SMB - 139, 445
Server Connection
smbmap (lists the shares and the permissions the given account has on each; with no -u it tries a null session)
$ smbmap -H $ip
$ smbmap -u <user> -H $ip
smbclient (list shares; -N sends no password, i.e. a null session)
$ smbclient -L $ip
$ smbclient -N -L //10.10.10.4
Scanning for Vulnerabilities
$ ls -l /usr/share/nmap/scripts/smb*
$ nmap -p 139,445 --script smb-vuln* $ip
Some of the smb-vuln-* checks only run with --script-args=unsafe=1 and can crash the target service, so keep that flag for lab hosts.
SMB Enum
Guess Server's Version
$ nmap -A 10.10.10.4
$ nmap -p 139,445 --script smb-os-discovery $ip
smb-os-discovery reports the OS, Samba/Windows version, computer name, domain and workgroup over a null session; -A adds version detection (-sV), OS detection and the default script set.
Mount Access
Mount an SMB share over CIFS (sec=ntlm is NTLMv1 and only works against old servers; omit it to let the client negotiate NTLMv2 via ntlmssp):
$ mount -t cifs -o user=USERNAME,sec=ntlm,dir_mode=0700 "//ip/My Share" /mnt/cifs
NFS exports (port 2049) are not SMB but are usually checked in the same pass:
$ mount -o nolock $ip:/home ~/home/
If a file on the export is readable only by its owner, e.g.
-rwx------ 1 1014 1014 48 Jun 10 09:16 creds.txt
create a local user with the same UID (1014). NFS trusts the UID the client presents, and root is the only account the server squashes by default, so the new user can read the file:
$ sudo adduser pwn
$ sudo sed -i -e 's/1001/1014/g' /etc/passwd
$ su pwn
$ cat creds.txt
The sed assumes adduser gave pwn UID 1001 and rewrites every "1001" in /etc/passwd, so check the line first; usermod -u 1014 pwn changes only that account.
smbclient (connect to a single share; add -N for a null session; the two path syntaxes below are equivalent)
$ smbclient //ip/tmp
$ smbclient \\\\ip\\ipc$ -U john
$ smbclient //ip/ipc$ -U john
nbtscan (NetBIOS name table; -r sends from source port 137, which some Windows hosts require and which needs root)
$ nbtscan -r $ip
Enum4linux
$ enum4linux -a $ip
rpcclient (MS-RPC over SMB named pipes; -U "" with -N is a null session without a password prompt)
$ rpcclient -U "" -N $ip
rpcclient Common Commands (typed at the rpcclient $> prompt)
rpcclient $> srvinfo            server OS version and type
rpcclient $> enumdomusers       users with their RIDs (500 = built-in Administrator, 1000+ = created accounts)
rpcclient $> getdompwinfo       domain password policy (minimum length and complexity flags)
rpcclient $> querydominfo       domain name, server role and user/group counts
rpcclient $> netshareenum       shares via the NetShareEnum RPC
rpcclient $> netshareenumall    shares via NetShareEnumAll; try both, servers differ in what they return to a null session
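The share listing from smbclient -L and the user listing from enumdomusers are the two outputs you feed into the next step, so the following added example (not code from the original cheat sheet) parses both into clean lists and emits the per-share null-session checks. The two sample outputs are constructed to look like real tool output so the script runs offline; the regex that filters out administrative shares (IPC$, ADMIN$, print$, C$-style drives) is an assumption about what is worth testing first, not something the tools define.

```shell
#!/usr/bin/env bash
# Added example, not part of the original cheat sheet: turn the raw output of
# `smbclient -L` and rpcclient's `enumdomusers` into lists the next step can
# consume. Both sample outputs below are constructed to look like real tool
# output so the script runs offline; swap in the captured output of your own runs.
set -eu

# Constructed sample of `smbclient -N -L //10.10.10.4` against a Samba host.
SMBCLIENT_LIST='
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk
        IPC$            IPC       IPC Service (ubuntu server (Samba, Ubuntu))
        ADMIN$          Disk      Remote Admin
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            UBUNTU
'

# Constructed sample of `enumdomusers` at the rpcclient prompt.
ENUMDOMUSERS='user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[john] rid:[0x3e8]
user:[svc_backup] rid:[0x3e9]'

# One share name per line. Only rows whose Type column is Disk, IPC or
# Printer are shares; the headers, rulers and the workgroup table are skipped.
parse_shares() {
    printf '%s\n' "$1" | awk '$2 ~ /^(Disk|IPC|Printer)$/ { print $1 }'
}

# Shares worth trying for anonymous read access first: everything except
# IPC$, ADMIN$, print$ and C$/D$ style administrative drive shares
# (assumed filter, adjust to taste).
interesting_shares() {
    parse_shares "$1" | grep -Ev '^(IPC\$|ADMIN\$|print\$|[A-Za-z]\$)$' || true
}

# "name rid" per line, RID converted from hex to decimal. RID 500 is the
# built-in Administrator, 501 Guest, and 1000+ are accounts created later.
parse_users() {
    printf '%s\n' "$1" \
    | sed -n 's/^user:\[\([^]]*\)\] rid:\[\(0x[0-9a-fA-F]*\)\]$/\1 \2/p' \
    | while read -r name rid; do
        printf '%s %d\n' "$name" "$rid"
      done
}

# The smbclient null-session check to run for each interesting share;
# a directory listing instead of NT_STATUS_ACCESS_DENIED means anonymous read works.
anon_check_commands() {
    ip="$1"
    interesting_shares "$2" | while read -r share; do
        printf "smbclient -N '//%s/%s' -c 'ls'\n" "$ip" "$share"
    done
}

# Usage with the constructed samples (replace them with captured output):
anon_check_commands 10.10.10.4 "$SMBCLIENT_LIST"
parse_users "$ENUMDOMUSERS"
```

Pipe the real output in with something like `smbclient -N -L //$ip 2>/dev/null` stored in a variable; the share names come out with their `$` intact, which is why the generated commands single-quote the path.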