139/445 - SMB
What I do when I see 139/445 open:
Find SMB Version:
tcpdump -i tun0 port <Victim Port> and src <Victim IP> -s0 -A -n 2>/dev/null & crackmapexec smb <Victim IP> --shares --port <Victim Port> 1>/dev/null 2>/dev/null
Nmap Scan:
nmap --script "safe or smb-enum-*" -p 445 <IP>
Shares:
smbclient -L \\\\<IP>\\
Changing Shares:
smbclient \\\\<IP>\\C$
List shares with their permissions:
smbmap -H <IP>
Downloading:
smbget -R smb://<IP>/anonymous
In an smbclient session, type "prompt off" and then "recurse on"; this lets us download all the files using:
mget *
Nmap Vuln Script:
nmap --script "smb-vuln*" -p 139,445 <IP>
crackmapexec smb <IP>
Users:
crackmapexec smb <IP> --users
Shares:
crackmapexec smb <IP> --shares
Try Crackmapexec, psexec, smbexec, wmiexec
If we have Username and password:
Authenticated SMB Shares:
smbclient \\\\<IP>\\new-site -U <domain_name\username>
Null login:
crackmapexec smb <IP> --shares -u ' ' -p ''
Null login:
crackmapexec smb <IP> --shares -u '' -p ''
Null login:
crackmapexec smb <IP> -u ' ' -p ''
Default Guest login:
crackmapexec smb <IP> -u 'guest' -p ''
LDAP search:
ldapsearch -x -H ldap://<IP> -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "(&(objectclass=user))" | grep -i samaccountname: | cut -f 2 -d " "
Auth Check (local accounts):
crackmapexec smb <IP> -u <user> -p <pass> --local-auth
Auth Check:
crackmapexec smb <IP> -u <user> -p <pass>