SMB Enum
- Run enum4linux
- Check version, null session.
- Check share drives
- If access to file system do the same as ftp attacks.
nmap -p 445 -vv --script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse 10.10.10.10
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.10.10
smbclient //IP_ADDRESS/share
smbclient //IP_ADDRESS/tmp
smbclient \\\\IP_ADDRESS\\ipc -U username_here
smbclient //IP_ADDRESS/ipc -U username_here
smbclient -U '.' -L IP_ADDRESS
smbclient -U 'guest' -L IP_ADDRESS
Anonymous login:
smbclient //IP_ADDRESS/anonymous
Download file:
smbget -R smb://IP_ADDRESS/anonymous
smbclient -L IP_ADDRESS
enum4linux -a 10.10.10.10
enum4linux -r 10.10.10.10 | grep "Local User"
rpcclient -U "" 10.10.10.10
rpcclient -U '' 10.10.10.10
srvinfo
enumdomusers
getdompwinfo
querydominfo
querydisplayinfo2
netshareenum
netshareenumall
queryuser RID <-- Give the RID of the user.
nbtscan 10.10.10.x
mkdir /mnt/remote/
mount -t cifs //10.10.10.10/Backups /mnt/remote/
VHD mount:
guestmount --add /mnt/remote/path/to/file.vhd --inspector --ro /mnt/vhd -v
crackmapexec smb 10.10.10.10
crackmapexec smb 10.10.10.10 --shares
crackmapexec smb 10.10.10.10 --shares -u '' -p ''
crackmapexec smb 10.10.10.10 --pass-pol <-- Enum Password Policy
crackmapexec winrm 10.10.10.10 -u username -p password <-- See if you can login
smbmap -H 10.10.10.10 -u '' -p ''
Last modified 2yr ago