Hack$Notes
SMB Enum

CheckList

  • Run enum4linux.
  • Check the SMB version and whether a null session is allowed.
  • Check the share drives.
  • If you get access to the file system, follow the same steps as for FTP.

SMB Vulnerability Scan

nmap -p 445 -vv --script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse 10.10.10.10

Enumerate users and shares

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.10.10
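The two nmap runs above print a `| script-name:` block per host, and the checklist items (version, null session, share drives) are answered by two fields in it: `Anonymous access` per share and `message_signing` from smb-security-mode. The script below is an added example, not part of the original notes: it parses that text output and reports which shares an unauthenticated client can read or write and whether SMB signing is off, which is the list of things to fix on the host. `SAMPLE_OUTPUT` is a constructed excerpt in nmap's output layout, not a real scan; the function and dictionary names are this example's own.

```python
"""Triage nmap smb-enum-shares / smb-security-mode text output.

Added example (not from the original notes). Parses the `| name:` block
format nmap prints on stdout and flags anonymous share access and disabled
SMB message signing. SAMPLE_OUTPUT is constructed, not a real scan.
"""
import re

# Constructed sample in nmap's output layout: one fake host, three shares.
SAMPLE_OUTPUT = r"""
Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.10.10\ADMIN$: 
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.10\Backups: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.10\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: READ
|     Current user access: READ
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
"""

# nmap prefixes every script line with "| " or "|_"; after the prefix the
# nesting depth is two spaces per level.
_PREFIX = re.compile(r'^\|[_ ]?(.*)$')


def parse_nmap_smb(text):
    """Return {script: {'fields': {k: v}, 'shares': {name: {k: v}}}}."""
    scripts = {}
    script = None
    share = None
    for raw in text.splitlines():
        m = _PREFIX.match(raw)
        if not m:
            continue  # e.g. "Host script results:" or port table lines
        body = m.group(1)
        indent = len(body) - len(body.lstrip(' '))
        stripped = body.strip()
        if not stripped:
            continue
        key, _, value = stripped.partition(':')
        key, value = key.strip(), value.strip()
        if indent == 0:                       # new script block
            script = key
            scripts[script] = {'fields': {}, 'shares': {}}
            share = None
        elif indent == 2 and script is not None:
            if key.startswith('\\\\'):        # share entry: \\host\share
                share = key
                scripts[script]['shares'][share] = {}
            else:                             # plain field such as account_used
                share = None
                scripts[script]['fields'][key] = value
        elif indent >= 4 and script is not None and share is not None:
            scripts[script]['shares'][share][key] = value
    return scripts


def triage(scripts):
    """Summarise what an unauthenticated client gets from this host."""
    shares = scripts.get('smb-enum-shares', {}).get('shares', {})
    anonymous = {name: props['Anonymous access']
                 for name, props in shares.items()
                 if props.get('Anonymous access', '<none>') != '<none>'}
    signing = (scripts.get('smb-security-mode', {})
               .get('fields', {}).get('message_signing', ''))
    return {
        'account_used': scripts.get('smb-enum-shares', {})
                               .get('fields', {}).get('account_used'),
        'anonymous_shares': anonymous,
        'signing_disabled': signing.startswith('disabled'),
    }


if __name__ == '__main__':
    result = triage(parse_nmap_smb(SAMPLE_OUTPUT))
    for name, access in result['anonymous_shares'].items():
        print(f'anonymous {access:<10} {name}')
    if result['signing_disabled']:
        print('SMB message signing is disabled on this host')
```

Feed it real output with `nmap -p 445 --script=smb-enum-shares.nse,smb-security-mode.nse HOST > out.txt` and `parse_nmap_smb(open('out.txt').read())`; anything listed under `anonymous_shares` other than `IPC$` is a share that needs its permissions reviewed.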

SMB Connect share

smbclient //IP_ADDRESS/share
smbclient //IP_ADDRESS/tmp
smbclient \\\\IP_ADDRESS\\ipc$ -U username_here          <-- the hidden IPC$ share
smbclient //IP_ADDRESS/ipc$ -U username_here
smbclient -U '.' -L IP_ADDRESS
smbclient -U 'guest' -L IP_ADDRESS

Anonymous login:
smbclient //IP_ADDRESS/anonymous

Download file:
smbget -R smb://IP_ADDRESS/anonymous

List Shares

smbclient -L IP_ADDRESS

Enum4Linux

enum4linux -a 10.10.10.10

Enum4Linux enumerate users

enum4linux -r 10.10.10.10 | grep "Local User"

Null Connect

rpcclient -U "" 10.10.10.10
rpcclient -U '' 10.10.10.10
    srvinfo
    enumdomusers
    getdompwinfo
    querydominfo
    querydisplayinfo2
    netshareenum
    netshareenumall
    queryuser RID          <-- replace RID with the user's RID (as listed by enumdomusers)

NBTscan

nbtscan 10.10.10.0/24          <-- whole subnet; a range such as 10.10.10.1-254 also works

Mount Share

mkdir /mnt/remote/
mount -t cifs //10.10.10.10/Backups /mnt/remote/

VHD mount:
guestmount --add /mnt/remote/path/to/file.vhd --inspector --ro /mnt/vhd -v

CrackMapExec

crackmapexec smb 10.10.10.10
crackmapexec smb 10.10.10.10 --shares
crackmapexec smb 10.10.10.10 --shares -u '' -p ''
crackmapexec smb 10.10.10.10 --pass-pol                  <-- enumerate the password policy
crackmapexec winrm 10.10.10.10 -u username -p password   <-- check whether the credentials allow a login

SMBmap Connect

smbmap -H 10.10.10.10 -u '' -p ''

Last updated 3 years ago