-4157223341-3243572438-1405127623) DOMAIN(MYGROUP - )
[*] 192.168.31.142:139 - TYPE=0 NAME=Administrator rid=500

Getting SMB version:

msf auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/smb_version
msf auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.31.142
RHOSTS => 192.168.31.142
msf auxiliary(scanner/smb/smb_version) > run
[*] 192.168.31.142:139 - Host could not be identified: Unix (Samba 2.2.1a)

SMB brute force:

msf auxiliary(scanner/smb/smb_login) > use auxiliary/scanner/smb/smb_login
msf auxiliary(scanner/smb/smb_login) > set RHOSTS 192.168.31.142
RHOSTS => 192.168.31.142
msf auxiliary(scanner/smb/smb_login) > run

Upload a File with SMB

smbclient //192.168.31.142/ADMIN$ -U "nobody"%"somepassword" -c "put 40280.py"

NMAP SMB scripts

bridings@lupin:/usr/share/nmap/scripts >>> ls smb*
smb2-capabilities.nse
smb2-security-mode.nse
smb2-time.nse
smb2-vuln-uptime.nse
smb-brute.nse
smb-double-pulsar-backdoor.nse
smb-enum-domains.nse
smb-enum-groups.nse
smb-enum-processes.nse
smb-enum-services.nse
smb-enum-sessions.nse
smb-enum-shares.nse
smb-enum-users.nse
smb-flood.nse
smb-ls.nse
smb-mbenum.nse
smb-os-discovery.nse
smb-print-text.nse
smb-protocols.nse
smb-psexec.nse
smb-security-mode.nse
smb-server-stats.nse
smb-system-info.nse
smb-vuln-conficker.nse
smb-vuln-cve2009-3103.nse
smb-vuln-cve-2017-7494.nse
smb-vuln-ms06-025.nse
smb-vuln-ms07-029.nse
smb-vuln-ms08-067.nse
smb-vuln-ms10-054.nse
smb-vuln-ms10-061.nse
smb-vuln-ms17-010.nse
smb-vuln-regsvc-dos.nse
smb-vuln-webexec.nse
smb-webexec-exploit.nse
>>> nmap --script 'smb-*' --script-args=unsafe=1 192.168.10.55

The script pattern is quoted because, run from inside /usr/share/nmap/scripts, an unquoted smb-* is expanded by the shell into the file names listed above instead of being passed to nmap as a pattern. Note that unsafe=1 enables the DoS-class checks (smb-flood, smb-vuln-regsvc-dos), which can take the target's SMB service down.