Hack$Notes
Search…
⌃K

SMB Enum

CheckList

  • Run enum4linux
  • Check version, null session.
  • Check share drives
  • If access to file system do the same as ftp attacks.

SMB Vulnerability Scan

nmap -p 445 -vv --script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse 10.10.10.10

Enumerate users and shares

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.10.10

SMB Connect share

smbclient //IP_ADDRESS/share
smbclient //IP_ADDRESS/tmp
smbclient \\\\IP_ADDRESS\\ipc -U username_here
smbclient //IP_ADDRESS/ipc -U username_here
smbclient -U '.' -L IP_ADDRESS
smbclient -U 'guest' -L IP_ADDRESS
Anonymous login:
smbclient //IP_ADDRESS/anonymous
Download file:
smbget -R smb://IP_ADDRESS/anonymous

List Shares

smbclient -L IP_ADDRESS

Enum4Linux

enum4linux -a 10.10.10.10

Enum4Linux enumerate users

enum4linux -r 10.10.10.10 | grep "Local User"

Null Connect

rpcclient -U "" 10.10.10.10
rpcclient -U '' 10.10.10.10
srvinfo
enumdomusers
getdompwinfo
querydominfo
querydisplayinfo2
netshareenum
netshareenumall
queryuser RID <-- Give the RID of the user.

NBTscan

nbtscan 10.10.10.x

Mount Share

mkdir /mnt/remote/
mount -t cifs //10.10.10.10/Backups /mnt/remote/
VHD mount:
guestmount --add /mnt/remote/path/to/file.vhd --inspector --ro /mnt/vhd -v

CrackMapExec

crackmapexec smb 10.10.10.10
crackmapexec smb 10.10.10.10 --shares
crackmapexec smb 10.10.10.10 --shares -u '' -p ''
crackmapexec smb 10.10.10.10 --pass-pol <-- Enum Password Policy
crackmapexec winrm 10.10.10.10 -u username -p password <-- See if you can login

SMBmap Connect

smbmap -H 10.10.10.10 -u '' -p ''
Last modified 1yr ago