# SMB Enum

### Checklist

* Run enum4linux
* Check the SMB version and whether a null session is allowed.
* Check the share drives
* If you get file-system access, apply the same checks as for FTP.

### SMB Vulnerability Scan

```
nmap -p 445 -vv --script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse 10.10.10.10
```

### Enumerate users and shares

```
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.10.10
```

### SMB Connect share

```
smbclient //IP_ADDRESS/share
smbclient //IP_ADDRESS/tmp
smbclient '\\IP_ADDRESS\ipc$' -U username_here    # IPC$ share; quote it so the shell does not expand $
smbclient '//IP_ADDRESS/ipc$' -U username_here
smbclient -U '.' -L IP_ADDRESS
smbclient -U 'guest' -L IP_ADDRESS

Anonymous login:
smbclient //IP_ADDRESS/anonymous

Download file:
smbget -R smb://IP_ADDRESS/anonymous
```

### List Shares

```
smbclient -L IP_ADDRESS
```

### Enum4Linux

```
enum4linux -a 10.10.10.10
```

### Enum4Linux enumerate users

```
enum4linux -r 10.10.10.10 | grep "Local User"
```

### Null Connect

```
rpcclient -U "" 10.10.10.10
rpcclient -U '' 10.10.10.10        <-- press Enter at the password prompt (or add -N)
    srvinfo
    enumdomusers
    getdompwinfo
    querydominfo
    querydisplayinfo2
    netshareenum
    netshareenumall
    queryuser RID                  <-- replace RID with the user's RID (from enumdomusers)
```
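The null-session and guest checks above (rpcclient with an empty user, smbclient against `ipc$`, nmap's smb-security-mode) only succeed when the server's Samba configuration permits anonymous or guest access. The following shell function is an added example, not part of this cheat-sheet: it audits an smb.conf for the parameters that govern that access (`restrict anonymous`, `map to guest`, `null passwords`, per-share `guest ok`, `server min protocol`) and runs against a constructed weak config and a constructed hardened one. The parameter names are Samba's; the two config files and the "weak"/"hardened" thresholds are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original cheat-sheet: flag smb.conf settings that
# permit the null/guest sessions enumerated above. Parameter names are Samba's;
# the sample configs below are constructed for illustration.

# audit_smb_conf FILE
#   prints one finding per line; exit status 0 = no findings, 1 = findings
audit_smb_conf() {
    findings=$(awk '
        function norm(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return tolower(s) }
        /^[ \t]*[;#]/ { next }                                # comment line
        /^[ \t]*\[/ { sec = norm($0); sub(/^\[/, "", sec); sub(/\]$/, "", sec); next }
        /=/ {
            key = norm(substr($0, 1, index($0, "=") - 1))
            val = norm(substr($0, index($0, "=") + 1))
            gsub(/[ \t]+/, " ", key)                          # "map  to guest" -> "map to guest"
            if (sec == "global") g[key] = val
            else if (key == "guest ok" && val == "yes")
                print "share [" sec "]: guest ok = yes (no credentials needed)"
        }
        END {
            if (!("restrict anonymous" in g) || g["restrict anonymous"] != "2")
                print "global: restrict anonymous is not 2 (null sessions may be allowed)"
            if (("map to guest" in g) && g["map to guest"] != "never")
                print "global: map to guest = " g["map to guest"] " (failed logins become guest)"
            if (g["null passwords"] == "yes")
                print "global: null passwords = yes"
            if (!("server min protocol" in g) || g["server min protocol"] ~ /^(core|coreplus|lanman1|lanman2|nt1)$/)
                print "global: server min protocol not pinned to SMB2 or later (SMB1 may be accepted)"
        }' "$1")
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

WORK=$(mktemp -d)
WEAK_CONF="$WORK/weak-smb.conf"
HARDENED_CONF="$WORK/hardened-smb.conf"

# Constructed weak configuration: the kind of server rpcclient -U '' can enumerate.
cat > "$WEAK_CONF" <<'EOF'
[global]
   workgroup = WORKGROUP
   map to guest = Bad User
   restrict anonymous = 0
   server min protocol = NT1

[Backups]
   path = /srv/backups
   guest ok = yes
   read only = yes
EOF

# Constructed hardened configuration: anonymous enumeration denied, SMB1 off.
cat > "$HARDENED_CONF" <<'EOF'
[global]
   workgroup = WORKGROUP
   map to guest = Never
   restrict anonymous = 2
   server min protocol = SMB2_02
   server signing = mandatory

[Backups]
   path = /srv/backups
   guest ok = no
   valid users = @backupops
EOF

echo "== weak =="
audit_smb_conf "$WEAK_CONF" || true
echo "== hardened =="
audit_smb_conf "$HARDENED_CONF" && echo "no findings"
```

Run it as `sh audit.sh`, or source it and call `audit_smb_conf /etc/samba/smb.conf` on a real host. The function returns non-zero when it prints anything, so it drops straight into a CI or configuration-management check; `restrict anonymous = 2` plus `map to guest = Never` is what turns the `rpcclient -U ''` session above into an access-denied error.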

### NBTscan

```
nbtscan 10.10.10.0/24
```

### Mount Share

```
mkdir -p /mnt/remote/
mount -t cifs //10.10.10.10/Backups /mnt/remote/

VHD mount:
mkdir -p /mnt/vhd
guestmount --add /mnt/remote/path/to/file.vhd --inspector --ro /mnt/vhd -v
```

### CrackMapExec

```
crackmapexec smb 10.10.10.10
crackmapexec smb 10.10.10.10 --shares
crackmapexec smb 10.10.10.10 --shares -u '' -p ''
crackmapexec smb 10.10.10.10 --pass-pol                  <-- Enum Password Policy
crackmapexec winrm 10.10.10.10 -u username -p password   <-- See if you can login
```

### SMBmap Connect

```
smbmap -H 10.10.10.10 -u '' -p ''
```
