139/445 - SMB

What I do when I see 139/445 open:

  1. Find SMB version (sniff the negotiation while crackmapexec connects): tcpdump -i tun0 port <Victim Port> and src <Victim IP> -s0 -A -n 2>/dev/null & crackmapexec smb <Victim IP> --shares --port <Victim Port> 1>/dev/null 2>/dev/null

  2. Nmap Scan: nmap --script "safe or smb-enum-*" -p 445 <IP>

  3. Shares: smbclient -L \\\\<IP>

  4. Connecting to a share: smbclient \\\\<IP>\\C$

  5. List shares with permissions: smbmap -H <IP>

  6. Downloading: smbget -R smb://<IP>/anonymous

  7. Inside smbclient, type prompt off and recurse on, then mget * downloads all the files.

  8. Nmap Vuln Script: nmap --script "smb-vuln*" -p 139,445 <IP>

  9. crackmapexec smb <IP>

  10. Users: crackmapexec smb <IP> --users

  11. Shares: crackmapexec smb <IP> --shares

  12. Try crackmapexec, psexec, smbexec, wmiexec.
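
Step 1 works because the server's NEGOTIATE response carries the dialect in clear on the wire. The Python below is an added example, not part of these notes: it decodes such a response (SMB1 vs SMB2 by protocol id, the SMB2 dialect code, and whether signing is required), which is the same information a defender uses to inventory hosts that still answer with SMBv1 or without signing. Field layouts follow MS-SMB2; both sample frames are constructed, not captured from any host.

```python
import struct

# Dialect codes carried in the SMB2 NEGOTIATE response (MS-SMB2 2.2.4).
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1", 0x02FF: "SMB 2.x (wildcard)"}
SIGNING_REQUIRED = 0x02   # SecurityMode flag


def parse_negotiate_response(frame: bytes) -> dict:
    """Decode one server NEGOTIATE response as seen on TCP/445.

    Strips the 4-byte NetBIOS session header, then tells SMB1 (0xFF 'SMB')
    from SMB2 (0xFE 'SMB') by the protocol id and reads dialect and signing.
    """
    length = int.from_bytes(frame[1:4], "big")      # type byte + 24-bit length
    body = frame[4:4 + length]
    if body[:4] == b"\xffSMB":
        return {"dialect": "SMB1", "signing_required": None}
    if body[:4] != b"\xfeSMB":
        raise ValueError("not an SMB negotiate response")
    # SMB2 header after ProtocolId: StructureSize, CreditCharge, Status,
    # Command, CreditResponse, Flags (flag 0x1 = server-to-client).
    size, _, status, command, _, flags = struct.unpack_from("<HHIHHI", body, 4)
    if size != 64 or command != 0 or not flags & 0x1:
        raise ValueError("not a server SMB2 NEGOTIATE response")
    # Response body follows the 64-byte header: StructureSize, SecurityMode, DialectRevision.
    _, security_mode, dialect = struct.unpack_from("<HHH", body, 64)
    return {"dialect": DIALECTS.get(dialect, hex(dialect)),
            "signing_required": bool(security_mode & SIGNING_REQUIRED),
            "status": status}


def build_sample_smb2(dialect: int, security_mode: int) -> bytes:
    """Constructed SMB2 NEGOTIATE response frame (not captured from a real host)."""
    header = b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 0, 1, 0x1,
                                       0, 0, 0, 0, 0) + b"\x00" * 16   # + Signature
    body = struct.pack("<HHHH", 65, security_mode, dialect, 0) + b"\x00" * 16  # + ServerGuid
    body += struct.pack("<IIII", 0, 0x800000, 0x800000, 0x800000) + b"\x00" * 16  # sizes, times
    body += struct.pack("<HHI", 128, 0, 0)   # SecurityBufferOffset/Length, ContextOffset
    msg = header + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


# Constructed SMB1 reply: NetBIOS header + 32-byte SMB1 header (command 0x72 = NEGOTIATE).
SAMPLE_SMB1 = b"\x00\x00\x00\x20" + b"\xffSMB\x72" + b"\x00" * 27

if __name__ == "__main__":
    for frame in (build_sample_smb2(0x0311, 0x03), build_sample_smb2(0x0202, 0x01), SAMPLE_SMB1):
        print(parse_negotiate_response(frame))
```

Feed it the payload bytes of a captured negotiate reply to get the same dialect/signing answer the tcpdump trick in step 1 shows by eye.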

If we have a username and password:

  1. Authenticated SMB share: smbclient \\\\<IP>\\new-site -U '<domain_name>\<username>'

  2. Null login: crackmapexec smb <IP> --shares -u ' ' -p ''

  3. Null login: crackmapexec smb <IP> --shares -u '' -p ''

  4. Null login: crackmapexec smb <IP> -u ' ' -p ''

  5. Default Guest login: crackmapexec smb <IP> -u 'guest' -p ''

  6. LDAP search: ldapsearch -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "(&(objectclass=user))" -h <IP> | grep -i samaccountname: | cut -f 2 -d " "

  7. Auth Check: crackmapexec smb <IP> -u <user> -p <pass> --local-auth

  8. Auth Check: crackmapexec smb <IP> -u <user> -p <pass>
