SMB Enum
CheckList
Run enum4linux
Check version, null session.
Check share drives
If access to file system do the same as ftp attacks.
SMB Vulnerability Scan
nmap -p 445 -vv --script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse 10.10.10.10Enumerate users and shares
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.10.10SMB Connect share
smbclient //IP_ADDRESS/share
smbclient //IP_ADDRESS/tmp
smbclient \\\\IP_ADDRESS\\ipc -U username_here
smbclient //IP_ADDRESS/ipc -U username_here
smbclient -U '.' -L IP_ADDRESS
smbclient -U 'guest' -L IP_ADDRESS
Anonymous login:
smbclient //IP_ADDRESS/anonymous
Download file:
smbget -R smb://IP_ADDRESS/anonymousList Shares
smbclient -L IP_ADDRESSEnum4Linux
enum4linux -a 10.10.10.10Enum4Linux enumerate users
enum4linux -r 10.10.10.10 | grep "Local User"Null Connect
rpcclient -U "" 10.10.10.10
rpcclient -U '' 10.10.10.10
srvinfo
enumdomusers
getdompwinfo
querydominfo
querydisplayinfo2
netshareenum
netshareenumall
queryuser RID <-- Give the RID of the user. NBTscan
nbtscan 10.10.10.xMount Share
mkdir /mnt/remote/
mount -t cifs //10.10.10.10/Backups /mnt/remote/
VHD mount:
guestmount --add /mnt/remote/path/to/file.vhd --inspector --ro /mnt/vhd -vCrackMapExec
crackmapexec smb 10.10.10.10
crackmapexec smb 10.10.10.10 --shares
crackmapexec smb 10.10.10.10 --shares -u '' -p ''
crackmapexec smb 10.10.10.10 --pass-pol <-- Enum Password Policy
crackmapexec winrm 10.10.10.10 -u username -p password <-- See if you can login SMBmap Connect
smbmap -H 10.10.10.10 -u '' -p ''Last updated
Was this helpful?